1. Introduction
In response to attacks against enterprise networks, administrators are increasingly deploying intrusion detection systems (IDSs). These systems monitor hosts, networks, or other resources using a variety of techniques [25, Chapter 2]. Unfortunately, the use of intrusion detection has given rise to another difficult problem, namely the handling of a generally large number of alarm messages (alarms, for short). In fact, it is not uncommon for an IDS to trigger thousands of alarms per day, up to 99% of which are false positives [17], [24]. Investigating alarms manually is not only error-prone but also a waste of human time and energy [3], [24]. This paper presents a novel semi-automatic approach for handling intrusion detection alarms efficiently.