Skip to main content
U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Reducing the Cognitive Load on Analysts Through Hamming Distance Based Alert Aggregation



Peter M. Mell, Richard Harang


Previous work introduced the idea of grouping alerts at a Hamming distance of 1 to achieve alert aggregation; such aggregated meta-alerts were shown to increase alert interpret-ability. However, a mean of 84,023 daily Snort alerts were reduced to a still formidable 14,099 meta-alerts. In this work, we address this limitation by investigating several approaches that all contribute towards reducing the burden on the analyst and providing timely analysis. We explore minimizing the number of both alerts and data fields by aggregating at Hamming distances greater than 1. We show how increasing bin sizes can improve aggregation rates. And we provide a new aggregation algorithm that operates up to an order of magnitude faster at Hamming distance 1. Lastly, we demonstrate the broad applicability of this approach through empirical analysis of Windows security alerts, Snort alerts, netflow records, and DNS logs.
International Journal of Network Security & Its Applications


alert aggregation, cognitive load, Hamming distance, hypergraphs, security logs


Mell, P. and Harang, R. (2014), Reducing the Cognitive Load on Analysts Through Hamming Distance Based Alert Aggregation, International Journal of Network Security & Its Applications, [online], (Accessed June 20, 2024)


If you have any questions about this publication or are having problems accessing it, please contact

Created September 30, 2014, Updated November 10, 2018