**2. Literature Review**

In the previous section, we gave an overview of several categories of methods for dealing with redundant alarms. In this section, we mainly discuss prominent approaches to alarm problems from recent years and explore the application of heuristic algorithms (such as WOA) to alarm problems in the intrusion detection domain. First, we introduce research results on alarm problems from the past few years. Wang et al. [30] proposed a framework to improve intelligent false alarm reduction for DIDS based on edge computing devices. They built a false alarm filter using machine learning classifiers, which can select an appropriate algorithm to maintain the filtration accuracy. Toldinas et al. [31] proposed a new image recognition method using multi-level deep learning to address the identification of network attacks by intrusion detection systems. They converted network features into four-channel images that were used to train and test the pre-trained deep learning model ResNet50. Kinghorst et al. [32] introduced a pre-processing step into alarm flood analysis that calculates the probability of alarm correlation, in order to enhance the robustness of the alarm system in dealing with random or interference alarm modes. Fahimipirehgalin et al. [33] proposed a data-driven method that uses alarm log files to detect the causal sequence of alarms. This method includes an efficient alarm clustering approach based on the time distance between alarms, which helps to keep adjacent alarms in the same cluster. To solve the problem of the large number of redundant alarms generated by IDS, Sun and Chen [1] proposed an alarm aggregation scheme based on the combination of conditional rough entropy and knowledge granularity. Based on this scheme, the weights of the different alarm attributes were obtained, and the similarity values of the alarms were calculated within a sliding time window so that similar alarms could be aggregated and redundant alarms reduced.

In recent years, the development of swarm intelligence optimization algorithms has attracted the attention of researchers. Swarm intelligence (SI) optimization algorithms can be divided into two main categories: one is the particle swarm optimization algorithm (PSO), and the other is the ant colony optimization algorithm (ACO). SI was first used to solve optimization problems and was subsequently applied by scholars to network attack detection. Alharbi et al. [34] proposed a method combining the bat algorithm and a neural network to detect botnet attacks. The bat algorithm is used to select feature subsets and adjust hyperparameters in a network attack, and also to adjust the hyperparameters and optimize the weights of a neural network. Khurma et al. [35] combined the salp swarm algorithm and the ant lion optimization algorithm to propose a wrapper feature selection model that addresses the high dimensionality of features in IDS. Zhang et al. [36] proposed an improved particle swarm optimization algorithm to solve the problems of repeated alarms and a high false positive rate in IDS. For reconstructing the attack path between DDoS attack victims and attackers based on an internet protocol backtracking scheme, Lin et al. [37] proposed a multi-mode optimization scheme that applies the improved locust swarm optimization algorithm to the reconstructed attack path, because the traditional route search algorithm is prone to falling into local optima. This method shows the excellent search performance of the SI algorithm. In addition, there is also considerable research on SI in the feature selection stage of IDS and in attack target detection [38–40].

PSO and ACO algorithms have achieved good results in many fields. On this basis, scholars have proposed further excellent swarm intelligence optimization algorithms inspired by nature, such as the WOA [28], bat algorithm [41], wolf optimization algorithm [42], pathfinder algorithm [43], etc. Mirjalili and Lewis studied the hunting behavior of humpback whales, analyzed and modeled the behavior patterns of the bubble net attack and spiral approach, and put forward the WOA. It has been proved that the WOA is strongly competitive with existing meta-heuristic algorithms and traditional algorithms. After WOA was proposed, its excellent optimization ability led to its rapid application in various fields of research. In a review article on the application of WOA [29], the author listed the research progress of WOA, including hybridization, improvement and variation, as well as application scenarios such as engineering problems, clustering problems, classification problems, image processing, network and task scheduling, and other problems. It can be seen that WOA, as a new meta-heuristic swarm intelligence optimization algorithm, has proved its reliability and good performance in handling optimization problems. However, in the field of alarm clustering, previous scholars did not carry out further research on it. Based on the proven global and local search capabilities of WOA, this paper studies the application of WOA in alarm clustering, focusing on the optimization of alarm hierarchical clustering based on WOA.
