Abstract
Automation in Security Operations Centers (SOCs) plays a prominent role in alert classification and incident escalation. However, automated methods must be robust in the presence of imbalanced input data, which can negatively affect performance. Additionally, automated methods should make explainable decisions. In this work, we evaluate the effect of label imbalance on the classification of network intrusion alerts. As our use-case we employ DeepCASE, the state-of-the-art method for automated alert classification. We show that label imbalance impacts both classification performance and correctness of the classification explanations offered by DeepCASE. We conclude tuning the detection rules used in SOCs can significantly reduce imbalance and may benefit the performance and explainability offered by alert post-processing methods such as DeepCASE. Therefore, our findings suggest that traditional methods to improve the quality of input data can benefit automation.
| Original language | English |
|---|---|
| Title of host publication | 10th IEEE European Symposium on Security and Privacy Workshops |
| Publisher | Institute of Electrical and Electronics Engineers |
| DOIs | |
| Publication status | Accepted/In press - 2 Jul 2025 |
Funding
This publication is part of the CATRIN, INTERSECT, and SeReNity projects (with numbers NWA.1215.18.003, NWA.1160.18.301, and CS.010) which are (partly) financed by the Dutch Research Council (NWO).
| Funders | Funder number |
|---|---|
| Nederlandse Organisatie voor Wetenschappelijk Onderzoek | NWA.1215.18.003 |
| Nederlandse Organisatie voor Wetenschappelijk Onderzoek | NWA.1160.18.301 |
| Nederlandse Organisatie voor Wetenschappelijk Onderzoek | CS.010 |
Keywords
- Security Operations Center (SOC)
- Network Intrusion Detection System (NIDS)
- Network Security Alerts
- Alert Reduction
- Intrusion Detection Ruleset Tuning
- Network Intrusion Detection Rules
