
Automation in Security Operations Centers (SOCs) plays a prominent role in alert classification and incident escalation. However, automated methods must be robust in the presence of imbalanced input data, which can negatively affect performance. Additionally, automated methods should make explainable decisions. In this work, we evaluate the effect of label imbalance on the classification of network intrusion alerts. As our use case we employ DeepCASE, the state-of-the-art method for automated alert classification. We show that label imbalance impacts both classification performance and the correctness of the classification explanations offered by DeepCASE. We conclude that tuning the detection rules used in SOCs can significantly reduce imbalance and may benefit the performance and explainability of alert post-processing methods such as DeepCASE. Our findings therefore suggest that traditional methods to improve the quality of input data can also benefit automation.
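The abstract reports two effects on constructed alert data that are easy to reproduce in miniature: disabling a noisy detection rule shrinks the label imbalance, and plain accuracy on an imbalanced alert set hides how poorly a classifier handles the minority (malicious) class. The script below is an added example written for this page; it is not the paper's code and not DeepCASE. The signature names, analyst labels, alert counts and the precision threshold used for "tuning" are all assumptions, and the per-signature majority-vote classifier is a deliberately simple stand-in for a real alert classifier.

```python
from collections import Counter, defaultdict

# Constructed sample alerts as (signature name, analyst label) pairs.
# These counts are invented for illustration, not real SOC data.
SAMPLE_ALERTS = (
    [("ET POLICY DNS query to CDN", "benign")] * 900
    + [("ET SCAN nmap probe", "benign")] * 80
    + [("ET SCAN nmap probe", "malicious")] * 5
    + [("ET MALWARE C2 beacon", "malicious")] * 15
)


def label_counts(alerts):
    """Count analyst labels over a list of (signature, label) alerts."""
    return Counter(label for _, label in alerts)


def imbalance_ratio(alerts):
    """Majority-class count divided by minority-class count (1.0 = balanced)."""
    counts = label_counts(alerts)
    return max(counts.values()) / min(counts.values())


def tune_ruleset(alerts, min_precision=0.05):
    """Disable signatures whose historical precision (share of their alerts
    labelled malicious) is below min_precision. This stands in for SOC rule
    tuning: a rule that fires 900 times and is never malicious is pure noise.
    The threshold is an assumption chosen for this example."""
    total = Counter(sig for sig, _ in alerts)
    malicious = Counter(sig for sig, label in alerts if label == "malicious")
    keep = {sig for sig in total if malicious[sig] / total[sig] >= min_precision}
    return [alert for alert in alerts if alert[0] in keep]


def train_signature_classifier(alerts):
    """Toy classifier: predict the majority label seen for each signature.
    Unknown signatures default to 'benign'."""
    per_sig = defaultdict(Counter)
    for sig, label in alerts:
        per_sig[sig][label] += 1
    model = {sig: counts.most_common(1)[0][0] for sig, counts in per_sig.items()}
    return lambda sig: model.get(sig, "benign")


def evaluate(alerts, predict):
    """Return (accuracy, per-class recall dict, balanced accuracy)."""
    hits = Counter()
    support = Counter()
    for sig, label in alerts:
        support[label] += 1
        if predict(sig) == label:
            hits[label] += 1
    recall = {label: hits[label] / support[label] for label in support}
    accuracy = sum(hits.values()) / len(alerts)
    balanced = sum(recall.values()) / len(recall)
    return accuracy, recall, balanced


def compare(alerts=SAMPLE_ALERTS):
    """Evaluate the toy classifier on the raw and on the tuned alert set."""
    tuned = tune_ruleset(alerts)
    results = {}
    for name, data in (("raw", alerts), ("tuned", tuned)):
        acc, recall, bal = evaluate(data, train_signature_classifier(data))
        results[name] = {
            "alerts": len(data),
            "imbalance_ratio": imbalance_ratio(data),
            "accuracy": acc,
            "malicious_recall": recall["malicious"],
            "balanced_accuracy": bal,
        }
    return results


if __name__ == "__main__":
    for name, metrics in compare().items():
        print(name, metrics)
```

On this constructed data the noisy CDN rule drives the benign-to-malicious ratio to 49:1; dropping it brings the ratio to 4:1 and removes 90% of the alert volume. The toy classifier's accuracy falls from 0.995 to 0.95 after tuning even though its recall on malicious alerts (0.75) and its balanced accuracy (0.875) are unchanged, which is exactly why accuracy on an untuned, imbalanced feed overstates how well an alert classifier is doing.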
Network Security Alerts, Networking and Internet Architecture (cs.NI), FOS: Computer and information sciences, SDG 16 - Peace, Justice and Strong Institutions, Intrusion Detection Ruleset Tuning, Cryptography and Security (cs.CR), Machine Learning (cs.LG), Alert Reduction, Security Operations Center (SOC), Network Intrusion Detection Rules, Network Intrusion Detection System (NIDS)
