This paper introduces a process mining-based method that augments anomaly-based Intrusion Detection Systems (IDSs) with process-based alarm severity ratings and explanations. The approach analyzes packet-level sequencing to prioritize critical alerts while maintaining visibility into network behavior. Applied to the USB-IDS-TC dataset, which contains several Slowloris DoS attack variants, the method achieves up to 99.94% recall and 99.99% precision while discriminating alarm severity from low to very high.
Process mining can turn black-box intrusion detection systems into transparent, prioritized alert generators without sacrificing accuracy.
Anomaly-based Intrusion Detection Systems (IDSs) are a key defense against attacks on networked systems. While deep learning-based IDSs achieve strong detection performance, their black-box architectures limit their trustworthiness, which remains a critical constraint in practice. Existing explainability techniques offer some insight into the alarms an IDS raises, but they do not provide process-based explanations grounded in packet-level sequencing analysis. In this paper, we propose a method that employs process mining techniques to enhance anomaly-based IDSs by attaching process-based severity ratings and explanations to their alerts. The method prioritizes critical alerts and maintains visibility into network behavior, while minimizing disruption by allowing misclassified benign traffic to pass. We apply the method to the publicly available USB-IDS-TC dataset, which includes anomalous traffic produced by different variants of the Slowloris DoS attack. Results show that the method discriminates between low- and very-high-severity alarms while preserving up to 99.94% recall and 99.99% precision, effectively discarding false positives and assigning graded severity to the true positives.
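The abstract does not specify which process mining techniques the paper uses, so the following is an added illustration of the general idea, not the paper's method: discover a directly-follows graph from benign packet-level event sequences, then score each alarmed flow by how far its sequence departs from that model (a simple conformance check), mapping the score to a severity band and letting fully conformant flows pass as likely false positives. The event labels, traces and thresholds are constructed for the example and are not taken from USB-IDS-TC.

```python
from collections import defaultdict

# Constructed benign traces: one list of packet-level events per flow.
# Event labels are hypothetical abstractions of TCP/HTTP packet roles.
BENIGN_TRACES = [
    ["SYN", "SYN-ACK", "ACK", "REQ", "RESP", "FIN"],
    ["SYN", "SYN-ACK", "ACK", "REQ", "RESP", "REQ", "RESP", "FIN"],
    ["SYN", "SYN-ACK", "ACK", "REQ", "RESP", "RST"],
]

# Hypothetical severity thresholds on the non-conformance ratio.
SEVERITY_BANDS = [(0.2, "low"), (0.4, "medium"), (0.6, "high")]


def transitions(trace):
    """Pair each event with its successor, bracketed by START and END markers."""
    padded = ["START"] + list(trace) + ["END"]
    return list(zip(padded, padded[1:]))


def discover_dfg(traces):
    """Process discovery: directly-follows graph with transition frequencies."""
    dfg = defaultdict(int)
    for trace in traces:
        for step in transitions(trace):
            dfg[step] += 1
    return dict(dfg)


def conformance(trace, dfg):
    """Return (non-conformance ratio, list of transitions absent from the model)."""
    steps = transitions(trace)
    violations = [step for step in steps if step not in dfg]
    return len(violations) / len(steps), violations


def severity(score):
    """Map a non-conformance ratio to a severity label; 0 means the flow
    conforms to benign behaviour and the alarm is treated as a false positive."""
    if score == 0:
        return "discard"
    for upper, label in SEVERITY_BANDS:
        if score < upper:
            return label
    return "very-high"


def rate_alarm(trace, dfg):
    """Severity rating plus a process-based explanation for one alarmed flow."""
    score, violations = conformance(trace, dfg)
    explanation = [f"{a} -> {b} never seen in benign traffic" for a, b in violations]
    return {"score": score, "severity": severity(score), "explanation": explanation}


if __name__ == "__main__":
    model = discover_dfg(BENIGN_TRACES)
    # Constructed alarmed flows: a Slowloris-like flow that dribbles partial
    # headers and never completes, a slightly odd but benign-looking flow,
    # and a fully benign flow that the IDS misclassified.
    alarms = {
        "slowloris": ["SYN", "SYN-ACK", "ACK", "PARTIAL-HDR", "PARTIAL-HDR",
                      "PARTIAL-HDR", "TIMEOUT"],
        "odd": ["SYN", "SYN-ACK", "ACK", "REQ", "PARTIAL-HDR", "RESP", "FIN"],
        "benign": ["SYN", "SYN-ACK", "ACK", "REQ", "RESP", "REQ", "RESP", "RST"],
    }
    for name, trace in alarms.items():
        print(name, rate_alarm(trace, model))
```

The explanation list is what makes the rating process-based: each entry names a packet-level transition the benign model never produced, which is the kind of evidence an analyst can verify directly in the capture rather than trusting an opaque score.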