On the Effect of Ruleset Tuning and Data Imbalance on Explainable Network Security Alert Classifications: a Case-Study on DeepCASE
Authors:
Koen T. W. Teuwen,
Sam Baggen,
Emmanuele Zambon,
Luca Allodi
Abstract:
Automation in Security Operations Centers (SOCs) plays a prominent role in alert classification and incident escalation. However, automated methods must be robust in the presence of imbalanced input data, which can negatively affect performance. Additionally, automated methods should make explainable decisions. In this work, we evaluate the effect of label imbalance on the classification of network intrusion alerts. As our use-case we employ DeepCASE, the state-of-the-art method for automated alert classification. We show that label imbalance impacts both classification performance and the correctness of the classification explanations offered by DeepCASE. We conclude that tuning the detection rules used in SOCs can significantly reduce imbalance and may benefit the performance and explainability offered by alert post-processing methods such as DeepCASE. Therefore, our findings suggest that traditional methods to improve the quality of input data can benefit automation.
Submitted 2 July, 2025;
originally announced July 2025.
Proceedings of Workshop AEW10: Concepts in Information Theory and Communications
Authors:
Kees A. Schouhamer Immink,
Stan Baggen,
Ferdaous Chaabane,
Yanling Chen,
Peter H. N. de With,
Hela Gassara,
Hamed Gharbi,
Adel Ghazel,
Khaled Grati,
Naira M. Grigoryan,
Ashot Harutyunyan,
Masayuki Imanishi,
Mitsugu Iwamoto,
Ken-ichi Iwata,
Hiroshi Kamabe,
Brian M. Kurkoski,
Shigeaki Kuzuoka,
Patrick Langenhuizen,
Jan Lewandowsky,
Akiko Manada,
Shigeki Miyake,
Hiroyoshi Morita,
Jun Muramatsu,
Safa Najjar,
Arnak V. Poghosyan
, et al. (9 additional authors not shown)
Abstract:
The 10th Asia-Europe workshop in "Concepts in Information Theory and Communications" AEW10 was held in Boppard, Germany on June 21-23, 2017. It is based on a longstanding cooperation between Asian and European scientists. The first workshop was held in Eindhoven, the Netherlands in 1989. The idea of the workshop is threefold: 1) to improve the communication between the scientists in the different parts of the world; 2) to exchange knowledge and ideas; and 3) to pay tribute to a well-respected and special scientist.
Submitted 27 July, 2017;
originally announced July 2017.