Enhancing Anomaly-Based Intrusion Detection Systems with Process Mining
Francesco Vitale, Francesco Grimaldi, Massimiliano Rak, Nicola Mazzocca

TL;DR
This paper introduces a process mining approach to enhance anomaly-based IDSs by providing explainable, severity-rated alerts that improve detection accuracy and reduce false positives.
Contribution
It presents a novel process mining method that offers process-based explanations and severity ratings for IDS alerts, improving interpretability and effectiveness.
Findings
Discriminates between low- and very-high-severity alarms
Maintains 99.94% recall and 99.99% precision on the dataset
Effectively discards false positives while providing severity levels
Abstract
Anomaly-based Intrusion Detection Systems (IDSs) ensure protection against malicious attacks on networked systems. While deep learning-based IDSs achieve effective performance, their limited trustworthiness due to black-box architectures remains a critical constraint. Despite existing explainable techniques offering insight into the alarms raised by IDSs, they lack process-based explanations grounded in packet-level sequencing analysis. In this paper, we propose a method that employs process mining techniques to enhance anomaly-based IDSs by providing process-based alarm severity ratings and explanations for alerts. Our method prioritizes critical alerts and maintains visibility into network behavior, while minimizing disruption by allowing misclassified benign traffic to pass. We apply the method to the publicly available USB-IDS-TC dataset, which includes anomalous traffic affected by…
