ARTFEED — Contemporary Art Intelligence

Fuzzy Model Improves IDS Alert Prioritization

other · 2026-05-27

A novel framework that employs subnormal Gaussian fuzzy numbers improves the prioritization of alerts in intrusion detection systems by assessing threat severity, detection confidence, and the organization's risk attitude. Each alert is depicted as a fuzzy number, where the core signifies severity, the spread indicates uncertainty, and the height represents detection reliability. Alerts are ranked using indices, which can be adjusted through a risk-attitude parameter. Evaluations on the CIC-IDS2017 and NSL-KDD datasets demonstrate its effectiveness even when detector performance declines (0.9963 compared to 0.8215 NDCGrel@100), particularly in distinguishing mid-confidence alerts. This method effectively mitigates alert fatigue caused by false positives and low-impact incidents.

Key facts

  • arXiv:2605.27299v1
  • Announce Type: cross
  • Proposes alert prioritization using subnormal Gaussian fuzzy numbers
  • Models three sources of uncertainty: threat severity, detection confidence, organizational risk attitude
  • Each alert represented as fuzzy number with core (severity), spread (uncertainty), height (reliability)
  • Uses ranking indices for prioritization
  • Risk-attitude parameter allows tuning security posture
  • Validated on CIC-IDS2017 and NSL-KDD datasets
  • Achieves 0.9963 vs 0.8215 NDCGrel@100 under detector degradation
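
A sketch of the representation summarized above, added here as an example and not taken from the paper: each alert is a subnormal Gaussian fuzzy number, and a risk-attitude parameter changes how the alerts rank. The ranking index (an alpha-cut integral weighted by `lam`), the 0-10 severity scale, all names and the sample alerts are assumptions; the summary does not state the paper's own indices.

```python
import math
from dataclasses import dataclass

@dataclass(frozen=True)
class FuzzyAlert:
    name: str
    core: float    # most plausible severity (0-10 scale is an assumption)
    spread: float  # Gaussian sigma: uncertainty about the severity
    height: float  # detection reliability in (0, 1]; < 1 means subnormal

    def membership(self, x):
        return self.height * math.exp(-((x - self.core) ** 2) / (2 * self.spread ** 2))

    def alpha_cut(self, alpha):
        """Severity interval with membership >= alpha; None above the height."""
        if not 0 < alpha <= self.height:
            return None
        half = self.spread * math.sqrt(2 * math.log(self.height / alpha))
        return self.core - half, self.core + half

def rank_index(a, lam):
    """Assumed index: integral over alpha in (0, height] of lam*upper +
    (1-lam)*lower, in closed form. lam=1 is risk-averse, lam=0 risk-tolerant."""
    return a.height * (a.core + (2 * lam - 1) * a.spread * math.sqrt(math.pi / 2))

def rank_index_numeric(a, lam, steps=20000):
    """Midpoint-rule evaluation of the same integral from the alpha-cuts."""
    d = a.height / steps
    total = 0.0
    for i in range(steps):
        lo, hi = a.alpha_cut((i + 0.5) * d)
        total += (lam * hi + (1 - lam) * lo) * d
    return total

def prioritize(alerts, lam):
    ranked = sorted(alerts, key=lambda a: rank_index(a, lam), reverse=True)
    return [a.name for a in ranked]

# Constructed sample alerts (not taken from CIC-IDS2017 or NSL-KDD).
ALERTS = [
    FuzzyAlert("port-scan", core=3.0, spread=0.5, height=0.95),
    FuzzyAlert("sql-injection", core=8.0, spread=1.0, height=0.60),
    FuzzyAlert("odd-dns", core=5.0, spread=3.0, height=0.70),
    FuzzyAlert("brute-force", core=6.0, spread=0.5, height=0.65),
]

if __name__ == "__main__":
    for lam in (0.0, 0.5, 1.0):
        print(lam, prioritize(ALERTS, lam))
```

With these constructed values the mid-confidence, high-uncertainty alert moves from last place under a risk-tolerant setting to first place under a risk-averse one, while the high-confidence, low-severity alert stays near the bottom.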
