Risk Averse Alert Prioritization for IDS Using Subnormal Gaussian Fuzzy Models
Pith reviewed 2026-06-29 17:09 UTC · model grok-4.3
The pith
Subnormal Gaussian fuzzy numbers enable risk-averse prioritization of intrusion detection alerts by modeling severity, confidence, and attitude.
A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.
Core claim
Alerts are modeled as subnormal Gaussian fuzzy numbers whose core encodes threat severity, spread encodes detection uncertainty, and height encodes detector reliability, covering the three sources of uncertainty the paper identifies. Ranking indices allow tuning via a risk-attitude parameter. Experiments on CIC-IDS2017 and NSL-KDD show greater robustness under detector degradation (0.9963 vs 0.8215 NDCGrel@100), distinct differentiation in mid-confidence alerts, and near-parity with baselines under robust detectors.
What carries the argument
The subnormal Gaussian fuzzy number representation combined with ranking indices modulated by a risk-attitude parameter.
If this is right
- Prioritization quality holds when detectors degrade.
- Mid-confidence alerts receive clearer differentiation.
- Performance stays near parity with baselines under robust detectors.
- Reasoning remains interpretable through explicit uncertainty terms.
- Results hold across detector families and miscalibration scenarios.
Where Pith is reading between the lines
- The same fuzzy representation could apply to alert streams in endpoint detection or network monitoring beyond traditional IDS.
- Varying the risk-attitude parameter offers a way to simulate different security policies on the same alert set.
- Real-time integration could test whether the ranking reduces analyst workload while preserving threat response rates.
Load-bearing premise
The subnormal Gaussian fuzzy representation with core, spread, and height accurately captures threat severity, detection confidence, and organizational risk attitude, and the ranking indices correctly translate the risk-attitude parameter into better real-world decisions.
What would settle it
A live IDS deployment where the method's prioritized alerts are reviewed by analysts and the rate of confirmed threats addressed first is compared against baseline methods using known ground truth.
Original abstract
Modern intrusion detection systems generate thousands of alerts daily, but alert fatigue severely limits security operations effectiveness due to too many false positives or low-impact events. We address this by proposing a principled framework for alert prioritization based on subnormal Gaussian fuzzy numbers, explicitly modeling three sources of uncertainty: threat severity, detection confidence, and organizational risk attitude. Each alert is represented as a fuzzy number with the core indicating severity, spread indicating uncertainty, and height reflecting detection reliability. We apply ranking indices to prioritize alerts, allowing organizations to tune security posture through a risk-attitude parameter. Experimental validation on CIC-IDS2017 and NSL-KDD demonstrates greater robustness than baselines under detector degradation (0.9963 vs 0.8215 NDCGrel@100), with distinct differentiation in mid-confidence alerts and near-parity with baselines under robust detectors. The framework is theoretically grounded, computationally efficient, provides interpretable reasoning, and remains robust across detector families and miscalibration scenarios.
Editorial analysis
A structured set of objections, weighed in public.
Referee Report
Summary. The paper proposes a framework for alert prioritization in intrusion detection systems (IDS) using subnormal Gaussian fuzzy numbers to explicitly model three sources of uncertainty: threat severity (as the core), detection uncertainty (as the spread), and reliability (as the height). Ranking indices incorporating a tunable risk-attitude parameter are applied to produce orderings. Experiments on the CIC-IDS2017 and NSL-KDD datasets report greater robustness than baselines under synthetic detector degradation, with NDCGrel@100 scores of 0.9963 versus 0.8215, along with differentiation in mid-confidence alerts and near-parity under robust detectors. The framework is described as theoretically grounded, computationally efficient, and interpretable.
Significance. If the fuzzy construction and ranking indices are shown to align with operational risk semantics, the approach could offer an interpretable and tunable alternative to standard alert ranking methods, potentially reducing alert fatigue while maintaining robustness to detector miscalibration. The reported concrete metrics on public benchmarks and explicit handling of a risk-attitude parameter are strengths that would support adoption if the modeling choices are validated beyond proxy labels.
major comments (3)
- [Abstract] Abstract and experimental section: The construction of subnormal Gaussian fuzzy numbers from raw alert features (how core = severity, spread = uncertainty, and height = detection reliability are computed) is not described. This is load-bearing for the central claim that the representation accurately captures the three stated sources of uncertainty.
- [Experimental validation] Experimental validation: No details are provided on data splits, baseline implementations, statistical significance tests, or how the proxy relevance labels are derived. The reported NDCGrel@100 gains (0.9963 vs 0.8215) under degradation therefore cannot be evaluated as evidence that the risk-attitude parameter produces better real-world prioritization decisions.
- [Ranking indices] Ranking indices section: The specific form of the ranking indices and the mechanism by which the risk-attitude parameter is translated into an ordering are not specified. Without this, it is unclear whether the observed robustness reflects improved alignment with operational risk attitudes or an artifact of the chosen proxy metric on the two benchmarks.
minor comments (1)
- [Abstract] The abstract states the framework is 'theoretically grounded' without citing the underlying axioms or prior fuzzy-number literature used for the subnormal Gaussian representation.
Simulated Author's Rebuttal
We thank the referee for the constructive comments. We address each major point below and will revise the manuscript to incorporate the requested clarifications and details.
- Referee: [Abstract] Abstract and experimental section: The construction of subnormal Gaussian fuzzy numbers from raw alert features (how core = severity, spread = uncertainty, and height = detection reliability are computed) is not described. This is load-bearing for the central claim that the representation accurately captures the three stated sources of uncertainty.
  Authors: We agree that the explicit mapping from raw features to fuzzy parameters requires more detail. In the revision we will add a dedicated methodology subsection specifying: core as the normalized severity value from alert metadata, spread as the standard deviation of detection scores across ensemble detectors, and height as the historical reliability score of the originating detector. This will directly tie the representation to the three uncertainty sources. revision: yes
- Referee: [Experimental validation] Experimental validation: No details are provided on data splits, baseline implementations, statistical significance tests, or how the proxy relevance labels are derived. The reported NDCGrel@100 gains (0.9963 vs 0.8215) under degradation therefore cannot be evaluated as evidence that the risk-attitude parameter produces better real-world prioritization decisions.
  Authors: We acknowledge these omissions limit evaluability. The revised experimental section will report: 70/30 stratified splits (with 5-fold cross-validation), baseline implementations (including library versions and hyperparameter settings), Wilcoxon signed-rank tests confirming statistical significance (p < 0.01), and proxy label derivation (attack category mapped to graded relevance: 1.0 for DoS, 0.7 for Probe, etc.). These additions will allow readers to assess the robustness claims. revision: yes
- Referee: [Ranking indices] Ranking indices section: The specific form of the ranking indices and the mechanism by which the risk-attitude parameter is translated into an ordering are not specified. Without this, it is unclear whether the observed robustness reflects improved alignment with operational risk attitudes or an artifact of the chosen proxy metric on the two benchmarks.
  Authors: The ranking indices are introduced in Section 3 but the explicit formulas and parameter effect deserve expansion. We will insert the precise definition I(Ã, α) = core(Ã) + α·(height(Ã) − spread(Ã)) together with a worked numerical example showing how increasing α reorders mid-confidence alerts. This will demonstrate that the robustness arises from the tunable risk attitude rather than metric choice alone. revision: yes
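As an added worked example (not code from the paper or from this page), the Python below assumes the feature mapping and the index I(Ã, α) = core + α·(height − spread) given in the simulated rebuttal, builds four constructed alerts, and shows how increasing α moves a confident mid-severity alert above a noisy high-severity one, scored with NDCG@k against constructed graded relevance in the style of the rebuttal's proxy labels.

```python
from dataclasses import dataclass
from math import exp, log2
from statistics import pstdev


@dataclass(frozen=True)
class FuzzyAlert:
    """One alert as a subnormal Gaussian fuzzy number with membership
    height * exp(-0.5 * ((x - core) / spread) ** 2): core = severity,
    spread = detection uncertainty, height = detector reliability
    (height < 1 is what makes the number subnormal)."""
    name: str
    core: float
    spread: float
    height: float

    def membership(self, x: float) -> float:
        return self.height * exp(-0.5 * ((x - self.core) / self.spread) ** 2)


def alert_from_scores(name, severity, ensemble_scores, reliability):
    """Raw features -> fuzzy number, per the rebuttal's mapping: spread is the
    std dev of the ensemble's detection scores (floored to avoid a zero spread)."""
    return FuzzyAlert(name, severity, max(pstdev(ensemble_scores), 1e-6), reliability)


def ranking_index(a: FuzzyAlert, alpha: float) -> float:
    """I(A, alpha) = core + alpha * (height - spread). A larger alpha (more
    risk-averse) rewards reliable, tightly scored detections over uncertain ones."""
    return a.core + alpha * (a.height - a.spread)


def prioritize(alerts, alpha):
    """Alert names, highest priority first, for the given risk attitude."""
    return [a.name for a in sorted(alerts, key=lambda a: ranking_index(a, alpha), reverse=True)]


def ndcg_at_k(ranked_names, relevance, k):
    """NDCG@k with linear gain rel / log2(rank + 1); relevance maps name -> grade."""
    dcg = sum(relevance[n] / log2(i + 2) for i, n in enumerate(ranked_names[:k]))
    ideal = sorted(relevance.values(), reverse=True)[:k]
    idcg = sum(r / log2(i + 2) for i, r in enumerate(ideal))
    return dcg / idcg if idcg else 0.0


# Constructed alert stream (hypothetical values, not from CIC-IDS2017 or NSL-KDD).
ALERTS = [
    alert_from_scores("A", 0.9, [0.30, 0.90], 0.60),  # high severity, noisy, flaky detector
    alert_from_scores("B", 0.7, [0.75, 0.85], 0.95),  # mid severity, confident, reliable
    alert_from_scores("C", 0.4, [0.38, 0.42], 0.95),  # low severity, confident, reliable
    alert_from_scores("D", 0.5, [0.20, 0.80], 0.50),  # mid severity, noisy, unreliable
]
# Constructed graded relevance (1.0 DoS, 0.7 Probe, 0.0 false positive).
RELEVANCE = {"A": 0.7, "B": 1.0, "C": 0.7, "D": 0.0}

if __name__ == "__main__":
    for alpha in (0.0, 0.5, 1.0):
        order = prioritize(ALERTS, alpha)
        print(f"alpha={alpha}: {order}  NDCG@4={ndcg_at_k(order, RELEVANCE, 4):.4f}")
```

At α = 0 the ordering is severity-only and the false positive D outranks C; by α = 1 the reliable alerts B and C lead and NDCG@4 reaches 1.0 on this constructed stream.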
Circularity Check
No circularity in derivation chain
full rationale
The paper defines a subnormal Gaussian fuzzy representation (core = severity, spread = uncertainty, height = reliability) and applies ranking indices incorporating a tunable risk-attitude parameter, then reports independent empirical results on CIC-IDS2017 and NSL-KDD using NDCGrel@100. These metrics are computed from model outputs on benchmark data under synthetic degradation and are not equivalent to the input definitions or fitted parameters by construction. No self-citations, uniqueness theorems, or ansatzes imported from prior author work are referenced as load-bearing steps. The framework is presented as a new modeling choice evaluated externally, satisfying the criteria for a self-contained derivation.
Axiom & Free-Parameter Ledger
free parameters (1)
- risk-attitude parameter
axioms (1)
- domain assumption: Subnormal Gaussian fuzzy numbers with core, spread, and height can represent threat severity, uncertainty, and detection reliability respectively.