Risk Averse Alert Prioritization for IDS Using Subnormal Gaussian Fuzzy Models

Problem
This paper addresses the challenge of alert fatigue in intrusion detection systems (IDS), which is exacerbated by the generation of numerous false positives and low-impact alerts. The authors propose a novel framework for alert prioritization that leverages subnormal Gaussian fuzzy models to effectively manage uncertainty in threat severity, detection confidence, and organizational risk attitude. This work is presented as a preprint and has not yet undergone peer review.

Method
The proposed framework utilizes subnormal Gaussian fuzzy numbers to represent alerts, where each alert is characterized by three components: the core (indicating severity), the spread (indicating uncertainty), and the height (reflecting detection reliability). The authors introduce a risk-attitude parameter that allows organizations to adjust their security posture based on their tolerance for risk. The prioritization process employs ranking indices to order alerts, facilitating a more nuanced response to potential threats. The experimental validation is conducted on two datasets: CIC-IDS2017 and NSL-KDD, demonstrating the framework’s effectiveness across various detector configurations.

Results
The framework achieves a normalized discounted cumulative gain (NDCGrel@100) score of 0.9963 on the CIC-IDS2017 dataset, significantly outperforming the baseline score of 0.8215. This indicates a substantial improvement in alert prioritization, particularly in scenarios involving detector degradation. The authors report that their method exhibits distinct differentiation in mid-confidence alerts, which are often overlooked by traditional systems. Under robust detector conditions, the proposed framework maintains near-parity with existing baselines, showcasing its versatility and robustness across different detection scenarios.

Limitations
The authors acknowledge that their approach may be sensitive to the choice of fuzzy parameters and the specific risk-attitude settings, which could affect the prioritization outcomes. Additionally, while the framework is designed to be computationally efficient, the scalability of the model in real-time applications remains to be fully evaluated. The paper does not address potential limitations related to the interpretability of fuzzy models in complex threat environments or the integration of the framework with existing IDS architectures.

Why it matters
This work has significant implications for enhancing the effectiveness of IDS by providing a structured approach to alert prioritization that accounts for uncertainty and organizational risk preferences. By improving the signal-to-noise ratio in alert management, the framework can help security teams focus on high-priority threats, thereby reducing alert fatigue and improving response times. The theoretical grounding and computational efficiency of the proposed method suggest that it could be integrated into existing IDS frameworks, paving the way for more adaptive and resilient security operations.

Authors: Murat Moran
Source: arXiv:2605.27299
URL: https://arxiv.org/abs/2605.27299v1