English

Enhancing Anomaly-Based Intrusion Detection Systems with Process Mining

Cryptography and Security 2026-04-21 v1 Machine Learning Networking and Internet Architecture

Abstract

Anomaly-based Intrusion Detection Systems (IDSs) ensure protection against malicious attacks on networked systems. While deep learning-based IDSs achieve effective performance, their limited trustworthiness due to black-box architectures remains a critical constraint. Despite existing explainable techniques offering insight into the alarms raised by IDSs, they lack process-based explanations grounded in packet-level sequencing analysis. In this paper, we propose a method that employs process mining techniques to enhance anomaly-based IDSs by providing process-based alarm severity ratings and explanations for alerts. Our method prioritizes critical alerts and maintains visibility into network behavior, while minimizing disruption by allowing misclassified benign traffic to pass. We apply the method to the publicly available USB-IDS-TC dataset, which includes anomalous traffic affected by different variants of the Slowloris DoS attack. Results show that our method is able to discriminate between low- to very-high-severity alarms while preserving up to 99.94% recall and 99.99% precision, effectively discarding false positives while providing different degrees of severity for the true positives.

Keywords

Cite

@article{arxiv.2604.18066,
  title  = {Enhancing Anomaly-Based Intrusion Detection Systems with Process Mining},
  author = {Francesco Vitale and Francesco Grimaldi and Massimiliano Rak and Nicola Mazzocca},
  journal= {arXiv preprint arXiv:2604.18066},
  year   = {2026}
}

Comments

Accepted to the 2026 IEEE International Conference on Cyber Security and Resilience

R2 v1 2026-07-01T12:18:03.890Z