{"id":"https://openalex.org/W4281391324","doi":"https://doi.org/10.1145/3488932.3517412","title":"Ruling the Rules","display_name":"Ruling the Rules","publication_year":2022,"publication_date":"2022-05-24","ids":{"openalex":"https://openalex.org/W4281391324","doi":"https://doi.org/10.1145/3488932.3517412"},"language":"en","primary_location":{"id":"doi:10.1145/3488932.3517412","is_oa":true,"landing_page_url":"https://doi.org/10.1145/3488932.3517412","pdf_url":"https://dl.acm.org/doi/pdf/10.1145/3488932.3517412","source":{"id":"https://openalex.org/S4363609011","display_name":"Proceedings of the 2022 ACM on Asia Conference on Computer and Communications Security","issn_l":null,"issn":null,"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":null,"host_organization_name":null,"host_organization_lineage":[],"host_organization_lineage_names":[],"type":"conference"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 2022 ACM on Asia Conference on Computer and Communications Security","raw_type":"proceedings-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":true,"oa_status":"hybrid","oa_url":"https://dl.acm.org/doi/pdf/10.1145/3488932.3517412","any_repository_has_fulltext":false},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5065041795","display_name":"Mathew Vermeer","orcid":"https://orcid.org/0009-0008-8460-1466"},"institutions":[{"id":"https://openalex.org/I98358874","display_name":"Delft University of Technology","ror":"https://ror.org/02e2c7k09","country_code":"NL","type":"education","lineage":["https://openalex.org/I98358874"]}],"countries":["NL"],"is_corresponding":true,"raw_author_name":"Mathew Vermeer","raw_affiliation_strings":["Delft University of Technology, Delft, Netherlands"],"affiliations":[{"raw_affiliation_string":"Delft University of Technology, Delft, Netherlands","institution_ids":["https://openalex.org/I98358874"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5012946294","display_name":"Michel van Eeten","orcid":"https://orcid.org/0000-0002-0338-2812"},"institutions":[{"id":"https://openalex.org/I98358874","display_name":"Delft University of Technology","ror":"https://ror.org/02e2c7k09","country_code":"NL","type":"education","lineage":["https://openalex.org/I98358874"]}],"countries":["NL"],"is_corresponding":false,"raw_author_name":"Michel van Eeten","raw_affiliation_strings":["Delft University of Technology, Delft, Netherlands"],"affiliations":[{"raw_affiliation_string":"Delft University of Technology, Delft, Netherlands","institution_ids":["https://openalex.org/I98358874"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5048211807","display_name":"Carlos Ga\u00f1\u00e1n","orcid":"https://orcid.org/0000-0002-4699-3007"},"institutions":[{"id":"https://openalex.org/I98358874","display_name":"Delft University of Technology","ror":"https://ror.org/02e2c7k09","country_code":"NL","type":"education","lineage":["https://openalex.org/I98358874"]}],"countries":["NL"],"is_corresponding":false,"raw_author_name":"Carlos Ga\u00f1\u00e1n","raw_affiliation_strings":["Delft University of Technology, Delft, Netherlands"],"affiliations":[{"raw_affiliation_string":"Delft University of Technology, Delft, Netherlands","institution_ids":["https://openalex.org/I98358874"]}]}],"institutions":[],"countries_distinct_count":1,"institutions_distinct_count":3,"corresponding_author_ids":["https://openalex.org/A5065041795"],"corresponding_institution_ids":["https://openalex.org/I98358874"],"apc_list":null,"apc_paid":null,"fwci":1.0799,"has_fulltext":true,"cited_by_count":6,"citation_normalized_percentile":{"value":0.71774194,"is_in_top_1_percent":false,"is_in_top_10_percent":false},"cited_by_percentile_year":{"min":89,"max":99},"biblio":{"volume":null,"issue":null,"first_page":"799","last_page":"814"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T10400","display_name":"Network Security and Intrusion Detection","score":1.0,"subfield":{"id":"https://openalex.org/subfields/1705","display_name":"Computer Networks and Communications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T10400","display_name":"Network Security and Intrusion Detection","score":1.0,"subfield":{"id":"https://openalex.org/subfields/1705","display_name":"Computer Networks and Communications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T12326","display_name":"Network Packet Processing and Optimization","score":0.9995999932289124,"subfield":{"id":"https://openalex.org/subfields/1708","display_name":"Hardware and Architecture"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11598","display_name":"Internet Traffic Analysis and Secure E-voting","score":0.9994999766349792,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/intrusion-detection-system","display_name":"Intrusion detection system","score":0.6820811033248901},{"id":"https://openalex.org/keywords/false-positive-paradox","display_name":"False positive paradox","score":0.6096512675285339},{"id":"https://openalex.org/keywords/computer-science","display_name":"Computer science","score":0.60307377576828},{"id":"https://openalex.org/keywords/attack-patterns","display_name":"Attack patterns","score":0.5470406413078308},{"id":"https://openalex.org/keywords/computer-security","display_name":"Computer security","score":0.5260921716690063},{"id":"https://openalex.org/keywords/demise","display_name":"Demise","score":0.525365948677063},{"id":"https://openalex.org/keywords/categorization","display_name":"Categorization","score":0.5190661549568176},{"id":"https://openalex.org/keywords/service","display_name":"Service (business)","score":0.4802558720111847},{"id":"https://openalex.org/keywords/compromise","display_name":"Compromise","score":0.4687010943889618},{"id":"https://openalex.org/keywords/minor","display_name":"Minor (academic)","score":0.46626266837120056},{"id":"https://openalex.org/keywords/risk-management","display_name":"Risk management","score":0.43838179111480713},{"id":"https://openalex.org/keywords/network-security","display_name":"Network security","score":0.4329547584056854},{"id":"https://openalex.org/keywords/data-mining","display_name":"Data mining","score":0.4087332487106323},{"id":"https://openalex.org/keywords/data-science","display_name":"Data science","score":0.32087868452072144},{"id":"https://openalex.org/keywords/artificial-intelligence","display_name":"Artificial intelligence","score":0.16516122221946716},{"id":"https://openalex.org/keywords/business","display_name":"Business","score":0.14547979831695557},{"id":"https://openalex.org/keywords/law","display_name":"Law","score":0.09762418270111084}],"concepts":[{"id":"https://openalex.org/C35525427","wikidata":"https://www.wikidata.org/wiki/Q745881","display_name":"Intrusion detection system","level":2,"score":0.6820811033248901},{"id":"https://openalex.org/C64869954","wikidata":"https://www.wikidata.org/wiki/Q1859747","display_name":"False positive paradox","level":2,"score":0.6096512675285339},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.60307377576828},{"id":"https://openalex.org/C2780741293","wikidata":"https://www.wikidata.org/wiki/Q4818019","display_name":"Attack patterns","level":3,"score":0.5470406413078308},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.5260921716690063},{"id":"https://openalex.org/C2777720223","wikidata":"https://www.wikidata.org/wiki/Q5255430","display_name":"Demise","level":2,"score":0.525365948677063},{"id":"https://openalex.org/C94124525","wikidata":"https://www.wikidata.org/wiki/Q912550","display_name":"Categorization","level":2,"score":0.5190661549568176},{"id":"https://openalex.org/C2780378061","wikidata":"https://www.wikidata.org/wiki/Q25351891","display_name":"Service (business)","level":2,"score":0.4802558720111847},{"id":"https://openalex.org/C46355384","wikidata":"https://www.wikidata.org/wiki/Q726686","display_name":"Compromise","level":2,"score":0.4687010943889618},{"id":"https://openalex.org/C2779760435","wikidata":"https://www.wikidata.org/wiki/Q5396169","display_name":"Minor (academic)","level":2,"score":0.46626266837120056},{"id":"https://openalex.org/C32896092","wikidata":"https://www.wikidata.org/wiki/Q189447","display_name":"Risk management","level":2,"score":0.43838179111480713},{"id":"https://openalex.org/C182590292","wikidata":"https://www.wikidata.org/wiki/Q989632","display_name":"Network security","level":2,"score":0.4329547584056854},{"id":"https://openalex.org/C124101348","wikidata":"https://www.wikidata.org/wiki/Q172491","display_name":"Data mining","level":1,"score":0.4087332487106323},{"id":"https://openalex.org/C2522767166","wikidata":"https://www.wikidata.org/wiki/Q2374463","display_name":"Data science","level":1,"score":0.32087868452072144},{"id":"https://openalex.org/C154945302","wikidata":"https://www.wikidata.org/wiki/Q11660","display_name":"Artificial intelligence","level":1,"score":0.16516122221946716},{"id":"https://openalex.org/C144133560","wikidata":"https://www.wikidata.org/wiki/Q4830453","display_name":"Business","level":0,"score":0.14547979831695557},{"id":"https://openalex.org/C199539241","wikidata":"https://www.wikidata.org/wiki/Q7748","display_name":"Law","level":1,"score":0.09762418270111084},{"id":"https://openalex.org/C10138342","wikidata":"https://www.wikidata.org/wiki/Q43015","display_name":"Finance","level":1,"score":0.0},{"id":"https://openalex.org/C162853370","wikidata":"https://www.wikidata.org/wiki/Q39809","display_name":"Marketing","level":1,"score":0.0},{"id":"https://openalex.org/C17744445","wikidata":"https://www.wikidata.org/wiki/Q36442","display_name":"Political science","level":0,"score":0.0}],"mesh":[],"locations_count":2,"locations":[{"id":"doi:10.1145/3488932.3517412","is_oa":true,"landing_page_url":"https://doi.org/10.1145/3488932.3517412","pdf_url":"https://dl.acm.org/doi/pdf/10.1145/3488932.3517412","source":{"id":"https://openalex.org/S4363609011","display_name":"Proceedings of the 2022 ACM on Asia Conference on Computer and Communications Security","issn_l":null,"issn":null,"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":null,"host_organization_name":null,"host_organization_lineage":[],"host_organization_lineage_names":[],"type":"conference"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 2022 ACM on Asia Conference on Computer and Communications Security","raw_type":"proceedings-article"},{"id":"pmh:oai:tudelft.nl:uuid:b8271b80-a38e-41f1-8455-a728040ce795","is_oa":false,"landing_page_url":"http://resolver.tudelft.nl/uuid:b8271b80-a38e-41f1-8455-a728040ce795","pdf_url":null,"source":{"id":"https://openalex.org/S4306400906","display_name":"Research Repository (Delft University of Technology)","issn_l":null,"issn":null,"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I98358874","host_organization_name":"Delft University of Technology","host_organization_lineage":["https://openalex.org/I98358874"],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":"","raw_type":"conference paper"}],"best_oa_location":{"id":"doi:10.1145/3488932.3517412","is_oa":true,"landing_page_url":"https://doi.org/10.1145/3488932.3517412","pdf_url":"https://dl.acm.org/doi/pdf/10.1145/3488932.3517412","source":{"id":"https://openalex.org/S4363609011","display_name":"Proceedings of the 2022 ACM on Asia Conference on Computer and Communications Security","issn_l":null,"issn":null,"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":null,"host_organization_name":null,"host_organization_lineage":[],"host_organization_lineage_names":[],"type":"conference"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 2022 ACM on Asia Conference on Computer and Communications Security","raw_type":"proceedings-article"},"sustainable_development_goals":[{"display_name":"Peace, Justice and strong institutions","id":"https://metadata.un.org/sdg/16","score":0.6399999856948853}],"awards":[{"id":"https://openalex.org/G2931968922","display_name":null,"funder_award_id":"FA8750-19-1-0152","funder_id":"https://openalex.org/F4320338294","funder_display_name":"Air Force Research Laboratory"}],"funders":[{"id":"https://openalex.org/F4320338294","display_name":"Air Force Research Laboratory","ror":"https://ror.org/02e2egq70"}],"has_content":{"grobid_xml":true,"pdf":true},"content_urls":{"pdf":"https://content.openalex.org/works/W4281391324.pdf","grobid_xml":"https://content.openalex.org/works/W4281391324.grobid-xml"},"referenced_works_count":12,"referenced_works":["https://openalex.org/W1986121650","https://openalex.org/W2026372785","https://openalex.org/W2034362794","https://openalex.org/W2078910959","https://openalex.org/W2098691354","https://openalex.org/W2099218848","https://openalex.org/W2108196245","https://openalex.org/W2765181145","https://openalex.org/W2783741806","https://openalex.org/W2963197901","https://openalex.org/W4240886128","https://openalex.org/W4253767040"],"related_works":["https://openalex.org/W2801622120","https://openalex.org/W2164141394","https://openalex.org/W4240977217","https://openalex.org/W3036524962","https://openalex.org/W2161225422","https://openalex.org/W4281398169","https://openalex.org/W2358069691","https://openalex.org/W4367591269","https://openalex.org/W2992161509","https://openalex.org/W3027216454"],"abstract_inverted_index":{"Notwithstanding":[0],"the":[1,13,22,53,57,63,142,167,198,203,238],"predicted":[2],"demise":[3],"of":[4,12,15,24,55,81,91,112,118,145,157,166,174,202,205],"signature-based":[5],"network":[6],"monitoring,":[7],"it":[8],"is":[9,104,209,222],"still":[10],"part":[11],"bedrock":[14],"security":[16],"operations.":[17],"Rulesets":[18],"are":[19,160,215],"fundamental":[20],"to":[21,48,88,133,179,197],"efficacy":[23],"Network":[25],"Intrusion":[26],"Detection":[27],"Systems":[28],"(NIDS).":[29],"Yet,":[30],"they":[31,60,120],"have":[32],"rarely":[33],"been":[34],"studied":[35],"in":[36,110,228,242],"production":[37],"environments.":[38],"We":[39,68,93,152],"partner":[40],"with":[41,234,263],"a":[42,70,149,210,220],"Managed":[43],"Security":[44],"Service":[45],"Provider":[46],"(MSSP)":[47],"gain":[49],"more":[50,126,163],"insight":[51],"into":[52],"evolution":[54],"rulesets,":[56],"alerts":[58,130,168,176],"that":[59,65,79,95,154,252],"trigger":[61],"and":[62,76,85,131,169,171,192,218,255,266],"incidents":[64,170],"get":[66],"investigated.":[67],"analyze":[69],"combined":[71,123],"ruleset":[72,124,256],"--including":[73],"both":[74],"commercial":[75,261],"proprietary":[77],"rules--":[78],"consists":[80],"130":[82],"thousand":[83,135],"rules":[84,146,159,208,214,262,268],"was":[86],"used":[87],"monitor":[89],"hundreds":[90],"networks.":[92],"find":[94,153],"these":[96],"rulesets":[97],"keep":[98],"growing":[99],"over":[100],"time":[101],"but":[102],"there":[103],"almost":[105],"no":[106],"overlap":[107],"among":[108],"them":[109],"terms":[111],"detection":[113],"options":[114],"or":[115],"what":[116],"indicators":[117],"compromise":[119],"contain.":[121],"The":[122],"triggered":[125,148],"than":[127,164],"62":[128],"million":[129],"led":[132],"150":[134],"incident":[136],"investigations":[137],"by":[138],"SOC":[139],"analysts,":[140],"though":[141],"vast":[143],"majority":[144],"never":[147,216],"single":[150],"alert.":[151],"just":[155],"0.5%":[156],"all":[158,175,184],"responsible":[161],"for":[162,225],"80%":[165],"only":[172,219],"1.2%":[173],"were":[177,187],"deemed":[178],"merit":[180],"closer":[181],"investigation.":[182],"Of":[183],"incidents,":[185],"16%":[186],"labeled":[188],"as":[189,259,269,271],"false":[190],"positives":[191],"9%":[193],"carried":[194],"significant":[195],"risk":[196],"client":[199],"organization.":[200],"Independently":[201],"type":[204],"rule,":[206],"updating":[207],"minor":[211],"activity.":[212],"Most":[213],"modified":[217],"fraction":[221],"deleted,":[223],"except":[224],"periodic":[226],"purges":[227],"some":[229],"sets.":[230],"Seven":[231],"in-depth":[232],"interviews":[233],"rule":[235,249,254],"developers":[236],"corroborate":[237],"patterns":[239],"we":[240,246],"found":[241],"our":[243],"analysis.":[244],"Finally,":[245],"identify":[247],"several":[248],"management":[250],"practices":[251],"influence":[253],"efficacy,":[257],"such":[258],"supplementing":[260],"your":[264],"own":[265],"making":[267],"specific":[270],"possible.":[272]},"counts_by_year":[{"year":2026,"cited_by_count":1},{"year":2025,"cited_by_count":3},{"year":2024,"cited_by_count":1},{"year":2023,"cited_by_count":1}],"updated_date":"2025-11-06T03:46:38.306776","created_date":"2022-05-25T00:00:00"}