{"id":"https://openalex.org/W4388867285","doi":"https://doi.org/10.1145/3576915.3616581","title":"Alert Alchemy: SOC Workflows and Decisions in the Management of NIDS Rules","display_name":"Alert Alchemy: SOC Workflows and Decisions in the Management of NIDS Rules","publication_year":2023,"publication_date":"2023-11-15","ids":{"openalex":"https://openalex.org/W4388867285","doi":"https://doi.org/10.1145/3576915.3616581"},"language":"en","primary_location":{"id":"doi:10.1145/3576915.3616581","is_oa":true,"landing_page_url":"https://doi.org/10.1145/3576915.3616581","pdf_url":"https://dl.acm.org/doi/pdf/10.1145/3576915.3616581","source":null,"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security","raw_type":"proceedings-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":true,"oa_status":"gold","oa_url":"https://dl.acm.org/doi/pdf/10.1145/3576915.3616581","any_repository_has_fulltext":true},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5065041795","display_name":"Mathew Vermeer","orcid":"https://orcid.org/0009-0008-8460-1466"},"institutions":[{"id":"https://openalex.org/I98358874","display_name":"Delft University of Technology","ror":"https://ror.org/02e2c7k09","country_code":"NL","type":"education","lineage":["https://openalex.org/I98358874"]}],"countries":["NL"],"is_corresponding":true,"raw_author_name":"Mathew Vermeer","raw_affiliation_strings":["Delft University of Technology, Delft, Netherlands"],"raw_orcid":"https://orcid.org/0009-0008-8460-1466","affiliations":[{"raw_affiliation_string":"Delft University of Technology, Delft, Netherlands","institution_ids":["https://openalex.org/I98358874"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5037666673","display_name":"Natalia Kadenko","orcid":"https://orcid.org/0000-0001-8831-6744"},"institutions":[{"id":"https://openalex.org/I98358874","display_name":"Delft University of Technology","ror":"https://ror.org/02e2c7k09","country_code":"NL","type":"education","lineage":["https://openalex.org/I98358874"]}],"countries":["NL"],"is_corresponding":false,"raw_author_name":"Natalia Kadenko","raw_affiliation_strings":["Delft University of Technology, Delft, Netherlands"],"raw_orcid":"https://orcid.org/0000-0001-8831-6744","affiliations":[{"raw_affiliation_string":"Delft University of Technology, Delft, Netherlands","institution_ids":["https://openalex.org/I98358874"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5012946294","display_name":"Michel van Eeten","orcid":"https://orcid.org/0000-0002-0338-2812"},"institutions":[{"id":"https://openalex.org/I98358874","display_name":"Delft University of Technology","ror":"https://ror.org/02e2c7k09","country_code":"NL","type":"education","lineage":["https://openalex.org/I98358874"]}],"countries":["NL"],"is_corresponding":false,"raw_author_name":"Michel van Eeten","raw_affiliation_strings":["Delft University of Technology, Delft, Netherlands"],"raw_orcid":"https://orcid.org/0000-0002-0338-2812","affiliations":[{"raw_affiliation_string":"Delft University of Technology, Delft, Netherlands","institution_ids":["https://openalex.org/I98358874"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5048211807","display_name":"Carlos Ga\u00f1\u00e1n","orcid":"https://orcid.org/0000-0002-4699-3007"},"institutions":[{"id":"https://openalex.org/I98358874","display_name":"Delft University of Technology","ror":"https://ror.org/02e2c7k09","country_code":"NL","type":"education","lineage":["https://openalex.org/I98358874"]}],"countries":["NL"],"is_corresponding":false,"raw_author_name":"Carlos Ga\u00f1\u00e1n","raw_affiliation_strings":["Delft University of Technology, Delft, Netherlands"],"raw_orcid":"https://orcid.org/0000-0002-4699-3007","affiliations":[{"raw_affiliation_string":"Delft University of Technology, Delft, Netherlands","institution_ids":["https://openalex.org/I98358874"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5016771481","display_name":"Simon Parkin","orcid":"https://orcid.org/0000-0002-6667-0440"},"institutions":[{"id":"https://openalex.org/I98358874","display_name":"Delft University of Technology","ror":"https://ror.org/02e2c7k09","country_code":"NL","type":"education","lineage":["https://openalex.org/I98358874"]}],"countries":["NL"],"is_corresponding":false,"raw_author_name":"Simon Parkin","raw_affiliation_strings":["Delft University of Technology, Delft, Netherlands"],"raw_orcid":"https://orcid.org/0000-0002-6667-0440","affiliations":[{"raw_affiliation_string":"Delft University of Technology, Delft, Netherlands","institution_ids":["https://openalex.org/I98358874"]}]}],"institutions":[],"countries_distinct_count":1,"institutions_distinct_count":5,"corresponding_author_ids":["https://openalex.org/A5065041795"],"corresponding_institution_ids":["https://openalex.org/I98358874"],"apc_list":null,"apc_paid":null,"fwci":3.148,"has_fulltext":true,"cited_by_count":16,"citation_normalized_percentile":{"value":0.92346647,"is_in_top_1_percent":false,"is_in_top_10_percent":true},"cited_by_percentile_year":{"min":94,"max":100},"biblio":{"volume":null,"issue":null,"first_page":"2770","last_page":"2784"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T10400","display_name":"Network Security and Intrusion Detection","score":1.0,"subfield":{"id":"https://openalex.org/subfields/1705","display_name":"Computer Networks and Communications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T10400","display_name":"Network Security and Intrusion Detection","score":1.0,"subfield":{"id":"https://openalex.org/subfields/1705","display_name":"Computer Networks and Communications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10734","display_name":"Information and Cyber Security","score":0.9994000196456909,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.9980999827384949,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/intrusion-detection-system","display_name":"Intrusion detection system","score":0.7177789211273193},{"id":"https://openalex.org/keywords/computer-science","display_name":"Computer science","score":0.6819934248924255},{"id":"https://openalex.org/keywords/workflow","display_name":"Workflow","score":0.6768942475318909},{"id":"https://openalex.org/keywords/computer-security","display_name":"Computer security","score":0.5291624069213867},{"id":"https://openalex.org/keywords/network-management","display_name":"Network management","score":0.5106943249702454},{"id":"https://openalex.org/keywords/network-security","display_name":"Network security","score":0.5051029324531555},{"id":"https://openalex.org/keywords/network-monitoring","display_name":"Network monitoring","score":0.48503702878952026},{"id":"https://openalex.org/keywords/false-positive-paradox","display_name":"False positive paradox","score":0.46610674262046814},{"id":"https://openalex.org/keywords/service","display_name":"Service (business)","score":0.46428099274635315},{"id":"https://openalex.org/keywords/risk-analysis","display_name":"Risk analysis (engineering)","score":0.36621779203414917},{"id":"https://openalex.org/keywords/knowledge-management","display_name":"Knowledge management","score":0.3214814364910126},{"id":"https://openalex.org/keywords/artificial-intelligence","display_name":"Artificial intelligence","score":0.1485971212387085},{"id":"https://openalex.org/keywords/computer-network","display_name":"Computer network","score":0.13536235690116882},{"id":"https://openalex.org/keywords/business","display_name":"Business","score":0.10423398017883301}],"concepts":[{"id":"https://openalex.org/C35525427","wikidata":"https://www.wikidata.org/wiki/Q745881","display_name":"Intrusion detection system","level":2,"score":0.7177789211273193},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.6819934248924255},{"id":"https://openalex.org/C177212765","wikidata":"https://www.wikidata.org/wiki/Q627335","display_name":"Workflow","level":2,"score":0.6768942475318909},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.5291624069213867},{"id":"https://openalex.org/C129763632","wikidata":"https://www.wikidata.org/wiki/Q1454667","display_name":"Network management","level":2,"score":0.5106943249702454},{"id":"https://openalex.org/C182590292","wikidata":"https://www.wikidata.org/wiki/Q989632","display_name":"Network security","level":2,"score":0.5051029324531555},{"id":"https://openalex.org/C81877898","wikidata":"https://www.wikidata.org/wiki/Q1965787","display_name":"Network monitoring","level":2,"score":0.48503702878952026},{"id":"https://openalex.org/C64869954","wikidata":"https://www.wikidata.org/wiki/Q1859747","display_name":"False positive paradox","level":2,"score":0.46610674262046814},{"id":"https://openalex.org/C2780378061","wikidata":"https://www.wikidata.org/wiki/Q25351891","display_name":"Service (business)","level":2,"score":0.46428099274635315},{"id":"https://openalex.org/C112930515","wikidata":"https://www.wikidata.org/wiki/Q4389547","display_name":"Risk analysis (engineering)","level":1,"score":0.36621779203414917},{"id":"https://openalex.org/C56739046","wikidata":"https://www.wikidata.org/wiki/Q192060","display_name":"Knowledge management","level":1,"score":0.3214814364910126},{"id":"https://openalex.org/C154945302","wikidata":"https://www.wikidata.org/wiki/Q11660","display_name":"Artificial intelligence","level":1,"score":0.1485971212387085},{"id":"https://openalex.org/C31258907","wikidata":"https://www.wikidata.org/wiki/Q1301371","display_name":"Computer network","level":1,"score":0.13536235690116882},{"id":"https://openalex.org/C144133560","wikidata":"https://www.wikidata.org/wiki/Q4830453","display_name":"Business","level":0,"score":0.10423398017883301},{"id":"https://openalex.org/C162853370","wikidata":"https://www.wikidata.org/wiki/Q39809","display_name":"Marketing","level":1,"score":0.0},{"id":"https://openalex.org/C77088390","wikidata":"https://www.wikidata.org/wiki/Q8513","display_name":"Database","level":1,"score":0.0}],"mesh":[],"locations_count":2,"locations":[{"id":"doi:10.1145/3576915.3616581","is_oa":true,"landing_page_url":"https://doi.org/10.1145/3576915.3616581","pdf_url":"https://dl.acm.org/doi/pdf/10.1145/3576915.3616581","source":null,"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security","raw_type":"proceedings-article"},{"id":"pmh:oai:tudelft.nl:uuid:4f14241e-efd0-41bd-9b60-40f0303fb928","is_oa":true,"landing_page_url":"http://resolver.tudelft.nl/uuid:4f14241e-efd0-41bd-9b60-40f0303fb928","pdf_url":null,"source":{"id":"https://openalex.org/S4306400906","display_name":"Research Repository (Delft University of Technology)","issn_l":null,"issn":null,"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I98358874","host_organization_name":"Delft University of Technology","host_organization_lineage":["https://openalex.org/I98358874"],"host_organization_lineage_names":[],"type":"repository"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":"","raw_type":"conference paper"}],"best_oa_location":{"id":"doi:10.1145/3576915.3616581","is_oa":true,"landing_page_url":"https://doi.org/10.1145/3576915.3616581","pdf_url":"https://dl.acm.org/doi/pdf/10.1145/3576915.3616581","source":null,"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security","raw_type":"proceedings-article"},"sustainable_development_goals":[],"awards":[{"id":"https://openalex.org/G2931968922","display_name":null,"funder_award_id":"FA8750-19-1-0152","funder_id":"https://openalex.org/F4320338294","funder_display_name":"Air Force Research Laboratory"},{"id":"https://openalex.org/G4937468798","display_name":null,"funder_award_id":"H2020","funder_id":"https://openalex.org/F4320320300","funder_display_name":"European Commission"},{"id":"https://openalex.org/G5356549776","display_name":null,"funder_award_id":"830929","funder_id":"https://openalex.org/F4320320300","funder_display_name":"European Commission"},{"id":"https://openalex.org/G6384328479","display_name":null,"funder_award_id":"830929","funder_id":"https://openalex.org/F4320332999","funder_display_name":"Horizon 2020 Framework Programme"}],"funders":[{"id":"https://openalex.org/F4320320300","display_name":"European Commission","ror":"https://ror.org/00k4n6c32"},{"id":"https://openalex.org/F4320332999","display_name":"Horizon 2020 Framework Programme","ror":"https://ror.org/00k4n6c32"},{"id":"https://openalex.org/F4320338294","display_name":"Air Force Research Laboratory","ror":"https://ror.org/02e2egq70"}],"has_content":{"grobid_xml":true,"pdf":true},"content_urls":{"pdf":"https://content.openalex.org/works/W4388867285.pdf","grobid_xml":"https://content.openalex.org/works/W4388867285.grobid-xml"},"referenced_works_count":20,"referenced_works":["https://openalex.org/W1986121650","https://openalex.org/W2783741806","https://openalex.org/W2893240802","https://openalex.org/W2901413379","https://openalex.org/W2903094299","https://openalex.org/W2944277663","https://openalex.org/W2952657082","https://openalex.org/W2963197901","https://openalex.org/W2986291326","https://openalex.org/W2996415795","https://openalex.org/W3007705818","https://openalex.org/W3008066310","https://openalex.org/W3108159510","https://openalex.org/W4206672341","https://openalex.org/W4253388879","https://openalex.org/W4253767040","https://openalex.org/W4281391324","https://openalex.org/W4283710164","https://openalex.org/W4308632271","https://openalex.org/W4388867283"],"related_works":["https://openalex.org/W2061466315","https://openalex.org/W2376886931","https://openalex.org/W1992118813","https://openalex.org/W2010561419","https://openalex.org/W2374845301","https://openalex.org/W2351448539","https://openalex.org/W2378302710","https://openalex.org/W1977863481","https://openalex.org/W2384741105","https://openalex.org/W2380400043"],"abstract_inverted_index":{"Signature-based":[0],"network":[1,7,17,74,100,109,141],"intrusion":[2,8,75],"detection":[3,220],"systems":[4,10,159],"(NIDSs)":[5],"and":[6,52,69,121,126,195,202,224],"prevention":[9],"(NIPSs)":[11],"remain":[12],"at":[13,89],"the":[14,21,63,66,162,169,211,231],"heart":[15],"of":[16,71,124,140,171,204,213,233],"defense,":[18],"along":[19],"with":[20,84],"rules":[22,30,48,72],"that":[23,98,129,160,185],"enable":[24],"them":[25],"to":[26,36,177,190,198,221,229],"detect":[27],"threats.":[28],"These":[29,137,207],"allow":[31,196],"Security":[32,91],"Operation":[33],"Centers":[34],"(SOCs)":[35],"properly":[37],"defend":[38],"a":[39,103],"network,":[40],"yet":[41],"we":[42,61,81,181],"know":[43],"almost":[44],"nothing":[45],"about":[46],"how":[47],"are":[49],"created,":[50],"evaluated":[51],"managed":[53],"from":[54,219],"an":[55],"organizational":[56,227],"standpoint.":[57],"In":[58],"this":[59],"work,":[60,152],"analyze":[62],"processes":[64,143,228],"surrounding":[65],"creation,":[67],"management,":[68],"acquisition":[70],"for":[73],"detection.":[76],"To":[77],"understand":[78],"these":[79,187],"processes,":[80],"conducted":[82],"interviews":[83],"17":[85],"professionals":[86],"who":[87],"work":[88],"Managed":[90],"Service":[92],"Providers":[93],"(MSSPs)":[94],"or":[95,105],"other":[96],"organizations":[97],"provide":[99],"monitoring":[101,110,142],"as":[102,118,148],"service":[104],"conduct":[106],"their":[107,133],"own":[108],"internally.":[111],"We":[112],"discovered":[113],"numerous":[114],"critical":[115],"factors,":[116],"such":[117],"rule":[119,134,222],"specificity":[120,212],"total":[122],"number":[123,170],"alerts":[125,173],"false":[127],"positives,":[128],"guide":[130],"SOCs":[131,197],"in":[132],"management":[135],"processes.":[136],"lower-level":[138,188],"aspects":[139,189],"have":[144],"generally":[145],"been":[146],"regarded":[147],"immutable":[149],"by":[150,166],"prior":[151],"which":[153],"has":[154],"mainly":[155],"focused":[156],"on":[157],"designing":[158],"handle":[161],"resulting":[163],"alert":[164,193],"flows":[165],"dynamically":[167],"reducing":[168],"noisy":[172],"SOC":[174],"analysts":[175],"need":[176],"sift":[178],"through.":[179],"Instead,":[180],"present":[182],"several":[183],"recommendations":[184,208],"address":[186],"help":[191],"improve":[192,230],"quality":[194],"better":[199],"optimize":[200],"workflows":[201],"use":[203],"available":[205],"resources.":[206],"include":[209],"increasing":[210],"rules,":[214],"explicitly":[215],"defining":[216],"feedback":[217],"loops":[218],"development,":[223],"setting":[225],"up":[226],"transfer":[232],"tacit":[234],"knowledge.":[235]},"counts_by_year":[{"year":2026,"cited_by_count":1},{"year":2025,"cited_by_count":13},{"year":2024,"cited_by_count":2}],"updated_date":"2025-11-06T03:46:38.306776","created_date":"2025-10-10T00:00:00"}