{"id":"https://openalex.org/W4387298311","doi":"https://doi.org/10.1145/3607199.3607247","title":"Towards Understanding Alerts raised by Unsupervised Network Intrusion Detection Systems","display_name":"Towards Understanding Alerts raised by Unsupervised Network Intrusion Detection Systems","publication_year":2023,"publication_date":"2023-10-03","ids":{"openalex":"https://openalex.org/W4387298311","doi":"https://doi.org/10.1145/3607199.3607247"},"language":"en","primary_location":{"id":"doi:10.1145/3607199.3607247","is_oa":false,"landing_page_url":"https://doi.org/10.1145/3607199.3607247","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 26th International Symposium on Research in Attacks, Intrusions and Defenses","raw_type":"proceedings-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":true,"oa_status":"green","oa_url":"https://hal.science/hal-04172470/document","any_repository_has_fulltext":true},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5026663577","display_name":"Maxime Lanvin","orcid":"https://orcid.org/0009-0001-0368-2153"},"institutions":[{"id":"https://openalex.org/I2802519937","display_name":"Institut de Recherche en Informatique et Syst\u00e8mes Al\u00e9atoires","ror":"https://ror.org/00myn0z94","country_code":"FR","type":"facility","lineage":["https://openalex.org/I1294671590","https://openalex.org/I1294671590","https://openalex.org/I1326498283","https://openalex.org/I205703379","https://openalex.org/I2802204017","https://openalex.org/I2802519937","https://openalex.org/I28221208","https://openalex.org/I4210127572","https://openalex.org/I4210159245","https://openalex.org/I56067802"]},{"id":"https://openalex.org/I4210107720","display_name":"CentraleSup\u00e9lec","ror":"https://ror.org/019tcpt25","country_code":"FR","type":"facility","lineage":["https://openalex.org/I277688954","https://openalex.org/I4210107720"]},{"id":"https://openalex.org/I56067802","display_name":"Universit\u00e9 de Rennes","ror":"https://ror.org/015m7wh34","country_code":"FR","type":"education","lineage":["https://openalex.org/I56067802"]}],"countries":["FR"],"is_corresponding":true,"raw_author_name":"Maxime Lanvin","raw_affiliation_strings":["CentraleSup\u00e9lec, Univ. Rennes, IRISA, France"],"raw_orcid":"https://orcid.org/0009-0001-0368-2153","affiliations":[{"raw_affiliation_string":"CentraleSup\u00e9lec, Univ. Rennes, IRISA, France","institution_ids":["https://openalex.org/I4210107720","https://openalex.org/I2802519937","https://openalex.org/I56067802"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5083520169","display_name":"Pierre-Fran\u00e7ois Gimenez","orcid":"https://orcid.org/0000-0002-4238-4423"},"institutions":[{"id":"https://openalex.org/I2802519937","display_name":"Institut de Recherche en Informatique et Syst\u00e8mes Al\u00e9atoires","ror":"https://ror.org/00myn0z94","country_code":"FR","type":"facility","lineage":["https://openalex.org/I1294671590","https://openalex.org/I1294671590","https://openalex.org/I1326498283","https://openalex.org/I205703379","https://openalex.org/I2802204017","https://openalex.org/I2802519937","https://openalex.org/I28221208","https://openalex.org/I4210127572","https://openalex.org/I4210159245","https://openalex.org/I56067802"]},{"id":"https://openalex.org/I4210107720","display_name":"CentraleSup\u00e9lec","ror":"https://ror.org/019tcpt25","country_code":"FR","type":"facility","lineage":["https://openalex.org/I277688954","https://openalex.org/I4210107720"]},{"id":"https://openalex.org/I56067802","display_name":"Universit\u00e9 de Rennes","ror":"https://ror.org/015m7wh34","country_code":"FR","type":"education","lineage":["https://openalex.org/I56067802"]}],"countries":["FR"],"is_corresponding":false,"raw_author_name":"Pierre-Fran\u00e7ois Gimenez","raw_affiliation_strings":["CentraleSup\u00e9lec, Univ. Rennes, IRISA, France"],"raw_orcid":"https://orcid.org/0000-0002-4238-4423","affiliations":[{"raw_affiliation_string":"CentraleSup\u00e9lec, Univ. Rennes, IRISA, France","institution_ids":["https://openalex.org/I4210107720","https://openalex.org/I2802519937","https://openalex.org/I56067802"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5001937964","display_name":"Yufei Han","orcid":"https://orcid.org/0000-0002-9035-6718"},"institutions":[{"id":"https://openalex.org/I1326498283","display_name":"Institut national de recherche en sciences et technologies du num\u00e9rique","ror":"https://ror.org/02kvxyf05","country_code":"FR","type":"government","lineage":["https://openalex.org/I1326498283"]},{"id":"https://openalex.org/I2802519937","display_name":"Institut de Recherche en Informatique et Syst\u00e8mes Al\u00e9atoires","ror":"https://ror.org/00myn0z94","country_code":"FR","type":"facility","lineage":["https://openalex.org/I1294671590","https://openalex.org/I1294671590","https://openalex.org/I1326498283","https://openalex.org/I205703379","https://openalex.org/I2802204017","https://openalex.org/I2802519937","https://openalex.org/I28221208","https://openalex.org/I4210127572","https://openalex.org/I4210159245","https://openalex.org/I56067802"]},{"id":"https://openalex.org/I56067802","display_name":"Universit\u00e9 de Rennes","ror":"https://ror.org/015m7wh34","country_code":"FR","type":"education","lineage":["https://openalex.org/I56067802"]}],"countries":["FR"],"is_corresponding":false,"raw_author_name":"Yufei Han","raw_affiliation_strings":["Inria, Univ. Rennes, IRISA, France"],"raw_orcid":"https://orcid.org/0000-0002-9035-6718","affiliations":[{"raw_affiliation_string":"Inria, Univ. Rennes, IRISA, France","institution_ids":["https://openalex.org/I2802519937","https://openalex.org/I56067802","https://openalex.org/I1326498283"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5104651631","display_name":"Fr\u00e9d\u00e9ric Majorczyk","orcid":"https://orcid.org/0009-0008-9558-397X"},"institutions":[{"id":"https://openalex.org/I2802519937","display_name":"Institut de Recherche en Informatique et Syst\u00e8mes Al\u00e9atoires","ror":"https://ror.org/00myn0z94","country_code":"FR","type":"facility","lineage":["https://openalex.org/I1294671590","https://openalex.org/I1294671590","https://openalex.org/I1326498283","https://openalex.org/I205703379","https://openalex.org/I2802204017","https://openalex.org/I2802519937","https://openalex.org/I28221208","https://openalex.org/I4210127572","https://openalex.org/I4210159245","https://openalex.org/I56067802"]},{"id":"https://openalex.org/I56067802","display_name":"Universit\u00e9 de Rennes","ror":"https://ror.org/015m7wh34","country_code":"FR","type":"education","lineage":["https://openalex.org/I56067802"]}],"countries":["FR"],"is_corresponding":false,"raw_author_name":"Fr\u00e9d\u00e9ric Majorczyk","raw_affiliation_strings":["DGA-MI, Univ. Rennes, IRISA, France"],"raw_orcid":"https://orcid.org/0009-0008-9558-397X","affiliations":[{"raw_affiliation_string":"DGA-MI, Univ. Rennes, IRISA, France","institution_ids":["https://openalex.org/I2802519937","https://openalex.org/I56067802"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5104520545","display_name":"Ludovic M\u00e9","orcid":"https://orcid.org/0009-0002-1103-2430"},"institutions":[{"id":"https://openalex.org/I1326498283","display_name":"Institut national de recherche en sciences et technologies du num\u00e9rique","ror":"https://ror.org/02kvxyf05","country_code":"FR","type":"government","lineage":["https://openalex.org/I1326498283"]},{"id":"https://openalex.org/I56067802","display_name":"Universit\u00e9 de Rennes","ror":"https://ror.org/015m7wh34","country_code":"FR","type":"education","lineage":["https://openalex.org/I56067802"]}],"countries":["FR"],"is_corresponding":false,"raw_author_name":"Ludovic M\u00e9","raw_affiliation_strings":["Inria, Univ. Rennes, France, France"],"raw_orcid":"https://orcid.org/0009-0002-1103-2430","affiliations":[{"raw_affiliation_string":"Inria, Univ. Rennes, France, France","institution_ids":["https://openalex.org/I56067802","https://openalex.org/I1326498283"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5034190175","display_name":"\u00c9ric Totel","orcid":"https://orcid.org/0009-0009-2774-007X"},"institutions":[{"id":"https://openalex.org/I4210145102","display_name":"Institut Polytechnique de Paris","ror":"https://ror.org/042tfbd02","country_code":"FR","type":"education","lineage":["https://openalex.org/I4210145102"]}],"countries":["FR"],"is_corresponding":false,"raw_author_name":"Eric Totel","raw_affiliation_strings":["Samovar, T\u00e9l\u00e9com SudParis, Institut Polytechnique de Paris, France"],"raw_orcid":"https://orcid.org/0009-0009-2774-007X","affiliations":[{"raw_affiliation_string":"Samovar, T\u00e9l\u00e9com SudParis, Institut Polytechnique de Paris, France","institution_ids":["https://openalex.org/I4210145102"]}]}],"institutions":[],"countries_distinct_count":1,"institutions_distinct_count":6,"corresponding_author_ids":["https://openalex.org/A5026663577"],"corresponding_institution_ids":["https://openalex.org/I2802519937","https://openalex.org/I4210107720","https://openalex.org/I56067802"],"apc_list":null,"apc_paid":null,"fwci":1.1929,"has_fulltext":true,"cited_by_count":7,"citation_normalized_percentile":{"value":0.83341104,"is_in_top_1_percent":false,"is_in_top_10_percent":false},"cited_by_percentile_year":{"min":94,"max":98},"biblio":{"volume":null,"issue":null,"first_page":"135","last_page":"150"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11512","display_name":"Anomaly Detection Techniques and Applications","score":0.9991000294685364,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T11512","display_name":"Anomaly Detection Techniques and Applications","score":0.9991000294685364,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10400","display_name":"Network Security and Intrusion Detection","score":0.9977999925613403,"subfield":{"id":"https://openalex.org/subfields/1705","display_name":"Computer Networks and Communications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11689","display_name":"Adversarial Robustness in Machine Learning","score":0.9904000163078308,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/anomaly-detection","display_name":"Anomaly detection","score":0.8354313373565674},{"id":"https://openalex.org/keywords/intrusion-detection-system","display_name":"Intrusion detection system","score":0.8305425643920898},{"id":"https://openalex.org/keywords/computer-science","display_name":"Computer science","score":0.8100393414497375},{"id":"https://openalex.org/keywords/anomaly-based-intrusion-detection-system","display_name":"Anomaly-based intrusion detection system","score":0.5923863649368286},{"id":"https://openalex.org/keywords/anomaly","display_name":"Anomaly (physics)","score":0.5487422347068787},{"id":"https://openalex.org/keywords/network-security","display_name":"Network security","score":0.5261057019233704},{"id":"https://openalex.org/keywords/data-mining","display_name":"Data mining","score":0.4958218038082123},{"id":"https://openalex.org/keywords/artificial-intelligence","display_name":"Artificial intelligence","score":0.4773029088973999},{"id":"https://openalex.org/keywords/machine-learning","display_name":"Machine learning","score":0.4686042070388794},{"id":"https://openalex.org/keywords/autoencoder","display_name":"Autoencoder","score":0.4500270187854767},{"id":"https://openalex.org/keywords/attack-patterns","display_name":"Attack patterns","score":0.44737234711647034},{"id":"https://openalex.org/keywords/unsupervised-learning","display_name":"Unsupervised learning","score":0.4191751480102539},{"id":"https://openalex.org/keywords/computer-security","display_name":"Computer security","score":0.27789056301116943},{"id":"https://openalex.org/keywords/deep-learning","display_name":"Deep learning","score":0.2764459252357483}],"concepts":[{"id":"https://openalex.org/C739882","wikidata":"https://www.wikidata.org/wiki/Q3560506","display_name":"Anomaly detection","level":2,"score":0.8354313373565674},{"id":"https://openalex.org/C35525427","wikidata":"https://www.wikidata.org/wiki/Q745881","display_name":"Intrusion detection system","level":2,"score":0.8305425643920898},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.8100393414497375},{"id":"https://openalex.org/C137524506","wikidata":"https://www.wikidata.org/wiki/Q2247688","display_name":"Anomaly-based intrusion detection system","level":3,"score":0.5923863649368286},{"id":"https://openalex.org/C12997251","wikidata":"https://www.wikidata.org/wiki/Q567560","display_name":"Anomaly (physics)","level":2,"score":0.5487422347068787},{"id":"https://openalex.org/C182590292","wikidata":"https://www.wikidata.org/wiki/Q989632","display_name":"Network security","level":2,"score":0.5261057019233704},{"id":"https://openalex.org/C124101348","wikidata":"https://www.wikidata.org/wiki/Q172491","display_name":"Data mining","level":1,"score":0.4958218038082123},{"id":"https://openalex.org/C154945302","wikidata":"https://www.wikidata.org/wiki/Q11660","display_name":"Artificial intelligence","level":1,"score":0.4773029088973999},{"id":"https://openalex.org/C119857082","wikidata":"https://www.wikidata.org/wiki/Q2539","display_name":"Machine learning","level":1,"score":0.4686042070388794},{"id":"https://openalex.org/C101738243","wikidata":"https://www.wikidata.org/wiki/Q786435","display_name":"Autoencoder","level":3,"score":0.4500270187854767},{"id":"https://openalex.org/C2780741293","wikidata":"https://www.wikidata.org/wiki/Q4818019","display_name":"Attack patterns","level":3,"score":0.44737234711647034},{"id":"https://openalex.org/C8038995","wikidata":"https://www.wikidata.org/wiki/Q1152135","display_name":"Unsupervised learning","level":2,"score":0.4191751480102539},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.27789056301116943},{"id":"https://openalex.org/C108583219","wikidata":"https://www.wikidata.org/wiki/Q197536","display_name":"Deep learning","level":2,"score":0.2764459252357483},{"id":"https://openalex.org/C121332964","wikidata":"https://www.wikidata.org/wiki/Q413","display_name":"Physics","level":0,"score":0.0},{"id":"https://openalex.org/C26873012","wikidata":"https://www.wikidata.org/wiki/Q214781","display_name":"Condensed matter physics","level":1,"score":0.0}],"mesh":[],"locations_count":2,"locations":[{"id":"doi:10.1145/3607199.3607247","is_oa":false,"landing_page_url":"https://doi.org/10.1145/3607199.3607247","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 26th International Symposium on Research in Attacks, Intrusions and Defenses","raw_type":"proceedings-article"},{"id":"pmh:oai:HAL:hal-04172470v1","is_oa":true,"landing_page_url":"https://hal.science/hal-04172470","pdf_url":"https://hal.science/hal-04172470/document","source":{"id":"https://openalex.org/S4406922461","display_name":"SPIRE - Sciences Po Institutional REpository","issn_l":null,"issn":null,"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":null,"host_organization_name":null,"host_organization_lineage":[],"host_organization_lineage_names":[],"type":"repository"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":"The 26th International Symposium on Research in Attacks, Intrusions and Defenses (RAID ), Oct 2023, Hong Kong China, France. pp.135-150, &#x27E8;10.1145/3607199.3607247&#x27E9;","raw_type":"Conference papers"}],"best_oa_location":{"id":"pmh:oai:HAL:hal-04172470v1","is_oa":true,"landing_page_url":"https://hal.science/hal-04172470","pdf_url":"https://hal.science/hal-04172470/document","source":{"id":"https://openalex.org/S4406922461","display_name":"SPIRE - Sciences Po Institutional REpository","issn_l":null,"issn":null,"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":null,"host_organization_name":null,"host_organization_lineage":[],"host_organization_lineage_names":[],"type":"repository"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":"The 26th International Symposium on Research in Attacks, Intrusions and Defenses (RAID ), Oct 2023, Hong Kong China, France. pp.135-150, &#x27E8;10.1145/3607199.3607247&#x27E9;","raw_type":"Conference papers"},"sustainable_development_goals":[{"score":0.7200000286102295,"id":"https://metadata.un.org/sdg/16","display_name":"Peace, Justice and strong institutions"}],"awards":[],"funders":[],"has_content":{"pdf":true,"grobid_xml":true},"content_urls":{"pdf":"https://content.openalex.org/works/W4387298311.pdf","grobid_xml":"https://content.openalex.org/works/W4387298311.grobid-xml"},"referenced_works_count":20,"referenced_works":["https://openalex.org/W1991616145","https://openalex.org/W2116448239","https://openalex.org/W2282821441","https://openalex.org/W2789828921","https://openalex.org/W2891503716","https://openalex.org/W2947745012","https://openalex.org/W2969495950","https://openalex.org/W3041629534","https://openalex.org/W3093400437","https://openalex.org/W3093410479","https://openalex.org/W3117974500","https://openalex.org/W3191161603","https://openalex.org/W3211484264","https://openalex.org/W3214757078","https://openalex.org/W4210712437","https://openalex.org/W4213315959","https://openalex.org/W4224249813","https://openalex.org/W4307571902","https://openalex.org/W4309346044","https://openalex.org/W4312628478"],"related_works":["https://openalex.org/W2997921738","https://openalex.org/W2806873178","https://openalex.org/W2770818364","https://openalex.org/W2965146396","https://openalex.org/W2742053845","https://openalex.org/W2363068348","https://openalex.org/W2183239701","https://openalex.org/W2901647851","https://openalex.org/W2368329025","https://openalex.org/W2061466315"],"abstract_inverted_index":{"The":[0],"use":[1],"of":[2,23,85,173,189],"Machine":[3],"Learning":[4],"for":[5,38,65,112],"anomaly":[6,30,93,108,142],"detection":[7,15,68,94,143],"in":[8,139,176],"cyber":[9],"security-critical":[10],"applications,":[11],"such":[12],"as":[13],"intrusion":[14,56,125],"systems,":[16],"has":[17],"been":[18],"hindered":[19],"by":[20,90],"the":[21,27,67,83,86,99,113,130,140,150,165,177,186,190],"lack":[22],"explainability.":[24],"Without":[25],"understanding":[26],"reason":[28],"behind":[29],"alerts,":[31],"it":[32],"is":[33,63,80],"too":[34],"expensive":[35],"or":[36],"impossible":[37],"human":[39,181],"analysts":[40,183],"to":[41,128,184,196],"verify":[42],"and":[43,51,192],"identify":[44,170],"cyber-attacks.":[45],"Our":[46,96,145],"research":[47],"addresses":[48],"this":[49],"challenge":[50],"focuses":[52],"on":[53,82],"unsupervised":[54,141],"network":[55,61,102,124,157,174],"detection,":[57],"where":[58],"only":[59],"benign":[60],"traffic":[62,103,158],"available":[64],"training":[66],"model.":[69],"We":[70,116],"propose":[71],"a":[72,122],"novel":[73],"post-hoc":[74],"explanation":[75,166],"method,":[76],"called":[77],"AE-pvalues,":[78],"which":[79],"based":[81],"p-values":[84],"reconstruction":[87],"errors":[88],"produced":[89],"an":[91,107,118],"Auto-Encoder-based":[92],"method.":[95],"work":[97],"identifies":[98,154],"most":[100],"informative":[101],"features":[104],"associated":[105],"with":[106,134],"alert,":[109],"providing":[110],"interpretations":[111],"generated":[114],"alerts.":[115],"conduct":[117],"empirical":[119],"study":[120,162],"using":[121],"large-scale":[123],"dataset,":[126],"CICIDS2017,":[127],"compare":[129],"proposed":[131],"AE-pvalues":[132,151],"method":[133,152],"two":[135],"state-of-the-art":[136],"baselines":[137],"applied":[138],"task.":[144],"experimental":[146],"results":[147],"show":[148],"that":[149,164],"accurately":[153],"abnormal":[155],"influential":[156],"features.":[159],"Furthermore,":[160],"our":[161],"demonstrates":[163],"outputs":[167],"can":[168],"help":[169],"different":[171],"types":[172],"attacks":[175],"detected":[178],"anomalies,":[179],"enabling":[180],"security":[182,198],"understand":[185],"root":[187],"cause":[188],"anomalies":[191],"take":[193],"prompt":[194],"action":[195],"strengthen":[197],"measures.":[199]},"counts_by_year":[{"year":2025,"cited_by_count":5},{"year":2024,"cited_by_count":2}],"updated_date":"2026-03-27T05:58:40.876381","created_date":"2023-10-04T00:00:00"}