IEEE Access (Jan 2025)

Assessment of Network Security Alerts Based on Expert Experience

  • Tao Wang,
  • Ruowei Pang,
  • Xu Wang,
  • Weihai Shen,
  • Bingqian Huang,
  • Bin Xie,
  • Tian Tan,
  • Yang Yang

DOI
https://doi.org/10.1109/access.2025.3559709
Journal volume & issue
Vol. 13
pp. 64783 – 64795

Abstract


The network architecture of the public security video private network is relatively complex, and the types of devices it carries differ from those of general information networks. It mainly consists of video surveillance IoT devices, together with numerous streaming media servers, video scheduling servers, structured computing power, big data computing power, storage devices, and network devices. These devices are widely dispersed across regions. In such a network environment, when conducting alarm analysis and assessment for network intrusions, malicious code, and abnormal logs, the collected security logs are highly multi-sourced and heterogeneous. Traditional log processing methods are prone to alarm fatigue, high false positive rates, and poor adaptability to complex traffic. To improve the accuracy and efficiency of alarm analysis and assessment, this paper proposes a model that integrates expert experience and supervised learning, called FEESLM, aiming to enhance the ability to judge network security alarms. The FEESLM model consists of three major components: the expert experience modeling component, the supervised learning modeling component, and the assessment result decision component. The expert experience modeling component summarizes the expert's assessment experience to form rules, statistics, and association models. The supervised learning modeling component uses the XGBoost algorithm to learn from the data processed by expert experience, constructing an assessment model. The assessment result decision component uses the maximum entropy model to calculate the most credible result from the outputs of the expert and supervised learning modeling components and takes it as the final assessment result. Experimental results show that the FEESLM model outperforms single expert experience modeling and supervised learning modeling in terms of accuracy, recall rate, and F1-score, effectively improving the accuracy of network security alarm assessment.

Keywords