
arxiv: 2604.18066 · v1 · submitted 2026-04-20 · 💻 cs.CR · cs.LG · cs.NI

Enhancing Anomaly-Based Intrusion Detection Systems with Process Mining

Pith reviewed 2026-05-10 04:27 UTC · model grok-4.3

classification 💻 cs.CR · cs.LG · cs.NI
keywords intrusion detection · process mining · anomaly detection · alarm severity · false positive reduction · Slowloris attack · network security · packet sequence analysis

The pith

Process mining on network packet sequences rates intrusion alarms by severity while keeping 99.94% recall and 99.99% precision.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

This paper proposes using process mining techniques on sequences of network packets to enhance anomaly-based intrusion detection systems. It aims to provide process-based explanations and severity ratings for alerts raised by the IDS, addressing the lack of trustworthiness in black-box models. By analyzing deviations from expected processes, the method can discriminate between different levels of alarm severity from low to very high. Applied to a dataset involving variants of the Slowloris denial-of-service attack, it achieves up to 99.94 percent recall and 99.99 percent precision. This allows prioritization of critical alerts and reduces the impact of false positives by allowing some benign traffic to pass.

Core claim

The authors claim that their method, which applies process mining to packet sequences from anomalous network traffic, can rate alarms according to severity levels based on the extent of process deviations. This provides explainable, process-grounded insights into why an alarm was raised, while maintaining high detection performance on the USB-IDS-TC dataset containing Slowloris DoS attacks. The approach discards false positives and assigns different severity degrees to true positives.

What carries the argument

Process mining techniques applied to sequences of network packets to identify deviations from normal process models, which are then used to assign severity ratings to IDS alarms.

If this is right

  • Critical alerts can be prioritized for immediate response based on severity ratings.
  • False positives are effectively discarded, reducing unnecessary disruptions.
  • Network behavior remains visible through process-based explanations.
  • Benign traffic that might be misclassified can still pass with minimal impact.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • Integrating this approach with existing deep learning IDS models could improve their explainability without requiring full retraining.
  • The severity rating mechanism might extend to other network protocols or attack categories beyond Slowloris variants.
  • Automated response systems could use the graded severity levels to trigger graduated actions rather than binary block-or-allow decisions.

Load-bearing premise

Deviations discovered through process mining on packet sequences correspond to differences in attack severity rather than to normal variations in how legitimate traffic is sequenced or timed.

What would settle it

Observing that some benign traffic exhibits similar packet sequence deviations as high-severity attacks, leading to incorrect high severity ratings, or finding that certain attack variants produce no detectable process deviations.

Figures

Figures reproduced from arXiv: 2604.18066 by Francesco Grimaldi, Francesco Vitale, Massimiliano Rak, Nicola Mazzocca.

Figure 1 [image omitted]. The proposed method for process-based explanation and ranking of anomaly-based IDS alerts. The first phase involves
Figure 2 [image omitted]. Example of a Petri net capturing a TCP event flow
Figure 3 [image omitted]. The recall and precision metrics, together with the share
Figure 4 [image omitted]. The percentages of TP and FP network flows falling in

Original abstract

Anomaly-based Intrusion Detection Systems (IDSs) ensure protection against malicious attacks on networked systems. While deep learning-based IDSs achieve effective performance, their limited trustworthiness due to black-box architectures remains a critical constraint. Despite existing explainable techniques offering insight into the alarms raised by IDSs, they lack process-based explanations grounded in packet-level sequencing analysis. In this paper, we propose a method that employs process mining techniques to enhance anomaly-based IDSs by providing process-based alarm severity ratings and explanations for alerts. Our method prioritizes critical alerts and maintains visibility into network behavior, while minimizing disruption by allowing misclassified benign traffic to pass. We apply the method to the publicly available USB-IDS-TC dataset, which includes anomalous traffic affected by different variants of the Slowloris DoS attack. Results show that our method is able to discriminate between low- to very-high-severity alarms while preserving up to 99.94% recall and 99.99% precision, effectively discarding false positives while providing different degrees of severity for the true positives.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

3 major / 1 minor

Summary. The paper proposes applying process mining techniques to packet sequences from anomaly-based IDS alerts to generate process-based severity ratings (low to very-high) and explanations. Evaluated on the USB-IDS-TC dataset containing controlled Slowloris DoS variants, the method claims to discriminate alarm severity while preserving up to 99.94% recall and 99.99% precision, thereby discarding false positives and assigning graded severity to true positives.

Significance. If the central mapping from process deviations to attack severity holds, the work would provide a concrete way to add interpretable, packet-sequence-grounded explanations to black-box IDS outputs, enabling prioritized response without sacrificing detection coverage. This addresses a recognized limitation in deep-learning IDS trustworthiness and could be extended to other attack types if the deviation-severity link generalizes.

major comments (3)
  1. [Abstract and §4] Abstract and §4 (results): the claim that the method 'discriminates between low- to very-high-severity alarms' while preserving the quoted recall/precision rests on an untested assumption that conformance/deviation metrics from the chosen process model map causally to attack impact rather than to benign inter-packet timing or ordering variations present in normal traffic; the USB-IDS-TC controlled variants do not isolate this factor, so the severity scale may simply reflect incidental sequence differences.
  2. [§3] §3 (method): no description is supplied of the exact process-mining algorithm (directly-follows graph, Petri net, etc.), the feature extraction steps from packet traces, or the procedure for selecting severity thresholds; without these, the reported performance cannot be reproduced or stress-tested against the skeptic's concern about benign jitter.
  3. [§4] §4 (results): the 99.94% recall / 99.99% precision figures are presented without error bars, cross-validation details, or an ablation that isolates the contribution of the severity-assignment step from the underlying IDS detector; this leaves open whether the method adds genuine severity discrimination or merely filters alarms post hoc.
minor comments (1)
  1. [Abstract and §1] The abstract and introduction would benefit from a brief comparison table placing the proposed severity ratings against existing post-hoc explanation methods for IDS (e.g., SHAP, LIME) to clarify the claimed novelty.

Simulated Author's Rebuttal

3 responses · 0 unresolved

We thank the referee for the constructive comments and the positive assessment of the significance of our work. We address each of the major comments point by point below, indicating where revisions will be made to the manuscript.

Point-by-point responses
  1. Referee: [Abstract and §4] Abstract and §4 (results): the claim that the method 'discriminates between low- to very-high-severity alarms' while preserving the quoted recall/precision rests on an untested assumption that conformance/deviation metrics from the chosen process model map causally to attack impact rather than to benign inter-packet timing or ordering variations present in normal traffic; the USB-IDS-TC controlled variants do not isolate this factor, so the severity scale may simply reflect incidental sequence differences.

    Authors: We appreciate this observation regarding the potential confounding factors. The USB-IDS-TC dataset consists of controlled Slowloris DoS variants with explicitly varying parameters that affect attack severity, such as the number of connections and hold times, which directly influence the impact on the target system. Our process mining models the normal packet flow and quantifies deviations in sequence and timing that align with these attack intensities. Nevertheless, we acknowledge that the current evaluation does not explicitly compare against benign traffic with similar timing variations. In the revised manuscript, we will include additional analysis to address this by examining deviation scores on augmented benign traces with jitter, and clarify the mapping in the discussion section. This will be a partial revision as the core results remain valid but the interpretation will be strengthened.
    Revision: partial

  2. Referee: [§3] §3 (method): no description is supplied of the exact process-mining algorithm (directly-follows graph, Petri net, etc.), the feature extraction steps from packet traces, or the procedure for selecting severity thresholds; without these, the reported performance cannot be reproduced or stress-tested against the skeptic's concern about benign jitter.

    Authors: We agree that the method section lacks sufficient detail for full reproducibility. In the revised version of the paper, we will expand §3 to include: (1) the specific process mining algorithm employed, which is the Inductive Miner algorithm to discover a Petri net model from the event log; (2) the feature extraction process, detailing how packet traces are converted to event logs including attributes such as source/destination IP, port, protocol, and inter-arrival times; and (3) the severity threshold selection, which is based on quantiles of the conformance checking fitness scores derived from the discovered model. These additions will allow readers to reproduce and test the approach against concerns like benign jitter.
    Revision: yes

  3. Referee: [§4] §4 (results): the 99.94% recall / 99.99% precision figures are presented without error bars, cross-validation details, or an ablation that isolates the contribution of the severity-assignment step from the underlying IDS detector; this leaves open whether the method adds genuine severity discrimination or merely filters alarms post hoc.

    Authors: The reported performance metrics are obtained from evaluating the complete pipeline on the USB-IDS-TC dataset, which is a fixed collection of traces without inherent variability for standard cross-validation. We will revise §4 to include error bars by repeating the process mining and conformance checking with bootstrapped samples of the traces where applicable, and provide details on any stochastic components. Additionally, we will add an ablation study that compares the performance with and without the severity assignment module to demonstrate its contribution beyond simple filtering. If the underlying IDS is a black-box, the ablation will focus on the process mining layer's impact on precision by discarding low-severity alerts.
    Revision: yes
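The pipeline the rebuttal sketches (packet events replayed against a discovered Petri net, a conformance fitness score per flagged flow, severity cut-offs taken as quantiles of those scores, and perfectly conforming flows discarded as false positives) can be exercised end to end on a toy scale. The block below is an added illustration, not code from the paper: it assumes a hand-written Petri net of a normal TCP flow in place of an Inductive-Miner-discovered one, uses token-based replay as the conformance measure, and runs on constructed per-flow traces.

```python
from statistics import quantiles

# Hand-built Petri net of a normal TCP flow (assumption: the paper discovers its
# net from traffic with the Inductive Miner rather than writing it by hand).
# Each transition lists the places it consumes from and the places it fills.
TCP_FLOW_NET = {
    "SYN":     (("start",), ("syn_sent",)),
    "SYN_ACK": (("syn_sent",), ("syn_rcvd",)),
    "ACK":     (("syn_rcvd",), ("established",)),
    "DATA":    (("established",), ("established",)),  # any number of segments
    "FIN":     (("established",), ("closing",)),
    "FIN_ACK": (("closing",), ("end",)),
}
START, END = "start", "end"

def replay_fitness(trace, net=TCP_FLOW_NET):
    """Token-based replay: count produced/consumed/missing/remaining tokens.
    Returns (fitness, missing, remaining); missing > 0 or remaining > 0 is a deviation."""
    tokens = {START: 1}
    produced, consumed, missing = 1, 0, 0
    # A virtual final step must consume the end-place token; an activity the net
    # does not know (e.g. a server RST) consumes from a place that is never filled.
    for activity in list(trace) + [END]:
        inputs, outputs = net.get(activity, ((activity,), ()))
        for place in inputs:
            consumed += 1
            if tokens.get(place, 0) > 0:
                tokens[place] -= 1
            else:
                missing += 1  # transition fired without its precondition
        for place in outputs:
            produced += 1
            tokens[place] = tokens.get(place, 0) + 1
    remaining = sum(tokens.values())  # tokens stranded: the flow never finished
    fitness = 0.5 * (1 - missing / consumed) + 0.5 * (1 - remaining / produced)
    return round(fitness, 4), missing, remaining

LEVELS = ("very-high", "high", "medium", "low")

def severity_thresholds(fitness_scores):
    """The method's free parameter: three ascending cut-offs, here taken as the
    quartiles of the fitness of the flows the IDS flagged (rebuttal, point 2)."""
    return quantiles(fitness_scores, n=4)

def rate_alarm(fitness, thresholds):
    """A perfectly conforming flagged flow is treated as a false positive."""
    if fitness >= 1.0:
        return "discard"
    for level, cut in zip(LEVELS, thresholds):
        if fitness < cut:
            return level
    return LEVELS[-1]

# Constructed per-flow event traces standing in for IDS-flagged flows.
FLAGGED_FLOWS = {
    "benign_full_flow": ["SYN", "SYN_ACK", "ACK", "DATA", "DATA", "FIN", "FIN_ACK"],
    "held_open_no_fin": ["SYN", "SYN_ACK", "ACK", "DATA", "DATA", "DATA"],
    "reset_by_server":  ["SYN", "SYN_ACK", "ACK", "DATA", "RST"],
    "half_open":        ["SYN"],
}

def rate_flagged_flows(flows=FLAGGED_FLOWS, thresholds=None):
    """Rate every flagged flow; derive the cut-offs from the batch if not given."""
    scores = {name: replay_fitness(trace)[0] for name, trace in flows.items()}
    cuts = thresholds or severity_thresholds(list(scores.values()))
    return {name: (fit, rate_alarm(fit, cuts)) for name, fit in scores.items()}
```

Note that token-replay fitness is diluted by trace length: a connection held open with many DATA segments and no FIN still strands one token and misses one, so its score rises toward 1.0 as the flow grows, which is one concrete form of the referee's concern that the scale may track incidental sequence properties rather than impact.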

Circularity Check

0 steps flagged

No significant circularity; derivation is self-contained on external dataset

Full rationale

The paper applies standard process mining techniques (e.g., conformance checking on packet sequences) to the external public USB-IDS-TC dataset containing Slowloris variants. Reported recall/precision figures and severity discrimination are empirical outcomes of this application rather than results of parameter fitting to the evaluation data, self-referential definitions, or load-bearing self-citations. No step in the provided derivation chain reduces a claimed prediction or uniqueness result to its own inputs by construction; the central performance claims rest on observable behavior of the method on held-out traffic traces.

Axiom & Free-Parameter Ledger

1 free parameter · 1 axiom · 0 invented entities

The method assumes standard process-mining discovery algorithms can be applied directly to raw packet sequences and that severity can be read off from discovered process deviations without additional learned parameters.

free parameters (1)
  • severity thresholds
    Cut-off values that map process deviations to low/medium/high/very-high labels; these must be set to produce the reported discrimination.
axioms (1)
  • domain assumption: Packet sequences contain sufficient ordering and timing information to distinguish attack severity from benign variation.
    Invoked when process mining is used to rate alarms.

