Benign User Activities that Trigger False Positives in Intrusion Detection Systems: An Expert Survey

Max Landauer; Florian Skopik; Markus Wurzenberger; Teodor Sommestad; Henrik Karlzén

doi:10.1007/978-3-032-00633-2_2

Benign User Activities that Trigger False Positives in Intrusion Detection Systems: An Expert Survey

Max Landauer (Autor:in und Vortragende:r)
, Florian Skopik
, Markus Wurzenberger
, Teodor Sommestad
, Henrik Karlzén

Security & Communication Technologies

Swedish Defence Research Agency

Publikation: Beitrag in Buch oder Tagungsband › Vortrag mit Beitrag in Tagungsband › Begutachtung

Abstract

Simulations of normal user behavior are integral parts of cyber exercises where training and testing takes place in simulated environments. Specifically, benign user activities are essential to generate background traffic during cyber exercises and to estimate false positive rates when evaluating intrusion detection systems. Even though many user automation tools are available, developers typically only consider valid and compliant interactions with systems and applications when defining the scope of normal user behavior models. However, real legitimate users sometimes behave in ways that are non-compliant, erratic, or otherwise deviate from expected norms, and thereby generate suspicious yet benign traffic that triggers alerts from intrusion detection systems. To identify common activities in the vast space of possible user interactions and to support the design of realistic user behavior models, we assemble a list of 17 user activities that are commonly associated with false positives. We assess the relevance and frequencies of these event types with respect to their perceived priority, intent behind them, responsible actor, and circumstances in which they become noteworthy, through likert scale analysis of an expert study with 62 domain experts. Our findings reveal diverse perspectives among respondents and suggest that the behaviors leading to false positives can vary significantly between organizations.

Originalsprache	Englisch
Titel	Availability, Reliability and Security
Untertitel	ARES 2025 International Workshops, Ghent, Belgium, August 11–14, 2025, Proceedings, Part II
Redakteure/-innen	Bart Coppens, Bruno Volckaert, Vincent Naessens, Bjorn De Sutter
Seiten	25-43
Seitenumfang	19
Band	15995
Auflage	1
ISBN (elektronisch)	978-3-032-00633-2
DOIs	https://doi.org/10.1007/978-3-032-00633-2_2
Publikationsstatus	Veröffentlicht - Aug. 2025
Veranstaltung	ARES 2025 International Workshops - Ghent, Ghent, Belgien Dauer: 11 Aug. 2025 → 14 Aug. 2025

Publikationsreihe

Name	Lecture Notes in Computer Science
Herausgeber (Verlag)	Springer
Band	15995
ISSN (Print)	0302-9743
ISSN (elektronisch)	1611-3349

Workshop

Workshop	ARES 2025 International Workshops
Land/Gebiet	Belgien
Stadt	Ghent
Zeitraum	11/08/25 → 14/08/25

Research Field

Cyber Security

Zugriff auf Dokument

10.1007/978-3-032-00633-2_2

Diese Publikation zitieren

Landauer, M., Skopik, F., Wurzenberger, M., Sommestad, T., & Karlzén, H. (2025). Benign User Activities that Trigger False Positives in Intrusion Detection Systems: An Expert Survey. in B. Coppens, B. Volckaert, V. Naessens, & B. De Sutter (Hrsg.), Availability, Reliability and Security: ARES 2025 International Workshops, Ghent, Belgium, August 11–14, 2025, Proceedings, Part II (1 Aufl., Band 15995, S. 25-43). (Lecture Notes in Computer Science; Band 15995). https://doi.org/10.1007/978-3-032-00633-2_2

Landauer, Max ; Skopik, Florian ; Wurzenberger, Markus et al. / Benign User Activities that Trigger False Positives in Intrusion Detection Systems: An Expert Survey. Availability, Reliability and Security: ARES 2025 International Workshops, Ghent, Belgium, August 11–14, 2025, Proceedings, Part II. Hrsg. / Bart Coppens ; Bruno Volckaert ; Vincent Naessens ; Bjorn De Sutter. Band 15995 1. Aufl. 2025. S. 25-43 (Lecture Notes in Computer Science).

@inproceedings{16cbe3b1033249bc9979a325b56bdc5d,

title = "Benign User Activities that Trigger False Positives in Intrusion Detection Systems: An Expert Survey",

abstract = "Simulations of normal user behavior are integral parts of cyber exercises where training and testing takes place in simulated environments. Specifically, benign user activities are essential to generate background traffic during cyber exercises and to estimate false positive rates when evaluating intrusion detection systems. Even though many user automation tools are available, developers typically only consider valid and compliant interactions with systems and applications when defining the scope of normal user behavior models. However, real legitimate users sometimes behave in ways that are non-compliant, erratic, or otherwise deviate from expected norms, and thereby generate suspicious yet benign traffic that triggers alerts from intrusion detection systems. To identify common activities in the vast space of possible user interactions and to support the design of realistic user behavior models, we assemble a list of 17 user activities that are commonly associated with false positives. We assess the relevance and frequencies of these event types with respect to their perceived priority, intent behind them, responsible actor, and circumstances in which they become noteworthy, through likert scale analysis of an expert study with 62 domain experts. Our findings reveal diverse perspectives among respondents and suggest that the behaviors leading to false positives can vary significantly between organizations.",

keywords = "intrusion detection systems, user simulation, false positives",

author = "Max Landauer and Florian Skopik and Markus Wurzenberger and Teodor Sommestad and Henrik Karlz{\'e}n",

year = "2025",

month = aug,

doi = "10.1007/978-3-032-00633-2\_2",

language = "English",

isbn = "978-3-032-00632-5",

volume = "15995",

series = "Lecture Notes in Computer Science",

publisher = "Springer",

pages = "25--43",

editor = "Bart Coppens and Volckaert, \{Bruno \} and Naessens, \{Vincent \} and \{De Sutter\}, \{Bjorn \}",

booktitle = "Availability, Reliability and Security",

edition = "1",

note = "ARES 2025 International Workshops ; Conference date: 11-08-2025 Through 14-08-2025",

}

Landauer, M , Skopik, F , Wurzenberger, M, Sommestad, T & Karlzén, H 2025, Benign User Activities that Trigger False Positives in Intrusion Detection Systems: An Expert Survey. in B Coppens, B Volckaert, V Naessens & B De Sutter (Hrsg.), Availability, Reliability and Security: ARES 2025 International Workshops, Ghent, Belgium, August 11–14, 2025, Proceedings, Part II. 1 Aufl., Bd. 15995, Lecture Notes in Computer Science, Bd. 15995, S. 25-43, ARES 2025 International Workshops, Ghent, Belgien, 11/08/25. https://doi.org/10.1007/978-3-032-00633-2_2

Benign User Activities that Trigger False Positives in Intrusion Detection Systems: An Expert Survey. / Landauer, Max (Autor:in und Vortragende:r); Skopik, Florian ; Wurzenberger, Markus et al.
Availability, Reliability and Security: ARES 2025 International Workshops, Ghent, Belgium, August 11–14, 2025, Proceedings, Part II. Hrsg. / Bart Coppens; Bruno Volckaert; Vincent Naessens; Bjorn De Sutter. Band 15995 1. Aufl. 2025. S. 25-43 (Lecture Notes in Computer Science; Band 15995).

Publikation: Beitrag in Buch oder Tagungsband › Vortrag mit Beitrag in Tagungsband › Begutachtung

TY - GEN

T1 - Benign User Activities that Trigger False Positives in Intrusion Detection Systems: An Expert Survey

AU - Skopik, Florian

AU - Wurzenberger, Markus

AU - Sommestad, Teodor

AU - Karlzén, Henrik

A2 - Landauer, Max

A2 - Coppens, Bart

A2 - Volckaert, Bruno

A2 - Naessens, Vincent

A2 - De Sutter, Bjorn

PY - 2025/8

Y1 - 2025/8

N2 - Simulations of normal user behavior are integral parts of cyber exercises where training and testing takes place in simulated environments. Specifically, benign user activities are essential to generate background traffic during cyber exercises and to estimate false positive rates when evaluating intrusion detection systems. Even though many user automation tools are available, developers typically only consider valid and compliant interactions with systems and applications when defining the scope of normal user behavior models. However, real legitimate users sometimes behave in ways that are non-compliant, erratic, or otherwise deviate from expected norms, and thereby generate suspicious yet benign traffic that triggers alerts from intrusion detection systems. To identify common activities in the vast space of possible user interactions and to support the design of realistic user behavior models, we assemble a list of 17 user activities that are commonly associated with false positives. We assess the relevance and frequencies of these event types with respect to their perceived priority, intent behind them, responsible actor, and circumstances in which they become noteworthy, through likert scale analysis of an expert study with 62 domain experts. Our findings reveal diverse perspectives among respondents and suggest that the behaviors leading to false positives can vary significantly between organizations.

AB - Simulations of normal user behavior are integral parts of cyber exercises where training and testing takes place in simulated environments. Specifically, benign user activities are essential to generate background traffic during cyber exercises and to estimate false positive rates when evaluating intrusion detection systems. Even though many user automation tools are available, developers typically only consider valid and compliant interactions with systems and applications when defining the scope of normal user behavior models. However, real legitimate users sometimes behave in ways that are non-compliant, erratic, or otherwise deviate from expected norms, and thereby generate suspicious yet benign traffic that triggers alerts from intrusion detection systems. To identify common activities in the vast space of possible user interactions and to support the design of realistic user behavior models, we assemble a list of 17 user activities that are commonly associated with false positives. We assess the relevance and frequencies of these event types with respect to their perceived priority, intent behind them, responsible actor, and circumstances in which they become noteworthy, through likert scale analysis of an expert study with 62 domain experts. Our findings reveal diverse perspectives among respondents and suggest that the behaviors leading to false positives can vary significantly between organizations.

KW - intrusion detection systems

KW - user simulation

KW - false positives

U2 - 10.1007/978-3-032-00633-2_2

DO - 10.1007/978-3-032-00633-2_2

M3 - Conference Proceedings with Oral Presentation

SN - 978-3-032-00632-5

VL - 15995

T3 - Lecture Notes in Computer Science

SP - 25

EP - 43

BT - Availability, Reliability and Security

T2 - ARES 2025 International Workshops

Y2 - 11 August 2025 through 14 August 2025

ER -

Landauer M , Skopik F , Wurzenberger M, Sommestad T, Karlzén H. Benign User Activities that Trigger False Positives in Intrusion Detection Systems: An Expert Survey. in Coppens B, Volckaert B, Naessens V, De Sutter B, Hrsg., Availability, Reliability and Security: ARES 2025 International Workshops, Ghent, Belgium, August 11–14, 2025, Proceedings, Part II. 1 Aufl. Band 15995. 2025. S. 25-43. (Lecture Notes in Computer Science). doi: 10.1007/978-3-032-00633-2_2

Benign User Activities that Trigger False Positives in Intrusion Detection Systems: An Expert Survey

Abstract

Publikationsreihe

Workshop

Research Field

Zugriff auf Dokument

Fingerprint

Diese Publikation zitieren