Benign User Activities that Trigger False Positives in Intrusion Detection Systems: An Expert Survey

Max Landauer; Florian Skopik; Markus Wurzenberger; Teodor Sommestad; Henrik Karlzén

doi:10.1007/978-3-032-00633-2_2

Benign User Activities that Trigger False Positives in Intrusion Detection Systems: An Expert Survey

Max Landauer (Author and Speaker)
, Florian Skopik
, Markus Wurzenberger
, Teodor Sommestad
, Henrik Karlzén

Swedish Defence Research Agency

Research output: Chapter in Book or Conference Proceedings › Conference Proceedings with Oral Presentation › peer-review

Abstract

Simulations of normal user behavior are integral parts of cyber exercises where training and testing takes place in simulated environments. Specifically, benign user activities are essential to generate background traffic during cyber exercises and to estimate false positive rates when evaluating intrusion detection systems. Even though many user automation tools are available, developers typically only consider valid and compliant interactions with systems and applications when defining the scope of normal user behavior models. However, real legitimate users sometimes behave in ways that are non-compliant, erratic, or otherwise deviate from expected norms, and thereby generate suspicious yet benign traffic that triggers alerts from intrusion detection systems. To identify common activities in the vast space of possible user interactions and to support the design of realistic user behavior models, we assemble a list of 17 user activities that are commonly associated with false positives. We assess the relevance and frequencies of these event types with respect to their perceived priority, intent behind them, responsible actor, and circumstances in which they become noteworthy, through likert scale analysis of an expert study with 62 domain experts. Our findings reveal diverse perspectives among respondents and suggest that the behaviors leading to false positives can vary significantly between organizations.

Original language	English
Title of host publication	Availability, Reliability and Security
Subtitle of host publication	ARES 2025 International Workshops, Ghent, Belgium, August 11–14, 2025, Proceedings, Part II
Editors	Bart Coppens, Bruno Volckaert, Vincent Naessens, Bjorn De Sutter
Pages	25-43
Number of pages	19
Volume	15995
Edition	1
ISBN (Electronic)	978-3-032-00633-2
DOIs	https://doi.org/10.1007/978-3-032-00633-2_2
Publication status	Published - Aug 2025
Event	ARES 2025 International Workshops - Ghent, Ghent, Belgium Duration: 11 Aug 2025 → 14 Aug 2025

Publication series

Name	Lecture Notes in Computer Science
Publisher	Springer
Volume	15995
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Workshop

Workshop	ARES 2025 International Workshops
Country/Territory	Belgium
City	Ghent
Period	11/08/25 → 14/08/25

Research Field

Cyber Security

Keywords

intrusion detection systems
user simulation
false positives

Access to Document

10.1007/978-3-032-00633-2_2

Cite this

Landauer, M., Skopik, F., Wurzenberger, M., Sommestad, T., & Karlzén, H. (2025). Benign User Activities that Trigger False Positives in Intrusion Detection Systems: An Expert Survey. In B. Coppens, B. Volckaert, V. Naessens, & B. De Sutter (Eds.), Availability, Reliability and Security: ARES 2025 International Workshops, Ghent, Belgium, August 11–14, 2025, Proceedings, Part II (1 ed., Vol. 15995, pp. 25-43). (Lecture Notes in Computer Science; Vol. 15995). https://doi.org/10.1007/978-3-032-00633-2_2

Landauer, Max ; Skopik, Florian ; Wurzenberger, Markus et al. / Benign User Activities that Trigger False Positives in Intrusion Detection Systems: An Expert Survey. Availability, Reliability and Security: ARES 2025 International Workshops, Ghent, Belgium, August 11–14, 2025, Proceedings, Part II. editor / Bart Coppens ; Bruno Volckaert ; Vincent Naessens ; Bjorn De Sutter. Vol. 15995 1. ed. 2025. pp. 25-43 (Lecture Notes in Computer Science).

@inproceedings{16cbe3b1033249bc9979a325b56bdc5d,

title = "Benign User Activities that Trigger False Positives in Intrusion Detection Systems: An Expert Survey",

abstract = "Simulations of normal user behavior are integral parts of cyber exercises where training and testing takes place in simulated environments. Specifically, benign user activities are essential to generate background traffic during cyber exercises and to estimate false positive rates when evaluating intrusion detection systems. Even though many user automation tools are available, developers typically only consider valid and compliant interactions with systems and applications when defining the scope of normal user behavior models. However, real legitimate users sometimes behave in ways that are non-compliant, erratic, or otherwise deviate from expected norms, and thereby generate suspicious yet benign traffic that triggers alerts from intrusion detection systems. To identify common activities in the vast space of possible user interactions and to support the design of realistic user behavior models, we assemble a list of 17 user activities that are commonly associated with false positives. We assess the relevance and frequencies of these event types with respect to their perceived priority, intent behind them, responsible actor, and circumstances in which they become noteworthy, through likert scale analysis of an expert study with 62 domain experts. Our findings reveal diverse perspectives among respondents and suggest that the behaviors leading to false positives can vary significantly between organizations.",

keywords = "intrusion detection systems, user simulation, false positives",

author = "Max Landauer and Florian Skopik and Markus Wurzenberger and Teodor Sommestad and Henrik Karlz{\'e}n",

year = "2025",

month = aug,

doi = "10.1007/978-3-032-00633-2\_2",

language = "English",

isbn = "978-3-032-00632-5",

volume = "15995",

series = "Lecture Notes in Computer Science",

publisher = "Springer",

pages = "25--43",

editor = "Bart Coppens and Volckaert, \{Bruno \} and Naessens, \{Vincent \} and \{De Sutter\}, \{Bjorn \}",

booktitle = "Availability, Reliability and Security",

edition = "1",

note = "ARES 2025 International Workshops ; Conference date: 11-08-2025 Through 14-08-2025",

}

Landauer, M , Skopik, F , Wurzenberger, M, Sommestad, T & Karlzén, H 2025, Benign User Activities that Trigger False Positives in Intrusion Detection Systems: An Expert Survey. in B Coppens, B Volckaert, V Naessens & B De Sutter (eds), Availability, Reliability and Security: ARES 2025 International Workshops, Ghent, Belgium, August 11–14, 2025, Proceedings, Part II. 1 edn, vol. 15995, Lecture Notes in Computer Science, vol. 15995, pp. 25-43, ARES 2025 International Workshops, Ghent, Belgium, 11/08/25. https://doi.org/10.1007/978-3-032-00633-2_2

Benign User Activities that Trigger False Positives in Intrusion Detection Systems: An Expert Survey. / Landauer, Max (Author and Speaker); Skopik, Florian ; Wurzenberger, Markus et al.
Availability, Reliability and Security: ARES 2025 International Workshops, Ghent, Belgium, August 11–14, 2025, Proceedings, Part II. ed. / Bart Coppens; Bruno Volckaert; Vincent Naessens; Bjorn De Sutter. Vol. 15995 1. ed. 2025. p. 25-43 (Lecture Notes in Computer Science; Vol. 15995).

Research output: Chapter in Book or Conference Proceedings › Conference Proceedings with Oral Presentation › peer-review

TY - GEN

T1 - Benign User Activities that Trigger False Positives in Intrusion Detection Systems: An Expert Survey

AU - Skopik, Florian

AU - Wurzenberger, Markus

AU - Sommestad, Teodor

AU - Karlzén, Henrik

A2 - Landauer, Max

A2 - Coppens, Bart

A2 - Volckaert, Bruno

A2 - Naessens, Vincent

A2 - De Sutter, Bjorn

PY - 2025/8

Y1 - 2025/8

N2 - Simulations of normal user behavior are integral parts of cyber exercises where training and testing takes place in simulated environments. Specifically, benign user activities are essential to generate background traffic during cyber exercises and to estimate false positive rates when evaluating intrusion detection systems. Even though many user automation tools are available, developers typically only consider valid and compliant interactions with systems and applications when defining the scope of normal user behavior models. However, real legitimate users sometimes behave in ways that are non-compliant, erratic, or otherwise deviate from expected norms, and thereby generate suspicious yet benign traffic that triggers alerts from intrusion detection systems. To identify common activities in the vast space of possible user interactions and to support the design of realistic user behavior models, we assemble a list of 17 user activities that are commonly associated with false positives. We assess the relevance and frequencies of these event types with respect to their perceived priority, intent behind them, responsible actor, and circumstances in which they become noteworthy, through likert scale analysis of an expert study with 62 domain experts. Our findings reveal diverse perspectives among respondents and suggest that the behaviors leading to false positives can vary significantly between organizations.

AB - Simulations of normal user behavior are integral parts of cyber exercises where training and testing takes place in simulated environments. Specifically, benign user activities are essential to generate background traffic during cyber exercises and to estimate false positive rates when evaluating intrusion detection systems. Even though many user automation tools are available, developers typically only consider valid and compliant interactions with systems and applications when defining the scope of normal user behavior models. However, real legitimate users sometimes behave in ways that are non-compliant, erratic, or otherwise deviate from expected norms, and thereby generate suspicious yet benign traffic that triggers alerts from intrusion detection systems. To identify common activities in the vast space of possible user interactions and to support the design of realistic user behavior models, we assemble a list of 17 user activities that are commonly associated with false positives. We assess the relevance and frequencies of these event types with respect to their perceived priority, intent behind them, responsible actor, and circumstances in which they become noteworthy, through likert scale analysis of an expert study with 62 domain experts. Our findings reveal diverse perspectives among respondents and suggest that the behaviors leading to false positives can vary significantly between organizations.

KW - intrusion detection systems

KW - user simulation

KW - false positives

U2 - 10.1007/978-3-032-00633-2_2

DO - 10.1007/978-3-032-00633-2_2

M3 - Conference Proceedings with Oral Presentation

SN - 978-3-032-00632-5

VL - 15995

T3 - Lecture Notes in Computer Science

SP - 25

EP - 43

BT - Availability, Reliability and Security

T2 - ARES 2025 International Workshops

Y2 - 11 August 2025 through 14 August 2025

ER -

Landauer M , Skopik F , Wurzenberger M, Sommestad T, Karlzén H. Benign User Activities that Trigger False Positives in Intrusion Detection Systems: An Expert Survey. In Coppens B, Volckaert B, Naessens V, De Sutter B, editors, Availability, Reliability and Security: ARES 2025 International Workshops, Ghent, Belgium, August 11–14, 2025, Proceedings, Part II. 1 ed. Vol. 15995. 2025. p. 25-43. (Lecture Notes in Computer Science). doi: 10.1007/978-3-032-00633-2_2

Benign User Activities that Trigger False Positives in Intrusion Detection Systems: An Expert Survey

Abstract

Publication series

Workshop

Research Field

Keywords

Access to Document

Fingerprint

Cite this