AlertSets: Supporting Exploratory Analysis of Cybersecurity Alerts Through Set Interactions
Franziska Becker, Christoph Müller, David Karpuk, Tanja Blascheck, Thomas Ertl
2025
Abstract
Security providers typically deal with large numbers of alerts based on heterogeneous data from many endpoint sensors. While the number of alerts is generally much smaller than the volume of raw data, most alerts are false positives that do not reflect genuinely malicious activity. All types of experts work on such alerts, be it to determine whether they are indeed false positives, to build machine learning models to support their analysis, or to keep an eye on the current threat landscape. We conducted a design study to support a diverse group of experts whose working environments are connected to the same alert data. Based on an ongoing industry project that clusters alerts, we designed and evaluated a visual analytics system which enables exploration via powerful, easy-to-understand filtering mechanisms framed through set operations. In this article, we describe our system and give a detailed breakdown of the design process and the lessons we learned. We discuss the results from expert interviews, which showed that the set-based framing aligns with experts’ intuitive approach to data analysis and helped users uncover improvement opportunities for the clustering and detection pipelines.
Paper Citation
in Harvard Style
Becker F., Müller C., Karpuk D., Blascheck T. and Ertl T. (2025). AlertSets: Supporting Exploratory Analysis of Cybersecurity Alerts Through Set Interactions. In Proceedings of the 20th International Joint Conference on Computer Vision, Imaging and Computer Graphics Theory and Applications - Volume 1: IVAPP; ISBN 978-989-758-728-3, SciTePress, pages 776-787. DOI: 10.5220/0013376800003912
in Bibtex Style
@conference{ivapp25,
author={Franziska Becker and Christoph Müller and David Karpuk and Tanja Blascheck and Thomas Ertl},
title={AlertSets: Supporting Exploratory Analysis of Cybersecurity Alerts Through Set Interactions},
booktitle={Proceedings of the 20th International Joint Conference on Computer Vision, Imaging and Computer Graphics Theory and Applications - Volume 1: IVAPP},
year={2025},
pages={776-787},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0013376800003912},
isbn={978-989-758-728-3},
}
in EndNote Style
TY - CONF
JO - Proceedings of the 20th International Joint Conference on Computer Vision, Imaging and Computer Graphics Theory and Applications - Volume 1: IVAPP
TI - AlertSets: Supporting Exploratory Analysis of Cybersecurity Alerts Through Set Interactions
SN - 978-989-758-728-3
AU - Becker F.
AU - Müller C.
AU - Karpuk D.
AU - Blascheck T.
AU - Ertl T.
PY - 2025
SP - 776
EP - 787
DO - 10.5220/0013376800003912
PB - SciTePress