Researchers Identify Principles to Reduce Noise in Network Intrusion Detection Systems in SOC

A group of researchers from Eindhoven University of Technology has unveiled a new findings that could significantly improve the efficiency of Security Operations Centers (SOCs) worldwide.

The study, set to be presented at the ACM Asia Conference on Computer and Communications Security (ASIA CCS ’25) in Hanoi later this year, focuses on designing low-noise detection rules for Network Intrusion Detection Systems (NIDS) like Suricata.

SOCs, which defend organizations against cyber threats, often struggle to maintain a balance between detecting as many potential threats as possible (coverage) and minimizing false alarms (specificity).

The volume of noisy alerts often overwhelms analysts, hindering their ability to focus on real threats.

The study systematically analyzed 290,000 unique rules and 30 million alerts generated over 11 months at a commercial SOC to uncover new insights and actionable solutions.

Key Findings In This Research:

1. Design Principles for Reduced Noise: The researchers identified six essential principles for creating more effective detection rules. These include leveraging atomic Indicators of Compromise (IoCs), using alert throttling, distinguishing between successful and unsuccessful attacks, and avoiding generalized detection mechanisms that lead to excessive noise.
2. Tradeoff Between Coverage and Specificity: One principle revealed a key tradeoff while increasing coverage can capture more threats, it often reduces specificity, creating unnecessary noise. This finding underscores the need for a balanced approach in rule design.
3. Concentration of Noisy Rules: The study observed that a small subset of high-noise rules was responsible for the majority of false alarms. Most rules, in contrast, never triggered alerts, indicating inefficiencies in existing rulesets.
4. Role of Legacy and New Rules: Both legacy and recently introduced rules played vital roles in maintaining detection coverage, debunking the notion that coverage is solely a product of new rule deployment.
5. Tool Development: The team built a tool to identify rules violating the proposed design principles. Preliminary testing revealed that many rules, including those from open-source and commercial sources, could be optimized based on these principles.

Practical Implications for SOCs

The findings are expected to help SOCs reduce unnecessary workload, enabling analysts to focus on real threats. By implementing these design principles, SOCs could achieve better detection with fewer resources while maintaining coverage.

According to the research report, The methodology also emphasizes the importance of input quality for automated systems, such as machine learning tools used in “alert post-processing.” By refining the rules that generate alerts, SOCs can improve the overall effectiveness of these systems.

The study, authored by Koen Teuwen, Tom Mulders, Emmanuele Zambon, and Luca Allodi, is the first to analyze individual NIDS rules comprehensively within a commercial SOC.

It bridges gaps in previous research by providing actionable guidelines for rule design and emphasizing the link between rule characteristics and their impact on SOC operations.

The team hopes their work will inspire SOCs to adopt data-driven approaches to rule engineering, leading to more robust defenses against an ever-evolving cyber threat landscape.

Integrating Application Security into Your CI/CD Workflows Using Jenkins & Jira -> Free Webinar