{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,9,11]],"date-time":"2025-09-11T20:26:10Z","timestamp":1757622370925,"version":"3.44.0"},"publisher-location":"Cham","reference-count":23,"publisher":"Springer Nature Switzerland","isbn-type":[{"type":"print","value":"9783032006325"},{"type":"electronic","value":"9783032006332"}],"license":[{"start":{"date-parts":[[2025,1,1]],"date-time":"2025-01-01T00:00:00Z","timestamp":1735689600000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"},{"start":{"date-parts":[[2025,8,9]],"date-time":"2025-08-09T00:00:00Z","timestamp":1754697600000},"content-version":"vor","delay-in-days":220,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2025]]},"abstract":"<jats:title>Abstract<\/jats:title>\n          <jats:p>Simulations of normal user behavior are integral parts of cyber exercises where training and testing takes place in simulated environments. Specifically, benign user activities are essential to generate background traffic during cyber exercises and to estimate false positive rates when evaluating intrusion detection systems. Even though many user automation tools are available, developers typically only consider valid and compliant interactions with systems and applications when defining the scope of normal user behavior models. However, real legitimate users sometimes behave in ways that are non-compliant, erratic, or otherwise deviate from expected norms, and thereby generate suspicious yet benign traffic that triggers alerts from intrusion detection systems. To identify common activities in the vast space of possible user interactions and to support the design of realistic user behavior models, we assemble a list of 17 user activities that are commonly associated with false positives. We assess the relevance and frequencies of these event types with respect to their perceived priority, intent behind them, responsible actor, and circumstances in which they become noteworthy, through likert scale analysis of an expert study with 62 domain experts. Our findings reveal diverse perspectives among respondents and suggest that the behaviors leading to false positives can vary significantly between organizations.<\/jats:p>","DOI":"10.1007\/978-3-032-00633-2_2","type":"book-chapter","created":{"date-parts":[[2025,8,8]],"date-time":"2025-08-08T10:15:10Z","timestamp":1754648110000},"page":"25-43","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":0,"title":["Benign User Activities that\u00a0Trigger False Positives in\u00a0Intrusion Detection Systems: An Expert Survey"],"prefix":"10.1007","author":[{"given":"Max","family":"Landauer","sequence":"first","affiliation":[]},{"given":"Florian","family":"Skopik","sequence":"additional","affiliation":[]},{"given":"Markus","family":"Wurzenberger","sequence":"additional","affiliation":[]},{"given":"Teodor","family":"Sommestad","sequence":"additional","affiliation":[]},{"given":"Henrik","family":"Karlz\u00e9n","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2025,8,9]]},"reference":[{"key":"2_CR1","unstructured":"Alahmadi, B.A., Axon, L., Martinovic, I.: 99% false positives: a qualitative study of soc analysts\u2019 perspectives on security alarms. In: Proceedings of the 31st USENIX Security Symposium, pp. 2783\u20132800 (2022)"},{"key":"2_CR2","doi-asserted-by":"crossref","unstructured":"Brown, C., Cowperthwaite, A., Hijazi, A., Somayaji, A.: Analysis of the 1999 darpa\/lincoln laboratory ids evaluation data with netadhict. In: Proceedings of the Symposium on Computational Intelligence for Security and Defense Applications, pp.\u00a01\u20137. IEEE (2009)","DOI":"10.1109\/CISDA.2009.5356522"},{"issue":"4","key":"2_CR3","doi-asserted-by":"publisher","first-page":"1809","DOI":"10.3390\/app11041809","volume":"11","author":"N Chouliaras","year":"2021","unstructured":"Chouliaras, N., Kittes, G., Kantzavelou, I., Maglaras, L., Pantziou, G., Ferrag, M.A.: Cyber ranges and testbeds for education, training, and research. Appl. Sci. 11(4), 1809 (2021)","journal-title":"Appl. Sci."},{"key":"2_CR4","doi-asserted-by":"crossref","unstructured":"Cram, W.A., Proudfoot, J., D\u2019Arcy, J.: Seeing the forest and the trees: A meta-analysis of information security policy compliance literature (2017)","DOI":"10.24251\/HICSS.2017.489"},{"key":"2_CR5","doi-asserted-by":"crossref","unstructured":"Creech, G., Hu, J.: Generation of a new ids test dataset: time to retire the kdd collection. In: Proceedings of the Wireless Communications and Networking Conference, pp. 4487\u20134492. IEEE (2013)","DOI":"10.1109\/WCNC.2013.6555301"},{"key":"2_CR6","doi-asserted-by":"crossref","unstructured":"Dutta, P., Ryan, G., Zieba, A., Stolfo, S.: Simulated user bots: real time testing of insider threat detection systems. In: Proceedings of the Security and Privacy Workshops, pp. 228\u2013236. IEEE (2018)","DOI":"10.1109\/SPW.2018.00038"},{"key":"2_CR7","first-page":"135","volume":"11","author":"M Grimmer","year":"2019","unstructured":"Grimmer, M., R\u00f6hling, M.M., Kreusel, D., Ganz, S.: A modern and sophisticated host based intrusion detection data set. IT-Sicherheit als Voraussetzung f\u00fcr eine erfolgreiche Digitalisierung 11, 135\u2013145 (2019)","journal-title":"IT-Sicherheit als Voraussetzung f\u00fcr eine erfolgreiche Digitalisierung"},{"key":"2_CR8","doi-asserted-by":"crossref","unstructured":"Guttman, R.D., Hammerstein, J.A., Mattson, J.A., Schlackman, A.L.: Automated failure detection and attribution in virtual environments. In: Proceedings of the Symposium on Technologies for Homeland Security. pp.\u00a01\u20135. IEEE (2015)","DOI":"10.1109\/THS.2015.7225309"},{"issue":"3","key":"2_CR9","doi-asserted-by":"publisher","first-page":"146","DOI":"10.1109\/MCOM.2012.6163595","volume":"50","author":"CY Ho","year":"2012","unstructured":"Ho, C.Y., Lai, Y.C., Chen, I.W., Wang, F.Y., Tai, W.H.: Statistical analysis of false positives and false negatives from real traffic with intrusion detection\/prevention systems. IEEE Commun. Mag. 50(3), 146\u2013154 (2012)","journal-title":"IEEE Commun. Mag."},{"issue":"4","key":"2_CR10","doi-asserted-by":"publisher","first-page":"3466","DOI":"10.1109\/TDSC.2022.3201582","volume":"20","author":"M Landauer","year":"2022","unstructured":"Landauer, M., Skopik, F., Frank, M., Hotwagner, W., Wurzenberger, M., Rauber, A.: Maintainable log datasets for evaluation of intrusion detection systems. IEEE Trans. Dependable Secure Comput. 20(4), 3466\u20133482 (2022)","journal-title":"IEEE Trans. Dependable Secure Comput."},{"key":"2_CR11","doi-asserted-by":"crossref","unstructured":"Landauer, M., Skopik, F., Wurzenberger, M.: Introducing a new alert data set for multi-step attack analysis. In: Proceedings of the 17th Cyber Security Experimentation and Test Workshop, pp. 41\u201353 (2024)","DOI":"10.1145\/3675741.3675748"},{"key":"2_CR12","doi-asserted-by":"crossref","unstructured":"Lashkari, A.H., Kadir, A.F.A., Taheri, L., Ghorbani, A.A.: Toward developing a systematic approach to generate benchmark android malware datasets and classification. In: Proceedings of the International Carnahan Conference on Security Technology, pp.\u00a01\u20137. IEEE (2018)","DOI":"10.1109\/CCST.2018.8585560"},{"key":"2_CR13","doi-asserted-by":"crossref","unstructured":"Layman, L., Roden, W.: A controlled experiment on the impact of intrusion detection false alarm rate on analyst performance. In: Proceedings of the Human Factors and Ergonomics Society Annual Meeting. vol.\u00a067, pp. 220\u2013225. SAGE (2023)","DOI":"10.1177\/21695067231192573"},{"issue":"4","key":"2_CR14","first-page":"37","volume":"12","author":"M Leitner","year":"2021","unstructured":"Leitner, M., et al.: Enabling exercises, education and research with a comprehensive cyber range. J. Wirel. Mob. Networks, Ubiquitous Comput. Dependable Appl. 12(4), 37\u201361 (2021)","journal-title":"J. Wirel. Mob. Networks, Ubiquitous Comput. Dependable Appl."},{"issue":"4","key":"2_CR15","doi-asserted-by":"publisher","first-page":"262","DOI":"10.1145\/382912.382923","volume":"3","author":"J McHugh","year":"2000","unstructured":"McHugh, J.: Testing intrusion detection systems: a critique of the 1998 and 1999 darpa intrusion detection system evaluations as performed by lincoln laboratory. ACM Trans. Inf. Syst. Secur. 3(4), 262\u2013294 (2000)","journal-title":"ACM Trans. Inf. Syst. Secur."},{"key":"2_CR16","doi-asserted-by":"publisher","first-page":"41","DOI":"10.1016\/j.comnet.2015.09.026","volume":"92","author":"P Megyesi","year":"2015","unstructured":"Megyesi, P., Szab\u00f3, G., Moln\u00e1r, S.: User behavior based traffic emulator: a framework for generating test data for dpi tools. Comput. Netw. 92, 41\u201354 (2015)","journal-title":"Comput. Netw."},{"key":"2_CR17","unstructured":"Sangster, B., O\u2019connor, T., Cook, T., Fanelli, R., Dean, E., Morrell, C., Conti, G.J.: Toward instrumenting network warfare competitions to generate labeled datasets. In: Proceedings of the 2nd Cyber Security Experimentation and Test Workshop (2009)"},{"issue":"1","key":"2_CR18","doi-asserted-by":"publisher","first-page":"177","DOI":"10.13052\/jsn2445-9739.2017.009","volume":"2018","author":"I Sharafaldin","year":"2018","unstructured":"Sharafaldin, I., Gharib, A., Lashkari, A.H., Ghorbani, A.A., et al.: Towards a reliable intrusion detection benchmark dataset. Softw. Networking 2018(1), 177\u2013200 (2018)","journal-title":"Softw. Networking"},{"key":"2_CR19","doi-asserted-by":"crossref","unstructured":"Sharafaldin, I., Lashkari, A.H., Ghorbani, A.A.: Toward generating a new intrusion detection dataset and intrusion traffic characterization. In: Proceedings of the 4th International Conference on Information Systems Security and Privacy, pp. 108\u2013116. SciTePress (2018)","DOI":"10.5220\/0006639801080116"},{"key":"2_CR20","doi-asserted-by":"crossref","unstructured":"van Sloun, C., Wehrle, K.: Poster: Vulcan\u2013repurposing accessibility features for behavior-based intrusion detection dataset generation. In: Proceedings of the Conference on Computer and Communications Security, pp. 3543\u20133545 (2023)","DOI":"10.1145\/3576915.3624404"},{"key":"2_CR21","doi-asserted-by":"crossref","unstructured":"Tjhai, G.C., Papadaki, M., Furnell, S., Clarke, N.L.: Investigating the problem of ids false alarms: an experimental study using snort. In: Proceedings of the 23rd International Information Security Conference, pp. 253\u2013267. Springer (2008)","DOI":"10.1007\/978-0-387-09699-5_17"},{"key":"2_CR22","doi-asserted-by":"crossref","unstructured":"Wright, C.V., Connelly, C., Braje, T., Rabek, J.C., Rossey, L.M., Cunningham, R.K.: Generating client workloads and high-fidelity network traffic for controllable, repeatable experiments in computer security. In: Proceedings of the International workshop on Recent Advances in Intrusion Detection, pp. 218\u2013237. Springer (2010)","DOI":"10.1007\/978-3-642-15512-3_12"},{"key":"2_CR23","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2019.101636","volume":"88","author":"MM Yamin","year":"2020","unstructured":"Yamin, M.M., Katt, B., Gkioulos, V.: Cyber ranges and security testbeds: scenarios, functions, tools and architecture. Comput. Secur. 88, 101636 (2020)","journal-title":"Comput. Secur."}],"container-title":["Lecture Notes in Computer Science","Availability, Reliability and Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/978-3-032-00633-2_2","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,9,8]],"date-time":"2025-09-08T19:08:40Z","timestamp":1757358520000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/978-3-032-00633-2_2"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025]]},"ISBN":["9783032006325","9783032006332"],"references-count":23,"URL":"https:\/\/doi.org\/10.1007\/978-3-032-00633-2_2","relation":{},"ISSN":["0302-9743","1611-3349"],"issn-type":[{"type":"print","value":"0302-9743"},{"type":"electronic","value":"1611-3349"}],"subject":[],"published":{"date-parts":[[2025]]},"assertion":[{"value":"9 August 2025","order":1,"name":"first_online","label":"First Online","group":{"name":"ChapterHistory","label":"Chapter History"}},{"value":"ARES","order":1,"name":"conference_acronym","label":"Conference Acronym","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"International Conference on Availability, Reliability and Security","order":2,"name":"conference_name","label":"Conference Name","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Ghent","order":3,"name":"conference_city","label":"Conference City","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Belgium","order":4,"name":"conference_country","label":"Conference Country","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"2025","order":5,"name":"conference_year","label":"Conference Year","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"11 August 2025","order":7,"name":"conference_start_date","label":"Conference Start Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"14 August 2025","order":8,"name":"conference_end_date","label":"Conference End Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"20","order":9,"name":"conference_number","label":"Conference Number","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"ares-12025","order":10,"name":"conference_id","label":"Conference ID","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"https:\/\/2025.ares-conference.eu","order":11,"name":"conference_url","label":"Conference URL","group":{"name":"ConferenceInfo","label":"Conference Information"}}]}}