Confusion Matrix

"Machine learning" refers to computational systems that learn patterns from data and use those patterns for automated analysis and decision-making. Such systems, built to recognise patterns and detect anomalies, are used in many fields, including information security.

In the context of our system, we have integrated an alert evaluation engine that uses machine learning. This integration improves our ability to analyze and respond to security events efficiently. To measure how well this technology performs, we use the confusion matrix, a standard tool for assessing how accurately the system identifies specific events.

In information security, the confusion matrix is used to evaluate the efficiency of monitoring systems, which use Boolean algebra to automatically identify potential threats; the identified threats are then classified and handled appropriately. The parameters most commonly emphasized in information security are 'true positive' and 'false positive'. True positives are real threats correctly identified by the system, while false positives are erroneous alerts. In our application, we have fully implemented the confusion matrix, which improves quality and increases operational control. These indicators let us evaluate the accuracy and maturity of the correlation rules, contributing to the system's evolution.

In Inopli, the indicators for the alerts are generated automatically, derived from monitoring the full lifecycle of the incident during its handling. However, we also value flexibility and accuracy, so we allow manual updates for each alert. Where the automatic classification is inconsistent with what was actually observed, analysts can intervene and add detailed comments that reflect the specific context and characteristics of the incident.


Confusion Matrix Indicators

This matrix not only categorizes alerts into 'true positives' and 'false positives' but also incorporates other crucial parameters such as Accuracy, F1-Score, Precision, False Positive Rate (FPR), Recall, and False Negative Rate (FNR). Each of these topics plays a vital role in the detailed analysis of the system's effectiveness:

  • Accuracy: This indicator measures the proportion of correct predictions (both true positives and true negatives) relative to the total number of cases analyzed. It is a general measure of the system's effectiveness.

  • F1-Score: This metric is the balance between Precision and Recall. It is particularly useful when classes are unbalanced. The F1-Score is the harmonic mean of Precision and Recall, providing a consolidated view of the system's performance.

  • Precision: Refers to the proportion of true positives relative to the total number of cases classified as positive (true positives and false positives). This metric indicates the accuracy of the system's positive predictions.

  • False Positive Rate (FPR): This index shows the proportion of false positives relative to the total number of actual negative cases. A high FPR can indicate many false alarms, a critical aspect in information security.

  • Recall (Sensitivity or True Positive Rate): Measures the proportion of true positives relative to the total number of actual positive cases (true positives and false negatives). It is a crucial metric to understand the system's ability to correctly identify threats.

  • False Negative Rate (FNR): Indicates the proportion of false negatives relative to the total number of actual positive cases. A high FNR can mean that the system is failing to detect real threats, a significant risk in information security.
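The six indicators above, computed from a constructed set of alert outcomes. This is an added example written for this page, not Inopli's own code: the `Outcome` record, its field names and the event ids are assumptions, and the sample set is constructed so that the counts (6 TP, 2 FP, 2 FN, 10 TN) give easily checked values. The `reclassify` helper mirrors the manual analyst update described earlier: changing one alert's verdict moves the metrics, which is why such corrections matter for measuring rule maturity.

```python
from dataclasses import dataclass, replace
from typing import Dict, List


@dataclass(frozen=True)
class Outcome:
    """One monitored event (hypothetical record shape, not Inopli's schema)."""
    event_id: str
    alerted: bool    # did a correlation rule fire on this event?
    is_threat: bool  # analyst's final verdict after handling the incident


# Constructed sample: 6 true positives, 2 false positives,
# 2 missed threats (false negatives) and 10 benign, un-alerted events.
SAMPLE_OUTCOMES: List[Outcome] = (
    [Outcome(f"alert-{i:02d}", True, True) for i in range(1, 7)]
    + [Outcome(f"alert-{i:02d}", True, False) for i in range(7, 9)]
    + [Outcome(f"event-{i:02d}", False, True) for i in range(1, 3)]
    + [Outcome(f"event-{i:02d}", False, False) for i in range(3, 13)]
)


def confusion_counts(outcomes: List[Outcome]) -> Dict[str, int]:
    """Tally the four cells of the confusion matrix."""
    return {
        "tp": sum(1 for o in outcomes if o.alerted and o.is_threat),
        "fp": sum(1 for o in outcomes if o.alerted and not o.is_threat),
        "fn": sum(1 for o in outcomes if not o.alerted and o.is_threat),
        "tn": sum(1 for o in outcomes if not o.alerted and not o.is_threat),
    }


def _ratio(numerator: float, denominator: float) -> float:
    # A rule that never fires (or a set with no threats) yields an empty
    # denominator; report 0.0 instead of raising, so dashboards stay stable.
    return numerator / denominator if denominator else 0.0


def metrics(counts: Dict[str, int]) -> Dict[str, float]:
    """Derive the six indicators from the confusion matrix counts."""
    tp, fp, fn, tn = counts["tp"], counts["fp"], counts["fn"], counts["tn"]
    precision = _ratio(tp, tp + fp)        # of what we alerted on, how much was real
    recall = _ratio(tp, tp + fn)           # of the real threats, how many we caught
    return {
        "accuracy": _ratio(tp + tn, tp + fp + fn + tn),
        "precision": precision,
        "recall": recall,
        "f1": _ratio(2 * precision * recall, precision + recall),  # harmonic mean
        "fpr": _ratio(fp, fp + tn),        # false alarms among benign events
        "fnr": _ratio(fn, fn + tp),        # missed threats among real threats
    }


def reclassify(outcomes: List[Outcome], event_id: str, is_threat: bool) -> List[Outcome]:
    """Return a copy with one event's analyst verdict overridden."""
    return [replace(o, is_threat=is_threat) if o.event_id == event_id else o
            for o in outcomes]


if __name__ == "__main__":
    counts = confusion_counts(SAMPLE_OUTCOMES)
    print(counts)
    for name, value in metrics(counts).items():
        print(f"{name:>9}: {value:.3f}")
    # An analyst downgrades alert-03 to a false alarm; precision drops.
    corrected = reclassify(SAMPLE_OUTCOMES, "alert-03", is_threat=False)
    print("precision after correction:",
          round(metrics(confusion_counts(corrected))["precision"], 3))
```

With the constructed sample, accuracy is 16/20 = 0.8, precision and recall are both 6/8 = 0.75 (so F1 is also 0.75), FPR is 2/12 and FNR is 2/8. After the analyst reclassifies one alert as a false alarm the counts become 5 TP and 3 FP, and precision falls to 0.625.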

By integrating these indicators, Inopli not only categorizes alerts efficiently but also offers a comprehensive view of the system's performance and reliability. These indicators support the ongoing evaluation and improvement of security strategies, helping the system maintain a high rate of accuracy and efficiency in detecting and handling security incidents.
