Enhancing Anomaly-Based Intrusion Detection Systems with Process Mining

📅 2026-04-20
🤖 AI Summary
This study addresses the lack of trustworthy, interpretable explanations in existing deep learning-based anomaly intrusion detection systems, which typically operate as black boxes and do not provide packet-sequence-level, process-oriented interpretability. To bridge this gap, the work introduces process mining into the interpretation of intrusion detection alerts for the first time, proposing a fine-grained, hierarchical alert severity assessment mechanism that integrates process mining with deep learning. By leveraging process models of network behavior, the system generates interpretable alert ratings, enabling prioritized response to high-risk incidents while allowing suspected benign traffic to pass. Evaluated on the USB-IDS-TC dataset, the approach achieves a recall of 99.94% and a precision of 99.99%, substantially reducing false positives and effectively discriminating among multiple levels of alert severity, from low to critical.

📝 Abstract
Anomaly-based Intrusion Detection Systems (IDSs) protect networked systems against malicious attacks. While deep learning-based IDSs achieve effective detection performance, their limited trustworthiness, due to black-box architectures, remains a critical constraint. Although existing explainable techniques offer insight into the alarms raised by IDSs, they lack process-based explanations grounded in packet-level sequencing analysis. In this paper, we propose a method that employs process mining techniques to enhance anomaly-based IDSs by providing process-based alarm severity ratings and explanations for alerts. Our method prioritizes critical alerts and maintains visibility into network behavior, while minimizing disruption by allowing misclassified benign traffic to pass. We apply the method to the publicly available USB-IDS-TC dataset, which includes anomalous traffic produced by different variants of the Slowloris DoS attack. Results show that our method is able to discriminate between low- to very-high-severity alarms while preserving up to 99.94% recall and 99.99% precision, effectively discarding false positives while assigning different degrees of severity to the true positives.

Problem

Anomaly-based Intrusion Detection
Explainability
Process Mining
Alarm Severity
Black-box Models
Innovation
process mining
anomaly-based IDS
explainable AI
alarm severity rating
packet-level sequencing