Modern intrusion detection systems generate thousands of alerts daily, but alert fatigue, driven by false positives and low-impact events, severely limits the effectiveness of security operations. We address this by proposing a principled framework for alert prioritization based on subnormal Gaussian fuzzy numbers that explicitly models three sources of uncertainty: threat severity, detection confidence, and organizational risk attitude. Each alert is represented as a fuzzy number whose core indicates severity, whose spread indicates uncertainty, and whose height reflects detection reliability. We apply ranking indices to prioritize alerts, allowing organizations to tune their security posture through a risk-attitude parameter. Experimental validation on CIC-IDS2017 and NSL-KDD demonstrates greater robustness than baselines under detector degradation (0.9963 vs 0.8215 NDCGrel@100), distinct differentiation among mid-confidence alerts, and near-parity with baselines under robust detectors. The framework is theoretically grounded, computationally efficient, provides interpretable reasoning, and remains robust across detector families and miscalibration scenarios.
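The representation and ranking sketched in the abstract, as an added illustration that is not the paper's own code: each alert is a subnormal Gaussian fuzzy number (core = severity, spread = uncertainty, height = detector reliability), and a total-integral ranking index over its α-cuts, a standard fuzzy-ranking construction used here because the paper's exact index is not given on this page, orders alerts under a risk-attitude parameter λ. The field names, the 0-10 severity scale, the index form and the sample alerts are assumptions.

```python
import math
from dataclasses import dataclass

SQRT_HALF_PI = math.sqrt(math.pi / 2.0)  # equals int_0^1 sqrt(2 ln(1/u)) du

@dataclass(frozen=True)
class FuzzyAlert:
    """An alert as a subnormal Gaussian fuzzy number mu(x) = h * exp(-(x - c)^2 / (2 s^2)).
    core c = severity estimate, spread s = uncertainty about it, height h = detector reliability.
    The field names and the 0-10 severity scale are assumptions made for this example."""
    name: str
    core: float
    spread: float
    height: float

    def membership(self, x: float) -> float:
        return self.height * math.exp(-((x - self.core) ** 2) / (2.0 * self.spread ** 2))

    def alpha_cut(self, alpha: float) -> tuple[float, float]:
        """Interval {x : mu(x) >= alpha}; only defined for 0 < alpha <= height (empty above h)."""
        if not 0.0 < alpha <= self.height:
            raise ValueError("alpha must lie in (0, height]")
        half = self.spread * math.sqrt(2.0 * math.log(self.height / alpha))
        return self.core - half, self.core + half

def ranking_index(a: FuzzyAlert, lam: float) -> float:
    """Total-integral index over the alpha-cuts: R = int_0^h (lam*hi(a) + (1-lam)*lo(a)) da.
    With hi/lo = c +/- s*sqrt(2 ln(h/alpha)) this has the closed form below; integrating only up
    to h discounts low-reliability alerts. lam in [0, 1] is the risk-attitude parameter:
    0.5 ignores the spread, 1 is cautious (upper bound counts), 0 is optimistic (lower bound)."""
    if not 0.0 <= lam <= 1.0:
        raise ValueError("lam must lie in [0, 1]")
    return a.height * (a.core + (2.0 * lam - 1.0) * a.spread * SQRT_HALF_PI)

def prioritize(alerts: list[FuzzyAlert], lam: float) -> list[str]:
    """Alert names from highest to lowest ranking index (stable for ties)."""
    return [a.name for a in sorted(alerts, key=lambda a: ranking_index(a, lam), reverse=True)]

# Constructed sample alerts (not from CIC-IDS2017 or NSL-KDD), severity on a 0-10 scale.
SAMPLE_ALERTS = [
    FuzzyAlert("sqli-attempt", core=9.0, spread=0.5, height=0.95),
    FuzzyAlert("port-scan", core=4.0, spread=1.0, height=0.90),
    FuzzyAlert("anomaly-beacon", core=7.0, spread=3.0, height=0.50),  # mid-confidence, very uncertain
    FuzzyAlert("failed-login-burst", core=3.0, spread=0.5, height=0.99),
]

if __name__ == "__main__":
    for lam in (0.0, 0.5, 1.0):
        print(f"lam={lam}: {prioritize(SAMPLE_ALERTS, lam)}")
```

Moving λ from 0 to 1 promotes the wide, mid-confidence "anomaly-beacon" alert from last to second place while the high-confidence, narrow alerts barely move, which is the risk-attitude tuning the abstract describes.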