Machine-learning detection systems are increasingly deployed in Security Operations Centers (SOCs) to help analysts filter high volumes of security alerts. In practice, such systems tend to expose probabilistic outputs or confidence scores that are poorly calibrated and hard to interpret under time pressure. Prior qualitative and survey-based studies of SOC practice show that poor alert quality and alert overload substantially increase analyst burden, especially when tool outputs do not match decision requirements or are buried in noise. A key limitation is that model confidence is usually displayed without conveying the asymmetric costs of the decision, in which a false alarm is far less harmful than a missed attack. This paper presents a decision-aligned trust-signal framework for SOC alert triage. The framework combines calibrated confidence, lightweight uncertainty cues, and cost-sensitive decision thresholds into a coherent decision-support layer, rather than modifying the detection models themselves. Calibration uses established post-hoc methods to improve probabilistic consistency, and the uncertainty cues provide conservative protection where model certainty is low. To assess the model-independence of the proposed framework, we apply Logistic Regression and Random Forest classifiers to the UNSW-NB15 intrusion detection benchmark. Simulation results show that misaligned confidence displays substantially increase false negatives, whereas decision-aligned trust signals reduce cost-weighted loss by orders of magnitude across models. Finally, we outline a human-in-the-loop study protocol for empirically assessing analyst decision-making under aligned versus misaligned trust interfaces.
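The three components the abstract names (post-hoc calibration, a cost-sensitive threshold, and an uncertainty cue) can be illustrated end to end on a handful of alerts. The block below is an added example written for this page, not code from the paper or its authors: it uses histogram binning as the post-hoc calibration method, derives the escalation threshold from the false-positive and false-negative costs, flags alerts whose calibrated probability sits near that threshold, and compares the cost-weighted loss of a naive "raw score cut at 0.5" display with the decision-aligned one. The alert scores, labels and cost values are constructed for the illustration; the bin size, the uncertainty margin and all function names are assumptions.

```python
"""Decision-aligned trust signals for alert triage (illustrative, added example):
histogram-binning calibration + cost-sensitive threshold + boundary-uncertainty cue."""
from dataclasses import dataclass

# Constructed sample of (raw model score, ground truth; 1 = real attack).
# The raw scores are deliberately over-confident at the low end: one real
# attack hides among alerts the model reports as "almost certainly benign".
ALERTS = [
    (0.02, 0), (0.05, 0), (0.08, 0), (0.12, 1), (0.18, 0), (0.21, 0),   # bin 0
    (0.27, 0), (0.31, 1), (0.35, 0), (0.41, 0), (0.48, 1),              # bin 1
    (0.55, 0), (0.63, 1), (0.71, 1),                                    # bin 2
    (0.80, 1), (0.91, 1), (0.97, 1),                                    # bin 3
]


def fit_histogram_binning(scored, n_bins=4):
    """Post-hoc calibration by histogram binning: each bin's calibrated probability
    is the empirical attack rate observed in that bin. In practice this is fitted on a
    held-out calibration split; here the constructed set serves both roles."""
    counts, positives = [0] * n_bins, [0] * n_bins
    for score, label in scored:
        b = min(int(score * n_bins), n_bins - 1)
        counts[b] += 1
        positives[b] += label
    return [positives[b] / counts[b] if counts[b] else 0.5 for b in range(n_bins)]


def calibrate(score, bin_rates):
    """Map a raw score to the calibrated probability of its bin."""
    n = len(bin_rates)
    return bin_rates[min(int(score * n), n - 1)]


def cost_threshold(c_fp, c_fn):
    """Bayes-optimal escalation threshold on a calibrated probability p.
    Dismissing costs p * c_fn in expectation, escalating costs (1 - p) * c_fp,
    so escalation is cheaper when p > c_fp / (c_fp + c_fn)."""
    return c_fp / (c_fp + c_fn)


@dataclass
class TriageDecision:
    raw_score: float
    probability: float   # what the analyst is shown as "confidence"
    escalate: bool
    uncertain: bool      # cue: probability lies close to the decision boundary


def aligned_decisions(scored, bin_rates, c_fp, c_fn, margin=0.1):
    """Calibrated probability, cost-derived threshold, and a near-boundary cue."""
    t = cost_threshold(c_fp, c_fn)
    out = []
    for score, _ in scored:
        p = calibrate(score, bin_rates)
        out.append(TriageDecision(score, p, p >= t, abs(p - t) < margin))
    return out


def naive_decisions(scored):
    """Misaligned display: the raw score is shown as if it were a probability
    and the analyst dismisses everything below 0.5, regardless of costs."""
    return [TriageDecision(s, s, s >= 0.5, False) for s, _ in scored]


def cost_weighted_loss(scored, decisions, c_fp, c_fn):
    """Total cost: c_fp per escalated benign alert, c_fn per dismissed attack."""
    loss = 0
    for (_, label), d in zip(scored, decisions):
        if d.escalate and label == 0:
            loss += c_fp
        elif not d.escalate and label == 1:
            loss += c_fn
    return loss


def compare(scored, c_fp, c_fn):
    """Loss under the naive display versus the decision-aligned display."""
    rates = fit_histogram_binning(scored)
    naive = naive_decisions(scored)
    aligned = aligned_decisions(scored, rates, c_fp, c_fn)
    return {
        "threshold": cost_threshold(c_fp, c_fn),
        "naive_loss": cost_weighted_loss(scored, naive, c_fp, c_fn),
        "aligned_loss": cost_weighted_loss(scored, aligned, c_fp, c_fn),
        "uncertain_flagged": sum(d.uncertain for d in aligned),
    }


if __name__ == "__main__":
    # A missed attack is assumed to cost four times a false alarm (constructed costs).
    result = compare(ALERTS, c_fp=1, c_fn=4)
    for key, value in result.items():
        print(f"{key:>18}: {value}")
```

With the constructed costs the threshold drops from 0.5 to 0.2, so the calibrated bin-1 alerts (empirical attack rate 0.4) are escalated instead of dismissed, and the only remaining miss sits in bin 0, whose probability is close enough to the threshold that every alert there carries the uncertainty cue for a spot check rather than a silent dismissal.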