The 99% Problem: Why OT Networks Face a False Positive Crisis
Up to 99% of alerts generated by conventional network intrusion detection systems (NIDS) are false positives — a finding from a 2022 survey by King Khalid University that reframes false positive reduction not as an optimisation exercise but as a prerequisite for operational viability. In IT environments, alert fatigue is a management problem. In operational technology (OT) environments — encompassing SCADA systems, industrial control systems (ICS), and distributed control systems — it is an industrial safety and continuity problem: spurious alerts can trigger costly operational shutdowns and disrupt physical processes with real-world consequences.
The dataset underpinning this analysis encompasses over 60 patents and peer-reviewed publications addressing AI-based network intrusion detection, with a consistent thematic focus on false positive reduction, anomaly detection accuracy, and hybrid algorithmic architectures. Key assignees appearing most frequently include academic institutions in China (Shihezi University, Beijing University of Technology, Guangzhou University), multiple Saudi Arabian universities, and commercial entities such as WIZ, INC., Nokia Technologies, Microsoft Technology Licensing, and Kyndryl.
OT networks compound the false positive problem in ways that standard IT-focused IDS research does not address. Industrial protocols such as Modbus and DNP3 produce deterministic, highly repetitive traffic patterns — SCADA polling cycles, for example — that superficially resemble reconnaissance or flooding attacks to classifiers trained on IT datasets. This means that a model optimised on benchmarks such as KDD Cup 99 or UNSW-NB15 will systematically misclassify normal OT traffic as malicious unless specifically adapted. According to NIST's guidance on ICS security, the operational consequences of false alarms in industrial settings extend beyond analyst fatigue to process interruption and safety system activation — making precision a higher-order concern than recall in many OT deployments.
Operational technology (OT) networks connect hardware and software that monitors and controls physical devices, processes, and infrastructure — including SCADA systems, programmable logic controllers (PLCs), and distributed control systems (DCS) in sectors such as energy, manufacturing, and water treatment. Unlike IT networks, OT networks prioritise availability and deterministic behaviour over confidentiality, making false positive-driven disruptions particularly costly.
Five dominant technical approaches to false positive reduction emerge from the corpus: (1) hybrid deep learning and classical ML ensembles, (2) alert correlation and post-processing pipelines, (3) feature selection and dimensionality reduction, (4) behavioral baseline modeling with dynamic thresholding, and (5) explainable AI (XAI) for human-in-the-loop validation. The remainder of this article examines each in depth, drawing on specific patents and publications from the dataset.
Hybrid and Ensemble ML Architectures That Cut Alert Noise
Combining multiple complementary algorithms into hybrid or ensemble architectures is the most extensively validated strategy for reducing false positives in AI-based IDS, because it counteracts the individual weaknesses of any single classifier. A 2020 study from the University of Food Technologies, Bulgaria, demonstrated that combining deep learning algorithms with rule-based filters into a hybrid system improves both efficiency and accuracy of anomaly detection — a finding with direct OT relevance, since known-normal industrial protocol behaviour can be codified as rules to reduce misclassification of legitimate traffic.
Ensemble voting approaches further reduce individual model bias. Research from Mohammed V University (2020) presents a majority voting system combining multiple simple feedforward neural networks as weak learners, achieving high detection capability with reduced computational overhead. The reliability-based combination mechanism inherently penalises outlier misclassifications — a property that suppresses isolated false positive events common in noisy industrial network traffic. Complementarily, Jeju National University (2021) demonstrated that ensembling prediction and learning mechanisms produces superior anomaly detection accuracy compared to single-model baselines.
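To make the two ideas in this section concrete, the following added example (illustration for this article, not code from the Bulgarian, Moroccan or Korean papers it cites) combines a rule layer that codifies known-normal Modbus polling with a reliability-weighted majority vote over decision-stump weak learners. The allow-listed addresses, the feature choice and the labelled training rows are all constructed; each stump's weight is its training accuracy, so a single unreliable vote cannot by itself raise an alert.

```python
"""Hybrid IDS stage: a rule layer that codifies known-normal Modbus polling, followed
by a reliability-weighted majority vote of decision-stump weak learners.
Added illustration for this article; not code from any cited paper or patent."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dst_port: int
    func_code: int     # Modbus function code (3 = Read Holding Registers)
    interval_s: float  # seconds since the previous request in this src->dst pair
    pkt_rate: float    # requests per second over the observation window


# Constructed allow-list of SCADA master -> PLC polling (hypothetical addresses).
POLLING_RULES = {
    ("10.0.1.10", "10.0.2.21"): {"func_codes": {3, 4}, "period_s": 1.0, "tol_s": 0.1},
}


def matches_known_polling(flow):
    """Rule layer: deterministic polling codified as a rule is never escalated."""
    rule = POLLING_RULES.get((flow.src, flow.dst))
    return (rule is not None and flow.dst_port == 502
            and flow.func_code in rule["func_codes"]
            and abs(flow.interval_s - rule["period_s"]) <= rule["tol_s"])


def features(flow):
    # Second feature flags diagnostic / encapsulated-interface codes (8, 43),
    # which rarely appear in steady-state polling.
    return [flow.pkt_rate, 1.0 if flow.func_code in (8, 43) else 0.0, flow.interval_s]


def fit_stump(X, y, j):
    """Best single-threshold classifier on feature j: (threshold, sign, accuracy).
    sign=+1 predicts malicious when x >= threshold, sign=-1 when x <= threshold."""
    vals = sorted({row[j] for row in X})
    cands = [(a + b) / 2 for a, b in zip(vals, vals[1:])] or vals
    best = None
    for thr in cands:
        for sign in (1, -1):
            pred = [1 if sign * (row[j] - thr) >= 0 else 0 for row in X]
            acc = sum(p == t for p, t in zip(pred, y)) / len(y)
            if best is None or acc > best[2]:
                best = (thr, sign, acc)
    return best


def fit_ensemble(X, y):
    """One stump per feature; each stump's reliability is its training accuracy."""
    return [(j,) + fit_stump(X, y, j) for j in range(len(X[0]))]


def stump_predict(stump, x):
    j, thr, sign, _ = stump
    return 1 if sign * (x[j] - thr) >= 0 else 0


def weighted_vote(ensemble, x):
    """Reliability-weighted majority: an outlier vote from a weak stump is outweighed."""
    mal = sum(s[3] for s in ensemble if stump_predict(s, x) == 1)
    ben = sum(s[3] for s in ensemble if stump_predict(s, x) == 0)
    return 1 if mal > ben else 0


def classify(ensemble, flow):
    if matches_known_polling(flow):
        return "benign (rule)"
    return "alert" if weighted_vote(ensemble, features(flow)) else "benign (vote)"


# Constructed labelled training rows [pkt_rate, diag_flag, interval_s]; label 1 = malicious.
TRAIN_X = [[1.0, 0.0, 1.0], [1.0, 0.0, 0.98], [2.0, 0.0, 0.5], [0.5, 0.0, 2.0],
           [120.0, 0.0, 0.008], [300.0, 0.0, 0.003], [1.0, 1.0, 1.0], [80.0, 1.0, 0.01]]
TRAIN_Y = [0, 0, 0, 0, 1, 1, 1, 1]

ENSEMBLE = fit_ensemble(TRAIN_X, TRAIN_Y)


def demo():
    polling = Flow("10.0.1.10", "10.0.2.21", 502, 3, 1.0, 1.0)    # listed master, 1 Hz reads
    flood = Flow("10.0.9.99", "10.0.2.21", 502, 3, 0.004, 250.0)  # unlisted host hammering the PLC
    unlisted = Flow("10.0.9.99", "10.0.2.22", 502, 3, 1.0, 1.0)   # unlisted host, polling-like
    return {"polling": classify(ENSEMBLE, polling),
            "flood": classify(ENSEMBLE, flood),
            "unlisted": classify(ENSEMBLE, unlisted)}


if __name__ == "__main__":
    print(ENSEMBLE)
    print(demo())
```

The rule layer short-circuits the allow-listed master's polling before any model runs; the unlisted host with polling-like behaviour still reaches the vote and is cleared there, while the burst is flagged because the two stumps with the highest reliability agree.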
Metaheuristic optimisation of individual neural networks has also demonstrated false positive reduction. Shihezi University (2022) proposed MSCB-BPNN, which uses a variable-scale chaos bat algorithm to optimise BP neural network weights and thresholds, preventing local optima convergence and improving classification precision on KDD Cup 99 and UNSW-NB15 datasets. The improved convergence properties directly reduce the tendency to over-trigger alerts on ambiguous traffic. Shandong University of Political Science and Law (2020) introduced automatic variable-rate learning with forgetting factors and random optimisation operators, explicitly demonstrating reduced false positive and false negative rates through improved BPNN training.
The two-layer DNN-feature-extraction-plus-ML-classification approach demonstrated by Guangzhou University (2022) shows that extracting richer internal representations before final classification substantially improves precision and reduces false alert volume. In this architecture, hidden layer outputs of a deep neural network serve as enriched feature representations for a secondary machine learning classifier — a design evaluated using precision, recall, and F1 metrics in large-scale network security protection deployments.
Alert Correlation Pipelines and Dynamic Thresholding
Even with well-tuned classifiers, raw IDS alert streams in OT environments produce high volumes of redundant and erroneous alarms — making post-processing pipelines that aggregate, correlate, and filter alerts before presenting them to operators a critical second layer of false positive suppression. EMEA College of Arts and Science (2021) proposed a three-phase pipeline: alert normalisation, preliminary alert filtration with priority ranking, and alert correlation graph construction. The causal-relationship graph in the final phase specifically targets and eliminates false positives that lack temporal or logical correlation with other events.
This causal-graph approach is particularly valuable for OT protocols such as Modbus or DNP3, where legitimate session sequences are deterministic and predictable. A false positive generated by an isolated anomalous packet will lack causal predecessors or successors in the graph, enabling automated elimination without analyst intervention.
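The three-phase pipeline and the isolated-node elimination described above, as an added example for this article (not the EMEA College paper's code). The raw alert records, the addresses and the causal rule (same actor continues, or the actor pivots onto the host it just touched, within a ten-minute window) are all constructed; a real deployment would derive the causal rule from the protocol's session model.

```python
"""Three-phase alert post-processing: normalise -> filter and rank -> correlation graph,
eliminating alerts with no causal predecessor or successor.
Added illustration for this article; not code from the cited paper."""
from datetime import datetime, timedelta


def normalise(raw):
    """Phase 1: map heterogeneous sensor records onto one schema."""
    return {
        "ts": datetime.fromisoformat(raw["time"]),
        "src": raw.get("src_ip") or raw.get("source"),
        "dst": raw.get("dst_ip") or raw.get("target"),
        "sig": raw["signature"].strip().lower(),
        "priority": int(raw.get("priority", 3)),   # 1 = highest
    }


def filter_and_rank(alerts, max_priority=3):
    """Phase 2: drop low-priority noise, rank the rest by priority then time."""
    kept = [a for a in alerts if a["priority"] <= max_priority]
    return sorted(kept, key=lambda a: (a["priority"], a["ts"]))


def build_graph(alerts, window):
    """Phase 3: directed edge i -> j when alert j follows alert i within the window and
    either the same actor continues (same src) or the actor pivots onto the host it
    just touched (i.dst == j.src). Constructed causal rule; real pipelines use richer ones."""
    edges = {i: set() for i in range(len(alerts))}
    for i, a in enumerate(alerts):
        for j, b in enumerate(alerts):
            if i == j or not (a["ts"] < b["ts"] <= a["ts"] + window):
                continue
            if a["src"] == b["src"] or a["dst"] == b["src"]:
                edges[i].add(j)
    return edges


def correlated_alerts(alerts, window=timedelta(minutes=10)):
    """Keep only alerts that have at least one predecessor or successor in the graph."""
    edges = build_graph(alerts, window)
    has_pred = {j for succ in edges.values() for j in succ}
    keep = [alerts[i] for i in edges if edges[i] or i in has_pred]
    return sorted(keep, key=lambda a: a["ts"])


def process(raw_alerts, window=timedelta(minutes=10)):
    alerts = filter_and_rank([normalise(r) for r in raw_alerts])
    return correlated_alerts(alerts, window)


# Constructed sample: one three-step sequence against two PLCs, one isolated alert
# raised on the legitimate SCADA master's polling burst, one low-priority ICMP event.
SAMPLE = [
    {"time": "2024-05-01T08:00:00", "src_ip": "10.0.5.50", "dst_ip": "10.0.2.21",
     "signature": "Modbus function code scan", "priority": 2},
    {"time": "2024-05-01T08:03:10", "src_ip": "10.0.5.50", "dst_ip": "10.0.2.21",
     "signature": "Modbus write single coil from unknown master", "priority": 1},
    {"time": "2024-05-01T08:05:40", "source": "10.0.5.50", "target": "10.0.2.22",
     "signature": "Modbus write multiple registers", "priority": 1},
    {"time": "2024-05-01T09:30:00", "src_ip": "10.0.1.10", "dst_ip": "10.0.2.21",
     "signature": "Possible port sweep", "priority": 2},
    {"time": "2024-05-01T08:01:00", "src_ip": "10.0.7.7", "dst_ip": "10.0.7.8",
     "signature": "ICMP destination unreachable", "priority": 4},
]


def demo():
    return [a["sig"] for a in process(SAMPLE)]


if __name__ == "__main__":
    for sig in demo():
        print(sig)
```

The "possible port sweep" raised on the master's polling has no neighbour in the graph and is dropped without analyst involvement, while the three alerts from the unknown host survive because each has a causal predecessor or successor.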
The King Khalid University (2022) survey taxonomises alert correlation methods into four categories: similarity-based, statistical-based, knowledge-based, and hybrid-based. Its central conclusion is that hybrid alert correlation approaches best address the simultaneous challenge of reducing false positive volume while preserving detection of multi-step attack sequences — a requirement directly applicable to OT environments vulnerable to Advanced Persistent Threat (APT)-style industrial sabotage, as documented by CISA in its ICS-CERT advisories.
From the patent domain, WIZ, INC.’s 2024 patent discloses a system that groups monitored resources by common attributes, computes a noise metric from observed event frequencies, and derives dynamic detection thresholds. Sensors only trigger alerts when event counts exceed this statistically-derived threshold — a design that directly suppresses environmentally-driven false positives arising from variable but legitimate traffic spikes common in OT environments. A 2026 continuation patent extends this approach, further refining group-level noise characterisation to improve scalability across large sensor deployments.
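The group-level noise-metric approach described in the previous paragraph, as an added example for this article rather than anything taken from the patent text. Resources are grouped by constructed attributes (role and protocol), each group's noise metric is the mean and spread of its members' historical event counts, and the detection threshold is derived from that metric with a floor so that a very quiet group does not alert on a handful of extra events. The inventory, baseline counts and latest-window counts are all constructed.

```python
"""Group-level noise-metric thresholding: resources are grouped by shared attributes,
a noise metric is computed from each group's observed event frequencies, and a sensor
alerts only when a resource's count exceeds the threshold derived from that metric.
Added illustration of the approach described above; not text or code from the patent."""
from collections import defaultdict
from statistics import mean, pstdev


def group_key(resource, attrs=("role", "protocol")):
    """Resources sharing these attributes are assumed to share a noise profile."""
    return tuple(resource[a] for a in attrs)


def noise_metrics(resources, history, k=3.0, floor=5.0):
    """history maps resource id -> event counts observed in past baseline windows.
    Threshold = group mean + k * group stdev, floored at mean + floor."""
    per_group = defaultdict(list)
    for r in resources:
        per_group[group_key(r)].extend(history.get(r["id"], []))
    metrics = {}
    for g, counts in per_group.items():
        mu, sigma = mean(counts), pstdev(counts)
        metrics[g] = {"mean": mu, "stdev": sigma,
                      "threshold": max(mu + k * sigma, mu + floor)}
    return metrics


def evaluate(resources, metrics, current):
    """current maps resource id -> event count in the latest window."""
    by_id = {r["id"]: r for r in resources}
    alerts = []
    for rid, count in current.items():
        thr = metrics[group_key(by_id[rid])]["threshold"]
        if count > thr:
            alerts.append((rid, count, round(thr, 2)))
    return alerts


# Constructed inventory: four Modbus-polled PLCs and one HMI (hypothetical ids).
RESOURCES = [
    {"id": "plc1", "role": "plc", "protocol": "modbus"},
    {"id": "plc2", "role": "plc", "protocol": "modbus"},
    {"id": "plc3", "role": "plc", "protocol": "modbus"},
    {"id": "plc4", "role": "plc", "protocol": "modbus"},
    {"id": "hmi1", "role": "hmi", "protocol": "https"},
]

# Constructed baseline: sensor event counts per one-minute window (polling at ~1 Hz).
HISTORY = {
    "plc1": [58, 60, 62, 59], "plc2": [61, 60, 63, 58],
    "plc3": [60, 62, 59, 58], "plc4": [57, 61, 60, 62],
    "hmi1": [5, 4, 6, 5],
}

# Constructed latest window: plc1 shows ordinary polling jitter, plc2 a 400-event
# burst, hmi1 more than twice its usual rate.
CURRENT = {"plc1": 64, "plc2": 400, "plc3": 60, "plc4": 58, "hmi1": 12}


def demo():
    metrics = noise_metrics(RESOURCES, HISTORY)
    return metrics, evaluate(RESOURCES, metrics, CURRENT)


if __name__ == "__main__":
    metrics, alerts = demo()
    for g, m in metrics.items():
        print(g, m)
    print(alerts)
```

Because the PLC group's threshold is derived from its own polling noise, plc1's jitter to 64 events stays below it; a per-resource static threshold tuned for the HMI would have flagged every PLC on every window.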
The 2022 King Khalid University survey concludes that hybrid alert correlation approaches — combining similarity-based, statistical-based, and knowledge-based methods — best address the dual challenge of reducing false positive volume while preserving detection of multi-step attack sequences. This is the highest-leverage intervention available to OT security teams deploying NIDS.
Microsoft Technology Licensing’s 2026 EP patent extends the correlation concept into predictive territory: sequential alert pattern prediction speculatively triggers future alerts and enables analyst pre-validation, reducing the false positive burden on security operations centres by contextualising individual alerts within predicted multi-step attack chains. Secureworks Corporation’s 2025 patent (filed in JP) takes a complementary approach — using security analyst workflow data, including tags, filters, and rankings applied by analysts, to continuously retrain tagging and review classifiers. This human-in-the-loop feedback loop systematically eliminates recurring false positive patterns identified by analysts, creating a self-improving detection system.
Feature Selection, Graph Neural Networks, and Explainable AI for OT
The specific characteristics of OT network traffic — deterministic communication patterns, fixed device behaviours, and protocol-specific data fields — create both an opportunity and a challenge for AI-based IDS. Appropriate feature selection that leverages OT domain knowledge can substantially reduce the dimensionality of the classification problem, constraining the model’s decision boundary to relevant behavioural signals and thereby decreasing false positive generation from irrelevant or noisy features.
Beijing Institute of Technology (2019) combined adaptive PCA for automatic feature selection with an incremental extreme learning machine (I-ELM), demonstrating that relevant feature selection directly correlates with improved detection accuracy and reduced misclassification on NSL-KDD and UNSW-NB15 benchmarks. Critically, the adaptive selection mechanism ensures that as network traffic profiles evolve — a key challenge in OT systems undergoing firmware updates or process changes — the feature set adapts without requiring full model retraining. RITS, Bhopal (2013) established the theoretical foundation for this approach, demonstrating that reducing non-contributory features via artificial immune system (AIS) and neural network methods eliminates attributes not involved in security threats, directly reducing noise-driven false positive rates.
Graph neural networks (GNNs) represent a particularly promising structural approach for OT environments. Nokia Technologies’ 2025 EP patent employs GNNs trained on normal and attack traffic subgraphs, with inference rules applied to graph representations of data logs. This approach reduces false positives by anchoring detection in the topological structure of communication relationships rather than individual packet features — a method well-suited to OT network topologies with fixed node communication patterns. CEA’s 2025 FR patent similarly deploys GNNs to generate discriminative feature vectors per network flow, combining flow topology with binary authorised/malicious classification in a two-stage approach that enriches the feature space with relational context.
Explainability is the bridge between algorithmic detection and operational action in OT security. Beijing University of Technology (2020) directly addressed the industrial control network context by analysing DNN models from an information-theoretic perspective to clarify the correlation between DNN computation and classification decisions, then comparing normal with abnormal samples to pinpoint anomalous attributes during classification. This explainability layer is essential for OT security professionals who cannot act on a simple binary alarm without understanding which process variable or network attribute triggered the detection.
Lebanese American University (2023) applied Shapley values to quantify each feature’s contribution to model output, achieving over 94% true positive and true negative rates on NSL-KDD. The SHAP-based interpretability allows operators to audit and reject flagged events where the contributing features are known to be innocuous in the specific OT deployment context — providing a formal mechanism for operator-driven false positive suppression. Lukasiewicz Institute, Poland (2021) used XAI-based interpretation of binary classifiers to provide detailed characterisation of detected anomalies, enabling targeted rule refinement to eliminate recurring false positive patterns. As noted by IEEE in its standards for industrial cybersecurity, explainability is increasingly recognised as a non-negotiable requirement for IDS deployed in safety-critical environments.
F-Secure Corporation’s 2025 JP patent describes a complementary scalability approach: generating local and common behavioural models of normal operation across multiple nodes, then filtering input events by likelihood estimation against these models. Events matching the common normal behaviour model are efficiently suppressed without individual per-event analysis — enabling scalable false positive reduction across large OT node populations without analyst involvement.
Key Patent Filers and Academic Contributors Shaping the Field
The patent and academic landscape for OT IDS false positive reduction is shaped by a distinct set of commercial and institutional actors, each with differentiated technical philosophies. WIZ, INC. emerges as the leading patent filer in false-positive-specific reduction technology, with at least two active US patents (2024 and 2026) centred on noise-metric-driven dynamic thresholding. Their architecture’s group-based baselining approach represents a distinctive engineering philosophy applicable to OT asset groups sharing common behavioural profiles.
Nokia Technologies Oy’s active EP patent (2025) employs graph neural networks trained on normal and attack traffic subgraphs. Microsoft Technology Licensing’s active EP patent (2026) uses sequential alert pattern prediction to enable analyst pre-validation. CEA’s active FR patent (2025) deploys GNNs to generate discriminative feature vectors per network flow. Secureworks Corporation’s active JP patent (2025) uses analyst workflow data to continuously retrain detection classifiers. F-Secure Corporation’s active JP patent (2025) generates behavioural models of normal operation for scalable event suppression. Together, these five commercial actors represent the frontier of industrially deployable false positive reduction, as catalogued in the PatSnap IP intelligence platform.
On the academic side, Shihezi University (multiple papers on BPNN optimisation), Beijing University of Technology (industrial control network explainability), King Khalid University (alert correlation survey), and Guangzhou University (DNN+ML hybrid false alert detection) collectively dominate the literature on practical false positive reduction methodologies validated against standard benchmarks. Their work provides the empirical foundation on which commercial patent claims are increasingly built — a dynamic that IP professionals can track systematically using PatSnap’s patent analytics tools.
The broader standards context for OT cybersecurity is set by frameworks from IEC (specifically IEC 62443 for industrial automation and control system security), which increasingly references AI-based detection as a component of defence-in-depth strategies. False positive reduction is implicitly required by IEC 62443’s emphasis on operational continuity and the avoidance of security measures that themselves introduce operational risk — a regulatory signal that will drive further R&D investment in the techniques described in this article.