Non-Statistical metrics for estimating redundancies in forensic investigations of network intrusions

J. Nehinbe
DOI: 10.1109/EMS.2011.93 (https://doi.org/10.1109/EMS.2011.93)
Published in: 2011 UKSim 5th European Symposium on Computer Modeling and Simulation
Publication date: 2011-11-16
Citation count: 0

Abstract

Most statistical methods do not map cleanly onto real cases of cyber crime. Consequently, reports that analyse intrusion logs with statistical methods in order to present evidentiary value in a court of law are often refuted as baseless and inadmissible, regardless of the effort spent to produce them and of whether they are in fact well grounded. Complainants are often left bewildered because it is almost certain that the prime suspects will be acquitted. These are serious setbacks for computer security experts and for the corporate and private organisations that rely on Internet services to deliver services, conduct business and remain profitable. This paper therefore presents non-statistical metrics based on the Serialization Modelling Method (S2M) to improve the interpretation of intrusion logs. The approach instantiates tokens and serialises alerts triggered by Snort using well-defined values. Experiments show that duplicate tokens, or patterns of alerts that recur with increased propensity, are to a certain degree indicative of redundant alerts.
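An added illustration of the idea the abstract describes, not the paper's own code and not its definition of S2M: the Python below parses Snort "fast"-format alert lines, instantiates a token for each alert from a fixed set of fields, serialises that token into a canonical string, and counts how often each serialised token recurs to estimate the share of redundant alerts. The choice of token fields (generator id, signature id, protocol, source IP, destination IP, classification), the decision to drop timestamps, rule revision and ports, and the duplicate threshold of two are assumptions made here for the example; the alert lines are constructed, IPv4-only sample data.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed sample Snort "fast"-format alert lines (not data from the paper):
# three repeats of one signature between the same peers, two of another, one singleton.
SAMPLE_ALERTS: List[str] = [
    "08/21-14:23:01.123456  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] "
    "[Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.1.5:80 -> 10.0.0.2:41254",
    "08/21-14:23:01.223456  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] "
    "[Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.1.5:80 -> 10.0.0.2:41255",
    "08/21-14:23:02.001000  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] "
    "[Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.1.5:80 -> 10.0.0.2:41256",
    "08/21-14:23:05.500000  [**] [1:1000001:1] LOCAL SSH brute force attempt [**] "
    "[Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 203.0.113.9:51022 -> 10.0.0.2:22",
    "08/21-14:23:06.500000  [**] [1:1000001:1] LOCAL SSH brute force attempt [**] "
    "[Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 203.0.113.9:51023 -> 10.0.0.2:22",
    "08/21-14:23:09.000000  [**] [1:2000334:3] ET ICMP PING [**] "
    "[Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.7 -> 10.0.0.2",
]

# Snort fast-alert layout (IPv4 only here, an assumption of this example):
#   timestamp [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: n] {PROTO} src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"   # classification is optional in real alerts
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

Token = Tuple[str, str, str, str, str, str]


def parse_alert(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Parse one Snort fast-format alert line into its fields; None if it does not match."""
    m = ALERT_RE.match(line.strip())
    return m.groupdict() if m else None


def tokenize(alert: Dict[str, Optional[str]]) -> Token:
    """Instantiate the token used for duplicate detection.

    Assumed field choice (not the paper's definition): generator id, signature id,
    protocol, source IP, destination IP and classification. Timestamp, rule revision
    and ports are dropped so that repeats of the same event between the same peers
    collapse onto one token.
    """
    return (
        alert["gid"] or "", alert["sid"] or "", alert["proto"] or "",
        alert["src"] or "", alert["dst"] or "", alert["cls"] or "",
    )


def serialize(token: Token) -> str:
    """Serialise a token into one canonical string so equal tokens compare equal."""
    return "|".join(token)


def estimate_redundancy(lines: List[str], threshold: int = 2) -> Dict[str, object]:
    """Count serialised tokens and report how many alerts are repeats of an earlier one.

    ratio = (total - unique) / total; tokens seen at least `threshold` times are
    listed as redundancy suspects together with their counts.
    """
    counts: Counter = Counter()
    unparsed = 0
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            unparsed += 1          # keep malformed lines visible rather than silently dropping them
            continue
        counts[serialize(tokenize(alert))] += 1
    total = sum(counts.values())
    unique = len(counts)
    redundant = total - unique
    return {
        "total": total,
        "unique": unique,
        "redundant": redundant,
        "ratio": (redundant / total) if total else 0.0,
        "unparsed": unparsed,
        "suspects": {tok: n for tok, n in counts.items() if n >= threshold},
    }


if __name__ == "__main__":
    report = estimate_redundancy(SAMPLE_ALERTS)
    for key in ("total", "unique", "redundant", "ratio", "unparsed"):
        print(f"{key}: {report[key]}")
    for tok, n in sorted(report["suspects"].items(), key=lambda kv: -kv[1]):  # type: ignore[union-attr]
        print(f"{n}x {tok}")
```

On the constructed input the six alerts collapse onto three tokens, giving a redundancy ratio of 0.5, with the repeated ATTACK_RESPONSE and SSH tokens flagged as suspects. The caveat a practitioner needs is that the token definition is itself a modelling decision: dropping ports merges three separate TCP connections into one token, which is what makes repeated signature firings visible, but it would equally merge genuinely distinct sessions, so the field choice and threshold must be stated and defended alongside any figure derived from them.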