Authors: J. Nehinbe, Johnson Ige Nehibe
DOI: 10.1109/UKSim.2012.122 (https://doi.org/10.1109/UKSim.2012.122)
Venue: 2012 UKSim 14th International Conference on Computer Modelling and Simulation
Published: 2012-03-28
Citation count: 2 (Semantic Scholar)
A Forensic Model for Forecasting Alerts Workload and Patterns of Intrusions
Concurrent forecasting of alerts workload and reconstruction of computer crimes using historic alerts of intrusion detectors are necessary for extracting admissible evidence in courts of law. Such evidence can be useful for designing efficient countermeasures that will thwart multiple attacks in progress. However, some intruders may take total control of computer networks over time while others may decide to partially compromise certain segments of their targets. Consequently, most intrusion analysts often find it difficult to establish hidden correlations between these two categories of probes and their associated objectives. This paper uses time series analysis to reconstruct workloads using baselines in the range of t1 = 1s to t60 = 60s for each intrusion log. Comparisons of the results obtained across different ranges of datasets demonstrate that alerts triggered by Snort can be used to reconstruct admissible evidence for litigation purposes. The results also reveal the variability of workloads within predefined intervals and the extent to which alerts from different intrusion logs resemble each other.
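An added example (not from the paper) of the workload reconstruction the abstract describes: Snort alert timestamps are bucketed at baselines from t1 = 1 s to t60 = 60 s, then each series is scored for per-interval variability and two logs are compared for resemblance. The Snort fast-format lines, the local rule sid 1000001, the coefficient of variation and the Pearson correlation are constructed assumptions here, not the authors' data or metrics.

```python
import re
from datetime import datetime
from statistics import mean, pstdev

# Constructed Snort "fast" alert lines (not from the paper); only the timestamp drives the workload.
FAST = "{}  [**] [1:1000001:1] CONSTRUCTED probe [**] [Priority: 2] {{TCP}} 10.0.0.5:40001 -> 10.0.0.20:22"
LOG_A = "\n".join(FAST.format(ts) for ts in [
    "03/28-10:00:00.000000", "03/28-10:00:00.500000", "03/28-10:00:01.200000",
    "03/28-10:00:03.000000", "03/28-10:00:08.400000", "03/28-10:00:12.000000"])
LOG_B = "\n".join(FAST.format(ts) for ts in [
    "03/28-10:05:00.000000", "03/28-10:05:02.000000", "03/28-10:05:02.500000",
    "03/28-10:05:02.900000", "03/28-10:05:30.000000"])
TS_RE = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)")

def parse_alert_times(log_text, year=2012):
    # Snort fast format omits the year; assume one so timestamps become comparable seconds.
    base, times = datetime(year, 1, 1), []
    for line in log_text.splitlines():
        m = TS_RE.match(line)
        if m:  # malformed or blank lines are skipped, not counted
            dt = datetime.strptime(f"{year}/{m.group(1)}", "%Y/%m/%d-%H:%M:%S.%f")
            times.append((dt - base).total_seconds())
    return sorted(times)

def workload(times, baseline):
    # Alerts per interval of `baseline` seconds, measured from the log's first alert.
    if not times:
        return []
    t0, n = times[0], int((times[-1] - times[0]) // baseline) + 1
    counts = [0] * n
    for t in times:
        counts[int((t - t0) // baseline)] += 1
    return counts

def variability(counts):
    # Coefficient of variation of the per-interval counts (0.0 when every interval is equal).
    m = mean(counts)
    return pstdev(counts) / m if m else 0.0

def similarity(a, b):
    # Pearson correlation of two workload series aligned on their first alert, zero-padded.
    n = max(len(a), len(b))
    a, b = a + [0] * (n - len(a)), b + [0] * (n - len(b))
    ma, mb = mean(a), mean(b)
    num = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    den = (sum((x - ma) ** 2 for x in a) * sum((y - mb) ** 2 for y in b)) ** 0.5
    return num / den if den else 0.0

def forecast_profile(log_a, log_b, baselines=range(1, 61)):
    # For each baseline t1..t60: (variability of A, variability of B, similarity A~B).
    ta, tb = parse_alert_times(log_a), parse_alert_times(log_b)
    return {t: (variability(workload(ta, t)), variability(workload(tb, t)),
                similarity(workload(ta, t), workload(tb, t))) for t in baselines}
```

At the 60 s baseline both constructed logs collapse to a single interval, so variability and similarity both read 0.0; the finer baselines are where the profiles separate.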