Optimized model for comparing two intrusion logs
Abstract
Detectors that watch, record and report digital activities liable to endanger the security of computer and mobile systems are needed in digital security and forensics across the globe. Nevertheless, most detectors present a series of challenges when they are operated concurrently to detect potential intrusions in mobile and computer networks. Conventionally, analysts must correlate and aggregate the alerts of such devices before well-informed decisions can be made from them. Unfortunately, correlation and aggregation fail to produce useful results when many pairs of alerts have no visible, mutual, complementary or reciprocal relationship. Consequently, most existing models suffer low efficacy when they are adapted to compare two intrusion logs from different time intervals. This paper presents a pragmatic, optimized approach that uses computational methods to compare a pair of intrusion logs. Category utility and entropy are applied to measure the quality of each pair of logs generated from Snort. A series of evaluations using intrusion logs derived from synthetic and real traces demonstrates how analysts can forecast the extent of similarity and dissimilarity between two intrusion logs. The results further indicate intrusive themes and the nature, quality, degree and significance of pairs of intrusion logs across different time intervals.
Keywords: Intrusion, intrusion detection system, detector, network forensics
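As an added illustration (not the paper's code; the abstract does not give the paper's exact procedure), the following Python shows the two metrics the abstract names applied to a pair of Snort logs. It parses two constructed alert logs in Snort's "fast" output format, computes the Shannon entropy of each log's signature distribution, and computes the category utility of treating the two logs as a two-category partition of the pooled alerts. The attributes used for category utility (signature id, classification, protocol) and the sample alert lines are assumptions made here.

```python
"""Compare two Snort fast-format alert logs with entropy and category utility.

Added illustration, not the paper's code. Shannon entropy and category
utility (Gluck and Corter) are the textbook definitions; the attribute set
and the sample logs below are assumptions made for this example.
"""
import math
import re
from collections import Counter
from typing import Dict, List, Sequence

# Constructed sample logs in Snort "fast" alert format (not real captures).
LOG_A = """\
01/17-12:00:01.000000  [**] [1:2000032:9] ET SCAN NMAP -sS window 1024 [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.5:44321 -> 10.0.0.7:22
01/17-12:00:02.000000  [**] [1:2000032:9] ET SCAN NMAP -sS window 1024 [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.5:44322 -> 10.0.0.7:80
01/17-12:00:03.000000  [**] [1:2000032:9] ET SCAN NMAP -sS window 1024 [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.5:44323 -> 10.0.0.7:443
01/17-12:00:09.000000  [**] [1:2010935:3] ET SCAN Suspicious inbound to MSSQL port 1433 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.1.5:44400 -> 10.0.0.7:1433
"""

LOG_B = """\
01/18-03:10:01.000000  [**] [1:2000032:9] ET SCAN NMAP -sS window 1024 [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 172.16.0.9:51000 -> 10.0.0.7:22
01/18-03:10:04.000000  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.7:80 -> 172.16.0.9:51004
01/18-03:10:07.000000  [**] [1:2100366:8] GPL ICMP_INFO PING *NIX [**] [Classification: Misc activity] [Priority: 3] {ICMP} 172.16.0.9 -> 10.0.0.7
01/18-03:10:12.000000  [**] [1:2001219:20] ET SCAN Potential SSH Scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 172.16.0.9:51010 -> 10.0.0.7:22
"""

# One fast-format alert line: timestamp, [gid:sid:rev], message, optional
# classification and priority, protocol, source -> destination.
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?"
    r"(?:\s+\[Priority:\s*(?P<prio>\d+)\])?"
    r"\s+\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)$"
)


def parse_fast_log(text: str) -> List[Dict[str, str]]:
    """Parse fast-format alert lines into dicts of categorical attributes."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = FAST_RE.match(line)
        if m is None:
            raise ValueError(f"unparsed alert line: {line!r}")
        d = m.groupdict()
        alerts.append({
            "sid": d["sid"],
            "classification": d["cls"] or "unclassified",
            "priority": d["prio"] or "0",
            "proto": d["proto"],
        })
    return alerts


def entropy(alerts: Sequence[dict], attr: str = "sid") -> float:
    """Shannon entropy in bits of one attribute's distribution within a log."""
    n = len(alerts)
    counts = Counter(a[attr] for a in alerts)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def _sum_sq_probs(alerts: Sequence[dict], attrs: Sequence[str]) -> float:
    """Sum over attributes of sum_j P(A_i = v_j)^2 (expected guess accuracy)."""
    n = len(alerts)
    return sum(
        sum((c / n) ** 2 for c in Counter(a[attr] for a in alerts).values())
        for attr in attrs
    )


ATTRS = ("sid", "classification", "proto")  # assumed attribute set


def category_utility(partition: Dict[str, List[dict]], attrs=ATTRS) -> float:
    """Category utility of splitting the pooled alerts into the given logs.

    CU = (1/K) * sum_k P(C_k) * [ sum_i sum_j P(A_i=v_ij|C_k)^2
                                  - sum_i sum_j P(A_i=v_ij)^2 ].
    0 means the logs have identical attribute distributions (the split
    explains nothing); larger values mean the logs are more dissimilar.
    """
    pooled = [a for alerts in partition.values() for a in alerts]
    n = len(pooled)
    base = _sum_sq_probs(pooled, attrs)
    cu = sum((len(al) / n) * (_sum_sq_probs(al, attrs) - base)
             for al in partition.values())
    return cu / len(partition)


def compare_logs(text_a: str, text_b: str) -> Dict[str, float]:
    """Per-log signature entropy plus category utility of the A/B split."""
    a, b = parse_fast_log(text_a), parse_fast_log(text_b)
    return {
        "entropy_a": entropy(a),
        "entropy_b": entropy(b),
        "category_utility": category_utility({"A": a, "B": b}),
    }


if __name__ == "__main__":
    for name, value in compare_logs(LOG_A, LOG_B).items():
        print(f"{name}: {value:.4f}")
```

Entropy is a per-log figure: the constructed LOG_A is dominated by one signature (about 0.81 bits), while LOG_B spreads evenly over four (2 bits). Category utility is a figure for the pair: it is exactly 0 when the two logs have the same attribute distributions, and grows with their dissimilarity, which is the comparison the abstract describes. Which attributes to include is a judgement call; adding source addresses, for instance, would make any two logs from different networks look dissimilar regardless of what was detected.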