Title :
A Forensic Model for Forecasting Alerts Workload and Patterns of Intrusions
Author :
Nehinbe, Joshua Ojo ; Nehibe, Johnson Ige
Author_Institution :
Univ. of Essex, Colchester, UK
Abstract :
Concurrent forecasting of alerts workload and reconstruction of computer crimes using historic alerts of intrusion detectors are necessary for extracting admissible evidence in courts of law. Such evidence can be useful for designing efficient countermeasures that will thwart multiple attacks in progress. However, some intruders may take total control of computer networks over time, while others may decide to partially compromise certain segments of their targets. Consequently, most intrusion analysts often find it difficult to establish hidden correlations between these two categories of probes and their associated objectives. This paper uses time series analysis to reconstruct workloads using baselines in the range of t1 = 1s to t60 = 60s for each intrusion log. Comparisons of the results obtained across different ranges of datasets demonstrate that alerts triggered by Snort can be used to reconstruct admissible evidence for litigation purposes. The results also reveal the variability of workloads within predefined intervals and the extent to which alerts from different intrusion logs resemble each other.
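The workload reconstruction the abstract describes (binning Snort alerts into windows of 1s to 60s and comparing the resulting series across logs), as an added Python illustration that is not the paper's own method or code; the fast-alert lines, the assumed year and the Pearson-correlation resemblance measure are constructed or assumed here.

```python
import re
from collections import Counter
from datetime import datetime
from math import sqrt

# Snort "fast" alert lines begin "MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] ..."
_TS = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\]")

def _line(ts):  # one constructed fast-alert line with the given timestamp
    return f"{ts}  [**] [1:1000001:1] CONSTRUCTED sample alert [**] [Priority: 3] {{TCP}} 10.0.0.5:4444 -> 10.0.0.9:22"

# Two constructed intrusion logs covering the same minute; one non-alert line is skipped.
LOG_A = [_line("03/21-10:00:%06.3f" % s) for s in (0.0, 0.7, 1.2, 2.05, 30.0, 59.9)] \
    + ["Mar 21 10:00:05 host snort[42]: not a fast-alert line, ignored by the parser"]
LOG_B = [_line("03/21-10:00:%06.3f" % s) for s in (0.3, 1.1, 1.9, 3.0, 31.5, 58.2)]

def alert_times(lines, year=2012):
    """Timestamps of every parseable fast-alert line; the format carries no year,
    so one is assumed (a constructed value here)."""
    found = []
    for line in lines:
        m = _TS.match(line)
        if m:
            found.append(datetime.strptime(f"{year}/{m.group(1)}", "%Y/%m/%d-%H:%M:%S"))
    return found

def workload(lines, width, year=2012):
    """Alert counts per `width`-second window, counted from the first alert
    (the paper's baselines are width = 1 .. 60); empty windows are kept as 0."""
    stamps = alert_times(lines, year)
    if not stamps:
        return []
    t0 = min(stamps)
    offsets = [int((t - t0).total_seconds()) for t in stamps]
    per_window = Counter(o // width for o in offsets)
    return [per_window.get(i, 0) for i in range(max(offsets) // width + 1)]

def variability(series):
    """Spread of a workload series: max minus min alerts per window."""
    return max(series) - min(series) if series else 0

def resemblance(a, b):
    """Pearson correlation of two workload series (shorter one zero-padded):
    1.0 = same shape, 0.0 = unrelated or either series constant."""
    n = max(len(a), len(b))
    a, b = a + [0] * (n - len(a)), b + [0] * (n - len(b))
    ma, mb = sum(a) / n, sum(b) / n
    cov = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    va, vb = sum((x - ma) ** 2 for x in a), sum((y - mb) ** 2 for y in b)
    return 0.0 if va == 0 or vb == 0 else cov / sqrt(va * vb)
```

Widening the baseline from 1s to 30s makes the two constructed logs look identical, while at 1s they only partly agree; at 60s each log collapses to a single window and no resemblance can be measured.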
Keywords :
computer network security; associated objectives; computer crime reconstruction; computer networks; concurrent forecasting; forecasting alerts workload; forensic model; hidden correlations; intrusion detectors; intrusion pattern; Computational modeling; Computer crime; Computer networks; Computers; Forensics; Intrusion detection; Time series analysis; Intrusion Detection System; intrusion; intrusion analyst; patterns of attacks; time series analysis;
Conference_Title :
Computer Modelling and Simulation (UKSim), 2012 UKSim 14th International Conference on
Conference_Location :
Cambridge
Print_ISBN :
978-1-4673-1366-7
DOI :
10.1109/UKSim.2012.122