Non-Statistical metrics for estimating redundancies in forensic investigations of network intrusions

Most statistical methods do not perfectly conform to real cases of cyber crimes. Consequently, using statistical methods to analyze intrusion logs in order to present evidentiary values in courts of law are often refuted as baseless and inadmissible evidences regardless of the input spent to generate the reports and whether the reports are well-grounded evidences or not. Sometimes, complainants are often bewildered and confused because it is almost certain that the prime suspects will be absolved in courts of law. These are tragic developments to computer security experts, corporate and private organizations that leverage on the usage of the Internet facilities to boost service delivery, business activities and profitability. Thus, this paper presents non-statistical metrics that adopt Serialization Modelling Method (S2M) to improve interpretations of intrusion logs. The approach instantiates tokens and serializes alerts triggered by Snort using well-defined values. Experiments illustrate that duplicate tokens or patterns of alerts that exhibit increased propensity are indicative of redundant alerts to a certain degree.