Automatic Generation of Correlation Rules to Detect Complex Attack Scenarios

Erwan Godefroy 1 Eric Totel 2 Michel Hurfin 2 Frédéric Majorczyk 1
2 CIDRE - Confidentialité, Intégrité, Disponibilité et Répartition
CentraleSupélec, Inria Rennes – Bretagne Atlantique , IRISA-D1 - SYSTÈMES LARGE ÉCHELLE
Abstract : In large distributed information systems, alert correlation systems are necessary to handle the huge amount of elementary security alerts and to identify complex multi-step attacks within the flow of low level events and alerts. In this paper, we show that, once a human expert has provided an action tree derived from an attack tree, a fully automated transformation process can generate exhaustive correlation rules that would be tedious and error prone to enumerate by hand. The transformation relies on a detailed description of various aspects of the real execution environment (topology of the system, deployed services, etc.). Consequently, the generated correlation rules are tightly linked to the characteristics of the monitored information system. The proposed transformation process has been implemented in a prototype that generates correlation rules expressed in an attack description language.
Document type :
Conference papers
Liste complète des métadonnées

Cited literature [8 references]  Display  Hide  Download
Contributor : Michel Hurfin <>
Submitted on : Friday, December 5, 2014 - 12:00:21 PM
Last modification on : Thursday, November 15, 2018 - 11:57:50 AM
Document(s) archivé(s) le : Saturday, April 15, 2017 - 4:03:30 AM


Files produced by the author(s)


  • HAL Id : hal-01091385, version 1


Erwan Godefroy, Eric Totel, Michel Hurfin, Frédéric Majorczyk. Automatic Generation of Correlation Rules to Detect Complex Attack Scenarios. 2014 International Conference on Information Assurance and Security (IAS 2014), Nov 2014, Okinawa, Japan. pp.6. ⟨hal-01091385⟩



Record views


Files downloads