Automatic Generation of Correlation Rules to Detect Complex Attack Scenarios - Archive ouverte HAL Access content directly
Conference Papers Year :

Automatic Generation of Correlation Rules to Detect Complex Attack Scenarios

(1) , (2) , (2) , (1)
1
2

Abstract

In large distributed information systems, alert correlation systems are necessary to handle the huge amount of elementary security alerts and to identify complex multi-step attacks within the flow of low level events and alerts. In this paper, we show that, once a human expert has provided an action tree derived from an attack tree, a fully automated transformation process can generate exhaustive correlation rules that would be tedious and error prone to enumerate by hand. The transformation relies on a detailed description of various aspects of the real execution environment (topology of the system, deployed services, etc.). Consequently, the generated correlation rules are tightly linked to the characteristics of the monitored information system. The proposed transformation process has been implemented in a prototype that generates correlation rules expressed in an attack description language.
Fichier principal
Vignette du fichier
IAS.pdf (705.17 Ko) Télécharger le fichier
Origin : Files produced by the author(s)
Loading...

Dates and versions

hal-01091385 , version 1 (05-12-2014)

Identifiers

Cite

Erwan Godefroy, Eric Totel, Michel Hurfin, Frédéric Majorczyk. Automatic Generation of Correlation Rules to Detect Complex Attack Scenarios. 2014 International Conference on Information Assurance and Security (IAS 2014), Nov 2014, Okinawa, Japan. pp.6, ⟨10.1109/ISIAS.2014.7064615⟩. ⟨hal-01091385⟩
375 View
671 Download

Altmetric

Share

Gmail Facebook Twitter LinkedIn More