Automatic Generation of Correlation Rules to Detect Complex Attack Scenarios

Erwan Godefroy (1), Eric Totel (2), Michel Hurfin (2), Frédéric Majorczyk (1)
(2) CIDRE - Confidentialité, Intégrité, Disponibilité et Répartition
IRISA-D1 - SYSTÈMES LARGE ÉCHELLE, Inria Rennes – Bretagne Atlantique, CentraleSupélec
Abstract: In large distributed information systems, alert correlation systems are needed to handle the large volume of elementary security alerts and to identify complex multi-step attacks within the flow of low-level events and alerts. In this paper, we show that, once a human expert has provided an action tree derived from an attack tree, a fully automated transformation process can generate exhaustive correlation rules that would be tedious and error-prone to enumerate by hand. The transformation relies on a detailed description of various aspects of the real execution environment (topology of the system, deployed services, etc.). Consequently, the generated correlation rules are tightly linked to the characteristics of the monitored information system. The proposed transformation process has been implemented in a prototype that generates correlation rules expressed in an attack description language.
Document type: Conference paper
2014 International Conference on Information Assurance and Security (IAS 2014), Nov 2014, Okinawa, Japan. IEEE, pp.6, 〈http://www.mirlabs.net/ias14/〉

Cited literature: 8 references

https://hal.inria.fr/hal-01091385
Contributor: Michel Hurfin
Submitted on: Friday 5 December 2014 - 12:00:21
Last modified on: Wednesday 21 February 2018 - 01:49:34
Long-term archiving on: Saturday 15 April 2017 - 04:03:30

File

IAS.pdf
Files produced by the author(s)

Identifiers

  • HAL Id: hal-01091385, version 1

Citation

Erwan Godefroy, Eric Totel, Michel Hurfin, Frédéric Majorczyk. Automatic Generation of Correlation Rules to Detect Complex Attack Scenarios. 2014 International Conference on Information Assurance and Security (IAS 2014), Nov 2014, Okinawa, Japan. IEEE, pp.6, 〈http://www.mirlabs.net/ias14/〉. 〈hal-01091385〉

Metrics

Record views: 667

File downloads: 346