Skip to Main content Skip to Navigation
Conference papers

Automatic Generation of Correlation Rules to Detect Complex Attack Scenarios

Erwan Godefroy 1 Eric Totel 2 Michel Hurfin 2 Frédéric Majorczyk 1
2 CIDRE - Confidentialité, Intégrité, Disponibilité et Répartition
CentraleSupélec, Inria Rennes – Bretagne Atlantique , IRISA-D1 - SYSTÈMES LARGE ÉCHELLE
Abstract : In large distributed information systems, alert correlation systems are necessary to handle the huge amount of elementary security alerts and to identify complex multi-step attacks within the flow of low level events and alerts. In this paper, we show that, once a human expert has provided an action tree derived from an attack tree, a fully automated transformation process can generate exhaustive correlation rules that would be tedious and error prone to enumerate by hand. The transformation relies on a detailed description of various aspects of the real execution environment (topology of the system, deployed services, etc.). Consequently, the generated correlation rules are tightly linked to the characteristics of the monitored information system. The proposed transformation process has been implemented in a prototype that generates correlation rules expressed in an attack description language.
Document type :
Conference papers
Complete list of metadata

Cited literature [8 references]  Display  Hide  Download
Contributor : Michel Hurfin Connect in order to contact the contributor
Submitted on : Friday, December 5, 2014 - 12:00:21 PM
Last modification on : Tuesday, October 19, 2021 - 11:58:55 PM
Long-term archiving on: : Saturday, April 15, 2017 - 4:03:30 AM


Files produced by the author(s)



Erwan Godefroy, Eric Totel, Michel Hurfin, Frédéric Majorczyk. Automatic Generation of Correlation Rules to Detect Complex Attack Scenarios. 2014 International Conference on Information Assurance and Security (IAS 2014), Nov 2014, Okinawa, Japan. pp.6, ⟨10.1109/ISIAS.2014.7064615⟩. ⟨hal-01091385⟩



Record views


Files downloads