Automatic Generation of Correlation Rules to Detect Complex Attack Scenarios

Erwan Godefroy 1, 2 Eric Totel 1 Michel Hurfin 1 Frédéric Majorczyk 1, 2
1 CIDRE - Confidentialité, Intégrité, Disponibilité et Répartition
IRISA-D1 - SYSTÈMES LARGE ÉCHELLE, Inria Rennes – Bretagne Atlantique , CentraleSupélec
Abstract: Current SIEMs (Security Information and Event Management systems) provide very simple alert correlation languages that express, at best, the recognition of a sequence of alerts. This motivated our team to develop a correlation tool called GnG that describes attacks in ADeLe (Attack Description Language). This language provides an efficient way to describe complex multi-step attack scenarios. However, experience has shown that writing such correlation rules is very difficult: it requires detailed knowledge both of the attack and of the supervision mechanisms deployed in the system. In this paper, we show that, starting from an enriched attack tree that describes the attack, an automated process can generate exhaustive correlation rules that would be tedious and error-prone to produce by hand. While the initial attack tree is an informal, high-level description, the transformation relies on a specific description of the execution environment (the topology, services and sensors composing the system). These elements make it possible to produce correlation rules tightly linked to the characteristics of the target system (e.g., the possible targets of each step of an attack, the deployed intrusion detection systems and sensors). A proof of concept implements the proposed transformations and can generate usable correlation rules.
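To make the abstract's idea concrete, the following is an added toy example (not the paper's code, and not ADeLe or GnG syntax): an abstract attack scenario whose steps name only target roles and expected alert signatures is combined with an assumed environment description (hosts with roles, sensors with the hosts they cover and the signatures they can raise) to enumerate every concrete correlation rule, one per consistent binding of scenario variables to real hosts. Steps for which no deployed sensor could produce the expected alert are reported as coverage gaps instead of becoming a rule. The scenario, environment and alert stream are all constructed for illustration.

```python
"""Attack scenario + environment description -> concrete correlation rules.

Added illustration of the transformation described in the abstract; the
step/rule representation here is a simplification, not ADeLe or GnG.
"""
from dataclasses import dataclass
from itertools import product
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Step:
    name: str   # step label in the attack tree
    role: str   # role the target host must have (e.g. "web")
    var: str    # scenario variable bound to the concrete target host
    alert: str  # alert signature a sensor is expected to raise


@dataclass
class Environment:
    hosts: Dict[str, str]                           # host -> role
    sensors: Dict[str, Tuple[Set[str], Set[str]]]   # sensor -> (covered hosts, signatures)

    def sensor_for(self, host: str, alert: str) -> Optional[str]:
        """Name of a sensor that watches `host` and can emit `alert`, or None."""
        for name, (covered, signatures) in self.sensors.items():
            if host in covered and alert in signatures:
                return name
        return None


Observation = Tuple[str, str, str]   # (sensor, alert signature, target host)
Rule = List[Observation]             # observations expected in this order

# Constructed scenario: the same web host W is scanned then exploited,
# after which a database host D is brute-forced from it.
SCENARIO: List[Step] = [
    Step("recon", "web", "W", "PORTSCAN"),
    Step("exploit", "web", "W", "WEB_EXPLOIT"),
    Step("lateral", "db", "D", "SQL_BRUTEFORCE"),
]

# Constructed environment: web3 exists but no sensor covers it.
ENV = Environment(
    hosts={"web1": "web", "web2": "web", "web3": "web", "db1": "db"},
    sensors={
        "nids-dmz": ({"web1", "web2"}, {"PORTSCAN", "WEB_EXPLOIT"}),
        "hids-db": ({"db1"}, {"SQL_BRUTEFORCE"}),
    },
)


def generate_rules(tree: List[Step], env: Environment):
    """Enumerate concrete rules for every binding of variables to hosts.

    Returns (rules, gaps): gaps lists (step name, host) pairs that no
    deployed sensor can observe, so the corresponding binding yields no rule.
    """
    roles: Dict[str, str] = {}
    for step in tree:
        roles.setdefault(step.var, step.role)
    names = list(roles)
    candidates = [[h for h, r in env.hosts.items() if r == roles[v]] for v in names]
    rules: List[Rule] = []
    gaps: List[Tuple[str, str]] = []
    for combo in product(*candidates):
        if len(set(combo)) < len(combo):
            continue  # each variable must denote a distinct host
        binding = dict(zip(names, combo))
        rule: Rule = []
        for step in tree:
            host = binding[step.var]
            sensor = env.sensor_for(host, step.alert)
            if sensor is None:
                gaps.append((step.name, host))
                break
            rule.append((sensor, step.alert, host))
        else:
            rules.append(rule)
    return rules, gaps


def match(rule: Rule, alerts: List[Observation]) -> bool:
    """True if the rule's observations occur in order (not necessarily adjacent)."""
    i = 0
    for alert in alerts:
        if i < len(rule) and alert == rule[i]:
            i += 1
    return i == len(rule)


# Constructed alert stream as the sensors would report it.
ALERTS: List[Observation] = [
    ("nids-dmz", "PORTSCAN", "web2"),
    ("nids-dmz", "PORTSCAN", "web1"),
    ("nids-dmz", "WEB_EXPLOIT", "web2"),
    ("hids-db", "SQL_BRUTEFORCE", "db1"),
]


def matched_rules(alerts: List[Observation] = ALERTS) -> List[Rule]:
    rules, _ = generate_rules(SCENARIO, ENV)
    return [r for r in rules if match(r, alerts)]


if __name__ == "__main__":
    rules, gaps = generate_rules(SCENARIO, ENV)
    for r in rules:
        print("rule:", r)
    print("unobservable steps:", gaps)
    print("matched:", matched_rules())
```

With the environment above, two rules are generated (one per covered web host) and the binding W=web3 is reported as a gap, which is exactly the kind of sensor-placement information the abstract says the environment description contributes. Only the web2 rule fires on the sample stream; the web1 scan alone is not enough because the exploit step is never observed on web1.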
Document type:
Journal article
Journal of Information Assurance and Security, Dynamic Publishers Inc., USA, 2015, 10 (3), pp.11

https://hal.inria.fr/hal-01241807
Contributor: Eric Totel
Submitted on: Friday 11 December 2015 - 08:58:40
Last modified on: Friday 16 November 2018 - 01:38:37

Identifiers

  • HAL Id: hal-01241807, version 1

Citation

Erwan Godefroy, Eric Totel, Michel Hurfin, Frédéric Majorczyk. Automatic Generation of Correlation Rules to Detect Complex Attack Scenarios. Journal of Information Assurance and Security, Dynamic Publishers Inc., USA, 2015, 10 (3), pp.11. 〈hal-01241807〉
