Journal article, Journal of Information Assurance and Security, 2015

Automatic Generation of Correlation Rules to Detect Complex Attack Scenarios


Abstract

Current SIEMs (Security Information and Event Management systems) provide very simple alert correlation languages that express, at best, the recognition of a sequence of alerts. That is why our team developed a correlation tool called GnG that describes attacks in ADeLe (Attack Description Language). This language provides an efficient way to describe complex multi-step attack scenarios. However, experience has shown that writing such correlation rules is very difficult: it requires a high level of knowledge of both the attack and the supervision mechanisms deployed in the system. In this paper, we show that, starting from an enriched attack tree that describes the attack, an automated process can generate exhaustive correlation rules that would be tedious and error-prone to produce by hand. While the initial attack tree is an informal, high-level description, the transformation relies on a specific description of the execution environment (the topology, services and sensors composing the system). Those elements make it possible to produce correlation rules tightly linked to the characteristics of the target system (e.g., the possible targets of each step of an attack, and the deployed intrusion detection systems and sensors). A proof of concept implements the proposed transformations and can generate usable correlation rules.

Dates and versions

hal-01241807, version 1 (11-12-2015)

Identifiers

  • HAL Id: hal-01241807, version 1

Cite

Erwan Godefroy, Eric Totel, Michel Hurfin, Frédéric Majorczyk. Automatic Generation of Correlation Rules to Detect Complex Attack Scenarios. Journal of Information Assurance and Security, 2015, 10 (3), pp.11. ⟨hal-01241807⟩