Skip to Main content Skip to Navigation
Journal articles

Automatic Generation of Correlation Rules to Detect Complex Attack Scenarios

Erwan Godefroy 1, 2 Eric Totel 1 Michel Hurfin 1 Frédéric Majorczyk 1, 2
1 CIDRE - Confidentialité, Intégrité, Disponibilité et Répartition
CentraleSupélec, Inria Rennes – Bretagne Atlantique , IRISA-D1 - SYSTÈMES LARGE ÉCHELLE
Abstract : Current SIEM (Security Information and Event Management) provide very simple alert correlation languages that express at best the recognition of a sequence of alerts. That’s why our team developed a correlation tool called GnG that describes the attacks in ADeLe (Attack Description Language). This language provides an efficient way to describe complex multi-steps attack scenarios. However, the experience proved that writing such correlation rules is very difficult. It requires a high level of knowledge of the attack and the supervision mech- anisms deployed in the system. In this paper, we show that, starting from an enriched attack tree that describes the attack, an automated process can generate exhaustive correlation rules which could be tedious and error prone to produce by hand. While the initial attack tree is an informal high level descrip- tion, the transformation relies on a specific description of the execution environment (topology, services and sensor compos- ing the system). Those elements make it possible to produce correlation rules tightly linked to the characteristics of the tar- get system (e.g., the possible targets of each step of an attack, the deployed intrusion detection systems and sensors). A proof of concept implements the proposed transformations and can generate usable correlation rules.
Document type :
Journal articles
Complete list of metadata
Contributor : Eric Totel Connect in order to contact the contributor
Submitted on : Friday, December 11, 2015 - 8:58:40 AM
Last modification on : Tuesday, October 19, 2021 - 11:58:56 PM


  • HAL Id : hal-01241807, version 1


Erwan Godefroy, Eric Totel, Michel Hurfin, Frédéric Majorczyk. Automatic Generation of Correlation Rules to Detect Complex Attack Scenarios. Journal of Information Assurance and Security, Dynamic Publishers Inc., USA, 2015, 10 (3), pp.11. ⟨hal-01241807⟩



Record views