Skip to Main content Skip to Navigation
Conference papers

Assessment of an Automatic Correlation Rules Generator

Erwan Godefroy 1, 2 Eric Totel 2 Michel Hurfin 2 Frédéric Majorczyk 2, 1
2 CIDRE - Confidentialité, Intégrité, Disponibilité et Répartition
CentraleSupélec, Inria Rennes – Bretagne Atlantique , IRISA-D1 - SYSTÈMES LARGE ÉCHELLE
Abstract : Information systems are prone to attacks. Those attacks can take different forms, from an obvious DDOS to a complex attack sce- nario involving a step by step stealthy compromise of key nodes in the target system. In order to detect those multi-steps attack scenarios, alert correlation systems are required. Those systems rely on explicit or im- plicit correlation rules in order to detect complex links between various events or alerts produced by IDSes. Explicit and accurate correlation rules strongly linked with the system are difficult to build and maintain manually. However this process can be partially automated when enough information on the attack scenario and the target system are available. In this paper, we focus on the evaluation of correlation rules produced by an automatic process. In a first place, the method is evaluated on a representative system. In this realistic evaluation context, when the knowledge of both the attack scenario and the targeted system is precise enough, the generated rules allow to have a perfect detection rate (no false positive and no false negative). Then stress tests are conducted in order to measure the robustness of the approach when the generation of rules relies on a provided knowledge which is either partially incorrect or incomplete.
Document type :
Conference papers
Complete list of metadatas

https://hal.inria.fr/hal-01241810
Contributor : Eric Totel <>
Submitted on : Friday, December 11, 2015 - 9:05:25 AM
Last modification on : Friday, July 10, 2020 - 4:25:32 PM

Identifiers

Citation

Erwan Godefroy, Eric Totel, Michel Hurfin, Frédéric Majorczyk. Assessment of an Automatic Correlation Rules Generator. 11th International Conference on Information Systems Security (ICISS 2015), Dec 2015, Kolkata, India. ⟨10.1007/978-3-319-26961-0_13⟩. ⟨hal-01241810⟩

Share

Metrics

Record views

516