Assessment of an Automatic Correlation Rules Generator

Erwan Godefroy (1, 2), Eric Totel (2), Michel Hurfin (2), Frédéric Majorczyk (2, 1)
2: CIDRE - Confidentialité, Intégrité, Disponibilité et Répartition
CentraleSupélec, Inria Rennes – Bretagne Atlantique, IRISA-D1 - SYSTÈMES LARGE ÉCHELLE
Abstract: Information systems are prone to attacks. Those attacks can take different forms, from an obvious DDoS to a complex attack scenario involving a step-by-step, stealthy compromise of key nodes in the target system. Detecting such multi-step attack scenarios requires alert correlation systems. Those systems rely on explicit or implicit correlation rules to detect complex links between the various events or alerts produced by IDSes. Explicit and accurate correlation rules, strongly tied to the system, are difficult to build and maintain manually. However, this process can be partially automated when enough information on the attack scenario and on the target system is available. In this paper, we focus on the evaluation of correlation rules produced by an automatic process. First, the method is evaluated on a representative system. In this realistic evaluation context, when the knowledge of both the attack scenario and the targeted system is precise enough, the generated rules give a perfect detection rate (no false positive and no false negative). Then stress tests are conducted to measure the robustness of the approach when the generation of rules relies on provided knowledge that is either partially incorrect or incomplete.
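To make the abstract's two claims concrete (a rule built from precise scenario knowledge matches exactly the real attack, while a rule built from incomplete or incorrect knowledge produces false positives or false negatives), here is a small explicit correlation rule engine added as an illustration. It is not the paper's generator nor code from the authors: the rule format (an ordered list of IDS signatures with field-equality links between consecutive steps and a time window), the alert stream and the signature names are all constructed for this example.

```python
"""Toy explicit alert-correlation engine (illustration, not the paper's generator).

A rule is an ordered list of steps. Each step names an IDS signature and a
set of (this_field, prev_field) links that must be equal between the alert
matching this step and the alert matched at the previous step. All alerts of
one scenario instance must fall within `window` seconds of the first one.
"""
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

@dataclass(frozen=True)
class Alert:
    ts: int    # seconds since start of the capture
    sig: str   # IDS signature name
    src: str   # source host
    dst: str   # destination host

@dataclass(frozen=True)
class Step:
    sig: str
    links: Tuple[Tuple[str, str], ...] = ()  # (field on this alert, field on previous alert)

def _linked(step: Step, alert: Alert, prev: Optional[Alert]) -> bool:
    """True if every link constraint of `step` holds between `alert` and `prev`."""
    if prev is None:  # first step of a rule has nothing to link to
        return True
    return all(getattr(alert, a) == getattr(prev, b) for a, b in step.links)

def correlate(alerts: Sequence[Alert], rule: List[Step], window: int) -> List[Tuple[Alert, ...]]:
    """Return every complete scenario instance (tuple of alerts) matching `rule`."""
    partial: List[List[Alert]] = []      # in-progress matches, oldest first
    complete: List[Tuple[Alert, ...]] = []
    for a in sorted(alerts, key=lambda x: x.ts):
        # expire partial matches whose first alert is now outside the window
        partial = [p for p in partial if a.ts - p[0].ts <= window]
        grown: List[List[Alert]] = []
        for p in partial + [[]]:         # [] = try to start a new instance
            step = rule[len(p)]
            prev = p[-1] if p else None
            if a.sig == step.sig and _linked(step, a, prev):
                q = p + [a]
                if len(q) == len(rule):
                    complete.append(tuple(q))
                else:
                    grown.append(q)
        partial.extend(grown)
    return complete

# Constructed alert stream: one real 3-step intrusion by attacker "A" against
# H1, then a hop to H2; plus noise (a benign scanner "B", an unrelated exploit).
ALERTS = [
    Alert(0,  "SCAN",    "B",  "H1"),   # noise: unrelated scanner
    Alert(5,  "SCAN",    "A",  "H1"),   # real step 1
    Alert(10, "EXPLOIT", "A",  "H1"),   # real step 2
    Alert(12, "LATERAL", "H1", "H2"),   # real step 3 (pivot from H1)
    Alert(20, "EXPLOIT", "C",  "H3"),   # noise: exploit with no prior scan
    Alert(30, "LATERAL", "H1", "H4"),   # noise: too late for the window
]
WINDOW = 20
TRUE_ATTACKERS = {"A"}  # ground truth for the constructed stream

# Rule from precise knowledge of scenario and system.
FULL_RULE = [
    Step("SCAN"),
    Step("EXPLOIT", (("src", "src"), ("dst", "dst"))),  # same attacker, same target
    Step("LATERAL", (("src", "dst"),)),                 # pivot originates from the target
]
# Rule from incomplete knowledge: the exploit step was unknown and is missing.
INCOMPLETE_RULE = [Step("SCAN"), Step("LATERAL", (("src", "dst"),))]
# Rule from incorrect knowledge: wrong signature name for the exploit step.
WRONG_SIG_RULE = [FULL_RULE[0], Step("EXPLOIT_RCE", FULL_RULE[1].links), FULL_RULE[2]]

def score(matches: Sequence[Tuple[Alert, ...]], truth=TRUE_ATTACKERS) -> Tuple[int, int, int]:
    """(true positives, false positives, false negatives) by attacker identity."""
    detected = {m[0].src for m in matches}
    return len(detected & truth), len(detected - truth), len(truth - detected)

if __name__ == "__main__":
    for name, rule in [("full", FULL_RULE), ("incomplete", INCOMPLETE_RULE), ("wrong-sig", WRONG_SIG_RULE)]:
        print(name, "tp/fp/fn =", score(correlate(ALERTS, FULL_RULE if rule is FULL_RULE else rule, WINDOW)))
```

On this stream the precise rule reports the single real instance, the rule missing the exploit step additionally blames the benign scanner "B" (a false positive, because SCAN followed by LATERAL from the scanned host is enough to fire), and the rule with a wrong signature name never advances past step 1 (a false negative). This is the shape of degradation the abstract's stress tests are about.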
Document type:
Conference paper
Eleventh International Conference on Information Systems Security (ICISS 2015) , Dec 2015, Kolkata, India. Proceedings of the Eleventh International Conference on Information Systems Security (ICISS 2015) 2015

https://hal.inria.fr/hal-01241810
Contributor: Eric Totel
Submitted on: Friday 11 December 2015 - 09:05:25
Last modified on: Tuesday 16 January 2018 - 15:54:19

Identifiers

  • HAL Id : hal-01241810, version 1

Citation

Erwan Godefroy, Eric Totel, Michel Hurfin, Frédéric Majorczyk. Assessment of an Automatic Correlation Rules Generator. Eleventh International Conference on Information Systems Security (ICISS 2015) , Dec 2015, Kolkata, India. Proceedings of the Eleventh International Conference on Information Systems Security (ICISS 2015) 2015. 〈hal-01241810〉

Metrics

Record views

317