Conference papers

A Scalable and Efficient Correlation Engine to Detect Multi-step Attacks in Distributed Systems

David Lanoe (1), Michel Hurfin (1), Eric Totel (1)
(1) CIDRE - Confidentialité, Intégrité, Disponibilité et Répartition; CentraleSupélec, Inria Rennes – Bretagne Atlantique, IRISA-D1 - SYSTÈMES LARGE ÉCHELLE
Abstract: In distributed systems, and in particular in industrial SCADA environments, alert correlation systems are necessary to identify complex multi-step attacks within the huge volume of alerts and events. In this paper we describe an automata-based correlation engine developed in the context of a European project whose main stakeholder was an energy distribution company. The behavior of the engine is extended to fit new requirements. In the proposed solution, a fully automated process generates thousands of correlation rules. Despite this major scalability challenge, the designed correlation engine exhibits good performance: expected rates of incoming low-level alerts approaching several hundred elements per second are tolerated. Moreover, the data structures used allow dynamic changes to the set of correlation rules to be handled quickly. As some attack steps are not observed, the correlation engine can be tuned to raise an alert when all the attack steps except k of them have been detected. To be able to react to an ongoing attack by taking countermeasures, alerts must also be raised as soon as a significant prefix of an attack scenario is recognized. Fulfilling these additional requirements increases memory consumption; therefore, purge mechanisms are also proposed and analyzed. An evaluation of the tool is conducted in the context of a SCADA environment.
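The abstract names three behaviours of the engine: raising an alert once every step except at most k has been observed, raising an early warning once a significant prefix of the scenario is recognized, and purging partial matches to bound memory. The following Python sketch is an added example, not the paper's engine or the authors' code; it implements those three behaviours for one constructed scenario as a small non-deterministic automaton, where each partial match is a state (next expected step, steps skipped so far). The scenario name, the step labels, the k / prefix / window parameters and the alert trace in run_demo() are all invented for illustration.

```python
from dataclasses import dataclass, replace
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Scenario:
    name: str
    steps: Tuple[str, ...]   # ordered low-level alert types forming the attack
    k: int                   # steps allowed to go unobserved and still fire
    prefix_len: int          # matched steps needed for an early "prefix" warning
    window: float            # seconds a partial match may live before being purged


@dataclass(frozen=True)
class Partial:
    """One partially recognised scenario instance (an automaton state)."""
    next_idx: int            # index of the next expected step
    skipped: int             # steps jumped over so far (budget consumed from k)
    started: float           # timestamp of the first matched alert
    prefix_raised: bool = False

    @property
    def matched(self) -> int:
        return self.next_idx - self.skipped


class CorrelationEngine:
    def __init__(self, scenarios):
        self.scenarios = list(scenarios)
        self.partials: Dict[str, List[Partial]] = {s.name: [] for s in self.scenarios}
        self.raised: List[Tuple[float, str, str]] = []   # (time, scenario, kind)

    def purge(self, now: float) -> None:
        """Drop partial matches older than the scenario window (memory bound)."""
        for s in self.scenarios:
            self.partials[s.name] = [p for p in self.partials[s.name]
                                     if now - p.started <= s.window]

    def process(self, alert_type: str, now: float) -> None:
        self.purge(now)
        for s in self.scenarios:
            kept: List[Partial] = []
            # A fresh candidate lets any alert start a new instance of the scenario.
            for p in self.partials[s.name] + [Partial(0, 0, now)]:
                completed = False
                for j in range(p.next_idx, len(s.steps)):
                    jump = j - p.next_idx          # steps skipped by this transition
                    if s.steps[j] != alert_type or p.skipped + jump > s.k:
                        continue
                    adv = replace(p, next_idx=j + 1, skipped=p.skipped + jump)
                    if adv.matched >= len(s.steps) - s.k:
                        # all steps except at most k were observed: full alert
                        self.raised.append((now, s.name, "complete"))
                        completed = True
                    else:
                        if adv.matched >= s.prefix_len and not adv.prefix_raised:
                            # significant prefix seen: early warning for countermeasures
                            self.raised.append((now, s.name, "prefix"))
                            adv = replace(adv, prefix_raised=True)
                        kept.append(adv)
                    break                           # take the earliest matching step
                if p.next_idx > 0 and not completed:
                    kept.append(p)                  # the alert may belong to another instance
            # Deduplicate identical states so the NFA does not grow without bound.
            self.partials[s.name] = list(dict.fromkeys(kept))


def run_demo():
    """Feed a constructed alert trace through one constructed scenario."""
    scenario = Scenario("lateral_move",
                        ("recon_scan", "auth_failure_burst",
                         "new_admin_account", "outbound_c2"),
                        k=1, prefix_len=2, window=600)
    engine = CorrelationEngine([scenario])
    trace = [  # constructed (time, alert type) pairs, not real data
        (0, "recon_scan"),
        (30, "auth_failure_burst"),      # prefix of 2 steps -> early warning
        (120, "outbound_c2"),            # new_admin_account unobserved, k=1 -> complete
        (2000, "recon_scan"),            # old partials exceed the window and are purged
        (2010, "new_admin_account"),     # auth_failure_burst skipped, still a prefix of 2
        (2020, "outbound_c2"),           # complete again
    ]
    for t, a in trace:
        engine.process(a, t)
    return engine.raised, len(engine.partials["lateral_move"])


if __name__ == "__main__":
    raised, live = run_demo()
    for event in raised:
        print(event)
    print("live partial matches:", live)
```

Keeping the original partial alongside its advanced copy is what makes the automaton non-deterministic and is also what drives the memory growth the abstract mentions; the window-based purge and the state deduplication are the two controls that keep the live set small in this sketch.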

Cited literature: 14 references

https://hal.inria.fr/hal-01949183
Contributor: Michel Hurfin
Submitted on: Sunday, December 9, 2018 - 6:31:11 PM
Last modification on: Friday, July 10, 2020 - 4:01:37 PM
Long-term archiving on: Sunday, March 10, 2019 - 2:14:07 PM

File

Hal-SRDS-2018.pdf
Files produced by the author(s)

Citation

David Lanoe, Michel Hurfin, Eric Totel. A Scalable and Efficient Correlation Engine to Detect Multi-step Attacks in Distributed Systems. SRDS 2018 - 37th IEEE International Symposium on Reliable Distributed Systems, Oct 2018, Salvador, Brazil. pp.1-10, ⟨10.1109/srds.2018.00014⟩. ⟨hal-01949183⟩

Metrics

Record views: 195
File downloads: 410