Conference papers

A Scalable and Efficient Correlation Engine to Detect Multi-step Attacks in Distributed Systems

David Lanoe (1), Michel Hurfin (1), Eric Totel (1)
(1) CIDRE - Confidentialité, Intégrité, Disponibilité et Répartition; CentraleSupélec, Inria Rennes – Bretagne Atlantique, IRISA-D1 - SYSTÈMES LARGE ÉCHELLE
Abstract: In distributed systems, and in particular in industrial SCADA environments, alert correlation systems are necessary to identify complex multi-step attacks within the huge volume of alerts and events. In this paper we describe an automata-based correlation engine developed in the context of a European project whose main stakeholder was an energy distribution company. The behavior of the engine is extended to fit new requirements. In the proposed solution, a fully automated process generates thousands of correlation rules. Despite this major scalability challenge, the designed correlation engine exhibits good performance: expected rates of incoming low-level alerts, approaching several hundred elements per second, are tolerated. Moreover, the data structures used allow dynamic changes to the set of correlation rules to be handled quickly. Since some attack steps are not observed, the correlation engine can be tuned to raise an alert when all the attack steps except k of them have been detected. To be able to react to an ongoing attack by taking countermeasures, alerts must also be raised as soon as a significant prefix of an attack scenario is recognized. Fulfilling these additional requirements increases memory consumption; purge mechanisms are therefore also proposed and analyzed. An evaluation of the tool is conducted in the context of a SCADA environment.
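The abstract names three behaviours of the engine: matching an ordered attack scenario with an automaton, raising an alert once all steps except k have been observed, raising an early alert on a significant prefix, and purging state to bound memory. The following Python block is an added illustration of those ideas and is not the paper's engine or code; the scenario step names, the alert stream, the per-target instance keying and the idle-timeout purge policy are all constructed assumptions for the example.

```python
"""Illustrative multi-step attack correlator (constructed example, not the paper's engine)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed scenario: ordered steps of one hypothetical multi-step attack (assumed names).
SCENARIO: List[str] = ["port_scan", "ssh_bruteforce", "priv_escalation", "plc_write"]


@dataclass
class Instance:
    """One in-progress match of the scenario for a given target (e.g. a host)."""
    pos: int = 0                # index of the next scenario step the automaton expects
    observed: int = 0           # number of scenario steps actually seen
    missed: int = 0             # number of steps skipped so far (bounded by k)
    last_seen: float = 0.0      # timestamp of the most recent matching alert
    prefix_raised: bool = False # early warning already emitted for this instance


@dataclass
class Correlator:
    steps: List[str]
    k: int                      # steps allowed to go unobserved ("all steps except k")
    prefix_len: int             # early warning once this many steps have been matched
    idle_timeout: float         # assumed purge policy: drop instances idle this long (s)
    instances: Dict[str, Instance] = field(default_factory=dict)

    def feed(self, ts: float, target: str, step: str) -> Optional[Tuple[str, str]]:
        """Consume one low-level alert; return (kind, target) when an alert is raised."""
        self.purge(ts)
        if step not in self.steps:
            return None  # not part of this scenario at all
        inst = self.instances.setdefault(target, Instance(last_seen=ts))
        # Look for this step at or after the expected position, skipping at most
        # the remaining tolerated misses; anything further away is rejected.
        remaining = self.k - inst.missed
        for i in range(inst.pos, min(len(self.steps), inst.pos + remaining + 1)):
            if self.steps[i] == step:
                break
        else:
            return None  # out of order or too many steps would have to be skipped
        inst.missed += i - inst.pos
        inst.pos = i + 1
        inst.observed += 1
        inst.last_seen = ts
        if inst.observed >= len(self.steps) - self.k:
            del self.instances[target]  # scenario detected: release its state
            return ("attack", target)
        if inst.observed >= self.prefix_len and not inst.prefix_raised:
            inst.prefix_raised = True
            return ("prefix", target)
        return None

    def purge(self, now: float) -> int:
        """Drop instances that have not progressed within idle_timeout; return how many."""
        stale = [t for t, inst in self.instances.items()
                 if now - inst.last_seen > self.idle_timeout]
        for t in stale:
            del self.instances[t]
        return len(stale)


# Constructed alert stream: (timestamp in seconds, target, step). Not real SCADA data.
SAMPLE_ALERTS = [
    (0.0, "hmi-1", "port_scan"),
    (5.0, "hmi-1", "ssh_bruteforce"),   # second step: a "significant prefix" with prefix_len=2
    (7.0, "hmi-2", "port_scan"),
    (9.0, "hmi-1", "plc_write"),        # priv_escalation never observed: tolerated with k=1
    (400.0, "hmi-2", "ssh_bruteforce"), # hmi-2 state was purged after 300 s idle, restarts here
]


def run(alerts=SAMPLE_ALERTS, k=1, prefix_len=2, idle_timeout=300.0):
    """Replay an alert stream and collect the alerts the correlator raises."""
    corr = Correlator(SCENARIO, k, prefix_len, idle_timeout)
    raised = []
    for ts, target, step in alerts:
        result = corr.feed(ts, target, step)
        if result:
            raised.append(result)
    return raised, corr


if __name__ == "__main__":
    alerts_raised, state = run()
    for kind, target in alerts_raised:
        print(f"{kind:7s} {target}")
    print("live instances:", list(state.instances))
```

The tolerance is enforced inside the automaton transition rather than after the fact: a step is only accepted if reaching it skips no more than the unused part of k, so the final "attack" decision can rely on a simple count of observed steps. The purge policy here (idle timeout per target) is one plausible choice; the paper proposes and analyses its own mechanisms, which this block does not reproduce.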

Cited literature: 14 references
Contributor: Michel Hurfin
Submitted on: Sunday, December 9, 2018 - 6:31:11 PM
Last modification on: Saturday, August 6, 2022 - 3:32:58 AM
Long-term archiving on: Sunday, March 10, 2019 - 2:14:07 PM





David Lanoe, Michel Hurfin, Eric Totel. A Scalable and Efficient Correlation Engine to Detect Multi-step Attacks in Distributed Systems. SRDS 2018 - 37th IEEE International Symposium on Reliable Distributed Systems, Oct 2018, Salvador, Brazil. pp.1-10, ⟨10.1109/srds.2018.00014⟩. ⟨hal-01949183⟩


