Automatic Generation of Correlation Rules to Detect Complex Attack Scenarios - Archive ouverte HAL
Journal article, Journal of Information Assurance and Security, Year: 2015

Automatic Generation of Correlation Rules to Detect Complex Attack Scenarios

Abstract

Current SIEMs (Security Information and Event Management systems) provide very simple alert correlation languages that express, at best, the recognition of a sequence of alerts. That is why our team developed a correlation tool called GnG that describes attacks in ADeLe (Attack Description Language). This language provides an efficient way to describe complex multi-step attack scenarios. However, experience has shown that writing such correlation rules is very difficult: it requires a high level of knowledge of both the attack and the supervision mechanisms deployed in the system. In this paper, we show that, starting from an enriched attack tree that describes the attack, an automated process can generate exhaustive correlation rules that would be tedious and error-prone to produce by hand. While the initial attack tree is an informal, high-level description, the transformation relies on a specific description of the execution environment (the topology, services and sensors composing the system). Those elements make it possible to produce correlation rules tightly linked to the characteristics of the target system (e.g., the possible targets of each step of an attack, the deployed intrusion detection systems and sensors). A proof of concept implements the proposed transformations and can generate usable correlation rules.
No file deposited

Dates and versions

hal-01241807 , version 1 (11-12-2015)

Identifiers

  • HAL Id : hal-01241807 , version 1

Cite

Erwan Godefroy, Eric Totel, Michel Hurfin, Frédéric Majorczyk. Automatic Generation of Correlation Rules to Detect Complex Attack Scenarios. Journal of Information Assurance and Security, 2015, 10 (3), pp.11. ⟨hal-01241807⟩