Skip to Main content Skip to Navigation
Journal articles

OMMA: open architecture for Operator-guided Monitoring of Multi-step Attacks

Abstract : Current attacks are complex and stealthy. The recent WannaCry malware campaign demonstrates that this is true notonly for targeted operations, but also for massive attacks. Complex attacks can only be described as a set ofindividual actions composing a global strategy. Most of the time, different devices are involved in the same attackscenario. Information about the events recorded in these devices can be collected in the shape of logs in a centralsystem, where an automatic search of threat traces can be implemented. Much has been written about automaticevent correlation to detect multi-step attacks but the proposed methods are rarely brought together in the sameplatform. In this paper, we propose OMMA (Operator-guided Monitoring of Multi-step Attacks), an open andcollaborative engineering system which offers a platform to integrate the methods developed by the multi-stepattack detection research community. Inspired by a HuMa access (Navarro et al., HuMa: A multi-layer framework forthreat analysis in a heterogeneous log environment, 2017) and Knowledge and Information Logs-based System(Legrand et al., Vers une architecture «big-data» bio-inspirée pour la détection d’anomalie des SIEM, 2014) systems,OMMA incorporates real-time feedback from human experts, so the integrated methods can improve theirperformance through a learning process. This feedback loop is used by Morwilog, an Ant Colony Optimization-basedanalysis engine that we show as one of the first methods to be integrated in OMMA.
Complete list of metadata
Contributor : Research Team Sécurité Défense Connect in order to contact the contributor
Submitted on : Thursday, June 10, 2021 - 4:04:36 PM
Last modification on : Monday, February 21, 2022 - 3:38:11 PM
Long-term archiving on: : Saturday, September 11, 2021 - 7:20:52 PM


Publisher files allowed on an open archive


Distributed under a Creative Commons Attribution 4.0 International License



Julio Navarro, Véronique Legrand, Aline Deruyver, Pierre Parrend. OMMA: open architecture for Operator-guided Monitoring of Multi-step Attacks. EURASIP Journal on Information Security, Hindawi/SpringerOpen, 2018, 2018 (1), pp.144-159. ⟨10.1186/s13635-018-0075-x⟩. ⟨hal-03218219⟩



Record views


Files downloads