Generation and assessment of correlation rules to detect complex attack scenarios

Information systems can be targeted by different types of attacks. Some of them are easily detected (like a DDoS targeting the system) while others are more stealthy and consist of successive attack steps that compromise different parts of the targeted system. The alarms referring to detected attack steps are often hidden in a tremendous amount of notifications that include false alarms. Alert correlators use correlation rules (which can be explicit, implicit or semi-explicit [3]) to solve this problem by extracting complex relationships between the different generated events and alerts. On the other hand, providing maintainable, complete and accurate correlation rules specifically adapted to an information system is a very difficult task. We propose an approach that, given proper input information, can build a complete and system-dependent set of correlation rules derived from a high-level attack scenario. We then evaluate the applicability of this method by applying it to a real system and, in a second phase, assessing the fault tolerance in a simulated environment.

[1] Eric Totel et al. Automatic generation of correlation rules to detect complex attack scenarios. 2014 10th International Conference on Information Assurance and Security, 2014.

[2] Gabriel Maciá-Fernández et al. A model-based survey of alert correlation techniques. Computer Networks, 2013.

[3] Bülent Yener et al. Modeling and detection of complex attacks. 2007 Third International Conference on Security and Privacy in Communications Networks and the Workshops (SecureComm 2007), 2007.

[4] Ludovic Mé et al. A Language Driven Intrusion Detection System for Event and Alert Correlation. 2004.