TY - GEN
T1 - A scalable and efficient correlation engine to detect multi-step attacks in distributed systems
AU - Lanoe, David
AU - Hurfin, Michel
AU - Totel, Eric
N1 - Publisher Copyright:
©2018 IEEE
PY - 2018/7/2
Y1 - 2018/7/2
AB - In distributed systems, and in particular in industrial SCADA environments, alert correlation systems are necessary to identify complex multi-step attacks within the huge volume of alerts and events. In this paper we describe an automata-based correlation engine developed in the context of a European project where the main stakeholder was an energy distribution company. The behavior of the engine is extended to fit new requirements. In the proposed solution, a fully automated process generates thousands of correlation rules. Despite this major scalability challenge, the designed correlation engine exhibits good performance. Expected rates of incoming low-level alerts approaching several hundred elements per second are tolerated. Moreover, the data structures used allow dynamic changes to the set of correlation rules to be handled quickly. As some attack steps are not observed, the correlation engine can be tuned to raise an alert when all the attack steps except k of them have been detected. To be able to react to an ongoing attack by taking countermeasures, alerts must also be raised as soon as a significant prefix of an attack scenario is recognized. Fulfilling these additional requirements increases memory consumption. Therefore, purge mechanisms are also proposed and analyzed. An evaluation of the tool is conducted in the context of a SCADA environment.
U2 - 10.1109/SRDS.2018.00014
DO - 10.1109/SRDS.2018.00014
M3 - Conference contribution
AN - SCOPUS:85062104693
T3 - Proceedings of the IEEE Symposium on Reliable Distributed Systems
SP - 31
EP - 40
BT - Proceedings - 2018 IEEE 37th Symposium on Reliable Distributed Systems, SRDS 2018
PB - IEEE Computer Society
T2 - 37th Symposium on Reliable Distributed Systems, SRDS 2018
Y2 - 2 October 2018 through 5 October 2018
ER -