TY - GEN
T1 - Generation and assessment of correlation rules to detect complex attack scenarios
AU - Godefroy, Erwan
AU - Totel, Eric
AU - Hurfin, Michel
AU - Majorczyk, Frederic
N1 - Publisher Copyright:
© 2015 IEEE.
PY - 2015/12/3
Y1 - 2015/12/3
AB - Information systems can be targeted by different types of attacks. Some of them are easily detected (like a DDoS targeting the system) while others are more stealthy and consist of successive attack steps that compromise different parts of the targeted system. The alarms referring to detected attack steps are often hidden in a tremendous amount of notifications that include false alarms. Alert correlators use correlation rules (which can be explicit, implicit or semi-explicit [3]) in order to solve this problem by extracting complex relationships between the different generated events and alerts. On the other hand, providing maintainable, complete and accurate correlation rules specifically adapted to an information system is very difficult work. We propose an approach that, given proper input information, can build a complete and system-dependent set of correlation rules derived from a high-level attack scenario. We then evaluate the applicability of this method by applying it to a real system and, in a second phase, by assessing its fault tolerance in a simulated environment.
KW - Alert correlation
KW - Intrusion detection
KW - Security and protection
U2 - 10.1109/CNS.2015.7346896
DO - 10.1109/CNS.2015.7346896
M3 - Conference contribution
AN - SCOPUS:84966350544
T3 - 2015 IEEE Conference on Communications and Network Security, CNS 2015
SP - 707
EP - 708
BT - 2015 IEEE Conference on Communications and Network Security, CNS 2015
PB - Institute of Electrical and Electronics Engineers Inc.
T2 - 3rd IEEE International Conference on Communications and Network Security, CNS 2015
Y2 - 28 September 2015 through 30 September 2015
ER -