Assessment of an Automatic Correlation Rules Generator

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9478)


Information systems are prone to attacks. Those attacks can take different forms, from an obvious DDoS to a complex attack scenario involving a step-by-step stealthy compromise of key nodes in the target system. In order to detect those multi-step attack scenarios, alert correlation systems are required. Those systems rely on explicit or implicit correlation rules in order to detect complex links between the various events or alerts produced by IDSes. Explicit and accurate correlation rules strongly linked to the system are difficult to build and maintain manually. However, this process can be partially automated when enough information on the attack scenario and the target system is available. In this paper, we focus on the evaluation of correlation rules produced by an automatic process. First, the method is evaluated on a representative system. In this realistic evaluation context, when the knowledge of both the attack scenario and the targeted system is precise enough, the generated rules yield a perfect detection rate (no false positives and no false negatives). Then, stress tests are conducted in order to measure the robustness of the approach when the generation of rules relies on provided knowledge which is either partially incorrect or incomplete.
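The abstract describes three things: deriving a correlation rule from an attack scenario plus knowledge of the target system, scoring it on an alert stream (false positives and false negatives), and stress-testing it with incomplete or incorrect knowledge. The following is an added illustrative example, not the authors' generator or evaluation setup. The rule shape (an ordered chain of sensor-specific alerts that must complete within a time window), the four-step scenario, the sensor mapping and the alert stream are all constructed assumptions.

```python
# Added illustrative example (not the paper's generator): a correlation rule
# derived from an attack scenario plus knowledge of the target system, matched
# against an IDS alert stream, then scored and stress-tested.
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple


@dataclass(frozen=True)
class Alert:
    t: int       # timestamp in seconds (constructed)
    sensor: str  # which IDS emitted the alert
    sig: str     # signature / event class
    host: str    # host the alert concerns


# One rule step: the concrete alert a given scenario step is expected to raise.
Step = Dict[str, str]

# Hypothetical four-step scenario read off an attack tree (assumption).
SCENARIO = ["scan", "exploit_web", "privesc", "exfil"]

# Hypothetical knowledge of the target system: which sensor observes each
# step and under which signature (assumption).
SYSTEM_MAP: Dict[str, Step] = {
    "scan":        {"sensor": "nids", "sig": "PORTSCAN",       "host": "web"},
    "exploit_web": {"sensor": "waf",  "sig": "SQLI",           "host": "web"},
    "privesc":     {"sensor": "hids", "sig": "SUID_EXEC",      "host": "web"},
    "exfil":       {"sensor": "nids", "sig": "LARGE_OUTBOUND", "host": "web"},
}


def generate_rule(scenario: Sequence[str], system_map: Dict[str, Step]) -> List[Step]:
    """Turn scenario steps into an ordered list of expected alerts. Steps the
    system knowledge does not cover (incomplete knowledge) are dropped, which
    loosens the rule."""
    return [system_map[s] for s in scenario if s in system_map]


def _matches(alert: Alert, step: Step) -> bool:
    return all(getattr(alert, k) == v for k, v in step.items())


def correlate(rule: List[Step], alerts: Sequence[Alert], window: int) -> List[Tuple[int, int]]:
    """Report (start_t, end_t) for every completed rule instance: all steps must
    occur in order and the chain must fit inside `window` seconds. Tracks one
    pending instance at a time (toy simplification)."""
    if not rule:
        return []
    found, i, start = [], 0, None
    for a in sorted(alerts, key=lambda x: x.t):
        if start is not None and a.t - start > window:
            i, start = 0, None          # pending instance expired
        if _matches(a, rule[i]):
            if i == 0:
                start = a.t
            i += 1
            if i == len(rule):
                found.append((start, a.t))
                i, start = 0, None
    return found


def score(detections: Sequence[Tuple[int, int]], truth_starts: Sequence[int]) -> Dict[str, int]:
    """A detection is a true positive if it starts at a real attack's first step."""
    truth = set(truth_starts)
    tp = sum(1 for s, _ in detections if s in truth)
    fp = len(detections) - tp
    fn = len(truth - {s for s, _ in detections})
    return {"tp": tp, "fp": fp, "fn": fn}


# Constructed alert stream: two real attacks (starting t=10 and t=200), two
# isolated false alarms, and a chain at t=300 that skips privilege escalation.
ALERTS = [
    Alert(10, "nids", "PORTSCAN", "web"), Alert(20, "waf", "SQLI", "web"),
    Alert(30, "hids", "SUID_EXEC", "web"), Alert(40, "nids", "LARGE_OUTBOUND", "web"),
    Alert(100, "nids", "PORTSCAN", "web"), Alert(150, "waf", "SQLI", "web"),
    Alert(200, "nids", "PORTSCAN", "web"), Alert(210, "waf", "SQLI", "web"),
    Alert(220, "hids", "SUID_EXEC", "web"), Alert(230, "nids", "LARGE_OUTBOUND", "web"),
    Alert(300, "nids", "PORTSCAN", "web"), Alert(310, "waf", "SQLI", "web"),
    Alert(320, "nids", "LARGE_OUTBOUND", "web"),
]
TRUTH_STARTS = [10, 200]
WINDOW = 60


def run_experiments() -> Dict[str, Dict[str, int]]:
    """Exact knowledge, then two stress cases: incomplete and incorrect knowledge."""
    exact = generate_rule(SCENARIO, SYSTEM_MAP)
    incomplete_map = {k: v for k, v in SYSTEM_MAP.items() if k != "privesc"}
    incomplete = generate_rule(SCENARIO, incomplete_map)
    incorrect_map = dict(SYSTEM_MAP)
    incorrect_map["privesc"] = {**SYSTEM_MAP["privesc"], "sensor": "nids"}  # wrong sensor
    incorrect = generate_rule(SCENARIO, incorrect_map)
    return {
        "exact":      score(correlate(exact, ALERTS, WINDOW), TRUTH_STARTS),
        "incomplete": score(correlate(incomplete, ALERTS, WINDOW), TRUTH_STARTS),
        "incorrect":  score(correlate(incorrect, ALERTS, WINDOW), TRUTH_STARTS),
    }


if __name__ == "__main__":
    for name, res in run_experiments().items():
        print(f"{name:11s} {res}")
```

With exact knowledge the rule detects both attacks and nothing else. Dropping one scenario step from the system knowledge (incomplete) loosens the rule and the truncated chain at t=300 becomes a false positive; mapping that step to the wrong sensor (incorrect) makes the rule unsatisfiable and both attacks become false negatives. The two stress cases fail in opposite directions, which is why both need measuring.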


Keywords: Alert correlation evaluation; Attack scenario; Attack tree



Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  • E. Godefroy (1, 2, 3)
  • E. Totel (3)
  • M. Hurfin (2)
  • F. Majorczyk (1)

  1. DGA-MI, Bruz, France
  2. Inria, Rennes, France
  3. CentraleSupélec, Rennes, France
