
Assessment of an Automatic Correlation Rules Generator

  • Conference paper
Information Systems Security (ICISS 2015)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 9478)


Abstract

Information systems are prone to attacks. Those attacks can take different forms, from an obvious DDoS to a complex attack scenario involving a step-by-step stealthy compromise of key nodes in the target system. In order to detect those multi-step attack scenarios, alert correlation systems are required. Those systems rely on explicit or implicit correlation rules in order to detect complex links between the various events or alerts produced by IDSes. Explicit and accurate correlation rules strongly tied to the system are difficult to build and maintain manually. However, this process can be partially automated when enough information on the attack scenario and on the target system is available. In this paper, we focus on the evaluation of correlation rules produced by an automatic process. First, the method is evaluated on a representative system. In this realistic evaluation context, when the knowledge of both the attack scenario and the targeted system is precise enough, the generated rules achieve a perfect detection rate (no false positives and no false negatives). Then, stress tests are conducted in order to measure the robustness of the approach when the generation of rules relies on provided knowledge that is either partially incorrect or incomplete.

This work was partially funded by the European project Panoptesec (FP7-GA 610416).
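As an added illustration of the evaluation set-up the abstract describes (this is not the authors' generator or any code from the paper): a toy rule generator derives an ordered alert pattern from a constructed scenario and a constructed system model, a simple correlator matches that pattern over a constructed alert stream, and the same ground truth is scored when the system knowledge is exact, partly incorrect, or incomplete. All hosts, signatures, addresses, the time window and the rule format are assumptions made for this example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Alert:
    t: int     # timestamp in seconds
    host: str  # host where the IDS raised the alert
    sig: str   # IDS signature name
    src: str   # source address the alert is attributed to

# Constructed attack scenario: abstract steps, in order.
SCENARIO = ["web_exploit", "priv_esc", "db_dump"]
# Constructed target-system knowledge: host and IDS signature observed for each step.
SYSTEM = {"web_exploit": ("web01", "WEB_RCE"),
          "priv_esc": ("web01", "SUDO_ABUSE"),
          "db_dump": ("db01", "SQL_BULK_READ")}

def generate_rule(scenario, system, window=600):
    """Derive an explicit rule: ordered (host, sig) patterns within a time window.
    Steps missing from the system knowledge are silently dropped (incomplete knowledge)."""
    return {"steps": [system[s] for s in scenario if s in system], "window": window}

def correlate(rule, alerts):
    """Return (src, t) for every complete, in-order match of the rule, tracked per source."""
    detections, progress = [], {}  # progress[src] = (next step index, start time)
    for a in sorted(alerts, key=lambda x: x.t):
        idx, start = progress.get(a.src, (0, 0))
        if idx and a.t - start > rule["window"]:
            idx = 0  # partial match is older than the window: forget it
        if rule["steps"] and (a.host, a.sig) == rule["steps"][idx]:
            start = a.t if idx == 0 else start
            idx += 1
            if idx == len(rule["steps"]):
                detections.append((a.src, a.t))
                idx = 0
        progress[a.src] = (idx, start)
    return detections

def evaluate(rule, alerts, truth):
    """Score detections against ground truth (the set of sources that really ran the scenario)."""
    found = {src for src, _ in correlate(rule, alerts)}
    return {"tp": len(found & truth), "fp": len(found - truth), "fn": len(truth - found)}

# Constructed alert stream: one real attacker (10.0.0.9), one admin doing a legitimate
# sudo and bulk read (10.0.0.5), one scanner that only triggers the first signature (10.0.0.7).
ALERTS = [Alert(0, "web01", "WEB_RCE", "10.0.0.9"), Alert(120, "web01", "SUDO_ABUSE", "10.0.0.9"),
          Alert(300, "db01", "SQL_BULK_READ", "10.0.0.9"), Alert(50, "web01", "SUDO_ABUSE", "10.0.0.5"),
          Alert(400, "db01", "SQL_BULK_READ", "10.0.0.5"), Alert(10, "web01", "WEB_RCE", "10.0.0.7")]
TRUTH = {"10.0.0.9"}

def stress_test():
    """Exact knowledge vs. one incorrect host mapping vs. one missing scenario step."""
    wrong = dict(SYSTEM, db_dump=("db02", "SQL_BULK_READ"))
    partial = {k: v for k, v in SYSTEM.items() if k != "web_exploit"}
    return {name: evaluate(generate_rule(SCENARIO, sys), ALERTS, TRUTH)
            for name, sys in [("exact", SYSTEM), ("incorrect", wrong), ("incomplete", partial)]}
```

With exact knowledge the rule scores perfectly on this stream; an incorrect host mapping turns the real attack into a false negative, while a missing first step lets the admin's legitimate activity match and produces a false positive.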


Notes

  1. MIT Lincoln Laboratory, DARPA Intrusion Detection Evaluation, http://www.ll.mit.edu/ideval/.



Corresponding author: E. Godefroy.


Copyright information

© 2015 Springer International Publishing Switzerland

About this paper

Cite this paper

Godefroy, E., Totel, E., Hurfin, M., Majorczyk, F. (2015). Assessment of an Automatic Correlation Rules Generator. In: Jajodia, S., Mazumdar, C. (eds) Information Systems Security. ICISS 2015. Lecture Notes in Computer Science, vol 9478. Springer, Cham. https://doi.org/10.1007/978-3-319-26961-0_13


  • DOI: https://doi.org/10.1007/978-3-319-26961-0_13


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-26960-3

  • Online ISBN: 978-3-319-26961-0

  • eBook Packages: Computer Science (R0)
