Automatic generation of correlation rules to detect complex attack scenarios

Godefroy, Erwan; Totel, Éric; Hurfin, Michel; Majorczyk, Frédéric

doi:10.1109/isias.2014.7064615

Cited by 6 publications

(6 citation statements)

References 11 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Malware samples are classified in to different classes and rules for each class are generated with positional information of signature to improve performance. Godefroy et al suggested an approach to automatically create co-related rules [23]. A human expert provides action tree derived from attack tree and a fully automatic system creates co-related rules.…”

Section: Cmentioning

confidence: 99%

Flow-Based Rules Generation for Intrusion Detection System using Machine Learning Approach

Saleem

Anwar

Bashir

et al. 2020

Research Journal Of Computer Science And Information Technology

View full text Add to dashboard Cite

Rapid increase in internet users also brought new ways of privacy and security exploitation. Intrusion is one of such attacks in which an authorized user can access system resources and is major concern for cyber security community. Although AV and firewall companies work hard to cope with this kind of attacks and generate signatures for such exploits but still, they are lagging behind badly in this race. This research proposes an approach to ease the task of rules generationby making use of machine learning for this purpose. We used 17 network features to train a random forest classifier and this trained classifier is then translated into rules which can easily be integrated with most commonly used firewalls like snort and suricata etc. This work targets five kind of attacks: brute force, denial of service, HTTP DoS, infiltrate from inside and SSH brute force. Separate rules are generated for each kind of attack. As not every generated rule contributes toward detection that's why an evaluation mechanism is also used which selects the best rule on the basis of precision and f-measure values. Generated rules for some attacks have 100% precision with detection rate of more than 99% which represents effectiveness of this approach on traditional firewalls. As our proposed system translates trained classifier model into set of rules for firewalls so it is not only effective for rules generation but also give machine learning characteristics to traditional firewall to some extent.

show abstract

Section: Cmentioning

confidence: 99%

Flow-Based Rules Generation for Intrusion Detection System using Machine Learning Approach

Saleem

Anwar

Bashir

et al. 2020

Research Journal Of Computer Science And Information Technology

View full text Add to dashboard Cite

show abstract

“…When it is done by human experts, this is a non trivial, time consuming, and error-prone task. Thus a recent work [2] aims at producing the correlation rules through an automated process.…”

Section: State Of the Art: Alert Correlationmentioning

confidence: 99%

“…This representation of the attacker's behavior can be transformed into a correlation tree that represents all the sequences of events or alerts an attacker can generate in the supervised system. This approach has been followed in [2] and demonstrates that an attack can be associated with two similar representations corresponding respectively to the point of view of the attacker (attack tree) and the point of view of the defender (correlation tree). A base of knowledge about the system can be used to develop an automated process which establish the links between actions and possible observations and thus deduce the correlation rules from the attacker description [2].…”

Section: State Of the Art: Alert Correlationmentioning

confidence: 99%

“…IDSes are often inaccurate and a large number of these alerts are false positives that overwhelm the administrator of a system. The original purpose of an alert correlation process was thus (1) to reduce the number of false positives and (2) to propose high semantic alerts to the administrator when an actual attack occurs. In particular, a correlation engine should be able to consider multi-step attacks and to warn the administrator when such a complex and meaningful attack occurs.…”

Section: Introductionmentioning

confidence: 99%

“…Over the past fifteen years, works [1] have followed an automata based approach to develop correlation engines. More recently, the problem of automated generation of correlation rules has been studied in [2]. However scalability issues raised by the mixing of both objectives have not been addressed.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

A Scalable and Efficient Correlation Engine to Detect Multi-Step Attacks in Distributed Systems

Lanoë

Hurfin

Totel

2018

2018 IEEE 37th Symposium on Reliable Distributed Systems (SRDS)

Self Cite

View full text Add to dashboard Cite

In distributed systems and in particular in industrial SCADA environments, alert correlation systems are necessary to identify complex multi-step attacks within the huge amount of alerts and events. In this paper we describe an automatabased correlation engine developed in the context of a European project where the main stakeholder was an energy distribution company. The behavior of the engine is extended to fit new requirements. In the proposed solution, a fully automated process generates thousands of correlation rules. Despite this major scalability challenge, the designed correlation engine exhibits good performances. Expected rates of incoming low level alerts approaching several hundreds of elements per second are tolerated. Moreover, the used data structures allow to quickly handle dynamic changes of the set of correlation rules. As some attack steps are not observed, the correlation engine can be tuned to raise an alert when all the attack steps except k of them have been detected. To be able to react to an ongoing attack by taking countermeasures, alerts must also be raised as soon as a significant prefix of an attack scenario is recognized. Fulfilling these additional requirements leads to increase the memory consumption. Therefore purge mechanisms are also proposed and analyzed. An evaluation of the tool is conducted in the context of a SCADA environment.

show abstract