
Automatic generation of correlation rules to detect complex attack scenarios

Erwan Godefroy, Eric Totel, Michel Hurfin, Frederic Majorczyk
2014 2014 10th International Conference on Information Assurance and Security  
In large distributed information systems, alert correlation systems are necessary to handle the huge amount of elementary security alerts and to identify complex multistep attacks within the flow of low  ...  Consequently, the generated correlation rules are tightly linked to the characteristics of the monitored information system.  ...  This paper focuses on the transformation process that translates the description of a complex attack scenario into correlation rules.  ... 
doi:10.1109/isias.2014.7064615 dblp:conf/IEEEias/GodefroyTHM14 fatcat:uh54zcdfrzdvnh7syhrq7mc5pa

Toward a novel rule-based attack description and response language

Samih Souissi
2015 2015 11th International Conference on Information Assurance and Security (IAS)  
The originality of our approach is that rules' syntax can be deduced from a certain behavior or automatically generated from a valid behavioral scenario.  ...  The objective is to simplify complex rules' expression, thanks to a modular and intuitive syntax that gives a high power of expression.  ...  In fact, detection languages should be complex enough to adapt to complexity of attacks.  ... 
doi:10.1109/isias.2015.7492743 dblp:conf/IEEEias/Souissi15 fatcat:whohk6nfyndyrdh2fhzhrbmrpm

A Review of Intrusion Alerts Correlation Frameworks

Joseph Mbugua Chahira, Jane Kinanu Kiruki, Peter Kiprono Kemei
2016 International Journal of Computer Applications Technology and Research  
Thus alert and event correlation is required to preprocess, analyze and correlate the alerts produced by one or more network intrusion detection systems and events generated from different systems and  ...  They generate a huge amount of low-quality alerts in different formats when an attack has already taken place.  ...  Automatic attack scenario discovering based on a new alert correlation method (Ebrahimi et al., 2012) introduced a method to automatically extract multi-step attack scenarios.  ... 
doi:10.7753/ijcatr0504.1009 fatcat:rwtm3hy6urerbhlvl4kox7jfg4

A Novel Security Architecture Based on Multi-level Rule Expression Language [chapter]

Samih Souissi, Layth Sliman, Benoit Charroux
2015 Advances in Intelligent Systems and Computing  
This paper introduces an attack detection and response system based on a multi-level rule expression language.  ...  Our approach helps simplify complex rules' expression and alert handling, thanks to a modular architecture and intuitive rules along with a powerful expression language.  ...  Contribution The challenge is how to guarantee good detection of attacks while providing architecture modularity and rule writing simplicity, in order to be able to detect complex attacks and respond automatically  ... 
doi:10.1007/978-3-319-27221-4_22 fatcat:cbdmnwtgibh7feb5ueb3itooqi

Toward a novel classification-based attack detection and response architecture

Samih Souissi
2015 2015 6th International Conference on the Network of the Future (NOF)  
Our approach helps simplify complex rules' expression and alert handling, thanks to a modular architecture and intuitive rule definition with a highly expressive language.  ...  This paper introduces a classification-based Attack Detection system which provides a framework to evaluate, identify, classify and defend against sophisticated attacks.  ...  PROPOSAL The challenge is to guarantee good detection of attacks while providing modularity and rule writing simplicity to detect complex attacks and respond automatically according to a user defined  ... 
doi:10.1109/nof.2015.7333305 dblp:conf/nof/Souissi15 fatcat:3vlkydxvxzh77gmqyxpm3b5nea

Systematic Literature Review of Security Event Correlation Methods

Igor Kotenko, Diana Gaifulina, Igor Zelichenok
2022 IEEE Access  
Security event correlation approaches are necessary to detect and predict incremental threats such as multi-step or targeted attacks (advanced persistent threats) and other causal sequences of abnormal  ...  The results of the analysis include the main directions of research in the field of event correlation and the methods used for correlating both single events and their sequences in attack scenarios.  ...  [28] , [29] introduce an automatic fuzzy logic rule generator to block highly correlated alerts.  ... 
doi:10.1109/access.2022.3168976 fatcat:uk3h6prqh5d73m6vrximkk2lty

Providing SIEM systems with self-adaptation

Guillermo Suarez-Tangil, Esther Palomar, Arturo Ribagorda, Ivan Sanz
2015 Information Fusion  
In particular, our enhanced correlation engine automatically learns and produces correlation rules based on the context for different types of multi-step attacks using genetic programming.  ...  In this regard, a number of artificial neural networks are trained to classify events according to the corresponding context established for the attack.  ...  several complex-to-detect attacks using Metasploit penetration toolkit.  ... 
doi:10.1016/j.inffus.2013.04.009 fatcat:pg5lmkcoc5fkzhatdc3iluynjm

A Scalable and Efficient Correlation Engine to Detect Multi-Step Attacks in Distributed Systems

David Lanoe, Michel Hurfin, Eric Totel
2018 2018 IEEE 37th Symposium on Reliable Distributed Systems (SRDS)  
The behavior of the engine is extended to fit new requirements. In the proposed solution, a fully automated process generates thousands of correlation rules.  ...  As some attack steps are not observed, the correlation engine can be tuned to raise an alert when all the attack steps except k of them have been detected.  ...  generated correlation rules; • to predict incoming multi-step attacks; • to detect attack scenarios with some missing steps; • to scale to handle hundreds of alerts per second while supporting thousands  ... 
doi:10.1109/srds.2018.00014 dblp:conf/srds/LanoeHT18 fatcat:lmqxieldx5cxvdp4ur3njmrxai

Developing Apt Attacks Detection System Based on Correlation Analysis Methods

Currently, the APT attack is tremendously difficult to deal with because of its unique design for each target, which makes prior experiences and rules less accurate in detecting APT attacks.  ...  It consists of various complex and devious techniques in order to be able to obtain a highly secured trade secret, sensitive information.  ...  Rule Generator: This is a technique for automatically generating rules from signatures.  ... 
doi:10.35940/ijitee.e2318.039520 fatcat:2zkxo3swwbgm5m6iqzl65seyy4

Towards Predictive Real-time Multi-sensors Intrusion Alert Correlation Framework

Maheyzah Md Siraj, Hashim Hussein Taha Albasheer, Mazura Mat Din
2015 Indian Journal of Science and Technology  
They generate a high volume of low-quality intrusion alerts when attack scenarios have taken place. Worse, NIDSs cannot extract or even predict the sequence of attack scenarios.  ...  It is worth mentioning that, to complement NIDSs in detecting incoming attacks, intrusion alert prediction is an exploratory area for future research aimed at improving the quality of correlation  ...  AC is a complex multi-stage transformation process and most existing frameworks suffer from: complex correlation rule definition 5 that limits the capabilities of detecting new attack scenarios due  ... 
doi:10.17485/ijst/2015/v8i12/70658 fatcat:4vntq6aelfaxxjcyi224npznuq

MARS: Multi-stage Attack Recognition System

Faeiz Alserhani, Monis Akhlaq, Irfan U. Awan, Andrea J. Cullen, Pravin Mirchandani
2010 2010 24th IEEE International Conference on Advanced Information Networking and Applications  
Thousands of signatures and rules are created to specify different attacks and variations of a single attack.  ...  Alert correlation techniques have been widely used to provide intelligent and stateful detection methodologies, in order to understand attack steps and predict the expected sequence of events.  ...  falsely detected scenarios: 7; undetected scenarios: 2; multistage attack detection rate: 92%  ... 
doi:10.1109/aina.2010.57 dblp:conf/aina/AlserhaniAACM10 fatcat:bn4ktakv5jflzcvxzz552oiqcy

A Combined Approach to DoS Attack Detection System

Archana Salaskar, R.N. Phursule
2015 International Journal of Computer Applications  
To generate geometrical triangular area measurements for normal profiles on the basis of these features, the multivariate correlation analysis (MCA) model is used.  ...  The proposed behaviour-based rule model is integrated with MCA and anomaly detection as a hybrid model to enhance the accuracy of DoS attack detection.  ...  certain scenarios have to be described complicated correlations between communications.  ... 
doi:10.5120/ijca2015905684 fatcat:kzcri3pbvbbknns63xnoiqp3ee

Dynamic security management driven by situations: An exploratory analysis of logs for the identification of security situations

Abdelmalek Benzekri, Romain Laborde, Arnaud Oglaza, Darine Rammal, Francois Barrere
2019 2019 3rd Cyber Security in Networking Conference (CSNet)  
Detecting these complex attacks (a.k.a.  ...  This approach generates massive data that have to be analysed at the right time in order to detect any accidental or caused incident.  ...  Such complex attacks require correlating all the security events generated by each IDS in order to be detected.  ... 
doi:10.1109/csnet47905.2019.9108976 dblp:conf/csnet/BenzekriLORB19 fatcat:urvlmbkcajby5axgm3sfbvvcea

CLAP: A Cross-Layer Analytic Platform for the Correlation of Cyber and Physical Security Events Affecting Water Critical Infrastructures

Gustavo Gonzalez-Granadillo, Rodrigo Diaz, Juan Caubet, Ignasi Garcia-Milà
2021 Journal of Cybersecurity and Privacy  
CLAP aims to improve the detection of complex attack scenarios in real time based on the correlation of cyber and physical security events.  ...  Results show promising benefits in the improvement of response accuracy, false rates reduction and real-time detection of complex attacks based on cross-correlation rules.  ...  Acknowledgments: A special thanks to the Mekorot team for their collaboration and insights in the testing and validation of the tools composing the proposed platform.  ... 
doi:10.3390/jcp1020020 fatcat:6mc3qeivfzdrbmvfidgc5zpvam

Extracting Attack Scenarios Using Intrusion Semantics [chapter]

Sherif Saad, Issa Traore
2013 Lecture Notes in Computer Science  
Our approach can reconstruct known and unknown attack scenarios and correlate alerts generated in a multi-sensor IDS environment.  ...  Existing attack scenario reconstruction approaches, however, suffer from several limitations that weaken the elicitation of the attack scenarios and decrease the quality of the generated attack scenarios  ...  One of these limitations is the inability of the techniques to reconstruct complex or sophisticated multi-step attack scenarios.  ... 
doi:10.1007/978-3-642-37119-6_18 fatcat:mebgnxfq55acvjz5w37svs74je