Elvira Castillo-Fernández, J. Díaz-Verdejo, Rafael Estepa Alonso, Antonio Estepa Alonso, Javier Muñoz Calle, Germán Mabinabeitia
{"title":"基于警报和事件关联的灵活多级系统的多步网络攻击检测","authors":"Elvira Castillo-Fernández, J. Díaz-Verdejo, Rafael Estepa Alonso, Antonio Estepa Alonso, Javier Muñoz Calle, Germán Mabinabeitia","doi":"10.1145/3590777.3590778","DOIUrl":null,"url":null,"abstract":"Current network monitoring systems tend to generate several alerts per attack, especially in multistep attacks. However, Cybersecurity Officers (CSO) would rather receive a single alert summarizing the entire incident. Triggering a single alert per attack is a challenge that requires developing and evaluating advanced event correlation techniques and models to determine the relationships between the different observed events/alerts. In this work, we propose a flexible architecture oriented toward the correlation and aggregation of events and alerts in a multilevel iterative approach. In our scheme, sensors generate events and alerts that are stored in a non-relational database queried by modules that create knowledge structured as meta-alerts that are also stored in the database. These meta-alerts (also called hyperalerts) are, in turn, used iteratively to create new knowledge. This iterative approach can be used to aggregate information at multiple levels or steps in complex attack models. Our architecture also allows the incorporation of additional sensors and the evaluation of various correlation techniques and multistage attack models. The capabilities of the system are assessed through three case studies.","PeriodicalId":231403,"journal":{"name":"Proceedings of the 2023 European Interdisciplinary Cybersecurity Conference","volume":"9 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2023-06-14","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":"{\"title\":\"Multistep Cyberattacks Detection using a Flexible Multilevel System for Alerts and Events Correlation\",\"authors\":\"Elvira Castillo-Fernández, J. Díaz-Verdejo, Rafael Estepa Alonso, Antonio Estepa Alonso, Javier Muñoz Calle, Germán Mabinabeitia\",\"doi\":\"10.1145/3590777.3590778\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"Current network monitoring systems tend to generate several alerts per attack, especially in multistep attacks. However, Cybersecurity Officers (CSO) would rather receive a single alert summarizing the entire incident. Triggering a single alert per attack is a challenge that requires developing and evaluating advanced event correlation techniques and models to determine the relationships between the different observed events/alerts. In this work, we propose a flexible architecture oriented toward the correlation and aggregation of events and alerts in a multilevel iterative approach. In our scheme, sensors generate events and alerts that are stored in a non-relational database queried by modules that create knowledge structured as meta-alerts that are also stored in the database. These meta-alerts (also called hyperalerts) are, in turn, used iteratively to create new knowledge. This iterative approach can be used to aggregate information at multiple levels or steps in complex attack models. Our architecture also allows the incorporation of additional sensors and the evaluation of various correlation techniques and multistage attack models. The capabilities of the system are assessed through three case studies.\",\"PeriodicalId\":231403,\"journal\":{\"name\":\"Proceedings of the 2023 European Interdisciplinary Cybersecurity Conference\",\"volume\":\"9 1\",\"pages\":\"0\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2023-06-14\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"0\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"Proceedings of the 2023 European Interdisciplinary Cybersecurity Conference\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1145/3590777.3590778\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"Proceedings of the 2023 European Interdisciplinary Cybersecurity Conference","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/3590777.3590778","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Multistep Cyberattacks Detection using a Flexible Multilevel System for Alerts and Events Correlation
Current network monitoring systems tend to generate several alerts per attack, especially in multistep attacks. However, Cybersecurity Officers (CSO) would rather receive a single alert summarizing the entire incident. Triggering a single alert per attack is a challenge that requires developing and evaluating advanced event correlation techniques and models to determine the relationships between the different observed events/alerts. In this work, we propose a flexible architecture oriented toward the correlation and aggregation of events and alerts in a multilevel iterative approach. In our scheme, sensors generate events and alerts that are stored in a non-relational database queried by modules that create knowledge structured as meta-alerts that are also stored in the database. These meta-alerts (also called hyperalerts) are, in turn, used iteratively to create new knowledge. This iterative approach can be used to aggregate information at multiple levels or steps in complex attack models. Our architecture also allows the incorporation of additional sensors and the evaluation of various correlation techniques and multistage attack models. The capabilities of the system are assessed through three case studies.
求助内容:
应助结果提醒方式:
京公网安备 11010802042870号
