DOI: 10.1145/3590777.3590778 (research article, EICC conference proceedings)

Multistep Cyberattacks Detection using a Flexible Multilevel System for Alerts and Events Correlation

Published: 14 June 2023

Abstract

Current network monitoring systems tend to generate several alerts per attack, especially in multistep attacks. However, Cybersecurity Officers (CSO) would rather receive a single alert summarizing the entire incident. Triggering a single alert per attack is a challenge that requires developing and evaluating advanced event correlation techniques and models to determine the relationships between the different observed events/alerts.
In this work, we propose a flexible architecture oriented toward the correlation and aggregation of events and alerts in a multilevel iterative approach. In our scheme, sensors generate events and alerts that are stored in a non-relational database queried by modules that create knowledge structured as meta-alerts that are also stored in the database. These meta-alerts (also called hyperalerts) are, in turn, used iteratively to create new knowledge. This iterative approach can be used to aggregate information at multiple levels or steps in complex attack models. Our architecture also allows the incorporation of additional sensors and the evaluation of various correlation techniques and multistage attack models. The capabilities of the system are assessed through three case studies.
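The abstract describes a loop in which sensors write events and alerts into a non-relational store, correlation modules read that store and write meta-alerts (hyperalerts) back into it, and the same loop is applied again to the meta-alerts so that knowledge is built up level by level. The Python below is an added illustration written for this page, not the authors' system or code; it assumes a simplified document schema (`ts`, `src`, `dst`, `sig`, `level`), an in-memory list standing in for the database, a constructed two-stage attack model (`portscan` followed by `exploit_attempt`), a constructed 120-second aggregation window, and constructed sample alerts using RFC 5737 documentation addresses. The module names (`aggregate_repeats`, `chain_stages`) and the `consumed` flag that keeps a higher-level meta-alert from re-correlating the same evidence are assumptions of this example.

```python
from collections import defaultdict
from itertools import count

# Constructed for this example: a two-stage attack model and an aggregation window.
ATTACK_MODEL = ["portscan", "exploit_attempt"]
WINDOW = 120  # seconds

# Constructed level-0 sensor alerts (RFC 5737 documentation addresses).
SAMPLE_ALERTS = [
    {"ts": 0,   "src": "192.0.2.10",  "dst": "198.51.100.5", "sig": "portscan",        "level": 0},
    {"ts": 2,   "src": "192.0.2.10",  "dst": "198.51.100.5", "sig": "portscan",        "level": 0},
    {"ts": 4,   "src": "192.0.2.10",  "dst": "198.51.100.5", "sig": "portscan",        "level": 0},
    {"ts": 60,  "src": "192.0.2.10",  "dst": "198.51.100.5", "sig": "exploit_attempt", "level": 0},
    {"ts": 65,  "src": "192.0.2.10",  "dst": "198.51.100.5", "sig": "exploit_attempt", "level": 0},
    {"ts": 300, "src": "203.0.113.7", "dst": "198.51.100.9", "sig": "portscan",        "level": 0},
]


class AlertStore:
    """Stand-in for the non-relational database: a flat list of documents."""

    def __init__(self):
        self.docs = []
        self._ids = count(1)

    def insert(self, doc):
        doc["id"] = next(self._ids)
        doc.setdefault("consumed", False)
        self.docs.append(doc)
        return doc["id"]

    def query(self, level):
        """Documents at `level` that no higher-level meta-alert has absorbed yet."""
        return [d for d in self.docs if d["level"] == level and not d["consumed"]]


def emit_meta(store, level, sig, members):
    """Write one meta-alert summarising `members` and mark them consumed."""
    for m in members:
        m["consumed"] = True
    return store.insert({
        "level": level, "sig": sig,
        "src": members[0]["src"], "dst": members[0]["dst"],
        "ts": members[0]["ts"],
        "last_ts": members[-1].get("last_ts", members[-1]["ts"]),
        "count": sum(m.get("count", 1) for m in members),   # alerts folded in
        "children": [m["id"] for m in members],              # evidence trail
    })


def aggregate_repeats(store):
    """Level 0 -> 1: fold repeated alerts with the same (src, dst, sig) that fall
    inside WINDOW into one meta-alert. Returns how many meta-alerts were written."""
    groups = defaultdict(list)
    for a in store.query(0):
        groups[(a["src"], a["dst"], a["sig"])].append(a)
    produced = 0
    for (_, _, sig), alerts in groups.items():
        alerts.sort(key=lambda a: a["ts"])
        batch = []
        for a in alerts:
            if batch and a["ts"] - batch[0]["ts"] > WINDOW:
                emit_meta(store, 1, sig, batch)
                produced += 1
                batch = []
            batch.append(a)
        emit_meta(store, 1, sig, batch)
        produced += 1
    return produced


def chain_stages(store):
    """Level 1 -> 2: when the same src->dst pair shows the stages of ATTACK_MODEL
    in chronological order, raise a single multistep alert covering them."""
    by_pair = defaultdict(list)
    for m in store.query(1):
        by_pair[(m["src"], m["dst"])].append(m)
    produced = 0
    for metas in by_pair.values():
        metas.sort(key=lambda m: m["ts"])
        matched = []
        for m in metas:
            if len(matched) < len(ATTACK_MODEL) and m["sig"] == ATTACK_MODEL[len(matched)]:
                matched.append(m)
        if len(matched) == len(ATTACK_MODEL):
            emit_meta(store, 2, "multistep:" + "->".join(ATTACK_MODEL), matched)
            produced += 1
    return produced


def correlate(alerts, modules=(aggregate_repeats, chain_stages)):
    """Load sensor alerts, then run the modules repeatedly until a full pass
    writes nothing new: each level's output is the next level's input."""
    store = AlertStore()
    for a in alerts:
        store.insert(dict(a))
    while sum(module(store) for module in modules):
        pass
    return store


def top_level_alerts(store):
    """What the operator would see: documents not absorbed by a higher level."""
    return [d for d in store.docs if not d["consumed"]]
```

Running `top_level_alerts(correlate(SAMPLE_ALERTS))` on the constructed input yields two documents instead of six: a level-1 meta-alert for the lone scan from 203.0.113.7, and one level-2 multistep alert whose `children` point at the two level-1 meta-alerts (three folded scans, then two folded exploit attempts) for the 192.0.2.10 to 198.51.100.5 pair. Adding another sensor means inserting more level-0 documents; trying another attack model or correlation technique means adding a module to `modules`, which is the flexibility the abstract claims for the architecture.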


      Published In

      EICC '23: Proceedings of the 2023 European Interdisciplinary Cybersecurity Conference
      June 2023
      205 pages
      ISBN:9781450398299
      DOI:10.1145/3590777
      Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

      Publisher

      Association for Computing Machinery

      New York, NY, United States


      Author Tags

      1. Intrusion Detection Systems
      2. alert correlation
      3. attack models
      4. cyberattacks models
      5. network security monitoring

      Qualifiers

      • Research-article
      • Research
      • Refereed limited

      Funding Sources

      • FEDER / Junta de Andalucía - Consejería de Transformación Económica, Industria, Conocimiento y Universidades
      • MICIN/AEI/10.13039/501100011033

      Conference

      EICC 2023


      Article Metrics

      • Total citations: 0
      • Total downloads: 88 (24 in the last 12 months, 4 in the last 6 weeks)
      Reflects downloads up to 25 Feb 2025
