Automatic Generation of Correlation Rules to Detect Complex Attack Scenarios

International audienceCurrent SIEM (Security Information and Event Management) provide very simple alert correlation languages that express at best the recognition of a sequence of alerts. That’s why our team developed a correlation tool called GnG that describes the attacks in ADeLe (Attack Description Language). This language provides an efficient way to describe complex multi-steps attack scenarios. However, the experience proved that writing such correlation rules is very difficult. It requires a high level of knowledge of the attack and the supervision mech- anisms deployed in the system. In this paper, we show that, starting from an enriched attack tree that describes the attack, an automated process can generate exhaustive correlation rules which could be tedious and error prone to produce by hand. While the initial attack tree is an informal high level descrip- tion, the transformation relies on a specific description of the execution environment (topology, services and sensor compos- ing the system). Those elements make it possible to produce correlation rules tightly linked to the characteristics of the tar- get system (e.g., the possible targets of each step of an attack, the deployed intrusion detection systems and sensors). A proof of concept implements the proposed transformations and can generate usable correlation rules