Cross-domain Alert Correlation methodology for Industrial Control Systems

International audienceIn this paper we develop an alert correlation framework specifically tailored for Industrial Control Systems (ICSs). Alert correlation is a set of techniques used to process alerts raised by various intrusion detection systems in order to a eliminate redundant alerts, reduce the number of false alerts, and reconstruct attack scenarios. In ICSs the presence of a physical process and the associated specific threats has led to the heterogeneity of alerts due to the development of multi-domain detection techniques. Such that, some detection approaches rely solely on observations at the level of the cyber domain while other approaches will monitor the physical process. The two approaches are complementary but the information carried by the two types of alerts are different. In this work, we combine the alerts from physical domain intrusion detection with more classical cyber-domain intrusion detection alerts. We develop an alert correlation approach using an alert enrichment that allows mapping physical domain alerts into the cyber domain. We also propose a specific alert selection for correlation that adapts to the state of the physical process by dynamically adjusting the size of the selected alert window. We publicly released all the datasets generated and used in our results