Abstract

Network monitoring systems struggle to detect the full sequence of actions in a multi-step cyber attack: they typically raise several alerts per attack, some of them false positives (FPs), while missing other actions entirely. Easing the analyst's job by raising a single, accurate alert per attack requires developing and evaluating advanced event correlation techniques and models able to infer relationships between the observed events and alerts.

This work introduces a flexible architecture for the hierarchical and iterative correlation of alerts and events. Its key feature is the sequential application of correlation operations, each targeting a specific episode or aspect of an attack. The architecture takes alerts from IDSs or similar cybersecurity sensors and stores both events and alerts in a non-relational database. Knowledge-creation modules then query the stored items to generate meta-alerts, which are written back to the same database, so that more refined knowledge can be built on top of existing knowledge simply by adding specialized modules. As a case study, we use this architecture to explore the feasibility of monitoring the progress of attacks of increasing complexity by raising the level of the hyperalerts defined, including a multi-step attack that follows the ATT&CK model. Although mapping observations to model components (i.e., techniques and tactics) is challenging, we were able to fully monitor the progress of two attacks, and 5 out of 6 steps of the most complex one, by building up to three specialized modules. Despite some limitations due to the sensors and attack scenarios tested, the results indicate the architecture's potential for enhancing the detection of complex cyber attacks and point to a promising direction for future cybersecurity research.
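The shape of the pipeline the abstract describes (sensor alerts and derived meta-alerts in one store, each module reading one level and writing the next, a top-level hyperalert tracking progress along an ATT&CK tactic sequence) can be made concrete with a small in-memory simulation. The code below is an added illustration written for this page; it is not the authors' implementation. The alert fields, the three modules (recon, brute force, attack progress), the tactic order in `ATTACK_STEPS`, the thresholds and the sample IP addresses are all assumptions constructed for the demo, and the flat Python list stands in for the non-relational database.

```python
"""Illustrative multilevel alert correlation pipeline (added example, not the paper's code)."""
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Alert:
    level: int                  # 0 = sensor alert, 1 = meta-alert, 2 = hyperalert
    kind: str                   # signature name (level 0) or meta-alert type (level 1+)
    src: str
    dst: str
    t: int                      # seconds since scenario start (constructed timeline)
    tactic: str | None = None   # assumed ATT&CK tactic label, set by the module that emits it
    detail: dict = field(default_factory=dict)
    children: list = field(default_factory=list)   # items this alert was derived from


class Store:
    """Stand-in for the non-relational store: every level lives in one collection."""
    def __init__(self):
        self.items: list[Alert] = []

    def put(self, alert: Alert) -> Alert:
        self.items.append(alert)
        return alert

    def query(self, level: int, kind: str | None = None) -> list[Alert]:
        return sorted((a for a in self.items
                       if a.level == level and (kind is None or a.kind == kind)),
                      key=lambda a: a.t)


def module_recon(store: Store, min_ports: int = 10) -> list[Alert]:
    """Level 0 -> 1: many distinct destination ports from one source = a scan."""
    groups = defaultdict(list)
    for a in store.query(0, "portscan_probe"):
        groups[(a.src, a.dst)].append(a)
    out = []
    for (src, dst), probes in groups.items():
        ports = {p.detail["port"] for p in probes}
        if len(ports) >= min_ports:
            out.append(store.put(Alert(1, "recon", src, dst, probes[-1].t, tactic="Reconnaissance",
                                       detail={"ports": len(ports)}, children=probes)))
    return out


def module_bruteforce(store: Store, min_fail: int = 5, window: int = 60) -> list[Alert]:
    """Level 0 -> 1: burst of auth failures in a time window, optionally followed by a success.
    A lone failure (a typical FP source) never reaches the threshold and is left at level 0."""
    groups = defaultdict(list)
    for a in store.query(0):
        if a.kind in ("ssh_auth_fail", "ssh_auth_success"):
            groups[(a.src, a.dst)].append(a)
    out = []
    for (src, dst), evs in groups.items():
        fails = [e for e in evs if e.kind == "ssh_auth_fail"]
        burst = next((fails[i:i + min_fail] for i in range(len(fails) - min_fail + 1)
                      if fails[i + min_fail - 1].t - fails[i].t <= window), None)
        if burst is None:
            continue
        out.append(store.put(Alert(1, "bruteforce", src, dst, burst[-1].t,
                                   tactic="Credential Access", children=burst)))
        success = [e for e in evs if e.kind == "ssh_auth_success" and e.t > burst[-1].t]
        if success:
            out.append(store.put(Alert(1, "login_after_bruteforce", src, dst, success[0].t,
                                       tactic="Initial Access", children=success[:1])))
    return out


# Assumed tactic order for the demo's multi-step attack; not taken from the paper.
ATTACK_STEPS = ["Reconnaissance", "Credential Access", "Initial Access",
                "Execution", "Persistence", "Exfiltration"]


def module_progress(store: Store) -> list[Alert]:
    """Level 1 -> 2: one hyperalert per (src, dst) pair recording how many of
    ATTACK_STEPS the time-ordered meta-alerts have covered so far."""
    groups = defaultdict(list)
    for m in store.query(1):
        groups[(m.src, m.dst)].append(m)
    out = []
    for (src, dst), metas in groups.items():
        step, matched = 0, []
        for m in metas:                      # query() already returns them time-ordered
            if step < len(ATTACK_STEPS) and m.tactic == ATTACK_STEPS[step]:
                matched.append(m)
                step += 1
        if step:
            out.append(store.put(Alert(2, "attack_progress", src, dst, matched[-1].t,
                                       detail={"steps": step, "of": len(ATTACK_STEPS)},
                                       children=matched)))
    return out


def build_scenario() -> Store:
    """Constructed sensor alerts: 10.0.0.5 scans, brute-forces and logs into 10.0.1.20;
    an unrelated host 10.0.0.9 produces one stray auth failure that should not correlate."""
    s = Store()
    for i in range(12):
        s.put(Alert(0, "portscan_probe", "10.0.0.5", "10.0.1.20", i, detail={"port": 20 + i}))
    for i in range(6):
        s.put(Alert(0, "ssh_auth_fail", "10.0.0.5", "10.0.1.20", 100 + 5 * i))
    s.put(Alert(0, "ssh_auth_success", "10.0.0.5", "10.0.1.20", 140))
    s.put(Alert(0, "ssh_auth_fail", "10.0.0.9", "10.0.1.20", 115))
    return s


def run_pipeline(store: Store) -> list[Alert]:
    """Run the modules in level order; each reads the previous level back from the store."""
    module_recon(store)
    module_bruteforce(store)
    return module_progress(store)


if __name__ == "__main__":
    for h in run_pipeline(build_scenario()):
        print(h.src, "->", h.dst, f"{h.detail['steps']}/{h.detail['of']} steps",
              [c.kind for c in h.children])
```

Each module is independent of the others except through the store, which is what lets a new level be added later without touching the lower-level modules. Because the progress module requires tactics in the assumed order, a meta-alert that appears out of sequence (for instance an "Initial Access" without a preceding "Credential Access") is not counted, which is one simple way to keep unrelated meta-alerts from inflating the reported progress.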

Details

Title
A Flexible Multilevel System for Mitre ATT&CK Model-driven Alerts and Events Correlation in Cyberattacks Detection
Author
Muñoz-Calle, Javier; Rafael Estepa Alonso; Antonio Estepa Alonso; Díaz-Verdejo, Jesús E.; Elvira Castillo Fernández; Madinabeitia, Germán
Pages
1184-1204
Section
Research Article
Publication year
2024
Publication date
2024
Publisher
Pensoft Publishers
ISSN
0948695X
e-ISSN
09486968
Source type
Scholarly Journal
Language of publication
English
ProQuest document ID
3106682761
Copyright
© 2024. This work is licensed under https://creativecommons.org/licenses/by-nd/4.0/ (the “License”). Notwithstanding the ProQuest Terms and conditions, you may use this content in accordance with the terms of the License.