A Flexible Multilevel System for Mitre ATT&CK Model-driven Alerts and Events Correlation in Cyberattacks Detection
Metadata
Author
Muñoz-Calle, Javier; Estepa Alonso, Rafael; Estepa Alonso, Antonio; Díaz Verdejo, Jesús Esteban; Castillo Fernández, Elvira; Madinabeitia, Germán
Publisher
Graz University of Technology
Subject
network security monitoring Intrusion Detection Systems cyberattacks models
Date
2024-09-14
Bibliographic reference
Muñoz Calle, J. et al. J.UCS, vol. 30, no. 9 (2024), 1184-1204. [https://doi.org/10.3897/jucs.131686]
Sponsor
Spanish MICIN/AEI/10.13039/501100011033 under Project PID2020-115199RB-I00
Abstract
Network monitoring systems can struggle to detect the full sequence of actions in a
multi-step cyber attack, frequently resulting in multiple alerts (some of which are false positives
(FP)) and missed actions. The challenge of easing the job of security analysts by triggering a
single and accurate alert per attack requires developing and evaluating advanced event correlation
techniques and models that have the potential to devise relationships between the different observed
events/alerts.
This work introduces a flexible architecture designed for hierarchical and iterative correlation of
alerts and events. Its key feature is the sequential correlation of operations targeting specific attack
episodes or aspects. This architecture utilizes IDS alerts or similar cybersecurity sensors, storing
events and alerts in a non-relational database. Modules designed for knowledge creation then query
these stored items to generate meta-alerts, also stored in the database. This approach facilitates
creating more refined knowledge that can be built on top of existing knowledge by creating specialized
modules. For illustrative purposes, we present a case study where we use this architectural approach
to explore the feasibility of monitoring the progress of attacks of increased complexity by increasing
the levels of the hyperalerts defined, including a case of a multi-step attack that adheres to the
ATT&CK model. Although the mapping between the observations and the model components
(i.e., techniques and tactics) is challenging, we could fully monitor the progress of two attacks
and up to 5 out of 6 steps of the most complex attack by building up to three specialized modules.
Despite some limitations due to the sensors and attack scenarios tested, the results indicate the architecture’s potential for enhancing the detection of complex cyber attacks, offering a promising
direction for future cybersecurity research.