A Flexible Multilevel System for Mitre ATT&CK Model-driven Alerts and Events Correlation in Cyberattacks Detection
This article is part of: JUCS - Journal of Universal Computer Science 30(9): Fighting Cybersecurity Risks from a Multidisciplinary Perspective
| Autores: | , , , , , |
|---|---|
| Tipo de recurso: | artículo |
| Estado: | Versión publicada |
| Fecha de publicación: | 2024 |
| País: | España |
| Institución: | Universidad de Sevilla (US) |
| Repositorio: | idUS. Depósito de Investigación de la Universidad de Sevilla |
| OAI Identifier: | oai:idus.us.es:11441/168067 |
| Acceso en línea: | https://hdl.handle.net/11441/168067 https://doi.org/10.3897/jucs.131686 |
| Access Level: | acceso abierto |
| Palabra clave: | Network security monitoring Intrusion Detection Systems Cyberattacks models Alert correlation Mitre ATT&CK attack models |
| id |
ES_7aa065b1a70c8ad5f45fe22eb90607e2 |
|---|---|
| oai_identifier_str |
oai:idus.us.es:11441/168067 |
| network_acronym_str |
ES |
| network_name_str |
España |
| repository_id_str |
|
| spelling |
A Flexible Multilevel System for Mitre ATT&CK Model-driven Alerts and Events Correlation in Cyberattacks DetectionMuñoz Calle, Francisco JavierEstepa Alonso, Rafael MaríaEstepa Alonso, Antonio JoséDíaz Verdejo, JesúsCastillo Fernández, ElviraMadinabeitia Luque, GermánNetwork security monitoringIntrusion Detection SystemsCyberattacks modelsAlert correlationMitre ATT&CK attack modelsThis article is part of: JUCS - Journal of Universal Computer Science 30(9): Fighting Cybersecurity Risks from a Multidisciplinary PerspectiveNetwork monitoring systems can struggle to detect the full sequence of actions in a multi-step cyber attack, frequently resulting in multiple alerts (some of which are false positive (FP)) and missed actions. The challenge of easing the job of security analysts by triggering a single and accurate alert per attack requires developing and evaluating advanced event correlation techniques and models that have the potential to devise relationships between the different observed events/alerts. This work introduces a flexible architecture designed for hierarchical and iterative correlation of alerts and events. Its key feature is the sequential correlation of operations targeting specific attack episodes or aspects. This architecture utilizes IDS alerts or similar cybersecurity sensors, storing events and alerts in a non-relational database. Modules designed for knowledge creation then query these stored items to generate meta-alerts, also stored in the database. This approach facilitates creating a more refined knowledge that can be built on top of existing one by creating specialized modules. For illustrative purposes, we make a case study where we use this architectural approach to explore the feasibility of monitoring the progress of attacks of increased complexity by increasing the levels of the hyperalerts defined, including a case of a multi-step attack that adheres to the ATT&CK model. Although the mapping between the observations and the model components (i.e., techniques and tactics) is challenging, we could fully monitor the progress of two attacks and up to 5 out of 6 steps of the most complex attack by building up to three specialized modules. Despite some limitations due to the sensors and attack scenarios tested, the results indicate the architecture’s potential for enhancing the detection of complex cyber attacks, offering a promising direction for future cybersecurity research.Journal of Universal Computer ScienceIngeniería TelemáticaTIC154: Departamento de Ingeniería TelemáticaMinisterio de Ciencia e Innovación (MICIN). EspañaAgencia Estatal de Investigación. España2024info:eu-repo/semantics/articleinfo:eu-repo/semantics/publishedVersionapplication/pdfapplication/pdfhttps://hdl.handle.net/11441/168067https://doi.org/10.3897/jucs.131686reponame:idUS. Depósito de Investigación de la Universidad de Sevillainstname:Universidad de Sevilla (US)InglésJUCS - Journal of Universal Computer Science, 30 (9), 1184-1204.PID2020- 115199RB-I00https://lib.jucs.org/article/131686/info:eu-repo/semantics/openAccessoai:idus.us.es:11441/1680672026-06-17T12:51:07Z |
| dc.title.none.fl_str_mv |
A Flexible Multilevel System for Mitre ATT&CK Model-driven Alerts and Events Correlation in Cyberattacks Detection |
| title |
A Flexible Multilevel System for Mitre ATT&CK Model-driven Alerts and Events Correlation in Cyberattacks Detection |
| spellingShingle |
A Flexible Multilevel System for Mitre ATT&CK Model-driven Alerts and Events Correlation in Cyberattacks Detection Muñoz Calle, Francisco Javier Network security monitoring Intrusion Detection Systems Cyberattacks models Alert correlation Mitre ATT&CK attack models |
| title_short |
A Flexible Multilevel System for Mitre ATT&CK Model-driven Alerts and Events Correlation in Cyberattacks Detection |
| title_full |
A Flexible Multilevel System for Mitre ATT&CK Model-driven Alerts and Events Correlation in Cyberattacks Detection |
| title_fullStr |
A Flexible Multilevel System for Mitre ATT&CK Model-driven Alerts and Events Correlation in Cyberattacks Detection |
| title_full_unstemmed |
A Flexible Multilevel System for Mitre ATT&CK Model-driven Alerts and Events Correlation in Cyberattacks Detection |
| title_sort |
A Flexible Multilevel System for Mitre ATT&CK Model-driven Alerts and Events Correlation in Cyberattacks Detection |
| dc.creator.none.fl_str_mv |
Muñoz Calle, Francisco Javier Estepa Alonso, Rafael María Estepa Alonso, Antonio José Díaz Verdejo, Jesús Castillo Fernández, Elvira Madinabeitia Luque, Germán |
| author |
Muñoz Calle, Francisco Javier |
| author_facet |
Muñoz Calle, Francisco Javier Estepa Alonso, Rafael María Estepa Alonso, Antonio José Díaz Verdejo, Jesús Castillo Fernández, Elvira Madinabeitia Luque, Germán |
| author_role |
author |
| author2 |
Estepa Alonso, Rafael María Estepa Alonso, Antonio José Díaz Verdejo, Jesús Castillo Fernández, Elvira Madinabeitia Luque, Germán |
| author2_role |
author author author author author |
| dc.contributor.none.fl_str_mv |
Ingeniería Telemática TIC154: Departamento de Ingeniería Telemática Ministerio de Ciencia e Innovación (MICIN). España Agencia Estatal de Investigación. España |
| dc.subject.none.fl_str_mv |
Network security monitoring Intrusion Detection Systems Cyberattacks models Alert correlation Mitre ATT&CK attack models |
| topic |
Network security monitoring Intrusion Detection Systems Cyberattacks models Alert correlation Mitre ATT&CK attack models |
| description |
This article is part of: JUCS - Journal of Universal Computer Science 30(9): Fighting Cybersecurity Risks from a Multidisciplinary Perspective |
| publishDate |
2024 |
| dc.date.none.fl_str_mv |
2024 |
| dc.type.none.fl_str_mv |
info:eu-repo/semantics/article info:eu-repo/semantics/publishedVersion |
| format |
article |
| status_str |
publishedVersion |
| dc.identifier.none.fl_str_mv |
https://hdl.handle.net/11441/168067 https://doi.org/10.3897/jucs.131686 |
| url |
https://hdl.handle.net/11441/168067 https://doi.org/10.3897/jucs.131686 |
| dc.language.none.fl_str_mv |
Inglés |
| language_invalid_str_mv |
Inglés |
| dc.relation.none.fl_str_mv |
JUCS - Journal of Universal Computer Science, 30 (9), 1184-1204. PID2020- 115199RB-I00 https://lib.jucs.org/article/131686/ |
| dc.rights.none.fl_str_mv |
info:eu-repo/semantics/openAccess |
| eu_rights_str_mv |
openAccess |
| dc.format.none.fl_str_mv |
application/pdf application/pdf |
| dc.publisher.none.fl_str_mv |
Journal of Universal Computer Science |
| publisher.none.fl_str_mv |
Journal of Universal Computer Science |
| dc.source.none.fl_str_mv |
reponame:idUS. Depósito de Investigación de la Universidad de Sevilla instname:Universidad de Sevilla (US) |
| instname_str |
Universidad de Sevilla (US) |
| reponame_str |
idUS. Depósito de Investigación de la Universidad de Sevilla |
| collection |
idUS. Depósito de Investigación de la Universidad de Sevilla |
| repository.name.fl_str_mv |
|
| repository.mail.fl_str_mv |
|
| _version_ |
1869411452903751680 |
| score |
15,811543 |