A Flexible Multilevel System for Mitre ATT&CK Model-driven Alerts and Events Correlation in Cyberattacks Detection

This article is part of: JUCS - Journal of Universal Computer Science 30(9): Fighting Cybersecurity Risks from a Multidisciplinary Perspective

Detalles Bibliográficos
Autores: Muñoz Calle, Francisco Javier, Estepa Alonso, Rafael María, Estepa Alonso, Antonio José, Díaz Verdejo, Jesús, Castillo Fernández, Elvira, Madinabeitia Luque, Germán
Tipo de recurso: artículo
Estado:Versión publicada
Fecha de publicación:2024
País:España
Institución:Universidad de Sevilla (US)
Repositorio:idUS. Depósito de Investigación de la Universidad de Sevilla
OAI Identifier:oai:idus.us.es:11441/168067
Acceso en línea:https://hdl.handle.net/11441/168067
https://doi.org/10.3897/jucs.131686
Access Level:acceso abierto
Palabra clave:Network security monitoring
Intrusion Detection Systems
Cyberattacks models
Alert correlation
Mitre ATT&CK attack models
id ES_7aa065b1a70c8ad5f45fe22eb90607e2
oai_identifier_str oai:idus.us.es:11441/168067
network_acronym_str ES
network_name_str España
repository_id_str
spelling A Flexible Multilevel System for Mitre ATT&CK Model-driven Alerts and Events Correlation in Cyberattacks DetectionMuñoz Calle, Francisco JavierEstepa Alonso, Rafael MaríaEstepa Alonso, Antonio JoséDíaz Verdejo, JesúsCastillo Fernández, ElviraMadinabeitia Luque, GermánNetwork security monitoringIntrusion Detection SystemsCyberattacks modelsAlert correlationMitre ATT&CK attack modelsThis article is part of: JUCS - Journal of Universal Computer Science 30(9): Fighting Cybersecurity Risks from a Multidisciplinary PerspectiveNetwork monitoring systems can struggle to detect the full sequence of actions in a multi-step cyber attack, frequently resulting in multiple alerts (some of which are false positive (FP)) and missed actions. The challenge of easing the job of security analysts by triggering a single and accurate alert per attack requires developing and evaluating advanced event correlation techniques and models that have the potential to devise relationships between the different observed events/alerts. This work introduces a flexible architecture designed for hierarchical and iterative correlation of alerts and events. Its key feature is the sequential correlation of operations targeting specific attack episodes or aspects. This architecture utilizes IDS alerts or similar cybersecurity sensors, storing events and alerts in a non-relational database. Modules designed for knowledge creation then query these stored items to generate meta-alerts, also stored in the database. This approach facilitates creating a more refined knowledge that can be built on top of existing one by creating specialized modules. For illustrative purposes, we make a case study where we use this architectural approach to explore the feasibility of monitoring the progress of attacks of increased complexity by increasing the levels of the hyperalerts defined, including a case of a multi-step attack that adheres to the ATT&CK model. Although the mapping between the observations and the model components (i.e., techniques and tactics) is challenging, we could fully monitor the progress of two attacks and up to 5 out of 6 steps of the most complex attack by building up to three specialized modules. Despite some limitations due to the sensors and attack scenarios tested, the results indicate the architecture’s potential for enhancing the detection of complex cyber attacks, offering a promising direction for future cybersecurity research.Journal of Universal Computer ScienceIngeniería TelemáticaTIC154: Departamento de Ingeniería TelemáticaMinisterio de Ciencia e Innovación (MICIN). EspañaAgencia Estatal de Investigación. España2024info:eu-repo/semantics/articleinfo:eu-repo/semantics/publishedVersionapplication/pdfapplication/pdfhttps://hdl.handle.net/11441/168067https://doi.org/10.3897/jucs.131686reponame:idUS. Depósito de Investigación de la Universidad de Sevillainstname:Universidad de Sevilla (US)InglésJUCS - Journal of Universal Computer Science, 30 (9), 1184-1204.PID2020- 115199RB-I00https://lib.jucs.org/article/131686/info:eu-repo/semantics/openAccessoai:idus.us.es:11441/1680672026-06-17T12:51:07Z
dc.title.none.fl_str_mv A Flexible Multilevel System for Mitre ATT&CK Model-driven Alerts and Events Correlation in Cyberattacks Detection
title A Flexible Multilevel System for Mitre ATT&CK Model-driven Alerts and Events Correlation in Cyberattacks Detection
spellingShingle A Flexible Multilevel System for Mitre ATT&CK Model-driven Alerts and Events Correlation in Cyberattacks Detection
Muñoz Calle, Francisco Javier
Network security monitoring
Intrusion Detection Systems
Cyberattacks models
Alert correlation
Mitre ATT&CK attack models
title_short A Flexible Multilevel System for Mitre ATT&CK Model-driven Alerts and Events Correlation in Cyberattacks Detection
title_full A Flexible Multilevel System for Mitre ATT&CK Model-driven Alerts and Events Correlation in Cyberattacks Detection
title_fullStr A Flexible Multilevel System for Mitre ATT&CK Model-driven Alerts and Events Correlation in Cyberattacks Detection
title_full_unstemmed A Flexible Multilevel System for Mitre ATT&CK Model-driven Alerts and Events Correlation in Cyberattacks Detection
title_sort A Flexible Multilevel System for Mitre ATT&CK Model-driven Alerts and Events Correlation in Cyberattacks Detection
dc.creator.none.fl_str_mv Muñoz Calle, Francisco Javier
Estepa Alonso, Rafael María
Estepa Alonso, Antonio José
Díaz Verdejo, Jesús
Castillo Fernández, Elvira
Madinabeitia Luque, Germán
author Muñoz Calle, Francisco Javier
author_facet Muñoz Calle, Francisco Javier
Estepa Alonso, Rafael María
Estepa Alonso, Antonio José
Díaz Verdejo, Jesús
Castillo Fernández, Elvira
Madinabeitia Luque, Germán
author_role author
author2 Estepa Alonso, Rafael María
Estepa Alonso, Antonio José
Díaz Verdejo, Jesús
Castillo Fernández, Elvira
Madinabeitia Luque, Germán
author2_role author
author
author
author
author
dc.contributor.none.fl_str_mv Ingeniería Telemática
TIC154: Departamento de Ingeniería Telemática
Ministerio de Ciencia e Innovación (MICIN). España
Agencia Estatal de Investigación. España
dc.subject.none.fl_str_mv Network security monitoring
Intrusion Detection Systems
Cyberattacks models
Alert correlation
Mitre ATT&CK attack models
topic Network security monitoring
Intrusion Detection Systems
Cyberattacks models
Alert correlation
Mitre ATT&CK attack models
description This article is part of: JUCS - Journal of Universal Computer Science 30(9): Fighting Cybersecurity Risks from a Multidisciplinary Perspective
publishDate 2024
dc.date.none.fl_str_mv 2024
dc.type.none.fl_str_mv info:eu-repo/semantics/article
info:eu-repo/semantics/publishedVersion
format article
status_str publishedVersion
dc.identifier.none.fl_str_mv https://hdl.handle.net/11441/168067
https://doi.org/10.3897/jucs.131686
url https://hdl.handle.net/11441/168067
https://doi.org/10.3897/jucs.131686
dc.language.none.fl_str_mv Inglés
language_invalid_str_mv Inglés
dc.relation.none.fl_str_mv JUCS - Journal of Universal Computer Science, 30 (9), 1184-1204.
PID2020- 115199RB-I00
https://lib.jucs.org/article/131686/
dc.rights.none.fl_str_mv info:eu-repo/semantics/openAccess
eu_rights_str_mv openAccess
dc.format.none.fl_str_mv application/pdf
application/pdf
dc.publisher.none.fl_str_mv Journal of Universal Computer Science
publisher.none.fl_str_mv Journal of Universal Computer Science
dc.source.none.fl_str_mv reponame:idUS. Depósito de Investigación de la Universidad de Sevilla
instname:Universidad de Sevilla (US)
instname_str Universidad de Sevilla (US)
reponame_str idUS. Depósito de Investigación de la Universidad de Sevilla
collection idUS. Depósito de Investigación de la Universidad de Sevilla
repository.name.fl_str_mv
repository.mail.fl_str_mv
_version_ 1869411452903751680
score 15,811543