Skip to Main content Skip to Navigation
Theses

Heterogeneous Event Causal Dependency Definition for the Detection and Explanation of Multi-Step Attacks

Abstract : Knowing that a persistent attacker will eventually succeed in gaining a foothold inside the targeted network despite prevention mechanisms, it is mandatory to perform security monitoring on the system. The purpose of this thesis is to enable the discovery of multi-step attacks through logged events analysis. To that end, previous alert correlation work has aimed at building connections among events and between attack steps. In practice, this type of link is not trivial to define and discover, especially when considering heterogeneous events (i.e., events emanating from monitoring systems deployed in different abstraction layers of the monitored system), and the literature lacks a formal definition of these connections. We argue that the connections among heterogeneous events correspond to causal dependency relationships among events.Inspired from two causality models from the distributed system and the security research areas, i.e., Lamport's and d'Ausbourg's models, we have thereby proposed a formal definition of this relationship called event causal dependency. The relationship enables the discovery of all events, which can be considered as the cause or the effect of an event of interest (e.g., an IDS alert).To the best of our knowledge, our work is the first one to propose a formal definition of the causal dependency relationship among heterogeneous events. We present how existing work permits the computation of parts of the overall model, and detail our implementation, which exclusively leverages existing monitoring facilities (e.g., auditd, or Zeek NIDS) to produce events. We show that our implementation already yields a good approximation of our model.
Document type :
Theses
Complete list of metadatas

Cited literature [222 references]  Display  Hide  Download

https://tel.archives-ouvertes.fr/tel-02947368
Contributor : Abes Star :  Contact
Submitted on : Thursday, September 24, 2020 - 1:02:24 AM
Last modification on : Wednesday, October 14, 2020 - 4:09:16 AM

File

2020_XOSANAVONGSA_archivage.pd...
Version validated by the jury (STAR)

Identifiers

  • HAL Id : tel-02947368, version 1

Citation

Charles Xosanavongsa. Heterogeneous Event Causal Dependency Definition for the Detection and Explanation of Multi-Step Attacks. Cryptography and Security [cs.CR]. CentraleSupélec, 2020. English. ⟨NNT : 2020CSUP0003⟩. ⟨tel-02947368⟩

Share

Metrics

Record views

96

Files downloads

36