Skip to Main content Skip to Navigation

Heterogeneous Event Causal Dependency Definition for the Detection and Explanation of Multi-Step Attacks

Abstract : Knowing that a persistent attacker will eventually succeed in gaining a foothold inside the targeted network despite prevention mechanisms, it is mandatory to perform security monitoring on the system. The purpose of this thesis is to enable the discovery of multi-step attacks through logged events analysis. To that end, previous alert correlation work has aimed at building connections among events and between attack steps. In practice, this type of link is not trivial to define and discover, especially when considering heterogeneous events (i.e., events emanating from monitoring systems deployed in different abstraction layers of the monitored system), and the literature lacks a formal definition of these connections. We argue that the connections among heterogeneous events correspond to causal dependency relationships among events.Inspired from two causality models from the distributed system and the security research areas, i.e., Lamport's and d'Ausbourg's models, we have thereby proposed a formal definition of this relationship called event causal dependency. The relationship enables the discovery of all events, which can be considered as the cause or the effect of an event of interest (e.g., an IDS alert).To the best of our knowledge, our work is the first one to propose a formal definition of the causal dependency relationship among heterogeneous events. We present how existing work permits the computation of parts of the overall model, and detail our implementation, which exclusively leverages existing monitoring facilities (e.g., auditd, or Zeek NIDS) to produce events. We show that our implementation already yields a good approximation of our model.
Document type :
Complete list of metadatas

Cited literature [222 references]  Display  Hide  Download
Contributor : Abes Star :  Contact
Submitted on : Thursday, September 24, 2020 - 1:02:24 AM
Last modification on : Wednesday, October 14, 2020 - 4:09:16 AM


Version validated by the jury (STAR)


  • HAL Id : tel-02947368, version 1


Charles Xosanavongsa. Heterogeneous Event Causal Dependency Definition for the Detection and Explanation of Multi-Step Attacks. Cryptography and Security [cs.CR]. CentraleSupélec, 2020. English. ⟨NNT : 2020CSUP0003⟩. ⟨tel-02947368⟩



Record views


Files downloads