
Article information

  • Title: OMMA: open architecture for Operator-guided Monitoring of Multi-step Attacks
  • Authors: Julio Navarro; Véronique Legrand; Aline Deruyver
  • Journal: EURASIP Journal on Information Security
  • Print ISSN: 1687-4161
  • Electronic ISSN: 1687-417X
  • Year of publication: 2018
  • Volume: 2018
  • Issue: 1
  • Pages: 1-25
  • DOI: 10.1186/s13635-018-0075-x
  • Publisher: Hindawi Publishing Corporation
  • Abstract: Current attacks are complex and stealthy. The recent WannaCry malware campaign demonstrates that this is true not only for targeted operations, but also for massive attacks. Complex attacks can only be described as a set of individual actions composing a global strategy. Most of the time, different devices are involved in the same attack scenario. Information about the events recorded in these devices can be collected in the shape of logs in a central system, where an automatic search for threat traces can be implemented. Much has been written about automatic event correlation to detect multi-step attacks, but the proposed methods are rarely brought together in the same platform. In this paper, we propose OMMA (Operator-guided Monitoring of Multi-step Attacks), an open and collaborative engineering system which offers a platform to integrate the methods developed by the multi-step attack detection research community. Inspired by the HuMa (Navarro et al., HuMa: A multi-layer framework for threat analysis in a heterogeneous log environment, 2017) and Knowledge and Information Logs-based System (Legrand et al., Vers une architecture «big-data» bio-inspirée pour la détection d'anomalie des SIEM, 2014) systems, OMMA incorporates real-time feedback from human experts, so the integrated methods can improve their performance through a learning process. This feedback loop is used by Morwilog, an Ant Colony Optimization-based analysis engine that we present as one of the first methods to be integrated in OMMA.
  • Keywords: Advanced persistent threats; Event correlation; Intrusion detection systems; Multi-stage attacks; Network security