Event correlation for detecting advanced multi-stage cyber-attacks

Rapidly evolving IT infrastructures bring beneficial effects to society and promote information sharing and use. However, vulnerabilities create opportunities for hostile users to perform malicious activities, and IT security has gradually turned into a critical research area for organizations and governments. Decision-making processes in large organizations are widely influenced by their capability to detect malicious activities effectively, and by the correctness of their analysis of suspicious phenomena, which can be observed by a number of security sensors deployed in such large networks. Several techniques are currently employed to detect incidents starting from security-related events captured within networks and computer systems. However, the large volume of observable events and the continuous sophistication of and changes in attack strategies make it challenging to provide effective solutions for detecting and reconstructing cyber-security incidents. In particular, advanced multi-stage attacks tend to remain undiscovered because common security mechanisms can generally detect and flag harmful activity – sometimes with unsatisfactory false alert rates – but they are not able to draw a big picture of the incidents. Since this task is usually performed entirely by security experts, it may be expensive and prone to errors. Therefore, it is essential to develop procedures for combining large heterogeneous datasets and system information in a meaningful way, and for supplying detailed information to IT security management. By examining realistic multi-stage incidents, this thesis proposes the design of a model to correlate detectable suspicious events by combining complementary state-of-the-art methods, which perform correlation along different axes. Thus, it aims at providing standard data formats, prioritizing and clustering data, increasing confidence about threats, finding relations of causality between suspicious events, and eventually reconstructing multi-stage incidents.
In addition, reviewing the most influential scientific papers gives us the chance to categorize the techniques and suggest practices for further implementation.