Multistep Cyberattacks Detection using a Flexible Multilevel System for Alerts and Events Correlation

Current network monitoring systems tend to generate several alerts per attack, especially in multistep attacks. However, Cybersecurity Officers (CSO) would rather receive a single alert summarizing the entire incident. Triggering a single alert per attack is a challenge that requires developing and evaluating advanced event correlation techniques and models to determine the relationships between the different observed events/alerts. In this work, we propose a flexible architecture oriented toward the correlation and aggregation of events and alerts in a multi-level iterative approach. In our scheme, sensors generate events and alerts that are stored in a non-relational database queried by modules that create knowledge structured as meta-alerts that are also stored in the database. These meta-alerts (also called hyper-alerts) are, in turn, used iteratively to create new knowledge. This iterative approach can be used to aggregate information at multiple levels or steps in complex attack models. Our architecture also allows the incorporation of additional sensors and the evaluation of various correlation techniques and multistage attack models. The capabilities of the system are assessed through three case studies.