Printed from https://ideas.repec.org/p/hal/journl/hal-03218219.html

OMMA: open architecture for Operator-guided Monitoring of Multi-step Attacks

Authors
  • Julio Navarro

    (ICube - Laboratoire des sciences de l'ingénieur, de l'informatique et de l'imagerie - ENGEES - École Nationale du Génie de l'Eau et de l'Environnement de Strasbourg - UNISTRA - Université de Strasbourg - HUS - Les Hôpitaux Universitaires de Strasbourg - INSA Strasbourg - Institut National des Sciences Appliquées - Strasbourg - INSA - Institut National des Sciences Appliquées - CNRS - Centre National de la Recherche Scientifique - MNGE - Matériaux et Nanosciences Grand-Est - UNISTRA - Université de Strasbourg - Université de Haute-Alsace (UHA) - Université de Haute-Alsace (UHA) Mulhouse - Colmar - INSERM - Institut National de la Santé et de la Recherche Médicale - INC-CNRS - Institut de Chimie - CNRS Chimie - CNRS - Centre National de la Recherche Scientifique - Réseau nanophotonique et optique - UNISTRA - Université de Strasbourg - Université de Haute-Alsace (UHA) - Université de Haute-Alsace (UHA) Mulhouse - Colmar - CNRS - Centre National de la Recherche Scientifique)

  • Véronique Legrand

    (CEDRIC - Centre d'études et de recherche en informatique et communications - ENSIIE - Ecole Nationale Supérieure d'Informatique pour l'Industrie et l'Entreprise - CNAM - Conservatoire National des Arts et Métiers [CNAM] - HESAM - HESAM Université - Communauté d'universités et d'établissements Hautes écoles Sorbonne Arts et métiers université)

  • Aline Deruyver

    (ICube - Laboratoire des sciences de l'ingénieur, de l'informatique et de l'imagerie - ENGEES - École Nationale du Génie de l'Eau et de l'Environnement de Strasbourg - UNISTRA - Université de Strasbourg - HUS - Les Hôpitaux Universitaires de Strasbourg - INSA Strasbourg - Institut National des Sciences Appliquées - Strasbourg - INSA - Institut National des Sciences Appliquées - CNRS - Centre National de la Recherche Scientifique - MNGE - Matériaux et Nanosciences Grand-Est - UNISTRA - Université de Strasbourg - Université de Haute-Alsace (UHA) - Université de Haute-Alsace (UHA) Mulhouse - Colmar - INSERM - Institut National de la Santé et de la Recherche Médicale - INC-CNRS - Institut de Chimie - CNRS Chimie - CNRS - Centre National de la Recherche Scientifique - Réseau nanophotonique et optique - UNISTRA - Université de Strasbourg - Université de Haute-Alsace (UHA) - Université de Haute-Alsace (UHA) Mulhouse - Colmar - CNRS - Centre National de la Recherche Scientifique)

  • Pierre Parrend

    (ICube - Laboratoire des sciences de l'ingénieur, de l'informatique et de l'imagerie - ENGEES - École Nationale du Génie de l'Eau et de l'Environnement de Strasbourg - UNISTRA - Université de Strasbourg - HUS - Les Hôpitaux Universitaires de Strasbourg - INSA Strasbourg - Institut National des Sciences Appliquées - Strasbourg - INSA - Institut National des Sciences Appliquées - CNRS - Centre National de la Recherche Scientifique - MNGE - Matériaux et Nanosciences Grand-Est - UNISTRA - Université de Strasbourg - Université de Haute-Alsace (UHA) - Université de Haute-Alsace (UHA) Mulhouse - Colmar - INSERM - Institut National de la Santé et de la Recherche Médicale - INC-CNRS - Institut de Chimie - CNRS Chimie - CNRS - Centre National de la Recherche Scientifique - Réseau nanophotonique et optique - UNISTRA - Université de Strasbourg - Université de Haute-Alsace (UHA) - Université de Haute-Alsace (UHA) Mulhouse - Colmar - CNRS - Centre National de la Recherche Scientifique)

Abstract

Current attacks are complex and stealthy. The recent WannaCry malware campaign demonstrates that this is true not only for targeted operations, but also for massive attacks. Complex attacks can only be described as a set of individual actions composing a global strategy. Most of the time, different devices are involved in the same attack scenario. Information about the events recorded in these devices can be collected in the shape of logs in a central system, where an automatic search of threat traces can be implemented. Much has been written about automatic event correlation to detect multi-step attacks, but the proposed methods are rarely brought together in the same platform. In this paper, we propose OMMA (Operator-guided Monitoring of Multi-step Attacks), an open and collaborative engineering system which offers a platform to integrate the methods developed by the multi-step attack detection research community. Inspired by HuMa (Navarro et al., HuMa: A multi-layer framework for threat analysis in a heterogeneous log environment, 2017) and Knowledge and Information Logs-based System (Legrand et al., Vers une architecture «big-data» bio-inspirée pour la détection d'anomalie des SIEM, 2014) systems, OMMA incorporates real-time feedback from human experts, so the integrated methods can improve their performance through a learning process. This feedback loop is used by Morwilog, an Ant Colony Optimization-based analysis engine that we show as one of the first methods to be integrated in OMMA.

Suggested Citation

  • Julio Navarro & Véronique Legrand & Aline Deruyver & Pierre Parrend, 2018. "OMMA: open architecture for Operator-guided Monitoring of Multi-step Attacks," Post-Print hal-03218219, HAL.
  • Handle: RePEc:hal:journl:hal-03218219
    DOI: 10.1186/s13635-018-0075-x
    Note: View the original document on HAL open archive server: https://hal.science/hal-03218219

    Download full text from publisher

    File URL: https://hal.science/hal-03218219/document
    Download Restriction: no


    Citations

    Cited by:

    1. Ramaki, Ali Ahmadian & Ghaemi-Bafghi, Abbas & Rasoolzadegan, Abbas, 2023. "CAPTAIN: Community-based Advanced Persistent Threat Analysis in IT Networks," International Journal of Critical Infrastructure Protection, Elsevier, vol. 42(C).
