
Deploying Dynamic Countermeasures through S-Rules

Fabrizio Baiardi
First author
Member of the Collaboration Group
2018-01-01

Abstract

We present a security information and event management system that fires the deployment of dynamic countermeasures against privilege escalations. The system is rule based: each rule is a pair consisting of a set of n-grams and a countermeasure. An n-gram describes n consecutive attacks in an escalation. A rule fires the deployment of its countermeasure as soon as the sequence of alerts from a sensor network matches all of its n-grams. We discuss a procedure to compute a set of rules that makes the best use of the information on the escalations to stop and on the ones to neglect because they cannot reach a goal. We also evaluate how the false positive rate and the false negative rate of the sensor network affect the effectiveness of the security management, and how to improve it using evidence of the attacks. We apply the tools in the Haruspex suite to forecast the attacker escalations and to select those to stop at run time. Lastly, we outline an experimental evaluation of the system's effectiveness using data from an industrial control system.
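As an added illustration, not code from the paper or from the Haruspex suite, the matching semantics described above: a rule fires once the alert sequence contains every one of its n-grams as consecutive alerts. The attack names, the rule and the alert sequences are constructed, and the two trailing functions show how a missed alert (false negative) or a spurious one (false positive) keeps the rule from firing under strict consecutive matching.

```python
from typing import Iterable, Sequence

# Constructed representation (an assumption, not the paper's own code): an alert
# is the name of the attack a sensor reports; an n-gram is a tuple of n attack
# names that must occur consecutively; a rule pairs a set of n-grams with the
# name of the countermeasure to deploy.
Ngram = tuple[str, ...]
Rule = tuple[frozenset[Ngram], str]


def run_siem(rules: Sequence[Rule], alerts: Iterable[str]) -> list[tuple[int, str]]:
    """Consume the alert sequence one alert at a time and return the
    (alert index, countermeasure) pairs fired, in firing order. A rule fires
    once, as soon as every one of its n-grams has been seen consecutively."""
    lengths = {len(g) for ngrams, _ in rules for g in ngrams}
    history: list[str] = []
    seen: set[Ngram] = set()
    pending = list(rules)
    fired: list[tuple[int, str]] = []
    for i, alert in enumerate(alerts, 1):
        history.append(alert)
        # record every n-gram that ends with the alert just received
        for n in lengths:
            if len(history) >= n:
                seen.add(tuple(history[-n:]))
        still_pending = []
        for ngrams, countermeasure in pending:
            if ngrams <= seen:  # all n-grams of the rule observed
                fired.append((i, countermeasure))
            else:
                still_pending.append((ngrams, countermeasure))
        pending = still_pending
    return fired


# Constructed rule: react only after the attacker has both escalated locally and
# moved laterally, i.e. after the escalation is confirmed by two 2-grams.
RULES: list[Rule] = [
    (frozenset({("phish_exec", "local_privesc"), ("local_privesc", "lateral_move")}),
     "isolate_host"),
]
ESCALATION = ["phish_exec", "local_privesc", "lateral_move", "domain_admin"]


def fired_on_full_escalation() -> list[tuple[int, str]]:
    return run_siem(RULES, ESCALATION)  # fires at the third alert


def fired_with_false_negative() -> list[tuple[int, str]]:
    # sensor misses local_privesc: neither 2-gram of the rule is ever observed
    return run_siem(RULES, [a for a in ESCALATION if a != "local_privesc"])


def fired_with_false_positive() -> list[tuple[int, str]]:
    # a spurious alert between two real attacks breaks the consecutive 2-gram
    return run_siem(RULES, ESCALATION[:2] + ["port_scan"] + ESCALATION[2:])
```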
Files in this item:
No files are associated with this item.

Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this item: https://hdl.handle.net/11568/952038