Abstract

Alert correlation is a set of techniques that process alerts raised by intrusion detection systems to eliminate redundant alerts, reduce the number of false positives, and reconstruct attack scenarios. Since Industrial Control Systems (ICSs) exhibit both a physical and a cyber domain, they present unique challenges for alert correlation. The presence of heterogeneous domains, each with its own specific threats, has led to the development of multi-domain detection techniques. Indeed, some detection approaches rely solely on observations in the cyber domain, while others monitor the physical process. Although these two approaches are complementary, the nature of the information carried by their detection alerts differs. In this article, we develop an alert correlation framework tailored explicitly to ICSs. We combine physical domain intrusion detection alerts with more classical cyber domain intrusion detection alerts. We develop a correlation approach that maps physical domain alerts into the cyber domain using alert enrichment. We also propose a specific alert selection for correlation that adapts to the state of the physical process by dynamically adjusting the size of the selected alert window. We test our approach on a realistic experimental setup, and we publicly release all datasets used to derive our results. Our cross-domain correlation methodology achieves better correlation metrics than classical temporal-based correlation approaches in terms of false correlation rate, missing correlation rate, and alert reduction.
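The two ideas in the abstract, enriching physical alerts with a cyber identity and widening the correlation window according to process state, can be sketched as a small correlator. This is an added illustration, not the paper's code or datasets: the asset map, the alert fields, the window policy (10 s normally, 60 s while the process is disturbed) and the sample alerts are all constructed assumptions.

```python
from dataclasses import dataclass, replace
from typing import Callable, List, Optional

# Constructed asset inventory: the controller (cyber identity, here an IP) owning each physical tag.
ASSET_MAP = {"LIT101": "10.0.1.10", "P101": "10.0.1.10", "FIT201": "10.0.1.20"}

@dataclass
class Alert:
    ts: float                   # seconds since start of capture
    domain: str                 # "cyber" or "physical"
    kind: str                   # detector label
    host: Optional[str] = None  # controller IP; empty on raw physical alerts until enriched
    tag: Optional[str] = None   # process tag; only set on physical alerts

def enrich(alert: Alert) -> Alert:
    """Map a physical alert into the cyber domain by attaching the host that controls its tag."""
    if alert.domain == "physical" and alert.host is None:
        return replace(alert, host=ASSET_MAP.get(alert.tag))
    return alert

def window_seconds(process_state: str) -> float:
    """Assumed policy (not the paper's): widen the window while the process is disturbed."""
    return {"normal": 10.0, "disturbed": 60.0}.get(process_state, 10.0)

def correlate(alerts: List[Alert], state_at: Callable[[float], str]) -> List[List[Alert]]:
    """Group alerts that share a host and fall within the window in force at the alert's time."""
    groups: List[List[Alert]] = []
    for a in sorted(map(enrich, alerts), key=lambda x: x.ts):
        w = window_seconds(state_at(a.ts))
        for g in groups:
            if a.host is not None and g[0].host == a.host and a.ts - g[0].ts <= w:
                g.append(a)
                break
        else:
            groups.append([a])  # no open scenario matches: start a new one
    return groups

def alert_reduction(alerts: List[Alert], groups: List[List[Alert]]) -> float:
    """Fraction of raw alerts absorbed into a correlated scenario."""
    return 1 - len(groups) / len(alerts)
# Constructed sample: two cyber alerts on LIT101's controller, a LIT101 anomaly once disturbed, then an unrelated pair.
SAMPLE_ALERTS = [
    Alert(0.0, "cyber", "modbus_write_from_unknown_source", host="10.0.1.10"),
    Alert(5.0, "cyber", "port_scan", host="10.0.1.10"),
    Alert(40.0, "physical", "level_rate_anomaly", tag="LIT101"),
    Alert(45.0, "physical", "flow_anomaly", tag="FIT201"),
    Alert(100.0, "cyber", "arp_spoofing", host="10.0.1.20"),
]
def sample_state(ts: float) -> str:
    return "disturbed" if ts >= 30 else "normal"  # constructed process-state signal: disturbed from t = 30 s
```

With the adaptive window the level anomaly at t = 40 s joins the earlier cyber alerts on its controller (2 scenarios, 60% reduction); with a fixed 10 s window it stays isolated (4 scenarios).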

Full Text
Published version (Free)