Stellar: A fusion system for scenario construction and security risk assessment

Stellar aggregates and correlates alerts from heterogeneous network defense systems, building scenarios and estimating the security risk of the entire scenario. Prior work considered Stellar scenario formation; in this paper we explore the advantages provided by using scenario context to assess the risk of actions occurring on a network. We describe the design and an evaluation of Stellar and its Security Assessment Declarative Language (SADL), a fast, stateful, simple-to-use language for assessing the priority of scenarios, on a high traffic network tinder constant attack. The evaluation of the Stellar system deployed on a large, operational enterprise network demonstrated its ability, to scale to high alert volumes while accurately forming and prioritizing scenarios. Stellar not only produced high priority scenarios matching all incidents reported by human analysts, but also discovered additional scenarios of concern that had initially gone unnoticed. Furthermore, by following the simple formalism embedded in example SADL rules, system administrators quickly develop a correct understanding of the network they are protecting(1).