Uncovering Lateral Movement Using Authentication Logs

Bian, Haibo; Bai, Tim; Salahuddin, Mohammad A.; Limam, Noura; Daya, Abbas Abou; Boutaba, Raouf

doi:10.1109/tnsm.2021.3054356

Cited by 22 publications

(12 citation statements)

References 27 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Keeping the same principles as in [7], the authors leveraged Windows hostbased RDP event logs (as evidences) through the combination of two publicly available Windows event-logs subsets of the LANL dataset, namely, comprehensive and unified, respectively. The subject of LM detection via authentication logs was re-addressed in [9] by the same authors, although extended in the examination of the effects on classification efficiency due to perturbations of LM techniques patterns.…”

Section: Supervised Learning Based Schemesmentioning

confidence: 99%

On the detection of lateral movement through supervised machine learning and an open-source tool to create turnkey datasets from Sysmon logs

Smiliotopoulos

Kambourakis

Barmpatsalou

2023

Preprint

View full text Add to dashboard Cite

Lateral movement (LM) is a principal, increasingly common, tactic in the arsenal of advanced persistent threat (APT) groups and other less or more powerful threat actors. It concerns techniques that enable a cyberattacker, after establishing foothold, to maintain ongoing access and penetrate further into a network in quest of prized booty. This is done by moving through the infiltrated network and gaining elevated privileges using an assortment of tools. Concentrating on the MS Windows platform, this work provides the first to our knowledge holistic methodology supported by an abundance of experimental results towards the identification of LM via machine learning (ML) techniques. We not only assess this potential by means of both traditional and deep learning models, but also contribute a publicly available, open-source tool, which can convert Windows system monitor logs to turnkey datasets, ready to be fed into ML models. Vis-`a-vis the relevant literature, and by considering a highly unblalanced dataset and a multiclass classification problem, we report superior scores in terms of the F1 and AUC metrics, 99.41% and 99.84%, respectively.

show abstract

Section: Supervised Learning Based Schemesmentioning

confidence: 99%

On the detection of lateral movement through supervised machine learning and an open-source tool to create turnkey datasets from Sysmon logs

Smiliotopoulos

Kambourakis

Barmpatsalou

2023

Preprint

View full text Add to dashboard Cite

show abstract

“…The life cycle of APT can be divided into the following stages: reconnaissance, delivery, initial intrusion, command and control (C&C), lateral movement, data exfiltration. 19 In the reconnaissance and delivery stage, attackers mainly collect information about the target, such as exploits, personnel information and host information. Then attackers use collected information to attack the target in the initial intrusion stage.…”

Section: Related Workmentioning

confidence: 99%

Exploring the vulnerability in the inference phase of advanced persistent threats

Guo

et al. 2022

International Journal of Distributed Sensor Networks

View full text Add to dashboard Cite

In recent years, the Internet of Things has been widely used in modern life. Advanced persistent threats are long-term network attacks on specific targets with attackers using advanced attack methods. The Internet of Things targets have also been threatened by advanced persistent threats with the widespread application of Internet of Things. The Internet of Things device such as sensors is weaker than host in security. In the field of advanced persistent threat detection, most works used machine learning methods whether host-based detection or network-based detection. However, models using machine learning methods lack robustness because it can be attacked easily by adversarial examples. In this article, we summarize the characteristics of advanced persistent threats traffic and propose the algorithm to make adversarial examples for the advanced persistent threat detection model. We first train advanced persistent threat detection models using different machine learning methods, among which the highest F1-score is 0.9791. Then, we use the algorithm proposed to grey-box attack one of models and the detection success rate of the model drop from 98.52% to 1.47%. We prove that advanced persistent threats adversarial examples are transitive and we successfully black-box attack other models according to this. The detection success rate of the attacked model with the best attacked effect dropped from 98.66% to 0.13%.

show abstract

“…To capture relations between network entities, researchers construct authentication graphs, where nodes represent users or devices and edges represent authentication events. At first, some researchers [29]- [31] characterize graph topology with features like in/out degree, in/out weight, centrality, eccentricity, etc., and spot anomalies with traditional ML methods. With the development of graph learning methods, GLGV [7] utilizes DeepWalk [32] to generate node embeddings, presents links as their Hadamard products, and trains a logistic regression classifier to predict lateral movement.…”

Section: A Lateral Movement Detectionmentioning

confidence: 99%

HetGLM: Lateral Movement Detection by Discovering Anomalous Links with Heterogeneous Graph Neural Network

Sun

Yang

2022

2022 IEEE International Performance, Computing, and Communications Conference (IPCCC)

View full text Add to dashboard Cite

As a critical stage in the Advanced Persistent Threat (APT) lifecycle, lateral movement (LM) has become a major concern in cybersecurity due to its stealthy nature. Recent authentication graph-based LM detection systems have achieved promising results. However, these methods have some unpractical requirements on data collection and model deployment, which severely affects their performance in real-world scenarios. In this paper, we propose HetGLM, a more accurate and practical LM detection system. Specifically, to fully explore the scenario, HetGLM constructs a heterogeneous graph with various network entities like users, devices, processes, etc. On this basis, we design MADR, a Graph neural network (GNN)-based anomaly link detection algorithm, to spot lateral movements. With the metapath-based sampling strategy, attention mechanism, the dual-decoder structure, and a mutual information regularization term, MADR can detect anomaly links on heterogeneous graphs, requiring neither labeled or purely benign training datasets nor manually preset thresholds. We implement a prototype of HetGLM and evaluate its performance via comprehensive experiments over public datasets. Comparison results show that HetGLM outperforms the state-of-the-art approaches in accuracy and practicality.

show abstract

Uncovering Lateral Movement Using Authentication Logs

Cited by 22 publications

References 27 publications

On the detection of lateral movement through supervised machine learning and an open-source tool to create turnkey datasets from Sysmon logs

On the detection of lateral movement through supervised machine learning and an open-source tool to create turnkey datasets from Sysmon logs

Exploring the vulnerability in the inference phase of advanced persistent threats

HetGLM: Lateral Movement Detection by Discovering Anomalous Links with Heterogeneous Graph Neural Network

Contact Info

Product

Resources

About