Detecting malicious logins as graph anomalies

by Brian A. Powell, et al.

Authenticated lateral movement via compromised accounts is a common adversarial maneuver that is challenging to discover with signature- or rules-based intrusion detection systems. In this work a behavior-based approach to detecting malicious logins to novel systems indicative of lateral movement is presented, in which a user's historical login activity is used to build a model of putative "normal" behavior. This historical login activity is represented as a collection of daily login graphs, which encode authentications among accessed systems. Each system, or graph vertex, is described by a set of graph centrality measures that characterize it and the local topology of its login graph. The unsupervised technique of non-negative matrix factorization is then applied to this set of features to assign each vertex to a role that summarizes how the system participates in logins. The reconstruction error quantifying how well each vertex fits into its role is then computed, and the statistics of this error can be used to identify outlier vertices that correspond to systems involved in unusual logins. We test this technique with a small cohort of privileged accounts using real login data from an operational enterprise network. The ability of the method to identify malicious logins among normal activity is tested with simulated graphs of login activity representative of adversarial lateral movement. We find that the method is generally successful at detecting a broad range of lateral movement for each user, with false positive rates significantly lower than those resulting from alerts based solely on login novelty.
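The pipeline the abstract describes (daily login graphs, per-vertex graph features, non-negative matrix factorization into roles, reconstruction-error outliers) can be illustrated end to end on a toy dataset. The following is an added example written for this page, not the paper's code or data: the hostnames and login counts are constructed, the feature set (in/out degree, in/out login weight, two-hop reach, plus a constant bias column so that a fan-out to many hosts cannot be reconstructed by merely rescaling a normal role) and the choice of three roles are assumptions of this example, and the NMF is a plain Lee-Seung multiplicative-update implementation in pure Python so it runs without dependencies. The "new day" contains the account's usual logins plus single logins from its workstation to twelve never-seen systems, the kind of novel-system pattern the abstract targets.

```python
"""Added toy illustration of the abstract's pipeline (not the paper's code):
daily login graphs -> per-vertex features -> NMF roles -> reconstruction
error -> outlier systems.  Pure Python, no third-party dependencies."""
import math
import random


def usual(file_logins, mail_logins):
    """Constructed 'normal' day for one account: workstation -> two servers."""
    return [("ws-alice", "file-srv", file_logins), ("ws-alice", "mail-srv", mail_logins)]


HOP = [("ws-alice", "jump-srv", 1), ("jump-srv", "db-srv", 1)]  # constructed two-hop chain
HISTORY = [usual(2, 1), usual(3, 2) + HOP, usual(1, 1), usual(4, 2) + HOP,
           usual(2, 3), usual(3, 1) + HOP, usual(2, 2), usual(1, 3) + HOP]
# Constructed test day: the usual logins plus one login to twelve never-seen hosts.
NEW_DAY = usual(2, 1) + [("ws-alice", "srv-%02d" % i, 1) for i in range(12)]


def vertex_features(edges):
    """Vertex -> [bias, in_degree, out_degree, in_weight, out_weight, reach2]
    for one daily login graph given as (source, destination, login_count).
    The constant bias column (an assumption of this example) stops NMF from
    reproducing a row by simply rescaling a role."""
    succ, pred = {}, {}
    for s, d, w in edges:
        for v in (s, d):
            succ.setdefault(v, {})
            pred.setdefault(v, {})
        succ[s][d] = succ[s].get(d, 0) + w
        pred[d][s] = pred[d].get(s, 0) + w
    rows = {}
    for v in succ:
        reach2 = {m for n in succ[v] for m in succ[n]} - {v}  # exactly two hops away
        rows[v] = [1.0, float(len(pred[v])), float(len(succ[v])),
                   float(sum(pred[v].values())), float(sum(succ[v].values())),
                   float(len(reach2))]
    return rows


def matmul(A, B):
    return [[sum(a * b for a, b in zip(row, col)) for col in zip(*B)] for row in A]


def transpose(A):
    return [list(col) for col in zip(*A)]


def update(M, num, den, eps=1e-9):
    """One Lee-Seung multiplicative update; entries stay non-negative."""
    return [[m * n / (d + eps) for m, n, d in zip(mr, nr, dr)]
            for mr, nr, dr in zip(M, num, den)]


def nmf(V, k, iters=800, seed=0):
    """Factor V (n x f, non-negative) as W (n x k) @ H (k x f); rows of H are roles."""
    rng = random.Random(seed)
    W = [[rng.random() + 0.1 for _ in range(k)] for _ in V]
    H = [[rng.random() + 0.1 for _ in V[0]] for _ in range(k)]
    for _ in range(iters):
        Wt = transpose(W)
        H = update(H, matmul(Wt, V), matmul(matmul(Wt, W), H))
        Ht = transpose(H)
        W = update(W, matmul(V, Ht), matmul(W, matmul(H, Ht)))
    return W, H


def project(V, H, iters=500, seed=1):
    """Non-negative role weights for new rows V with the learned roles H held fixed."""
    rng = random.Random(seed)
    W = [[rng.random() + 0.1 for _ in H] for _ in V]
    Ht, HHt = transpose(H), matmul(H, transpose(H))
    for _ in range(iters):
        W = update(W, matmul(V, Ht), matmul(W, HHt))
    return W


def row_errors(V, W, H):
    """Euclidean reconstruction error of each row of V under W @ H."""
    return [math.sqrt(sum((v - r) ** 2 for v, r in zip(vr, rr)))
            for vr, rr in zip(V, matmul(W, H))]


class LoginRoleModel:
    def __init__(self, roles=3, z_threshold=3.0):
        self.k, self.z = roles, z_threshold

    def fit(self, daily_graphs):
        """Learn roles from the account's history and the error statistics."""
        V = [row for day in daily_graphs for row in vertex_features(day).values()]
        W, self.H = nmf(V, self.k)
        errs = row_errors(V, W, self.H)
        self.mu = sum(errs) / len(errs)
        self.sigma = max(math.sqrt(sum((e - self.mu) ** 2 for e in errs) / len(errs)), 1e-6)
        return self

    def score(self, edges):
        """Vertex -> (z-score of its reconstruction error, dominant role index)."""
        feats = vertex_features(edges)
        names, V = list(feats), list(feats.values())
        W = project(V, self.H)
        return {n: ((e - self.mu) / self.sigma, w.index(max(w)))
                for n, e, w in zip(names, row_errors(V, W, self.H), W)}

    def flag(self, edges):
        """Systems whose login behaviour fits none of the learned roles."""
        return sorted(n for n, (z, _) in self.score(edges).items() if z > self.z)


if __name__ == "__main__":
    model = LoginRoleModel().fit(HISTORY)
    print(model.score(NEW_DAY)["ws-alice"], model.flag(NEW_DAY))
```

On the constructed data the workstation that fans out to twelve new hosts gets by far the largest error z-score, while `file-srv`, whose row looks like its historical ones, does not cross the threshold; the novel target hosts themselves look like ordinary sinks, which is why the abstract's method scores the topology around a login rather than novelty alone. A production version would use a richer centrality set and calibrate the threshold against the false-positive rate the paper reports.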

