Role-based lateral movement detection with unsupervised learning

by   Brian A. Powell, et al.

Adversarial lateral movement via compromised accounts remains difficult to discover via traditional rule-based defenses because it generally lacks explicit indicators of compromise. We propose a behavior-based, unsupervised framework comprising two methods of lateral movement detection on enterprise networks: one aimed at generic lateral movement via either exploit or authenticated connections, and one targeting the specific techniques of process injection and hijacking. The first method is based on the premise that the role of a system—the functions it performs on the network—determines the roles of the systems it should make connections with. The adversary meanwhile might move between any systems whatever, possibly seeking out systems with unusual roles that facilitate certain accesses. We use unsupervised learning to cluster systems according to role and identify connections to systems with novel roles as potentially malicious. The second method is based on the premise that the temporal patterns of inter-system processes that facilitate these connections depend on the roles of the systems involved. If a process is compromised by an attacker, these normal patterns might be disrupted in discernible ways. We apply frequent-itemset mining to process sequences to establish regular patterns of communication between systems based on role, and identify rare process sequences as signalling potentially malicious connections.


Detecting malicious logins as graph anomalies

Authenticated lateral movement via compromised accounts is a common adve...

Nichtverbales Verhalten sozialer Roboter: Bewegungen, deren Bedeutung und die Technik dahinter

Nichtverbale Signale sind ein elementarer Bestandteil der menschlichen K...

Role-Based Deception in Enterprise Networks

Historically, enterprise network reconnaissance is an active process, of...

Patterns of Patient and Caregiver Mutual Support Connections in an Online Health Community

Online health communities offer the promise of support benefits to users...

The epidemiology of lateral movement: exposures and countermeasures with network contagion models

An approach is developed for analyzing computer networks to identify sys...

Measuring Thematic Fit with Distributional Feature Overlap

In this paper, we introduce a new distributional method for modeling pre...

Deep Reinforcement Learning of Cell Movement in the Early Stage of C. elegans Embryogenesis

Cell movement in the early phase of C. elegans development is regulated ...

Please sign up or login with your details

Forgot password? Click here to reset