Abstract
Lateral movement is widely used in complex network attacks, especially in advanced persistent threats (APTs). To evade security tools, attackers typically reuse legitimate credentials left on compromised hosts to move between machines across the enterprise intranet in search of valuable information. Attackers, however, do not know the normal activity patterns of intranet users, so even a skilled attacker "moves blindly" through the intranet, and his lateral movement usually differs from typical user behavior. To identify such potentially malicious lateral movement, we propose CTLMD, a Continuous-Temporal Lateral Movement Detection framework. Remote and local authentication events are represented as a Path Connection Graph and a Bipartite Graph respectively. We extract normal lateral movement paths under time constraints, and generate abnormal lateral movement paths from several attack scenarios. Finally, we define multiple path features using graph embedding methods for the subsequent classification task. We evaluate the framework on a real enterprise network dataset (LANL) with injected attack data. Our experimental results show that the proposed framework separates normal from malicious lateral movement paths well, with a best AUC of 92%, and that it detects the lateral movement state in a timely and effective manner.
This work was supported by the National Key R&D Program of China (2016YFB0801001).
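The abstract describes extracting lateral movement paths from remote authentication events under a time constraint. The following is an added illustration of that idea, not the authors' CTLMD code: it parses LANL-style authentication records, keeps only successful remote logons (local logons belong to the bipartite user/host view, not the path graph), and walks chains of hops in which each hop leaves the host the previous hop arrived at, strictly later, and within a fixed window. The sample records are constructed; the field order is assumed to match the public LANL "auth" dataset (time, source user, destination user, source computer, destination computer, authentication type, logon type, orientation, outcome). The `window` and `max_hops` parameters and the scalar features in `path_features` are this example's own choices and stand in for the paper's embedding-based features, which are not reproduced here.

```python
"""Time-constrained lateral-movement path extraction over LANL-style
authentication records (added example, not the CTLMD authors' code).

Assumed field order (LANL "auth" comprehensive dataset):
time,src_user,dst_user,src_host,dst_host,auth_type,logon_type,orientation,outcome
"""
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample records (not real LANL data). Times are in seconds.
SAMPLE_AUTH = """\
100,U1@DOM1,U1@DOM1,C1,C1,Negotiate,Interactive,LogOn,Success
120,U1@DOM1,U1@DOM1,C1,C2,Kerberos,Network,LogOn,Success
150,U1@DOM1,U1@DOM1,C2,C3,Kerberos,Network,LogOn,Success
160,U1@DOM1,U1@DOM1,C2,C3,Kerberos,Network,LogOff,Success
170,U1@DOM1,U1@DOM1,C3,C4,Kerberos,Network,LogOn,Success
900,U1@DOM1,U1@DOM1,C4,C5,Kerberos,Network,LogOn,Success
200,U2@DOM1,U2@DOM1,C7,C8,NTLM,Network,LogOn,Failure
210,U2@DOM1,U2@DOM1,C7,C8,NTLM,Network,LogOn,Success
205,U2@DOM1,U2@DOM1,C8,C9,NTLM,Network,LogOn,Success
"""

Edge = Tuple[int, str, str]  # (time, src_host, dst_host)


def parse_remote_logons(text: str) -> Dict[str, List[Edge]]:
    """Keep successful remote LogOn events, grouped by source user.

    Local logons (src_host == dst_host), LogOff events and failures are
    dropped: only successful host-to-host hops form the path graph.
    """
    per_user: Dict[str, List[Edge]] = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        t, src_user, _dst, src_host, dst_host, _auth, _logon, orient, outcome = line.split(",")
        if orient != "LogOn" or outcome != "Success" or src_host == dst_host:
            continue
        per_user[src_user].append((int(t), src_host, dst_host))
    for edges in per_user.values():
        edges.sort()  # chronological order per user
    return per_user


def extract_paths(edges: List[Edge], window: int, max_hops: int) -> List[List[Edge]]:
    """Enumerate maximal hop chains A->B, B->C, ... for one user.

    Time constraint: hop i+1 leaves the host hop i arrived at, strictly after
    hop i, and at most `window` seconds later. A chain is emitted once it can
    no longer be extended or reaches `max_hops`.
    """
    by_src: Dict[str, List[Edge]] = defaultdict(list)
    for e in edges:
        by_src[e[1]].append(e)

    paths: List[List[Edge]] = []

    def walk(path: List[Edge]) -> None:
        t, _src, dst = path[-1]
        nxt = [e for e in by_src.get(dst, []) if t < e[0] <= t + window]
        if not nxt or len(path) >= max_hops:
            paths.append(path)
            return
        for e in nxt:
            walk(path + [e])

    # Start a chain only from hops that no earlier in-window hop leads into,
    # so each chain is reported once rather than as all of its suffixes.
    for e in edges:
        t, src, _dst = e
        has_pred = any(p[2] == src and t - window <= p[0] < t for p in edges)
        if not has_pred:
            walk([e])
    return paths


def path_features(path: List[Edge]) -> Dict[str, int]:
    """Simple scalar features of one path (an illustrative stand-in for the
    paper's graph-embedding features)."""
    hosts = [path[0][1]] + [e[2] for e in path]
    return {
        "hops": len(path),
        "distinct_hosts": len(set(hosts)),
        "span_seconds": path[-1][0] - path[0][0],
        "revisits": len(hosts) - len(set(hosts)),
    }


if __name__ == "__main__":
    for user, edges in parse_remote_logons(SAMPLE_AUTH).items():
        for path in extract_paths(edges, window=300, max_hops=5):
            hops = " -> ".join([path[0][1]] + [e[2] for e in path])
            print(user, hops, path_features(path))
```

With a 300-second window, U1's chain C1 -> C2 -> C3 -> C4 is one path and the much later C4 -> C5 hop starts a separate one; widening the window to 1000 seconds joins them into a single four-hop path. U2's C8 -> C9 hop precedes the C7 -> C8 hop in time, so the two are not chained even though the hosts connect: ordering, not just adjacency, defines a path.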
© 2020 Springer Nature Switzerland AG
About this paper
Cite this paper
Zhao, S., Wei, R., Cai, L., Yu, A., Meng, D. (2020). CTLMD: Continuous-Temporal Lateral Movement Detection Using Graph Embedding. In: Zhou, J., Luo, X., Shen, Q., Xu, Z. (eds) Information and Communications Security. ICICS 2019. Lecture Notes in Computer Science, vol 11999. Springer, Cham. https://doi.org/10.1007/978-3-030-41579-2_11
DOI: https://doi.org/10.1007/978-3-030-41579-2_11
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-41578-5
Online ISBN: 978-3-030-41579-2
eBook Packages: Computer Science, Computer Science (R0)