An unsupervised multi-detector approach for identifying malicious lateral movement

Atul Bohara, Mohammad A. Noureddine, Ahmed Fawaz, William H. Sanders

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

Lateral movement-based attacks are increasingly leading to compromises in large private and government networks, often resulting in information exfiltration or service disruption. Such attacks are often slow and stealthy and usually evade existing security products. To enable effective detection of such attacks, we present a new approach based on graph-based modeling of the security state of the target system and correlation of diverse indicators of anomalous host behavior. We believe that irrespective of the specific attack vectors used, attackers typically establish a command and control channel to operate, and move in the target system to escalate their privileges and reach sensitive areas. Accordingly, we identify important features of command and control and lateral movement activities and extract them from internal and external communication traffic. Driven by the analysis of the features, we propose the use of multiple anomaly detection techniques to identify compromised hosts. These methods include Principal Component Analysis, k-means clustering, and Median Absolute Deviation-based outlier detection. We evaluate the accuracy of identifying compromised hosts by using injected attack traffic in a real enterprise network dataset, for various attack communication models. Our results show that the proposed approach can detect infected hosts with high accuracy and a low false positive rate.
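As an added illustration, not code from the paper, the Median Absolute Deviation-based outlier step named in the abstract is applied below to one per-host lateral-movement feature: the number of distinct internal hosts each source contacts. The flow records, host names, the 0.6745 scaling of the modified z-score and the 3.5 threshold are assumptions of this example (the Iglewicz and Hoaglin convention), not values taken from the paper.

```python
from collections import defaultdict
from statistics import median

# Constructed internal flow records (src host, dst host); not the paper's dataset.
# Most workstations talk to a few servers; "ws-07" fans out to its peers, the kind
# of pattern a lateral-movement feature is meant to surface.
FLOWS = [
    ("ws-01", "dc01"),
    ("ws-02", "fileserver"), ("ws-02", "dc01"),
    ("ws-03", "fileserver"), ("ws-03", "dc01"),
    ("ws-04", "fileserver"), ("ws-04", "dc01"), ("ws-04", "printer"),
    ("ws-05", "fileserver"), ("ws-05", "dc01"), ("ws-05", "printer"),
    ("ws-06", "fileserver"), ("ws-06", "dc01"), ("ws-06", "printer"), ("ws-06", "mail"),
    ("ws-07", "dc01"), ("ws-07", "fileserver"), ("ws-07", "printer"), ("ws-07", "mail"),
    ("ws-07", "ws-01"), ("ws-07", "ws-02"), ("ws-07", "ws-03"), ("ws-07", "ws-04"),
    ("ws-07", "ws-05"), ("ws-07", "ws-06"),
    ("ws-07", "fileserver"),  # repeated flow: a destination is only counted once
]


def distinct_destinations(flows):
    """Per-source feature: number of distinct internal hosts contacted."""
    dests = defaultdict(set)
    for src, dst in flows:
        dests[src].add(dst)
    return {src: len(d) for src, d in dests.items()}


def modified_z_scores(values):
    """Robust score |0.6745 * (x - median) / MAD| per host (assumed convention)."""
    xs = list(values.values())
    med = median(xs)
    abs_dev = [abs(x - med) for x in xs]
    mad = median(abs_dev)
    if mad == 0:
        # Edge case: when more than half the hosts share one value, MAD collapses to 0
        # and every deviation would divide by zero. Fall back to the mean absolute
        # deviation with its consistency constant (sqrt(pi/2) ~ 1.253314).
        mean_ad = sum(abs_dev) / len(abs_dev)
        if mean_ad == 0:
            return {h: 0.0 for h in values}
        return {h: abs(x - med) / (1.253314 * mean_ad) for h, x in values.items()}
    return {h: abs(0.6745 * (x - med) / mad) for h, x in values.items()}


def flag_outlier_hosts(flows, threshold=3.5):
    """Hosts whose distinct-destination count is a MAD outlier above the threshold."""
    scores = modified_z_scores(distinct_destinations(flows))
    return sorted(h for h, z in scores.items() if z > threshold)
```

On the constructed flows the median host contacts 3 destinations with MAD 1, so ws-07 (10 destinations) scores about 4.7 and is the only host flagged; the paper correlates such a flag with its other detectors rather than alerting on it alone.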

Original language: English (US)
Title of host publication: Proceedings - 2017 IEEE 36th International Symposium on Reliable Distributed Systems, SRDS 2017
Publisher: IEEE Computer Society
Pages: 224-233
Number of pages: 10
ISBN (Electronic): 9781538616796
DOIs: https://doi.org/10.1109/SRDS.2017.31
State: Published - Oct 13 2017
Event: 36th IEEE International Symposium on Reliable Distributed Systems, SRDS 2017 - Hong Kong, Hong Kong
Duration: Sep 26 2017 to Sep 29 2017

Publication series

Name: Proceedings of the IEEE Symposium on Reliable Distributed Systems
Volume: 2017-September
ISSN (Print): 1060-9857

Other

Other: 36th IEEE International Symposium on Reliable Distributed Systems, SRDS 2017
Country: Hong Kong
City: Hong Kong
Period: 9/26/17 to 9/29/17


Keywords

  • Advanced persistent threat
  • Anomaly detection
  • Command and control
  • Lateral movement

ASJC Scopus subject areas

  • Software
  • Theoretical Computer Science
  • Hardware and Architecture
  • Computer Networks and Communications

Cite this

Bohara, A., Noureddine, M. A., Fawaz, A., & Sanders, W. H. (2017). An unsupervised multi-detector approach for identifying malicious lateral movement. In Proceedings - 2017 IEEE 36th International Symposium on Reliable Distributed Systems, SRDS 2017 (pp. 224-233). [8069085] (Proceedings of the IEEE Symposium on Reliable Distributed Systems; Vol. 2017-September). IEEE Computer Society. https://doi.org/10.1109/SRDS.2017.31

@inproceedings{29728b1a64a84732b3c1ae6721fa123a,
title = "An unsupervised multi-detector approach for identifying malicious lateral movement",
keywords = "Advanced persistent threat, Anomaly detection, Command and control, Lateral movement",
author = "Atul Bohara and Noureddine, {Mohammad A.} and Ahmed Fawaz and Sanders, {William H.}",
year = "2017",
month = "10",
day = "13",
doi = "10.1109/SRDS.2017.31",
language = "English (US)",
series = "Proceedings of the IEEE Symposium on Reliable Distributed Systems",
publisher = "IEEE Computer Society",
pages = "224--233",
booktitle = "Proceedings - 2017 IEEE 36th International Symposium on Reliable Distributed Systems, SRDS 2017",

}
