An unsupervised multi-detector approach for identifying malicious lateral movement

Atul Bohara, Mohammad A. Noureddine, Ahmed Fawaz, William H. Sanders

Research output: Chapter in Book/Report/Conference proceedingConference contribution

Abstract

Lateral movement-based attacks are increasingly leading to compromises in large private and government networks, often resulting in information exfiltration or service disruption. Such attacks are often slow and stealthy and usually evade existing security products. To enable effective detection of such attacks, we present a new approach based on graph-based modeling of the security state of the target system and correlation of diverse indicators of anomalous host behavior. We believe that irrespective of the specific attack vectors used, attackers typically establish a command and control channel to operate, and move in the target system to escalate their privileges and reach sensitive areas. Accordingly, we identify important features of command and control and lateral movement activities and extract them from internal and external communication traffic. Driven by the analysis of the features, we propose the use of multiple anomaly detection techniques to identify compromised hosts. These methods include Principal Component Analysis, k-means clustering, and Median Absolute Deviation-based outlier detection. We evaluate the accuracy of identifying compromised hosts by using injected attack traffic in a real enterprise network dataset, for various attack communication models. Our results show that the proposed approach can detect infected hosts with high accuracy and a low false positive rate.

Original languageEnglish (US)
Title of host publicationProceedings - 2017 IEEE 36th International Symposium on Reliable Distributed Systems, SRDS 2017
PublisherIEEE Computer Society
Pages224-233
Number of pages10
ISBN (Electronic)9781538616796
DOIs
StatePublished - Oct 13 2017
Event36th IEEE International Symposium on Reliable Distributed Systems, SRDS 2017 - Hong Kong, Hong Kong
Duration: Sep 26 2017Sep 29 2017

Publication series

NameProceedings of the IEEE Symposium on Reliable Distributed Systems
Volume2017-September
ISSN (Print)1060-9857

Other

Other36th IEEE International Symposium on Reliable Distributed Systems, SRDS 2017
CountryHong Kong
CityHong Kong
Period9/26/179/29/17

Keywords

  • Advanced persistent threat
  • Anomaly detection
  • Command and control
  • Lateral movement

ASJC Scopus subject areas

  • Software
  • Theoretical Computer Science
  • Hardware and Architecture
  • Computer Networks and Communications

Fingerprint Dive into the research topics of 'An unsupervised multi-detector approach for identifying malicious lateral movement'. Together they form a unique fingerprint.

  • Cite this

    Bohara, A., Noureddine, M. A., Fawaz, A., & Sanders, W. H. (2017). An unsupervised multi-detector approach for identifying malicious lateral movement. In Proceedings - 2017 IEEE 36th International Symposium on Reliable Distributed Systems, SRDS 2017 (pp. 224-233). [8069085] (Proceedings of the IEEE Symposium on Reliable Distributed Systems; Vol. 2017-September). IEEE Computer Society. https://doi.org/10.1109/SRDS.2017.31