Lateral Movement Detection Using Distributed Data Fusion

Ahmed Fawaz, Atul Bohara, Carmen Cheh, William H. Sanders

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

Attackers often attempt to move laterally from host to host, infecting them until an overall goal is achieved. One possible defense against this strategy is to detect such coordinated and sequential actions by fusing data from multiple sources. In this paper, we propose a framework for distributed data fusion that specifies the communication architecture and data transformation functions. Then, we use this framework to specify an approach for lateral movement detection that uses host-level process communication graphs to infer network connection causations. The connection causations are then aggregated into system-wide host-communication graphs that expose possible lateral movement in the system. In order to provide a balance between the resource usage and the robustness of the fusion architecture, we propose a multilevel fusion hierarchy that uses different clustering techniques. We evaluate the scalability of the hierarchical fusion scheme in terms of storage overhead, number of message updates sent, fairness of resource sharing among clusters, and quality of local graphs. Finally, we implement a host-level monitor prototype to collect connection causations, and evaluate its overhead. The results show that our approach provides an effective method to detect lateral movement between hosts, and can be implemented with acceptable overhead.
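As an added illustration of the pipeline the abstract describes, and not code from the paper or its authors: a Python sketch that rebuilds per-host process trees from constructed monitor events, infers connection causations by attributing an outbound connection to an inbound connection held by the same process or one of its ancestors (a simplification assumed here; the paper works from process communication graphs), merges the causations into a system-wide host-communication graph, and walks that graph for multi-hop chains. The event format, host names and the benign update connection on hostC are all constructed for the example.

```python
from collections import defaultdict

# Constructed sample of host-monitor events (hypothetical CSV layout, not the
# paper's monitor output), emitted in time order. Fields: host,event,pid,ppid,peer
#   spawn    - process pid was created by ppid
#   inbound  - process pid accepted a connection from remote host 'peer'
#   outbound - process pid opened a connection to remote host 'peer'
SAMPLE_EVENTS = """\
hostA,outbound,100,1,hostB
hostB,inbound,200,1,hostA
hostB,spawn,201,200,-
hostB,outbound,201,200,hostC
hostC,inbound,300,1,hostB
hostC,spawn,301,300,-
hostC,outbound,301,300,hostD
hostC,outbound,310,1,updates.example.net
hostD,inbound,400,1,hostC
"""


def parse_events(text):
    """Parse the constructed CSV lines into (host, event, pid, ppid, peer) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        host, ev, pid, ppid, peer = line.split(",")
        events.append((host, ev, int(pid), int(ppid), peer))
    return events


def local_causations(events):
    """Host-level step: attribute each outbound connection to the inbound
    connection that plausibly caused it.

    Assumption (simplification of the paper's process communication graphs):
    an outbound connection from process p is caused by an inbound connection
    held by process q when q == p or q is an ancestor of p in the host's
    process tree. Returns {host: {(src_host, dst_host)}}; hosts with no
    attributable outbound connection do not appear.
    """
    parent = defaultdict(dict)      # host -> pid -> ppid
    inbound = defaultdict(dict)     # host -> pid -> set of remote hosts
    causations = defaultdict(set)   # host -> {(src_host, dst_host)}
    for host, ev, pid, ppid, peer in events:
        parent[host].setdefault(pid, ppid)
        if ev == "inbound":
            inbound[host].setdefault(pid, set()).add(peer)
        elif ev == "outbound":
            p, seen = pid, set()
            # walk up the process tree; 'seen' guards against malformed cycles
            while p in parent[host] and p not in seen:
                seen.add(p)
                for src in inbound[host].get(p, ()):
                    causations[host].add((src, peer))
                p = parent[host][p]
    return dict(causations)


def host_graph(causations):
    """System-wide step: merge per-host causations into a host-communication
    graph keyed by (src_host, via_host) -> set of dst_host."""
    edges = defaultdict(set)
    for via, pairs in causations.items():
        for src, dst in pairs:
            edges[(src, via)].add(dst)
    return dict(edges)


def lateral_chains(edges):
    """Follow causation edges across hosts. In a chain [h0, h1, ..., hn] every
    intermediate host's connection to the next host was caused by the
    connection from the previous one. Only maximal chains are reported."""
    def is_head(src, via):
        # (src, via) starts a chain unless some causation already leads into it
        return not any(s2 == src and via in dsts
                       for (s1, s2), dsts in edges.items())

    chains = []

    def walk(path):
        nexts = edges.get((path[-2], path[-1]), set())
        if not nexts:
            chains.append(path)
            return
        for dst in sorted(nexts):
            if dst in path:
                chains.append(path + [dst])   # loops back into the chain; stop
            else:
                walk(path + [dst])

    for src, via in sorted(edges):
        if is_head(src, via):
            walk([src, via])
    return chains


def detect(text):
    """Run the whole pipeline on monitor output and return lateral-movement chains."""
    return lateral_chains(host_graph(local_causations(parse_events(text))))


if __name__ == "__main__":
    for chain in detect(SAMPLE_EVENTS):
        print(" -> ".join(chain))
```

On the sample, hostC's outbound connection to updates.example.net comes from a process with no inbound ancestor, so it yields no causation and never enters the host graph; the attributable hops hostA -> hostB -> hostC -> hostD are reported as one chain. The rule that ties an outbound connection to an ancestor's inbound connection is deliberately simple and will miss causation carried over IPC, files or shared credentials, which is exactly the gap the richer process communication graphs in the paper are meant to close.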

Original language: English (US)
Title of host publication: Proceedings - 2016 IEEE 35th International Symposium on Reliable Distributed Systems, SRDS 2016
Publisher: IEEE Computer Society
Pages: 21-30
Number of pages: 10
ISBN (Electronic): 9781509035137
DOI: 10.1109/SRDS.2016.014
State: Published - Dec 21 2016
Event: 35th IEEE International Symposium on Reliable Distributed Systems, SRDS 2016 - Budapest, Hungary
Duration: Sep 26 2016 - Sep 29 2016

Publication series

Name: Proceedings of the IEEE Symposium on Reliable Distributed Systems
ISSN (Print): 1060-9857

Other

Other: 35th IEEE International Symposium on Reliable Distributed Systems, SRDS 2016
Country: Hungary
City: Budapest
Period: 9/26/16 - 9/29/16


ASJC Scopus subject areas

  • Software
  • Theoretical Computer Science
  • Hardware and Architecture
  • Computer Networks and Communications

Cite this

Fawaz, A., Bohara, A., Cheh, C., & Sanders, W. H. (2016). Lateral Movement Detection Using Distributed Data Fusion. In Proceedings - 2016 IEEE 35th International Symposium on Reliable Distributed Systems, SRDS 2016 (pp. 21-30). [7794326] (Proceedings of the IEEE Symposium on Reliable Distributed Systems). IEEE Computer Society. https://doi.org/10.1109/SRDS.2016.014
