ABSTRACT
Many network intrusion detection systems use byte sequences to detect lateral movements that exploit remote vulnerabilities. Attackers bypass such detection by stealing valid credentials and using them to move from one computer to another without creating abnormal network traffic. We call this method Credential-based Lateral Movement. To detect this type of lateral movement, we develop the concept of a Network Login Structure that specifies normal logins within a given network. Our method models a network login structure by automatically extracting a collection of login patterns using a variation of the market-basket algorithm. We then employ an anomaly detection approach to detect malicious logins that are inconsistent with the enterprise network's login structure. Evaluations show that the proposed method is able to detect malicious logins in a real setting. In a simulated attack, our system was able to detect 82% of malicious logins with a 0.3% false positive rate. We used a real dataset of millions of logins over the course of five months within a global financial company for the evaluation of this work.
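A worked illustration of the idea the abstract sketches, added here as an editor's example; it is not the authors' code and does not reproduce their algorithm or data. Each login is treated as a market basket of (attribute, value) items, frequent itemsets are mined Apriori-style to form a "login structure", and a new login is scored by how much of it is covered by a mined pattern. The attribute names (user role, source host role, destination host role), the support threshold, the scoring rule, and the sample logins are all constructed assumptions for the demo.

```python
"""Mine a login structure from historical logins and score new logins
against it.  Added example in the spirit of the abstract (market-basket
style pattern mining + anomaly detection); not the paper's own code.
Attribute names, the support threshold and the sample logins are
constructed assumptions."""
from itertools import combinations

# Constructed history.  Each login is reduced to categorical attributes
# (who logged in, from what kind of host, to what kind of host).  In a real
# deployment these would come from authentication logs joined with asset
# and directory metadata; three attributes is an assumption for the demo.
HISTORY = (
    [{"user": "engineer", "src": "workstation", "dst": "build-server"}] * 40
    + [{"user": "engineer", "src": "workstation", "dst": "git-server"}] * 30
    + [{"user": "dba", "src": "jump-host", "dst": "db-server"}] * 20
    + [{"user": "helpdesk", "src": "workstation", "dst": "workstation"}] * 25
    + [{"user": "engineer", "src": "workstation", "dst": "db-server"}] * 2  # rare path
)


def basket(login):
    """Turn a login record into a market basket of (attribute, value) items."""
    return frozenset(login.items())


def mine_patterns(logins, min_support):
    """Apriori-style level-wise mining.  Returns {itemset: support} for every
    itemset contained in at least min_support (fraction) of the logins."""
    baskets = [basket(login) for login in logins]
    n = len(baskets)
    candidates = [frozenset([item]) for b in baskets for item in b]
    candidates = list(set(candidates))
    frequent = {}
    while candidates:
        k = len(candidates[0])
        counts = {c: sum(1 for b in baskets if c <= b) for c in candidates}
        level = {c: cnt / n for c, cnt in counts.items() if cnt / n >= min_support}
        frequent.update(level)
        # Join step: merge frequent k-itemsets into (k+1)-candidates, keeping a
        # candidate only if every k-subset is itself frequent (Apriori pruning).
        nxt = set()
        for a, b in combinations(level, 2):
            u = a | b
            if len(u) == k + 1 and all(frozenset(s) in level for s in combinations(u, k)):
                nxt.add(u)
        candidates = list(nxt)
    return frequent


def anomaly_score(login, patterns):
    """0.0 when the whole login is a mined pattern; higher when only smaller
    parts of it are known.  Score = 1 - |largest frequent sub-pattern| / |login|.
    (Scoring rule is an assumption chosen for the demo.)"""
    b = basket(login)
    best = max((len(p) for p in patterns if p <= b), default=0)
    return 1 - best / len(b)


def flag_logins(logins, patterns, threshold=0.0):
    """Return the logins whose score exceeds the threshold, highest first."""
    scored = [(anomaly_score(login, patterns), login) for login in logins]
    return [login for score, login in sorted(scored, key=lambda t: -t[0]) if score > threshold]


if __name__ == "__main__":
    structure = mine_patterns(HISTORY, min_support=0.05)
    probes = [
        {"user": "engineer", "src": "workstation", "dst": "build-server"},  # normal
        {"user": "engineer", "src": "workstation", "dst": "db-server"},     # rare path
        {"user": "contractor", "src": "vpn", "dst": "db-server"},           # mostly unseen
    ]
    for login in probes:
        print(f"{anomaly_score(login, structure):.2f}  {login}")
```

The `min_support` threshold is where the base-rate trade-off lives: every rare but legitimate path (a quarterly maintenance login, a new team member's first week) falls below it and surfaces as an alert, which is why a false-positive rate quoted against millions of logins per month matters far more than the detection rate alone. The training window also needs care: an attacker who already holds valid credentials and appears in the history will teach the miner their path as a frequent pattern, so known incident periods should be excluded before mining.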
Index Terms
- Detecting Structurally Anomalous Logins Within Enterprise Networks