Detecting malicious logins in enterprise networks using visualization

Hossein Siadati, Bahador Saket, Nasir Memon

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

Enterprise networks have been a frequent target of data breaches and sabotage. In a widely used method, attackers establish a foothold in the target network by compromising a single computer or account. They then move laterally between computers to access valuable resources and information located deeper inside the network. To move laterally, attackers often steal valid user credentials. This paper is based on the observation that the way an attacker uses stolen credentials, characterized as <User, Source, Destination> login triples, deviates from benign access patterns and can therefore be used to detect malicious logins. In this paper, we present APT-Hunter, a visualization tool that helps security analysts explore login data to discover patterns and detect malicious logins. To evaluate the proposed system, a pilot study was conducted over an open dataset of more than one billion logins of an enterprise network, provided by Los Alamos National Lab (LANL). Using APT-Hunter, security analysts unfamiliar with the dataset were able to detect 349 of 749 malicious logins related to lateral movements performed by a Red Team during a penetration test conducted at LANL. APT-Hunter is currently deployed in a global financial company and helps security analysts detect account compromises.
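The detection idea in the abstract (a login described as a <User, Source, Destination> triple is suspicious when it departs from that user's established pattern) can be exercised in code without the visualization layer. The example below is an added illustration, not APT-Hunter's own code or the paper's algorithm: it builds a baseline of successful login triples from a training window, then scores later logins by how many never-before-seen destinations a (user, source) pair reaches and whether the source host is one the user has never logged in from. The comma-separated record layout, host and user names and the two log excerpts are all constructed for the example and are a simplification of the LANL dataset's schema, not a copy of it.

```python
"""Baseline-and-deviation check on <User, Source, Destination> login triples.

Added example; the log layout below (time,user,source_host,destination_host,
orientation,result) is a constructed simplification, not the LANL schema.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed training window: what "normal" looks like for three users.
BASELINE_LOG = """
1,alice,ws01,fileserv,LogOn,Success
2,alice,ws01,mail,LogOn,Success
3,bob,ws02,fileserv,LogOn,Success
4,bob,ws02,db01,LogOn,Success
5,alice,ws01,fileserv,LogOn,Success
6,carol,ws03,mail,LogOn,Success
"""

# Constructed detection window: alice's credentials are used from bob's
# workstation (ws02) to fan out to three hosts she has never touched, while
# carol merely reaches one new host from her usual workstation.
RECENT_LOG = """
100,alice,ws01,fileserv,LogOn,Success
101,alice,ws02,db01,LogOn,Success
102,alice,ws02,hr01,LogOn,Success
103,alice,ws02,dc01,LogOn,Success
104,bob,ws02,fileserv,LogOn,Success
105,carol,ws03,print01,LogOn,Success
"""


@dataclass(frozen=True)
class Login:
    ts: int
    user: str
    src: str
    dst: str
    success: bool


def parse_auth_log(text):
    """Parse the constructed comma-separated layout into Login records."""
    logins = []
    for raw in text.strip().splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, src, dst, _orientation, result = [f.strip() for f in line.split(",")]
        logins.append(Login(int(ts), user, src, dst, result == "Success"))
    return logins


@dataclass
class Baseline:
    # (user, src, dst) triples observed in the training window
    triples: set = field(default_factory=set)
    # user -> set of source hosts that user has logged in from
    user_sources: dict = field(default_factory=lambda: defaultdict(set))


def build_baseline(logins):
    """Record every successful triple; failures are not part of 'normal'."""
    base = Baseline()
    for lg in logins:
        if not lg.success:
            continue
        base.triples.add((lg.user, lg.src, lg.dst))
        base.user_sources[lg.user].add(lg.src)
    return base


def find_deviations(logins, baseline):
    """Group unseen triples per (user, source) and score the fan-out.

    score = number of new destinations, plus 2 if the source host itself is
    new for that user (a credential used from an unfamiliar machine).
    """
    new_dsts = defaultdict(set)
    for lg in logins:
        if (lg.user, lg.src, lg.dst) not in baseline.triples:
            new_dsts[(lg.user, lg.src)].add(lg.dst)

    alerts = []
    for (user, src), dsts in new_dsts.items():
        new_source = src not in baseline.user_sources.get(user, set())
        alerts.append({
            "user": user,
            "source": src,
            "new_source": new_source,
            "new_destinations": sorted(dsts),
            "score": len(dsts) + (2 if new_source else 0),
        })
    # Highest score first; ties broken by user/source for stable output.
    alerts.sort(key=lambda a: (-a["score"], a["user"], a["source"]))
    return alerts


if __name__ == "__main__":
    base = build_baseline(parse_auth_log(BASELINE_LOG))
    for alert in find_deviations(parse_auth_log(RECENT_LOG), base):
        print(alert)
```

Running it ranks alice@ws02 (new source, three new destinations) well above carol@ws03 (one new destination from her usual host), which is the kind of ordering an analyst would want before deciding what to look at first; on real data the baseline window would be built from weeks of logins and the thresholds tuned against known-benign fan-out such as administrators' jump hosts.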

Original language: English (US)
Title of host publication: 2016 IEEE Symposium on Visualization for Cyber Security, VizSec 2016
Editors: Diane Staheli, Lane Harrison, Nicolas Prigent, Daniel M. Best, Sophie Engle
Publisher: Institute of Electrical and Electronics Engineers Inc.
ISBN (Electronic): 9781509016051
DOIs
State: Published - Nov 8 2016
Event: 2016 IEEE Symposium on Visualization for Cyber Security, VizSec 2016 - Baltimore, United States
Duration: Oct 24 2016 → …

Publication series

Name: 2016 IEEE Symposium on Visualization for Cyber Security, VizSec 2016

Other

Other: 2016 IEEE Symposium on Visualization for Cyber Security, VizSec 2016
Country/Territory: United States
City: Baltimore
Period: 10/24/16 → …

Keywords

  • K.6.1 [Visualization, APT, Login, Security]
  • K.7.m [Attack]-Alert

ASJC Scopus subject areas

  • Computer Networks and Communications
  • Media Technology
  • Modeling and Simulation
