TY - GEN
T1 - Detecting malicious logins in enterprise networks using visualization
AU - Siadati, Hossein
AU - Saket, Bahador
AU - Memon, Nasir
N1 - Publisher Copyright:
© 2016 IEEE.
PY - 2016/11/8
Y1 - 2016/11/8
N2 - Enterprise networks have been a frequent target of data breaches and sabotage. In a widely used method, attackers establish a foothold in the target network by compromising a single computer or account. They then move laterally between computers to access valuable resources and information located deeper inside the network. To move laterally, attackers often steal valid user credentials. This paper is based on the observation that an attacker's pattern of access with stolen credentials deviates from benign patterns and can be used to detect malicious logins. In this paper, we present APT-Hunter, a visualization tool that helps security analysts explore login data to discover patterns and detect malicious logins. To evaluate the proposed system, a pilot study was conducted over an open dataset of more than one billion logins of an enterprise network, provided by Los Alamos National Lab (LANL). Using APT-Hunter, security analysts (unfamiliar with the dataset) were able to detect 349 of 749 malicious logins related to lateral movements performed by a Red Team during a penetration test conducted at LANL. APT-Hunter is currently deployed in a global financial company and helps security analysts detect account compromises.
KW - K.6.1 [Visualization, APT, Login, Security]
KW - K.7.m [Attack]-Alert
UR - http://www.scopus.com/inward/record.url?scp=85006841015&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85006841015&partnerID=8YFLogxK
U2 - 10.1109/VIZSEC.2016.7739582
DO - 10.1109/VIZSEC.2016.7739582
M3 - Conference contribution
AN - SCOPUS:85006841015
T3 - 2016 IEEE Symposium on Visualization for Cyber Security, VizSec 2016
BT - 2016 IEEE Symposium on Visualization for Cyber Security, VizSec 2016
A2 - Staheli, Diane
A2 - Harrison, Lane
A2 - Prigent, Nicolas
A2 - Best, Daniel M.
A2 - Engle, Sophie
PB - Institute of Electrical and Electronics Engineers Inc.
T2 - 2016 IEEE Symposium on Visualization for Cyber Security, VizSec 2016
Y2 - 24 October 2016
ER -