TY - GEN
T1 - Detecting structurally anomalous logins within enterprise networks
AU - Siadati, Hossein
AU - Memon, Nasir
N1 - Publisher Copyright:
© 2017 author(s).
PY - 2017/10/30
Y1 - 2017/10/30
N2 - Many network intrusion detection systems use byte sequences to detect lateral movements that exploit remote vulnerabilities. Attackers bypass such detection by stealing valid credentials and using them to transmit from one computer to another without creating abnormal network traffic. We call this method Credential-based Lateral Movement. To detect this type of lateral movement, we develop the concept of a Network Login Structure that specifies normal logins within a given network. Our method models a network login structure by automatically extracting a collection of login patterns by using a variation of the market-basket analysis algorithm. We then employ an anomaly detection approach to detect malicious logins that are inconsistent with the enterprise network's login structure. Evaluations show that the proposed method is able to detect malicious logins in a real setting. In a simulated attack, our system was able to detect 82% of malicious logins, with a 0.3% false positive rate. We used a real dataset of millions of logins over the course of five months within a global financial company for evaluation of this work.
AB - Many network intrusion detection systems use byte sequences to detect lateral movements that exploit remote vulnerabilities. Attackers bypass such detection by stealing valid credentials and using them to transmit from one computer to another without creating abnormal network traffic. We call this method Credential-based Lateral Movement. To detect this type of lateral movement, we develop the concept of a Network Login Structure that specifies normal logins within a given network. Our method models a network login structure by automatically extracting a collection of login patterns by using a variation of the market-basket analysis algorithm. We then employ an anomaly detection approach to detect malicious logins that are inconsistent with the enterprise network's login structure. Evaluations show that the proposed method is able to detect malicious logins in a real setting. In a simulated attack, our system was able to detect 82% of malicious logins, with a 0.3% false positive rate. We used a real dataset of millions of logins over the course of five months within a global financial company for evaluation of this work.
KW - Anomalous Logins
KW - Network Lateral Movement
KW - Pattern Mining
UR - http://www.scopus.com/inward/record.url?scp=85041441305&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85041441305&partnerID=8YFLogxK
U2 - 10.1145/3133956.3134003
DO - 10.1145/3133956.3134003
M3 - Conference contribution
AN - SCOPUS:85041441305
T3 - Proceedings of the ACM Conference on Computer and Communications Security
SP - 1273
EP - 1284
BT - CCS 2017 - Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security
PB - Association for Computing Machinery
T2 - 24th ACM SIGSAC Conference on Computer and Communications Security, CCS 2017
Y2 - 30 October 2017 through 3 November 2017
ER -