Role-based lateral movement detection with unsupervised learning

Powell, Brian A.

doi:10.1016/j.iswa.2022.200106

Cited by 10 publications

(6 citation statements)

References 53 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The proposed approach relies on Net-Flow data collected on the pivot and, thus, it is a de-facto host-based method, even though network-based data are used. Powell [20] proposed a role-based lateral movement detection using unsupervised learning, utilizing systems calls and network connections alike, leveraging earlier work on graph-based anomaly detection in authentication logs [19]. Smiliotopoulos et al [24] propose a Sysmon log-based lateral movement detection technique encompassing the labelling and pre-processing of the data, as well as the classification through a supervised machine learning approach.…”

Section: Related Work On Pivoting Detectionmentioning

confidence: 99%

Unraveling Network-Based Pivoting Maneuvers: Empirical Insights and Challenges

Husák,

Yang,

Khoury

et al. 2024

Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering

View full text Add to dashboard Cite

Pivoting is a sophisticated strategy employed by modern malware and Advanced Persistent Threats (APT) to complicate attack tracing and attribution. Detecting pivoting activities is of utmost importance in order to counter these threats effectively. In this study, we examined the detection of pivoting by analyzing network traffic data collected over a period of 10 days in a campus network. Through NetFlow monitoring, we initially identified potential pivoting candidates, which are traces in the network traffic that match known patterns. Subsequently, we conducted an in-depth analysis of these candidates and uncovered a significant number of false positives and benign pivoting-like patterns. To enhance investigation and understanding, we introduced a novel graph representation called a pivoting graph, which provides comprehensive visualization capabilities. Unfortunately, investigating pivoting candidates is highly dependent on the specific context and necessitates a strong understanding of the local environment. To address this challenge, we applied principal component analysis and clustering techniques to a diverse range of features. This allowed us to identify the most meaningful features for automated pivoting detection, eliminating the need for prior knowledge of the local environment.

show abstract

Section: Related Work On Pivoting Detectionmentioning

confidence: 99%

Unraveling Network-Based Pivoting Maneuvers: Empirical Insights and Challenges

Husák,

Yang,

Khoury

et al. 2024

Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering

View full text Add to dashboard Cite

show abstract

“…The vulnerabilities in IoT device services can lead to lateral movement attacks to compromise other IoT devices through remote attacks. Some of those attacks might be stealthy and can go undetected when their generated traffic fits into accepted categories [34], [35]. To address those attacks, in CMXsafe, the services forwarded to the CMX-GW are only accessible by devices and platforms that are previously authenticated and have enabling SCs for communications, limiting the risk of anonymous fuzzy/injection attacks [36].…”

Section: Secure Communication Path Establishment (P3)mentioning

confidence: 99%

CMXsafe: A Proxy Layer for Securing Internet-of-Things Communications

de Hoz Diego,

Madi,

Konstantinou

2024

IEEE Trans.Inform.Forensic Secur.

View full text Add to dashboard Cite

Security in Internet-of-Things (IoT) environments has become a major concern. This is partly due to a large number of remotely exploitable IoT vulnerabilities in service authentication and access control combined with the lack of timely technical support. To reduce the threat surface of remote vulnerability exploitation, we propose CMXsafe, a secure-bydesign application-agnostic proxy layer that can be updated and managed independently of the IoT device application. CMXsafe places IoT devices behind gateways operating as 4th OSI transport layer relayers to offload security concerns of IoT network communications into the proxy layer. More specifically, the proxy layer produces secure communication paths between IoT applications and platforms while enforcing mutual authentication and access control to proxied services. We evaluate the performance of our architecture on the MQTT protocol used in a standard publisher-broker-subscriber configuration provided by Eclipse Mosquitto. More specifically, we compare the performance penalty on the protocol when securing communications with TLS following a monolithic implementation and with CMXsafe. The experimental results suggest that CMXsafe outperforms integrated security by providing at least a 25% latency reduction and a 22% bandwidth improvement.

show abstract

“…Moreover, 6 out of 9 works included k-fold cross validation (all with 10 folds) as a precaution step for avoiding overfitting. Additionally, the majority of the contributions employ an imbalanced dataset, whereas each one of the works [15,17,7] incorporate balanced traffic. Nevertheless, it is generally accepted that the imbalanced nature of real-life log-based traffic is the basic principle that governs real-world scenarios.…”

Section: Comparison With Related Workmentioning

confidence: 99%

“…Anomaly detection was conducted on the application layer network traffic of data centers via the Jaccard Similarity Coefficient and clustering measurement technique (JSCC) on several balanced datasets. On the other hand, the authors in [17] presented an unsupervised learning model of LM detection, based on the rolebased approach of clustering the system connections to remote hosts into distinct roles. We argue, that the type of traffic, and therefore the features obtained in both the environments of [16] and [17], are significantly different compared to this study.…”

Section: Unsupervised Learning Based Schemesmentioning

confidence: 99%

“…On the other hand, the authors in [17] presented an unsupervised learning model of LM detection, based on the rolebased approach of clustering the system connections to remote hosts into distinct roles. We argue, that the type of traffic, and therefore the features obtained in both the environments of [16] and [17], are significantly different compared to this study. Namely, the traffic considered by the authors is inappropriate for detecting LM.…”

Section: Unsupervised Learning Based Schemesmentioning

confidence: 99%

See 1 more Smart Citation

On the detection of lateral movement through supervised machine learning and an open-source tool to create turnkey datasets from Sysmon logs

Smiliotopoulos

Kambourakis

Barmpatsalou

2023

Preprint

View full text Add to dashboard Cite

Lateral movement (LM) is a principal, increasingly common, tactic in the arsenal of advanced persistent threat (APT) groups and other less or more powerful threat actors. It concerns techniques that enable a cyberattacker, after establishing foothold, to maintain ongoing access and penetrate further into a network in quest of prized booty. This is done by moving through the infiltrated network and gaining elevated privileges using an assortment of tools. Concentrating on the MS Windows platform, this work provides the first to our knowledge holistic methodology supported by an abundance of experimental results towards the identification of LM via machine learning (ML) techniques. We not only assess this potential by means of both traditional and deep learning models, but also contribute a publicly available, open-source tool, which can convert Windows system monitor logs to turnkey datasets, ready to be fed into ML models. Vis-`a-vis the relevant literature, and by considering a highly unblalanced dataset and a multiclass classification problem, we report superior scores in terms of the F1 and AUC metrics, 99.41% and 99.84%, respectively.

show abstract

Role-based lateral movement detection with unsupervised learning

Cited by 10 publications

References 53 publications

Unraveling Network-Based Pivoting Maneuvers: Empirical Insights and Challenges

Unraveling Network-Based Pivoting Maneuvers: Empirical Insights and Challenges

CMXsafe: A Proxy Layer for Securing Internet-of-Things Communications

On the detection of lateral movement through supervised machine learning and an open-source tool to create turnkey datasets from Sysmon logs

Contact Info

Product

Resources

About