Lateral Movement Detection via Time-aware Subgraph Classification on Authentication Logs

• URL: http://arxiv.org/abs/2411.10279v1
• Date: Fri, 15 Nov 2024 15:35:56 GMT
• Title: Lateral Movement Detection via Time-aware Subgraph Classification on Authentication Logs
• Authors: Jiajun Zhou, Jiacheng Yao, Xuanze Chen, Shanqing Yu, Qi Xuan, Xiaoniu Yang,
• Abstract summary: Lateral movement is a crucial component of advanced persistent threat (APT) attacks in networks. We propose a multi-scale lateral movement detection framework called LMDetect.
• Score: 4.893077353126799
• License:
• Abstract: Lateral movement is a crucial component of advanced persistent threat (APT) attacks in networks. Attackers exploit security vulnerabilities in internal networks or IoT devices, expanding their control after initial infiltration to steal sensitive data or carry out other malicious activities, posing a serious threat to system security. Existing research suggests that attackers generally employ seemingly unrelated operations to mask their malicious intentions, thereby evading existing lateral movement detection methods and hiding their intrusion traces. In this regard, we analyze host authentication log data from a graph perspective and propose a multi-scale lateral movement detection framework called LMDetect. The main workflow of this framework proceeds as follows: 1) Construct a heterogeneous multigraph from host authentication log data to strengthen the correlations among internal system entities; 2) Design a time-aware subgraph generator to extract subgraphs centered on authentication events from the heterogeneous authentication multigraph; 3) Design a multi-scale attention encoder that leverages both local and global attention to capture hidden anomalous behavior patterns in the authentication subgraphs, thereby achieving lateral movement detection. Extensive experiments on two real-world authentication log datasets demonstrate the effectiveness and superiority of our framework in detecting lateral movement behaviors.

Related papers

• Twin Trigger Generative Networks for Backdoor Attacks against Object Detection [14.578800906364414]
  Object detectors, which are widely used in real-world applications, are vulnerable to backdoor attacks. Most research on backdoor attacks has focused on image classification, with limited investigation into object detection. We propose novel twin trigger generative networks to generate invisible triggers for implanting backdoors into models during training, and visible triggers for steady activation during inference.
  arXiv  Detail & Related papers  (2024-11-23T03:46:45Z)
• LLM-based Continuous Intrusion Detection Framework for Next-Gen Networks [0.7100520098029439]
  The framework employs a transformer encoder architecture, which captures hidden patterns in a bidirectional manner to differentiate between malicious and legitimate traffic. The system incrementally identifies unknown attack types by leveraging a Gaussian Mixture Model (GMM) to cluster features derived from high-dimensional BERT embeddings. Even after integrating additional unknown attack clusters, the framework continues to perform at a high level, achieving 95.6% in both classification accuracy and recall.
  arXiv  Detail & Related papers  (2024-11-04T18:12:14Z)
• UniForensics: Face Forgery Detection via General Facial Representation [60.5421627990707]
  High-level semantic features are less susceptible to perturbations and not limited to forgery-specific artifacts, thus having stronger generalization. We introduce UniForensics, a novel deepfake detection framework that leverages a transformer-based video network, with a meta-functional face classification for enriched facial representation.
  arXiv  Detail & Related papers  (2024-07-26T20:51:54Z)
• HADES: Detecting Active Directory Attacks via Whole Network Provenance Analytics [7.203330561731627]
  Active Directory (AD) is a top target of Advanced Persistence Threat (APT) actors. We propose HADES, the first PIDS capable of performing accurate causality-based cross-machine tracing. We introduce a novel lightweight authentication anomaly detection model rooted in our analysis of AD attacks.
  arXiv  Detail & Related papers  (2024-07-26T16:46:29Z)
• Task-Agnostic Detector for Insertion-Based Backdoor Attacks [53.77294614671166]
  We introduce TABDet (Task-Agnostic Backdoor Detector), a pioneering task-agnostic method for backdoor detection. TABDet leverages final layer logits combined with an efficient pooling technique, enabling unified logit representation across three prominent NLP tasks. TABDet can jointly learn from diverse task-specific models, demonstrating superior detection efficacy over traditional task-specific methods.
  arXiv  Detail & Related papers  (2024-03-25T20:12:02Z)
• Prov2vec: Learning Provenance Graph Representation for Unsupervised APT Detection [2.07180164747172]
  It is necessary to detect Advanced Persistent Threats as early in the campaign as possible. This paper proposes, Prov2Vec, a system for the continuous monitoring of enterprise host's behavior to detect attackers' activities.
  arXiv  Detail & Related papers  (2023-10-02T01:38:13Z)
• Kairos: Practical Intrusion Detection and Investigation using Whole-system Provenance [4.101641763092759]
  Provenance graphs are structured audit logs that describe the history of a system's execution. We identify four common dimensions that drive the development of provenance-based intrusion detection systems (PIDSes) We present KAIROS, the first PIDS that simultaneously satisfies the desiderata in all four dimensions.
  arXiv  Detail & Related papers  (2023-08-09T16:04:55Z)
• Unsupervised Out-of-Domain Detection via Pre-trained Transformers [56.689635664358256]
  Out-of-domain inputs can lead to unpredictable outputs and sometimes catastrophic safety issues. Our work tackles the problem of detecting out-of-domain samples with only unsupervised in-domain data. Two domain-specific fine-tuning approaches are further proposed to boost detection accuracy.
  arXiv  Detail & Related papers  (2021-06-02T05:21:25Z)
• Exploring Robustness of Unsupervised Domain Adaptation in Semantic Segmentation [74.05906222376608]
  We propose adversarial self-supervision UDA (or ASSUDA) that maximizes the agreement between clean images and their adversarial examples by a contrastive loss in the output space. This paper is rooted in two observations: (i) the robustness of UDA methods in semantic segmentation remains unexplored, which pose a security concern in this field; and (ii) although commonly used self-supervision (e.g., rotation and jigsaw) benefits image tasks such as classification and recognition, they fail to provide the critical supervision signals that could learn discriminative representation for segmentation tasks.
  arXiv  Detail & Related papers  (2021-05-23T01:50:44Z)
• No Need to Know Physics: Resilience of Process-based Model-free Anomaly Detection for Industrial Control Systems [95.54151664013011]
  We present a novel framework to generate adversarial spoofing signals that violate physical properties of the system. We analyze four anomaly detectors published at top security conferences.
  arXiv  Detail & Related papers  (2020-12-07T11:02:44Z)
• Graph Backdoor [53.70971502299977]
  We present GTA, the first backdoor attack on graph neural networks (GNNs) GTA departs in significant ways: it defines triggers as specific subgraphs, including both topological structures and descriptive features. It can be instantiated for both transductive (e.g., node classification) and inductive (e.g., graph classification) tasks.
  arXiv  Detail & Related papers  (2020-06-21T19:45:30Z)

This list is automatically generated from the titles and abstracts of the papers in this site.

This site does not guarantee the quality of this site (including all information) and is not responsible for any consequences.