Role-based lateral movement detection with unsupervised learning

Cited by: 5
Authors: Powell, Brian A. [1]
Affiliation: [1] Johns Hopkins Univ, Appl Phys Lab, Laurel, MD 20723 USA
Keywords: Intrusion detection; Lateral movement; Unsupervised learning; INTRUSION DETECTION; TRAFFIC CLASSIFICATION; ANOMALY DETECTION; BEHAVIOR; SIMILARITY; SYSTEMS;
DOI: 10.1016/j.iswa.2022.200106
CLC number: TP18 [Artificial intelligence theory];
Discipline codes: 081104 ; 0812 ; 0835 ; 1405 ;
Abstract
Adversarial lateral movement via compromised accounts remains difficult to discover with traditional rule-based defenses because it generally lacks explicit indicators of compromise. We propose a behavior-based, unsupervised method of lateral movement detection that makes essential use of system role (the functions a system performs on the network) to identify anomalous inter-system connections. It is based on the observation that the remote hosts a particular system communicates with over time can be organized into a stable and learnable set of roles, and that the roles of the two hosts on either end of a normal connection determine the dynamics of the processes that support the connection; e.g. authentication of a workstation against a Domain Controller involves an idiosyncratic sequence of processes. If a process is compromised by an attacker and used to facilitate lateral movement, these normal patterns might be disrupted in discernible ways. We use unsupervised learning to cluster systems according to role, and then apply frequent-itemset mining to process sequences to establish regular patterns of communication between systems based on role. Rare process sequences might indicate malicious lateral movement, as might generic connections made to remote hosts with novel roles.
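As an added illustration of the approach the abstract describes (not the paper's own code or data): hosts are clustered into roles by the similarity of their contact sets, the process sequences seen on each (source role, destination role) pair are counted to keep the frequent ones, and a new connection is flagged when either its role pair or its process sequence is unfamiliar. Hostnames, process names and thresholds are constructed, and Jaccard/union-find clustering with whole-sequence support counting stands in for the paper's clustering and frequent-itemset mining.

```python
from collections import Counter, defaultdict
from itertools import combinations
# Constructed baseline: the remote hosts each system talked to over a learning window.
CONTACTS = {
    "ws1": {"dc1", "fs1", "proxy"}, "ws2": {"dc1", "fs1", "proxy"}, "ws3": {"dc1", "fs1"},
    "dc1": {"dc2", "ws1", "ws2", "ws3"}, "dc2": {"dc1", "ws1", "ws2", "ws3"},
    "fs1": {"dc1", "backup"},
}
# Constructed baseline connections: (source host, destination host, process sequence on the source).
BASELINE = [
    ("ws1", "dc1", ("winlogon.exe", "lsass.exe")), ("ws2", "dc1", ("winlogon.exe", "lsass.exe")),
    ("ws3", "dc1", ("winlogon.exe", "lsass.exe")), ("ws1", "dc1", ("winlogon.exe", "lsass.exe")),
    ("ws1", "fs1", ("explorer.exe", "svchost.exe")), ("ws2", "fs1", ("explorer.exe", "svchost.exe")),
    ("dc1", "dc2", ("lsass.exe", "dfsrs.exe")), ("dc2", "dc1", ("lsass.exe", "dfsrs.exe")),
]

def jaccard(a, b):
    return len(a & b) / len(a | b) if a | b else 0.0

def cluster_roles(contacts, threshold=0.5):
    """Unsupervised role assignment: hosts with similar contact sets are merged into one role."""
    parent = {h: h for h in contacts}
    def find(h):
        while parent[h] != h:
            parent[h] = parent[parent[h]]
            h = parent[h]
        return h
    for a, b in combinations(contacts, 2):
        if jaccard(contacts[a], contacts[b]) >= threshold:
            parent[find(a)] = find(b)
    names = {}
    return {h: names.setdefault(find(h), f"role{len(names)}") for h in contacts}

def mine_patterns(baseline, roles, min_support=2):
    """Per (source role, destination role), keep process sequences seen at least min_support times."""
    support = defaultdict(Counter)
    for src, dst, seq in baseline:
        support[(roles[src], roles[dst])][seq] += 1
    return {pair: {s for s, n in c.items() if n >= min_support} for pair, c in support.items()}

def score(conn, roles, patterns):
    """Flag a connection whose role pair has no learned pattern, or whose sequence is not frequent."""
    src, dst, seq = conn
    pair = (roles.get(src), roles.get(dst))  # an unknown host maps to None, i.e. a novel role
    if pair not in patterns:
        return "novel role pair"
    if seq not in patterns[pair]:
        return "rare process sequence"
    return "normal"
```

A workstation reaching a Domain Controller it has never contacted before still scores as normal when the role pair and process sequence match the learned baseline; the alerts come from role pairs or sequences that the baseline never produced.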
Pages: 20