Role-based lateral movement detection with unsupervised learning

Adversarial lateral movement via compromised accounts remains difficult to discover via traditional rule-based defenses because it generally lacks explicit indicators of compromise. We propose a behavior-based, unsupervised method of lateral movement detection that makes essential use system role-the functions it performs on the network-to identify anomalous inter-system connections. It is based on the observation that the remote hosts a particular system communicates with over time can be organized into a stable and learnable set of roles, and that the roles of the two hosts on either end of a normal connection determine the dynamics of the processes that support the connection, e.g. authentication of a workstation against a Domain Controller involves an idiosyncratic sequences of processes. If a process is compromised by an attacker and used to facilitate lateral movement, these normal patterns might be disrupted in discernible ways. We use unsupervised learning to cluster systems according to role, and then apply frequent-itemset mining to process sequences to establish regular patterns of communication between systems based on role. Rare process sequences might indicate malicious lateral movement, as might generic connections made to remote hosts with novel roles.