Abstract

Lateral movement techniques are widely used in complex network attacks, especially in advanced persistent threats (APT). To evade detection by security tools, attackers usually reuse the legitimate credentials retained on compromised hosts to move laterally between computers across the enterprise intranet in search of valuable information. However, attackers cannot acquire information about the normal activity patterns of intranet users, so even the savviest attacker must "move blindly" through the intranet, which makes their lateral movement usually differ from typical user behavior. To identify this potentially malicious lateral movement, we propose a Continuous-Temporal Lateral Movement Detection framework, CTLMD. Remote and local authentication events are represented as a Path Connection Graph and a Bipartite Graph, respectively. We extract normal lateral movement paths under time constraints, while abnormal lateral movement paths are generated from several attack scenarios. Finally, we define multiple path features using graph embedding methods to support the subsequent classification task. We evaluate the framework using attack data injected into a real enterprise network dataset (LANL). Our experimental results show that the proposed framework classifies normal and malicious lateral movement paths well, with a best AUC of 92%. The framework can also detect the lateral movement state in a timely and effective manner.
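The abstract describes building a graph from remote authentication events and extracting lateral movement paths under a time constraint. The following is an added illustration written for this page, not code from the CTLMD paper: it parses a constructed sample in the LANL auth.txt field order and chains successful remote logons by the same user into paths whose consecutive hops fall within a window. The chaining rule (next hop starts where the previous one landed, within WINDOW seconds) and the sample events are assumptions for the example, not the paper's exact method.

```python
# Added example (not from the CTLMD paper). Assumed path rule: a chain of
# successful remote logons by one user where hop i+1 leaves the computer that
# hop i reached, within `window` seconds; local logons (src == dst) are skipped.
from collections import defaultdict

# Constructed sample in LANL auth.txt field order:
# time,src_user,dst_user,src_comp,dst_comp,auth_type,logon_type,orientation,outcome
SAMPLE_AUTH = """\
100,U1@DOM1,U1@DOM1,C1,C1,Kerberos,Network,LogOn,Success
110,U1@DOM1,U1@DOM1,C1,C2,Kerberos,Network,LogOn,Success
150,U1@DOM1,U1@DOM1,C2,C3,Kerberos,Network,LogOn,Success
200,U1@DOM1,U1@DOM1,C3,C4,NTLM,Network,LogOn,Success
900,U1@DOM1,U1@DOM1,C4,C5,NTLM,Network,LogOn,Success
120,U2@DOM1,U2@DOM1,C7,C8,Kerberos,Network,LogOn,Success
130,U2@DOM1,U2@DOM1,C9,C8,Kerberos,Network,LogOn,Failure
"""

def parse_auth(text):
    """Yield (time, user, src, dst) for successful remote logons only."""
    for line in text.splitlines():
        f = line.split(",")
        if len(f) != 9:
            continue  # malformed line: ignore rather than crash
        t, user, src, dst, orient, outcome = int(f[0]), f[1], f[3], f[4], f[7], f[8]
        if orient == "LogOn" and outcome == "Success" and src != dst:
            yield t, user, src, dst

def build_graph(events):
    """Per-user adjacency: src computer -> list of (time, dst computer) edges."""
    g = defaultdict(lambda: defaultdict(list))
    for t, user, src, dst in events:
        g[user][src].append((t, dst))
    return g

def extract_paths(g, window):
    """From each hop, extend the path as far as the time window allows.
    Returns sorted (user, [computers...]) tuples; cycles are not revisited."""
    paths = []
    def walk(user, adj, path, last_t):
        grew = False
        for t, nxt in adj.get(path[-1], []):
            if last_t < t <= last_t + window and nxt not in path:
                grew = True
                walk(user, adj, path + [nxt], t)
        if not grew and len(path) > 1:
            paths.append((user, path))
    for user, adj in g.items():
        for src, edges in adj.items():
            for t, dst in edges:
                walk(user, adj, [src, dst], t)
    return sorted(paths)

def lateral_paths(text, window=300):
    return extract_paths(build_graph(parse_auth(text)), window)
```

With the default 300-second window, U1's C4 to C5 logon at t=900 is too late to join the C1-C2-C3-C4 chain and becomes a separate two-hop path; widening the window merges them.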
