Abstract

Authenticated lateral movement via compromised accounts is a common adversarial maneuver that is challenging to discover with signature- or rules-based intrusion detection systems. In this work a behavior-based approach to detecting malicious logins to novel systems indicative of lateral movement is presented, in which a user’s historical login activity is used to build a model of putative “normal” behavior. This historical login activity is represented as a collection of daily login graphs, which encode authentications among accessed systems, with vertices representing computer systems and directed edges representing logins between them. We devise a method of local graph anomaly detection capable of identifying unusual vertices that indicate potentially malicious login events to the systems they represent. We test this capability on a group of highly-privileged accounts using real login data from an operational enterprise network. The method enjoys false positive rates significantly lower than those resulting from alerts based solely on login novelty, and is generally successful at detecting a wide variety of simulated adversarial login activity.
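The following is an added illustration of the login-graph representation and of why a vertex-local anomaly score separates benign novelty from lateral-movement-like novelty better than a novelty-only alert; it is not the paper's code, and the score used here (how often the novel vertex's neighbors historically played the source or target role) is an assumed, simplified stand-in for whatever features the paper's method uses. All login data is constructed.

```python
from collections import defaultdict

# Constructed history for one privileged account: five daily login graphs,
# each a set of directed (source system, destination system) login edges.
HISTORY = [
    {("WS01", "SRV-DB"), ("WS01", "SRV-WEB"), ("SRV-WEB", "SRV-APP")},
    {("WS01", "SRV-DB"), ("WS01", "SRV-WEB")},
    {("WS01", "SRV-WEB"), ("SRV-WEB", "SRV-APP")},
    {("WS01", "SRV-DB"), ("WS01", "SRV-WEB"), ("SRV-WEB", "SRV-APP")},
    {("WS01", "SRV-DB")},
]

def role_rates(history):
    """Fraction of historical days on which each system acted as a login
    source and as a login target (assumed feature, not the paper's)."""
    src_days, dst_days = defaultdict(int), defaultdict(int)
    for day in history:
        for u in {s for s, _ in day}:
            src_days[u] += 1
        for v in {d for _, d in day}:
            dst_days[v] += 1
    n = len(history)
    return ({u: c / n for u, c in src_days.items()},
            {v: c / n for v, c in dst_days.items()})

def novel_vertices(history, day):
    """Systems in today's graph never seen in the history (novelty alert)."""
    seen = {x for g in history for e in g for x in e}
    return {x for e in day for x in e} - seen

def local_anomaly_score(history, day, v):
    """Score a novel vertex by its immediate neighborhood in today's graph:
    high if it is reached from a system that rarely originates logins, or
    if it itself logs on to systems that are rarely login targets."""
    src_rate, dst_rate = role_rates(history)
    ins = [s for s, d in day if d == v]
    outs = [d for s, d in day if s == v]
    in_part = max((1 - src_rate.get(u, 0.0) for u in ins), default=0.0)
    out_part = max((1 - dst_rate.get(w, 0.0) for w in outs), default=0.0)
    return round(max(in_part, out_part), 3)

def score_day(history, day, threshold=0.5):
    """Novelty alone would flag every novel vertex; return, per novel
    vertex, the local score and whether it crosses the alert threshold."""
    result = {}
    for v in novel_vertices(history, day):
        s = local_anomaly_score(history, day, v)
        result[v] = (s, s >= threshold)
    return result

if __name__ == "__main__":
    # Benign: new server reached from the usual workstation, no fan-out.
    print(score_day(HISTORY, {("WS01", "SRV-DB"), ("WS01", "SRV-NEW")}))
    # Suspicious: login originates from a server that never originates
    # logins, and the new system immediately pivots onward.
    print(score_day(HISTORY, {("WS01", "SRV-DB"), ("SRV-DB", "SRV-NEW2"),
                              ("SRV-NEW2", "SRV-FILE")}))
```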
