Abstract

Advanced Persistent Threats (APTs) aimed at stealing confidential data take place all the time. In the APT life cycle, lateral movement is a critical stage on the way to high-level privileges and confidential data. Existing lateral movement detection concentrates mainly on endpoint protection to identify compromised hosts. These approaches not only have limited effectiveness but also cannot detect lateral movement behaviour comprehensively. To address these shortcomings, we design LMTracker, an attack path detection algorithm based on a heterogeneous graph. LMTracker consists of three modules: heterogeneous graph construction, path representation generation, and unsupervised anomaly-based attack path detection. The core idea of LMTracker is to build heterogeneous graphs from event logs and network traffic, generate representation vectors for lateral movement paths, and then apply an unsupervised algorithm to detect anomalous paths. This method not only detects lateral movement paths effectively but also preserves the relationships along each path, so security professionals can use the detected paths to analyze attack activity. On two frequently used public datasets, the evaluation results demonstrate that LMTracker performs significantly better than other methods and adapts to attack detection in different scenarios, with an area under the ROC curve as high as 0.95.
