Lateral Movement Detection via Time-aware Subgraph Classification on Authentication Logs

Jiajun Zhou, Jiacheng Yao, Xuanze Chen, Shanqing Yu, Qi Xuan, Xiaoniu Yang

TL;DR

This work analyzes host authentication log data from a graph perspective and proposes a multi-scale lateral movement detection framework called LMDetect, and demonstrates the effectiveness and superiority of this framework in detecting lateral movement behaviors.

Abstract

Lateral movement is a crucial component of advanced persistent threat (APT) attacks in networks. Attackers exploit security vulnerabilities in internal networks or IoT devices, expanding their control after initial infiltration to steal sensitive data or carry out other malicious activities, posing a serious threat to system security. Existing research suggests that attackers generally employ seemingly unrelated operations to mask their malicious intentions, thereby evading existing lateral movement detection methods and hiding their intrusion traces. In this regard, we analyze host authentication log data from a graph perspective and propose a multi-scale lateral movement detection framework called LMDetect. The main workflow of this framework proceeds as follows: 1) Construct a heterogeneous multigraph from host authentication log data to strengthen the correlations among internal system entities; 2) Design a time-aware subgraph generator to extract subgraphs centered on authentication events from the heterogeneous authentication multigraph; 3) Design a multi-scale attention encoder that leverages both local and global attention to capture hidden anomalous behavior patterns in the authentication subgraphs, thereby achieving lateral movement detection. Extensive experiments on two real-world authentication log datasets demonstrate the effectiveness and superiority of our framework in detecting lateral movement behaviors.
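
As an added illustration of steps 1 and 2 of the workflow (this is not the paper's code and not an implementation of LMDetect): a heterogeneous authentication multigraph is built from a few constructed LANL-style log lines, and a time-aware sampler grows a subgraph around one target authentication event using only events inside a trailing time window, so no future events leak into the sample. The node schema (user and host nodes, one edge set per event), the field layout and the `fan_out` statistic are assumptions made for the example.

```python
from collections import defaultdict, namedtuple
# Constructed sample log (not the paper's data): time,user,src_host,dst_host,outcome
AUTH_LOG = """\
100,U1,C1,C2,Success
130,U1,C1,C3,Success
160,U2,C4,C5,Success
200,U1,C2,C7,Success
215,U1,C2,C8,Fail
220,U1,C2,C9,Success
900,U3,C10,C2,Success
"""
AuthEvent = namedtuple("AuthEvent", "eid t user src dst outcome")

def entities(ev):
    # Typed nodes an event touches in the heterogeneous graph (assumed schema).
    return {("user", ev.user), ("host", ev.src), ("host", ev.dst)}

def parse_log(text):
    rows = [l.split(",") for l in text.splitlines() if l.strip()]
    return [AuthEvent(i, int(t), u, s, d, o) for i, (t, u, s, d, o) in enumerate(rows)]

def build_multigraph(events):
    # node -> incident event ids; repeated logons stay distinct edges (multigraph).
    inc = defaultdict(list)
    for ev in events:
        for n in entities(ev):
            inc[n].append(ev.eid)
    return inc

def time_aware_subgraph(events, inc, target_eid, window, hops):
    # Grow outward from the target event's entities for `hops` rounds, keeping
    # only events with t in (t_target - window, t_target]: no future leakage.
    t0 = events[target_eid].t
    keep, seen = {target_eid}, set(entities(events[target_eid]))
    frontier = set(seen)
    for _ in range(hops):
        nxt = set()
        for n in frontier:
            for eid in inc[n]:
                if eid not in keep and t0 - window < events[eid].t <= t0:
                    keep.add(eid)
                    nxt |= entities(events[eid]) - seen
        seen |= nxt
        frontier = nxt
    return keep, seen

def fan_out(events, sub_eids, user):
    # Distinct hosts `user` reached inside the subgraph: a crude spread signal.
    return len({events[e].dst for e in sub_eids if events[e].user == user})
```

With `time_aware_subgraph(evs, g, 5, window=100, hops=2)` the sample around the 220-second event keeps events 1, 3, 4 and 5 only, excluding the unrelated U2 logon and the later event at 900; the encoder in the paper would then learn patterns over subgraphs of this kind rather than over single log lines.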

Paper Structure

This paper contains 26 sections, 14 equations, 7 figures, 5 tables, 1 algorithm.

Figures (7)

  • Figure 1: Two lateral movement scenarios in the enterprise internal network: 1) External threat actors employ advanced persistent threat (APT) techniques to infiltrate the internal network; 2) Internal personnel exploit initial privileges for unauthorized access. Both leverage lateral movement tactics to expand their control and accomplish the objective of exfiltrating sensitive data.
  • Figure 2: Workflow of the LMDetect framework.
  • Figure 3: Illustration of the Heterogeneous Authentication Multigraph.
  • Figure 4: Illustration of LMDetect framework. The complete workflow is as follows: 1) Constructing heterogeneous authentication multigraph using authentication logs; 2) Sampling authentication subgraphs for target events via time-aware subgraph generator; 3) Learning the behavior patterns of authentication events via multi-scale attention encoder and detecting lateral movement behavior via subgraph classification.
  • Figure 5: Illustration of global attention encoding.
  • ...and 2 more figures

Theorems & Definitions (1)

  • Definition 1