
CTLMD: Continuous-Temporal Lateral Movement Detection Using Graph Embedding

  • Conference paper
Information and Communications Security (ICICS 2019)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 11999)

Abstract

Lateral movement is widely used in complex network attacks, especially in advanced persistent threats (APT). To evade security tools, attackers usually reuse the legitimate credentials left on compromised hosts to move between computers across the enterprise intranet in search of valuable information. However, attackers cannot know the normal activity patterns of intranet users, so even the savviest attacker moves "blindly" through the intranet, and the resulting lateral movement usually differs from typical user behavior. To identify such potentially malicious lateral movement, we propose CTLMD, a Continuous-Temporal Lateral Movement Detection framework. Remote and local authentication events are represented as a Path Connection Graph and a Bipartite Graph, respectively. We extract normal lateral movement paths under time constraints, and generate abnormal lateral movement paths from several attack scenarios. Finally, we define multiple path features using graph embedding methods and use them for the subsequent classification task. We evaluate the framework on a real enterprise network dataset (LANL) with injected attack data. Our experimental results show that the proposed framework separates normal from malicious lateral movement paths well, with a best AUC of 92%. The framework also detects the lateral movement state in a timely and effective manner.
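The abstract describes the first half of the pipeline: split authentication events into remote hops and local logons, build a path connection graph from the former and a user/host bipartite graph from the latter, then extract paths whose consecutive hops are continuous in time. The following is an added example, not code from the paper or its authors. It assumes the LANL auth.txt column order (time, source user, destination user, source computer, destination computer, authentication type, logon type, orientation, outcome), uses a constructed six-line sample, and defines "continuous-temporal" as: the next hop is made by the same user, leaves the previous hop's destination host, and occurs within `max_gap` seconds. The `path_features` function returns simple structural stand-ins (hop count, duration, hosts already seen in the user's local logons) rather than the paper's graph-embedding features.

```python
"""Added example: build the two authentication graphs and extract
time-constrained lateral-movement paths from LANL-style auth records."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample in the (assumed) LANL auth.txt column order:
# time,src_user@domain,dst_user@domain,src_computer,dst_computer,
# auth_type,logon_type,auth_orientation,success/failure
SAMPLE_AUTH = """\
100,U1@DOM1,U1@DOM1,C1,C2,Kerberos,Network,LogOn,Success
130,U1@DOM1,U1@DOM1,C2,C3,Kerberos,Network,LogOn,Success
160,U1@DOM1,U1@DOM1,C3,C4,NTLM,Network,LogOn,Success
900,U1@DOM1,U1@DOM1,C4,C5,Kerberos,Network,LogOn,Success
95,U1@DOM1,U1@DOM1,C1,C1,Negotiate,Interactive,LogOn,Success
200,U2@DOM1,U2@DOM1,C1,C6,Kerberos,Network,LogOn,Success
120,U2@DOM1,U2@DOM1,C7,C8,Kerberos,Network,LogOn,Failure
"""


@dataclass(frozen=True)
class Hop:
    t: int
    user: str
    src: str
    dst: str


def parse_auth(text):
    """Keep successful LogOn events; split into remote hops and local logons."""
    remote, local = [], []
    for line in text.splitlines():
        f = line.strip().split(",")
        if len(f) != 9 or f[8] != "Success" or f[7] != "LogOn":
            continue
        hop = Hop(int(f[0]), f[1], f[3], f[4])
        (local if hop.src == hop.dst else remote).append(hop)
    return remote, local


def path_connection_graph(remote):
    """Directed multigraph: (user, src_host) -> hops leaving src_host, by time."""
    g = defaultdict(list)
    for h in sorted(remote, key=lambda h: h.t):
        g[(h.user, h.src)].append(h)
    return g


def bipartite_graph(local):
    """User <-> host edges from local logons."""
    g = defaultdict(set)
    for h in local:
        g[h.user].add(h.dst)
    return g


def successors(g, hop, max_gap):
    """Hops by the same user leaving hop.dst within max_gap seconds after hop."""
    return [n for n in g.get((hop.user, hop.dst), []) if 0 < n.t - hop.t <= max_gap]


def extract_paths(remote, max_gap):
    """Maximal chains h1->h2->... in which each hop leaves the previous hop's
    destination as the same user no more than max_gap seconds later."""
    g = path_connection_graph(remote)
    by_dst = defaultdict(list)
    for h in remote:
        by_dst[(h.user, h.dst)].append(h)

    def has_pred(h):  # a hop with a continuous predecessor is not a path root
        return any(0 < h.t - p.t <= max_gap for p in by_dst[(h.user, h.src)])

    paths = []

    def walk(chain):
        nxt = [n for n in successors(g, chain[-1], max_gap) if n not in chain]
        if not nxt:
            paths.append(chain)
        for n in nxt:
            walk(chain + [n])

    for h in remote:
        if not has_pred(h):
            walk([h])
    return paths


def path_features(path, bip):
    """Simple structural stand-ins for the paper's embedding-based features."""
    hosts = [path[0].src] + [h.dst for h in path]
    known = bip.get(path[0].user, set())
    return {
        "user": path[0].user,
        "hosts": hosts,
        "hops": len(path),
        "duration": path[-1].t - path[0].t,
        "known_hosts": sum(1 for h in hosts if h in known),
    }


def analyze(text=SAMPLE_AUTH, max_gap=300):
    remote, local = parse_auth(text)
    bip = bipartite_graph(local)
    return [path_features(p, bip) for p in extract_paths(remote, max_gap)]


if __name__ == "__main__":
    for feat in analyze():
        print(feat)
```

With the 300 s window the sample yields three paths: U1's chain C1→C2→C3→C4 (the C4→C5 hop at t=900 is too far apart and starts its own path) and U2's single hop C1→C6. Widening the window to 1000 s merges U1's hops into one five-host path, which is the point of the time constraint: the same events produce different candidate paths depending on how "continuous" is defined, so the window is a tunable that should be chosen from the normal inter-hop gaps observed in the organisation's own logs.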

This work was supported by the National Key R&D Program of China (2016YFB0801001).



Author information

Corresponding author: Aimin Yu.


Copyright information

© 2020 Springer Nature Switzerland AG

About this paper


Cite this paper

Zhao, S., Wei, R., Cai, L., Yu, A., Meng, D. (2020). CTLMD: Continuous-Temporal Lateral Movement Detection Using Graph Embedding. In: Zhou, J., Luo, X., Shen, Q., Xu, Z. (eds) Information and Communications Security. ICICS 2019. Lecture Notes in Computer Science, vol 11999. Springer, Cham. https://doi.org/10.1007/978-3-030-41579-2_11


  • DOI: https://doi.org/10.1007/978-3-030-41579-2_11


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-41578-5

  • Online ISBN: 978-3-030-41579-2
