Detecting Structurally Anomalous Logins Within Enterprise Networks

Hossein Siadati, Nasir Memon
2017 Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security - CCS '17  
Many network intrusion detection systems use byte sequences to detect lateral movements that exploit remote vulnerabilities. Attackers bypass such detection by stealing valid credentials and using them to transmit from one computer to another without creating abnormal network traffic. We call this method Credential-based Lateral Movement. To detect this type of lateral movement, we develop the concept of a Network Login Structure that specifies normal logins within a given network. Our method
more » ... dels a network login structure by automatically extracting a collection of login patterns by using a variation of the market-basket analysis algorithm. We then employ an anomaly detection approach to detect malicious logins that are inconsistent with the enterprise network's login structure. Evaluations show that the proposed method is able to detect malicious logins in a real setting. In a simulated attack, our system was able to detect 82% of malicious logins, with a 0.3% false positive rate. We used a real dataset of millions of logins over the course of five months within a global financial company for evaluation of this work.
doi:10.1145/3133956.3134003 dblp:conf/ccs/SiadatiM17 fatcat:qe53ush76zhvbjxipsazwmvabm