Detecting malicious logins in enterprise networks using visualization

Hossein Siadati, Bahador Saket, Nasir Memon

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

Enterprise networks have been a frequent target of data breaches and sabotage. In a widely used method, attackers establish a foothold in the target network by compromising a single computer or account. They then move laterally between computers to access valuable resources and information located deeper inside the network. To move laterally, attackers often steal valid user credentials. This paper is based on the observation that an attacker's pattern of access with the stolen credentials, expressed as <User, Source, Destination> triples, deviates from benign patterns and can be used to detect malicious logins. In this paper, we present APT-Hunter, a visualization tool that helps security analysts explore login data to discover patterns and detect malicious logins. To evaluate the proposed system, a pilot study was conducted over an open dataset of more than one billion logins of an enterprise network, provided by Los Alamos National Lab (LANL). Using APT-Hunter, security analysts (unfamiliar with the dataset) were able to detect 349 of 749 malicious logins related to lateral movements performed by a Red Team during a penetration test conducted at LANL. APT-Hunter is currently deployed in a global financial company and helps security analysts detect account compromises.
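The abstract's <User, Source, Destination> idea, as an added example that is not the paper's or APT-Hunter's own code: a baseline of successful triples is built from an earlier window, later logins are flagged by how far they deviate from it, and the flags are compared with red-team ground truth the way the pilot study counts detections. The constructed rows follow the LANL auth.txt and redteam.txt field order, which is an assumption here.

```python
# Added illustration of the abstract's idea, not APT-Hunter's own code. Sample rows
# below are constructed (not LANL data) in the LANL auth.txt field order (assumed):
# time,src_user@dom,dst_user@dom,src_computer,dst_computer,auth_type,logon_type,orientation,outcome
from collections import defaultdict
BASELINE_LOG = """1,U1@DOM1,U1@DOM1,C100,C200,Kerberos,Network,LogOn,Success
2,U1@DOM1,U1@DOM1,C100,C300,Kerberos,Network,LogOn,Success
3,U2@DOM1,U2@DOM1,C101,C200,Kerberos,Network,LogOn,Success"""
NEW_LOG = """100,U1@DOM1,U1@DOM1,C100,C200,Kerberos,Network,LogOn,Success
101,U1@DOM1,U1@DOM1,C102,C500,NTLM,Network,LogOn,Success
102,U2@DOM1,U2@DOM1,C101,C300,Kerberos,Network,LogOn,Success"""
REDTEAM = "101,U1@DOM1,C102,C500"  # constructed; LANL redteam.txt layout: time,user,src,dst

def parse_logins(text):
    """LogOn rows only, as (time, user, src, dst, success)."""
    rows = [l.split(",") for l in text.splitlines() if l]
    return [(int(f[0]), f[1], f[3], f[4], f[8] == "Success")
            for f in rows if len(f) == 9 and f[7] == "LogOn"]

def build_baseline(text):
    """Per-user source/destination sets plus every successful triple seen."""
    sources, dests, triples = defaultdict(set), defaultdict(set), set()
    for _, user, src, dst, ok in parse_logins(text):
        if ok:
            sources[user].add(src)
            dests[user].add(dst)
            triples.add((user, src, dst))
    return sources, dests, triples

def deviations(user, src, dst, baseline):
    """Reasons a login deviates; a stolen credential typically appears as a new source for the user."""
    sources, dests, triples = baseline
    if (user, src, dst) in triples:
        return []
    reasons = ["new-triple"]
    if src not in sources[user]:
        reasons.append("new-source-for-user")
    if dst not in dests[user]:
        reasons.append("new-destination-for-user")
    return reasons

def flag_logins(text, baseline, min_reasons=2):
    """(time, user, src, dst, reasons) for logins showing at least min_reasons."""
    scored = ((t, u, s, d, deviations(u, s, d, baseline)) for t, u, s, d, _ in parse_logins(text))
    return [row for row in scored if len(row[4]) >= min_reasons]

def evaluate(flagged, redteam_text):
    """(hits, red-team events, false positives) against ground-truth rows."""
    truth = {(int(t), u, s, d) for t, u, s, d in (l.split(",") for l in redteam_text.splitlines() if l)}
    found = {f[:4] for f in flagged}
    return len(found & truth), len(truth), len(found - truth)
```

Raising min_reasons to 3 keeps only the credential-from-a-new-machine case and drops the U2 false positive, which is the precision/recall trade-off an analyst tunes in practice.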

Original language: English (US)
Title of host publication: 2016 IEEE Symposium on Visualization for Cyber Security, VizSec 2016
Publisher: Institute of Electrical and Electronics Engineers Inc.
ISBN (Electronic): 9781509016051
DOIs: 10.1109/VIZSEC.2016.7739582
State: Published - Nov 8 2016
Event: 2016 IEEE Symposium on Visualization for Cyber Security, VizSec 2016 - Baltimore, United States
Duration: Oct 24 2016 → …

Other

Other: 2016 IEEE Symposium on Visualization for Cyber Security, VizSec 2016
Country: United States
City: Baltimore
Period: 10/24/16 → …

Keywords

  • K.6.1 [Visualization, APT, Login, Security]
  • K.7.m [Attack]-Alert

ASJC Scopus subject areas

  • Computer Networks and Communications
  • Media Technology
  • Modeling and Simulation

Cite this

Siadati, H., Saket, B., & Memon, N. (2016). Detecting malicious logins in enterprise networks using visualization. In 2016 IEEE Symposium on Visualization for Cyber Security, VizSec 2016 [7739582] Institute of Electrical and Electronics Engineers Inc.. https://doi.org/10.1109/VIZSEC.2016.7739582

@inproceedings{c59344c96b4e46e4b64fdfcc2c95a19b,
title = "Detecting malicious logins in enterprise networks using visualization",
keywords = "K.6.1 [Visualization, APT, Login, Security], K.7.m [Attack]-Alert",
author = "Hossein Siadati and Bahador Saket and Nasir Memon",
year = "2016",
month = "11",
day = "8",
doi = "10.1109/VIZSEC.2016.7739582",
language = "English (US)",
booktitle = "2016 IEEE Symposium on Visualization for Cyber Security, VizSec 2016",
publisher = "Institute of Electrical and Electronics Engineers Inc.",
address = "United States",

}

TY - GEN

T1 - Detecting malicious logins in enterprise networks using visualization

AU - Siadati, Hossein

AU - Saket, Bahador

AU - Memon, Nasir

PY - 2016/11/8

Y1 - 2016/11/8

KW - K.6.1 [Visualization, APT, Login, Security]

KW - K.7.m [Attack]-Alert

UR - http://www.scopus.com/inward/record.url?scp=85006841015&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85006841015&partnerID=8YFLogxK

U2 - 10.1109/VIZSEC.2016.7739582

DO - 10.1109/VIZSEC.2016.7739582

M3 - Conference contribution

AN - SCOPUS:85006841015

BT - 2016 IEEE Symposium on Visualization for Cyber Security, VizSec 2016

PB - Institute of Electrical and Electronics Engineers Inc.

ER -