Detecting structurally anomalous logins within enterprise networks

Hossein Siadati, Nasir Memon

Research output: Chapter in Book/Report/Conference proceeding > Conference contribution

Abstract

Many network intrusion detection systems use byte sequences to detect lateral movements that exploit remote vulnerabilities. Attackers bypass such detection by stealing valid credentials and using them to transmit from one computer to another without creating abnormal network traffic. We call this method Credential-based Lateral Movement. To detect this type of lateral movement, we develop the concept of a Network Login Structure that specifies normal logins within a given network. Our method models a network login structure by automatically extracting a collection of login patterns by using a variation of the market-basket analysis algorithm. We then employ an anomaly detection approach to detect malicious logins that are inconsistent with the enterprise network's login structure. Evaluations show that the proposed method is able to detect malicious logins in a real setting. In a simulated attack, our system was able to detect 82% of malicious logins, with a 0.3% false positive rate. We used a real dataset of millions of logins over the course of five months within a global financial company for evaluation of this work.
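As an added illustration, not code from the paper, the following sketch shows the idea behind the abstract: each login becomes a market basket of tagged (user, source, destination) items, the frequent itemsets form the network's login structure, and a login that no pattern explains is flagged as structurally anomalous. The login records, host names, users and support threshold are constructed for this example, and the paper's actual pattern-extraction variant is not reproduced here.

```python
from collections import Counter
from itertools import combinations

# Constructed sample of (user, source_host, destination_host) login records.
# Users and hosts are made up for this illustration, not the paper's dataset.
LOGINS = (
    [("alice", "ws-alice", "file-srv")] * 20
    + [("alice", "ws-alice", "mail-srv")] * 15
    + [("bob", "ws-bob", "dc01")] * 12
    + [("bob", "ws-bob", "file-srv")] * 10
    + [("carol", "ws-carol", "file-srv")] * 8
)


def login_items(login):
    """Turn one login record into a 'basket' of tagged items."""
    user, src, dst = login
    return frozenset({f"user={user}", f"src={src}", f"dst={dst}"})


def mine_login_patterns(logins, min_support):
    """Market-basket style pattern mining over login baskets.

    Every itemset of size 2 or 3 that contains the destination item and
    occurs in at least `min_support` logins becomes a login pattern.
    Patterns must include the destination because credential-based lateral
    movement shows up as a destination that is new for that user or source.
    Returns {pattern: support}.
    """
    counts = Counter()
    for login in logins:
        items = login_items(login)
        for size in (2, 3):
            for combo in combinations(sorted(items), size):
                if any(i.startswith("dst=") for i in combo):
                    counts[frozenset(combo)] += 1
    return {p: c for p, c in counts.items() if c >= min_support}


def covering_patterns(login, patterns):
    """Return the mined patterns that explain this login (subsets of its items)."""
    items = login_items(login)
    return {p: c for p, c in patterns.items() if p <= items}


def is_structurally_anomalous(login, patterns):
    """A login with no covering pattern is inconsistent with the login structure."""
    return not covering_patterns(login, patterns)


if __name__ == "__main__":
    structure = mine_login_patterns(LOGINS, min_support=5)
    for login in [("alice", "ws-alice", "file-srv"), ("carol", "ws-carol", "dc01")]:
        verdict = "ANOMALOUS" if is_structurally_anomalous(login, structure) else "normal"
        print(login, verdict)
```

Note the trade-off this simplification exposes: a login by bob from alice's workstation to dc01 is still covered by the pattern {user=bob, dst=dc01}, so only destinations that are new for the user or the source are caught, while requiring the full triple to match would raise the false positive rate. The threshold `min_support` plays the role the abstract's pattern extraction tunes on real data.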

Original language: English (US)
Title of host publication: CCS 2017 - Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security
Publisher: Association for Computing Machinery
Pages: 1273-1284
Number of pages: 12
Volume: Part F131467
ISBN (Electronic): 9781450349468
DOIs: https://doi.org/10.1145/3133956.3134003
State: Published - Oct 30 2017
Event: 24th ACM SIGSAC Conference on Computer and Communications Security, CCS 2017 - Dallas, United States
Duration: Oct 30 2017 to Nov 3 2017

Other

Other: 24th ACM SIGSAC Conference on Computer and Communications Security, CCS 2017
Country: United States
City: Dallas
Period: 10/30/17 to 11/3/17

Keywords

  • Anomalous Logins
  • Network Lateral Movement
  • Pattern Mining

ASJC Scopus subject areas

  • Software
  • Computer Networks and Communications

Cite this

Siadati, H., & Memon, N. (2017). Detecting structurally anomalous logins within enterprise networks. In CCS 2017 - Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security (Vol. Part F131467, pp. 1273-1284). Association for Computing Machinery. https://doi.org/10.1145/3133956.3134003

@inproceedings{febbd902d2b1439d91aa834919ea346d,
title = "Detecting structurally anomalous logins within enterprise networks",
abstract = "Many network intrusion detection systems use byte sequences to detect lateral movements that exploit remote vulnerabilities. Attackers bypass such detection by stealing valid credentials and using them to transmit from one computer to another without creating abnormal network traffic. We call this method Credential-based Lateral Movement. To detect this type of lateral movement, we develop the concept of a Network Login Structure that specifies normal logins within a given network. Our method models a network login structure by automatically extracting a collection of login patterns by using a variation of the market-basket analysis algorithm. We then employ an anomaly detection approach to detect malicious logins that are inconsistent with the enterprise network's login structure. Evaluations show that the proposed method is able to detect malicious logins in a real setting. In a simulated attack, our system was able to detect 82{\%} of malicious logins, with a 0.3{\%} false positive rate. We used a real dataset of millions of logins over the course of five months within a global financial company for evaluation of this work.",
keywords = "Anomalous Logins, Network Lateral Movement, Pattern Mining",
author = "Hossein Siadati and Nasir Memon",
year = "2017",
month = "10",
day = "30",
doi = "10.1145/3133956.3134003",
language = "English (US)",
volume = "Part F131467",
pages = "1273--1284",
booktitle = "CCS 2017 - Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security",
publisher = "Association for Computing Machinery",

}
