Detecting malicious logins as graph anomalies
Journal of Information Security and Applications (IF 5.6), Pub Date: 2020-06-07, DOI: 10.1016/j.jisa.2020.102557
Brian A. Powell

Authenticated lateral movement via compromised accounts is a common adversarial maneuver that is challenging to discover with signature- or rules-based intrusion detection systems. In this work a behavior-based approach to detecting malicious logins to novel systems indicative of lateral movement is presented, in which a user’s historical login activity is used to build a model of putative “normal” behavior. This historical login activity is represented as a collection of daily login graphs, which encode authentications among accessed systems, with vertices representing computer systems and directed edges representing logins between them. We devise a method of local graph anomaly detection capable of identifying unusual vertices that indicate potentially malicious login events to the systems they represent. We test this capability on a group of highly-privileged accounts using real login data from an operational enterprise network. The method enjoys false positive rates significantly lower than those resulting from alerts based solely on login novelty, and is generally successful at detecting a wide variety of simulated adversarial login activity.
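The pipeline the abstract describes (daily login graphs with systems as vertices and logins as directed edges, then a local score for novel vertices instead of a bare novelty alert), as an added Python illustration that is not the paper's code; the events and the neighbourhood-unfamiliarity score are constructed stand-ins, not the authors' detector.

```python
from collections import defaultdict

# Constructed sample authentication events for one user: (day, source_host, destination_host).
# These are made-up values, not data from the paper.
EVENTS = [
    (1, "ws-alice", "file-01"), (1, "ws-alice", "mail-01"),
    (2, "ws-alice", "file-01"), (2, "ws-alice", "jump-01"), (2, "jump-01", "db-01"),
    (3, "ws-alice", "file-01"), (3, "ws-alice", "jump-01"), (3, "jump-01", "db-01"),
    (4, "ws-alice", "file-01"), (4, "ws-alice", "mail-01"), (4, "ws-alice", "jump-01"),
    # Day 5 is the day under inspection: new destinations appear in two different contexts.
    (5, "ws-alice", "file-01"), (5, "ws-alice", "jump-01"),
    (5, "jump-01", "db-02"),                         # new host, reached via the usual jump host
    (5, "kiosk-07", "dc-01"), (5, "dc-01", "hr-01"),  # new hosts chained from an unfamiliar source
]

def daily_graphs(events):
    """Group events into one directed login graph per day: {day: set of (src, dst) edges}."""
    graphs = defaultdict(set)
    for day, src, dst in events:
        graphs[day].add((src, dst))
    return dict(graphs)

def vertices(graph):
    return {v for edge in graph for v in edge}

def neighbours(graph, v):
    """Systems adjacent to v in the daily graph, ignoring edge direction."""
    return {s for s, d in graph if d == v} | {d for s, d in graph if s == v}

def novelty_alerts(history, today):
    """Baseline alert: every vertex that appears today but in none of the historical graphs."""
    seen = set().union(*(vertices(g) for g in history))
    return sorted(vertices(today) - seen)

def local_anomaly_scores(history, today):
    """Illustrative local score for each novel vertex: mean unfamiliarity of its neighbours,
    0 = every neighbour was used on every historical day, 1 = every neighbour is itself novel."""
    days_seen = defaultdict(int)
    for g in history:
        for v in vertices(g):
            days_seen[v] += 1
    scores = {}
    for v in novelty_alerts(history, today):
        nbrs = neighbours(today, v)
        scores[v] = sum(1 - days_seen[u] / len(history) for u in nbrs) / len(nbrs)
    return scores

def triage(events, inspect_day, threshold=0.5):
    """Return (novelty-only alerts, novel vertices whose local score reaches the threshold)."""
    graphs = daily_graphs(events)
    history = [g for d, g in graphs.items() if d < inspect_day]
    today = graphs[inspect_day]
    scores = local_anomaly_scores(history, today)
    return novelty_alerts(history, today), {v: s for v, s in scores.items() if s >= threshold}
```

On the constructed data, novelty alone raises four alerts while the local score keeps only the chain reached from the unfamiliar kiosk, which is the false-positive reduction the abstract claims for the real method.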




Updated: 2020-06-07