Detection and Threat Prioritization of Pivoting Attacks in Large Networks
IEEE Transactions on Emerging Topics in Computing (IF 5.9). Pub Date: 2020-04-01, DOI: 10.1109/tetc.2017.2764885
Giovanni Apruzzese, Fabio Pierazzi, Michele Colajanni, Mirco Marchetti

Several advanced cyber attacks adopt the technique of “pivoting”, through which attackers create a command propagation tunnel through two or more hosts in order to reach their final target. Identifying such malicious activities is one of the most difficult research problems because of several challenges: command propagation is a rare event that cannot be detected through signatures; the huge amount of internal communications facilitates attacker evasion; and timely pivoting discovery is computationally demanding. This paper describes the first pivoting detection algorithm that is based on network flow analysis, does not rely on any a priori assumption about protocols and hosts, and leverages an original problem formalization in terms of temporal graph analytics. We also introduce a prioritization algorithm that ranks the detected paths on the basis of a threat score, thus letting security analysts investigate only the most suspicious pivoting tunnels. The feasibility and effectiveness of our proposal are assessed through a broad set of experiments that demonstrate its higher accuracy and performance compared with related algorithms.
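To make the abstract's idea concrete, the following Python example (added here; it is not the authors' algorithm or code, and its details are assumptions) treats a set of network flow records as a temporal graph: a flow A→B can be followed by a flow B→C only if B→C starts after A→B and within a propagation window. Chains of at least two such hops are reported as candidate pivoting tunnels and ranked by a simple threat score. The flow records, the 30-second window, the sensitive-host list and the scoring weights are all constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One network flow record (constructed sample format, not a NetFlow parser)."""
    src: str
    dst: str
    start: float  # flow start time in seconds


# Constructed sample flows (not real traffic).
FLOWS = [
    Flow("203.0.113.7", "10.0.1.10", 100.0),   # external host reaches host A
    Flow("10.0.1.10", "10.0.2.20", 105.0),     # A opens a flow to B shortly after
    Flow("10.0.2.20", "10.0.3.30", 112.0),     # B reaches the database host C
    Flow("10.0.2.20", "203.0.113.7", 110.0),   # B talks back to the origin: a revisit, not a new hop
    Flow("10.0.1.10", "10.0.2.21", 500.0),     # A -> D, far outside the propagation window
    Flow("10.0.9.9", "10.0.1.10", 300.0),      # unrelated single flow into A
    Flow("10.0.5.5", "10.0.6.6", 200.0),       # a second, purely internal two-hop chain
    Flow("10.0.6.6", "10.0.7.7", 210.0),
]

# Constructed: hosts an analyst cares most about (assumption of this example).
SENSITIVE_HOSTS = {"10.0.3.30"}


def is_internal(ip: str) -> bool:
    """Assumption: the monitored network is 10.0.0.0/8."""
    return ip.startswith("10.")


def _can_follow(prev: Flow, nxt: Flow, max_delay: float) -> bool:
    """Temporal edge rule: nxt continues prev only if it leaves the host prev
    reached, starts no earlier than prev, and starts within max_delay seconds of it."""
    return nxt.src == prev.dst and prev.start <= nxt.start <= prev.start + max_delay


def find_pivot_paths(flows, max_delay=30.0, min_hops=2):
    """Return maximal temporal flow chains with at least min_hops hops.
    Each chain starts at an 'entry' flow (one with no valid predecessor),
    so sub-chains of a longer tunnel are not reported separately."""
    by_src = defaultdict(list)
    for f in flows:
        by_src[f.src].append(f)

    def has_predecessor(g):
        return any(_can_follow(f, g, max_delay) and f.src != g.dst for f in flows)

    paths = []

    def extend(path, visited):
        extended = False
        for nxt in by_src[path[-1].dst]:
            # Refuse to revisit a host: a flow back to an earlier hop is not a new hop.
            if nxt.dst in visited or not _can_follow(path[-1], nxt, max_delay):
                continue
            extended = True
            extend(path + [nxt], visited | {nxt.dst})
        if not extended and len(path) >= min_hops:
            paths.append(path)

    for f in flows:
        if not has_predecessor(f):  # start only from tunnel entry flows
            extend([f], {f.src, f.dst})
    return paths


def threat_score(path):
    """Illustrative prioritization (weights are assumptions, not the paper's formula)."""
    score = len(path)                    # longer tunnels are rarer and more suspicious
    if not is_internal(path[0].src):
        score += 1                       # tunnel entered from outside the network
    if path[-1].dst in SENSITIVE_HOSTS:
        score += 2                       # tunnel ends on a high-value host
    return score


def rank_pivot_paths(flows, max_delay=30.0):
    """Detected chains, highest threat score first."""
    ranked = [(threat_score(p), p) for p in find_pivot_paths(flows, max_delay)]
    ranked.sort(key=lambda sp: sp[0], reverse=True)
    return ranked


def hosts(path):
    """Hop sequence of a chain as a list of hosts."""
    return [path[0].src] + [f.dst for f in path]


if __name__ == "__main__":
    for score, path in rank_pivot_paths(FLOWS):
        print(score, " -> ".join(hosts(path)))
```

On the sample data the external-to-database chain outranks the purely internal one, and shrinking the propagation window to a few seconds makes both chains disappear, which is the trade-off the abstract alludes to: a narrow window misses slow propagation, a wide one lets the volume of ordinary internal traffic produce spurious chains.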

Updated: 2020-04-01