Uncovering Lateral Movement Using Authentication Logs
IEEE Transactions on Network and Service Management (IF 5.3), Pub Date: 2021-01-25, DOI: 10.1109/tnsm.2021.3054356
Haibo Bian, Tim Bai, Mohammad A. Salahuddin, Noura Limam, Abbas Abou Daya, Raouf Boutaba

Network infiltrations due to advanced persistent threats (APTs) have grown significantly in recent years. Their primary objective is to gain unauthorized access to network assets and to compromise systems and data. APTs are stealthy and remain dormant for an extended period of time, which makes their detection challenging. In this article, we leverage machine learning (ML) to detect hosts in a network that are the target of an APT attack. We evaluate a number of ML classifiers to detect susceptible hosts in the Los Alamos National Lab dataset. We (i) scrutinize graph-based features extracted from host authentication logs, (ii) use feature engineering to reduce dimensionality, (iii) explore balancing the training dataset using over- and under-sampling techniques, (iv) evaluate numerous supervised ML techniques and their ensemble, (v) compare our classification model to the state-of-the-art approaches that leverage the same dataset, and show that our model outperforms them with respect to prediction performance and overhead, and (vi) perturb the attack patterns to study the influence of changes in attack frequency and scale on classification performance, and propose a solution for such adversarial behavior.
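The abstract refers to graph-based features extracted from host authentication logs without showing what such features look like. The following is an added example, not code from the paper or its authors: it parses a few constructed authentication records, builds the directed computer-to-computer authentication graph, and derives simple per-host graph features (in-degree, out-degree, distinct source users, failed logons, and a "fan-through" score for hosts that are both widely logged into and themselves fan out). The column layout is assumed to follow the public LANL auth.txt records (time, source user, destination user, source computer, destination computer, authentication type, logon type, orientation, outcome); the feature names and the sample log lines are my own constructions and are not the paper's feature set.

```python
"""
Added example (not from the paper): derive per-host graph features from
constructed, LANL-style authentication records.

Assumed record layout (public LANL auth.txt columns):
  time,src_user@domain,dst_user@domain,src_computer,dst_computer,
  auth_type,logon_type,orientation,outcome
All log lines below are constructed for illustration only.
"""
from collections import defaultdict
from typing import Dict, List

# Constructed sample records; U*/C* names mimic the anonymized LANL style.
SAMPLE_AUTH_LOG = """\
1,U1@DOM1,U1@DOM1,C1,C2,Kerberos,Network,LogOn,Success
2,U1@DOM1,U1@DOM1,C1,C3,Kerberos,Network,LogOn,Success
3,U2@DOM1,U2@DOM1,C2,C3,NTLM,Network,LogOn,Fail
4,U2@DOM1,U2@DOM1,C2,C3,NTLM,Network,LogOn,Success
5,U3@DOM1,U3@DOM1,C4,C3,Kerberos,Network,LogOn,Success
6,U1@DOM1,U1@DOM1,C3,C5,Kerberos,Network,LogOn,Success
7,U1@DOM1,U1@DOM1,C3,C6,Kerberos,Network,LogOn,Success
8,U9@DOM1,U9@DOM1,C7,C7,Kerberos,Interactive,LogOn,Success
"""

FIELDS = ["time", "src_user", "dst_user", "src_computer", "dst_computer",
          "auth_type", "logon_type", "orientation", "outcome"]


def parse_auth_log(text: str) -> List[Dict[str, str]]:
    """Parse CSV-style auth records into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = line.split(",")
        if len(parts) != len(FIELDS):
            continue  # tolerate a damaged line instead of aborting the run
        records.append(dict(zip(FIELDS, parts)))
    return records


def host_graph_features(records: List[Dict[str, str]]) -> Dict[str, Dict[str, int]]:
    """Per-host features from the directed authentication graph.

    Nodes are computers. Each authentication from one computer to a different
    computer adds a directed edge src -> dst; local logons (src == dst) add
    the host as a node but form no edge.
    """
    out_neighbors = defaultdict(set)
    in_neighbors = defaultdict(set)
    users_in = defaultdict(set)   # distinct source users authenticating to a host
    failures = defaultdict(int)   # failed logons counted against the destination
    hosts = set()
    for r in records:
        src, dst = r["src_computer"], r["dst_computer"]
        hosts.update((src, dst))
        if r["outcome"] != "Success":
            failures[dst] += 1
        if src == dst:
            continue
        out_neighbors[src].add(dst)
        in_neighbors[dst].add(src)
        users_in[dst].add(r["src_user"])
    feats = {}
    for h in sorted(hosts):
        in_deg, out_deg = len(in_neighbors[h]), len(out_neighbors[h])
        feats[h] = {
            "in_degree": in_deg,
            "out_degree": out_deg,
            "distinct_users_in": len(users_in[h]),
            "failed_logons": failures[h],
            # Hosts that are logged into from many places and then fan out
            # themselves are natural pivot candidates during lateral movement.
            "fan_through": in_deg * out_deg,
        }
    return feats


def rank_pivot_candidates(feats: Dict[str, Dict[str, int]], top_n: int = 3) -> List[str]:
    """Hosts ordered by fan_through (descending), ties broken by name."""
    ordered = sorted(feats, key=lambda h: (-feats[h]["fan_through"], h))
    return ordered[:top_n]


if __name__ == "__main__":
    f = host_graph_features(parse_auth_log(SAMPLE_AUTH_LOG))
    for host, row in f.items():
        print(host, row)
    print("pivot candidates:", rank_pivot_candidates(f))
```

In practice these per-host rows become the feature matrix that the classifiers described in the abstract are trained on; the labelled (compromised versus benign) hosts come from the dataset's red-team records, which this toy example does not model.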

Chinese translation:

Uncovering Lateral Movement Using Authentication Logs

In recent years, network infiltrations caused by advanced persistent threats (APTs) have increased greatly. Their primary goal is to gain unauthorized access to network assets and to compromise systems and data. APTs are stealthy and remain dormant for long periods, which makes detecting them challenging. In this article, we use machine learning (ML) to detect hosts in a network that are targets of an APT attack. We evaluate many ML classifiers to detect susceptible hosts in the Los Alamos National Laboratory dataset. We (i) carefully examine graph-based features extracted from host authentication logs, (ii) use feature engineering to reduce dimensionality, (iii) explore balancing the training dataset using over-sampling and under-sampling techniques, (iv) evaluate numerous supervised ML techniques and their ensemble,
Updated: 2021-03-12