Visible to the public Detecting Structurally Anomalous Logins Within Enterprise Networks

TitleDetecting Structurally Anomalous Logins Within Enterprise Networks
Publication TypeConference Paper
Year of Publication2017
AuthorsSiadati, Hossein, Memon, Nasir
Conference NameProceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security
Conference LocationNew York, NY, USA
ISBN Number978-1-4503-4946-8
Keywordsanomaly detection, authentication, composability, cyber physical systems, data-driven security, False Data Detection, Human Behavior, Network security, pubcrawl, resilience, Resiliency

Many network intrusion detection systems use byte sequences to detect lateral movements that exploit remote vulnerabilities. Attackers bypass such detection by stealing valid credentials and using them to transmit from one computer to another without creating abnormal network traffic. We call this method Credential-based Lateral Movement. To detect this type of lateral movement, we develop the concept of a Network Login Structure that specifies normal logins within a given network. Our method models a network login structure by automatically extracting a collection of login patterns by using a variation of the market-basket algorithm. We then employ an anomaly detection approach to detect malicious logins that are inconsistent with the enterprise network's login structure. Evaluations show that the proposed method is able to detect malicious logins in a real setting. In a simulated attack, our system was able to detect 82% of malicious logins, with a 0.3% false positive rate. We used a real dataset of millions of logins over the course of five months within a global financial company for evaluation of this work.

Citation Keysiadati_detecting_2017