
MALICIOUS LOGIN DETECTION USING LONG SHORT-TERM MEMORY WITH AN ATTENTION MECHANISM

  • Conference paper
Advances in Digital Forensics XVII (DigitalForensics 2021)

Part of the book series: IFIP Advances in Information and Communication Technology (IFIPAICT, volume 612)


Abstract

Advanced persistent threats routinely leverage lateral movement in networks to cause harm. In fact, lateral movement accounts for more than 80% of the time involved in attacks. Attackers typically use stolen credentials to move laterally. However, current detection methods are too coarse-grained to detect lateral movement effectively because they focus on malicious users and hosts instead of the abnormal log entries that indicate malicious logins.

This chapter proposes a malicious login detection method that focuses on attacks using stolen credentials. The fine-grained method employs a temporal network embedding to learn host-jumping representations. The learned host vectors and the initialized attribute vectors of log entries are input to a long short-term memory network with an attention mechanism for login feature extraction, which determines whether logins are malicious. Experimental results demonstrate that the proposed method outperforms several baseline detection models.




Corresponding author: Yanna Wu.


Copyright information

© 2021 IFIP International Federation for Information Processing

About this paper


Cite this paper

Wu, Y., Liu, F., Wen, Y. (2021). MALICIOUS LOGIN DETECTION USING LONG SHORT-TERM MEMORY WITH AN ATTENTION MECHANISM. In: Peterson, G., Shenoi, S. (eds) Advances in Digital Forensics XVII. DigitalForensics 2021. IFIP Advances in Information and Communication Technology, vol 612. Springer, Cham. https://doi.org/10.1007/978-3-030-88381-2_8


  • DOI: https://doi.org/10.1007/978-3-030-88381-2_8


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-88380-5

  • Online ISBN: 978-3-030-88381-2

  • eBook Packages: Computer Science (R0)
