
AGE: Authentication Graph Embedding for Detecting Anomalous Login Activities

  • Conference paper
  • Information and Communications Security (ICICS 2019)
  • Part of the book series: Lecture Notes in Computer Science (LNSC, volume 11999)

Abstract

Detecting anomalies in login activities is a critical step in responding to credential-based lateral movement attacks. Although an attacker holding compromised credentials can impersonate legitimate users and move laterally between computers without triggering an alarm, the attacker's login activities are likely to deviate from those users' normal patterns. We propose AGE, an anomalous login activity detection system based on authentication graph embedding. The goal of authentication graph embedding is to capture comprehensive relationships that facilitate the construction of user profiles. Specifically, the user profiles contain three types of features: familiarity-related features, similarity-related features, and lateral-movement-walk-related features. To evaluate AGE thoroughly, we use our synthetic malicious lateral movement traces as well as the red team activities provided by CMU-CERT. Extensive experiments show that AGE achieves good performance and outperforms the baseline methods. Moreover, we also design experiments that help us understand the authentication graph embedding.
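The abstract names three feature families but, being an abstract, does not define them. As an added illustration (not the paper's code, datasets or feature definitions), the block below builds a user-to-host authentication graph from constructed login events and scores each new login with simplified stand-ins for those families: familiarity as the share of the user's past logins that reached the destination host, similarity as the Jaccard overlap between the user's host set and that of the destination's other users (a plain graph statistic standing in for the learned embedding similarity AGE uses), and lateral movement walk length as the number of same-user hops that chain into the source host within a time window. The combination rule, the alert threshold and every host and user name are this example's assumptions.

```python
"""Authentication-graph user profiling for login anomaly scoring.
Added illustration, not the AGE paper's code: feature definitions, the
combination rule and all host/user names are this example's assumptions."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample history (not real data): (time, user, source host, destination host).
HISTORY = [
    ("2019-03-01 09:00", "alice", "WS01", "FS01"),
    ("2019-03-01 09:05", "alice", "WS01", "MAIL"),
    ("2019-03-02 09:01", "alice", "WS01", "FS01"),
    ("2019-03-03 09:02", "alice", "WS01", "FS01"),
    ("2019-03-01 10:00", "bob", "WS02", "FS01"),
    ("2019-03-02 10:10", "bob", "WS02", "MAIL"),
    ("2019-03-01 08:30", "dba", "WS09", "DB01"),
    ("2019-03-02 08:35", "dba", "WS09", "DB01"),
]


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")


class AuthGraph:
    """Bipartite user -> destination-host graph with edge counts, plus raw events for walks."""

    def __init__(self, events):
        self.events = []
        self.user_dst = defaultdict(Counter)   # user -> {dst: login count}
        self.dst_users = defaultdict(set)      # dst  -> users that logged into it
        for t, u, s, d in events:
            self.add(t, u, s, d)

    def add(self, t, u, s, d):
        self.events.append((parse(t), u, s, d))
        self.user_dst[u][d] += 1
        self.dst_users[d].add(u)

    def familiarity(self, user, dst):
        """Share of the user's past logins that targeted dst; 0.0 for a never-seen host."""
        counts = self.user_dst.get(user, Counter())
        total = sum(counts.values())
        return counts[dst] / total if total else 0.0

    def similarity(self, user, dst):
        """Best Jaccard overlap between the user's host set and that of another user of dst."""
        mine = set(self.user_dst.get(user, {}))
        best = 0.0
        for other in self.dst_users.get(dst, set()) - {user}:
            theirs = set(self.user_dst.get(other, {}))
            union = mine | theirs
            if union:
                best = max(best, len(mine & theirs) / len(union))
        return best

    def walk_length(self, user, src, when, window=timedelta(hours=1)):
        """Hops in the user's recent login chain origin -> ... -> src, each hop within `window`."""
        hops, host, t, seen = 0, src, parse(when), set()
        while host not in seen:
            prev = [e for e in self.events
                    if e[1] == user and e[3] == host and t - window <= e[0] < t]
            if not prev:
                break
            seen.add(host)
            last = max(prev, key=lambda e: e[0])
            hops, host, t = hops + 1, last[2], last[0]
        return hops


def score_login(graph, when, user, src, dst, window=timedelta(hours=1)):
    """Score in [0, 3]: unfamiliar host + dissimilar peers + long inbound walk = suspicious."""
    fam = graph.familiarity(user, dst)
    sim = graph.similarity(user, dst)
    hops = graph.walk_length(user, src, when, window)
    score = (1 - fam) + (1 - sim) + min(hops, 3) / 3
    return round(score, 3), {"familiarity": fam, "similarity": sim, "walk_hops": hops}


# Constructed scenario: alice's credential is reused to hop WS01 -> FS01 -> WS09 -> DB01.
ATTACK = [
    ("2019-03-04 09:00", "alice", "WS01", "FS01"),   # looks like her normal morning login
    ("2019-03-04 09:10", "alice", "FS01", "WS09"),   # pivot from the file server
    ("2019-03-04 09:20", "alice", "WS09", "DB01"),   # reaches a host only the DBA uses
]


def replay(events=ATTACK, history=HISTORY):
    """Score each event against the graph built so far, then add it (streaming detection)."""
    graph = AuthGraph(history)
    scores = []
    for t, u, s, d in events:
        score, _ = score_login(graph, t, u, s, d)
        scores.append(score)
        graph.add(t, u, s, d)
    return scores


if __name__ == "__main__":
    for (t, u, s, d), score in zip(ATTACK, replay()):
        print(f"{t} {u} {s}->{d} score={score} {'ALERT' if score >= 1.5 else 'ok'}")
```

Run stand-alone, the first hop scores like any other morning login, while the second and third hops score high on all three axes: never-seen destinations, peers with no overlapping habits, and a lengthening chain of same-user logins. The walk feature is what distinguishes this from per-login profiling; it only fires because each hop's destination becomes the next hop's source inside the window, which is exactly the pattern credential-based lateral movement produces.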


Notes

  1. We implement Algorithm 1 at https://github.com/WeiieW-cas/Malicious-Lateral-Movement-Traces-Generation.


Acknowledgements

This work is supported by the Strategic Priority Research Program of the Chinese Academy of Sciences, Grant No. XDC02040200.

Author information

Corresponding author: Aimin Yu.


Copyright information

© 2020 Springer Nature Switzerland AG

About this paper


Cite this paper

Wei, R., Cai, L., Yu, A., Meng, D. (2020). AGE: Authentication Graph Embedding for Detecting Anomalous Login Activities. In: Zhou, J., Luo, X., Shen, Q., Xu, Z. (eds) Information and Communications Security. ICICS 2019. Lecture Notes in Computer Science, vol 11999. Springer, Cham. https://doi.org/10.1007/978-3-030-41579-2_20

  • DOI: https://doi.org/10.1007/978-3-030-41579-2_20
  • Publisher Name: Springer, Cham
  • Print ISBN: 978-3-030-41578-5
  • Online ISBN: 978-3-030-41579-2
  • eBook Packages: Computer Science (R0)
