Abstract
Detecting anomalies in login activities is a critical step in responding to credential-based lateral movement attacks. Although an attacker with compromised credentials can impersonate legitimate users and move laterally between computers without triggering alarms, the attacker's login activities are likely to deviate from the users' normal patterns. We propose AGE, an Authentication Graph Embedding based system for detecting anomalous login activities. The goal of authentication graph embedding is to capture comprehensive relationships that facilitate the construction of user profiles. Specifically, the user profiles contain three types of features: familiarity-related features, similarity-related features, and lateral movement walk-related features. To evaluate AGE thoroughly, we use our synthetic malicious lateral movement traces as well as the red team activities provided by CMU-CERT. Extensive experiments show that AGE achieves good performance and outperforms the baseline methods. We also design experiments that help us understand the authentication graph embedding.
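The three feature families the abstract names can be illustrated on a toy authentication graph. This is an added example, not the paper's code: the feature definitions (familiarity as prior contact with a host, similarity as whether peer users also reach the destination, and a lateral movement walk as a chain of logins whose destination becomes the next login's source) are assumptions, the log records are constructed, and AGE's own embedding is not shown.

```python
from collections import defaultdict

# Constructed sample log: (time, user, source host, destination host)
LOGINS = [
    (1, "alice", "ws-alice", "file-srv"),
    (2, "alice", "ws-alice", "mail-srv"),
    (3, "bob",   "ws-bob",   "file-srv"),
    (4, "bob",   "ws-bob",   "build-srv"),
    (5, "alice", "ws-alice", "file-srv"),
    # alice's credential hops ws-bob -> build-srv -> dc-01 within minutes
    (6, "alice", "ws-bob",    "build-srv"),
    (7, "alice", "build-srv", "dc-01"),
]

def build_auth_graph(logins):
    """Authentication graph: user -> hosts touched; host -> users that logged into it."""
    user_hosts, host_users = defaultdict(set), defaultdict(set)
    for _, user, src, dst in logins:
        user_hosts[user].update({src, dst})
        host_users[dst].add(user)
    return user_hosts, host_users

def login_features(history, event, window=10):
    """Assumed feature definitions for one login, given the earlier events only."""
    t, user, src, dst = event
    user_hosts, host_users = build_auth_graph(history)
    mine = [e for e in history if e[1] == user]
    # familiarity: has this user touched the source / destination host before?
    familiar_src = src in user_hosts[user]
    familiar_dst = dst in user_hosts[user]
    # similarity: do users sharing hosts with this user also reach the destination?
    peers = {u for h in user_hosts[user] for u in host_users[h]} - {user}
    peer_reach = any(dst in user_hosts[p] for p in peers)
    # lateral movement walk: follow prior logins whose dst is the current src
    walk, cur_src = 1, src
    for e in reversed(mine):
        if t - e[0] <= window and e[3] == cur_src:
            walk, cur_src = walk + 1, e[2]
        else:
            break
    return {"familiar_src": familiar_src, "familiar_dst": familiar_dst,
            "peer_reach": peer_reach, "walk_len": walk}

def score_logins(logins, window=10):
    """Replay events in order; flag unfamiliar destinations reached via a walk of >= 2 hops."""
    flagged = []
    for i, ev in enumerate(logins):
        f = login_features(logins[:i], ev, window)
        if not f["familiar_dst"] and f["walk_len"] >= 2:
            flagged.append((ev, f))
    return flagged
```

On the constructed log, only the final hop to dc-01 is flagged: the earlier hop to build-srv is unfamiliar to alice but a peer (bob) reaches it and it is not yet part of a chain.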
Notes
1. We implement Algorithm 1 at https://github.com/WeiieW-cas/Malicious-Lateral-Movement-Traces-Generation.
Acknowledgements
This work is supported by the Strategic Priority Research Program of the Chinese Academy of Sciences, Grant No. XDC02040200.
Copyright information
© 2020 Springer Nature Switzerland AG
Cite this paper
Wei, R., Cai, L., Yu, A., Meng, D. (2020). AGE: Authentication Graph Embedding for Detecting Anomalous Login Activities. In: Zhou, J., Luo, X., Shen, Q., Xu, Z. (eds) Information and Communications Security. ICICS 2019. Lecture Notes in Computer Science, vol 11999. Springer, Cham. https://doi.org/10.1007/978-3-030-41579-2_20
DOI: https://doi.org/10.1007/978-3-030-41579-2_20
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-41578-5
Online ISBN: 978-3-030-41579-2