Assessing the detection of lateral movement through unsupervised learning techniques

Computers & Security, vol. 149, Article 104190. Published 2024-11-06. DOI: 10.1016/j.cose.2024.104190 (https://www.sciencedirect.com/science/article/pii/S0167404824004954). Journal impact factor 4.8; CAS Zone 2; JCR Q1, Computer Science, Information Systems.
Christos Smiliotopoulos, Georgios Kambourakis, Constantinos Kolias, Stefanos Gritzalis

Abstract

Lateral movement (LM) is an umbrella term for techniques through which attackers spread from an entry point to the rest of the network. Typically, LM involves both pivoting through multiple systems and privilege escalation. As LM techniques proliferate and evolve, there is a need for advanced security controls able to detect and possibly nip such attacks in the bud. Based on the published literature, we argue that although LM-focused intrusion detection systems have received considerable attention, a prominent issue remains largely unaddressed. This concerns the detection of LM through unsupervised machine learning (ML) techniques. This work contributes to this field by capitalizing on the LMD-2023 dataset containing traces of 15 diverse LM attack techniques as they were logged by the system monitor (Sysmon) service of the MS Windows platform. We provide a panorama of this sub-field and associated methodologies, exploring the potential of standard ML-based detection. In further detail, in addition to analyzing feature selection and preprocessing, we detail and evaluate a plethora of unsupervised ML techniques, both shallow and deep. The derived scores for the best performer in terms of the AUC and F1 metrics are quite promising, around 94.7%/93% and 95.2%/93.8%, for the best shallow and deep neural network model, respectively. On top of that, in an effort to further improve on those metrics, we devise and evaluate a two-stage ML model, surpassing the previous best score by approximately 3.5%. Overall, to our knowledge, this work provides the first full-blown study on LM detection via unsupervised learning techniques, therefore it is anticipated to serve as a groundwork for anyone working in this timely field.
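The abstract outlines an evaluation pipeline: Sysmon event traces are turned into features, an unsupervised model scores them without seeing labels, and the ground-truth labels are used only afterwards to compute AUC and F1. The following Python block is an added illustration of that pipeline and is not code from the paper or the LMD-2023 dataset: the events are constructed to mimic Sysmon Event ID 1 (process creation) and Event ID 3 (network connection) records, and the detector is a deliberately simple frequency-rarity scorer standing in for the paper's shallow and deep models. The one rare-but-benign event (an msiexec.exe install) is included on purpose so that the false positive shows up in the metrics.

```python
"""Unsupervised rarity scoring over Sysmon-style events, evaluated with AUC and F1.

Added example. The events are constructed (not from LMD-2023) and the scorer is a
plain frequency-based anomaly detector, not any model from the paper.
"""
from collections import Counter
import math
import ntpath

# Constructed Sysmon-like events: (event_id, image, destination_port, label).
# Event ID 1 = process creation (no port), Event ID 3 = network connection.
# label is ground truth used ONLY for evaluation: 1 = lateral movement, 0 = benign.
EVENTS = (
    [(3, r"C:\Windows\System32\svchost.exe", 443, 0)] * 6
    + [(3, r"C:\Program Files\Google\Chrome\Application\chrome.exe", 443, 0)] * 5
    + [(3, r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE", 443, 0)] * 3
    + [(3, r"C:\Windows\System32\svchost.exe", 445, 0)] * 4
    + [(1, r"C:\Windows\explorer.exe", None, 0)] * 3
    + [(1, r"C:\Windows\System32\msiexec.exe", None, 0)]       # rare but benign: expected false positive
    + [(1, r"C:\Windows\System32\wsmprovhost.exe", None, 1)]   # WinRM remote-session host process
    + [(3, r"C:\Windows\System32\rundll32.exe", 445, 1)]       # SMB connection from an unusual image
    + [(1, r"C:\Windows\PSEXESVC.exe", None, 1)]               # PsExec service binary
)


def feature_key(event):
    """Categorical feature tuple seen by the detector; the label is deliberately excluded."""
    event_id, image, port, _label = event
    return (event_id, ntpath.basename(image).lower(), port)


def rarity_scores(events):
    """Unsupervised anomaly score: log(N / count) of each event's feature key in the batch.

    Equivalent to -log(relative frequency); the rarer the key, the higher the score.
    """
    keys = [feature_key(e) for e in events]
    counts = Counter(keys)
    n = len(keys)
    return [math.log(n / counts[k]) for k in keys]


def auc(scores, labels):
    """ROC AUC via the Mann-Whitney statistic; a tied pair counts one half."""
    pos = [s for s, l in zip(scores, labels) if l == 1]
    neg = [s for s, l in zip(scores, labels) if l == 0]
    wins = 0.0
    for p in pos:
        for q in neg:
            wins += 1.0 if p > q else 0.5 if p == q else 0.0
    return wins / (len(pos) * len(neg))


def f1_at_threshold(scores, labels, threshold):
    """Precision, recall and F1 when every event with score >= threshold is flagged."""
    tp = sum(1 for s, l in zip(scores, labels) if s >= threshold and l == 1)
    fp = sum(1 for s, l in zip(scores, labels) if s >= threshold and l == 0)
    fn = sum(1 for s, l in zip(scores, labels) if s < threshold and l == 1)
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    f1 = 2 * precision * recall / (precision + recall) if precision + recall else 0.0
    return precision, recall, f1


def evaluate(events=EVENTS):
    """Score the batch unsupervised, then measure it against the held-out labels."""
    labels = [e[3] for e in events]
    scores = rarity_scores(events)
    # Flag every key seen exactly once in the batch, i.e. score == log(N).
    threshold = math.log(len(events))
    precision, recall, f1 = f1_at_threshold(scores, labels, threshold)
    return {"auc": auc(scores, labels), "precision": precision, "recall": recall, "f1": f1}


if __name__ == "__main__":
    for name, value in evaluate().items():
        print(f"{name}: {value:.3f}")
```

Two points carry over to the real setting. First, the labels never enter `rarity_scores`; they are consulted only by `auc` and `f1_at_threshold`, which is what makes the detector unsupervised. Second, AUC is threshold-free while F1 is not: the benign msiexec.exe event ties with the three lateral-movement events at the top score, which costs the AUC only half a pair per positive but drops precision to 0.75 at the chosen cut-off, so the two numbers should always be read together.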