social - hunter:一种基于社会启发式的方法,用于早期发现使用有效帐户的未知恶意登录

IF 6.8 2区 计算机科学 Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS Computers & Security Pub Date : 2025-03-01 Epub Date: 2024-12-14 DOI:10.1016/j.cose.2024.104269
Mingsheng Tang , Binbin Ge
{"title":"social - hunter:一种基于社会启发式的方法,用于早期发现使用有效帐户的未知恶意登录","authors":"Mingsheng Tang ,&nbsp;Binbin Ge","doi":"10.1016/j.cose.2024.104269","DOIUrl":null,"url":null,"abstract":"<div><div>Using valid accounts has become a prevalent tactic among Advanced Persistent Threat (APT) actors for executing malicious logins. By exploiting stolen credentials, they bypass rule-based and traffic-based detection mechanisms, enabling sustained network infiltration without triggering anomalous network traffic alerts. The scarcity of feature-rich datasets and labeled samples for identifying malicious logins by unknown APT actors presents a significant challenge. To address this, we propose Social-Hunter, an innovative approach for detecting unknown malicious logins without prior knowledge or training on specific APT behaviors. Social-Hunter integrates sociological heuristics and multi-viewpoint modeling to partition groups based on social and role-based perspectives. Iterative partitioning assesses whether new login nodes fit within established group contexts, thereby identifying potential malicious intent. A threshold parameter evaluates source node capability during cross-group logins, flagging insufficient capability as indicators of malicious behavior. The core algorithm detects deviations from social norms and predefined thresholds. Evaluation on a 58-day dataset of authentication events from a real-world Los Alamos National Laboratory’s (LANL) network demonstrates Social-Hunter’s effectiveness. It achieves a true positive rate (TPR) nearing 90% with a significantly reduced false positive rate (FPR) of 0.2%. Comparative analysis against state-of-art unsupervised methods such as graph learning, Local Outlier Factor (LOF), Isolation Forest (IF), One-Class Support Vector Machine (One-Class SVM), Ensemble Multi-Detector (EMD), and AutoEncoder (AE) shows Social-Hunter improving TPR by at least 5% and reducing FPR by more than 77%. In practical event auditing for threats hunting, Social-Hunter maintains a minimal false positives rate of 0.00014% with nearly 90% TPR. Over 28 days, it triggered 956 alerts, with 672 true positives and just 284 false alarms. The average daily false alarm rate is around 10, while valid alerts average 20 per day. These findings underscore Social-Hunter’s potential for early detection of APT activities in large enterprise networks.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"150 ","pages":"Article 104269"},"PeriodicalIF":6.8000,"publicationDate":"2025-03-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":"{\"title\":\"Social-Hunter: A social heuristics-based approach to early unveiling unknown malicious logins using valid accounts\",\"authors\":\"Mingsheng Tang ,&nbsp;Binbin Ge\",\"doi\":\"10.1016/j.cose.2024.104269\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"<div><div>Using valid accounts has become a prevalent tactic among Advanced Persistent Threat (APT) actors for executing malicious logins. By exploiting stolen credentials, they bypass rule-based and traffic-based detection mechanisms, enabling sustained network infiltration without triggering anomalous network traffic alerts. The scarcity of feature-rich datasets and labeled samples for identifying malicious logins by unknown APT actors presents a significant challenge. To address this, we propose Social-Hunter, an innovative approach for detecting unknown malicious logins without prior knowledge or training on specific APT behaviors. Social-Hunter integrates sociological heuristics and multi-viewpoint modeling to partition groups based on social and role-based perspectives. Iterative partitioning assesses whether new login nodes fit within established group contexts, thereby identifying potential malicious intent. A threshold parameter evaluates source node capability during cross-group logins, flagging insufficient capability as indicators of malicious behavior. The core algorithm detects deviations from social norms and predefined thresholds. Evaluation on a 58-day dataset of authentication events from a real-world Los Alamos National Laboratory’s (LANL) network demonstrates Social-Hunter’s effectiveness. It achieves a true positive rate (TPR) nearing 90% with a significantly reduced false positive rate (FPR) of 0.2%. Comparative analysis against state-of-art unsupervised methods such as graph learning, Local Outlier Factor (LOF), Isolation Forest (IF), One-Class Support Vector Machine (One-Class SVM), Ensemble Multi-Detector (EMD), and AutoEncoder (AE) shows Social-Hunter improving TPR by at least 5% and reducing FPR by more than 77%. In practical event auditing for threats hunting, Social-Hunter maintains a minimal false positives rate of 0.00014% with nearly 90% TPR. Over 28 days, it triggered 956 alerts, with 672 true positives and just 284 false alarms. The average daily false alarm rate is around 10, while valid alerts average 20 per day. These findings underscore Social-Hunter’s potential for early detection of APT activities in large enterprise networks.</div></div>\",\"PeriodicalId\":51004,\"journal\":{\"name\":\"Computers & Security\",\"volume\":\"150 \",\"pages\":\"Article 104269\"},\"PeriodicalIF\":6.8000,\"publicationDate\":\"2025-03-01\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"0\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"Computers & Security\",\"FirstCategoryId\":\"94\",\"ListUrlMain\":\"https://www.sciencedirect.com/science/article/pii/S0167404824005753\",\"RegionNum\":2,\"RegionCategory\":\"计算机科学\",\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"2024/12/14 0:00:00\",\"PubModel\":\"Epub\",\"JCR\":\"Q1\",\"JCRName\":\"COMPUTER SCIENCE, INFORMATION SYSTEMS\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"Computers & Security","FirstCategoryId":"94","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S0167404824005753","RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"2024/12/14 0:00:00","PubModel":"Epub","JCR":"Q1","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}
引用次数: 0

摘要

使用有效帐户已成为高级持续性威胁(APT)参与者执行恶意登录的普遍策略。通过利用窃取的凭证,他们绕过基于规则和基于流量的检测机制,在不触发异常网络流量警报的情况下实现持续的网络渗透。用于识别未知APT参与者恶意登录的特征丰富的数据集和标记样本的稀缺提出了一个重大挑战。为了解决这个问题,我们提出了Social-Hunter,这是一种创新的方法,用于检测未知的恶意登录,而无需事先了解或培训特定的APT行为。social - hunter整合了社会学启发式和多视点建模来划分基于社会和角色视角的群体。迭代分区评估新的登录节点是否适合已建立的组上下文,从而识别潜在的恶意意图。阈值参数评估跨组登录期间源节点的能力,将能力不足标记为恶意行为的指示器。核心算法检测偏离社会规范和预定义阈值的情况。对来自现实世界洛斯阿拉莫斯国家实验室(Los Alamos National Laboratory, LANL)网络的为期58天的认证事件数据集的评估证明了Social-Hunter的有效性。该方法的真阳性率(TPR)接近90%,假阳性率(FPR)显著降低0.2%。与最先进的无监督方法(如图学习、局部离群因子(LOF)、隔离森林(IF)、一类支持向量机(One-Class SVM)、集成多检测器(EMD)和自动编码器(AE))进行比较分析表明,Social-Hunter将TPR提高了至少5%,将FPR降低了77%以上。在威胁搜索的实际事件审计中,Social-Hunter保持了0.00014%的最小误报率,TPR接近90%。在28天的时间里,它触发了956次警报,其中672次为真阳性,只有284次为假警报。平均每天的误报率约为10次,而有效警报平均每天为20次。这些发现强调了Social-Hunter在大型企业网络中早期发现APT活动的潜力。
本文章由计算机程序翻译,如有差异,请以英文原文为准。

摘要图片

查看原文
分享 分享
微信好友 朋友圈 QQ好友 复制链接
本刊更多论文
Social-Hunter: A social heuristics-based approach to early unveiling unknown malicious logins using valid accounts
Using valid accounts has become a prevalent tactic among Advanced Persistent Threat (APT) actors for executing malicious logins. By exploiting stolen credentials, they bypass rule-based and traffic-based detection mechanisms, enabling sustained network infiltration without triggering anomalous network traffic alerts. The scarcity of feature-rich datasets and labeled samples for identifying malicious logins by unknown APT actors presents a significant challenge. To address this, we propose Social-Hunter, an innovative approach for detecting unknown malicious logins without prior knowledge or training on specific APT behaviors. Social-Hunter integrates sociological heuristics and multi-viewpoint modeling to partition groups based on social and role-based perspectives. Iterative partitioning assesses whether new login nodes fit within established group contexts, thereby identifying potential malicious intent. A threshold parameter evaluates source node capability during cross-group logins, flagging insufficient capability as indicators of malicious behavior. The core algorithm detects deviations from social norms and predefined thresholds. Evaluation on a 58-day dataset of authentication events from a real-world Los Alamos National Laboratory’s (LANL) network demonstrates Social-Hunter’s effectiveness. It achieves a true positive rate (TPR) nearing 90% with a significantly reduced false positive rate (FPR) of 0.2%. Comparative analysis against state-of-art unsupervised methods such as graph learning, Local Outlier Factor (LOF), Isolation Forest (IF), One-Class Support Vector Machine (One-Class SVM), Ensemble Multi-Detector (EMD), and AutoEncoder (AE) shows Social-Hunter improving TPR by at least 5% and reducing FPR by more than 77%. In practical event auditing for threats hunting, Social-Hunter maintains a minimal false positives rate of 0.00014% with nearly 90% TPR. Over 28 days, it triggered 956 alerts, with 672 true positives and just 284 false alarms. The average daily false alarm rate is around 10, while valid alerts average 20 per day. These findings underscore Social-Hunter’s potential for early detection of APT activities in large enterprise networks.
求助全文
通过发布文献求助,成功后即可免费获取论文全文。 去求助
来源期刊
Computers & Security
Computers & Security 工程技术-计算机:信息系统
CiteScore
12.40
自引率
7.10%
发文量
365
审稿时长
10.7 months
期刊介绍: Computers & Security is the most respected technical journal in the IT security field. With its high-profile editorial board and informative regular features and columns, the journal is essential reading for IT security professionals around the world. Computers & Security provides you with a unique blend of leading edge research and sound practical management advice. It is aimed at the professional involved with computer security, audit, control and data integrity in all sectors - industry, commerce and academia. Recognized worldwide as THE primary source of reference for applied research and technical expertise it is your first step to fully secure systems.
期刊最新文献
A Multi-Frequency Temporal Spatio-Transformer for adversarially robust IoT intrusion detection Debapt: Ontology-driven multi-agent debate for APT adversary profile construction from cyber threat intelligence CoolTest: Randomness test suited for small data volumes ODHD: On-Demand Helper Data generation for reliable NVM-free key derivation from SRAM PUF From Systematic Threat Search to pentesting: Industrial Control Systems threat models
×
引用
GB/T 7714-2015
复制
MLA
复制
APA
复制
导出至
BibTeX EndNote RefMan NoteFirst NoteExpress
×
×
提示
您的信息不完整,为了账户安全,请先补充。
现在去补充
×
提示
您因"违规操作"
具体请查看互助需知
我知道了
×
提示
现在去查看 取消
×
提示
确定
0
微信
客服QQ
Book学术公众号 扫码关注我们
反馈
×
意见反馈
请填写您的意见或建议
请填写您的手机或邮箱
已复制链接
已复制链接
快去分享给好友吧!
我知道了
×
扫码分享
扫码分享
Book学术官方微信
Book学术官方微信
Book学术文献互助
Book学术文献互助群
群 号:604180095
Book学术
文献互助 智能选刊 最新文献 互助须知 联系我们:info@booksci.cn
Book学术提供免费学术资源搜索服务,方便国内外学者检索中英文文献。致力于提供最便捷和优质的服务体验。
Copyright © 2023 Book学术 All rights reserved.
ghs 京公网安备 11010802042870号 京ICP备2023020795号-1