Assessing the detection of lateral movement through unsupervised learning techniques

IF 4.8 2区计算机科学 Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS

Computers & Security Pub Date : 2024-11-06 DOI:10.1016/j.cose.2024.104190

Christos Smiliotopoulos , Georgios Kambourakis , Constantinos Kolias , Stefanos Gritzalis

{"title":"Assessing the detection of lateral movement through unsupervised learning techniques","authors":"Christos Smiliotopoulos , Georgios Kambourakis , Constantinos Kolias , Stefanos Gritzalis","doi":"10.1016/j.cose.2024.104190","DOIUrl":null,"url":null,"abstract":"<div><div>Lateral movement (LM) is an umbrella term for techniques through which attackers spread from an entry point to the rest of the network. Typically, LM involves both pivoting through multiple systems and privilege escalation. As LM techniques proliferate and evolve, there is a need for advanced security controls able to detect and possibly nip such attacks in the bud. Based on the published literature, we argue that although LM-focused intrusion detection systems have received considerable attention, a prominent issue remains largely unaddressed. This concerns the detection of LM through unsupervised machine learning (ML) techniques. This work contributes to this field by capitalizing on the LMD-2023 dataset containing traces of 15 diverse LM attack techniques as they were logged by the system monitor (Sysmon) service of the MS Windows platform. We provide a panorama of this sub-field and associated methodologies, exploring the potential of standard ML-based detection. In further detail, in addition to analyzing feature selection and preprocessing, we detail and evaluate a plethora of unsupervised ML techniques, both shallow and deep. The derived scores for the best performer in terms of the AUC and F1 metrics are quite promising, around 94.7%/93% and 95.2%/93.8%, for the best shallow and deep neural network model, respectively. On top of that, in an effort to further improve on those metrics, we devise and evaluate a two-stage ML model, surpassing the previous best score by approximately 3.5%. Overall, to our knowledge, this work provides the first full-blown study on LM detection via unsupervised learning techniques, therefore it is anticipated to serve as a groundwork for anyone working in this timely field.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"149 ","pages":"Article 104190"},"PeriodicalIF":4.8000,"publicationDate":"2024-11-06","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Computers & Security","FirstCategoryId":"94","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S0167404824004954","RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}

引用次数: 0

Abstract

Lateral movement (LM) is an umbrella term for techniques through which attackers spread from an entry point to the rest of the network. Typically, LM involves both pivoting through multiple systems and privilege escalation. As LM techniques proliferate and evolve, there is a need for advanced security controls able to detect and possibly nip such attacks in the bud. Based on the published literature, we argue that although LM-focused intrusion detection systems have received considerable attention, a prominent issue remains largely unaddressed. This concerns the detection of LM through unsupervised machine learning (ML) techniques. This work contributes to this field by capitalizing on the LMD-2023 dataset containing traces of 15 diverse LM attack techniques as they were logged by the system monitor (Sysmon) service of the MS Windows platform. We provide a panorama of this sub-field and associated methodologies, exploring the potential of standard ML-based detection. In further detail, in addition to analyzing feature selection and preprocessing, we detail and evaluate a plethora of unsupervised ML techniques, both shallow and deep. The derived scores for the best performer in terms of the AUC and F1 metrics are quite promising, around 94.7%/93% and 95.2%/93.8%, for the best shallow and deep neural network model, respectively. On top of that, in an effort to further improve on those metrics, we devise and evaluate a two-stage ML model, surpassing the previous best score by approximately 3.5%. Overall, to our knowledge, this work provides the first full-blown study on LM detection via unsupervised learning techniques, therefore it is anticipated to serve as a groundwork for anyone working in this timely field.

查看原文本刊更多论文

评估通过无监督学习技术检测横向移动的情况

横向移动（LM）是一种技术的总称，攻击者通过这种技术从一个入口点扩散到网络的其他部分。通常情况下，横向移动包括在多个系统中移动和权限升级。随着 LM 技术的扩散和发展，需要有先进的安全控制手段来检测此类攻击并将其扼杀在萌芽状态。根据已发表的文献，我们认为，尽管以 LM 为重点的入侵检测系统已受到广泛关注，但一个突出的问题在很大程度上仍未得到解决。这涉及通过无监督机器学习（ML）技术检测 LM。本研究利用 LMD-2023 数据集，其中包含 MS Windows 平台系统监控（Sysmon）服务记录的 15 种不同 LM 攻击技术的痕迹，为这一领域做出了贡献。我们提供了这一子领域和相关方法的全景图，探索了基于标准 ML 的检测的潜力。更详细地说，除了分析特征选择和预处理外，我们还详细介绍并评估了大量无监督 ML 技术，包括浅层和深层技术。从 AUC 和 F1 指标来看，最佳浅层神经网络模型和深度神经网络模型的最佳表现得分相当可观，分别约为 94.7%/93% 和 95.2%/93.8% 。此外，为了进一步提高这些指标，我们设计并评估了一个两阶段 ML 模型，比之前的最佳成绩高出约 3.5%。总之，据我们所知，这项工作首次通过无监督学习技术对 LM 检测进行了全面研究，因此有望为这一适时领域的工作奠定基础。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Computers & Security 工程技术-计算机：信息系统

CiteScore

12.40

自引率

7.10%

发文量

365

审稿时长

10.7 months

期刊介绍： Computers & Security is the most respected technical journal in the IT security field. With its high-profile editorial board and informative regular features and columns, the journal is essential reading for IT security professionals around the world. Computers & Security provides you with a unique blend of leading edge research and sound practical management advice. It is aimed at the professional involved with computer security, audit, control and data integrity in all sectors - industry, commerce and academia. Recognized worldwide as THE primary source of reference for applied research and technical expertise it is your first step to fully secure systems.