Role-based lateral movement detection with unsupervised learning
Brian A. Powell

TL;DR
This paper introduces an unsupervised, behavior-based framework for detecting lateral movement in enterprise networks by analyzing system roles and process communication patterns to identify anomalies indicative of malicious activity.
Contribution
It presents two novel methods: one clustering systems by role to detect unusual connections, and another analyzing process sequences to find disruptions, enhancing detection of lateral movement techniques.
Findings
Unsupervised clustering effectively identifies connections to systems with unusual roles.
Frequent-itemset mining detects abnormal process sequences indicating potential compromise.
Framework improves detection of lateral movement without relying on signatures or rules.
Abstract
Adversarial lateral movement via compromised accounts remains difficult to discover via traditional rule-based defenses because it generally lacks explicit indicators of compromise. We propose a behavior-based, unsupervised framework comprising two methods of lateral movement detection on enterprise networks: one aimed at generic lateral movement via either exploit or authenticated connections, and one targeting the specific techniques of process injection and hijacking. The first method is based on the premise that the role of a system---the functions it performs on the network---determines the roles of the systems it should make connections with. The adversary meanwhile might move between any systems whatever, possibly seeking out systems with unusual roles that facilitate certain accesses. We use unsupervised learning to cluster systems according to role and identify connections to…
Taxonomy
Topics: Network Security and Intrusion Detection · Spam and Phishing Detection · Cybercrime and Law Enforcement Studies
