HADES: Detecting Active Directory Attacks via Whole Network Provenance Analytics
Qi Liu, Kaibin Bao, Wajih Ul Hassan, Veit Hagenmeyer

TL;DR
HADES is a novel provenance-based intrusion detection system that enables accurate cross-machine tracing of Active Directory attacks, significantly improving detection over existing methods.
Contribution
HADES introduces a new causality-based cross-machine tracing approach using logon session partitioning, enhancing detection of stealthy Active Directory attacks.
Findings
HADES outperforms existing open-source detection systems.
HADES surpasses a prominent commercial AD attack detector.
The system effectively detects authentication anomalies indicating AD attacks.
Abstract
Due to its crucial role in identity and access management in modern enterprise networks, Active Directory (AD) is a top target of Advanced Persistent Threat (APT) actors. Conventional intrusion detection systems (IDS) excel at identifying malicious behaviors caused by malware, but often fail to detect stealthy attacks launched by APT actors. Recent advances in provenance-based IDS (PIDS) show promise by exposing malicious system activities in causal attack graphs. However, existing approaches are restricted to intra-machine tracing and are unable to reveal the scope of attackers' traversal inside a network. We propose HADES, the first PIDS capable of performing accurate causality-based cross-machine tracing by leveraging a novel concept called logon session based execution partitioning to overcome several challenges in cross-machine tracing. We design HADES as an efficient on-demand…
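To make the idea of logon-session-based execution partitioning concrete, the following added example (written for this page, not HADES's own code or algorithm) partitions constructed Windows Security events into logon sessions and links a session on one host to the network logon it caused on another, so that a forward trace can follow activity across machines. The event IDs 4624, 4688 and 4648 are standard Windows Security events; the pairing rule (a 4648 explicit-credential logon matched to a type-3 logon on the target host from the source host's IP within a short time window), the host-to-IP table and the sample events are all assumptions made for illustration.

```python
"""Partition Windows Security events into logon sessions and link sessions
across hosts. Added illustration of the general idea of logon-session-based
execution partitioning; this is NOT the HADES algorithm from the paper, and
the matching rule and sample data are assumptions (see comments)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs). Fields mirror commonly used
# Windows Security event IDs: 4624 logon, 4688 process creation, 4648 logon
# with explicit credentials. Times are ISO 8601 strings.
EVENTS = [
    {"host": "WS01", "id": 4624, "time": "2024-01-01T09:00:00", "LogonType": 2,
     "TargetLogonId": "0x1a", "IpAddress": "-"},
    {"host": "WS01", "id": 4688, "time": "2024-01-01T09:01:00",
     "SubjectLogonId": "0x1a", "NewProcessName": "C:\\Windows\\System32\\cmd.exe"},
    {"host": "WS01", "id": 4648, "time": "2024-01-01T09:02:00",
     "SubjectLogonId": "0x1a", "TargetServerName": "DC01"},
    {"host": "DC01", "id": 4624, "time": "2024-01-01T09:02:03", "LogonType": 3,
     "TargetLogonId": "0x7f", "IpAddress": "10.0.0.11"},
    {"host": "DC01", "id": 4688, "time": "2024-01-01T09:02:10",
     "SubjectLogonId": "0x7f", "NewProcessName": "C:\\Windows\\System32\\powershell.exe"},
    # Unrelated interactive session on DC01 that must NOT be pulled into the trace.
    {"host": "DC01", "id": 4624, "time": "2024-01-01T09:30:00", "LogonType": 2,
     "TargetLogonId": "0x99", "IpAddress": "-"},
    {"host": "DC01", "id": 4688, "time": "2024-01-01T09:31:00",
     "SubjectLogonId": "0x99", "NewProcessName": "C:\\Windows\\explorer.exe"},
]

# Assumed host -> IP mapping (in practice taken from DHCP or asset inventory).
HOST_IP = {"WS01": "10.0.0.11", "DC01": "10.0.0.5"}
# Assumed tolerance for pairing a 4648 on the source with a 4624 on the target.
MATCH_WINDOW = timedelta(seconds=10)


def _t(s):
    return datetime.fromisoformat(s)


def build_session_graph(events, host_ip=HOST_IP):
    """Return (processes, edges). processes maps a session key (host, logon_id)
    to the process names created under it; edges maps a session key to the
    set of remote session keys it spawned via a network logon."""
    processes = defaultdict(list)
    edges = defaultdict(set)
    logons = [e for e in events if e["id"] == 4624]
    for e in events:
        if e["id"] == 4688:
            # Process creation is attributed to the logon session that ran it.
            processes[(e["host"], e["SubjectLogonId"])].append(e["NewProcessName"])
        elif e["id"] == 4648:
            src = (e["host"], e["SubjectLogonId"])
            # Pair with a type-3 (network) logon on the named target host whose
            # source IP is the originating host, arriving within MATCH_WINDOW.
            for l in logons:
                if (l["host"] == e["TargetServerName"] and l["LogonType"] == 3
                        and l["IpAddress"] == host_ip.get(e["host"])
                        and timedelta(0) <= _t(l["time"]) - _t(e["time"]) <= MATCH_WINDOW):
                    edges[src].add((l["host"], l["TargetLogonId"]))
    return processes, edges


def trace(start, processes, edges):
    """Forward-trace from a logon session across machines. Returns an ordered
    list of (session, processes) pairs for every session reached."""
    seen, order, stack = set(), [], [start]
    while stack:
        s = stack.pop()
        if s in seen:
            continue
        seen.add(s)
        order.append((s, processes.get(s, [])))
        stack.extend(sorted(edges.get(s, ())))
    return order


if __name__ == "__main__":
    procs, links = build_session_graph(EVENTS)
    for session, names in trace(("WS01", "0x1a"), procs, links):
        print(session, names)
```

Running the block traces from the interactive session on WS01 through the network logon on DC01 and reports only the processes of those two sessions; the unrelated session 0x99 on DC01 is left out, which is the point of partitioning by logon session rather than by host. In a real deployment the pairing rule would need to account for clock skew, NAT and multiple concurrent logons from the same source.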
