Lateral Movement Detection via Time-aware Subgraph Classification on Authentication Logs
Jiajun Zhou, Jiacheng Yao, Xuanze Chen, Shanqing Yu, Qi Xuan, Xiaoniu Yang

TL;DR
This paper introduces LMDetect, a novel framework that uses time-aware subgraph classification on authentication logs to effectively detect lateral movement in networks, addressing evasion tactics of attackers.
Contribution
The paper proposes a multi-scale, graph-based detection framework that leverages time-aware subgraph extraction and attention mechanisms for improved lateral movement detection.
Findings
Effective detection of lateral movement in real-world datasets
Outperforms existing methods in accuracy and robustness
Demonstrates the importance of time-aware subgraph analysis
Abstract
Lateral movement is a crucial component of advanced persistent threat (APT) attacks in networks. Attackers exploit security vulnerabilities in internal networks or IoT devices, expanding their control after initial infiltration to steal sensitive data or carry out other malicious activities, posing a serious threat to system security. Existing research suggests that attackers generally employ seemingly unrelated operations to mask their malicious intentions, thereby evading existing lateral movement detection methods and hiding their intrusion traces. In this regard, we analyze host authentication log data from a graph perspective and propose a multi-scale lateral movement detection framework called LMDetect. The main workflow of this framework proceeds as follows: 1) Construct a heterogeneous multigraph from host authentication log data to strengthen the correlations among internal…
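The abstract's first step, building a heterogeneous multigraph from authentication events, and the TL;DR's time-aware subgraph idea can be illustrated with a small self-contained script. This is an added example, not LMDetect's code: it assumes a simplified log format (time,user,src_host,dst_host,result), constructed sample lines, a BFS-style time-window subgraph around one target logon, and a hand-picked "authentication chain" feature (a user's successive successful logons where each hop starts from the host the previous hop landed on). None of those choices are taken from the paper.

```python
"""Heterogeneous multigraph from auth logs + time-aware subgraph extraction.

Added illustration (not the paper's LMDetect implementation). Assumed log
format: time,user,src_host,dst_host,result  -- one row per logon attempt.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log (not real data). Times are seconds.
# alice walks ws01 -> fs01 -> db01 -> dc01; bob and carol are background noise.
SAMPLE_LOG = """\
10,alice,ws01,fs01,success
20,bob,ws02,fs01,success
30,alice,ws01,db01,success
40,alice,fs01,db01,fail
45,alice,fs01,db01,success
50,alice,db01,dc01,success
300,carol,ws03,fs01,success
"""


@dataclass(frozen=True)
class AuthEdge:
    time: int
    user: str
    src: str
    dst: str
    ok: bool


def parse_log(text):
    """Parse the assumed CSV format into AuthEdge records."""
    edges = []
    for line in text.splitlines():
        if not line.strip():
            continue
        t, user, src, dst, result = line.split(",")
        edges.append(AuthEdge(int(t), user, src, dst, result == "success"))
    return edges


class HeteroMultiGraph:
    """Two node types ('user', 'host'); every auth event is its own edge,
    so parallel edges between the same nodes are kept (a multigraph)."""

    def __init__(self):
        self.edges = []                 # edge index -> AuthEdge
        self.adj = defaultdict(list)    # (type, name) -> list of edge indices

    def add_event(self, e):
        idx = len(self.edges)
        self.edges.append(e)
        for node in (("user", e.user), ("host", e.src), ("host", e.dst)):
            self.adj[node].append(idx)
        return idx


def build_graph(events):
    g = HeteroMultiGraph()
    for e in events:
        g.add_event(e)
    return g


def time_aware_subgraph(g, edge_idx, window, hops=2):
    """Edge indices reachable from the target edge's endpoints within `hops`
    node expansions, following only events inside [t - window, t + window].
    The time bound is what makes the neighbourhood 'time-aware'."""
    target = g.edges[edge_idx]
    lo, hi = target.time - window, target.time + window
    frontier = {("user", target.user), ("host", target.src), ("host", target.dst)}
    visited = set(frontier)
    kept = {edge_idx}
    for _ in range(hops):
        nxt = set()
        for node in frontier:
            for i in g.adj[node]:
                e = g.edges[i]
                if not (lo <= e.time <= hi):
                    continue            # outside the window: ignored
                kept.add(i)
                for n in (("user", e.user), ("host", e.src), ("host", e.dst)):
                    if n not in visited:
                        visited.add(n)
                        nxt.add(n)
        frontier = nxt
    return sorted(kept)


def longest_auth_chain(edges, user):
    """Length of the longest chain of successful logons by `user` where each
    hop's source host is the previous hop's destination (a hand-picked
    lateral-movement style feature, chosen for this example)."""
    mine = sorted((e for e in edges if e.user == user and e.ok), key=lambda e: e.time)
    best = [1] * len(mine)
    for i, e in enumerate(mine):
        for j in range(i):
            if mine[j].dst == e.src and mine[j].time < e.time:
                best[i] = max(best[i], best[j] + 1)
    return max(best, default=0)


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    g = build_graph(events)
    sub_idx = time_aware_subgraph(g, 5, window=30)
    sub = [g.edges[i] for i in sub_idx]
    print("subgraph edges around db01->dc01:", sub_idx)
    print("alice chain in window:", longest_auth_chain(sub, "alice"))
    print("alice chain in full log:", longest_auth_chain(events, "alice"))
```

Running it shows why the window size is a real design choice: within a 30-second window around alice's db01 to dc01 logon, the chain feature only sees two hops, while the full log reveals the three-hop ws01, fs01, db01, dc01 path. Too narrow a window hides a slow-moving attacker; too wide a window drags in unrelated background logons (bob's is already pulled in at the window's lower edge).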
Taxonomy
Topics: Hand Gesture Recognition Systems · Gait Recognition and Analysis · User Authentication and Security Systems
Methods: Softmax · Attention Is All You Need
