LMDG: Advancing Lateral Movement Detection Through High-Fidelity Dataset Generation

TL;DR

This paper introduces LMDG, a framework for generating high-fidelity, well-labeled datasets for lateral movement attack detection, enabling more accurate evaluation of security systems through realistic multi-stage attack data.

Contribution

LMDG provides a reproducible, extensible method for creating detailed, labeled datasets with a novel Process Tree Labeling technique for precise attack step attribution.

Findings

Generated a 25-day enterprise dataset with 35 multi-stage LM attacks

Achieved high-precision labeling of malicious activities

Produced a realistic dataset with less than 1% malicious activity

Abstract

Lateral Movement (LM) attacks continue to pose a significant threat to enterprise security, enabling adversaries to stealthily compromise critical assets. However, the development and evaluation of LM detection systems are impeded by the absence of realistic, well-labeled datasets. To address this gap, we propose LMDG, a reproducible and extensible framework for generating high-fidelity LM datasets. LMDG automates benign activity generation, multi-stage attack execution, and comprehensive labeling of system and network logs, dramatically reducing manual effort and enabling scalable dataset creation. A central contribution of LMDG is Process Tree Labeling, a novel agent-based technique that traces all malicious activity back to its origin with high precision. Unlike prior methods such as Injection Timing or Behavioral Profiling, Process Tree Labeling enables accurate, step-wise labeling of malicious log entries, correlating each with a specific attack step and MITRE ATT\&CK TTPs. To our knowledge, this is the first approach to support fine-grained labeling of multi-step attacks, providing critical context for detection models such as attack path reconstruction. We used LMDG to generate a 25-day dataset within a 25-VM enterprise environment containing 22 user accounts. The dataset includes 944 GB of host and network logs and embeds 35 multi-stage LM attacks, with malicious events comprising less than 1% of total activity, reflecting a realistic benign-to-malicious ratio for evaluating detection systems. LMDG-generated datasets improve upon existing ones by offering diverse LM attacks, up-to-date attack patterns, longer attack timeframes, comprehensive data sources, realistic network architectures, and more accurate labeling.