A Study of Detecting Lateral Movement Using Large-Scale Authentication Log 


Vol. 46,  No. 11, pp. 1862-1872, Nov.  2021
10.7840/kics.2021.46.11.1862


  Abstract

Lateral Movement is one of the stages of the Cyber Kill Chain, in which attackers increase the number of hosts they control after the initial compromise. Since the attacker can gradually expand the range of activity by repeating lateral movement until the final target is reached, a defender who detects the lateral movement and blocks the attacker mid-way can stop the attacker from achieving the objective. However, detecting such activity is not easy, because attackers use advanced techniques specifically to keep their actions from being noticed. In this study, we propose a method to detect an attacker's lateral movement using a large-scale authentication log: we calculate a normality index for each login path, and by comparing normality index scores we detect abnormal logins that indicate lateral movement by a potential attacker. The proposed method was applied to the Los Alamos National Laboratory public data set and tested; in the case of 1-hop path analysis, the TPR was 98.66%, the FPR was 0.74%, and the accuracy was 99.26%. This confirmed that the method is effective when applied to real data.
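The abstract describes scoring each login path with a normality index and flagging logins whose score is abnormal, then reporting TPR, FPR and accuracy. The following is an added example, not the paper's implementation and not the authors' code: it assumes a simple 1-hop normality index (the share of a source host's historical successful logons that went to a given destination), uses constructed records laid out like the public LANL authentication data set, and computes the three reported metrics from a small labelled evaluation window. The `HISTORY` records, `EVENTS`, threshold and all host and user names are invented for illustration.

```python
"""
Added example: a minimal 1-hop login-path normality score over authentication
records, plus the TPR/FPR/accuracy computation used to report detector quality.
Not the paper's implementation; the index definition below is an assumption.
"""
from collections import Counter

# Constructed records in the column layout of the public LANL auth data set
# (time, src_user@domain, dst_user@domain, src_computer, dst_computer,
#  auth_type, logon_type, auth_orientation, outcome). All values are made up.
HISTORY = """\
1,U1@DOM1,U1@DOM1,C1,C2,Kerberos,Network,LogOn,Success
2,U1@DOM1,U1@DOM1,C1,C2,Kerberos,Network,LogOn,Success
3,U1@DOM1,U1@DOM1,C1,C2,Kerberos,Network,LogOn,Success
4,U1@DOM1,U1@DOM1,C1,C2,Kerberos,Network,LogOn,Success
5,U1@DOM1,U1@DOM1,C1,C2,Kerberos,Network,LogOn,Success
6,U1@DOM1,U1@DOM1,C1,C3,Kerberos,Network,LogOn,Success
7,U1@DOM1,U1@DOM1,C1,C3,Kerberos,Network,LogOn,Success
8,U1@DOM1,U1@DOM1,C1,C3,Kerberos,Network,LogOn,Success
9,U1@DOM1,U1@DOM1,C1,C3,Kerberos,Network,LogOn,Success
10,U1@DOM1,U1@DOM1,C1,C4,Kerberos,Network,LogOn,Success
11,U2@DOM1,U2@DOM1,C2,C5,Kerberos,Network,LogOn,Success
12,U2@DOM1,U2@DOM1,C2,C5,Kerberos,Network,LogOn,Success
13,U2@DOM1,U2@DOM1,C2,C5,Kerberos,Network,LogOn,Success
14,U3@DOM1,U3@DOM1,C3,C5,Kerberos,Network,LogOn,Success
15,U3@DOM1,U3@DOM1,C3,C5,Kerberos,Network,LogOn,Success
16,U1@DOM1,U1@DOM1,C1,C9,Kerberos,Network,LogOn,Fail
"""

def parse_auth(text):
    """Parse comma-separated auth records into dicts; skip malformed lines."""
    fields = ("time", "src_user", "dst_user", "src_comp", "dst_comp",
              "auth_type", "logon_type", "orientation", "outcome")
    records = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != len(fields):
            continue
        records.append(dict(zip(fields, parts)))
    return records

def build_baseline(records):
    """Count successful 1-hop logon paths (src_comp -> dst_comp) in history."""
    counts = Counter()
    for r in records:
        if r["outcome"] == "Success" and r["orientation"] == "LogOn":
            counts[(r["src_comp"], r["dst_comp"])] += 1
    return counts

def normality_index(baseline, src, dst):
    """Assumed index: share of src's historical successful logons that went
    to dst. A never-seen path (or never-seen source host) scores 0.0."""
    outbound = sum(c for (s, _), c in baseline.items() if s == src)
    if outbound == 0:
        return 0.0
    return baseline[(src, dst)] / outbound

def flag_events(baseline, events, threshold):
    """Return (score, flagged) per (src, dst) event; flagged when score < threshold."""
    out = []
    for src, dst in events:
        s = normality_index(baseline, src, dst)
        out.append((s, s < threshold))
    return out

def evaluate(flags, labels):
    """TPR, FPR and accuracy from per-event flags and ground-truth labels."""
    tp = sum(f and l for f, l in zip(flags, labels))
    fn = sum((not f) and l for f, l in zip(flags, labels))
    fp = sum(f and (not l) for f, l in zip(flags, labels))
    tn = sum((not f) and (not l) for f, l in zip(flags, labels))
    tpr = tp / (tp + fn) if tp + fn else 0.0
    fpr = fp / (fp + tn) if fp + tn else 0.0
    acc = (tp + tn) / len(labels)
    return tpr, fpr, acc

# Constructed evaluation window: (src_comp, dst_comp, is_lateral_movement).
EVENTS = [
    ("C1", "C2", False), ("C1", "C3", False), ("C2", "C5", False),
    ("C1", "C4", False), ("C3", "C5", False),
    ("C1", "C9", True),   # path never seen as a successful logon in history
    ("C2", "C7", True),   # new destination for a known source host
    ("C7", "C8", True),   # source host has no login history at all
    ("C4", "C6", False),  # benign but new path: a false positive
    ("C1", "C2", True),   # attacker riding the most common path: a false negative
]

def run_demo(threshold=0.05):
    """Build the baseline from HISTORY, score EVENTS, return (TPR, FPR, accuracy)."""
    baseline = build_baseline(parse_auth(HISTORY))
    scored = flag_events(baseline, [(s, d) for s, d, _ in EVENTS], threshold)
    return evaluate([f for _, f in scored], [lab for _, _, lab in EVENTS])

if __name__ == "__main__":
    tpr, fpr, acc = run_demo()
    print(f"TPR={tpr:.2%} FPR={fpr:.2%} accuracy={acc:.2%}")
```

The two deliberately mislabelled events at the end of `EVENTS` show the two error classes a path-frequency score produces: a legitimately new path raises a false positive, and an attacker who reuses an already common path (for example with stolen credentials of a user who normally takes it) is not caught by this index at all. The paper's reported 98.66% TPR and 0.74% FPR come from its own index and the LANL data, not from this toy.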



  Cite this article

[IEEE Style]

S. Shim, S. Kim, S. Im, S. Koo, B. Cho, K. Kim, T. Kim, "A Study of Detecting Lateral Movement Using Large-Scale Authentication Log," The Journal of Korean Institute of Communications and Information Sciences, vol. 46, no. 11, pp. 1862-1872, 2021. DOI: 10.7840/kics.2021.46.11.1862.

[ACM Style]

Shinwoo Shim, Sang-soo Kim, Sun-Young Im, Sung-mo Koo, Byoungmo Cho, Kwangsoo Kim, and Taekyu Kim. 2021. A Study of Detecting Lateral Movement Using Large-Scale Authentication Log. The Journal of Korean Institute of Communications and Information Sciences, 46, 11, (2021), 1862-1872. DOI: 10.7840/kics.2021.46.11.1862.

[KICS Style]

Shinwoo Shim, Sang-soo Kim, Sun-Young Im, Sung-mo Koo, Byoungmo Cho, Kwangsoo Kim, Taekyu Kim, "A Study of Detecting Lateral Movement Using Large-Scale Authentication Log," The Journal of Korean Institute of Communications and Information Sciences, vol. 46, no. 11, pp. 1862-1872, 11. 2021. (https://doi.org/10.7840/kics.2021.46.11.1862)