D2M: Dynamic Defense and Modeling of Adversarial Movement in Networks

@inproceedings{Freitas2020D2MDD,
  title={D2M: Dynamic Defense and Modeling of Adversarial Movement in Networks},
  author={Scott Freitas and Andrew W. Wicker and Duen Horng Chau and Joshua Neil},
  booktitle={SDM},
  year={2020}
}
Given a large enterprise network of devices and their authentication history (e.g., device logons), how can we quantify network vulnerability to lateral attack and identify at-risk devices? We systematically address these problems through D2M, the first framework that models lateral attacks on enterprise networks using multiple attack strategies developed with researchers, engineers, and threat hunters in the Microsoft Defender Advanced Threat Protection group. These strategies integrate real…
Hopper: Modeling and Detecting Lateral Movement
TLDR
Hopper is presented, a system for detecting lateral movement based on commonly available enterprise logs that achieves a 94.5% detection rate across over 300 realistic attack scenarios, including one red team attack, while generating an average of < 9 alerts per day.
Hopper: Modeling and Detecting Lateral Movement (Extended Report)
TLDR
Hopper is presented, a system for detecting lateral movement based on commonly available enterprise logs that achieves a 94.5% detection rate across over 300 realistic attack scenarios, including one red team attack, while generating an average of < 9 alerts per day.
MalNet: A Large-Scale Cybersecurity Image Database of Malicious Software
TLDR
MALNET is introduced, the largest publicly available cybersecurity image database, offering 133× more images and 27× more classes than the only other public binary-image database, and unlocks new and exciting cybersecurity opportunities to the computer vision community.
Evaluating Graph Vulnerability and Robustness using TIGER
TLDR
TIGER, an open-sourced Python toolbox that democratizes the tools required to study network robustness, is contributed to assist researchers and practitioners in analyzing their own networks and to facilitate the development of new research in the field.
Graph Vulnerability and Robustness: A Survey
TLDR
This survey guides researchers and practitioners in navigating the expansive field of network robustness, while summarizing answers to key questions, and highlights current research directions and open problems.

References

Latte: Large-Scale Lateral Movement Detection
TLDR
Latte, a graph-based detection system to discover potential malicious lateral movement paths in a compromised network, models computers and accounts as nodes, and computer-to-computer connections or user logon events as edges, to deal with the challenges of large-scale data and little knowledge of the attackers.
A Game-Theoretic Approach to Respond to Attacker Lateral Movement
TLDR
This paper builds a defense-based zero-sum game in which the engine can efficiently delay an attacker that is moving laterally in the network from reaching the sensitive target, thus giving network administrators enough time to analyze the monitoring data and deploy effective actions to neutralize any impending threats.
Attack chain detection
TLDR
It is shown empirically that events in different parts of the attack chain are largely independent under nonattack conditions, which suggests that a powerful detector can be constructed by combining across events spanning the attack.
Scalable, graph-based network vulnerability analysis
TLDR
This paper revisits the idea of attack graphs themselves, and argues that they represent more information explicitly than is necessary for the analyst, and proposes a more compact and scalable representation.
Connected Components and Credential Hopping in Authentication Graphs
TLDR
This work examines computer network risk associated with credential hopping by creating and studying the structure of the authentication graph, a bipartite graph built from authentication events, and proposes a mitigation strategy and performs experiments simulating an implementation using data from a large enterprise network.
Authentication graphs: Analyzing user behavior within an enterprise network
TLDR
Graph-based approaches to user classification and intrusion detection with practical results and a method for assessing network authentication trust risk and cyber attack mitigation within an enterprise network using bipartite authentication graphs are shown.
Lateral Movement Detection Using Distributed Data Fusion
TLDR
This paper proposes a framework for distributed data fusion that specifies the communication architecture and data transformation functions, and specifies an approach for lateral movement detection that uses host-level process communication graphs to infer network connection causations.
Anatomy of Drive-by Download Attack
TLDR
This paper presents a framework derived from an analysis of drive-by download attacks that focuses on potential state changes seen when Internet browsers render HTML documents; it can be used to identify potential features that have not yet been exploited and to reason about the challenges of using those features in detecting drive-by download attacks.
Two formal analyses of attack graphs
TLDR
This paper presents an algorithm for generating attack graphs using model checking as a subroutine, and provides a formal characterization of this problem, proving that it is polynomially equivalent to the minimum hitting set problem and presenting a greedy algorithm with provable bounds.
Node Immunization on Large Graphs: Theory and Algorithms
TLDR
A novel 'bridging' score Dλ is proposed, inspired by immunology, and it is shown that its results agree with intuition for several realistic settings and the proposed fast solution is up to seven orders of magnitude faster than straightforward alternatives.