Towards efficient reconstruction of attacker lateral movement
Publication type
Conference Paper
Date Issued
2019
Language
German
Author(s)
Start Page
1
End Page
9
Article Number
3339254
Citation
ARES '19: Proceedings of the 14th International Conference on Availability, Reliability and Security: 3339254 1-9 (2019)
Contribution to Conference
Publisher DOI
Scopus ID
Publisher
Association for Computing Machinery
Organization and government networks are a target of Advanced Persistent Threats (APTs), i.e., stealthy attackers that infiltrate networks slowly and usually stay undetected for long periods of time. After an attack has been discovered, security administrators have to manually determine which hosts were compromised in order to clean and restore them. For that, they have to analyze a large number of hosts. In this paper, we propose an approach to efficiently reconstruct the lateral movement of attackers from a given set of indicators of compromise (IoCs) that can help security administrators to identify and prioritize potentially compromised hosts. To reconstruct attacker paths in a network, we link hosts with IoCs via two methods: k-shortest-paths and biased random walks. To evaluate the accuracy of these approaches in reconstructing attack paths, we introduce three models of attackers that differ in their network knowledge. Our results indicate that we can approximate the lateral movement of the three proposed attacker models, even when the attacker significantly deviates from them. For insider attackers that deviate up to 75% from our models, the method based on k-shortest-paths achieves a true positive rate of 88% and can significantly narrow down the set of nodes to analyze to 5% of all network hosts.
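The two linking methods named in the abstract, k-shortest-paths and biased random walks, as an added illustration that is not the paper's code. The network, the hostnames and the IoC hosts are constructed; the path enumeration is an exhaustive DFS that only suits a toy graph; the walk bias (weight 1/(1+hops to the target IoC host)) and the fixed triage budget are assumptions made for the example, since the abstract does not specify how the random walks are biased.

```python
"""Added example (not the paper's code): rank hosts for triage by linking IoC
hosts through a network graph with k-shortest-paths and biased random walks."""
from collections import Counter, deque
from itertools import combinations
import random

# Constructed toy network (undirected adjacency list); hostnames are invented.
NETWORK = {
    "ws-01": ["ws-02", "fs-01"],
    "ws-02": ["ws-01", "fs-01", "ws-03"],
    "ws-03": ["ws-02", "jump-01"],
    "fs-01": ["ws-01", "ws-02", "jump-01", "db-01"],
    "jump-01": ["fs-01", "ws-03", "dc-01"],
    "db-01": ["fs-01", "dc-01"],
    "dc-01": ["jump-01", "db-01"],
}
# Hosts on which indicators of compromise were found (constructed).
IOC_HOSTS = {"ws-01", "dc-01"}


def simple_paths(graph, src, dst):
    """Enumerate every simple path src -> dst by DFS.

    Exhaustive enumeration is fine for a toy graph; a real network needs
    Yen's algorithm or a hop-limited search instead (assumption for brevity).
    """
    stack = [(src, [src])]
    while stack:
        node, path = stack.pop()
        if node == dst:
            yield path
            continue
        for nxt in graph[node]:
            if nxt not in path:
                stack.append((nxt, path + [nxt]))


def k_shortest_paths(graph, src, dst, k):
    """The k shortest simple paths; ties broken lexicographically for determinism."""
    return sorted(simple_paths(graph, src, dst), key=lambda p: (len(p), p))[:k]


def rank_by_k_shortest_paths(graph, iocs, k=3):
    """Score each non-IoC host by how many k-shortest paths between IoC pairs cross it."""
    counts = Counter()
    for a, b in combinations(sorted(iocs), 2):
        for path in k_shortest_paths(graph, a, b, k):
            counts.update(h for h in path[1:-1] if h not in iocs)
    return counts.most_common()


def bfs_distances(graph, target):
    """Hop distance from every reachable host to target (single-source BFS)."""
    dist = {target: 0}
    queue = deque([target])
    while queue:
        node = queue.popleft()
        for nxt in graph[node]:
            if nxt not in dist:
                dist[nxt] = dist[node] + 1
                queue.append(nxt)
    return dist


def biased_random_walk(graph, src, dst, rng, max_steps=20):
    """Walk from src toward dst, preferring neighbours with fewer hops to dst.

    Assumed bias (not from the paper): weight 1/(1 + hops to dst).  The walk
    stops on reaching dst or after max_steps; the visited path is returned.
    """
    dist = bfs_distances(graph, dst)
    path, node = [src], src
    for _ in range(max_steps):
        if node == dst:
            break
        nbrs = graph[node]
        weights = [1.0 / (1 + dist.get(n, max_steps)) for n in nbrs]
        node = rng.choices(nbrs, weights=weights, k=1)[0]
        path.append(node)
    return path


def rank_by_random_walks(graph, iocs, walks=200, seed=1):
    """Score non-IoC hosts by how many biased walks between IoC pairs visit them."""
    rng = random.Random(seed)  # seeded so the ranking is reproducible
    counts = Counter()
    for a, b in combinations(sorted(iocs), 2):
        for _ in range(walks):
            counts.update(set(biased_random_walk(graph, a, b, rng)) - iocs)
    return counts.most_common()


def triage_set(ranking, fraction, total_hosts):
    """Hosts to analyze first, limited to a fraction of the network (assumed budget)."""
    budget = max(1, round(fraction * total_hosts))
    return [h for h, _ in ranking[:budget]]


if __name__ == "__main__":
    print("k-shortest-paths:", rank_by_k_shortest_paths(NETWORK, IOC_HOSTS, k=3))
    print("random walks:", rank_by_random_walks(NETWORK, IOC_HOSTS))
    print("triage first:", triage_set(rank_by_k_shortest_paths(NETWORK, IOC_HOSTS), 0.3, len(NETWORK)))
```

On the toy graph both rankings put the file server that every short ws-01 to dc-01 route crosses at the top, which is the point of the method: an administrator analyzes the handful of hosts the reconstructed paths share before touching the rest of the network. On a real network the DFS enumeration must be replaced by a proper k-shortest-paths algorithm, and the walk bias and budget should be tuned against the attacker models the paper evaluates.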
DDC Class
004: Computer science