Cite this article:
  • Wang Tian, Dong Cong, Liu Song, Tian Tian, Lu Zhigang, Jiang Bo. Lateral Movement Detection Using Heterogeneous Graph Network [J]. Journal of Cyber Security, accepted.
Lateral Movement Detection Using Heterogeneous Graph Network (title translated from the Chinese)
Wang Tian, Dong Cong, Liu Song, Tian Tian, Lu Zhigang, Jiang Bo
(Institute of Information Engineering, Chinese Academy of Sciences)
Abstract (translated from the Chinese):
In recent years, with the rapid development of the Internet, advanced persistent threats have become increasingly frequent. Lateral movement, an important step in the APT attack process, is usually accompanied by damage to the internal network and theft of confidential data and causes great harm to enterprises, yet its high degree of stealth often makes it difficult to detect and prevent. This paper therefore proposes HGLM, a two-stage lateral movement detection method based on a heterogeneous graph network. First, from the authentication logs of the internal network, the login behaviour between users and hosts is structured as graphs: a user login graph and a source host path graph. Two-stage anomaly detection is then performed on these graphs. In the first stage, a graph model whose training objective is mutual-information maximization is trained without supervision on the user login graph to obtain feature representations of each user's authentication behaviour across hosts, and the Local Outlier Factor algorithm is applied to these representations to obtain a small set of anomalous samples. In the second stage, the source host path graph and the small number of anomalous samples from the first stage are used to train a heterogeneous graph attention network in a semi-supervised manner, which detects lateral movement attack behaviour. The method is further evaluated and validated on the real-world dataset CMCS Events. Compared with other methods, the proposed method achieves high precision and a low false-positive rate, and requires no sample labels.
Keywords: intrusion detection; lateral movement; graph neural network; anomaly detection; malicious login
DOI:10.19363/J.cnki.cn10-1380/tn.2023.08.12
Received: 2021-02-01   Revised: 2021-03-10
Funding:
Lateral Movement Detection Using Heterogeneous Graph Network
Wang Tian, Dong Cong, Liu Song, Tian Tian, Lu Zhigang, Jiang Bo
(Institute of Information Engineering, Chinese Academy of Sciences)
Abstract:
With the rapid development of the Internet, advanced persistent threats have become more frequent. Lateral movement, an important part of the APT attack cycle, usually co-occurs with the destruction of internal networks and the theft of confidential data, causing great harm to enterprises, and its high degree of concealment often makes lateral movement attacks difficult to detect and prevent. Therefore, we propose HGLM, a two-stage approach based on a heterogeneous graph network for detecting lateral movement attacks. First, from the authentication logs of the internal network, we construct the User Authentication Graph and the Host Path Graph to represent the login behaviour between users and hosts, and then perform two-stage anomaly detection on these graphs. In the first stage, we train a graph model without supervision, with mutual-information maximization as its objective, on the User Authentication Graph to learn a feature representation of each user's authentication behaviour among hosts, and then flag a small set of abnormal samples with the Local Outlier Factor algorithm. In the second stage, we use the Heterogeneous Graph Attention Network algorithm to train a semi-supervised model on the Host Path Graph, seeded with the small number of abnormal samples obtained in the first stage, and use it to detect lateral movement attacks. Furthermore, our approach is evaluated and verified on the dataset CMCS Events. Compared with other methods, our approach has high TPR and low FPR, and does not require labeled samples.
Key words: intrusion detection; lateral movement; graph neural network; anomaly detection; malicious login
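To make the pipeline in the abstract concrete, the following Python is an added example (not the authors' HGLM code) that structures a handful of constructed authentication events into the two graphs described, a user login graph and a source host path graph, and then runs a Local Outlier Factor over a per-user feature vector as the first-stage screen. The hand-crafted features (distinct destination hosts, attempt count, failure count) stand in for the mutual-information-trained embedding, and the heterogeneous graph attention second stage is not reproduced; the event format, host names, user names and the LOF threshold are all assumptions made for the illustration.

```python
"""Added example (not the authors' HGLM code): structure authentication events
into the user login graph and the source host path graph, then score users
with a Local Outlier Factor (LOF) as a first-stage screen."""
from collections import defaultdict
from math import sqrt

# Constructed sample events: (time, user, src_host, dst_host, success).
# Five ordinary users plus "mallory", whose session fans out from WS05 to
# seven hosts with two failures, the shape of a lateral-movement sweep.
SAMPLE_EVENTS = [
    ("09:00", "alice", "WS01", "FS01", True),
    ("09:05", "alice", "WS01", "MAIL", True),
    ("09:40", "alice", "WS01", "PRINT", True),
    ("10:00", "alice", "WS01", "FS01", True),
    ("09:10", "bob", "WS02", "FS01", True),
    ("09:12", "bob", "WS02", "MAIL", True),
    ("09:20", "carol", "WS03", "FS01", True),
    ("09:21", "carol", "WS03", "MAIL", False),
    ("09:22", "carol", "WS03", "MAIL", True),
    ("09:30", "dave", "WS04", "FS01", True),
    ("11:30", "dave", "WS04", "FS01", True),
    ("09:50", "erin", "WS06", "FS01", True),
    ("09:55", "erin", "WS06", "MAIL", True),
    ("10:10", "erin", "WS06", "HR01", True),
    ("23:01", "mallory", "WS05", "WS01", True),
    ("23:02", "mallory", "WS05", "WS02", False),
    ("23:02", "mallory", "WS05", "WS03", True),
    ("23:03", "mallory", "WS05", "DC01", True),
    ("23:03", "mallory", "WS05", "FS01", True),
    ("23:04", "mallory", "WS05", "WS04", True),
    ("23:05", "mallory", "WS05", "SQL01", False),
]


def build_user_login_graph(events):
    """User login graph: user -> destination host, weighted by attempt count."""
    graph = defaultdict(lambda: defaultdict(int))
    for _, user, _, dst, _ in events:
        graph[user][dst] += 1
    return graph


def build_host_path_graph(events):
    """Source host path graph: src_host -> dst_host, labelled with the users
    that authenticated along that edge."""
    graph = defaultdict(lambda: defaultdict(set))
    for _, user, src, dst, _ in events:
        graph[src][dst].add(user)
    return graph


def user_features(events):
    """Hand-crafted stand-in for the learned embedding:
    (distinct destination hosts, total attempts, failed attempts)."""
    hosts, total, failed = defaultdict(set), defaultdict(int), defaultdict(int)
    for _, user, _, dst, ok in events:
        hosts[user].add(dst)
        total[user] += 1
        failed[user] += 0 if ok else 1
    return {u: (float(len(hosts[u])), float(total[u]), float(failed[u])) for u in hosts}


def _dist(a, b):
    return sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def local_outlier_factor(points, k=2):
    """LOF of Breunig et al.: ~1 means as dense as the neighbourhood, >1 sparser.
    Points tied at the k-th distance all count as neighbours, per the definition."""
    names = list(points)
    neigh, kdist = {}, {}
    for p in names:
        ranked = sorted((_dist(points[p], points[q]), q) for q in names if q != p)
        kdist[p] = ranked[min(k, len(ranked)) - 1][0]
        neigh[p] = [q for d, q in ranked if d <= kdist[p]]
    lrd = {}
    for p in names:
        # reachability distance smooths out noise inside dense clusters;
        # the epsilon keeps exact duplicates from dividing by zero
        reach = sum(max(kdist[o], _dist(points[p], points[o])) for o in neigh[p])
        lrd[p] = len(neigh[p]) / (reach + 1e-12)
    return {p: sum(lrd[o] for o in neigh[p]) / len(neigh[p]) / lrd[p] for p in names}


def stage_one_anomalies(events, k=2, threshold=1.5):
    """Users whose LOF exceeds the threshold; in HGLM these few flagged samples
    would seed the semi-supervised second stage rather than be a final verdict."""
    scores = local_outlier_factor(user_features(events), k)
    return sorted(u for u, s in scores.items() if s > threshold)


if __name__ == "__main__":
    login, paths = build_user_login_graph(SAMPLE_EVENTS), build_host_path_graph(SAMPLE_EVENTS)
    for u, s in sorted(local_outlier_factor(user_features(SAMPLE_EVENTS)).items()):
        print(f"{u:8s} hosts={len(login[u])} lof={s:.2f}")
    print("flagged:", stage_one_anomalies(SAMPLE_EVENTS), "WS05 ->", sorted(paths["WS05"]))
```

On this constructed data the five ordinary users score close to 1 while mallory scores well above the threshold, so only mallory is handed to the second stage. The point of the two-stage design the abstract describes is that this first screen only has to be precise on a few samples: the host path graph (here, WS05 reaching seven hosts in four minutes, including DC01) is what the second, semi-supervised stage reasons over, using the screened users as its only labels.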