Lateral Movement Attack Detection Method Based on Heterogeneous Graph Networks
王天, 董聪, 刘松, 田甜, 卢志刚, 姜波
(Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China; School of Cyber Security, University of Chinese Academy of Sciences, Beijing 100049, China)
Abstract:
In recent years, with the rapid development of the Internet, advanced persistent threats have become increasingly frequent. Lateral movement, an important stage of the attack chain, is the main process by which attackers carry out attacks after entering the internal network; it is usually accompanied by damage to the internal network and the theft of confidential data, and causes great harm to enterprises. Because of its high unpredictability and deep concealment, traditional intrusion detection techniques struggle to cope with such attacks. This paper therefore proposes HGLM, a two-stage lateral movement attack detection method based on heterogeneous graph networks, which converts lateral movement attack detection into an anomaly detection task on a graph by structuring logs as graphs. First, based on the internal network's authentication logs, the login behavior between users and hosts is structured as graphs, building a user login graph and a source host path graph; two-stage anomaly detection is then performed on these graphs. In the first stage, based on the user login graph, a graph model with the objective of maximizing mutual information is trained without supervision to obtain feature representations of users' authentication behavior across hosts, and the Local Outlier Factor algorithm is then applied to obtain a set of anomalous samples. In the second stage, based on the source host path graph and the small number of anomalous samples from the first stage, a Heterogeneous Graph Attention Network is trained in a semi-supervised manner to detect lateral movement attacks. The proposed method is further evaluated and validated on the real-world dataset CMCS Events. The experimental results show that the method can effectively detect lateral movement without sample labels, reaching an AUC of 95.53% on the dataset; compared with traditional SVM and GBDT models, HGLM requires no labeled samples and improves the TPR by more than 10%, giving high recall and a low false positive rate.
Keywords: intrusion detection; lateral movement; graph neural network; anomaly detection; malicious login
DOI: 10.19363/J.cnki.cn10-1380/tn.2023.08.12
Received: 2021-02-01; Revised: 2021-03-10
Funding: This work was supported by the National Key R&D Program of China (No. 2019QY1300, No. 2018YFB0803602), the Youth Innovation Promotion Association of the Chinese Academy of Sciences (No. 2021156), the Strategic Priority Research Program (Category C) of the Chinese Academy of Sciences (No. XDC02040100), and the National Natural Science Foundation of China Youth Fund (No. 61802404). This work was also partly supported by the Key Laboratory of Network Assessment Technology, Chinese Academy of Sciences, and the Beijing Key Laboratory of Network Security and Protection Technology.
Lateral Movement Detection Using Heterogeneous Graph Network
WANG Tian,DONG Cong,LIU Song,TIAN Tian,LU Zhigang,JIANG Bo
Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China; School of Cyber Security, University of Chinese Academy of Sciences, Beijing 100049, China
Abstract:
With the rapid development of the Internet, advanced persistent threats have become more frequent. Lateral movement, an important part of the attack cycle, is the main process by which attackers conduct an attack once inside the internal network; it usually co-occurs with the destruction of internal networks and the theft of confidential data, causing great harm to enterprises. Because of its high unpredictability and depth of concealment, traditional intrusion detection technology has difficulty dealing with such attacks. Therefore, we propose HGLM, a two-phase lateral movement attack detection method based on heterogeneous graph networks, which converts lateral movement attack detection into an anomaly detection task on a graph by means of log graph structuring. First, based on the authentication log of the internal network, we construct the User Authentication Graph and the Host Path Graph to represent the login behavior between users and hosts, and then perform two-stage anomaly detection on these graphs. In the first stage, we train a graph model with the goal of maximizing mutual information in an unsupervised manner on the User Authentication Graph to learn a feature representation of users' authentication behavior among hosts, and then detect some abnormal samples with the Local Outlier Factor algorithm. In the second stage, we use the Heterogeneous Graph Attention Network algorithm to train a semi-supervised model on the Host Path Graph and the small number of abnormal samples obtained in the first stage, and use it to detect lateral movement attacks. Furthermore, our approach is evaluated and verified on the CMCS Events dataset. The experimental results show that our approach can effectively detect lateral movement behavior without sample labels, with an AUC value of 95.53% on the dataset. Compared with traditional SVM and GBDT models, HGLM does not need labeled samples, and the TPR of the model improves substantially, by more than 10%, giving high recall and a low false alarm rate.
Key words: intrusion detection; lateral movement; graph neural network; anomaly detection; malicious login
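As an added illustration of the log graph structuring step described in the abstract (example code written here, not the authors' implementation; the CSV-style event format and the exact edge definitions of the two graphs are assumptions), the following Python builds a User Authentication Graph and a Host Path Graph from a few constructed authentication events and reconstructs the longest multi-hop chain a user followed, the pattern that separates ordinary logins from movement across hosts:

```python
from collections import defaultdict

# Constructed sample events: user, source host, destination host, outcome.
# The schema is assumed for illustration; the paper's log format is not on the page.
AUTH_LOG = [
    "U1,C1,C2,Success",
    "U1,C2,C3,Success",
    "U2,C1,C4,Success",
    "U3,C5,C5,Success",
    "U3,C5,C6,Fail",
    "U1,C3,C7,Success",
]

def parse_events(lines):
    """Split each record into a (user, src, dst, outcome) tuple."""
    return [tuple(line.strip().split(",")) for line in lines]

def user_authentication_graph(events):
    """Bipartite user-host graph; edge weight = authentications of user to host."""
    g = defaultdict(lambda: defaultdict(int))
    for user, _src, dst, _outcome in events:
        g[user][dst] += 1
    return g

def host_path_graph(events):
    """Directed host-host graph: src -> dst carries the set of users who hopped it.
    Self-logins (src == dst) carry no movement and are dropped."""
    g = defaultdict(lambda: defaultdict(set))
    for user, src, dst, _outcome in events:
        if src != dst:
            g[src][dst].add(user)
    return g

def longest_chain(host_graph, user):
    """Longest simple src -> dst -> ... chain that `user` traversed;
    long chains are the multi-hop trail lateral movement leaves behind."""
    edges = defaultdict(list)
    for src, dsts in host_graph.items():
        for dst, users in dsts.items():
            if user in users:
                edges[src].append(dst)
    best = []
    def walk(node, path):
        nonlocal best
        if len(path) > len(best):
            best = list(path)
        for nxt in edges.get(node, []):
            if nxt not in path:          # simple paths only, no cycles
                walk(nxt, path + [nxt])
    for start in list(edges):
        walk(start, [start])
    return best
```

The per-user chain and the two graphs are the inputs a graph model or an outlier scorer such as LOF would consume; a user whose chain spans several hosts stands out against users who only ever log in to one.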