Collaborative Research: SaTC: CORE: Small: Flanker: Automatically Detecting Lateral Movement in Organizations Using Heterogeneous Data and Graph Representation Learning

协作研究：SaTC：核心：小型：侧翼：使用异构数据和图表示学习自动检测组织中的横向运动

• 批准号: 2127200
• 负责人: Engin Kirda
• 金额: $ 24.99万
• 依托单位: Northeastern University
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2021
• 资助国家: 美国
• 起止时间: 2021-10-01 至 2024-09-30
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=2127200&HistoricalAwards=false
• 关键词: Collaborative; Research; SaTC; CORE; Small

In modern cyberattacks, adversaries do not target single computer systems. Instead, they first set an initial foothold into a company's network and later amplify their breach by compromising additional assets, until they reach their final target inside an organization. This process of advancing computer breaches is known as lateral movement. Detecting lateral movement is challenging, because attackers can use multiple vectors for infection (e.g., phishing emails) and computer systems in a network present a large degree of diversity (e.g., workstations, network equipment). For this reason, no comprehensive system to effectively detect lateral movement is currently available. Yet, detecting and stopping computer breaches as soon as possible is critical to ensure the safety and the prosperity of U.S. corporations and citizens. The aim of this project is to fill this gap by developing Flanker, a system able to automatically detect lateral movement in the network of an organization. Unlike existing approaches, the goal of Flanker is to operate on a variety of data sources (e.g., data coming from network and applications) to be able to detect cyberattacks as they span different online services and computers across the organization.This project consists of four phases. In the first phase the investigators collect heterogeneous datasets from a variety of sources and develop techniques to clean them from noise and anonymize them to protect the identity of users. In the second phase this data is used to build a graph that represents network activity, and graph representation learning approaches are used to build a model for this network activity. In the third phase this model is used to automatically detect lateral movement attacks, by either applying anomaly detection or supervised learning techniques. Finally, the investigators develop visualization techniques to enable a security analyst to properly understand the detection results and adopt appropriate countermeasures against the attack.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

在现代网络攻击中，对手不会以单一计算机系统为目标。相反，他们首先在公司的网络中建立一个最初的立足点，然后通过牺牲额外的资产来扩大他们的漏洞，直到他们达到组织内部的最终目标。这种推进计算机入侵的过程被称为横向移动。检测横向移动是具有挑战性的，因为攻击者可以使用感染的多个媒介(例如，网络钓鱼电子邮件)，并且网络中的计算机系统呈现很大程度的多样性(例如，工作站、网络设备)。出于这个原因，目前还没有全面的系统来有效地检测横向移动。然而，尽快发现和阻止计算机入侵对于确保美国企业和公民的安全和繁荣至关重要。这个项目的目的是通过开发FLANKER来填补这一空白，这是一个能够自动检测组织网络中的横向移动的系统。与现有方法不同，Fanker的目标是对各种数据源(例如，来自网络和应用程序的数据)进行操作，以便能够检测跨越组织中不同在线服务和计算机的网络攻击。该项目包括四个阶段。在第一阶段，调查人员从各种来源收集不同的数据集，并开发技术将它们从噪音中清除出来，并将它们匿名化以保护用户的身份。在第二阶段，这些数据被用来构建表示网络活动的图，并使用图表示学习方法来构建该网络活动的模型。在第三阶段，该模型用于通过应用异常检测或有监督学习技术来自动检测侧向移动攻击。最后，调查人员开发可视化技术，使安全分析师能够正确了解检测结果并采取适当的攻击对策。该奖项反映了NSF的法定使命，并通过使用基金会的智力优势和更广泛的影响审查标准进行评估，被认为值得支持。