Collaborative Research: SaTC: CORE: Small: Flanker: Automatically Detecting Lateral Movement in Organizations Using Heterogeneous Data and Graph Representation Learning

协作研究：SaTC：核心：小型：侧翼：使用异构数据和图表示学习自动检测组织中的横向运动

• 批准号: 2127232
• 负责人: Gianluca Stringhini
• 金额: $ 25万
• 依托单位: Trustees of Boston University
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2021
• 资助国家: 美国
• 起止时间: 2021-10-01 至 2024-09-30
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=2127232&HistoricalAwards=false
• 关键词: Collaborative; Research; SaTC; CORE; Small

In modern cyberattacks, adversaries do not target single computer systems. Instead, they first set an initial foothold into a company's network and later amplify their breach by compromising additional assets, until they reach their final target inside an organization. This process of advancing computer breaches is known as lateral movement. Detecting lateral movement is challenging, because attackers can use multiple vectors for infection (e.g., phishing emails) and computer systems in a network present a large degree of diversity (e.g., workstations, network equipment). For this reason, no comprehensive system to effectively detect lateral movement is currently available. Yet, detecting and stopping computer breaches as soon as possible is critical to ensure the safety and the prosperity of U.S. corporations and citizens. The aim of this project is to fill this gap by developing Flanker, a system able to automatically detect lateral movement in the network of an organization. Unlike existing approaches, the goal of Flanker is to operate on a variety of data sources (e.g., data coming from network and applications) to be able to detect cyberattacks as they span different online services and computers across the organization.This project consists of four phases. In the first phase the investigators collect heterogeneous datasets from a variety of sources and develop techniques to clean them from noise and anonymize them to protect the identity of users. In the second phase this data is used to build a graph that represents network activity, and graph representation learning approaches are used to build a model for this network activity. In the third phase this model is used to automatically detect lateral movement attacks, by either applying anomaly detection or supervised learning techniques. Finally, the investigators develop visualization techniques to enable a security analyst to properly understand the detection results and adopt appropriate countermeasures against the attack.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

在现代的网络攻击中，对手并不针对单一计算机系统。 取而代之的是，他们首先将初始立足点设置为公司的网络，然后通过损害其他资产来扩大其违约，直到他们达到组织内部的最终目标。这种推进计算机漏洞的过程称为横向运动。检测横向运动是具有挑战性的，因为攻击者可以使用多个向量的感染（例如网络钓鱼电子邮件）和网络中的计算机系统具有很大程度的多样性（例如，工作站，网络设备）。因此，目前没有有效检测横向运动的全面系统。但是，尽快发现和停止计算机漏洞对于确保美国公司和公民的安全和繁荣至关重要。该项目的目的是通过开发侧翼来填补这一空白，该系统能够自动检测组织网络中的横向运动。与现有方法不同，侧翼的目标是在各种数据源（例如来自网络和应用程序的数据）上运行，以便能够检测到网络攻击，因为它们跨越了整个组织的不同在线服务和计算机。该项目构成了四个阶段。在第一阶段，研究人员从各种来源收集了异质数据集，并开发技术以清除噪声并匿名化以保护用户的身份。在第二阶段中，该数据用于构建代表网络活动的图，并使用图表表示方法来构建该网络活动的模型。在第三阶段，该模型用于通过应用异常检测或监督学习技术自动检测横向运动攻击。最后，研究人员开发了可视化技术，以使安全分析师能够正确理解检测结果并采取适当的对策，以反对袭击。该奖项反映了NSF的法定任务，并被认为是通过基金会的智力优点和更广泛的影响来通过评估来获得支持的。

项目成果

FirmSolo: Enabling dynamic analysis of binary Linux-based IoT kernel modules

• 发表时间: 2023
• 作者: Ioannis Angelakopoulos;G. Stringhini;Manuel Egele

Shedding Light on the Targeted Victim Profiles of Malicious Downloaders

• DOI: 10.1145/3538969.3544435
• 发表时间: 2022-08
• 期刊: Proceedings of the 17th International Conference on Availability, Reliability and Security
• 作者: François Labrèche;Enrico Mariconti;G. Stringhini

Cerberus: Exploring Federated Prediction of Security Events

• DOI: 10.1145/3548606.3560580
• 发表时间: 2022-09
• 期刊: Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security
• 作者: Mohammad Naseri;Yufei Han;Enrico Mariconti;Yun Shen;G. Stringhini;Emiliano De Cristofaro

Finding MNEMON: Reviving Memories of Node Embeddings

• DOI: 10.1145/3548606.3559358
• 发表时间: 2022-04
• 期刊: Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security
• 作者: Yun Shen;Yufei Han;Zhikun Zhang;Min Chen;Tingyue Yu;Michael Backes;Yang Zhang;G. Stringhini