Collaborative Research: SaTC: CORE: Small: Flanker: Automatically Detecting Lateral Movement in Organizations Using Heterogeneous Data and Graph Representation Learning

协作研究：SaTC：核心：小型：侧翼：使用异构数据和图表示学习自动检测组织中的横向运动

• 批准号: 2127232
• 负责人: Gianluca Stringhini
• 金额: $ 25万
• 依托单位: Trustees of Boston University
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2021
• 资助国家: 美国
• 起止时间: 2021-10-01 至 2024-09-30
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=2127232&HistoricalAwards=false
• 关键词: Collaborative; Research; SaTC; CORE; Small

In modern cyberattacks, adversaries do not target single computer systems. Instead, they first set an initial foothold into a company's network and later amplify their breach by compromising additional assets, until they reach their final target inside an organization. This process of advancing computer breaches is known as lateral movement. Detecting lateral movement is challenging, because attackers can use multiple vectors for infection (e.g., phishing emails) and computer systems in a network present a large degree of diversity (e.g., workstations, network equipment). For this reason, no comprehensive system to effectively detect lateral movement is currently available. Yet, detecting and stopping computer breaches as soon as possible is critical to ensure the safety and the prosperity of U.S. corporations and citizens. The aim of this project is to fill this gap by developing Flanker, a system able to automatically detect lateral movement in the network of an organization. Unlike existing approaches, the goal of Flanker is to operate on a variety of data sources (e.g., data coming from network and applications) to be able to detect cyberattacks as they span different online services and computers across the organization.This project consists of four phases. In the first phase the investigators collect heterogeneous datasets from a variety of sources and develop techniques to clean them from noise and anonymize them to protect the identity of users. In the second phase this data is used to build a graph that represents network activity, and graph representation learning approaches are used to build a model for this network activity. In the third phase this model is used to automatically detect lateral movement attacks, by either applying anomaly detection or supervised learning techniques. Finally, the investigators develop visualization techniques to enable a security analyst to properly understand the detection results and adopt appropriate countermeasures against the attack.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

在现代网络攻击中，对手不会以单个计算机系统为目标。相反，他们首先在公司网络中建立一个最初的立足点，然后通过破坏其他资产来扩大他们的破坏，直到他们到达组织内部的最终目标。这种推进计算机入侵的过程被称为横向移动。检测横向移动是具有挑战性的，因为攻击者可以使用多种感染媒介（例如，网络钓鱼电子邮件），并且网络中的计算机系统存在很大程度的多样性（例如，工作站，网络设备）。由于这个原因，目前还没有全面的系统可以有效地检测横向移动。然而，尽快发现并阻止计算机入侵对确保美国企业和公民的安全和繁荣至关重要。这个项目的目的是通过开发Flanker来填补这一空白，Flanker是一个能够自动检测组织网络中的横向移动的系统。与现有的方法不同，Flanker的目标是对各种数据源（例如，来自网络和应用程序的数据）进行操作，以便能够检测跨组织中不同在线服务和计算机的网络攻击。本项目分为四个阶段。在第一阶段，研究人员从各种来源收集异构数据集，并开发技术来清除噪声并将其匿名化以保护用户的身份。在第二阶段，使用这些数据构建表示网络活动的图，并使用图表示学习方法为该网络活动构建模型。在第三阶段，通过应用异常检测或监督学习技术，将该模型用于自动检测横向移动攻击。最后，调查人员开发可视化技术，使安全分析人员能够正确地理解检测结果并采取适当的对策来应对攻击。该奖项反映了美国国家科学基金会的法定使命，并通过使用基金会的知识价值和更广泛的影响审查标准进行评估，被认为值得支持。

项目成果

FirmSolo: Enabling dynamic analysis of binary Linux-based IoT kernel modules

• 发表时间: 2023
• 作者: Ioannis Angelakopoulos;G. Stringhini;Manuel Egele

Shedding Light on the Targeted Victim Profiles of Malicious Downloaders

• DOI: 10.1145/3538969.3544435
• 发表时间: 2022-08
• 期刊: Proceedings of the 17th International Conference on Availability, Reliability and Security
• 作者: François Labrèche;Enrico Mariconti;G. Stringhini

Cerberus: Exploring Federated Prediction of Security Events

• DOI: 10.1145/3548606.3560580
• 发表时间: 2022-09
• 期刊: Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security
• 作者: Mohammad Naseri;Yufei Han;Enrico Mariconti;Yun Shen;G. Stringhini;Emiliano De Cristofaro

Finding MNEMON: Reviving Memories of Node Embeddings

• DOI: 10.1145/3548606.3559358
• 发表时间: 2022-04
• 期刊: Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security
• 作者: Yun Shen;Yufei Han;Zhikun Zhang;Min Chen;Tingyue Yu;Michael Backes;Yang Zhang;G. Stringhini