Collaborative Research: SaTC: CORE: Small: Flanker: Automatically Detecting Lateral Movement in Organizations Using Heterogeneous Data and Graph Representation Learning

协作研究：SaTC：核心：小型：侧翼：使用异构数据和图表示学习自动检测组织中的横向运动

• 批准号: 2127200
• 负责人: Engin Kirda
• 金额: $ 24.99万
• 依托单位: Northeastern University
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2021
• 资助国家: 美国
• 起止时间: 2021-10-01 至 2024-09-30
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=2127200&HistoricalAwards=false
• 关键词: Collaborative; Research; SaTC; CORE; Small

In modern cyberattacks, adversaries do not target single computer systems. Instead, they first set an initial foothold into a company's network and later amplify their breach by compromising additional assets, until they reach their final target inside an organization. This process of advancing computer breaches is known as lateral movement. Detecting lateral movement is challenging, because attackers can use multiple vectors for infection (e.g., phishing emails) and computer systems in a network present a large degree of diversity (e.g., workstations, network equipment). For this reason, no comprehensive system to effectively detect lateral movement is currently available. Yet, detecting and stopping computer breaches as soon as possible is critical to ensure the safety and the prosperity of U.S. corporations and citizens. The aim of this project is to fill this gap by developing Flanker, a system able to automatically detect lateral movement in the network of an organization. Unlike existing approaches, the goal of Flanker is to operate on a variety of data sources (e.g., data coming from network and applications) to be able to detect cyberattacks as they span different online services and computers across the organization.This project consists of four phases. In the first phase the investigators collect heterogeneous datasets from a variety of sources and develop techniques to clean them from noise and anonymize them to protect the identity of users. In the second phase this data is used to build a graph that represents network activity, and graph representation learning approaches are used to build a model for this network activity. In the third phase this model is used to automatically detect lateral movement attacks, by either applying anomaly detection or supervised learning techniques. Finally, the investigators develop visualization techniques to enable a security analyst to properly understand the detection results and adopt appropriate countermeasures against the attack.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

在现代网络攻击中，对手并不针对单个计算机系统。 相反，他们首先在公司网络中建立了最初的立足点，然后通过损害额外的资产来扩大他们的破坏，直到他们在组织内部达到最终目标。这种推进计算机漏洞的过程称为横向移动。检测横向移动具有挑战性，因为攻击者可以使用多个载体进行感染（例如网络钓鱼电子邮件），并且网络中的计算机系统呈现出很大程度的多样性（例如工作站、网络设备）。因此，目前还没有有效检测横向运动的综合系统。然而，尽快检测和阻止计算机泄露对于确保美国企业和公民的安全和繁荣至关重要。该项目的目的是通过开发 Flanker 来填补这一空白，Flanker 是一个能够自动检测组织网络中横向移动的系统。与现有方法不同，Flanker 的目标是对各种数据源（例如来自网络和应用程序的数据）进行操作，以便能够检测跨组织不同在线服务和计算机的网络攻击。该项目由四个部分组成阶段。在第一阶段，研究人员从各种来源收集异构数据集，并开发技术来清除数据中的噪音并对其进行匿名化，以保护用户的身份。在第二阶段，这些数据用于构建表示网络活动的图，并使用图表示学习方法来构建该网络活动的模型。在第三阶段，该模型用于通过应用异常检测或监督学习技术来自动检测横向移动攻击。最后，调查人员开发可视化技术，使安全分析师能够正确理解检测结果并针对攻击采取适当的对策。该奖项反映了 NSF 的法定使命，并通过使用基金会的智力价值和更广泛的影响审查进行评估，被认为值得支持标准。