Detecting malicious logins as graph anomalies

  • 2019-09-19 15:28:59
  • Brian A. Powell
  • 1

Abstract

Authenticated lateral movement via compromised accounts is a common adversarial maneuver that is challenging to discover with signature- or rules-based intrusion detection systems. In this work a behavior-based approach to detecting malicious logins to novel systems indicative of lateral movement is presented, in which a user's historical login activity is used to build a model of putative "normal" behavior. This historical login activity is represented as a collection of daily login graphs, which encode authentications among accessed systems. Each system, or graph vertex, is described by a set of graph centrality measures that characterize it and the local topology of its login graph. The unsupervised technique of non-negative matrix factorization is then applied to this set of features to assign each vertex to a role that summarizes how the system participates in logins. The reconstruction error quantifying how well each vertex fits into its role is then computed, and the statistics of this error can be used to identify outlier vertices that correspond to systems involved in unusual logins. We test this technique with a small cohort of privileged accounts using real login data from an operational enterprise network. The ability of the method to identify malicious logins among normal activity is tested with simulated graphs of login activity representative of adversarial lateral movement. We find that the method is generally successful at detecting a broad range of lateral movement for each user, with false positive rates significantly lower than those resulting from alerts based solely on login novelty.
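To make the pipeline described in the abstract concrete, here is an added example in pure Python (not code from the paper): daily login graphs are built from constructed login records, each vertex gets three local features (in-degree, out-degree and a two-hop-path count standing in for the paper's centrality measures), a small non-negative matrix factorization assigns vertices to roles, and a mean-plus-three-sigma cut on the per-vertex reconstruction error flags outliers; the hosts, days, feature choice and threshold are all assumptions, and a naive novelty alert is included for comparison.

```python
import math
import random
from collections import defaultdict

# Constructed login records (source host -> destination host) for one privileged account:
# five baseline days with one pattern, then a test day on which SRV-A is used as a hop to DC01.
BASELINE = {f"day{d}": [("WS01", "SRV-A"), ("WS01", "SRV-B"), ("WS01", "SRV-C")]
            for d in range(1, 6)}
TEST_DAY = {"day6": BASELINE["day1"] + [("SRV-A", "DC01")]}

def mm(A, B):  # matrix product of two lists of lists
    return [[sum(a * b for a, b in zip(row, col)) for col in zip(*B)] for row in A]
def T(A):  # transpose
    return [list(col) for col in zip(*A)]

def vertex_features(logins):
    """One daily login graph -> per-host [in-degree, out-degree, two-hop paths through host]."""
    indeg, outdeg = defaultdict(int), defaultdict(int)
    for src, dst in logins:
        outdeg[src] += 1
        indeg[dst] += 1
    return {v: [indeg[v], outdeg[v], indeg[v] * outdeg[v]] for v in set(indeg) | set(outdeg)}

def nmf(V, k, iters=500, seed=0):
    """Lee-Seung multiplicative updates for ||V - WH||_F; rows of H are the k roles."""
    rng, n, m, eps = random.Random(seed), len(V), len(V[0]), 1e-9
    W = [[rng.random() for _ in range(k)] for _ in range(n)]
    H = [[rng.random() for _ in range(m)] for _ in range(k)]
    for _ in range(iters):
        num, den = mm(T(W), V), mm(mm(T(W), W), H)
        H = [[H[i][j] * num[i][j] / (den[i][j] + eps) for j in range(m)] for i in range(k)]
        num, den = mm(V, T(H)), mm(mm(W, H), T(H))
        W = [[W[i][j] * num[i][j] / (den[i][j] + eps) for j in range(k)] for i in range(n)]
    return W, H

def score_logins(days, roles=2, sigmas=3.0):
    """Fit roles over every (day, host) sample; flag reconstruction errors > mean + sigmas*std."""
    rows = [((day, host), f) for day, logins in days.items()
            for host, f in sorted(vertex_features(logins).items())]
    samples, V = zip(*rows)
    R = mm(*nmf(V, roles))
    errors = [math.dist(v, r) for v, r in zip(V, R)]
    mean = sum(errors) / len(errors)
    std = math.sqrt(sum((e - mean) ** 2 for e in errors) / len(errors))
    flagged = {s for s, e in zip(samples, errors) if e > mean + sigmas * std}
    return dict(zip(samples, errors)), flagged

def novel_hosts(baseline, test_day):
    """Naive novelty alert for comparison: any host absent from the account's history."""
    hosts = lambda d: {h for logins in d.values() for pair in logins for h in pair}
    return hosts(test_day) - hosts(baseline)
```

The role-error outlier is SRV-A on the test day, the system whose graph role changed from leaf to pivot, whereas the novelty alert only points at DC01.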
