A Comprehensive Detection Method for the Lateral Movement Stage of APT Attacks
Document Type
Article
Publication Title
IEEE Internet of Things Journal
Abstract
Due to the outbreak of the COVID-19 pandemic, more companies prefer to use telecommuting for work, which also provides more attack surfaces for APT attacks. After initially gaining access to the intranet, attackers use SMB, RDP and other remote sharing or connection protocols to move laterally in order to escalate privileges. In this work, we design a multi-dimensional detection framework to detect lateral movement behavior based on the SMB protocol in the intranet environment. This framework combines active trapping and passive scanning, and uses neural networks to identify the attack samples used by the adversary when moving laterally. We test the effectiveness of the active trapping technology in a simulation environment, and verify with real malware samples that the accuracy of neural network detection can reach about 90%. The experimental results show that our work can effectively detect lateral movement behavior using the SMB protocol in the intranet environment.
First Page
8440
Last Page
8447
DOI
10.1109/JIOT.2023.3322412
Publication Date
10-6-2023
Keywords
Advanced persistent threats, Behavioral sciences, Complex networks, Computer network, Internet of Things, Protocols, Security, Servers, Telecommunication traffic
Recommended Citation
D. He, H. Gu, S. Zhu, S. Chan and M. Guizani, "A Comprehensive Detection Method for the Lateral Movement Stage of APT Attacks," in IEEE Internet of Things Journal, vol. 11, no. 5, pp. 8440-8447, 1 March 2024, doi: 10.1109/JIOT.2023.3322412.
Comments
IR conditions: non-described