Automatically Detecting Computer Breaches in the Network
Khoury/ECE Professor Engin Kirda, in collaboration with Gianluca Stringhini of Boston University, will be working on a $500K NSF grant for “Flanker: Automatically Detecting Lateral Movement in Organizations Using Heterogeneous Data and Graph Representation Learning.” Lateral movement is a pressing cybersecurity problem: countless organizations are compromised, and it is usually difficult to detect an attack as it spreads between nodes in the same network. This funding will support further study of the problem and provide the opportunity to develop practical, automated solutions for detecting sophisticated attacks.
Abstract Source: NSF
In modern cyberattacks, adversaries do not target single computer systems. Instead, they first establish an initial foothold in a company’s network and later amplify their breach by compromising additional assets, until they reach their final target inside the organization. This process of advancing a computer breach is known as lateral movement. Detecting lateral movement is challenging, because attackers can use multiple infection vectors (e.g., phishing emails) and the computer systems in a network are highly diverse (e.g., workstations, network equipment). For this reason, no comprehensive system that effectively detects lateral movement is currently available. Yet detecting and stopping computer breaches as soon as possible is critical to ensure the safety and prosperity of U.S. corporations and citizens. The aim of this project is to fill this gap by developing Flanker, a system able to automatically detect lateral movement in the network of an organization. Unlike existing approaches, Flanker is designed to operate on a variety of data sources (e.g., data from the network and from applications), so that it can detect cyberattacks as they span different online services and computers across the organization.
This project consists of four phases. In the first phase, the investigators collect heterogeneous datasets from a variety of sources and develop techniques to remove noise from them and to anonymize them so that the identity of users is protected. In the second phase, this data is used to build a graph that represents network activity, and graph representation learning approaches are used to build a model of that activity. In the third phase, this model is used to automatically detect lateral movement attacks, by applying either anomaly detection or supervised learning techniques. Finally, the investigators develop visualization techniques that enable a security analyst to understand the detection results and adopt appropriate countermeasures against the attack.
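The four phases above, carried through in miniature as an added example. This is not Flanker's code (the abstract only describes the system) and not the investigators' code; it assumes two constructed log formats with fictitious hosts and users, a keyed hash as the anonymization step, and a simple "new edges from one source" novelty heuristic standing in for the graph representation learning the project proposes. It shows the shape of the pipeline: normalize heterogeneous events, pseudonymize users, build a host-to-host activity graph from a baseline period, and flag sources that fan out to destinations never seen before.

```python
"""Toy lateral-movement detector over a host-to-host logon graph (added example)."""
import hashlib
import re
from collections import defaultdict

# --- Phase 1: ingest heterogeneous sources, drop noise, pseudonymize users ----

# Two constructed log shapes (assumptions, not real product formats): a
# Windows-style network logon record and an sshd-style "Accepted" line.
WIN_RE = re.compile(r"winlogon user=(?P<user>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+)")
SSH_RE = re.compile(r"sshd: Accepted \w+ for (?P<user>\S+) from (?P<src>\S+) to (?P<dst>\S+)")

SALT = b"per-deployment-secret"  # assumption: kept outside the shared dataset

def pseudonymize(user: str) -> str:
    """Replace a username with a keyed hash so the graph carries no identities."""
    return hashlib.sha256(SALT + user.encode()).hexdigest()[:12]

def parse_event(line: str):
    """Normalize either source into (user_pseudonym, src_host, dst_host); None if noise."""
    for rx in (WIN_RE, SSH_RE):
        m = rx.search(line)
        if m:
            return pseudonymize(m["user"]), m["src"], m["dst"]
    return None  # unparseable lines are treated as noise and dropped

# --- Phase 2: build the activity graph ---------------------------------------

def build_graph(lines):
    """Directed graph as adjacency counts: graph[src][dst] = number of logons."""
    graph = defaultdict(lambda: defaultdict(int))
    for line in lines:
        ev = parse_event(line)
        if ev:
            _, src, dst = ev
            graph[src][dst] += 1
    return graph

# --- Phase 3: anomaly detection against the baseline -------------------------

def detect_lateral_movement(baseline_lines, window_lines, min_new_edges=2):
    """Flag sources whose window edges were never seen in the baseline graph.

    A host that suddenly reaches several previously unseen destinations is the
    fan-out pattern an analyst associates with pivoting through a network.
    """
    baseline = build_graph(baseline_lines)
    window = build_graph(window_lines)
    alerts = []
    for src, dsts in window.items():
        novel = sorted(d for d in dsts if d not in baseline.get(src, {}))
        if len(novel) >= min_new_edges:
            alerts.append({"src": src, "novel_dsts": novel, "score": len(novel)})
    return sorted(alerts, key=lambda a: -a["score"])

# --- Phase 4: a minimal text rendering for the analyst -----------------------

def render_alert(alert) -> str:
    """One line per new edge, so the suspected path is readable at a glance."""
    return "\n".join(f"{alert['src']} -> {d}  (new)" for d in alert["novel_dsts"])

# Constructed sample data: a quiet baseline day and a later detection window.
BASELINE_LOG = [
    "2024-01-08T09:01:00 winlogon user=alice src=ws-alice dst=fileserver",
    "2024-01-08T09:05:00 winlogon user=bob src=ws-bob dst=fileserver",
    "2024-01-08T09:10:00 jumphost sshd: Accepted publickey for ops from jumphost to db01",
    "2024-01-08T09:12:00 jumphost sshd: Accepted publickey for ops from jumphost to db02",
    "2024-01-08T10:00:00 winlogon user=alice src=ws-alice dst=printserver",
]
WINDOW_LOG = [
    "2024-01-09T09:02:00 winlogon user=alice src=ws-alice dst=fileserver",
    "2024-01-09T09:20:00 winlogon user=bob src=ws-bob dst=ws-alice",
    "2024-01-09T09:21:00 winlogon user=bob src=ws-bob dst=jumphost",
    "2024-01-09T09:25:00 jumphost sshd: Accepted publickey for bob from ws-bob to db01",
    "2024-01-09T09:30:00 jumphost sshd: Accepted publickey for ops from jumphost to db01",
    "2024-01-09T09:31:00 kernel: eth0 link up",  # noise, dropped by the parser
]

if __name__ == "__main__":
    for alert in detect_lateral_movement(BASELINE_LOG, WINDOW_LOG):
        print(f"score={alert['score']}\n{render_alert(alert)}")
```

Running it flags `ws-bob` with three new destinations (`db01`, `jumphost`, `ws-alice`) while `ws-alice` and `jumphost`, whose window edges all appear in the baseline, stay silent. The threshold and the novelty score are where a learned graph model would replace the heuristic: a representation that knows `ws-bob` and `ws-alice` are peer workstations in the same team would rank that edge lower than the hop onto the jump host.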
This award reflects NSF’s statutory mission and has been deemed worthy of support through evaluation using the Foundation’s intellectual merit and broader impacts review criteria.