Many modern attacks on computer networks begin with an initial penetration of the perimeter defences, commonly through a phishing email. Often the hacker does not stop at this initial penetration, however, but proceeds to traverse the network, moving from one machine to the next.
This behaviour is motivated by several goals, including the escalation of access privileges, the identification of valuable data to exfiltrate, and the establishment of a broad presence in the network.
We introduce a method based on scan statistics for detecting this traversal. Through parallel enumeration of subgraphs of the network graph, we search for sets of communications which have deviated from a stochastic baseline, and which indicate the presence of an attacker.
The approach has proven successful in detecting advanced persistent threat attacks on LANL networks, as well as those of other US government and industry partners.
In the talk, I will give a more detailed description of typical network traversal attacks, describe the models and methods used to detect such traversal, and will present results from synthetic and real events.
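As an added illustration of the idea in the abstract (this is not code from the talk, from LANL, or from the speaker's published method; it is a deliberately small toy), the Python below learns a per-edge Poisson baseline from a few clean windows of host-to-host communication counts, enumerates every two-edge path present in the current window, and scores each path as the sum of one-sided log-likelihood ratios of its edges against the baseline. The host names, counts, the prior rate for never-seen edges and the alert threshold are all constructed assumptions; a real deployment would calibrate the threshold from the empirical distribution of the maximum path score over clean windows and would scan star and longer path windows as well.

```python
import math
from collections import defaultdict

# Constructed sample data (not real LANL traffic): per-edge counts of
# connection events between hosts in each time window.
HISTORY = [  # three "clean" historical windows used to learn the baseline
    {("ws1", "srv1"): 5, ("ws2", "srv1"): 5, ("srv1", "fs1"): 3, ("ws1", "fs1"): 1},
    {("ws1", "srv1"): 6, ("ws2", "srv1"): 4, ("srv1", "fs1"): 3, ("ws1", "fs1"): 0},
    {("ws1", "srv1"): 4, ("ws2", "srv1"): 6, ("srv1", "fs1"): 3, ("ws1", "fs1"): 2},
]
# Current window: the usual traffic plus two never-before-seen edges that
# form a chain ws1 -> ws2 -> dc1, the shape a traversal leaves behind.
CURRENT = {
    ("ws1", "srv1"): 5, ("ws2", "srv1"): 4, ("srv1", "fs1"): 3, ("ws1", "fs1"): 1,
    ("ws1", "ws2"): 4, ("ws2", "dc1"): 6,
}
UNSEEN_RATE = 0.05   # assumed prior rate for an edge with no history
THRESHOLD = 20.0     # assumed alert threshold; calibrate on clean windows in practice


def baseline_rates(history):
    """Mean count per edge over the historical windows (Poisson rate estimate)."""
    totals = defaultdict(float)
    for window in history:
        for edge, count in window.items():
            totals[edge] += count
    return {edge: total / len(history) for edge, total in totals.items()}


def edge_score(observed, rate):
    """One-sided Poisson log-likelihood ratio of "rate increased" vs. baseline.

    Zero when the edge is at or below its baseline, growing with the excess;
    a never-seen edge is scored against the small UNSEEN_RATE prior, so new
    edges with even modest traffic score highly.
    """
    if observed <= rate:
        return 0.0
    return observed * math.log(observed / rate) - (observed - rate)


def scan_paths(current, rates, unseen_rate=UNSEEN_RATE):
    """Enumerate every 2-edge path a -> b -> c present in the current window
    and score it as the sum of its edge scores. Returns (score, path) pairs,
    highest score first."""
    out_edges = defaultdict(list)
    for src, dst in current:
        out_edges[src].append(dst)

    def score(edge):
        return edge_score(current[edge], rates.get(edge, unseen_rate))

    results = []
    for a, b in current:
        for c in out_edges.get(b, []):
            if c == a:   # skip the a -> b -> a back-and-forth
                continue
            results.append((round(score((a, b)) + score((b, c)), 2), (a, b, c)))
    return sorted(results, reverse=True)


def detect_traversal(history, current, threshold=THRESHOLD):
    """Return the paths in the current window whose scan score exceeds the threshold."""
    rates = baseline_rates(history)
    return [(s, path) for s, path in scan_paths(current, rates) if s > threshold]


if __name__ == "__main__":
    for score, path in detect_traversal(HISTORY, CURRENT):
        print(f"{score:7.2f}  {' -> '.join(path)}")
```

Run as a script it reports only the chain ws1 -> ws2 -> dc1; the overlapping path ws1 -> ws2 -> srv1 scores high on its first edge alone but stays below the threshold, and the paths made entirely of baseline traffic score zero. Because each path is scored independently, the enumeration parallelises trivially across the edge list, which is the property the abstract relies on to scale the scan to a large network graph.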
Biography
Dr Joshua Neil is a Research Statistician in the Advanced Computing Solutions Program Office (ACS-PO) at Los Alamos National Laboratory (LANL). He leads research into anomaly/change detection with an emphasis on cyber security problems and has worked at LANL since 2000, obtaining his PhD in Statistics from the University of New Mexico in 2011.
The ACS-PO focus is to enable LANL to become nationally recognized as the capability leader in information security and networking science that predicts and solves critical problems in the cyber domain using novel yet practical solutions.