Unraveling Network-based Pivoting Maneuvers: Empirical Insights and Challenges

Logo poskytovatele
Autoři

HUSÁK Martin YANG Shanchieh Jay KHOURY Joseph KLISURA Dorde BOU-HARB Elias

Rok publikování 2024
Druh Článek ve sborníku
Konference Digital Forensics and Cyber Crime
Fakulta / Pracoviště MU

Ústav výpočetní techniky

Citace
Doi http://dx.doi.org/10.1007/978-3-031-56583-0_9
Klíčová slova pivoting;lateral movement;monitoring;NetFlow
Přiložené soubory
Popis Pivoting is a sophisticated strategy employed by modern malware and Advanced Persistent Threats (APT) to complicate attack tracing and attribution. Detecting pivoting activities is of utmost importance in order to counter these threats effectively. In this study, we examined the detection of pivoting by analyzing network traffic data collected over a period of 10 days in a campus network. Through NetFlow monitoring , we initially identified potential pivoting candidates, which are traces in the network traffic that match known patterns. Subsequently, we conducted an in-depth analysis of these candidates and uncovered a significant number of false positives and benign pivoting-like patterns. To enhance investigation and understanding, we introduced a novel graph representation called a pivoting graph, which provides comprehensive vi-sualization capabilities. Unfortunately, investigating pivoting candidates is highly dependent on the specific context and necessitates a strong understanding of the local environment. To address this challenge, we applied principal component analysis and clustering techniques to a diverse range of features. This allowed us to identify the most meaningful features for automated pivoting detection, eliminating the need for prior knowledge of the local environment.
Související projekty:

Používáte starou verzi internetového prohlížeče. Doporučujeme aktualizovat Váš prohlížeč na nejnovější verzi.

Další info