IT systems are no longer modelled on castles, with high walls and a portcullis over the gate. Instead, security teams have accepted that determined attackers will find a way in, and now spend as much time on being able to identify attackers and prevent them from being able to do any damage while they are inside as they do on maintaining the perimeter.
What can you do, however, when you have no way of even knowing that an attacker has slipped inside the gates? This is the reality posed by Advanced Persistent Threats (APTs), a genre of attack in which well-funded teams of hackers can spend years silently infiltrating and navigating your system to spy on your activities.
Georgios Kaiafas, an industry PhD Candidate at the Interdisciplinary Centre for Security, Reliability and Trust, has taken a step forward in the fight against APTs. His paper, Detecting Malicious Authentication Events Trustfully, co-authored by Georgios Varisteas, Sofiane Lagraa and Radu State (SnT) and Cu D. Nguyen, Thorsten Ries and Mohamed Ourdane (POST Luxembourg), presents a new Machine Learning method to identify such attacks.
Once an APT has gained access to a computer on a network, it moves from machine to machine, building backdoors, harvesting credentials and gaining administrative rights. Some of these actions will leave traces in the IT system’s log, but APTs move slowly, hiding in the crowd; for every three malicious actions there are some 100,000 actions logged by legitimate users.
“We use Machine Learning, training our predictive algorithms in these logs to spot malicious actions,” says Kaiafas. “In an APT the attacker is impersonating an employer, using their computer and their credentials, which makes it very hard to spot. But our algorithm has been trained on historic data featuring known attacks, so it knows the subtle differences between malicious and normal user behavior. For example, on a basic level it will notice if a user has been working on one computer every day and suddenly logs into a different machine.”
This is among the first attempts to use Machine Learning algorithms to identify malicious actions, and the approach is showing a great deal of promise. During testing, Kaiafas’ algorithms recognized 100% of malicious actions, with only 0.0019% false positives. This success was recognized with a Best Paper Award at the Third IEEE/IFIP International Workshop on Analytics for Network and Service Management (AnNet 2018) in Taipei, Taiwan.
“We’ve made a good start, greatly reducing the amount of data that security teams need to go through to identify an APT”, says Kaiafas, who worked in industry in Greece before joining SnT. “This is a problem for big enterprises and government organisations, which makes it a problem for society at large. APTs are a major challenge to our privacy and security.”
The research was carried out in collaboration with SnT industry partner POST Luxembourg, whose industry knowledge shaped the topic.