{"id":574425,"date":"2019-03-18T22:42:05","date_gmt":"2019-03-19T05:42:05","guid":{"rendered":"https:\/\/www.microsoft.com\/en-us\/research\/?post_type=msr-research-item&p=574425"},"modified":"2019-03-18T23:06:11","modified_gmt":"2019-03-19T06:06:11","slug":"latte-large-scale-lateral-movement-detection","status":"publish","type":"msr-research-item","link":"https:\/\/www.microsoft.com\/en-us\/research\/publication\/latte-large-scale-lateral-movement-detection\/","title":{"rendered":"Latte: Large-Scale Lateral Movement Detection"},"content":{"rendered":"

The frequency of recent headlines indicates that attacks on governmental and corporate computer networks are increasing. Once they infect one computer, the attackers are quite likely to explore the network by accessing additional computers. Such \u201clateral movement\u201d, i.e., the process attackers use to move from one computer to the next in a compromised network, increases the difficulty of preventing data exfiltration. To deal with the challenges of large-scale data and little prior knowledge of the attackers, we propose Latte, a graph-based detection system that discovers potentially malicious lateral movement paths. We model computers and accounts as nodes, and computer-to-computer connections or user logon events as edges. We address the lateral movement problem in two ways. Starting from a known infected computer or account, forensic analysis quickly identifies other compromised computers. To discover a new attack, general detection identifies unknown lateral movement across nodes that are not known to be compromised. A key component of general detection is a remote file execution detector, which filters out the majority of the rare paths in the network. We provide separate algorithms for these two subproblems and validate their effectiveness and efficiency on two large-scale datasets: one with a confirmed attack and one from a penetration test.<\/p>\n","protected":false},"excerpt":{"rendered":"

The frequency of recent headlines indicates that attacks on governmental and corporate computer networks are increasing. Once they infect one computer, the attackers are quite likely to explore the network by accessing additional computers. Such \u201clateral movement\u201d, i.e., the process attackers use to move from one computer to the next in a compromised network, increases […]<\/p>\n","protected":false},"featured_media":0,"template":"","meta":{"msr-url-field":"","msr-podcast-episode":"","msrModifiedDate":"","msrModifiedDateEnabled":false,"ep_exclude_from_search":false,"_classifai_error":"","footnotes":""},"msr-content-type":[3],"msr-research-highlight":[],"research-area":[13558],"msr-publication-type":[193716],"msr-product-type":[],"msr-focus-area":[],"msr-platform":[],"msr-download-source":[],"msr-locale":[268875],"msr-post-option":[],"msr-field-of-study":[],"msr-conference":[],"msr-journal":[],"msr-impact-theme":[],"msr-pillar":[],"class_list":["post-574425","msr-research-item","type-msr-research-item","status-publish","hentry","msr-research-area-security-privacy-cryptography","msr-locale-en_us"],"msr_publishername":"IEEE","msr_edition":"","msr_affiliation":"","msr_published_date":"2018-10-31","msr_host":"","msr_duration":"","msr_version":"","msr_speaker":"","msr_other_contributors":"","msr_booktitle":"","msr_pages_string":"","msr_chapter":"","msr_isbn":"","msr_journal":"","msr_volume":"","msr_number":"","msr_editors":"","msr_series":"","msr_issue":"","msr_organization":"","msr_how_published":"","msr_notes":"","msr_highlight_text":"","msr_release_tracker_id":"","msr_original_fields_of_study":"","msr_download_urls":"","msr_external_url":"","msr_secondary_video_url":"","msr_longbiography":"","msr_microsoftintellectualproperty":1,"msr_main_download":"","msr_publicationurl":"","msr_doi":"","msr_publication_uploader":[{"type":"file","viewUrl":"https:\/\/www.microsoft.com\/en-us\/research\/uploads\/prod\/2019\/03\/Milcom2018_Liu.pdf","id":"574428","title":"milcom2
018_liu","label_id":"243109","label":0}],"msr_related_uploader":"","msr_attachments":[{"id":574428,"url":"https:\/\/www.microsoft.com\/en-us\/research\/uploads\/prod\/2019\/03\/Milcom2018_Liu.pdf"}],"msr-author-ordering":[{"type":"text","value":"Qingyun Liu","user_id":0,"rest_url":false},{"type":"edited_text","value":"Jack W. Stokes","user_id":32427,"rest_url":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/microsoft-research\/v1\/researchers?person=Jack W. Stokes"},{"type":"text","value":"Rob Mead","user_id":0,"rest_url":false},{"type":"text","value":"Tim Burrell","user_id":0,"rest_url":false},{"type":"text","value":"Ian Hellen","user_id":0,"rest_url":false},{"type":"text","value":"John Lambert","user_id":0,"rest_url":false},{"type":"edited_text","value":"Andrey Marochko","user_id":31019,"rest_url":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/microsoft-research\/v1\/researchers?person=Andrey Marochko"},{"type":"edited_text","value":"Weidong Cui","user_id":34789,"rest_url":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/microsoft-research\/v1\/researchers?person=Weidong Cui"}],"msr_impact_theme":[],"msr_research_lab":[199565],"msr_event":[],"msr_group":[381431],"msr_project":[385736],"publication":[],"video":[],"download":[],"msr_publication_type":"inproceedings","related_content":{"projects":[{"ID":385736,"post_title":"Organizational Infrastructure Security","post_name":"organizational-infrastructure-security","post_type":"msr-project","post_date":"2017-05-22 11:03:12","post_modified":"2020-03-13 17:39:09","post_status":"publish","permalink":"https:\/\/www.microsoft.com\/en-us\/research\/project\/organizational-infrastructure-security\/","post_excerpt":"Protecting an organization&#039;s infrastructure from attacks is critical to defending against cyber threats. 
In this project, we work on projects to detect targeted attacks as well as commodity malware on an organizational computer network.","_links":{"self":[{"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/msr-project\/385736"}]}}]},"_links":{"self":[{"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/msr-research-item\/574425"}],"collection":[{"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/msr-research-item"}],"about":[{"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/types\/msr-research-item"}],"version-history":[{"count":1,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/msr-research-item\/574425\/revisions"}],"predecessor-version":[{"id":574431,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/msr-research-item\/574425\/revisions\/574431"}],"wp:attachment":[{"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/media?parent=574425"}],"wp:term":[{"taxonomy":"msr-content-type","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/msr-content-type?post=574425"},{"taxonomy":"msr-research-highlight","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/msr-research-highlight?post=574425"},{"taxonomy":"msr-research-area","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/research-area?post=574425"},{"taxonomy":"msr-publication-type","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/msr-publication-type?post=574425"},{"taxonomy":"msr-product-type","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/msr-product-type?post=574425"},{"taxonomy":"msr-focus-area","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/msr-focus-area?post=574425"},{"taxonomy":"msr-platform","embeddable":true,"href":"https:\/\/www.microsoft
.com\/en-us\/research\/wp-json\/wp\/v2\/msr-platform?post=574425"},{"taxonomy":"msr-download-source","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/msr-download-source?post=574425"},{"taxonomy":"msr-locale","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/msr-locale?post=574425"},{"taxonomy":"msr-post-option","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/msr-post-option?post=574425"},{"taxonomy":"msr-field-of-study","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/msr-field-of-study?post=574425"},{"taxonomy":"msr-conference","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/msr-conference?post=574425"},{"taxonomy":"msr-journal","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/msr-journal?post=574425"},{"taxonomy":"msr-impact-theme","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/msr-impact-theme?post=574425"},{"taxonomy":"msr-pillar","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/msr-pillar?post=574425"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
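The abstract above describes a graph of computers and accounts joined by logon edges, queried two ways: forensic reach from a node already known to be compromised, and general detection of rare paths that a remote file execution detector then prunes. The following is an added Python illustration of that model, not code from the paper or from Microsoft; the host names, account names, the toy baseline counts, the time-respecting traversal rule and the day-count rarity threshold are all assumptions constructed for this example, and the functions `forensic_reach`, `rare_paths` and `detect` are hypothetical names.

```python
"""Toy version of the graph model sketched in the Latte abstract: computers
and accounts are nodes, each logon adds the edges computer -> account ->
computer stamped with its time. Two queries follow the abstract's split:
forensic reach from a known-compromised node, and general detection of rare
multi-hop paths kept only when some hop shows remote file execution. Data is
constructed; the traversal and rarity rules are assumptions for this example.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Logon:
    src: str           # computer the logon came from
    dst: str           # computer logged on to
    account: str       # account used
    t: int             # event time (integer hours on a toy timeline)
    remote_exec: bool  # a file was executed remotely right after the logon


# Constructed baseline: days (out of BASELINE_DAYS) each pair was seen normally.
BASELINE_DAYS = 21
BASELINE_PAIR_DAYS = {("WS01", "FS01"): 20, ("WS07", "FS01"): 15, ("WS02", "FS01"): 19}

# Constructed detection-window events. Attack chain: WS01 -> WS07 -> FS02 -> DC01.
# WS02 -> WS09 -> FS03 is equally rare but carries no remote execution.
EVENTS = [
    Logon("WS07", "FS01", "alice", 99, False),        # normal, before WS07 is reached
    Logon("WS01", "FS01", "alice", 100, False),       # normal
    Logon("WS01", "WS07", "alice", 101, True),        # rare + remote exec
    Logon("WS07", "FS02", "svc_backup", 103, True),   # rare + remote exec
    Logon("WS02", "FS01", "carol", 104, False),       # normal
    Logon("FS02", "DC01", "svc_backup", 105, False),  # rare, no exec
    Logon("WS02", "WS09", "carol", 110, False),       # rare, benign
    Logon("WS09", "FS03", "carol", 111, False),       # rare, benign
]


def build_graph(events):
    """Adjacency list over ("host", name) and ("acct", name) nodes."""
    adj = defaultdict(list)  # node -> [(t, next_node)], sorted by t
    for e in events:
        adj[("host", e.src)].append((e.t, ("acct", e.account)))
        adj[("acct", e.account)].append((e.t, ("host", e.dst)))
    for edges in adj.values():
        edges.sort()
    return adj


def forensic_reach(events, seed, t0):
    """Nodes reachable from `seed` (compromised at t0) along time-ordered edges.
    A hop counts only if its source was reached at or before the hop's time, so
    logons that predate the compromise of their source are ignored.
    Returns {node: earliest time it could have been reached}."""
    adj = build_graph(events)
    reached = {seed: t0}
    queue = deque([seed])
    while queue:
        node = queue.popleft()
        for t, nxt in adj[node]:
            if reached[node] <= t < reached.get(nxt, float("inf")):
                reached[nxt] = t
                queue.append(nxt)
    return reached


def compromised_hosts(events, seed, t0):
    """Candidate compromised computers for a forensic starting point."""
    return sorted(n for (k, n) in forensic_reach(events, seed, t0) if k == "host")


def rarity(src, dst):
    """Fraction of baseline days on which src -> dst was seen (0.0 = never)."""
    return BASELINE_PAIR_DAYS.get((src, dst), 0) / BASELINE_DAYS


def rare_paths(events, max_rate=0.05, min_hops=2):
    """Maximal time-ordered chains of rare computer-to-computer logons."""
    rare = sorted((e for e in events if rarity(e.src, e.dst) <= max_rate), key=lambda e: e.t)
    # Start only from rare logons with no earlier rare logon into their source,
    # so each chain is reported once rather than once per suffix.
    starts = [e for e in rare if not any(p.dst == e.src and p.t < e.t for p in rare)]
    paths = []

    def extend(path):
        grew = False
        for e in rare:
            if e.src == path[-1].dst and e.t > path[-1].t and e not in path:
                grew = True
                extend(path + [e])
        if not grew and len(path) >= min_hops:
            paths.append(path)

    for e in starts:
        extend([e])
    return paths


def detect(events, **kw):
    """Rare paths on which at least one hop carried remote file execution.
    Requiring that signal is what discards the rare-but-benign chains
    (new staff, one-off admin work) that rarity alone would flag."""
    return [p for p in rare_paths(events, **kw) if any(e.remote_exec for e in p)]


def hosts_on(path):
    """Computer sequence of a path, e.g. ['WS01', 'WS07', 'FS02', 'DC01']."""
    return [path[0].src] + [e.dst for e in path]


if __name__ == "__main__":
    print("reach from WS01:", compromised_hosts(EVENTS, ("host", "WS01"), 100))
    print("rare paths:", [hosts_on(p) for p in rare_paths(EVENTS)])
    print("detected:", [hosts_on(p) for p in detect(EVENTS)])
```

Two things in the toy are worth noticing on realistic data. The forensic query is an over-approximation: every computer the seed (or any account it touched) logged into afterwards is a candidate, so FS01 appears in the reach from WS01 even though that hop was routine, and a seed time after the attack hop (WS01 at t=102) reaches nothing. On the detection side, both WS01 -> WS07 -> FS02 -> DC01 and WS02 -> WS09 -> FS03 are equally rare, and only the remote execution signal separates them; that is the filtering role the abstract assigns to the remote file execution detector.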