University of Twente Student Theses

Login

Detecting Lateral Movement Attacks through SMB using BRO

Ullah, I. (2016) Detecting Lateral Movement Attacks through SMB using BRO.

This is the latest version of this item.

[img]
Preview
PDF
2MB
Abstract:The purpose of this study is to develop an anomaly based intrusion detection technique to detect lateral movement attack and exerting it in BRO network analyser which is an open source network security platform. Lateral movement attack is one of the phase of Advance Persistent Threat attack during which the attacker progressively move from one system to another in the network, exploit credentials to perform pass the hash attack, escalate privileges, and finally reaching his final tar- gets which are critical systems where key data and assets resides. Lateral movement attack are performed using legitimate computer features and tools. The usage of legitimate features makes it hard to detect it. Although there are many methods of performing lateral movement attack, we have evaluated our detection mechanism against three of the most common lateral movement methods: PSEXEC Windows Management Instrumentation and Pass the hash. One of the consequences of a successful lateral movement attack can be the unauthorized access to personal and financial in- formation of a corporate or organization. This study is an initial attempt to detect lateral movement attack performed through Server Message Block protocol using BRO network analyser. Our pro- posed detection model is a multi-variant approach as it monitors and detects five different types of user behavioural anomalies in the network. Thus making it harder for any sophisticated lateral move- ment attack to be perform successfully. We model user behavioural anomalies through a supervised machine learning algorithm. The evaluation results demonstrate that this is a promising model to distinguish legitimate users from an intruder. Our detection model can be easily deployed in any environment and is inexpensive.
Item Type:Essay (Master)
Clients:
FOX-IT, Delft, Netherlands
Faculty:EEMCS: Electrical Engineering, Mathematics and Computer Science
Subject:55 traffic technology, transport technology
Programme:Computer Science MSc (60300)
Link to this item:http://purl.utwente.nl/essays/71415
Export this item as:BibTeX
EndNote
HTML Citation
Reference Manager

 

Repository Staff Only: item control page