*WINNER* Detecting Illegitimate Use of Legitimate Credentials
Abstract
Any organization with sensitive, valuable, or critical data, or direct access to such data, is at risk of being attacked by cyber criminals who steal and use legitimate credentials for a multitude of purposes. This poses one of the highest threats to critical, sensitive, or even classified information for an organization. If a nefarious actor is able to access a network with legitimate credentials, there are currently very limited ways to detect that the activity is malicious.
By establishing a per-user behavior profile, we aim to apply machine learning anomaly detection algorithms to determine when a user account’s activity indicates that it has been compromised by an attacker with stolen credentials. In this way, we will map a user’s normal activity to a high-dimensional space to predict what the user is likely to do and when. Deviation from this prediction beyond a threshold indicates that action may need to be taken to verify the user’s identity.
Our data set is a sample of mixed enterprise logs from Los Alamos National Laboratory covering three months of authentication, network flow, process, and DNS logs. Some of the log items represent offensive red-team exercises, and we propose a system to identify these events based on their dissimilarity from regular user behavior.
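A minimal form of the per-user profile and thresholded deviation score described above, run over constructed rows laid out like the LANL authentication log. This is an added illustration, not the project's code: the field layout, the four profiled features, the add-one smoothing and the calibration margin are all assumptions.

```python
from collections import Counter, defaultdict
import math
FEATURES = ("hour", "src_host", "dst_host", "outcome")   # event features profiled per user

# Rows in the shape of the LANL auth log (constructed here, not real LANL data):
# time,src_user@domain,dst_user@domain,src_host,dst_host,auth_type,logon_type,orientation,outcome
def make_baseline():
    """Ten days of U1's normal activity: workstation C1 -> file server C7 in office hours."""
    rows = []
    for day in range(10):
        for hour in (8, 11, 14, 17):
            rows.append(f"{day*86400+hour*3600},U1@DOM1,U1@DOM1,C1,C7,Kerberos,Network,LogOn,Success")
        rows.append(f"{day*86400+9*3600},U1@DOM1,U1@DOM1,C1,C1,Negotiate,Interactive,LogOn,Success")
    return rows

def parse(row):
    f = row.split(",")                        # LANL times are seconds from the dataset epoch
    return {"user": f[1], "hour": int(f[0]) // 3600 % 24, "src_host": f[3], "dst_host": f[4], "outcome": f[8]}

def build_profiles(rows):
    """Per-user behaviour profile: one value histogram per feature."""
    profiles = defaultdict(lambda: {k: Counter() for k in FEATURES})
    for ev in map(parse, rows):
        for k in FEATURES:
            profiles[ev["user"]][k][ev[k]] += 1
    return profiles

def anomaly_score(profile, ev):
    """Sum over features of -log p(value | user), add-one smoothed so unseen values cost most."""
    return sum(-math.log((profile[k][ev[k]] + 1) / (sum(profile[k].values()) + len(profile[k]) + 1))
               for k in FEATURES)             # the extra +1 bucket reserves mass for unseen values

def calibrate_threshold(profiles, rows, margin=2.0):
    """Threshold sits a margin above the highest score the baseline itself produces."""
    return max(anomaly_score(profiles[parse(r)["user"]], parse(r)) for r in rows) + margin

def flag_events(profiles, rows, threshold):
    """Rows deviating beyond the threshold, plus any user who has no baseline at all."""
    evs = [(row, parse(row)) for row in rows]
    return [row for row, ev in evs
            if ev["user"] not in profiles or anomaly_score(profiles[ev["user"]], ev) > threshold]

# Day 11 (constructed): U1's credentials used at 03:00 from an unknown host and failing against C3 (red-team style), then three normal logons.
TEST_LOG = [
    "961200,U1@DOM1,U1@DOM1,C999,C3,NTLM,Network,LogOn,Fail",
    "979200,U1@DOM1,U1@DOM1,C1,C7,Kerberos,Network,LogOn,Success",
    "982800,U1@DOM1,U1@DOM1,C1,C1,Negotiate,Interactive,LogOn,Success",
    "1000800,U1@DOM1,U1@DOM1,C1,C7,Kerberos,Network,LogOn,Success",
]
```

Calling `flag_events(build_profiles(make_baseline()), TEST_LOG, calibrate_threshold(...))` returns only the 03:00 row; the normal logons score well under the threshold because every one of their feature values is common in U1's history.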