
HADES: Detecting Active Directory Attacks via Whole Network Provenance Analytics

Liu, Qi 1; Bao, Kaibin 1; Hassan, Wajih Ul; Hagenmeyer, Veit 1
1 Institut für Automation und angewandte Informatik (IAI), Karlsruher Institut für Technologie (KIT)

Abstract:

Due to its crucial role in identity and access management in modern enterprise networks, Active Directory (AD) is a top target of Advanced Persistent Threat (APT) actors. Conventional intrusion detection systems (IDS) excel at identifying malicious behaviors caused by malware, but often fail to detect stealthy attacks launched by APT actors. Recent advances in provenance-based IDS (PIDS) show promise by exposing malicious system activities in causal attack graphs. However, existing approaches are restricted to intra-machine tracing and are unable to reveal the scope of attackers' traversal inside a network. We propose HADES, the first PIDS capable of performing accurate causality-based cross-machine tracing by leveraging a novel concept called logon session based execution partitioning to overcome several challenges in cross-machine tracing. We design HADES as an efficient on-demand tracing system, which performs whole-network tracing only when it first identifies an authentication anomaly signifying an ongoing AD attack, for which we introduce a novel lightweight authentication anomaly detection model rooted in our extensive analysis of AD attacks. ...


Full text
DOI: 10.5445/IR/1000175791
Published on: 31.10.2024

Original publication
DOI: 10.48550/arXiv.2407.18858

Affiliated institution(s) at KIT: Institut für Automation und angewandte Informatik (IAI)
Publication type: Research report/Preprint
Publication date: 26.07.2024
Language: English
Identifier: KITopen-ID: 1000175791
HGF programme: 37.12.01 (POF IV, LK 01) Digitalization & System Technology for Flexibility Solutions
Further HGF programmes: 46.23.02 (POF IV, LK 01) Engineering Security for Energy Systems
Publisher: arxiv
Series: Computer Science > Cryptography and Security
Keywords: Advanced Persistent Threat detection, Active Directory security, enterprise security, data provenance analysis, auditing, logging
Indexed in: arXiv