
Student: Chun-Hsien Chen (陳俊賢)
Thesis title: Detecting Potential Lateral Movement by Internal Reconnaissance and Privilege Escalation Feature using Unusual Event Analysis (透過內網偵查與權限跳脫特徵使用不尋常事件分析偵測潛在橫向移動)
Advisor: Hahn-Ming Lee (李漢銘)
Committee members: Feng-Tse Lin (林豐澤), Shin-Ming Cheng (鄭欣明), Wei-Chung Teng (鄧惟中), Ching-Hao Mao (毛敬豪)
Degree: Master
Department: Department of Computer Science and Information Engineering, College of Electrical Engineering and Computer Science (電資學院 - 資訊工程系)
Year of publication: 2018
Graduation academic year: 106
Language: Chinese
Pages: 77
Chinese keywords: lateral movement, internal reconnaissance, privilege escalation, audit analysis (橫向移動, 內網偵查, 權限跳脫, 審計分析)
Foreign keywords: Lateral Movement, Internal Reconnaissance, Privilege Escalation, audit analysis

In recent years, hackers' attack techniques have been updated constantly. To achieve political or economic gains, hackers have gradually developed attack methods that target specific governments or enterprises. Once they have successfully penetrated a single computer inside an enterprise, hackers lurk there for a long time, which makes it difficult for an ordinary intrusion detection system (IDS) to detect and prevent them; we call this type of attack an Advanced Persistent Threat (APT). An APT is a very complex attack, so some divide an APT into six stages, of which the lateral movement stage is the most important, the most time-consuming, and the one that leaves the most records. In this stage, hackers explore the structure of the intranet and attempt to spread to other computers. Therefore, in this thesis we propose a system that can detect which computers in the entire intranet are likely to perform lateral movement.

Previous studies detect lateral movement from the traces left after hackers have already moved to other computers, by which time the hackers have already damaged the enterprise. Our research found that fixed precursors appear before hackers move to other computers: hackers must first perform internal reconnaissance to learn the structure of the intranet, and they need privilege escalation to obtain the user passwords stored in memory. We studied many real-world cases and found that hackers use unusual events during both internal reconnaissance and privilege escalation, so we propose a Rare Behavior Score to determine which events are unusual. We also consolidated seven features from real cases and use these features to successfully detect potential lateral movement.

In our experiments, we use a simulated real enterprise intranet platform provided by the Institute for Information Industry (資策會), collect Windows Event Logs from that platform, and analyze the Windows Event Logs to detect potential lateral movement. According to the experimental results, the detection mechanism proposed in this thesis reaches an F1-measure of 73.86% for potential lateral movement detection. This thesis makes the following contributions: (1) a lightweight system that can detect lateral movement early, before it occurs; (2) a consolidated set of features for internal reconnaissance and privilege escalation; (3) whereas the attack data in previous studies were simulations of hacker attacks, our study generates its attack data with the tools that hackers actually use in the real world.


In recent years, hackers' attack techniques have been updated constantly. To achieve political or economic benefits, hackers have gradually developed attack methods aimed at specific governments or enterprises. Once they have successfully entered a company's intranet, hackers lie dormant in the enterprise for a long time, which makes them hard for an intrusion detection system (IDS) to detect and prevent. This kind of attack is called an Advanced Persistent Threat (APT). An APT is a very sophisticated attack, so some researchers divide an APT into six stages. The lateral movement phase is the most important and the most time-consuming, and it leaves the most records. At this stage hackers explore the topology of the intranet and try to spread to other computers. Therefore, in this thesis we propose a system that can detect which computers are trying to move laterally throughout the intranet.

In previous studies, researchers detected lateral movement only after hackers had successfully moved within the enterprise, which means the damage had already been done. In our research, we observe that a precursor often occurs before hackers move through the network. To learn the internal network topology of an enterprise, hackers always scan the internal network through intranet reconnaissance. Moreover, hackers obtain the highest privilege level through privilege escalation in order to acquire users' passwords. Based on cases from real-world environments, we observe that hackers generate unusual events during intranet reconnaissance and privilege escalation. Therefore, we integrate seven features based on the real cases and verify that potential lateral movement is successfully detected with these features.

The proposed approach makes the following contributions: (1) developing an efficient system that can detect lateral movement early; (2) investigating the features of internal reconnaissance and privilege escalation; (3) implementing a more realistic evaluation of lateral movement compared with previous work. Our experiment runs in a simulated real enterprise intranet provided by the Institute for Information Industry. Our proposed approach achieves an F1-measure of 73.86% in the average case.

1. Introduction
   1.1 Motivation
   1.2 Challenges and Goals
   1.3 Contributions
   1.4 The Outline of Thesis
2. Background
   2.1 Advanced Persistent Threats (APT)
   2.2 Lateral Movement
       2.2.1 Credential-based
       2.2.2 Share-based
       2.2.3 Exploitation-based
       2.2.4 Physical-based
   2.3 Intrusion Detection System
       2.3.1 Host-based Intrusion Detection System
       2.3.2 Network-based Intrusion Detection System
3. System Description
   3.1 Internal Reconnaissance and Privilege Escalation in Lateral Movement
   3.2 Security Logs Extractor
   3.3 Session-based Event Aggregator
   3.4 Unusual Logon and Process Event Scoring
   3.5 Internal Reconnaissance and Privilege Escalation Feature Extractor
   3.6 Potential Lateral Movement Trainer
4. Experiments and Results
   4.1 Environment and Dataset
       4.1.1 Dataset Environment
       4.1.2 Dataset Collection and Label
       4.1.3 Attack Scenario
   4.2 Internal Reconnaissance and Privilege Escalation
       4.2.1 Internal Reconnaissance
       4.2.2 Privilege Escalation
   4.3 Evaluation Metrics
   4.4 The Result of the Experiments
       4.4.1 Effectiveness of the Baseline
       4.4.2 Effectiveness of the Different Features and Parameters
       4.4.3 Efficiency Comparison with Association Rules
       4.4.4 Effectiveness Comparison with Antivirus
       4.4.5 Effectiveness Comparison with Rule-based Approach
   4.5 Discussion of Results
       4.5.1 Results of Comparison
       4.5.2 Case Studies
   4.6 Limitations
5. Conclusions and Further Work
   5.1 Conclusions
   5.2 Further Work

