Detecting Lateral Movement with a Compute-intense Graph Kernel, presented at FloCon 2019

by Steve Reinhardt

Summary: Both successful intruders and internal abusers of computer networks seek to move laterally in an enterprise network to discover other sources of valuable information, so detection of lateral movement remains a valuable analytic for cybersecurity analysts. We calculate maximum independent set, an NP-hard graph kernel, on a graph composed of point-to-point (e.g., ssh and RDP) connections to detect lateral movement. In addition to assessing whether the atypical lateral movement is tree-like and therefore suspect, we display it in the context of the network graph so an analyst can judge the likely risk. We seek data with known lateral movement to validate the analytic.

This work extends the cybersecurity trend of applying more computing to a smaller fraction of the data, as with O(n^2) analytics such as betweenness centrality. This trend anticipates the rapidly growing computational performance of early quantum computers from D-Wave Systems, which would enable the use of graph kernels with exponential computational cost on datasets that are small by cyber standards. We discuss the implications of using these more compute-intense kernels.

Attendees will learn:
• How analytic kernels that detect global graph characteristics, which analysts may not have considered, are useful
• How to add an additional tool to the analytic toolbox
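The pipeline the abstract sketches (reduce flow data to the point-to-point ssh/RDP subgraph, run an exponential-cost kernel on that small graph, and check whether each connected piece is tree-like) can be shown end to end in a few dozen lines. The following is an added example, not the author's code or any D-Wave formulation: it uses an exact branch-and-bound maximum independent set solver in place of a quantum annealer, the flow records are constructed, the port filter (22 and 3389) and the tree-likeness test (a connected component with edges = hosts - 1 is acyclic) are the author of this example's assumptions, and how an analyst scores the resulting independent set as "suspect" is not described in the abstract and is left open here.

```python
"""Maximum independent set over a point-to-point (ssh/RDP) connection graph.

Added example, not the talk's code. All flow records below are constructed.
"""
from itertools import combinations

# Constructed flow records: (src_host, dst_host, dst_port). Only ssh (22) and
# RDP (3389) are treated as point-to-point admin protocols; 443 is web noise.
FLOWS = [
    ("ws01", "jump01", 22),
    ("jump01", "db01", 22),
    ("db01", "jump01", 22),      # reverse direction of an existing edge
    ("jump01", "app01", 3389),
    ("app01", "app02", 3389),
    ("app02", "fs01", 22),
    ("ops01", "ops02", 22),      # three ops hosts that all ssh to each other
    ("ops02", "ops03", 22),
    ("ops03", "ops01", 22),
    ("ws02", "web01", 443),      # not a lateral-movement protocol: ignored
    ("ws03", "web01", 443),
]

LATERAL_PORTS = frozenset({22, 3389})  # assumed set of point-to-point ports


def build_graph(flows, ports=LATERAL_PORTS):
    """Undirected host graph from flows on the selected ports (self-flows dropped)."""
    adj = {}
    for src, dst, port in flows:
        if port not in ports or src == dst:
            continue
        adj.setdefault(src, set()).add(dst)
        adj.setdefault(dst, set()).add(src)
    return adj


def connected_components(adj):
    """Connected components as frozensets of hosts, in sorted-start order."""
    seen, comps = set(), []
    for start in sorted(adj):
        if start in seen:
            continue
        comp, stack = set(), [start]
        while stack:
            u = stack.pop()
            if u in comp:
                continue
            comp.add(u)
            stack.extend(adj[u] - comp)
        seen |= comp
        comps.append(frozenset(comp))
    return comps


def maximum_independent_set(adj, nodes):
    """Exact maximum independent set of the subgraph induced by `nodes`.

    Branch and bound: exponential in the worst case, which is the talk's point:
    affordable on the small point-to-point subgraph, not on all flow data.
    """
    best = frozenset()

    def solve(remaining, chosen):
        nonlocal best
        if len(chosen) + len(remaining) <= len(best):
            return  # cannot beat the incumbent: prune
        if not remaining:
            best = chosen
            return
        v = max(remaining, key=lambda u: len(adj[u] & remaining))
        solve(remaining - {v} - adj[v], chosen | {v})  # include v
        if adj[v] & remaining:                           # exclude v
            solve(remaining - {v}, chosen)

    solve(frozenset(nodes), frozenset())
    return best


def analyze(flows, ports=LATERAL_PORTS):
    """Per-component summary: hosts, edge count, tree-likeness, independent set."""
    adj = build_graph(flows, ports)
    results = []
    for comp in connected_components(adj):
        edges = sum(len(adj[u]) for u in comp) // 2
        results.append({
            "hosts": sorted(comp),
            "edges": edges,
            "tree_like": edges == len(comp) - 1,  # connected + acyclic
            "independent_set": sorted(maximum_independent_set(adj, comp)),
        })
    return results


if __name__ == "__main__":
    for comp in analyze(FLOWS):
        print(comp)
```

On the constructed data the ws01/jump01/app01 chain comes out tree-like with independent set {ws01, db01, app01, fs01}, while the fully meshed ops hosts form a cycle with an independent set of size 1; the web hosts never enter the graph. Because the solver is exponential, keep the port filter tight so that only the point-to-point subgraph reaches it.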