MLTracer: Malicious Logins Detection System via Graph Neural Network

Title: MLTracer: Malicious Logins Detection System via Graph Neural Network
Publication Type: Conference Paper
Year of Publication: 2020
Authors: Liu, F., Wen, Y., Wu, Y., Liang, S., Jiang, X., Meng, D.
Conference Name: 2020 IEEE 19th International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom)
Date Published: Jan. 2021
Publisher: IEEE
ISBN Number: 978-0-7381-4380-4
Keywords: co-attention mechanism, Conferences, convolutional neural networks, Cyber-physical systems, data mining, expert systems, Graph Neural Network, graph neural networks, human factors, lateral movement, malicious logins detection, Metrics, Neural Network Security, policy-based governance, privacy, pubcrawl, Real-time Systems, Resiliency, Scalability, security
Abstract

Malicious logins, especially lateral movement, have been a primary and costly threat for enterprises. However, existing detection methods face two critical challenges. First, they rely heavily on a limited number of predefined rules and features, so when attack patterns change, security experts must manually design new ones. Second, they cannot capture the mutual effects among attributes that are specific to login operations. We propose MLTracer, a graph neural network (GNN) based system for detecting such attacks. It has two core components that address these challenges. First, MLTracer adopts a novel method to differentiate the crucial attributes of login operations from the rest without relying on expert-designated features. Second, MLTracer leverages a GNN model to detect malicious logins. The model combines a convolutional neural network (CNN) that explores the attributes of login operations with a co-attention mechanism that mutually improves the representations (vectors) of login attributes by learning their login-specific relations. We evaluate this approach, and the results show that MLTracer significantly outperforms state-of-the-art methods. Moreover, MLTracer effectively detects various attack scenarios with a remarkably low false positive rate (FPR).

URL: https://ieeexplore.ieee.org/document/9343121
DOI: 10.1109/TrustCom50675.2020.00099
Citation Key: liu_mltracer_2020