Summary:

Credential theft is a network intrusion vector that subverts the traditional defenses of a campus network; a malicious login is the act of an attacker using those stolen credentials to access the target network. Historically, this approach is simple for an attacker to conduct and hard for a defender to detect. Alternative mitigation strategies require an in-depth view of the network hosts, an untenable proposition in a campus network. We introduce a method of spatial augmentation of login events, creating a user and source IP trajectory for each event. These location mappings, built from user wireless activity and network state information, provide the features needed for login classification. From this, we design and build a real-time data collection, augmentation, and classification system that generates alerts on malicious events. With a relational database for data processing and a trained weighted random forest ensemble classifier, the generated alerts are both timely and few enough to allow human analyst review of every generated event. We evaluate this design for three levels of attacker ability under a defined threat model. We evaluate our approach with a proof-of-concept system on weeks of live data collected from the Virginia Tech campus, under an IRB-approved research protocol.

Degree: Master of Science

For a computer network, a common mode of access is a login: the entering of a valid username and password for authentication. Attackers use a variety of methods to steal user login credentials, and several of these approaches go unnoticed by network defenders. Complicating matters further, a higher-education campus network such as Virginia Tech's inherently has less information about the state of the network, since students and teachers bring their privately owned devices. To prevent this attack method, we determine the class, authorized or unauthorized, of login events using data that a campus network can consistently provide. After classification, alerts are generated for security analysts, helping to further defend the network. Spatial augmentation is a process we introduce to enable login classification with machine learning algorithms. For every login event at the campus, a history of user locations and source event locations can be provided, using data collected from the campus network infrastructure. Location data provides stronger classification of login events, since studies show that an attacker performing an unauthorized login is inherently physically distant from the account's normal user. For evaluation, we build a system to augment and classify login events while limiting the number of false alerts to a usable level.
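The spatial augmentation described above, as an added illustration that is not the thesis's own code: each login event (user, source IP, timestamp) is joined against a wireless association log to build the user's recent location trajectory, and against a subnet-to-building map to locate the source IP, yielding the features a classifier would consume. The association rows, subnet map, building names and the `needs_review` rule are all constructed placeholders; the rule is only a stand-in for the weighted random forest the abstract describes, chosen so the example runs offline.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed wireless association log: (username, timestamp, access point, building).
# In a real deployment these rows would come from the campus WLAN controller.
WIFI_ASSOCIATIONS = [
    ("alice", datetime(2024, 3, 4, 8, 55), "ap-lib-2f-01", "library"),
    ("alice", datetime(2024, 3, 4, 9, 40), "ap-lib-2f-03", "library"),
    ("alice", datetime(2024, 3, 4, 10, 5), "ap-eng-1f-02", "engineering"),
    ("bob",   datetime(2024, 3, 4, 9, 58), "ap-eng-3f-01", "engineering"),
]

# Constructed network-state mapping from campus subnet to building.
# Any address outside these ranges is treated as off-campus.
SUBNET_LOCATIONS = {
    ip_network("10.10.0.0/16"): "library",
    ip_network("10.20.0.0/16"): "engineering",
}


def locate_ip(ip):
    """Map a source IP to a building name using the network-state table."""
    addr = ip_address(ip)
    for net, building in SUBNET_LOCATIONS.items():
        if addr in net:
            return building
    return "off-campus"


def user_trajectory(user, at, window=timedelta(hours=6)):
    """Time-ordered (timestamp, building) sightings of `user` within `window` before `at`."""
    rows = [(ts, bldg) for (u, ts, _ap, bldg) in WIFI_ASSOCIATIONS
            if u == user and at - window <= ts <= at]
    rows.sort()
    return rows


def augment_login(user, src_ip, at):
    """Attach location features to one login event: where the source IP sits,
    where the user was recently seen on wireless, and whether the two agree."""
    traj = user_trajectory(user, at)
    src_loc = locate_ip(src_ip)
    last_ts, last_loc = traj[-1] if traj else (None, None)
    gap = (at - last_ts).total_seconds() / 60 if last_ts else None
    return {
        "user": user,
        "src_location": src_loc,
        "trajectory": [b for _, b in traj],
        "last_user_location": last_loc,
        "minutes_since_last_sighting": gap,
        "source_matches_user": src_loc == last_loc,
    }


def needs_review(features, max_gap_minutes=30):
    """Stand-in for the trained classifier (hypothetical rule): flag a login whose
    source location disagrees with a very recent wireless sighting of the user."""
    gap = features["minutes_since_last_sighting"]
    return gap is not None and gap <= max_gap_minutes and not features["source_matches_user"]


if __name__ == "__main__":
    # Constructed login events: one consistent with the user's trajectory, one not.
    for user, ip, ts in [("alice", "10.20.5.7", datetime(2024, 3, 4, 10, 10)),
                         ("bob", "198.51.100.7", datetime(2024, 3, 4, 10, 2))]:
        f = augment_login(user, ip, ts)
        print(user, f["src_location"], f["trajectory"], "review" if needs_review(f) else "ok")
```

The `trajectory` list and the `minutes_since_last_sighting` gap are the kind of per-event features the abstract refers to; a real system would persist them in the relational database and hand them to the classifier rather than apply a fixed threshold.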