HADES: Detecting Active Directory Attacks via Whole Network Provenance Analytics

Qi Liu, Kaibin Bao, Wajih Ul Hassan, Veit Hagenmeyer
2024-07-27
Abstract: Due to its crucial role in identity and access management in modern enterprise networks, Active Directory (AD) is a top target of Advanced Persistent Threat (APT) actors. Conventional intrusion detection systems (IDS) excel at identifying malicious behaviors caused by malware, but often fail to detect stealthy attacks launched by APT actors. Recent advances in provenance-based IDS (PIDS) show promise by exposing malicious system activities in causal attack graphs. However, existing approaches are restricted to intra-machine tracing and are unable to reveal the scope of attackers' traversal inside a network. We propose HADES, the first PIDS capable of performing accurate causality-based cross-machine tracing by leveraging a novel concept called logon session based execution partitioning to overcome several challenges in cross-machine tracing. We design HADES as an efficient on-demand tracing system, which performs whole-network tracing only when it first identifies an authentication anomaly signifying an ongoing AD attack, for which we introduce a novel lightweight authentication anomaly detection model rooted in our extensive analysis of AD attacks. To triage attack alerts, we present a new algorithm integrating two key insights we identified in AD attacks. Our evaluations show that HADES outperforms both popular open source detection systems and a prominent commercial AD attack detector.
Cryptography and Security
What problem does this paper attempt to address?
The paper addresses the difficulty that existing intrusion detection systems (IDS) have in detecting stealthy attacks launched by advanced persistent threat (APT) actors against Active Directory (AD) in modern enterprise networks. Specifically:

1. **Limitations of existing IDS**:
   - Conventional IDS are good at identifying malicious behaviors caused by malware, but are often ineffective against stealthy APT attacks (for example, those using Living-Off-the-Land binaries and low-and-slow strategies).
   - Existing provenance-based intrusion detection systems (PIDS) are limited to intra-machine tracing and cannot trace across machines, so they cannot reveal the scope of an attacker's traversal inside the network.

2. **Challenges of cross-machine tracing**:
   - Cross-machine dependency explosion: naive cross-machine linking (for example, based on network connections) produces a large number of false dependencies.
   - Identifying the correct logon session ID and the system activities associated with it is complex but crucial, because the same credentials may be used by several users or by an attacker.

3. **Characteristics of AD attacks**:
   - Attackers abuse AD functionality for internal reconnaissance, credential access, lateral movement, and privilege escalation.
   - AD attack techniques (such as Kerberoasting and Pass-the-Hash) resemble each other and are easily confused, so they must be distinguished accurately for effective threat scoring and alert triage.

To address these problems, the paper proposes HADES, which improves AD attack detection through:

- **A lightweight authentication anomaly detection model**: identifies a potential AD attack and hands the result to the second-stage components.
- **Logon session based execution partitioning and tracing**: uses the logon session ID to achieve fine-grained cross-machine causal tracing and to curb the dependency explosion problem.
- **A new alert triage algorithm**: combines in-depth analysis of AD attacks to improve the reliability and interpretability of detection.

With these improvements, HADES provides more accurate and reliable attack graphs and threat scores when detecting AD attacks, helping security analysts understand and respond to complex APT attacks.
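As an added illustration (not code from the HADES paper) of the logon session based partitioning idea above: process events on each host are grouped by their logon session ID rather than by host or network connection, and a network logon on a second host is linked back only to the originating session, so an unrelated user's session on the same source host stays out of the trace. The simplified event fields, the user-plus-source-IP linking rule and the sample events are constructed assumptions; the paper's actual partitioning and linking logic is not reproduced here.

```python
from collections import defaultdict

# Constructed sample events in a simplified Windows Security log shape:
# 4624 = logon (logon_id, user, logon type, source IP), 4688 = process creation.
EVENTS = [
    {"host": "WS1", "id": 4624, "logon_id": "0x3e7a", "user": "alice", "type": 2, "src_ip": "-"},
    {"host": "WS1", "id": 4688, "logon_id": "0x3e7a", "image": "cmd.exe"},
    {"host": "WS1", "id": 4688, "logon_id": "0x3e7a", "image": "net.exe"},
    {"host": "WS1", "id": 4624, "logon_id": "0x5b10", "user": "bob", "type": 2, "src_ip": "-"},
    {"host": "WS1", "id": 4688, "logon_id": "0x5b10", "image": "outlook.exe"},
    {"host": "SRV1", "id": 4624, "logon_id": "0x9c02", "user": "alice", "type": 3, "src_ip": "10.0.0.5"},
    {"host": "SRV1", "id": 4688, "logon_id": "0x9c02", "image": "powershell.exe"},
]
HOST_IPS = {"WS1": "10.0.0.5", "SRV1": "10.0.0.9"}  # constructed inventory


def partition_by_session(events):
    """Group process creations by (host, logon_id); keep the logon event per session."""
    sessions, procs = {}, defaultdict(list)
    for e in events:
        key = (e["host"], e["logon_id"])
        if e["id"] == 4624:
            sessions[key] = e
        elif e["id"] == 4688:
            procs[key].append(e["image"])
    return sessions, procs


def link_cross_machine(sessions, host_ips):
    """Link each network logon (type 3) back to the same user's local session on the
    source host. Assumed simplification: with several candidate sessions, a real
    system would also use timestamps and authentication context to disambiguate."""
    ip_to_host = {ip: h for h, ip in host_ips.items()}
    links = {}
    for key, s in sessions.items():
        if s["type"] != 3:
            continue
        src_host = ip_to_host.get(s["src_ip"])
        for okey, o in sessions.items():
            if okey[0] == src_host and o["user"] == s["user"] and o["type"] != 3:
                links[key] = okey
    return links


def trace(start, sessions, procs, links):
    """Walk links backwards from a session, yielding the per-session process lists."""
    chain, key = [], start
    while key is not None:
        chain.append((key, procs.get(key, [])))
        key = links.get(key)
    return chain


if __name__ == "__main__":
    sessions, procs = partition_by_session(EVENTS)
    for hop in trace(("SRV1", "0x9c02"), sessions, procs, link_cross_machine(sessions, HOST_IPS)):
        print(hop)
```

Because the partition key is the logon session rather than the host, bob's `outlook.exe` on WS1 is never pulled into the trace of alice's network logon on SRV1.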