Unraveling Network-based Pivoting Maneuvers: Empirical Insights and Challenges

Authors

Martin Husák, Shanchieh Jay Yang, Joseph Khoury, Dorde Klisura, Elias Bou-Harb

Year of publication 2024
Type Article in Proceedings
Conference Digital Forensics and Cyber Crime
MU Faculty or unit

Institute of Computer Science

Citation
DOI http://dx.doi.org/10.1007/978-3-031-56583-0_9
Keywords pivoting; lateral movement; monitoring; NetFlow
Description Pivoting is a strategy employed by modern malware and Advanced Persistent Threats (APTs) to complicate attack tracing and attribution: an attacker routes further activity through an already compromised host so that subsequent connections appear to originate from inside the network. Detecting pivoting is therefore important for countering these threats effectively. In this study, we examined the detection of pivoting by analyzing network traffic data collected over a period of 10 days in a campus network. Through NetFlow monitoring, we first identified potential pivoting candidates, i.e., traces in the network traffic that match known pivoting patterns. We then conducted an in-depth analysis of these candidates and uncovered a significant number of false positives and benign pivoting-like patterns. To support investigation and understanding, we introduced a novel graph representation called a pivoting graph, which provides comprehensive visualization capabilities. Investigating pivoting candidates, however, is highly dependent on the specific context and requires a strong understanding of the local environment. To address this challenge, we applied principal component analysis and clustering techniques to a diverse range of features. This allowed us to identify the most meaningful features for automated pivoting detection, eliminating the need for prior knowledge of the local environment.
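The candidate-identification step described above, as an added example that is not code from the paper: the Python sketch below scans constructed NetFlow-like records for the usual pivoting heuristic, a flow into a host followed within a short window by a flow from that same host to a third host. The heuristic itself, the 60-second window, the record fields and all sample addresses are assumptions made for this illustration, not the paper's definitions. The sketch chains candidates into multi-hop host paths, aggregates them into the weighted edge list behind a pivoting graph, and shows how a recursive DNS resolver produces a benign pivoting-like pattern that only local context (a list of known relays) removes.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """Minimal NetFlow-like record (assumed fields; real exports carry more)."""
    start: float  # flow start time, seconds
    src: str
    dst: str
    dport: int


# Constructed sample flows (hypothetical addresses): a three-hop intrusion chain,
# a recursive DNS resolver that looks like a pivot, and a late flow outside any window.
FLOWS = [
    Flow(100.0, "203.0.113.5", "10.0.1.10", 22),    # external -> bastion
    Flow(130.0, "10.0.1.10", "10.0.2.20", 445),     # bastion -> file server
    Flow(150.0, "10.0.2.20", "10.0.3.30", 3389),    # file server -> workstation
    Flow(200.0, "10.0.5.50", "10.0.9.9", 53),       # client -> local resolver
    Flow(200.5, "10.0.9.9", "8.8.8.8", 53),         # resolver -> upstream (benign)
    Flow(5000.0, "10.0.1.10", "10.0.7.7", 80),      # too late to be linked
]


def find_pivot_candidates(flows, window=60.0):
    """Return (a, b, c, t_in, t_out) tuples: b received a flow from a at t_in
    and started a flow to c at t_out, with 0 <= t_out - t_in <= window."""
    inbound = defaultdict(list)
    for f in flows:
        inbound[f.dst].append(f)
    for lst in inbound.values():
        lst.sort(key=lambda f: f.start)
    candidates = []
    for f_out in sorted(flows, key=lambda f: f.start):
        for f_in in inbound.get(f_out.src, []):
            if f_in.start > f_out.start:
                break  # inbound list is sorted; nothing later can qualify
            if f_out.start - f_in.start <= window and f_in.src not in (f_out.src, f_out.dst):
                candidates.append((f_in.src, f_out.src, f_out.dst, f_in.start, f_out.start))
    return candidates


def build_chains(candidates):
    """Link a candidate (a, b, c, t_in, t_out) to a successor (b, c, d, t_out, ...)
    so that multi-hop pivoting shows up as one host path."""
    by_head = {}
    for cand in candidates:
        by_head.setdefault((cand[0], cand[1], cand[3]), cand)  # first match wins
    tails = {(b, c, t_out) for _, b, c, _, t_out in candidates}
    chains = []
    for cand in candidates:
        if (cand[0], cand[1], cand[3]) in tails:
            continue  # continuation of another candidate, not a chain start
        hosts = [cand[0], cand[1], cand[2]]
        seen = {cand}
        nxt = by_head.get((cand[1], cand[2], cand[4]))
        while nxt is not None and nxt not in seen:
            seen.add(nxt)
            hosts.append(nxt[2])
            nxt = by_head.get((nxt[1], nxt[2], nxt[4]))
        chains.append(hosts)
    return chains


def pivoting_graph(candidates):
    """Directed edge -> count: the weighted edge list behind a pivoting graph."""
    edges = defaultdict(int)
    for a, b, c, _, _ in candidates:
        edges[(a, b)] += 1
        edges[(b, c)] += 1
    return dict(edges)


def drop_known_relays(chains, relays):
    """Local context: discard chains whose every intermediate host is a known
    forwarder (resolver, proxy, NAT gateway). This is where site knowledge enters."""
    return [ch for ch in chains if not all(h in relays for h in ch[1:-1])]


if __name__ == "__main__":
    cands = find_pivot_candidates(FLOWS)
    for ch in drop_known_relays(build_chains(cands), {"10.0.9.9"}):
        print(" -> ".join(ch))
```

Run as-is, the resolver chain 10.0.5.50 -> 10.0.9.9 -> 8.8.8.8 is a candidate until the relay list removes it, which is the kind of environment-specific knowledge the abstract says its feature-selection step aims to make unnecessary; shrinking the window trades recall for fewer such candidates.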