Authors
Tim Bai, Haibo Bian, Abbas Abou Daya, Mohammad A Salahuddin, Noura Limam, Raouf Boutaba
Publication date
2019/10/14
Conference
2019 IEEE 44th Conference on Local Computer Networks (LCN)
Pages
242-245
Publisher
IEEE
Description
Detecting cyber threats has been an ongoing research endeavor. In this era, advanced persistent threats (APTs) can incur significant costs for organizations and businesses. The ultimate goal of cyber security is to thwart attackers from achieving their malicious intent, whether it is credential stealing, infrastructure takeover, or program sabotage. Every cyber attack goes through several stages before its termination. Lateral movement (LM) is one of those stages, and one of particular importance. Remote Desktop Protocol (RDP) is a method used in LM to successfully authenticate to an unauthorized host, and it leaves footprints in both host and network logs. In this paper, we propose to detect evidence of LM with an anomaly detection approach that leverages Windows RDP event logs. We evaluate various supervised machine learning (ML) techniques for classifying RDP sessions with high precision and recall. We also …
Total citations
Citations-per-year chart, 2020 to 2024 (per-year counts not recoverable from the extracted chart)
Scholar articles
T Bai, H Bian, A Abou Daya, MA Salahuddin, N Limam… - 2019 IEEE 44th Conference on Local Computer …, 2019