AGE: Authentication Graph Embedding for Detecting Anomalous Login Activities

Abstract

Detecting anomalies in login activities is a critical step in responding to credential-based lateral movement attacks. Although an attacker with compromised credentials can impersonate legitimate users and move laterally between computers without triggering an alarm, the attacker's login activities would likely deviate from the users’ normal patterns. We propose AGE, a system that detects anomalous login activities based on Authentication Graph Embedding. The goal of authentication graph embedding is to capture comprehensive relationships that facilitate the construction of user profiles. Specifically, the user profiles contain three types of features: familiarity-related features, similarity-related features, and lateral movement walks-related features. To evaluate AGE thoroughly, we use our synthetic malicious lateral movement traces as well as red team activities provided by CMU-CERT. Extensive experiments show that AGE achieves good performance and outperforms the baseline methods. Moreover, we also design experiments that help us understand the authentication graph embedding.

Cite

Wei, R., Cai, L., Yu, A., & Meng, D. (2020). AGE: Authentication Graph Embedding for Detecting Anomalous Login Activities. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 11999 LNCS, pp. 341–356). Springer. https://doi.org/10.1007/978-3-030-41579-2_20