Digital Forensics and Cyber Crime. 14th EAI International Conference, ICDF2C 2023, New York City, NY, USA, November 30, 2023, Proceedings, Part II

Research Article

Unraveling Network-Based Pivoting Maneuvers: Empirical Insights and Challenges

@INPROCEEDINGS{10.1007/978-3-031-56583-0_9,
    author={Martin Hus\'{a}k and Shanchieh Jay Yang and Joseph Khoury and Đorđe Klisura and Elias Bou-Harb},
    title={Unraveling Network-Based Pivoting Maneuvers: Empirical Insights and Challenges},
    proceedings={Digital Forensics and Cyber Crime. 14th EAI International Conference, ICDF2C 2023, New York City, NY, USA, November 30, 2023, Proceedings, Part II},
    proceedings_a={ICDF2C PART 2},
    year={2024},
    month={4},
    keywords={pivoting, lateral movement, monitoring, NetFlow},
    doi={10.1007/978-3-031-56583-0_9}
}

Martin Husák1,*, Shanchieh Jay Yang2, Joseph Khoury3, Đorđe Klisura3, Elias Bou-Harb3
  • 1: Institute of Computer Science
  • 2: Department of Computer Engineering, Rochester Institute of Technology
  • 3: The Cyber Center for Security and Analytics, The University of Texas at San Antonio
*Contact email: husakm@ics.muni.cz

Abstract

Pivoting is a strategy employed by modern malware and Advanced Persistent Threats (APTs) to complicate attack tracing and attribution: the attacker reaches a target through an already compromised intermediate host rather than directly. Detecting pivoting activity is therefore essential to countering these threats. In this study, we examined the detection of pivoting by analyzing network traffic data collected over a period of 10 days in a campus network. Through NetFlow monitoring, we first identified potential pivoting candidates, i.e., traces in the network traffic that match known pivoting patterns. We then conducted an in-depth analysis of these candidates and uncovered a significant number of false positives and benign pivoting-like patterns. To support investigation and understanding, we introduced a novel graph representation, the pivoting graph, which provides comprehensive visualization capabilities. Investigating pivoting candidates is, however, highly dependent on the specific context and requires a strong understanding of the local environment. To address this challenge, we applied principal component analysis and clustering techniques to a diverse range of features. This allowed us to identify the most meaningful features for automated pivoting detection, removing the need for prior knowledge of the local environment.
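The abstract describes the first stage of the study: scanning NetFlow records for traces that match a known pivoting pattern, building a pivoting graph from the matches, and deriving per-host features for later analysis. The following is an added illustration and is not code from the paper or its authors. It assumes one common chain pattern, a flow A -> B followed by a flow B -> C that starts while A -> B is still open and within a short window, with C being neither A nor B; the authors' exact pattern definitions, pivoting-graph representation and feature set are not reproduced here. The flow records are constructed for the example, and the benign front-end-to-database chain in them is included to show the kind of pivoting-like pattern the abstract warns about. The feature names (chains, distinct_sources, distinct_targets, distinct_outbound_ports, median_delay_s) are the example's own choice.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median
from typing import NamedTuple

# Constructed NetFlow-like records for illustration (not real campus traffic).
# Columns: start, end, src, dst, dport, proto
SAMPLE_FLOWS = """\
# external host opens a long SSH session to an internal server ...
2024-01-15T10:00:00,2024-01-15T10:05:00,203.0.113.5,10.0.1.10,22,TCP
# ... the server calls back to the same external host (not a pivot: C == A)
2024-01-15T10:00:05,2024-01-15T10:00:06,10.0.1.10,203.0.113.5,4444,TCP
# ... and reaches two further internal hosts over SMB while the SSH session is open
2024-01-15T10:00:12,2024-01-15T10:00:40,10.0.1.10,10.0.2.20,445,TCP
2024-01-15T10:00:15,2024-01-15T10:00:16,10.0.1.10,10.0.2.21,445,TCP
# benign look-alike: client -> web front end -> database back end
2024-01-15T10:01:00,2024-01-15T10:01:02,10.0.3.7,10.0.3.8,80,TCP
2024-01-15T10:01:01,2024-01-15T10:01:01,10.0.3.8,10.0.3.9,3306,TCP
# admin SSH hop followed by an unrelated connection well outside the window
2024-01-15T10:02:00,2024-01-15T10:02:30,10.0.4.1,10.0.4.2,22,TCP
2024-01-15T10:03:30,2024-01-15T10:03:31,10.0.4.2,10.0.4.3,22,TCP
"""


class Flow(NamedTuple):
    start: datetime
    end: datetime
    src: str
    dst: str
    dport: int
    proto: str


def parse_flows(text):
    """Parse the CSV records above into Flow tuples, skipping comments and blanks."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        start, end, src, dst, dport, proto = line.split(",")
        flows.append(Flow(datetime.fromisoformat(start), datetime.fromisoformat(end),
                          src, dst, int(dport), proto))
    return flows


def find_pivot_candidates(flows, window=timedelta(seconds=30)):
    """Return (inbound, outbound) pairs A->B, B->C where B->C starts no earlier than A->B,
    within `window` of it, while A->B is still open, and C is neither A nor B.
    This chain pattern is an assumption of the example, not the paper's definition."""
    by_src = defaultdict(list)
    for f in flows:
        by_src[f.src].append(f)
    for lst in by_src.values():
        lst.sort(key=lambda f: f.start)
    candidates = []
    for inbound in flows:
        for outbound in by_src.get(inbound.dst, []):
            if outbound.start < inbound.start:
                continue
            if outbound.start - inbound.start > window:
                break  # list is sorted by start, so nothing later can match
            if outbound.start > inbound.end:
                continue  # the pivot host's inbound session is already closed
            if outbound.dst in (inbound.src, inbound.dst):
                continue  # reply/callback to A, or B talking to itself
            candidates.append((inbound, outbound))
    return candidates


def pivoting_graph(candidates):
    """Directed adjacency A -> B -> C over all candidate chains. This plain adjacency
    is the example's simplification; the paper's pivoting graph carries more detail."""
    graph = defaultdict(set)
    for inbound, outbound in candidates:
        graph[inbound.src].add(inbound.dst)
        graph[inbound.dst].add(outbound.dst)
    return {node: sorted(nbrs) for node, nbrs in graph.items()}


def pivot_host_features(candidates):
    """Per pivot host B, simple numeric features of the kind fed to PCA/clustering."""
    per_host = defaultdict(list)
    for inbound, outbound in candidates:
        per_host[inbound.dst].append((inbound, outbound))
    feats = {}
    for host, pairs in per_host.items():
        feats[host] = {
            "chains": len(pairs),
            "distinct_sources": len({i.src for i, _ in pairs}),
            "distinct_targets": len({o.dst for _, o in pairs}),
            "distinct_outbound_ports": len({o.dport for _, o in pairs}),
            "median_delay_s": median((o.start - i.start).total_seconds() for i, o in pairs),
        }
    return feats


if __name__ == "__main__":
    cands = find_pivot_candidates(parse_flows(SAMPLE_FLOWS))
    for i, o in cands:
        delay = (o.start - i.start).total_seconds()
        print(f"{i.src} -> {i.dst}:{i.dport} -> {o.dst}:{o.dport} (+{delay:.0f}s)")
    print(pivoting_graph(cands))
    print(pivot_host_features(cands))
```

On the constructed records the pattern yields three candidates: two genuine chains through 10.0.1.10 and one benign chain through the web front end 10.0.3.8, while the delayed hop via 10.0.4.2 falls outside the window. The benign match is exactly why pattern matching alone produces false positives: only context (that 10.0.3.8 is a web server whose back end is 10.0.3.9) separates it from the attack, which is the gap the paper's feature-based analysis is meant to close.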

Keywords
pivoting, lateral movement, monitoring, NetFlow

Published
2024-04-03

Appears in
SpringerLink
http://dx.doi.org/10.1007/978-3-031-56583-0_9