Credential Theft Powered Unauthorized Login Detection through Spatial Augmentation

dc.contributor.author: Burch, Zachary Campbell
dc.contributor.committeechair: Tront, Joseph G.
dc.contributor.committeemember: Prakash, B. Aditya
dc.contributor.committeemember: Wang, Gang Alan
dc.contributor.department: Computer Science
dc.date.accessioned: 2018-10-30T08:00:49Z
dc.date.available: 2018-10-30T08:00:49Z
dc.date.issued: 2018-10-29
dc.description.abstract: Credential theft is a network intrusion vector that subverts the traditional defenses of a campus network; a malicious login is the act of an attacker using those stolen credentials to access the target network. Historically, this approach is simple for an attacker to conduct and hard for a defender to detect. Alternative mitigation strategies require an in-depth view of the network hosts, an untenable proposition in a campus network. We introduce a method of spatial augmentation of login events, creating a user trajectory and a source IP trajectory for each event. These location mappings, built from user wireless activity and network state information, provide the features needed for login classification. From this, we design and build a real-time data collection, augmentation, and classification system that generates alerts on malicious events. With a relational database for data processing and a trained weighted random forests ensemble classifier, the generated alerts are both timely and few enough to allow a human analyst to review every generated event. We evaluate this design against three levels of attacker ability under a defined threat model. We evaluate our approach with a proof-of-concept system on weeks of live data collected from the Virginia Tech campus, under an IRB-approved research protocol.
dc.description.abstractgeneral: For a computer network, a common mode of access is a login: the entering of a valid username and password for authentication. Attackers use a variety of methods to steal user login credentials, and several of these approaches go unnoticed by network defenders. Complicating matters further, a higher-education campus network, such as Virginia Tech, inherently has less information about the state of the network, since students and teachers bring their privately owned devices. To counter this attack method, we determine the class, authorized or unauthorized, of login events using data that a campus network can consistently provide. After classification, alerts are generated for security analysts, helping to further defend the network. Spatial augmentation is a process we introduce to allow login classification with machine learning algorithms. For every login event on the campus, a history of user locations and source event locations can be provided, using data collected from the campus network infrastructure. Location data provides stronger classification of login events, since studies show that attackers performing an unauthorized login are inherently at a physical distance from the normal user of the account. For evaluation, we build a system to augment and classify login events while limiting the number of false alerts to a usable level.
dc.description.degree: Master of Science
dc.format.medium: ETD
dc.identifier.other: vt_gsexam:17585
dc.identifier.uri: http://hdl.handle.net/10919/85583
dc.publisher: Virginia Tech
dc.rights: In Copyright
dc.rights.uri: http://rightsstatements.org/vocab/InC/1.0/
dc.subject: Security
dc.subject: Machine learning
dc.subject: Login Classification
dc.subject: Spatial Augmentation
dc.title: Credential Theft Powered Unauthorized Login Detection through Spatial Augmentation
dc.type: Thesis
thesis.degree.discipline: Computer Science and Applications
thesis.degree.grantor: Virginia Polytechnic Institute and State University
thesis.degree.level: masters
thesis.degree.name: Master of Science

Files

Original bundle
Name: Burch_ZC_T_2018.pdf
Size: 645.04 KB
Format: Adobe Portable Document Format