Detection of Current Attacks in Active Directory Environment with Log Correlation Methods

Author: Mehmet Sabri Elmastaş
Language: English
Year of publication: 2023
Subject:
Source: Havacılık ve Uzay Teknolojileri Dergisi, Vol 16, Iss 2, Pp 36-55 (2023)
Document type: article
ISSN: 1304-0448, 2148-1059
98997963
Description: Active Directory is a directory service that provides centralized management and identity management, and with them control and integrity, to IT environments that grow over time and accumulate devices. Protecting user credentials, corporate systems and sensitive data from unauthorized access is one of the basic principles of information security. Security monitoring of Active Directory environments is usually performed with signature-based detection rules. However, these rules are not always effective or sufficient, especially against attacks whose individual actions look like legitimate activity. In this study, log correlation techniques are applied to detect lateral movement and Kerberoasting attacks. Using features derived from the Windows Event Log, various machine learning algorithms were trained and evaluated on data from a real Active Directory environment. The result has been implemented as detection rules for practical use on Splunk, a Security Information and Event Management (SIEM) platform. In an experimental comparison with signature-based approaches, the proposed solution improves detection capability and also reduces the number of false alarms for both attack techniques considered.
Database: Directory of Open Access Journals
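To make the abstract's contrast concrete, the following added example (written for this page, not code from the paper, its Splunk rules or its machine learning models) runs a single-event signature rule and two time-window correlation rules over a handful of constructed Windows Security event records. Event ID 4769 (Kerberos service ticket requested), event ID 4624 with logon type 3 (network logon) and ticket encryption type 0x17 (RC4-HMAC) are standard Windows auditing values; the field names, the sample records, and the thresholds and windows are assumptions chosen for illustration.

```python
"""
Toy log-correlation detector for Kerberoasting and lateral movement,
run over constructed Windows Security event records (not real telemetry).

Windows facts used: event 4769 = Kerberos service ticket requested,
event 4624 = account logon, logon_type 3 = network logon,
etype 0x17 = RC4-HMAC.  Field names, thresholds and windows are
illustrative assumptions, not values from the paper.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events. Timestamps are ISO 8601 (UTC).
SAMPLE_EVENTS = [
    # Legitimate: a backup service account requests one RC4 ticket for a
    # legacy SQL SPN twice a day. A signature rule alerts on both.
    {"ts": "2023-05-01T09:00:05", "id": 4769, "user": "svc_backup", "src_ip": "10.0.0.20",
     "spn": "MSSQLSvc/db01.corp.local:1433", "etype": "0x17"},
    {"ts": "2023-05-01T13:00:05", "id": 4769, "user": "svc_backup", "src_ip": "10.0.0.20",
     "spn": "MSSQLSvc/db01.corp.local:1433", "etype": "0x17"},
    # Kerberoasting pattern: one user requests RC4 tickets for many distinct
    # SPNs within a few seconds.
    {"ts": "2023-05-01T10:15:00", "id": 4769, "user": "jdoe", "src_ip": "10.0.0.77",
     "spn": "MSSQLSvc/db01.corp.local:1433", "etype": "0x17"},
    {"ts": "2023-05-01T10:15:02", "id": 4769, "user": "jdoe", "src_ip": "10.0.0.77",
     "spn": "HTTP/web01.corp.local", "etype": "0x17"},
    {"ts": "2023-05-01T10:15:04", "id": 4769, "user": "jdoe", "src_ip": "10.0.0.77",
     "spn": "CIFS/fs01.corp.local", "etype": "0x17"},
    {"ts": "2023-05-01T10:15:06", "id": 4769, "user": "jdoe", "src_ip": "10.0.0.77",
     "spn": "ldap/dc01.corp.local", "etype": "0x17"},
    # Lateral movement pattern: same account/source performs network logons
    # to many distinct hosts within minutes.
    {"ts": "2023-05-01T10:20:00", "id": 4624, "user": "jdoe", "src_ip": "10.0.0.77", "host": "ws01", "logon_type": 3},
    {"ts": "2023-05-01T10:21:00", "id": 4624, "user": "jdoe", "src_ip": "10.0.0.77", "host": "ws02", "logon_type": 3},
    {"ts": "2023-05-01T10:22:00", "id": 4624, "user": "jdoe", "src_ip": "10.0.0.77", "host": "fs01", "logon_type": 3},
    {"ts": "2023-05-01T10:24:00", "id": 4624, "user": "jdoe", "src_ip": "10.0.0.77", "host": "db01", "logon_type": 3},
    # Legitimate: an interactive logon and a single admin network logon.
    {"ts": "2023-05-01T08:30:00", "id": 4624, "user": "jdoe", "src_ip": "10.0.0.77", "host": "ws01", "logon_type": 2},
    {"ts": "2023-05-01T11:00:00", "id": 4624, "user": "admin", "src_ip": "10.0.0.5", "host": "fs01", "logon_type": 3},
]


def parse_ts(s):
    return datetime.fromisoformat(s)


def signature_rc4_ticket_alerts(events):
    """Single-event signature: alert on every RC4 service-ticket request.
    Catches the attacker but also fires on the legacy service account."""
    return [e for e in events if e["id"] == 4769 and e["etype"] == "0x17"]


def correlate_burst(events, key_fields, distinct_field, window, threshold):
    """Generic correlation: group events by key, slide a time window over
    each group and alert when the number of distinct `distinct_field`
    values inside one window reaches `threshold` (one alert per key)."""
    groups = defaultdict(list)
    for e in events:
        groups[tuple(e[k] for k in key_fields)].append(e)
    alerts = []
    for key, evs in groups.items():
        evs.sort(key=lambda e: parse_ts(e["ts"]))
        for i, start in enumerate(evs):
            t0 = parse_ts(start["ts"])
            seen = set()
            for e in evs[i:]:
                if parse_ts(e["ts"]) - t0 > window:
                    break
                seen.add(e[distinct_field])
            if len(seen) >= threshold:
                alerts.append({"key": key, "distinct": len(seen), "first_seen": start["ts"]})
                break
    return alerts


def detect_kerberoasting(events, window=timedelta(minutes=5), threshold=3):
    """Correlated rule: many distinct SPNs with RC4 tickets per (user, source)."""
    rc4 = [e for e in events if e["id"] == 4769 and e["etype"] == "0x17"]
    return correlate_burst(rc4, ("user", "src_ip"), "spn", window, threshold)


def detect_lateral_movement(events, window=timedelta(minutes=10), threshold=3):
    """Correlated rule: network logons to many distinct hosts per (user, source)."""
    net = [e for e in events if e["id"] == 4624 and e["logon_type"] == 3]
    return correlate_burst(net, ("user", "src_ip"), "host", window, threshold)


if __name__ == "__main__":
    print("signature alerts:", len(signature_rc4_ticket_alerts(SAMPLE_EVENTS)))
    print("kerberoasting:", detect_kerberoasting(SAMPLE_EVENTS))
    print("lateral movement:", detect_lateral_movement(SAMPLE_EVENTS))
```

On the sample data the signature rule raises six alerts, two of them on the legitimate backup account, while each correlated rule raises exactly one alert keyed to the attacking (user, source) pair. The same grouping-and-window logic is what a SIEM search expresses with a bucketed count of distinct values per account; the thresholds here are arbitrary and would be tuned against a real environment's baseline.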