METHOD AND SYSTEM FOR DETECTING LATERAL MOVEMENT IN ENTERPRISE COMPUTER NETWORKS

摘要

A system includes a log receiving module, an authentication graph module, a sampling module, an embedding module, a training module, a link prediction module, and an anomaly detection module. The log receiving module is configured to receive a first plurality of network-level authentication logs. The authentication graph module is configured to generate an authentication graph. The sampling module is configured to generate a plurality of sequences. The embedding module is configured to tune a plurality of node embeddings according to the plurality of sequences. The training module is configured to train a link predictor according to the plurality of node embeddings and ground-truth edge information from the authentication graph. The link prediction module is configured to apply the link predictor to performs a link prediction. The anomaly detection module is configured to perform anomaly detection according to the link prediction.