Detecting APT attacks against Active Directory using Machine Learning

Cited by: 0
Authors
Matsuda, Wataru [1]
Fujimoto, Mariko [1]
Mitsunaga, Takuho [1]
Affiliations
[1] Univ Tokyo, Tokyo, Japan
Source
2018 IEEE CONFERENCE ON APPLICATION, INFORMATION AND NETWORK SECURITY (AINS 2018) | 2018
Keywords
machine learning; outlier detection; unsupervised learning; Active Directory; Event log; APT; Golden Ticket
DOI
Not available
Chinese Library Classification (CLC)
TP [Automation technology, computer technology]
Discipline classification code
0812
Abstract
In Advanced Persistent Threat (APT) attacks, attackers who have intruded into an organization's network tend to stay inside the network, or to repeat intrusions, until they accomplish their goals. When Active Directory (AD), a centralized management system for Windows computers, is in place, attackers try to disguise themselves as users of legitimate Domain Administrator accounts, the highest-privileged accounts in an AD environment. Activities on Windows systems are recorded in the built-in Windows activity logging system, the Event logs, which are commonly used for investigating attacks. However, if attackers leverage legitimate accounts or built-in Windows tools in order to avoid detection, it is quite difficult to detect the attack from Event logs, since the attackers' activities are recorded as activities of legitimate administrator accounts. Although various antivirus products exist, detecting such a sophisticated attack is often very difficult. In this research, we focus on processing attack activity data recorded in the Event logs, and propose a new method based on outlier detection and machine learning for detecting attacks that utilize legitimate accounts. We achieved a high precision rate even when legitimate Domain Administrator accounts are leveraged in attacks.
Pages: 60 / 65
Page count: 6