Real Time Lateral Movement Detection based on Evidence Reasoning Network for Edge Computing Environment

by Zhihong Tian, et al.

Edge computing provides higher-class intelligent services and computing capabilities at the edge of the network. The aim is to ease the backhaul impact and offer an improved user experience; however, edge artificial intelligence worsens the security situation of the cloud computing environment because data, access control and service stages become dissociated. In order to prevent users from using the edge-cloud computing environment to carry out lateral movement attacks, we propose a method named CloudSEC, meaning real-time lateral movement detection based on an evidence reasoning network for the edge-cloud environment. The concept of vulnerability correlation is introduced. Based on the vulnerability knowledge and environmental information of the network system, the evidence reasoning network is constructed, and the lateral movement reasoning ability provided by the evidence reasoning network is used. CloudSEC realizes efficient real-time reconstruction of the attack process. The experiments show that the results are complete and credible.


page 1

page 2

page 3

page 4



I Introduction

Cloud computing services are critical information platform, application and infrastructure resources that users access via the Internet [1-3]. These services, offered by companies such as Google and Amazon, enable customers to leverage powerful computing resources that would otherwise be beyond their means to purchase and maintain. The success of cloud computing has already changed the face of the world's information infrastructure.

In order to ease the backhaul impact and offer an improved user experience, edge computing is designed to share the load of the cloud center and to provide an IT service environment and computing capabilities at the edge of the network [4,5]. The edge computing environment is characterized by low latency, proximity and high bandwidth. Combined with the traditional cloud computing environment, edge computing enables innovative services such as e-Health, augmented reality, smart cameras, gaming and industrial automation [6].

The "edge-cloud" model extends the complexity of cloud services [7-11]. More authority has to be transferred to the edge participants, and more stages and data interactions are involved during the delivery of services [12-15]. As a result, it turns out to be impractical to prevent all intrusions. Thus, monitoring the operation of a system is essential to its security. To that end, researchers collect monitoring information to estimate the current state of the system based on usage patterns, detect whether intrusions exist, and drive response actions.

Lateral movement techniques are frequently used to launch cyber-attacks, especially against hierarchically structured systems. In the edge-cloud environment, lateral movement detection involves two main challenges.

1. Data persistence in edge computing may differ from the traditional scenario: there is less certainty about where data originated, whether it will persist, and where it will be stored, since edge nodes are often memory-limited and computationally constrained devices. Traditional lateral movement detection methods, which need significant manual effort and business-specific knowledge, have little opportunity to flourish in such a scenario.

2. The underlying architecture of the edge computing environment is often dynamic, for example a vehicular fog computing system based on vehicular ad hoc networks. As a result, lateral movement detection methods that rely on detecting changes in node behaviour may not apply successfully to the edge environment.

Existing solutions give little consideration to such scenarios. When a host is discovered to be compromised, there are a couple of fundamental questions that should always be asked: What route did this attack traverse? How was the movement possible? What was the end target? What controls were executed to make the threat persistent? In order to meet these forensic requirements, the lateral movement detection method should be applicable to edge-cloud computing environments.

In this paper, we present a lateral movement detection method based on an Evidence Reasoning Network (ERN) for the edge-cloud computing environment, referred to as CloudSEC. CloudSEC introduces the concept of vulnerability correlation and builds an ERN from the network system's vulnerabilities and environmental information. Experimental results show that CloudSEC supplies a complete and credible evidence chain and that it has the capacity for real-time lateral movement reasoning. These properties provide a strong guarantee for rapid and effective evidence investigation. The contributions of CloudSEC are threefold: First, it offers a list of concrete evidence on the detected attack, which gives more confidence to the cloud service provider. Second, it enables the cloud service provider to be fully aware of the consequences of an attack. Finally, it enables the cloud service provider to better determine the appropriate course of action that needs to be taken.

The remainder of this paper is organized as follows: In Section 2, we present related previous work, such as event correlation in virtual machines. In Section 3, we depict the overall structure of our method. In Section 4, we present the details of our proposed lateral movement detection method and its correlation algorithms. The experiments conducted to evaluate our method are discussed in Section 5. Section 6 concludes the paper with a summary and a discussion of future research directions.

II Related Works

To date, several techniques have been proposed for analyzing Android malware cloud data [16-20]. In this paper, we focus exclusively on related work that applies forensic techniques to monitoring virtual machines in the cloud computing environment.

Most mature forensic investigation tools, such as EnCase [21] and Safeback [22], focus on capturing and analyzing evidence from media stored on a single host. Mnemosyne is a dynamically configurable advanced packet capturing application that supports multi-stream capturing, sliding-window based logging to conserve space, and query support on collected packets [23]. The evidence graph network forensic analysis mechanism [24][25] includes effective evidence presentation, manipulation and automated reasoning. Although it is nice to present evidence correlation in graphic mode, this system is still a prototype and lacks effective inference capability. Tian et al. [26][27] developed a network intrusion forensics system based on a transductive scheme and Dempster-Shafer Theory (DST) that can efficiently detect and analyze computer crimes in networked environments and extract digital evidence automatically. ForNet [28] is a novel distributed logging mechanism that focuses on network forensic evidence collection rather than evidence analysis. These approaches rely on long-term log data collection or on statistical methods and are therefore not suitable for environments with poor data persistence.

Different from the above-mentioned research, Walls et al. [29] developed DEC0DE, a system for recovering information from phones with unknown storage formats, which was a critical hurdle in forensic triage because phones have a myriad of custom hardware and software, and all stored data must be examined. Via flexible descriptions of typical data structures, and using a classic dynamic programming algorithm, the DEC0DE system is able to identify call logs and address book entries in phones across a wide range of models and manufacturers. In [30], the authors perform an extensive study of existing fuzzy hashing algorithms with the goal of understanding their applicability to clustering similar malware. They developed a memory triage tool that uses fuzzy hashing to intuitively identify malware by detecting common pieces of malicious code found within a process. In [31], a host-based intrusion detection system gained a high degree of visibility as it is integrated into the host's monitoring process. A new approach, based on the k-Nearest Neighbor (kNN) classifier, is used to classify program behavior as normal or intrusive. Ko et al. [32] introduced an approach that integrates intrusion detection techniques with software wrapping technology to enhance a system's ability to defend against intrusions. In particular, they employ the NAI Labs Generic Software Wrapper Toolkit to implement all or part of an intrusion detection system as ID wrappers.

Because the above host-based methods operate at user level, these systems are unfortunately quite susceptible to attacks once an attacker has gained access privileges on a host. Besides, an operating system crash will generally cause the whole system to fail. Since the host-based method runs in the same fault domain as the rest of the kernel, this will often cause the entire system to crash or allow the attacker to compromise the kernel [33-35].

III The Proposed CloudSEC Framework

An overview of the proposed CloudSEC architecture is shown in Figure 1. CloudSEC consists of two components: EventTracker and AlertCorrelator. Each Virtual Machine (VM) or container has a built-in EventTracker that is used to monitor user activities and detect intrusions by auditing the event log of that system, analyzing commands and tracing the system calls made by the users. AlertCorrelator is located at the edge of the cloud computing environment. It correlates and analyzes alerts generated by multiple distributed network intrusion detection sensors (NIDS) deployed in a specific cloud computing environment. A central management unit is responsible for exchanging information and puts in place a set of evaluation criteria used to judge the trustworthiness of the results. In the following sections, we describe these two components in detail.

The main idea behind CloudSEC is the modeling of the ERN. It is known that a lateral movement is a sequence of small attack units/steps that happen at different times and network locations following a certain logic. Each step of an attack can be considered a preparation step for the next one. In the ERN model, a detected attack step is referred to as an evidence. If we can discover all hidden correlations in an evidence chain, then a lateral movement is detected. Based on the concepts of vulnerability and vulnerability correlation, an ERN is constructed to correlate and reason out evidence chains and eventually achieve the goal of lateral movement detection. To ease the understanding of the ERN, we first describe the concepts of vulnerability and vulnerability correlation.

Fig. 1: The Architecture of CloudSEC

III-A Vulnerability and Vulnerability Correlation

The concept of vulnerability refers to defects of a computer system with respect to a given security policy. Since vulnerabilities are an intrinsic factor of security incidents, we define vulnerability and vulnerability correlation as follows:

Definition 1. (Vulnerability). A vulnerability is a defect that exists in a software system or software component. The exploitation of such a defect would violate one or more security policies and adversely affect the confidentiality, identifiability, and usability of the software system. We denote a vulnerability as v in the rest of this paper.

Definition 2. (Vulnerability Correlation). Supposing that a software system has vulnerabilities , if , so that the attacker could launch a multi-stage attack with , then we say that are correlated, or that there exists a correlation among .

Vulnerability correlation can be represented either as an AND or an OR structure (as shown in Figure 2).

Fig. 2: Two basic structures of vulnerability correlation

In an AND structure, the premise for exploiting vulnerability v to attack the target system is that all the vulnerabilities in have been exploited. In an OR structure, the premise for exploiting vulnerability v to attack the target system is that any one of the vulnerabilities in has been exploited.

Given that the nature of an attack is to exploit one or more existing vulnerabilities of a computer system, we need to associate attacks with vulnerabilities. To do so, we map the attack feature space into the vulnerability space, so that we can describe attack correlations from the perspective of vulnerability correlations. Therefore, in order to form a credible evidence chain, we construct an ERN that correlates discrete attack evidences based on vulnerability correlation.

III-B Evidence Reasoning Network Model

We use a directed graph to describe the connectivity and vulnerability correlations of an information system network, and call it an evidence reasoning network.

Definition 3. (Evidence Reasoning Network). An evidence reasoning network (ERN) is a directed graph G described by a 5-tuple , where:

  • is a set of n vertices, each of which carries some vulnerability information. A tuple represents a network node, where is the ID of the network node and is the set of vulnerabilities on , and .

  • is a set of directed links, each of which is an ordered pair , where contains and contains , , , . Such a link indicates that interconnects with and that and have a vulnerability correlation. We say that is a parent node and is a child node. For simplicity, we denote each such directed link as . For , we define as the set of incoming links that have node as their child node. Similarly, we define as the set of directed links that have node as their parent node.

  • is a set of logical expressions representing the relationships among the directed links, using the AND and OR logical operators along with brackets. is mapped one-to-one to , expressing the relationships among the directed links going into or out of each specific node. , if and , where , then parent nodes and both fall into an AND relationship with . On the other hand, and fall into an OR relationship.

  • is defined as a set of risk weights, one for each vertex in , and has a one-to-one mapping to . , we define , where denotes the functional value of vertex (information server, database server, workstation, etc.); denotes the probability of successful exploitation of vulnerability on vertex ; and denotes the security impact of vulnerability . is defined to set up the standard for evaluating the generated evidence chain.

  • contains one data structure for each vertex in and has a one-to-one mapping to . Here is a circular queue of length for evidence storage. Each element of the queue may be represented as , where is the timestamp; is the pointer to the child node, used to reconstruct the attack process flow; shows the state of this node, with values from 0 to 3 representing respectively a start node, both a start node and a virtual node, an intermediate node, or a virtual node; and is the risk weight. stores a set of pointers to the parent nodes of this vertex. Such reverse pointers (i.e. pointers to the parent nodes) are used to speed up the evidence reasoning process. For simplicity, we use '.' to index each specific element, for example or .

The following steps briefly describe the procedure for generating an ERN:

  1. Report the topology of the target network to be protected, provided by device users such as the administrators or the node hosts of the target network;

  2. Use existing vulnerability scanning tools such as Nmap and Nessus to probe the target network from different locations inside and outside the managed network domain;

  3. Construct the vertex set ;

  4. Traverse all vertices in the target network and recursively construct the set of directed links and the logical expression set based on node connectivity and vulnerability correlations;

  5. Compute using the predetermined risk weights and initialize the data structure set .

Obviously, the execution time of steps 1 and 2 depends on the characteristics and scale of the target network topology. However, the efficiency and executability of the forensics can be ensured by pre-computing the ERN a priori.

Figure 3 illustrates an example network information system consisting of 5 Linux systems (, , , , and ). Server has vulnerability , which threatens root users, and vulnerability , which threatens regular users. The rshd service is running on , which permits root users of and to gain remote access to and execute shell commands. The VM runs the telnetd and rshd services; rshd allows only the root user of VM to execute shell commands remotely on . also has vulnerability , which threatens all root users, and vulnerability , which threatens regular users. runs the sshd service and has vulnerability , which threatens root users. The edge container has vulnerability , which threatens all root users. All regular users of and the root user of can gain remote access to as root users via ssh. The root users of and can gain remote access to as root through telnet.

Fig. 3: Example of information system network

The constructed ERN of the above information system network is shown in Figure 4, including 10 network nodes, and 11 directed links.

Fig. 4: Example of evidence reasoning network

III-C Evidence Chain Reasoning

The ERN provides a framework for reconstructing the attack flow and reasoning about evidence chains. Each evidence chain can be represented as a subgraph of the ERN. The main purpose of evidence preprocessing is to map the evidence extracted from the attack flows onto the vertices of the ERN; we denote this mapping as function .

Evidence chain reasoning can be abstracted as follows: assume there is a time-sequenced evidence list , and for , search for the evidence set within the range of such that there exists a directed link from to in the ERN, denoted as , .

The procedure of evidence chain reasoning consists of the following 3 steps:

Step 1. Initialization: fetch an evidence and map it to a vertex of the ERN of the given system, e.g. . Then set to the timestamp ;

Step 2. Association analysis: the analysis method depends on the number of links pointing to vertex in the ERN:

  1. When , is a start point of this ERN. Then set and ;

  2. When , use the reverse index data structure to find all parent nodes of . If a parent node 's is non-empty, we say that is a truth-value link.

    • If the logical expression evaluates to true with all the above-mentioned truth-value links, then is an intermediate node. Thus we set for all parent nodes that make true, and set , ;

    • If the logical expression evaluates to false with all the above-mentioned truth-value links, then has no correlation with the other evidences. Thus we consider a start node and set , accordingly.

Step 3. Evidence chain generation: conduct a breadth-first search from each vertex of the ERN whose in-degree is 0 (i.e. ), and generate the evidence chain based on the of the traversed vertices.

Figure 5(a) illustrates the above-mentioned procedure. The elements in the data structure change together with the evidences, as shown in Figure 4.

(a) Evidence chain reasoning process
(b) Timing independent evidence chain reasoning process
Fig. 5: Evidence chain reasoning process examples

III-D Timing Independent Evidence Chain Reasoning

Whether the evidence chain reasoning algorithm draws a correct conclusion depends on the evidences being correctly time-stamped. In order to solve the inconsistent time-stamping problem, which is often a challenge in practice, we propose a timing-independent evidence chain reasoning algorithm. The process is as follows:

Step 1. Initialization: fetch the next evidence and map it to a vertex of the ERN of the given system, i.e. . Then set to the timestamp ;

Step 2. Vertex checking: if or , then set , , , and go back to step 1; otherwise go to step 3;

Step 3. Association analysis: the analysis method varies with the type of vertex in the ERN:

  1. Case A: When , is a start point; set and ;

  2. Case B: When , if we substitute all truth-value links into and is true, then is an intermediate node. Thus we set for all parent nodes that make true, and set , ;

  3. Case C: When , if we substitute all truth-value links into and is false, then traverse all parent nodes of to search for a parent node that makes true when a virtual record is added to . A virtual record generated during reasoning indicates that the evidence was not acquired by EventTracker, so its risk weight is not taken into account (see the further explanation in subsection III-F). We then conduct association analysis on : if case A is met, set , , , ; if case B is met, set , , , ; if case C is met, then has no correlation with the other evidences, so we take as a start node and set , .

Step 4. Evidence chain generation: conduct a breadth-first search from each ERN vertex whose in-degree is 0, and generate the evidence chain based on the of the traversed vertices.

Figure 5(b) shows the approximate reasoning process, where vertex 3 is a virtual record.

III-E Time Complexity Analysis

Let and be the number of vertices and edges/links in a given ERN. The first step of our evidence chain reasoning algorithm finishes in constant time. The time complexity of the second step is , and the time complexity of the third step is . Therefore, the overall time complexity of the evidence chain reasoning algorithm is .

For the time complexity of the 'Timing Independent Evidence Chain Reasoning' algorithm, the first and second steps finish in constant time. Since the algorithm needs to determine the status of one of the parent nodes of a virtual node, the average time complexity of step 3 is , and the BFS time complexity is . For a directed complete graph, , thus . Hence, the time complexity of the 'Timing Independent Evidence Chain Reasoning' algorithm is .

III-F Power of the evidence chain

The power of electronic evidence refers to the persuasive power of the evidence in proving the case. Given that of an ERN defines the risk weight of every vertex, EventTracker adds up the risk weights of all evidences on an evidence chain, and this sum is used to evaluate the power of the evidence chain.

As mentioned earlier, a virtual record generated during reasoning indicates that the evidence was not acquired by EventTracker. Therefore, its risk weight is not added into the overall weight . Assume that the sum of the risk weights of all evidences in an evidence chain is and that the sum of the risk weights of all virtual records on this evidence chain is ; the weight of the evidence chain is then calculated as shown in formula 1. The bigger the value of , the greater the power of the evidence chain.
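The following Python block is an added example, not code from the paper or the CloudSEC prototype, that puts Definition 3 (Section III-B), the timing-independent reasoning of Section III-D and the chain power of Section III-F together in one runnable model. It makes several labelled simplifications: vertices carry only their risk weight (the experiments in Section IV-A treat the exploitation probability and functional value as equal, so the Table I impact weight stands in for the full risk weight); each vertex keeps a single evidence record instead of a circular queue; the child pointer is a set so that an AND fan-in is not lost; a real evidence arriving for a vertex that already holds a virtual record upgrades that record (our reading of step 2); and, since formula 1 is not reproduced on the page, the chain power is assumed to be the share of the chain's total weight carried by non-virtual records, which agrees with the 100% and 86% values reported in Section IV-B. The ERN and evidence sequences are constructed to loosely follow the LLDOS 1.0 attack phases described in Section IV-B and are not the paper's data.

```python
"""Constructed example (not the paper's code): a minimal Evidence Reasoning
Network with timing-independent evidence chain reasoning and chain power."""
from collections import deque

# node states kept in the D data structure (Definition 3)
START, START_VIRTUAL, INTERMEDIATE, VIRTUAL = 0, 1, 2, 3


class ERN:
    def __init__(self):
        self.weight = {}    # vertex -> risk weight W (Table I impact weight used directly)
        self.parents = {}   # child -> [parents]: reverse index P giving L_in(v)
        self.children = {}  # parent -> [children]: L_out(v)
        self.logic = {}     # child -> callable(truth-value parents) -> bool: expression E_v
        self.record = {}    # vertex -> evidence record or None (one slot, not a circular queue)

    def add_vertex(self, vid, weight):
        self.weight[vid], self.record[vid] = weight, None
        self.parents[vid], self.children[vid] = [], []
        # default E_v is OR over incoming links; the list object is shared with add_link
        self.logic[vid] = lambda truth, p=self.parents[vid]: any(x in truth for x in p)

    def add_link(self, parent, child):
        self.parents[child].append(parent)
        self.children[parent].append(child)

    def set_logic(self, child, expr):
        self.logic[child] = expr

    def truth_parents(self, v):
        """Parents whose D is non-empty, i.e. the truth-value links of v."""
        return {p for p in self.parents[v] if self.record[p] is not None}

    def _record(self, v, ts, state):
        self.record[v] = {"ts": ts, "ptr": set(), "state": state}

    def _point(self, parents, v):
        for p in parents:
            self.record[p]["ptr"].add(v)  # a set, so an AND fan-in keeps both branches

    def add_evidence(self, v, ts):
        rec = self.record[v]
        if rec is not None:  # step 2: refresh; a real evidence confirms a virtual record (assumption)
            rec["ts"] = ts
            rec["state"] = {START_VIRTUAL: START, VIRTUAL: INTERMEDIATE}.get(rec["state"], rec["state"])
            return
        if not self.parents[v]:  # case A: in-degree 0
            return self._record(v, ts, START)
        truth = self.truth_parents(v)
        if self.logic[v](truth):  # case B: E_v already true
            self._record(v, ts, INTERMEDIATE)
            return self._point(truth, v)
        for p in self.parents[v]:  # case C: would one virtual parent record make E_v true?
            if p in truth or not self.logic[v](truth | {p}):
                continue
            if not self.parents[p]:
                self._record(p, ts, START_VIRTUAL)
            elif self.logic[p](self.truth_parents(p)):
                self._record(p, ts, VIRTUAL)
                self._point(self.truth_parents(p), p)
            else:
                continue
            self._record(v, ts, INTERMEDIATE)
            return self._point(truth | {p}, v)
        self._record(v, ts, START)  # no correlation with earlier evidence

    def chains(self):
        """Step 4: breadth-first search from every recorded vertex of in-degree 0."""
        out = []
        for s in self.weight:
            if self.parents[s] or self.record[s] is None:
                continue
            chain, seen, q = [], {s}, deque([s])
            while q:
                x = q.popleft()
                chain.append(x)
                for c in sorted(self.record[x]["ptr"]):
                    if c not in seen:
                        seen.add(c)
                        q.append(c)
            out.append(chain)
        return out

    def power(self, chain):
        """Assumed form of formula 1: share of chain weight carried by non-virtual records."""
        total = sum(self.weight[v] for v in chain)
        real = sum(self.weight[v] for v in chain
                   if self.record[v]["state"] in (START, INTERMEDIATE))
        return real / total if total else 0.0


def build_ern():
    """Constructed ERN loosely following the LLDOS 1.0 phases of Section IV-B."""
    g = ERN()
    for vid, w in [("scan", 0.1), ("sadmind_ping", 0.1), ("sadmind_overflow", 1.0),
                   ("telnet_root", 1.0), ("rpc_upload", 0.5), ("mstream_backdoor", 1.0),
                   ("ddos", 1.0)]:
        g.add_vertex(vid, w)
    for a, b in [("scan", "sadmind_ping"), ("sadmind_ping", "sadmind_overflow"),
                 ("sadmind_overflow", "telnet_root"), ("sadmind_overflow", "rpc_upload"),
                 ("telnet_root", "mstream_backdoor"), ("rpc_upload", "mstream_backdoor"),
                 ("mstream_backdoor", "ddos")]:
        g.add_link(a, b)
    # AND structure (Figure 2): the backdoor step needs both the telnet session and the upload
    g.set_logic("mstream_backdoor", lambda t: "telnet_root" in t and "rpc_upload" in t)
    return g


def reason(evidence):
    """evidence: (timestamp, vertex) pairs already mapped by f(); returns (ERN, chains)."""
    g = build_ern()
    for ts, v in evidence:
        g.add_evidence(v, ts)
    return g, g.chains()


FULL = [(1, "scan"), (2, "sadmind_ping"), (3, "sadmind_overflow"), (4, "telnet_root"),
        (5, "rpc_upload"), (6, "mstream_backdoor"), (7, "ddos")]  # constructed sequence
MISSED = [e for e in FULL if e[1] != "rpc_upload"]  # the sensor missed the upload

if __name__ == "__main__":
    for name, ev in (("complete", FULL), ("missed upload", MISSED)):
        g, chains = reason(ev)
        print(name, chains[0], "power=%.3f" % g.power(chains[0]))
```

Running the block with the complete sequence yields one chain of seven real evidences and a power of 1.0; with the upload missing, case C inserts a virtual record at rpc_upload so the chain stays complete, and the power drops to the non-virtual share of the weight. Feeding telnet_root before sadmind_overflow shows the timing-independent behaviour: the overflow is first added as a virtual record and is upgraded to a real intermediate node when its own evidence arrives later.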


III-G The application of an ERN in EventTracker

System calls are generally used to change the state of an operating system, such as creating files, forking processes, changing registries, etc. Monitoring system calls reveals many essential characteristics of program operation and thus forms the basis of dynamic security analysis. In EventTracker, Virtual Machine Introspection (VMI) technology is used to monitor system calls on cloud computing hosts.

There are parameter dependencies among the sequences of system calls generated by program operation. EventTracker maps system calls and their dependencies into an ERN model as nodes and links respectively. For example, Figure 6 illustrates an Evidence Reasoning Network for system calls. First, an attacker uses the useradd and groupadd commands to add system users and set permissions. The attacker then sets passwords through the passwd command. After checking the kernel version with the uname command, the "admin.vbs" script is downloaded from the remote host 172.16.*.* through FTP.

The goal of EventTracker is to identify complex lateral movement attacks inside cloud hosts. In the intrusion detection literature, an attack scenario (or attack pattern) is a sequence of explicit attack steps that are logically linked and lead to an objective. When a set of correlations is received and an attack scenario is detected, EventTracker raises an intermediate attack alarm, which prompts the system to capture the causal relationships among the evidences.

Fig. 6: Example of evidence reasoning network for system calls

III-H Design and implementation of AlertCorrelator

AlertCorrelator is located at the edge of the cloud computing environment. It correlates and analyzes alerts generated by the multiple NIDS deployed in the cloud computing environment. Each NIDS is responsible for monitoring network traffic in real time, finding intrusion events and storing the corresponding IP packets in a database. From the design of the ERN, it can be seen that AlertCorrelator does not tolerate false positives in alerts, but it can accept a certain degree of false negatives.

AlertCorrelator first collects and preprocesses the alerts. Every collected alert is coded and normalized into a standardized format. Additional information, such as the timestamp and the source address of the attacker, is also added to the database. Events generated by different NIDS that relate to the same attack are merged into a single alarm. These preprocessed alarms are then added into the ERN as evidences in chronological order. Finally, the timing-independent evidence chain reasoning algorithm is called. In this phase, the ERN model determines whether the attack is a successful attack or a non-relevant attack, i.e. an attack that does not lead to a lateral movement attack.

For large-scale networks, when new NIDS are added at the cloud boundary, the existing ERN can easily be augmented in an iterative fashion. This demonstrates the high scalability and flexibility of AlertCorrelator.
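The preprocessing stage described above, as an added Python example that is not the paper's AlertCorrelator code: alerts from two hypothetical sensors with different field layouts ("nids-a" reports epoch seconds, "nids-b" reports ISO-8601 UTC timestamps; both formats and the sample alerts are constructed) are normalized into one schema, alerts with the same signature, source and destination that fall within a constructed merge window are collapsed into a single alarm that remembers which sensors reported it, and the result is returned in chronological order, ready to be fed to the reasoning algorithm as evidences.

```python
"""Constructed example (not the paper's code): alert normalization and merging
as performed by AlertCorrelator before evidences enter the ERN."""
from datetime import datetime

MERGE_WINDOW = 2.0  # seconds; constructed choice for "the same attack"


def normalize(sensor, raw):
    """Map one sensor-specific alert into the common schema (ts, sig, src, dst, sensors)."""
    if sensor == "nids-a":  # hypothetical sensor A: epoch seconds and short keys
        return {"ts": float(raw["time"]), "sig": raw["sig"], "src": raw["src"],
                "dst": raw["dst"], "sensors": [sensor]}
    if sensor == "nids-b":  # hypothetical sensor B: ISO-8601 UTC timestamp and long keys
        ts = datetime.fromisoformat(raw["timestamp"].replace("Z", "+00:00")).timestamp()
        return {"ts": ts, "sig": raw["signature"], "src": raw["source_ip"],
                "dst": raw["dest_ip"], "sensors": [sensor]}
    raise ValueError("unknown sensor: " + sensor)


def merge_alerts(raw_alerts):
    """Normalize, sort chronologically, and merge duplicates of the same attack."""
    alerts = sorted((normalize(s, r) for s, r in raw_alerts), key=lambda a: a["ts"])
    merged = []
    for a in alerts:
        key = (a["sig"], a["src"], a["dst"])
        for m in reversed(merged):  # newest alarms first; older ones cannot be in the window
            if (m["sig"], m["src"], m["dst"]) == key and a["ts"] - m["ts"] <= MERGE_WINDOW:
                m["sensors"].append(a["sensors"][0])
                break
        else:
            merged.append(a)
    return merged


# constructed raw alerts from two sensors; the overflow is seen by both within 1 s
RAW_ALERTS = [
    ("nids-a", {"time": 1000.0, "sig": "SADMIND overflow", "src": "10.0.0.5", "dst": "10.0.0.20"}),
    ("nids-b", {"timestamp": "1970-01-01T00:16:41Z", "signature": "SADMIND overflow",
                "source_ip": "10.0.0.5", "dest_ip": "10.0.0.20"}),
    ("nids-a", {"time": 995.0, "sig": "ICMP PING", "src": "10.0.0.5", "dst": "10.0.0.20"}),
    ("nids-b", {"timestamp": "1970-01-01T00:17:30Z", "signature": "TELNET access",
                "source_ip": "10.0.0.5", "dest_ip": "10.0.0.20"}),
]

if __name__ == "__main__":
    for alarm in merge_alerts(RAW_ALERTS):
        print(alarm["ts"], alarm["sig"], alarm["sensors"])
```

The merge key deliberately excludes the sensor name, so that two NIDS seeing the same packet produce one evidence rather than two; the window bounds how far apart two reports of one event may be, which matters because the ERN, as Section III-H notes, tolerates missed alerts far better than spurious ones.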

IV Experiment Evaluation

To further verify the effectiveness of our proposed method, we developed our EventTracker prototype system in the C language on Linux RedHat 7.3. We use the intrusion detection system Snort 2.4.3 as the attack detection component and Graphviz to visualize the evidence chains. We conduct our experiments on Shuguang servers (2.4 GHz CPU, 8 GB memory). We report two sets of experiments in this section.

IV-A Parameter Setup

In order to evaluate the power of the evidence chain, we need to set appropriate risk weights for the ERN. Since the difficulty of exploiting each vulnerability differs from situation to situation, the probability of successful exploitation also differs for each vulnerability. In our experiments, we assume that the probabilities of successful exploitation of all vulnerabilities are equal, and that the functional attributes of the network nodes are also equal. As for the security impact of vulnerabilities, we classify vulnerabilities by impact scope into 9 categories and assign each category a certain weight, as shown in Table I.

No. | Vulnerability impact scope | Weight
1 | System administrator, managing system resources, system files, system processes and other resources | 1.0
2 | System administrator with partial permissions | 0.8
3 | Permissions of any number of ordinary system users with more independent and private resources | 0.6
4 | Permissions of an ordinary system user and partial permissions of other ordinary users | 0.5
5 | Permissions of an ordinary system user created by system initialization or by the system administrator, with its own private resources | 0.4
6 | Partial permissions of an ordinary user | 0.2
7 | Remote visitors who can access network services, usually trusted visitors, who can interact with network service processes, scan system information, and so on | 0.1
8 | Remote visitors who are connected to the target system at the physical layer, usually untrusted or firewalled visitors | 0.0
TABLE I: Weight of vulnerability impact

IV-B Reasoning Result of the Lincoln Dataset

Experiment 1 uses the LLDOS1.0 and LLDOS2.0.2 data sets from MIT Lincoln Laboratory. The test bed that produced these data sets includes an external Internet environment simulated by 14 hosts, an internal network of 39 hosts, and a DMZ area consisting of 6 hosts, covering operating systems including Windows, Linux RedHat 5.0, SunOS 4.1.4, and Solaris 2.7. The attack detection component is used to produce an intranet data set of size 179 MB from each of the two LLDOS datasets. The types and amounts of evidence generated are shown in Fig. 7. Figure 8 shows the evidence chain deduced by EventTracker on LLDOS1.0.

This evidence chain indicates the attacker's five attack phases: the attacker first scans the entire network from host to learn the target hosts' IP address range; then it executes the Sadmind Overflow program with the ping option checked in order to verify on each host whether the Sadmind service is running, and determines the final destination host (e.g. in Figure 5(b)); next, the attacker exploits the Sadmind vulnerability of the Solaris operating system to carry out a buffer overflow attack; after gaining root privileges, the attacker installs the Mstream backdoor program through telnet and rpc; finally, the attacker uses this compromised slave to launch a DDoS attack against host . The evidence chain of the above-mentioned attack process is shown in Figure 5(b). This result matches the documentation provided by MIT Lincoln Laboratory, which demonstrates the effectiveness of the proposed EventTracker. Since there are no virtual records, the evidence chain power is 100% in this case.

The deduced evidence chain of LLDOS2.0.2 is shown in Figure 9. This evidence chain also contains a complete attack sequence and uses a springboard attack. Similar to LLDOS 1.0, the attacker also launched an attack on host , and succeeded in obtaining root privileges on hosts and , which run the Solaris operating system with the Sadmind vulnerability. However, compared to the former, the LLDOS2.0.2 attack process is more complex and involves latency. For example, the attacker did not use the "ICMP echo reply", which could easily be shielded. Instead, it uses a legitimate "DNS HINFO" query to obtain the target host (a DNS server). Note that the shadow node "FTP upload" in the evidence chain indicates that the attacker used ftp to upload the Mstream backdoor program and attack script; however, the attack detection component missed this event. To ensure the integrity of the evidence, EventTracker generated a virtual record. According to the weights set in Table I, the evidence chain power is reduced to 86% accordingly. Then we use the timestamp of the alert "INFO TELNET access 119" to find the PCL. Two relations were found, as shown in Figure 9. This further proves the correctness of our reasoning algorithm.

(a) Types and quantity of evidences detected from LLDOS1.0 intranet dataset
(b) Types and quantity of evidences detected from LLDOS2.0.2 intranet dataset
Fig. 7: Categories and quantity of LLDOS dataset
Fig. 8: Evidence Chain of LLDOS1.0 Intranet Dataset
Fig. 9: Evidence chain of LLDOS2.0 data set.

IV-C Detection Result of Treasure Hunt Dataset

The second experiment uses the Treasure Hunt dataset, collected by the University of California Santa Barbara to guide students in its network offense and defense course. Its network topology is divided into three sub-networks, Alpha, Omega, and DMZ, which include MySQL servers, event processing servers, file servers and web servers. Although the network topology is not complex, a wide range of attack methods are used in this network. Therefore, we believe that this dataset is suitable for functional testing of the proposed EventTracker in the edge-cloud scenario. The corresponding evidence chains are shown in Figure 10 and Figure 11, respectively, with interval of 91.7% and 33.3%.

Fig. 10: Evidence Chain of the alpha sub-network.
Fig. 11: Evidence Chain of the Omega sub-network

IV-D Performance Analysis

Table II gives the time overhead of CloudSEC in handling the above data sets. It shows that the number of evidence chains CloudSEC can handle per second is around 100. According to [29], each detection point detects about 10-20000 security events per day on average. CloudSEC therefore greatly exceeds the current actual processing requirements while reasoning about lateral movement in real time, and this advantage makes it suitable for deployment in the edge-cloud environment.

Data Sets                            Intrusion Events   Process Time (sec)   Average Processing Speed (events per second)
MIT/LL 2000   LLDOS 1.0     DMZ      2498               15.9806              78.8505
                            Inside    905               16.7467
              LLDOS 2.0.2   DMZ      1125               16.5234
                            Inside    624               16.0881
Treasure Hunt               Alpha     732               15.8154              119.8598
                            Omega     732               15.8154
TABLE II: The time overhead of CloudSEC

V Conclusion

In this paper, we propose a new method to track events for lateral movement detection. The concept of vulnerability correlation is introduced. Methods for constructing an ERN based on vulnerability knowledge and network environment information are provided. Then two lateral movement reasoning algorithms based on the constructed ERN are presented. The proposed CloudSEC provides a strong guarantee for rapid and effective evidence investigation as well as real-time attack detection; this advantage makes it well suited to complex edge-cloud computing environments, for example services based on the collaboration between edge artificial intelligence and cloud computing. Experiments using various real network datasets prove the correctness of the proposed approach. Theoretical analysis concludes that both chain reasoning algorithms achieve linear time complexity. In the future, we aim to improve the performance of ERN generation, which will further improve the overall efficiency of CloudSEC; at the same time, multiple types of lateral movement tricks will be evaluated.


This work is supported by the National Natural Science Foundation of China under NO. 61572153, NO. 61702220, NO. 61702223, and NO. U1636215, and by the National Key Research and Development Plan (Grant No. 2018YFB0803504).


  • [1] X. Du, M. Guizani, Y. Xiao and H. H. Chen, Transactions papers, "A Routing-Driven Elliptic Curve Cryptography based Key Management Scheme for Heterogeneous Sensor Networks," IEEE Transactions on Wireless Communications, Vol. 8, No. 3, pp. 1223-1229, 2009.
  • [2] Y. Xiao, et al., "A Survey of Key Management Schemes in Wireless Sensor Networks," Journal of Computer Communications, Vol. 30, Issue 11-12, pp. 2314-2341, 2007.
  • [3] X. Du, Y. Xiao, M. Guizani, and H. H. Chen, "An Effective Key Management Scheme for Heterogeneous Sensor Networks," Ad Hoc Networks, Elsevier, Vol. 5, Issue 1, pp. 24-34, 2007.
  • [4] Y. Xiao, et al., "Internet Protocol Television (IPTV): the Killer Application for the Next Generation Internet," IEEE Communications Magazine, Vol. 45, No. 11, pp. 126-134, 2007.
  • [5] X. Du and H. H. Chen, "Security in Wireless Sensor Networks," IEEE Wireless Communications Magazine, Vol. 15, Issue 4, pp. 60-66, 2008.
  • [6] Hu Y C, Patel M, Sabella D, et al. Mobile edge computing: A key technology towards 5G. ETSI white paper, 11(11), pp. 1-16, 2015.
  • [7] Tian Z, Su S, Shi W, et al. A data-driven method for future Internet route decision modeling. Future Generation Computer Systems, 2019.
  • [8] Tan Q, Gao Y, Shi J, et al. Towards a Comprehensive Insight into the Eclipse Attacks of Tor Hidden Services. IEEE Internet of Things Journal, 2018.
  • [9] Jieren Cheng, Ruomeng Xu, Xiangyan Tang, Victor S. Sheng and Canting Cai. An Abnormal Network Flow Feature Sequence Prediction Approach for DDoS Attacks Detection in Big Data Environment. CMC: Computers, Materials & Continua, Vol. 55, No. 1, pp. 095-119, 2018.
  • [10] Yuling Liu, Hua Peng and Jie Wang. Verifiable Diversity Ranking Search Over Encrypted Outsourced Data. CMC: Computers, Materials & Continua, Vol. 55, No. 1, pp. 037-057, 2018.
  • [11] Jinhua Cui, Yuanyuan Zhang, Zhiping Cai, Anfeng Liu and Yangyang Li. Securing Display Path for Security-Sensitive Applications on Mobile Devices. CMC: Computers, Materials & Continua, Vol. 55, No. 1, pp. 017-035, 2018.
  • [12] FANG Binxing, JIA Yan, LI Aiping, ZHANG Weizhe. Cyber Ranges: state-of-the-art and research challenges. Journal of Cyber Security, 2016(3)1, pp. 1-9, 2016.
  • [13] Jia G, Han G, Rao H, et al. Edge Computing-Based Intelligent Manhole Cover Management System for Smart Cities. IEEE Internet of Things Journal 5(3), pp. 1648-1656, 2018.
  • [14] Yuan W, He K, Guan D, et al. Edge-Dual Graph Preserving Sign Prediction for Signed Social Networks. IEEE Access 5, pp. 19383-19392, 2017.
  • [15] Zhu C, Leung V C M, Rodrigues J J P C, et al. Social Sensor Cloud: Framework, Greenness, Issues, and Outlook. IEEE Network 32(5), pp. 100-105, 2018.
  • [16] Zhu C, Shu L, Leung V C M, et al. Secure Multimedia Big Data in Trust-Assisted Sensor-Cloud for Smart City. IEEE Communications Magazine 55(12), pp. 24-30, 2017.
  • [17] Jin Li, Lichao Sun, Qiben Yan, Zhiqiang Li, Witawas Srisa-an, and Heng Ye. Significant permission identification for machine learning based android malware detection. In IEEE Transactions on Industrial Informatics. IEEE.
  • [18] Jin Li, Yinghui Zhang, Xiaofeng Chen, Yang Xiang. Secure attribute-based data sharing for resource-limited users in cloud computing. Computers & Security, 72, pp. 1-12, 2018.
  • [19] Ping Li, Jin Li, Zhengan Huang, Chong-Zhi Gao, Wen-Bin Chen, Kai Chen. Privacy-preserving outsourced classification in cloud computing. Cluster Computing, 2017.
  • [20] Ping Li, Jin Li, Zhengan Huang, Tong Li, Chong-Zhi Gao, Siu-Ming Yiu, Kai Chen. Multi-key privacy-preserving deep learning in cloud computing. Future Generation Computer Systems, 74, pp. 76-85, 2017.
  • [21] Chong-zhi Gao, Qiong Cheng, Xuan Li, Shi-bing Xia. Cloud-assisted privacy-preserving profile-matching scheme under multiple keys in mobile social network. Cluster Computing, 2018.
  • [22] EnCase Forensic Tool. Available at
  • [23] SafeBack Bit Stream Backup Software. Available at
  • [24] A. Mitchell and G. Vigna. Mnemosyne: Designing and implementing network short-term memory. In International Conference on Engineering of Complex Computer Systems. IEEE, Dec 2002.
  • [25] Wang W, Daniels TE. Network forensics analysis with evidence graph. In: Proc. of the 2005 Digital Forensic Research Workshop (DFRWS). New Orleans, 2005.
  • [26] Zhihong Tian, Wei Jiang, Yang Li. A Transductive Scheme Based Inference Techniques for Network Forensic Analysis. China Communications, 2015.12(2), pp. 167-176, 2015.
  • [27] Zhihong Tian, Wei Jiang, Yang Li, Lan Dong. A Digital Evidence Fusion Method in Network Forensics Systems with Dempster-Shafer Theory. China Communications, 2014.11(5), pp. 91-97, 2014.
  • [28] K. Shanmugasundaram, N. Memon, A. Savant, and H. Bronnimann. ForNet: A Distributed Forensics Network. In Proceedings of the Second International Workshop on Mathematical Methods, Models and Architectures for Computer Networks Security, St. Petersburg, Russia, 2003.
  • [29] R. J. Walls, E. Learned-Miller, and B. N. Levine. Forensic triage for mobile phones with DEC0DE. In SEC 11 Proceedings of the 20th USENIX conference on Security, page 7. USENIX Association, Aug 2011.
  • [30] Y. Li, S. C. Sundaramurthy, A. G. Bardas, X. Ou, D. Caragea, X. Hu, and J. Jang. Experimental Study of Fuzzy Hashing in Malware Clustering Analysis. In 8th Workshop on Cyber Security Experimentation and Test (CSET 15), 2015.
  • [31] Y. Liao and V. R. Vemuri. Using text categorization techniques for intrusion detection. In Proceedings of the 11th USENIX Security Symposium, August 2002.
  • [32] C. Ko, T. Fraser, L. Badger, and D. Kilpatrick. Detecting and countering system intrusions using software wrappers. In Proceedings of the 9th USENIX Security Symposium, August 2000.
  • [33] Garfinkel, Tal & Rosenblum, Mendel. (2003). A Virtual Machine Introspection Based Architecture for Intrusion Detection. NDSS. 3.
  • [34] N. Joseph, S. Sunny, S. Dija, and K. L. Thomas. Volatile Internet Evidence Extraction from Windows Systems. In 2014 IEEE International Conference on Computational Intelligence and Computing Research, pp. 1-5, 2014.
  • [35] F. Jiang, Y. S. Fu, B. B. Gupta, F. Lou, S. Rho, F. Meng, Z. H. Tian, "Deep Learning based Multi-channel intelligent attack detection for Data Security," in IEEE Transactions on Sustainable Computing, 2018.