Right Place, Right Time: ML-Based Data Acquisition for Lateral Movement Detection in Science Networks

Bibliographic details
Published in: ProQuest Dissertations and Theses (2025)
Main author: Lopez, Diego Troy
Published: ProQuest Dissertations & Theses
Subjects:
Online access: Citation/Abstract; Full Text - PDF
Description
Abstract: This thesis presents a novel system for enhancing the security of Science DMZs, specialized networks designed for high-performance scientific applications and large data transfers. Given the performance-sensitive nature of Science DMZs, traditional security controls such as hardware firewalls are unsuitable due to their latency and throughput limitations. Network Intrusion Detection Systems (NIDS), which analyze traffic out-of-line through mirroring techniques, offer security value without compromising performance. Logs of network traffic represent the ground truth of communication and provide significant value to security investigations. Traditional NIDS deployments leverage Switchport Analyzer (SPAN) to mirror Internet-bound traffic to the NIDS at the border of the network. Capturing lateral movement traffic after an intrusion is challenging due to the cost of high-performance NIDS hardware and the geographically distributed nature of the network. While Encapsulated Remote SPAN (ERSPAN) allows traffic to be mirrored over IP, it is often seen as impractical due to the challenge of effectively controlling its bandwidth usage. This work leverages Deep Learning techniques to develop an intelligent, dynamic NIDS capable of real-time lateral movement detection while preserving network performance. Our proposed system combines SPAN for mirroring Internet-bound traffic with filtered ERSPAN for selective East-West traffic mirroring. Unsupervised Autoencoder models detect anomalous behavior by comparing traffic flows to learned normal traffic patterns. When anomaly scores exceed operator-configured thresholds, the system dynamically adjusts access control lists (ACLs) to mirror East-West traffic from only these potentially compromised hosts. The system was evaluated through functional and operational scenarios. In the functional scenario, the system successfully detected an attack chain and captured lateral movement traffic, even within a VLAN. During an operational evaluation in a production Science DMZ environment, the system demonstrated that typical control plane infrastructure can handle the additional overhead of the system with acceptable bandwidth usage. This work introduces a first-of-a-kind approach to intelligently manage East-West traffic mirroring based on real-time anomaly detection, which enhances security, preserves operational integrity, and yields significant cost savings over traditional NIDS deployments that provide similar coverage.
ISBN: 9798315785873
Source: ProQuest Dissertations & Theses Global