Author: Lohith Vanama
Abstract:
After initial compromise, adversaries often rely on stealthy lateral movement and privilege escalation to complete their objectives. Detecting such activity requires correlating diverse events across users, systems, and time. This paper introduces a graph-based anomaly detection approach for identifying post-compromise behaviors in enterprise networks. Using authentication logs, Active Directory data, VPN access logs, and process trees, we build dynamic user-resource interaction graphs. These are processed using GraphSAGE and subgraph matching algorithms to identify deviations from normal communication paths and resource usage patterns. The system is evaluated on real-world datasets from two enterprise SOCs and enriched with simulated attack paths involving techniques from the MITRE ATT&CK framework. Our model achieves a precision of 89% and recall of 84% in identifying suspicious privilege escalation chains and unusual remote desktop access paths. Time-aware embeddings impr
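To make the graph-based detection idea concrete, the following is an added illustration (not the paper's code, and not its GraphSAGE or subgraph-matching model): a baseline-versus-window heuristic over a constructed set of authentication events. Hosts are graph nodes, each edge carries the account that authenticated across it, and an edge that never appeared in the baseline window is treated as novel; novel edges for the same account are then chained into candidate lateral-movement paths, and interactive remote logons (Windows logon type 10, RDP) on those edges are surfaced. All host names, account names and log lines are constructed for the example.

```python
# Added example: baseline/novel-edge heuristic over a user-resource graph built
# from constructed authentication events. Not the paper's GraphSAGE model.
from collections import defaultdict

# Constructed sample events: ts,user,src_host,dst_host,logon_type
# (logon type 3 = network, 4 = batch, 10 = RemoteInteractive/RDP, as in Windows 4624 events)
BASELINE_LOGS = """\
2024-03-01T08:01:00,alice,WS-ALICE,FILESRV01,3
2024-03-01T08:03:00,alice,WS-ALICE,MAIL01,3
2024-03-01T09:12:00,bob,WS-BOB,FILESRV01,3
2024-03-01T09:15:00,bob,WS-BOB,APP01,3
2024-03-02T08:02:00,alice,WS-ALICE,FILESRV01,3
2024-03-02T09:10:00,bob,WS-BOB,APP01,3
2024-03-02T10:00:00,svc_backup,BACKUP01,FILESRV01,4
2024-03-03T08:00:00,alice,WS-ALICE,FILESRV01,3
2024-03-03T09:00:00,bob,WS-BOB,APP01,3
"""

# Constructed detection window: alice's account hops FILESRV01 -> APP01 -> DC01
# over RDP, a path that never occurs in the baseline.
DETECTION_LOGS = """\
2024-03-04T08:00:00,alice,WS-ALICE,FILESRV01,3
2024-03-04T02:10:00,alice,FILESRV01,APP01,10
2024-03-04T02:14:00,alice,APP01,DC01,10
2024-03-04T09:05:00,bob,WS-BOB,APP01,3
"""

RDP_LOGON_TYPE = 10


def parse_events(text):
    """Parse the constructed CSV-style lines into event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, user, src, dst, ltype = line.split(",")
        events.append({"ts": ts, "user": user, "src": src, "dst": dst, "logon_type": int(ltype)})
    return events


def build_graph(events):
    """Directed graph keyed by (user, src_host, dst_host); each edge keeps a count and
    the set of logon types observed on it."""
    edges = defaultdict(lambda: {"count": 0, "logon_types": set()})
    for e in events:
        edge = edges[(e["user"], e["src"], e["dst"])]
        edge["count"] += 1
        edge["logon_types"].add(e["logon_type"])
    return edges


def novel_edges(baseline_edges, window_edges):
    """Edges present in the detection window but never seen in the baseline."""
    return {k: v for k, v in window_edges.items() if k not in baseline_edges}


def chain_paths(novel, min_hops=2):
    """Chain novel edges of the same account into host paths (candidate lateral-movement
    chains). Returns a list of (user, [host, ...]) with at least min_hops hops.
    Starts only from hosts that are never a destination among the novel edges, so a
    pure cycle of novel edges yields no path (acceptable for this illustration)."""
    by_user = defaultdict(lambda: defaultdict(list))
    for user, src, dst in novel:
        by_user[user][src].append(dst)
    paths = []
    for user, adj in sorted(by_user.items()):
        destinations = {d for ds in adj.values() for d in ds}
        for start in sorted(set(adj) - destinations):
            stack = [[start]]
            while stack:
                path = stack.pop()
                nxt = [d for d in adj.get(path[-1], []) if d not in path]
                if not nxt:
                    if len(path) - 1 >= min_hops:
                        paths.append((user, path))
                    continue
                for d in nxt:
                    stack.append(path + [d])
    return paths


def detect(baseline_text, detection_text):
    """Return (novel_edges, rdp_edges, chains) for a detection window against a baseline."""
    base = build_graph(parse_events(baseline_text))
    win = build_graph(parse_events(detection_text))
    novel = novel_edges(base, win)
    rdp = sorted(k for k, v in novel.items() if RDP_LOGON_TYPE in v["logon_types"])
    return novel, rdp, chain_paths(novel)


if __name__ == "__main__":
    novel, rdp, chains = detect(BASELINE_LOGS, DETECTION_LOGS)
    for user, hosts in chains:
        print(f"{user}: {' -> '.join(hosts)}  (novel RDP edges: {len(rdp)})")
```

Baseline-only scoring of this kind is what a GNN-based approach such as the one in the abstract tries to improve on: a binary seen/unseen edge test cannot generalize to a host that is new but structurally similar to ones the account already uses, and it has no notion of time-of-day or of the process context that the paper folds into its embeddings.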