20240015177. MALICIOUS LATERAL MOVEMENT DETECTION USING REMOTE SYSTEM PROTOCOLS simplified abstract (Armis Security Ltd.)

From WikiPatents

MALICIOUS LATERAL MOVEMENT DETECTION USING REMOTE SYSTEM PROTOCOLS

Organization Name

Armis Security Ltd.

Inventor(s)

Evgeny Luk-zilberman of Herzliya (IL)

Gil Ben Zvi of Hod Hasharon (IL)

Ron Shoham of Tel Aviv (IL)

Yuval Friedlander of Petah-Tiqwa (IL)

MALICIOUS LATERAL MOVEMENT DETECTION USING REMOTE SYSTEM PROTOCOLS - A simplified explanation of the abstract

This abstract first appeared for US patent application 20240015177 titled 'MALICIOUS LATERAL MOVEMENT DETECTION USING REMOTE SYSTEM PROTOCOLS'.

Simplified Explanation

The patent application describes a system and method for detecting malicious lateral movement in a network. It involves identifying atomic tunnels in packets exchanged between devices, determining potentially malicious atomic tunnels by comparing their edges to previously observed tunnel constructs, and mitigating the potentially malicious tunnels.

  • The system identifies atomic tunnels in packets exchanged between devices.
  • Atomic tunnels are structures representing communications between devices, defined by at least three nodes and at least two edges.
  • Each node represents a device, and each edge represents a connection between two devices.
  • Atomic tunnels have two hops, where each hop represents a level of communication between devices.
  • The system also identifies tunnel constructs, which are structures including at least one atomic tunnel.
  • An atomic tunnel is flagged as potentially malicious when its edges are compared to the edges of previously observed tunnel constructs and do not match what was seen before.
  • A potentially malicious tunnel is any tunnel that includes a potentially malicious atomic tunnel.
  • The system mitigates the potentially malicious tunnels.
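The following added example (not code from the patent or from Armis) shows one way to implement the steps above over constructed hop records: chaining hop A→B with a following hop B→C into an atomic tunnel, comparing each tunnel's edges against a baseline of previously observed edges, and extending a flagged atomic tunnel into the larger tunnel it belongs to. The time window, the baseline set and the "any unseen edge" comparison rule are assumptions; the patent does not specify them.

```python
from collections import namedtuple

# Constructed sample data (not from the patent): one record per observed hop,
# i.e. one packet/session sent from src to dst over a remote-system protocol.
Hop = namedtuple("Hop", "ts src dst")
HOPS = [
    Hop(100, "ws1", "file1"),      # workstation -> file server (routine)
    Hop(105, "file1", "backup1"),  # file server -> backup server (routine)
    Hop(200, "ws7", "srv2"),       # workstation -> app server (seen before)
    Hop(210, "srv2", "dc1"),       # app server -> domain controller (never seen)
    Hop(215, "dc1", "srv9"),       # domain controller -> srv9 (never seen)
]
# Constructed baseline: edges that appeared in previously observed tunnel constructs.
BASELINE_EDGES = {("ws1", "file1"), ("file1", "backup1"), ("ws7", "srv2")}

def atomic_tunnels(hops, window=60):
    """Pair hop A->B with a later hop B->C within `window` seconds into (A, B, C).
    Two hops, three nodes, two edges: the atomic tunnel of the abstract."""
    hops = sorted(hops)  # namedtuples sort by ts first
    out = set()
    for i, first in enumerate(hops):
        for second in hops[i + 1:]:
            if second.ts - first.ts > window:
                break  # assumed window (not from the patent): hops are too far apart
            if second.src == first.dst and second.dst != first.src:
                out.add((first.src, first.dst, second.dst))
    return out

def edges_of(tunnel):
    """The two edges (A, B) and (B, C) of an atomic tunnel."""
    return {(tunnel[0], tunnel[1]), (tunnel[1], tunnel[2])}

def potentially_malicious(tunnels, baseline):
    """Assumed comparison rule: flag a tunnel if any of its edges is absent from the baseline."""
    return {t for t in tunnels if not edges_of(t) <= baseline}

def assemble_tunnel(seed, tunnels):
    """Grow a flagged atomic tunnel into a longer tunnel by appending atomic tunnels
    that start with its last edge, giving the path a responder would mitigate."""
    path = list(seed)
    extended = True
    while extended:
        extended = False
        for t in tunnels:
            if t[0] == path[-2] and t[1] == path[-1] and t[2] not in path:
                path.append(t[2])
                extended = True
    return tuple(path)
```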

Potential Applications:

  • Network security: This technology can be used to detect and prevent lateral movement of malicious actors within a network, enhancing overall network security.
  • Intrusion detection: By identifying potentially malicious tunnels, this technology can aid in the detection of unauthorized access attempts or suspicious activities within a network.

Problems Solved:

  • Malicious lateral movement: The technology addresses the problem of detecting and mitigating malicious lateral movement within a network, preventing unauthorized access and potential data breaches.

Benefits:

  • Enhanced network security: By detecting and mitigating potentially malicious tunnels, this technology improves the overall security of a network, protecting against unauthorized access and data breaches.
  • Early detection of threats: The system's ability to compare edges of atomic tunnels to previously observed tunnel constructs allows for the early detection of potentially malicious activities, enabling prompt response and mitigation measures.


Original Abstract Submitted

A system and method for malicious lateral movement detection. A method includes identifying atomic tunnels in packets sent between devices; identifying tunnel constructs; determining a potentially malicious atomic tunnel among the atomic tunnels by comparing edges of each of the atomic tunnels to edges of previously observed tunnel constructs; determining a potentially malicious tunnel including the potentially malicious atomic tunnel; and mitigating the potentially malicious tunnel. Each atomic tunnel is a structure representing communications among the devices defined with respect to at least three nodes and at least two edges. Each node represents a respective device, and each edge represents a connection between two of the devices. Each atomic tunnel has two hops, where each hop is a level of communication in which a packet is sent from one device to another device. Each tunnel construct is a structure including at least one of the atomic tunnels.