Computer science
Anomaly detection
Software deployment
Graph
Data mining
Artificial neural network
Artificial intelligence
Machine learning
Theoretical computer science
Operating system
Authors
Xiaoqing Sun,Jiahai Yang
Identifier
DOI:10.1109/ipccc55026.2022.9894347
Abstract
As a critical stage in the Advanced Persistent Threat (APT) lifecycle, lateral movement (LM) has become a major concern in cybersecurity due to its stealthy nature. Recent authentication graph-based LM detection systems have achieved promising results. However, these methods impose impractical requirements on data collection and model deployment, which severely degrades their performance in real-world scenarios. In this paper, we propose HetGLM, a more accurate and practical LM detection system. Specifically, to fully capture the scenario, HetGLM constructs a heterogeneous graph over various network entities such as users, devices, and processes. On this basis, we design MADR, a graph neural network (GNN)-based anomalous link detection algorithm, to spot lateral movements. With a metapath-based sampling strategy, an attention mechanism, a dual-decoder structure, and a mutual information regularization term, MADR can detect anomalous links on heterogeneous graphs, requiring neither labeled nor purely benign training datasets, nor manually preset thresholds. We implement a prototype of HetGLM and evaluate its performance through comprehensive experiments on public datasets. Comparison results show that HetGLM outperforms state-of-the-art approaches in both accuracy and practicality.