A Graph-Based Method For Cross-Entity Threat Detection

Slides PDF Video

I propose to use a distributed graph-based approach to detect cross-entity attacks via correlating global events on multi-tenant platforms. Detection efforts have mostly focused on detecting each incident individually, while in most attack scenarios, it is a single attacker or attacker group that goes after multiple targets often via stolen credentials within a rather concentrated time window. Coordinated or concurrent attacks seriously impact the trust of the multi-tenant service platform provider when customers get infiltrated on their platform. How can we detect these cross-account attacks by quickly making connections across concurrent incidences? MConnections are often buried under terabytes of data and among tens of millions of legitimate connections. Only a complete graph with a proper level of abstraction of all information and smart algorithms provide us a viable solution. By representing all entities of interest (i.e., an organization or an IP address) in a graph, we can efficiently track the connectivities among these entities that allows us to differentiate unexpected connections that is indicative of cross-account attacks from legitimate cross-account relationship (for example, two accounts belong to the same customer) by identifying correlated threats. Change detection algorithm is proposed to identify unexpected connectivities of accounts with a graph. For example, as we detect suspicious behavior across multiple accounts, how do we know if this is a large-scale account take-over, or just a legitimate license upgrade that results in novel behavior across multiple users. If affected accounts are already densely connected, a suspicious concurrent behavior detected is not as interesting as where it is detected among highly disjoint accounts. A graph provides a holistic view of how components are connected. A graph-based solution is essential to security defense techniques. It gives us a number of opportunities beyond cross-account attack detection such as intuitive context retrieval and interactive visualization,

Herman Kwong, Senior Director of Engineering at

About Herman

Herman spent the majority of his 13 years of software engineering career in management roles. His experience with enterprise software ranges from user interface to the back-end, and spans major industries. He currently runs the Kernel group at Salesforce as Senior Director of Engineering, and puts a significant focus of his team on security and threat detection. Herman holds a BSE in Computer Science and a BSE in Computer Engineering from the University of Michigan, Ann Arbor.

Ping Yan, Research Scientist at

About Ping

Ping spent a decade innovating ways of making sense of data in various domains, from consumer behavior modeling to algorithmic security detection. Her works were published as journal articles, monographs and books. Ping holds a PhD in Management Information System from the University of Arizona with a focus on machine learning, consumer analytics and healthcare surveillance. She is a currently a research scientist with the Salesforce Security Analytics team. Ping spoke at various conferences in the field of management science such as ICIS, WITS, BioSecure among others, and InfoSec events including BayThreat, BSidesSF and CanSecWest 2013, OWASP AppSec 2015.