
Recent Conference papers

  1. Amirreza Niakanlahiji; Jinpeng Wei; Md Rabbi Alam; Qingyang Wang; Bei-Tseng Chu - "ShadowMove: A Stealthy Lateral Movement Strategy" - 29th USENIX Security Symposium (USENIX SEC '20), 2020.

    Abstract. Advanced Persistent Threat (APT) attacks use various strategies and techniques to move laterally within an enterprise environment; however, the existing strategies and techniques have limitations such as requiring elevated permissions, creating new connections, performing new authentications, or requiring process injections. Based on these characteristics, many host- and network-based solutions have been proposed to prevent or detect such lateral movement attempts. In this paper, we present a novel stealthy lateral movement strategy, ShadowMove, in which only established connections between systems in an enterprise network are misused for lateral movements. It has a set of unique features such as requiring no elevated privilege, no new connection, no extra authentication, and no process injection, which makes it stealthy against state-of-the-art detection mechanisms. ShadowMove is enabled by a novel socket duplication approach that allows a malicious process to silently abuse TCP connections established by benign processes. We design and implement ShadowMove for current Windows and Linux operating systems. To validate the feasibility of ShadowMove, we build several prototypes that successfully hijack three kinds of enterprise protocols, FTP, Microsoft SQL, and Windows Remote Management, to perform lateral movement actions such as copying malware to the next target machine and launching malware on the target machine. We also confirm that our prototypes cannot be detected by existing host- and network-based solutions, such as five top-notch anti-virus products (McAfee, Norton, Webroot, Bitdefender, and Windows Defender), four IDSes (Snort, OSSEC, Osquery, and Wazuh), and two Endpoint Detection and Response systems (CrowdStrike Falcon Prevent and Cisco AMP).

  2. Yingyuan Yang; Xueli Huang; Yanhui Guo; Jinyuan Stella Sun - "Dynamic multi-level privilege control in behavior-based implicit authentication systems leveraging mobile devices" - 2020 IEEE 17th International Conference on Mobile Ad Hoc and Sensor Systems (MASS), 2020.

    Abstract. Implicit authentication (IA) has been gaining popularity in recent years due to its use of user behavior as the main input, relieving users from explicit actions such as remembering and entering passwords. However, such convenience comes at a cost in authentication accuracy and delay, which we propose to improve in this paper. Authentication accuracy deteriorates as users' behaviors change as a result of mood, age, a change of routine, etc. Current authentication systems handle failed authentication attempts by locking the users out of their mobile devices. This is unsuitable for IA, whose accuracy deterioration induces a high false reject rate, rendering the IA system unusable. Furthermore, existing IA systems leverage computationally expensive machine learning, which can introduce a large authentication delay. It is challenging to improve the authentication accuracy of these systems without sacrificing authentication delay. In this paper, we propose a multi-level privilege control (MPC) scheme that dynamically adjusts users' access privilege based on their behavior change. MPC increases the system's confidence in users' legitimacy even when their behaviors deviate from historical data, thus improving authentication accuracy. It is a lightweight feature added to the existing IA schemes that helps avoid frequent and expensive retraining of machine learning models, thus improving authentication delay. We demonstrate that MPC increases authentication accuracy by 18.63% and reduces authentication delay by 7.02 minutes on average, using a public dataset that contains comprehensive user behavior data.

  3. Jiangnan Li; Yingyuan Yang; Jinyuan Stella Sun - "SearchFromFree: Adversarial Measurements for Machine Learning-based Energy Theft Detection" - 2020 IEEE International Conference on Communications, Control, and Computing Technologies for Smart Grids (SmartGridComm), 2020.

    Abstract. Energy theft causes large economic losses to utility companies around the world. In recent years, energy theft detection approaches based on machine learning (ML) techniques, especially neural networks, have become popular in the research community and have been shown to achieve state-of-the-art detection performance. However, in this work, we demonstrate that well-trained ML models for energy theft detection are highly vulnerable to adversarial attacks. In particular, we design an adversarial measurement generation approach that enables the attacker to report extremely low power consumption measurements to utilities while bypassing the ML energy theft detection. We evaluate our approach with three kinds of neural networks based on a real-world smart meter dataset. The evaluation results demonstrate that our approach is able to significantly decrease the ML models' detection accuracy, even for black-box attackers.