Detecting lateral movement and anomalous nodes using network spectral embedding
Published in Microsoft Corporation, 2019
Detecting lateral movement in large graphs is an important task for computer network security. Attackers typically gain access to one machine and then move laterally within the network, trying to reach its most important nodes. In this project, spectral embedding, a well-known mathematical tool for extracting latent features from large graphs, is used to select anomalous subgraphs and nodes in computer networks. First, spectral embedding scores can be used for link prediction and for identifying suspicious subgraphs, providing a tool for detecting lateral movement. Second, comparing spectral embeddings computed at different points in time gives evidence of changes in the normal behavior of nodes, allowing anomalous nodes to be selected and flagged. The two algorithms, for anomalous subgraph selection and anomalous node selection, are shown to succeed in detecting red team exercises in real-world networks.
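As an added illustration of the first use described above (this is not the paper's code), the block below builds a constructed two-team host-communication graph, computes a rank-2 spectral embedding of its adjacency matrix by power iteration with deflation, scores newly observed connections with the rank-2 link-prediction reconstruction, and flags the connections the baseline does not predict. The host names, edges, scoring rule and threshold are all assumptions made for the example.

```python
from math import sqrt

# Constructed baseline: two teams whose hosts talk among themselves and to a team
# file server; one pair in each team (ws3-ws4, ws6-ws7) has never communicated.
HOSTS = ["srvA", "ws1", "ws2", "ws3", "ws4", "srvB", "ws5", "ws6", "ws7"]
BASELINE = [("srvA", "ws1"), ("srvA", "ws2"), ("srvA", "ws3"), ("srvA", "ws4"),
            ("ws1", "ws2"), ("ws1", "ws3"), ("ws1", "ws4"), ("ws2", "ws3"), ("ws2", "ws4"),
            ("srvB", "ws5"), ("srvB", "ws6"), ("srvB", "ws7"), ("ws5", "ws6"), ("ws5", "ws7")]
# Constructed new window: two routine flows, one never-seen but plausible flow inside
# team A (ws3-ws4), and ws4 reaching across into team B's server.
OBSERVED = [("ws2", "ws4"), ("ws3", "ws4"), ("ws4", "srvB"), ("srvB", "ws7")]


def adjacency(hosts, edges):
    """Symmetric 0/1 adjacency matrix of an undirected host-communication graph."""
    idx = {h: i for i, h in enumerate(hosts)}
    a = [[0.0] * len(hosts) for _ in hosts]
    for u, v in edges:
        a[idx[u]][idx[v]] = a[idx[v]][idx[u]] = 1.0
    return a


def spectral_embedding(a, k=2, iters=500):
    """Top-k eigenpairs (largest |lambda|) of symmetric a by power iteration + deflation.
    Each eigenvector gives one latent coordinate per host; returns (lam, vector) pairs."""
    n, m, pairs = len(a), [row[:] for row in a], []
    for _ in range(k):
        v = [1.0 / sqrt(n)] * n
        for _ in range(iters):
            w = [sum(m[i][j] * v[j] for j in range(n)) for i in range(n)]
            norm = sqrt(sum(x * x for x in w)) or 1.0
            v = [x / norm for x in w]
        lam = sum(v[i] * m[i][j] * v[j] for i in range(n) for j in range(n))
        pairs.append((lam, v))
        for i in range(n):  # deflate so the next pass converges to the next eigenpair
            for j in range(n):
                m[i][j] -= lam * v[i] * v[j]
    return pairs


def link_score(emb, i, j):
    """Rank-k reconstruction of A[i][j]: how strongly the baseline predicts this link."""
    return sum(lam * v[i] * v[j] for lam, v in emb)


def flag_connections(hosts, baseline, observed, threshold=0.1):
    """Observed flows the baseline embedding does not predict: lateral-movement candidates.
    In this two-team baseline, in-team flows score well even if never seen; cross-team ~0."""
    idx = {h: i for i, h in enumerate(hosts)}
    emb = spectral_embedding(adjacency(hosts, baseline))
    scored = [(u, v, round(link_score(emb, idx[u], idx[v]), 3)) for u, v in observed]
    return [t for t in scored if t[2] < threshold]
```

Calling `flag_connections(HOSTS, BASELINE, OBSERVED)` returns only the cross-team flow `ws4 -> srvB`; the never-seen in-team pair ws3-ws4 is not flagged because the embedding predicts it from team A's structure.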