{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,9]],"date-time":"2026-03-09T14:41:07Z","timestamp":1773067267758,"version":"3.50.1"},"reference-count":37,"publisher":"Springer Science and Business Media LLC","issue":"6","license":[{"start":{"date-parts":[[2023,7,19]],"date-time":"2023-07-19T00:00:00Z","timestamp":1689724800000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"},{"start":{"date-parts":[[2023,7,19]],"date-time":"2023-07-19T00:00:00Z","timestamp":1689724800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"}],"funder":[{"DOI":"10.13039\/501100007778","name":"Aegean University","doi-asserted-by":"crossref","id":[{"id":"10.13039\/501100007778","id-type":"DOI","asserted-by":"crossref"}]}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["Int. J. Inf. Secur."],"published-print":{"date-parts":[[2023,12]]},"abstract":"<jats:title>Abstract<\/jats:title>\n                  <jats:p>\n                    Lateral movement (LM) is a principal, increasingly common, tactic in the arsenal of advanced persistent threat (APT) groups and other less or more powerful threat actors. It concerns techniques that enable a cyberattacker, after establishing a foothold, to maintain ongoing access and penetrate further into a network in quest of prized booty. This is done by moving through the infiltrated network and gaining elevated privileges using an assortment of tools. Concentrating on the MS Windows platform, this work provides the first to our knowledge holistic methodology supported by an abundance of experimental results towards the detection of LM via supervised machine learning (ML) techniques. We specifically detail feature selection, data preprocessing, and feature importance processes, and elaborate on the configuration of the ML models used. 
A plethora of ML techniques are assessed, including 10 base estimators, one ensemble meta-estimator, and five deep learning models. Vis-\u00e0-vis the relevant literature, and by considering a highly unbalanced dataset and a multiclass classification problem, we report superior scores in terms of the\n                    <jats:italic>F<\/jats:italic>\n                    1 and AUC metrics, 99.41% and 99.84%, respectively. Last but not least, as a side contribution, we offer a publicly available, open-source tool, which can convert Windows system monitor logs to turnkey datasets, ready to be fed into ML models.\n                  <\/jats:p>","DOI":"10.1007\/s10207-023-00725-8","type":"journal-article","created":{"date-parts":[[2023,7,19]],"date-time":"2023-07-19T11:04:30Z","timestamp":1689764670000},"page":"1893-1919","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":22,"title":["On the detection of lateral movement through supervised machine learning and an open-source tool to create turnkey datasets from Sysmon logs"],"prefix":"10.1007","volume":"22","author":[{"given":"Christos","family":"Smiliotopoulos","sequence":"first","affiliation":[]},{"given":"Georgios","family":"Kambourakis","sequence":"additional","affiliation":[]},{"given":"Konstantia","family":"Barbatsalou","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2023,7,19]]},"reference":[{"key":"725_CR1","doi-asserted-by":"publisher","first-page":"165295","DOI":"10.1109\/ACCESS.2021.3133348","volume":"9","author":"GM Makrakis","year":"2021","unstructured":"Makrakis, G.M., et al.: Industrial and critical infrastructure security: technical analysis of real-life security incidents. IEEE Access 9, 165295\u2013165325 (2021). 
https:\/\/doi.org\/10.1109\/ACCESS.2021.3133348","journal-title":"IEEE Access"},{"key":"725_CR2","doi-asserted-by":"publisher","DOI":"10.1007\/s10207-023-00706-x","author":"L Gonz\u00e1lez-Manzano","year":"2023","unstructured":"Gonz\u00e1lez-Manzano, L., et al.: A technical characterization of APTs by leveraging public resources. Int. J. Inf. Secur. (2023). https:\/\/doi.org\/10.1007\/s10207-023-00706-x","journal-title":"Int. J. Inf. Secur."},{"key":"725_CR3","unstructured":"MITRE: Lateral movement\u2014the adversary is trying to move through your environment (2019)"},{"key":"725_CR4","unstructured":"Sarah Hawley - Ben Read - Cristiana Brafman_Kittner - Nalani Fraser - Andrew Thompson - Yuri Rozhansky - Sanaz Yashar. APT39\u2014An Iranian Cyber Espionage Group Focused on Personal Information (2021)"},{"key":"725_CR5","unstructured":"Corfield, G.: SolarWinds hack was done by Kremlin\u2019s APT29 crew, say UK and US (2021)"},{"key":"725_CR6","unstructured":"Gillis, T., et al.: Lateral movement in the real world\u2014a quantitative analysis (2022). https:\/\/blogs.vmware.com\/security\/2022\/06\/lateral-movement-in-the-real-worlda-quantitative-analysis.html. Visited on 2022"},{"key":"725_CR7","doi-asserted-by":"publisher","unstructured":"Kaiafas, G., et al.: Detecting malicious authentication events trustfully. In: NOMS 2018\u20142018 IEEE\/IFIP Network Operations and Management Symposium, pp. 1\u20136 (2018). https:\/\/doi.org\/10.1109\/NOMS.2018.8406295","DOI":"10.1109\/NOMS.2018.8406295"},{"key":"725_CR8","doi-asserted-by":"crossref","unstructured":"Kent, A.D.: Cybersecurity data sources for dynamic network research. In: Dynamic Networks in Cybersecurity. Imperial College Press (2015)","DOI":"10.1142\/9781786340757_0002"},{"key":"725_CR9","doi-asserted-by":"publisher","unstructured":"Bian, H. et al.: Host in danger? Detecting network intrusions from authentication logs. In: 2019 15th International Conference on Network and Service Management (CNSM), pp. 
1\u20139 (2019). https:\/\/doi.org\/10.23919\/CNSM46954.2019.9012700","DOI":"10.23919\/CNSM46954.2019.9012700"},{"key":"725_CR10","doi-asserted-by":"publisher","unstructured":"Bai, T., et al.: A machine learning approach for RDP-based lateral movement detection. In: 2019 IEEE 44th Conference on Local Computer Networks (LCN), pp. 242\u2013245 (2019). https:\/\/doi.org\/10.1109\/LCN44214.2019.8990853","DOI":"10.1109\/LCN44214.2019.8990853"},{"issue":"1","key":"725_CR11","doi-asserted-by":"publisher","first-page":"1049","DOI":"10.1109\/TNSM.2021.3054356","volume":"18","author":"H Bian","year":"2021","unstructured":"Bian, H., et al.: Uncovering lateral movement using authentication logs. IEEE Trans. Netw. Serv. Manag. 18(1), 1049\u20131063 (2021). https:\/\/doi.org\/10.1109\/TNSM.2021.3054356","journal-title":"IEEE Trans. Netw. Serv. Manag."},{"issue":"6","key":"725_CR12","first-page":"925","volume":"22","author":"C-M Chen","year":"2020","unstructured":"Chen, C.-M., Syu, G.-H., Cai, Z.-X.: Analyzing system log based on machine learning model. Int. J. Netw. Secur. 22(6), 925\u2013933 (2020)","journal-title":"Int. J. Netw. Secur."},{"key":"725_CR13","doi-asserted-by":"publisher","unstructured":"Bohara, A., et al.: An unsupervised multi-detector approach for identifying malicious lateral movement. In: 2017 IEEE 36th Symposium on Reliable Distributed Systems (SRDS), pp. 224\u2013233 (2017). https:\/\/doi.org\/10.1109\/SRDS.2017.31","DOI":"10.1109\/SRDS.2017.31"},{"issue":"2","key":"725_CR14","doi-asserted-by":"publisher","first-page":"1152","DOI":"10.1109\/TNSM.2021.3071928","volume":"18","author":"DC Le","year":"2021","unstructured":"Le, D.C., Zincir-Heywood, N.: Anomaly detection for insider threats using unsupervised ensembles. IEEE Trans. Netw. Serv. Manag. 18(2), 1152\u20131164 (2021). https:\/\/doi.org\/10.1109\/TNSM.2021.3071928","journal-title":"IEEE Trans. Netw. Serv. 
Manag."},{"key":"725_CR15","unstructured":"Center, C., Trzeciak, R.: The CERT insider threat database. In: Carnegie Mellon University\u2019s Software Engineering Institute Blog (2011)"},{"key":"725_CR16","doi-asserted-by":"publisher","unstructured":"Harilal, A., et al.: TWOS: a dataset of malicious insider threat behavior based on a Gamified competition. In: Proceedings of the 2017 International Workshop on Managing Insider Security Threats. MIST \u201917. Association for Computing Machinery, Dallas, Texas, USA, pp. 45\u201356 (2017). ISBN: 9781450351775. https:\/\/doi.org\/10.1145\/3139923.3139929","DOI":"10.1145\/3139923.3139929"},{"key":"725_CR17","doi-asserted-by":"publisher","unstructured":"Chen, M., et al.: A novel approach for identifying lateral movement attacks based on network embedding. In: 2018 IEEE international conference on parallel & distributed processing with applications, ubiquitous computing & communications, big data & cloud computing, social computing & networking, sustainable computing & communications (ISPA\/IUCC\/BDCloud\/Social-Com\/SustainCom), pp. 708\u2013715 (2018). https:\/\/doi.org\/10.1109\/BDCloud.2018.00107","DOI":"10.1109\/BDCloud.2018.00107"},{"issue":"2","key":"725_CR18","first-page":"10","volume":"1","author":"HPS Bhasin","year":"2018","unstructured":"Bhasin, H.P.S., et al.: Data center application security: lateral movement detection of malware using behavioral models. SMU Data Sci. Rev. 1(2), 10 (2018)","journal-title":"SMU Data Sci. Rev."},{"key":"725_CR19","volume":"16","author":"BA Powell","year":"2022","unstructured":"Powell, B.A.: Role-based lateral movement detection with unsupervised learning. Intell. Syst. Appl. 16, 200106 (2022)","journal-title":"Intell. Syst. Appl."},{"key":"725_CR20","doi-asserted-by":"publisher","unstructured":"Purvine, E., Johnson, J.R., Lo, C.: A graph-based impact metric for mitigating lateral movement cyber attacks. 
In: Proceedings of the 2016 ACM Workshop on Automated Decision Making for Active Cyber Defense. SafeConfig \u201916. Association for Computing Machinery, Vienna, Austria, pp. 45\u201352 (2016). ISBN: 9781450345668. https:\/\/doi.org\/10.1145\/2994475.2994476","DOI":"10.1145\/2994475.2994476"},{"key":"725_CR21","doi-asserted-by":"publisher","unstructured":"Liu, Q., et al.: Latte: large-scale lateral movement detection. In: MILCOM 2018\u20142018 IEEE Military Communications Conference (MILCOM), pp. 1\u20136 (2018). https:\/\/doi.org\/10.1109\/MILCOM.2018.8599748","DOI":"10.1109\/MILCOM.2018.8599748"},{"key":"725_CR22","unstructured":"Ho, G., et al.: Hopper: modeling and detecting lateral movement. In: 30th USENIX Security Symposium (USENIX Security 21). USENIX Association, pp. 3093\u20133110 (2021). ISBN: 978-1-939133-24-3"},{"key":"725_CR23","doi-asserted-by":"publisher","first-page":"37","DOI":"10.1016\/j.neucom.2021.12.026","volume":"474","author":"Y Fang","year":"2022","unstructured":"Fang, Y., et al.: LMTracker: lateral movement path detection based on heterogeneous graph embedding. Neurocomputing 474, 37\u201347 (2022). https:\/\/doi.org\/10.1016\/j.neucom.2021.12.026. (ISSN: 0925-2312)","journal-title":"Neurocomputing"},{"key":"725_CR24","doi-asserted-by":"publisher","DOI":"10.3390\/app12157746","author":"C Smiliotopoulos","year":"2022","unstructured":"Smiliotopoulos, C., Barmpatsalou, K.: Revisiting the detection of lateral movement through Sysmon. Appl. Sci. (2022). https:\/\/doi.org\/10.3390\/app12157746. (ISSN: 2076-3417)","journal-title":"Appl. Sci."},{"key":"725_CR25","unstructured":"Smiliotopoulos, C., Barbatsalou, K., Kambourakis, G.: Python_Evtx_Analyzer (PeX - v1) (2022). https:\/\/github.com\/ChristosSmiliotopoulos\/Python_Evtx_Analyzer.git. Visited on 2022"},{"key":"725_CR26","unstructured":"Russinovich, M., Garnier, T.: Sysmon v13.22. 
In: Retrieved 28 June 2021 (2021)"},{"key":"725_CR27","unstructured":"Smiliotopoulos, C., Kambourakis, G.: evtx_To_CSV_Export Tool (ETCExp) (2023). https:\/\/github.com\/ChristosSmiliotopoulos\/evtx_To_CSV_ExportTool. Visited on 2023"},{"key":"725_CR28","unstructured":"Smiliotopoulos, C., Kambourakis, G.: \u201cLMD\u201d Sysmon Dataset Collections (2023). https:\/\/github.com\/ChristosSmiliotopoulos\/Lateral-Movement-Dataset--LMD_Collections. Visited on 2023"},{"key":"725_CR29","doi-asserted-by":"publisher","first-page":"113","DOI":"10.1016\/j.comcom.2022.12.010","volume":"199","author":"SM Kasongo","year":"2023","unstructured":"Kasongo, S.M.: A deep learning technique for intrusion detection system using a recurrent neural networks based framework. Comput. Commun. 199, 113\u2013125 (2023). https:\/\/doi.org\/10.1016\/j.comcom.2022.12.010. (ISSN: 0140-3664)","journal-title":"Comput. Commun."},{"issue":"1","key":"725_CR30","doi-asserted-by":"publisher","first-page":"65","DOI":"10.1186\/s40537-021-00448-4","volume":"8","author":"F Laghrissi","year":"2021","unstructured":"Laghrissi, F., et al.: Intrusion detection systems using long short-term memory (LSTM). J. Big Data 8(1), 65 (2021). https:\/\/doi.org\/10.1186\/s40537-021-00448-4","journal-title":"J. Big Data"},{"key":"725_CR31","doi-asserted-by":"publisher","unstructured":"Tang, T.A., et al.: Deep recurrent neural network for intrusion detection in SDN-based networks. In: 2018 4th IEEE Conference on Network Softwarization and Workshops (NetSoft), pp. 202\u2013206 (2018). https:\/\/doi.org\/10.1109\/NETSOFT.2018.8460090","DOI":"10.1109\/NETSOFT.2018.8460090"},{"key":"725_CR32","doi-asserted-by":"publisher","DOI":"10.3390\/s21134294","author":"Y Song","year":"2021","unstructured":"Song, Y., Hyun, S., Cheong, Y.-G.: Analysis of autoencoders for network intrusion detection. Sensors (2021). https:\/\/doi.org\/10.3390\/s21134294. 
(ISSN: 1424-8220)","journal-title":"Sensors"},{"key":"725_CR33","doi-asserted-by":"publisher","unstructured":"Singh, A., Jang-Jaccard, J.: Autoencoder-based unsupervised intrusion detection using multi-scale convolutional recurrent networks. In: CoRR abs\/2204.03779 (2022). https:\/\/doi.org\/10.48550\/arXiv.2204.03779. arXiv: 2204.03779","DOI":"10.48550\/arXiv.2204.03779"},{"key":"725_CR34","doi-asserted-by":"publisher","unstructured":"Kamalov, F., et al.: Autoencoder-based intrusion detection system. In: 2021 International Conference on Engineering and Emerging Technologies (ICEET), pp. 1\u20135 (2021). https:\/\/doi.org\/10.1109\/ICEET53442.2021.9659562","DOI":"10.1109\/ICEET53442.2021.9659562"},{"key":"725_CR35","doi-asserted-by":"publisher","first-page":"77","DOI":"10.1016\/j.comcom.2021.08.026","volume":"180","author":"K Narayana Rao","year":"2021","unstructured":"Narayana Rao, K., Venkata Rao, K., Prasad Reddy, P.V.G.D.: A hybrid intrusion detection system based on sparse autoencoder and deep neural network. Comput. Commun. 180, 77\u201388 (2021). https:\/\/doi.org\/10.1016\/j.comcom.2021.08.026. (ISSN: 0140-3664)","journal-title":"Comput. Commun."},{"key":"725_CR36","doi-asserted-by":"publisher","first-page":"64761","DOI":"10.1109\/ACCESS.2022.3183597","volume":"10","author":"E Chatzoglou","year":"2022","unstructured":"Chatzoglou, E., et al.: Pick quality over quantity: expert feature selection and data preprocessing for 802.11 intrusion detection systems. IEEE Access 10, 64761\u201364784 (2022). https:\/\/doi.org\/10.1109\/ACCESS.2022.3183597","journal-title":"IEEE Access"},{"key":"725_CR37","doi-asserted-by":"publisher","DOI":"10.3390\/s22155633","author":"E Chatzoglou","year":"2022","unstructured":"Chatzoglou, E., et al.: Best of Both Worlds: detecting application layer attacks through 802.11 and non-802.11 features. Sensors (2022). 
https:\/\/doi.org\/10.3390\/s22155633","journal-title":"Sensors"}],"container-title":["International Journal of Information Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s10207-023-00725-8.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/article\/10.1007\/s10207-023-00725-8\/fulltext.html","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s10207-023-00725-8.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2023,9,25]],"date-time":"2023-09-25T22:19:49Z","timestamp":1695680389000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/s10207-023-00725-8"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023,7,19]]},"references-count":37,"journal-issue":{"issue":"6","published-print":{"date-parts":[[2023,12]]}},"alternative-id":["725"],"URL":"https:\/\/doi.org\/10.1007\/s10207-023-00725-8","relation":{"has-preprint":[{"id-type":"doi","id":"10.21203\/rs.3.rs-2845318\/v1","asserted-by":"object"}]},"ISSN":["1615-5262","1615-5270"],"issn-type":[{"value":"1615-5262","type":"print"},{"value":"1615-5270","type":"electronic"}],"subject":[],"published":{"date-parts":[[2023,7,19]]},"assertion":[{"value":"19 July 2023","order":1,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}},{"order":1,"name":"Ethics","group":{"name":"EthicsHeading","label":"Declarations"}},{"value":"The authors declare that they have no conflicts of interest regarding the publication of this study.","order":2,"name":"Ethics","group":{"name":"EthicsHeading","label":"Conflict of interest"}},{"value":"This article does not contain any studies with human participants or animals 
performed by any of the authors.","order":3,"name":"Ethics","group":{"name":"EthicsHeading","label":"Ethical approval"}}]}}
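Added example, not part of the Crossref record above and not the authors' evtx_To_CSV_Export tool: the abstract describes converting Sysmon logs into turnkey datasets for supervised ML. The Python below shows what that conversion step looks like in practice. It flattens Sysmon events exported as Windows Event XML into one row per event with a fixed schema, derives a few lateral-movement-relevant features (destination port checked against SMB/RPC/RDP/WinRM service ports, image and parent image basenames, integrity level, command-line length), attaches analyst-assigned class labels keyed by ProcessGuid, and serialises to CSV. The three events, host names, GUIDs and labels are constructed for this example; the EventData field names (Image, ParentImage, CommandLine, IntegrityLevel, Initiated, DestinationPort, ProcessGuid) are Sysmon's own, but how the paper's tool selects or encodes features is not reproduced here.

```python
"""Flatten Sysmon events (Windows Event XML) into an ML-ready table.

Added example for this page; NOT the authors' evtx_To_CSV_Export tool.
Assumptions: events are already exported as XML (e.g. from an .evtx file
via an EVTX parser or Event Viewer), and ground-truth labels come from the
analyst who staged the lateral-movement scenario, keyed by ProcessGuid.
"""
import csv
import io
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Remote-execution / remote-logon service ports that LM techniques ride on:
# RPC endpoint mapper, NetBIOS, SMB, RDP, WinRM HTTP and HTTPS.
LM_SERVICE_PORTS = {135, 139, 445, 3389, 5985, 5986}

# Fixed column order so every run yields the same schema (a "turnkey" dataset).
COLUMNS = [
    "event_id", "computer", "image", "parent_image", "integrity_level",
    "cmdline_len", "initiated", "dest_port", "dest_port_is_lm", "label",
]

# Constructed sample in Sysmon's XML schema (Event ID 1 = process create,
# Event ID 3 = network connection). Hosts, GUIDs and values are invented.
SAMPLE_XML = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID>
  <TimeCreated SystemTime="2023-01-10T09:15:02.1Z"/><Computer>ws01.lab.local</Computer></System>
 <EventData>
  <Data Name="ProcessGuid">{11111111-0000-0000-0000-000000000001}</Data>
  <Data Name="Image">C:\\Windows\\System32\\wsmprovhost.exe</Data>
  <Data Name="CommandLine">C:\\Windows\\system32\\wsmprovhost.exe -Embedding</Data>
  <Data Name="IntegrityLevel">High</Data>
  <Data Name="ParentImage">C:\\Windows\\System32\\svchost.exe</Data>
 </EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>3</EventID>
  <TimeCreated SystemTime="2023-01-10T09:15:03.4Z"/><Computer>ws01.lab.local</Computer></System>
 <EventData>
  <Data Name="ProcessGuid">{11111111-0000-0000-0000-000000000002}</Data>
  <Data Name="Image">C:\\Windows\\System32\\svchost.exe</Data>
  <Data Name="Initiated">true</Data>
  <Data Name="DestinationPort">445</Data>
 </EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>3</EventID>
  <TimeCreated SystemTime="2023-01-10T09:16:00.0Z"/><Computer>ws02.lab.local</Computer></System>
 <EventData>
  <Data Name="ProcessGuid">{11111111-0000-0000-0000-000000000003}</Data>
  <Data Name="Image">C:\\Program Files\\Mozilla Firefox\\firefox.exe</Data>
  <Data Name="Initiated">true</Data>
  <Data Name="DestinationPort">443</Data>
 </EventData></Event>
</Events>
"""

# Constructed ground truth: analyst-assigned class per ProcessGuid; anything
# not listed is treated as benign (the majority class in a realistic, unbalanced set).
SAMPLE_LABELS = {
    "{11111111-0000-0000-0000-000000000001}": "lm_winrm",
    "{11111111-0000-0000-0000-000000000002}": "lm_smb",
}


def parse_events(xml_text):
    """One dict per <Event>: System fields plus every EventData/Data keyed by its Name."""
    root = ET.fromstring(xml_text)
    events = []
    for ev in root.iter("{%s}Event" % NS["e"]):
        system = ev.find("e:System", NS)
        rec = {
            "EventID": int(system.findtext("e:EventID", default="0", namespaces=NS)),
            "Computer": system.findtext("e:Computer", default="", namespaces=NS),
            "SystemTime": system.find("e:TimeCreated", NS).get("SystemTime", ""),
        }
        for d in ev.iterfind("e:EventData/e:Data", NS):
            rec[d.get("Name")] = d.text or ""
        events.append(rec)
    return events


def featurize(rec, labels):
    """Map one flattened event onto COLUMNS; fields absent for this Event ID get neutral values."""
    port = int(rec.get("DestinationPort", "0") or 0)
    return {
        "event_id": rec["EventID"],
        "computer": rec["Computer"].lower(),
        "image": rec.get("Image", "").rsplit("\\", 1)[-1].lower(),
        "parent_image": rec.get("ParentImage", "").rsplit("\\", 1)[-1].lower(),
        "integrity_level": rec.get("IntegrityLevel", "Unknown"),
        "cmdline_len": len(rec.get("CommandLine", "")),
        "initiated": 1 if rec.get("Initiated", "").lower() == "true" else 0,
        "dest_port": port,
        "dest_port_is_lm": 1 if port in LM_SERVICE_PORTS else 0,
        "label": labels.get(rec.get("ProcessGuid", ""), "benign"),
    }


def build_dataset(xml_text, labels):
    return [featurize(rec, labels) for rec in parse_events(xml_text)]


def to_csv(rows):
    """CSV with the fixed header, ready to be loaded into an ML pipeline."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=COLUMNS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(build_dataset(SAMPLE_XML, SAMPLE_LABELS)))
```

The fixed column list is the point: a model trained on one export must see the same columns, in the same order, with the same neutral fill values for fields that a given Event ID never carries, or the next export silently shifts the feature space. Labels are deliberately kept out of the parser and joined on ProcessGuid, so the same converter serves both a labelled training set and an unlabelled production feed.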