Richl-lab/recognize-unusual-logins


FindMaliciousEvents

This tool is used to find anomalies or suspicious login events, especially to detect lateral movement.
Explore the docs »

View Demo · Report Bug · See docs to add Features

About The Project

This tool is used to find anomalies or suspicious login events.

Built With

  • R & R-Studio
  • Python & Jupyter Notebook/Pycharm
  • Shell & Pycharm

Getting Started

Prerequisites & Installation

This tool only works on Linux (tested with Ubuntu 20.04). To use it, R and Python 3.8 need to be installed. Furthermore, an existing Python environment in the project folder that satisfies requirements.txt is required.

To install and configure, use the following script:

. setup.sh

Installs:

  • r-base
  • python 3.8
  • pip
  • python3-venv
  • wheel and some more Python packages (requirements.txt)
  • r-packages (dplyr,...)

Configuration:

  • virtual environment named maliciousevents
  • create the ~/.R directory for R site-packages

Optional Configuration:

Add a link to one of your $PATH locations. For example:

ln -s -r FindMaliciousEvents.R ~/.local/bin/FindMaliciousEvents   

Logon Data

The data needs the following structure:

Event ID | Host    | Time                  | Logon ID     | User     | Source  | Source Port | Logon Type
Integer  | Char    | Date                  | Numeric(hex) | Char     | Char    | Integer     | Integer
4624     | 1112223 | "2021-06-01 00:00:02" | 0x233eef     | 33339993 | 3333888 | 0           | 2

By default, users with numbers smaller than 10000 are removed, because they are interpreted as well-known SIDs. The software was tested with anonymized users, hosts and sources, so there is no guarantee that it works without anonymization.

Example data can be found here.
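As an added illustration (not part of the project's code), the following Python parses data in the structure above, applies the default user filter, and derives one simple lateral-movement feature. The sample rows are constructed, and the host fan-out feature and its threshold are this example's own assumptions, not the tool's algorithm.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample in the README's column order (anonymized numeric ids); not project data.
SAMPLE_CSV = '''Event ID,Host,Time,Logon ID,User,Source,Source Port,Logon Type
4624,1112223,"2021-06-01 00:00:02",0x233eef,33339993,3333888,0,2
4624,1112224,"2021-06-01 00:05:10",0x23400a,33339993,1112223,49832,3
4624,1112225,"2021-06-01 00:06:45",0x234111,33339993,1112223,49840,3
4624,1112226,"2021-06-01 00:07:30",0x234222,33339993,1112223,49851,3
4624,1112223,"2021-06-01 01:00:00",0x234333,500,1112223,0,2
4624,1112224,"2021-06-02 09:00:00",0x234444,44440001,1112224,0,2
'''

MIN_USER = 10000  # README default: smaller user numbers count as well-known SIDs

def parse_events(text):
    """Parse CSV text into typed records following the documented column types."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "event_id": int(r["Event ID"]),
            "host": r["Host"],
            "time": datetime.strptime(r["Time"], "%Y-%m-%d %H:%M:%S"),
            "logon_id": int(r["Logon ID"], 16),  # Numeric(hex) column
            "user": r["User"],
            "source": r["Source"],
            "source_port": int(r["Source Port"]),
            "logon_type": int(r["Logon Type"]),
        })
    return rows

def drop_well_known(rows, min_user=MIN_USER):
    """Default filter from the README: remove users with a number below min_user."""
    return [r for r in rows if int(r["user"]) >= min_user]

def network_fanout(rows):
    """Illustrative feature (this example's, not the tool's): distinct hosts per user
    reached by successful network logons (4624, type 3), a lateral-movement signal."""
    hosts = defaultdict(set)
    for r in rows:
        if r["event_id"] == 4624 and r["logon_type"] == 3:
            hosts[r["user"]].add(r["host"])
    return {u: len(h) for u, h in hosts.items()}

def flag_users(text, threshold=3):
    """Run parse -> filter -> feature and return users at or above the threshold."""
    rows = drop_well_known(parse_events(text))
    return sorted(u for u, n in network_fanout(rows).items() if n >= threshold)
```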

Usage

After running the setup script, the R script should be executable.

With the link set:

FindMaliciousEvents args

Without the link:

FindMaliciousEvents.R args
or
Rscript FindMaliciousEvents.R args

Arguments:

FindMaliciousEvents [File location] [Directory to save] [Options]

For more information and options see:

FindMaliciousEvents --help

Examples

Find unusual logins from 2021-06-01 to 2021-07-01:

FindMaliciousEvents raw_data.csv . -d m 2021-06-01 2021-07-01

Find unusual logins with the use of kNN and rank it:

FindMaliciousEvents raw_data.csv . -m kNN -r

Find unusual logins from an existing feature set that was created with this software:

FindMaliciousEvents features.csv . -e

Demo

Tool Demo

Maintenance

If you want to add new features, see the Maintenance directory. It contains a description of how to add different kinds of features.

Roadmap

License

Distributed under the MIT License. See LICENSE for more information.

Contact

Richard Mey

Project Link/Location:

Github Repository

Acknowledgements
