Machine Learning Technology for Detecting Living-Off-the-Land (LOTL) Cyberattacks

Identifying anomalous client–server behavior in network traffic using K-Means clustering and Graph Convolutional Networks.
Technology No. CW-25-20

Summary

This software applies machine learning to detect Living-Off-the-Land (LOTL) cyberattacks by analyzing network traffic rather than command-line data. The system processes Zeek network logs generated from packet captures and converts them into structured features suitable for modeling. A K-Means model first classifies each device as a client or server, after which a Graph Convolutional Network (GCN) learns low-dimensional representations of network behavior. These embeddings are then re-clustered to identify anomalous transitions—patterns where a device begins to behave unexpectedly, such as a client exhibiting server-like activity.

The solution is open and reproducible, designed to enable researchers and practitioners to apply or extend the model in detecting stealthy network-based attacks.
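The role-labeling and transition-flagging steps of the pipeline, reduced to a runnable sketch. This is an added illustration, not the project's code: it keeps the K-Means client/server labeling and the per-window role comparison but omits the GCN embedding stage, and the Zeek conn.log-style records (`ts`, `id.orig_h`, `id.resp_h`, `id.resp_p`) are constructed.

```python
from collections import defaultdict

# Constructed Zeek conn.log-style records: (ts, id.orig_h, id.resp_h, id.resp_p).
# Window 1 (ts < 100): 10.0.0.5/6/7 only originate connections to 10.0.0.1.
# Window 2 (ts >= 100): 10.0.0.5 starts answering on 445 and 5985 (server-like).
CONN_LOG = [
    (10, "10.0.0.5", "10.0.0.1", 53), (11, "10.0.0.5", "10.0.0.1", 80),
    (12, "10.0.0.6", "10.0.0.1", 53), (13, "10.0.0.6", "10.0.0.1", 443),
    (14, "10.0.0.7", "10.0.0.1", 53), (15, "10.0.0.7", "10.0.0.1", 80),
    (110, "10.0.0.5", "10.0.0.1", 53), (111, "10.0.0.6", "10.0.0.1", 80),
    (112, "10.0.0.6", "10.0.0.5", 445), (113, "10.0.0.7", "10.0.0.5", 445),
    (114, "10.0.0.7", "10.0.0.5", 5985), (115, "10.0.0.6", "10.0.0.5", 5985),
    (116, "10.0.0.7", "10.0.0.1", 443),
]

def host_features(records):
    """Per-host feature vector: (share of its connections where it is the
    responder, number of distinct ports it responded on)."""
    out_cnt, in_cnt, ports = defaultdict(int), defaultdict(int), defaultdict(set)
    for _ts, orig, resp, port in records:
        out_cnt[orig] += 1
        in_cnt[resp] += 1
        ports[resp].add(port)
    return {h: (in_cnt[h] / (out_cnt[h] + in_cnt[h]), float(len(ports[h])))
            for h in set(out_cnt) | set(in_cnt)}

def _dist2(a, b):
    return sum((x - y) ** 2 for x, y in zip(a, b))

def kmeans2(points, iters=20):
    """Plain two-centroid K-Means (no sklearn), deterministically seeded with the
    lowest- and highest-responder-share points. Returns (assignments, centroids)."""
    cents = [min(points, key=lambda p: p[0]), max(points, key=lambda p: p[0])]
    assign = []
    for _ in range(iters):
        assign = [min((0, 1), key=lambda c: _dist2(p, cents[c])) for p in points]
        for c in (0, 1):
            members = [p for p, a in zip(points, assign) if a == c]
            if members:
                cents[c] = tuple(sum(v) / len(members) for v in zip(*members))
    return assign, cents

def label_roles(records):
    """K-Means step: the cluster with the higher responder share is 'server'."""
    feats = host_features(records)
    hosts = sorted(feats)
    assign, cents = kmeans2([feats[h] for h in hosts])
    server_cluster = max((0, 1), key=lambda c: cents[c][0])
    return {h: "server" if a == server_cluster else "client" for h, a in zip(hosts, assign)}

def role_transitions(records, split_ts):
    """Flag hosts labeled client before split_ts that become servers after it."""
    before = label_roles([r for r in records if r[0] < split_ts])
    after = label_roles([r for r in records if r[0] >= split_ts])
    return sorted(h for h in after if before.get(h) == "client" and after[h] == "server")
```

Run `role_transitions(CONN_LOG, 100)` to see the host whose role shifts between the two windows; on real data the windows would be sized to the environment and the features would come from the GCN embeddings rather than the raw counts used here.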

Solution

  • Network-Level Detection: Uses Zeek-derived network logs instead of host-based command data.
  • Hybrid Modeling Pipeline: Combines K-Means clustering for behavioral labeling with GCN-based embeddings for structural relationship analysis.
  • Behavioral Transition Analysis: Flags unexpected changes in a device's role within the network traffic, such as a client that begins to act as a server.

Key Advantages

  • Data Accessibility: Operates on widely available Zeek logs instead of restricted command data.
  • Improved Stealth Attack Detection: Identifies behavioral shifts characteristic of LOTL activity.
  • Reproducible Research: Publicly released to promote transparency and facilitate peer extension.
  • Model Flexibility: Framework can be retrained or adapted to new environments and datasets.

Market Applications

  • Cybersecurity Operations Centers (CSOCs): Enhancing anomaly detection workflows in network monitoring.
  • Research Institutions: Benchmarking and extending LOTL detection methodologies.
  • Machine Learning Teams: Applying graph-based learning to network security datasets.
  • Cyber Defense Training Environments: Demonstrating LOTL detection techniques using real network data.

Access

This software is available as open-source and can be accessed via the software's GitHub Page.

  • Authors (3)
    Anna T Quach
    Dempsey D Rogers
    Alaguvalliappan Thiagarajan
  • Supporting documents (1)
    Product brochure: Machine Learning Technology for Detecting Living-Off-the-Land (LOTL) Cyberattacks.pdf