A Graph-Based Infrastructure for Characterizing Structural Risk and Lateral Movement Patterns in APT Campaigns
Journal article   Open access   Peer reviewed

Trever Knie, Dustin Mink, Sikha Bagui and Subhash Bagui
IEEE Access, Vol. 14, pp. 73812-73841
05/07/2026

Abstract

Advanced Persistent Threats (APTs) execute stealthy lateral movement that often evades traditional host-centric detection. This work addresses the triage bottleneck in Security Operations Centers (SOCs) by introducing a graph-based infrastructure for characterizing the structural risk of reconnaissance victims. By coupling the graph database capabilities of Neo4j with the structural learning power of Fast Random Projection (FastRP) graph neural network embeddings, the system maps the structural position of nodes within a massive dataset of 1.8 million Zeek telemetry edges from the UWF-ZeekData24 corpus [Appendix A]. We implement a dual-mode analysis: a label-aware branch leveraging MITRE ATT&CK ground truth and a label-agnostic branch using volume-based heuristics. Results demonstrate that pivot nodes exhibit distinct structural signatures, achieving a Cohen's d of 0.588 and a FastRP similarity AUC-PR of 0.974. Statistical validation via Welch's t-test (p < 1e-271) confirms that structural context significantly differentiates potential pivots from dormant victims. While the high pivot rate in the dataset (94%) influences these metrics, the work establishes a scalable framework for multi-hop kill chain analytics and provides a foundational characterization of APT movement patterns. This infrastructure enables analysts to prioritize high-risk network segments, shifting the defensive posture toward proactive characterization.
Published (Version of record)
