Data center security traditionally is implemented at the external network access points, i.e., the perimeter of the data center network, and focuses on preventing malicious software from entering the data center. However, these defenses do not cover all possible entry points for malicious software, and they are not 100% effective at preventing infiltration through the connection points. Therefore, security is required within the data center to detect malicious software activity including its lateral movement within the data center. In this paper, we present a machine learning-based network traffic analysis approach to detect the lateral movement of malicious software within the data center. Our approach employs an unsupervised learning approach that uses the metadata of network transactions to learn the normal application network traffic behavior and detect anomalous communications. Utilizing over two million records for the training data and four hundred thousand records for validation, our approach identified 0.61% of the communications as anomalous. The fact that any anomalies were successfully identified further confirms our theory that monitoring data center traffic for anomalous communications is an effective and necessary approach to detecting malicious software activity that remains internal to the data center.

Creative Commons License

Creative Commons Attribution-Noncommercial 4.0 License
This work is licensed under a Creative Commons Attribution-Noncommercial 4.0 License