Evolving Bipartite Authentication Graph Partitions

As large-scale enterprise computer networks become more ubiquitous, finding the appropriate balance between user convenience and user access control is an increasingly challenging proposition. Suboptimal partitioning of users' access and available services contributes to the vulnerability of enterprise networks. Previous edge-cut partitioning methods unduly restrict users' access to network resources. This paper introduces a novel network partitioning method that improves on the current state of the art: it minimizes user impact by providing alternate avenues for access while reducing vulnerability. Networks are modeled as bipartite authentication access graphs, and a multi-objective evolutionary algorithm is used to simultaneously minimize the size of large connected components and minimize the overall restrictions placed on network users. Results are presented on a real-world data set and demonstrate the effectiveness of the introduced method compared to previous naive methods.
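The trade-off the abstract describes, worked on a constructed toy bipartite authentication graph (an added example, not the paper's code or data): the two objectives are assumed here to be the size of the largest connected component and the number of user-to-computer accesses restricted, and an exhaustive enumeration of cuts stands in for the evolutionary search the paper uses on real graphs.

```python
from itertools import combinations

# Constructed sample bipartite authentication graph (not the paper's data set):
# each edge records one user authenticating to one computer.
USERS = ["u1", "u2", "u3", "u4"]
COMPUTERS = ["c1", "c2", "c3", "c4", "c5"]
EDGES = [("u1", "c1"), ("u1", "c2"), ("u2", "c2"), ("u2", "c3"),
         ("u3", "c3"), ("u3", "c4"), ("u4", "c4"), ("u4", "c5")]


def largest_component(nodes, edges):
    """Size of the largest connected component (union-find over the kept edges)."""
    parent = {n: n for n in nodes}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for a, b in edges:
        parent[find(a)] = find(b)
    sizes = {}
    for n in nodes:
        r = find(n)
        sizes[r] = sizes.get(r, 0) + 1
    return max(sizes.values())


def evaluate(cut):
    """Objectives for a cut (set of edge indices to restrict): (largest component, accesses removed)."""
    kept = [e for i, e in enumerate(EDGES) if i not in cut]
    return largest_component(USERS + COMPUTERS, kept), len(cut)


def pareto_front(points):
    """Keep the objective vectors no other vector dominates (both <=, at least one <)."""
    front = set()
    for p in points:
        dominated = any(q != p and q[0] <= p[0] and q[1] <= p[1] for q in points)
        if not dominated:
            front.add(p)
    return front


def exhaustive_front():
    """Enumerate every cut of the toy graph; an MOEA approximates this front on real graphs."""
    idx = range(len(EDGES))
    points = {evaluate(set(c)) for k in range(len(EDGES) + 1) for c in combinations(idx, k)}
    return pareto_front(points)


if __name__ == "__main__":
    print(sorted(exhaustive_front()))
```

Each front point is a defensible partition: the left coordinate bounds how far a compromised credential can reach, the right coordinate counts the accesses users lose.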
