Practical Fixed-Parameter Algorithms for Defending Active Directory Style Attack Graphs

Active Directory is the default security management system for Windows domain networks. We study the shortest path edge interdiction problem for defending Active Directory style attack graphs. The problem is formulated as a Stackelberg game between one defender and one attacker. The attack graph contains one destination node and multiple entry nodes. The attacker’s entry node is chosen by nature. The defender chooses to block a set of edges limited by his budget. The attacker then picks the shortest unblocked attack path. The defender aims to maximize the expected shortest path length for the attacker, where the expectation is taken over entry nodes. We observe that practical Active Directory attack graphs have small maximum attack path lengths and are structurally close to trees. We first show that even if the maximum attack path length is a constant, the problem is still W[1]-hard with respect to the defender’s budget. Having a small maximum attack path length and a small budget is not enough to design fixed-parameter algorithms. If we further assume that the number of entry nodes is small, then we derive a fixed-parameter tractable algorithm. We then propose two other fixed-parameter algorithms by exploiting the tree-like features. One is based on tree decomposition and requires a small tree width. The other assumes a small number of splitting nodes (nodes with multiple outgoing edges). Finally, the last algorithm is converted into a graph convolutional neural network-based heuristic, which scales to larger graphs with more splitting nodes.
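The game described above, worked through on a small constructed graph as an added example (this is not code from the paper): the attacker's best response is a breadth-first search for the shortest unblocked path, the defender's objective is the expected shortest path length over nature's choice of entry node, and the defender is solved by exhaustively trying every edge set within the budget. The graph, the node names, and the treatment of an entry node that can no longer reach the destination (it contributes an infinite path length) are assumptions made for this example.

```python
import itertools
from collections import deque

INF = float("inf")

# Constructed toy attack graph (not from the paper): directed edges (src, dst).
# "DA" is the single destination; "u1" and "u2" are the entry nodes nature may
# pick as the attacker's start. Each entry has a 2-hop path and a 3-hop detour.
EDGES = [
    ("u1", "a"), ("a", "DA"),                 # u1 -> a -> DA        (length 2)
    ("u1", "b"), ("b", "c"), ("c", "DA"),     # u1 -> b -> c -> DA   (length 3)
    ("u2", "c"),                              # u2 -> c -> DA        (length 2)
    ("u2", "d"), ("d", "e"), ("e", "DA"),     # u2 -> d -> e -> DA   (length 3)
]
ENTRY_NODES = ["u1", "u2"]
DESTINATION = "DA"


def attacker_best_response(edges, source, target, blocked=frozenset()):
    """Attacker's move: BFS for a shortest unblocked path (unit edge costs).
    Returns (length, path); (INF, None) if the target is unreachable."""
    adj = {}
    for s, d in edges:
        if (s, d) not in blocked:
            adj.setdefault(s, []).append(d)
    parent = {source: None}
    queue = deque([source])
    while queue:
        node = queue.popleft()
        if node == target:
            path = []
            while node is not None:
                path.append(node)
                node = parent[node]
            return len(path) - 1, path[::-1]
        for nxt in adj.get(node, []):
            if nxt not in parent:
                parent[nxt] = node
                queue.append(nxt)
    return INF, None


def expected_attack_path_length(edges, entries, target, blocked=frozenset(), probs=None):
    """Defender's objective: expected shortest path length, expectation taken
    over nature's choice of entry node (uniform unless probs is given).
    Assumption for this example: an entry node with positive probability that
    can no longer reach the target makes the objective INF."""
    if probs is None:
        probs = {e: 1.0 / len(entries) for e in entries}
    total = 0.0
    for entry in entries:
        length, _ = attacker_best_response(edges, entry, target, blocked)
        if length == INF:
            if probs[entry] > 0:
                return INF
            continue
        total += probs[entry] * length
    return total


def best_defense(edges, entries, target, budget, probs=None):
    """Exhaustive defender: try every edge set of size <= budget and keep the
    one maximising the expected shortest path. Exponential in the budget, which
    is the brute force that the paper's fixed-parameter algorithms improve on."""
    best_value, best_blocked = -INF, frozenset()
    for k in range(budget + 1):
        for combo in itertools.combinations(edges, k):
            blocked = frozenset(combo)
            value = expected_attack_path_length(edges, entries, target, blocked, probs)
            if value > best_value:
                best_value, best_blocked = value, blocked
    return best_value, best_blocked


if __name__ == "__main__":
    for budget in range(3):
        value, blocked = best_defense(EDGES, ENTRY_NODES, DESTINATION, budget)
        print(f"budget={budget}: expected shortest path={value}, block={sorted(blocked)}")
        for entry in ENTRY_NODES:
            print("   ", entry, attacker_best_response(EDGES, entry, DESTINATION, blocked))
```

With budget 0 the attacker reaches DA in 2 hops from either entry; with budget 1 the best the defender can do is force one entry onto its 3-hop detour (expected length 2.5); with budget 2 both edges out of u1 can be cut, isolating that entry entirely. The exhaustive search enumerates every subset of edges up to the budget, which is exactly the growth that makes the budget a natural parameter for the fixed-parameter analysis in the paper.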
