Practical Anytime Algorithms for Judicious Partitioning of Active Directory Attack Graphs

Practical Anytime Algorithms for Judicious Partitioning of Active Directory Attack Graphs

Yumeng Zhang, Max Ward, Hung Nguyen

Proceedings of the Thirty-Third International Joint Conference on Artificial Intelligence
Main Track. Pages 7074-7081. https://doi.org/10.24963/ijcai.2024/782

Given a directed graph, a set of source nodes, a target node and a budget, we study the problem of maximizing the number of source nodes disconnected from the target node by removing edges not exceeding the budget. Our model is mainly motivated by a cyber security use case where we need to minimize the attack surface of a Windows Active Directory system. In these high-profile attacks, the attackers first compromise a source (i.e., a compromised user node) and then laterally move to a destination (i.e., a high-privileged admin node). Our aim is to minimize the number of users with a path to the admin. We first prove that the problem is NP-hard. Algorithms for exact optimality usually struggle to converge on graphs that approach real-world network scales and therefore are not practical for usage. In light of this, we study anytime algorithms that return an acceptable result whenever the algorithm is terminated, and can improve optimality by allowing longer computational time. We observe the source connectivity of directed graphs, based on which we propose a novel anytime algorithm---the spiral algorithm. We also develop two Monte Carlo Tree Search (MCTS) algorithms as a baseline to study the performance of typical anytime algorithms for our problem, and show that the spiral algorithm improves the optimality at a significantly faster speed and therefore exhibits better anytime behavior compared with MCTS.
Keywords:
Search: S: Combinatorial search and optimisation
Multidisciplinary Topics and Applications: MTA: Security and privacy