Disrupting Active Directory Attacks with Deep Learning for Organic Honeyuser Placement

Result identifiers

  • Result code in IS VaVaI

    RIV/68407700:21230/23:00367810 - isvavai.cz: https://www.isvavai.cz/riv?ss=detail&h=RIV%2F68407700%3A21230%2F23%3A00367810

  • Result on the web

    https://doi.org/10.1007/978-3-031-37320-6_6

  • DOI - Digital Object Identifier

    10.1007/978-3-031-37320-6_6 (http://dx.doi.org/10.1007/978-3-031-37320-6_6)

Alternative languages

  • Result language

    English

  • Title in the original language

    Disrupting Active Directory Attacks with Deep Learning for Organic Honeyuser Placement

  • Result description in the original language

    Honeypots have been a long-established form of passive defense in a wide variety of systems. They are often used for the reliability and low false positive rate. However, the deployment of honeypots in the Active Directory (AD) systems is still limited. Intrusion detection in AD systems is a difficult task due to the complexity of the system and its design, where any authenticated account is able to query other entities in the system. Therefore, the positioning of the honeypot in such structures brings two main constraints: (i) the placement has to be organic, with similar properties to other, real entities in the structure, and (ii) the placement must not give away the nature of the honeypot to the attacker. In this work, we present a model based on a variational autoencoder capable of producing organic placements for AD structures. We show that the proposed model is capable of learning meaningful latent representations of the nodes in the AD structures and predicting new node placement with similar properties. Analysis of the latent space shows that the model can capture complex relationships between nodes with low-dimensional latent space. Our method is evaluated based on the (i) similarity with the input graphs, (ii) properties of the generated nodes, and (iii) comparison with other generative graph models. Further experiments with human attackers show that the proposed method outperforms the random honeypot placement baseline.

Classification

  • Type

    D - Article in proceedings

  • CEP field

  • OECD FORD field

    10201 - Computer sciences, information science, bioinformatics (hardware development to be 2.2, social aspect to be 5.8)

Result linkages

  • Project

  • Linkages

    I - Institutional support for the long-term conceptual development of a research organisation

Other

  • Year of implementation

    2023

  • Data confidentiality code

    S - Complete and true data on the project are not subject to protection under special legal regulations

Data specific to the result type

  • Title of the article in the proceedings

    Deep Learning Theory and Applications

  • ISBN

    978-3-031-37319-0

  • ISSN

    1865-0929

  • e-ISSN

    1865-0937

  • Number of pages of the result

    23

  • Pages from-to

    111-133

  • Publisher name

    Springer Nature Switzerland AG

  • Place of publication

    Basel

  • Event location

    Virtual

  • Event date

    8. 7. 2021

  • Event type by nationality

    WRD - Worldwide event

  • UT WoS code of the article