
Disrupting Active Directory Attacks with Deep Learning for Organic Honeyuser Placement

  • Conference paper
  • Deep Learning Theory and Applications (DeLTA 2020, DeLTA 2021)

Abstract

Honeypots have long been an established form of passive defense in a wide variety of systems, valued for their reliability and low false positive rate. However, their deployment in Active Directory (AD) environments is still limited. Intrusion detection in AD is difficult because of the complexity of the system and of its design, in which any authenticated account can query every other entity in the directory. The positioning of a honeypot in such a structure therefore brings two main constraints: (i) the placement has to be organic, with properties similar to those of the real entities in the structure, and (ii) the placement must not give away the nature of the honeypot to the attacker. In this work, we present a model based on a variational autoencoder capable of producing organic placements for AD structures. We show that the proposed model learns meaningful latent representations of the nodes in AD structures and predicts new node placements with similar properties. Analysis of the latent space shows that the model captures complex relationships between nodes with a low-dimensional latent space. Our method is evaluated on (i) its similarity with the input graphs, (ii) the properties of the generated nodes, and (iii) comparison with other generative graph models. Further experiments with human attackers show that the proposed method outperforms the random honeypot placement baseline.
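The two constraints in the abstract (the placement must be organic, and nothing about it may give the honeyuser away) can be checked with plain graph statistics before any learned model is involved. The following stdlib-only Python script is an added example, not code from the paper or from the AD-Honeypot repository: it builds a small constructed AD-style graph (every user, group, computer and session in it is invented), describes each user by a few structural features an attacker sees when enumerating the domain from any authenticated account, scores candidate honeyuser placements by their z-score distance from the real users, and flags any feature value that no real user has as a giveaway. The paper replaces this hand-built scoring with a variational autoencoder; the feature set and the giveaway rule here are simplifications chosen for illustration.

```python
"""Score candidate honeyuser placements in a toy Active Directory graph.

Added illustration, not the paper's VAE model: a placement is 'organic' when
the honeyuser's structural features fall inside the distribution of the real
users' features, and it must not carry a value no real user has, because any
authenticated account can enumerate the whole directory and spot outliers.
"""
import random
from statistics import mean, pstdev

# Constructed sample directory (all names invented). The edge kinds mirror what
# BloodHound-style collectors expose: MemberOf, AdminTo and HasSession.
GROUPS = {                      # group -> member users (MemberOf edges)
    "Domain Users": {"alice", "bob", "carol", "dave", "erin", "frank"},
    "Finance": {"alice", "bob"},
    "IT Helpdesk": {"carol", "dave"},
    "Domain Admins": {"erin"},
    "VPN Users": {"alice", "carol", "dave", "frank"},
}
ADMIN_TO = {                    # group -> computers its members administer
    "IT Helpdesk": {"WS01", "WS02", "WS03"},
    "Domain Admins": {"DC01", "WS01", "WS02", "WS03", "FS01"},
}
SESSIONS = {                    # computer -> users with a logon session
    "WS01": {"alice"}, "WS02": {"carol"}, "WS03": {"frank"}, "FS01": {"erin"},
}
PRIVILEGED = {"Domain Admins"}
FEATURES = ("groups", "admin_hosts", "sessions", "privileged")


def features_for(memberships, n_sessions):
    """Structural feature vector for a user with the given group memberships."""
    admin_hosts = set().union(*(ADMIN_TO.get(g, set()) for g in memberships))
    return (len(memberships), len(admin_hosts), n_sessions,
            int(bool(memberships & PRIVILEGED)))


def user_features(user):
    """Features of a real user, read off the graph."""
    memberships = {g for g, members in GROUPS.items() if user in members}
    n_sessions = sum(user in logged_on for logged_on in SESSIONS.values())
    return features_for(memberships, n_sessions)


def real_user_features():
    users = sorted(set().union(*GROUPS.values()))
    return [user_features(u) for u in users]


def zscore_distance(candidate):
    """Euclidean distance of a candidate's features from the real users,
    with every feature standardised by the real users' mean and std-dev."""
    reals = real_user_features()
    total = 0.0
    for i, value in enumerate(candidate):
        column = [f[i] for f in reals]
        mu, sd = mean(column), pstdev(column)
        if sd == 0:                 # constant feature: any deviation is a giveaway
            total += 0.0 if value == mu else float("inf")
        else:
            total += ((value - mu) / sd) ** 2
    return total ** 0.5


def giveaways(candidate):
    """Names of features whose value lies outside everything real users have."""
    reals = real_user_features()
    flagged = []
    for i, name in enumerate(FEATURES):
        column = [f[i] for f in reals]
        if not min(column) <= candidate[i] <= max(column):
            flagged.append(name)
    return flagged


def rank_placements(candidates):
    """Order named candidate placements: fewest giveaways first, then closest."""
    scored = {name: (len(giveaways(feat)), zscore_distance(feat))
              for name, feat in candidates.items()}
    return sorted(scored, key=lambda n: scored[n])


def random_placement(rng):
    """Random-placement baseline: a random subset of groups and 0 or 1 sessions."""
    memberships = {g for g in GROUPS if rng.random() < 0.5}
    return features_for(memberships, rng.randint(0, 1))


if __name__ == "__main__":
    candidates = {
        "organic": features_for({"Domain Users", "Finance", "VPN Users"}, 1),
        "overprivileged": features_for(set(GROUPS), 0),
        "orphan": features_for({"Finance"}, 0),
        "random": random_placement(random.Random(7)),
    }
    for name in rank_placements(candidates):
        f = candidates[name]
        print(f"{name:15} features={f} giveaways={giveaways(f)} "
              f"distance={zscore_distance(f):.2f}")
```

The "overprivileged" and "orphan" candidates are the kind of placement that fails constraint (ii): a user in every group, or one outside Domain Users, is visible as an outlier to anyone who runs a directory enumeration, so it is ranked last regardless of distance. The `random_placement` function stands in for the random baseline the abstract compares against; a real evaluation would draw many such samples and compare their scores with the model's outputs over the same graph.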


Notes

  1. https://github.com/stratosphereips/AD-Honeypot.


Acknowledgements

We acknowledge the support of NVIDIA Corporation with the donation of a Titan V GPU for this research. We would also like to thank the Stratosphere team for their support.

Author information

Corresponding author: Ondrej Lukas.


Copyright information

© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper


Cite this paper

Lukas, O., Garcia, S. (2023). Disrupting Active Directory Attacks with Deep Learning for Organic Honeyuser Placement. In: Fred, A., Sansone, C., Madani, K. (eds) Deep Learning Theory and Applications. DeLTA 2020, DeLTA 2021. Communications in Computer and Information Science, vol 1854. Springer, Cham. https://doi.org/10.1007/978-3-031-37320-6_6


  • DOI: https://doi.org/10.1007/978-3-031-37320-6_6


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-37319-0

  • Online ISBN: 978-3-031-37320-6
