Abstract
Honeypots have been a long-established form of passive defense in a wide variety of systems. They are often used for their reliability and low false positive rate. However, the deployment of honeypots in Active Directory (AD) systems is still limited. Intrusion detection in AD systems is a difficult task due to the complexity of the system and its design, where any authenticated account is able to query other entities in the system. Therefore, the positioning of a honeypot in such structures brings two main constraints: (i) the placement has to be organic, with similar properties to other, real entities in the structure, and (ii) the placement must not give away the nature of the honeypot to the attacker. In this work, we present a model based on a variational autoencoder capable of producing organic placements for AD structures. We show that the proposed model is capable of learning meaningful latent representations of the nodes in the AD structures and predicting new node placements with similar properties. Analysis of the latent space shows that the model can capture complex relationships between nodes with a low-dimensional latent space. Our method is evaluated based on (i) similarity with the input graphs, (ii) properties of the generated nodes, and (iii) comparison with other generative graph models. Further experiments with human attackers show that the proposed method outperforms the random honeypot placement baseline.
Acknowledgements
We acknowledge the support of NVIDIA Corporation with the donation of a Titan V GPU for this research. We would also like to thank the Stratosphere team for their support.
© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG
Lukas, O., Garcia, S. (2023). Disrupting Active Directory Attacks with Deep Learning for Organic Honeyuser Placement. In: Fred, A., Sansone, C., Madani, K. (eds) Deep Learning Theory and Applications. DeLTA 2020, DeLTA 2021. Communications in Computer and Information Science, vol 1854. Springer, Cham. https://doi.org/10.1007/978-3-031-37320-6_6
DOI: https://doi.org/10.1007/978-3-031-37320-6_6
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-37319-0
Online ISBN: 978-3-031-37320-6
eBook Packages: Computer Science (R0)