We study a Stackelberg game between an attacker and a defender on large Active Directory (AD) attack graphs, where the defender employs a set of honeypots to stop the attacker from reaching high-value targets. Unlike the small, static attack graphs studied in existing works, AD graphs typically contain hundreds of thousands of nodes and edges and change constantly over time. We consider two types of attackers: a simple attacker who cannot observe honeypots and a competent attacker who can. To jointly solve the game, we propose a mixed-integer programming (MIP) formulation. We observed that the optimal blocking plan for static graphs performs poorly on dynamic graphs. To solve the dynamic graph problem, we re-design the mixed-integer programming formulation by combining m MIP instances (dyMIP(m)) to produce a near-optimal blocking plan. Furthermore, to handle a large number of dynamic graph instances, we use a clustering algorithm to efficiently find the m most representative graph instances for a constant m (dyMIP(m)). We prove a lower bound on the optimal blocking strategy for dynamic graphs and show that our dyMIP(m) algorithms produce close-to-optimal results for a range of AD graphs under realistic conditions.
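The defender-versus-attacker game sketched above, as an added toy example that is not the paper's code and uses brute force rather than its MIP formulation. It assumes a constructed six-node AD-style graph with two snapshots, and two assumed attacker models: the simple attacker walks the shortest path of the unmodified graph and is caught if it touches a honeypot, while the competent attacker sees honeypots and routes around them; optimising over both snapshots at once (the dyMIP(m) idea in miniature) shows how a plan tuned to one static snapshot can fail once the graph changes.

```python
from collections import deque
from itertools import combinations

# Constructed snapshot 1: workstations ws1/ws2 (attacker entry points), member
# servers srv1..srv3, and the high-value target "da" (domain admin).
GRAPH1 = {"ws1": ["srv1", "srv2"], "ws2": ["srv2", "srv3"],
          "srv1": ["da"], "srv2": ["da"], "srv3": ["da"], "da": []}
# Constructed snapshot 2: the graph changed, ws1 gained an edge to srv3.
GRAPH2 = {**GRAPH1, "ws1": ["srv1", "srv2", "srv3"]}
ENTRIES, TARGET = ("ws1", "ws2"), "da"

def bfs_path(graph, src, dst, blocked=frozenset()):
    """Shortest path src->dst by BFS that never enters `blocked`; None if unreachable."""
    parent, queue = {src: None}, deque([src])
    while queue and dst not in parent:
        u = queue.popleft()
        for v in graph[u]:
            if v not in parent and v not in blocked:
                parent[v] = u
                queue.append(v)
    if dst not in parent:
        return None
    path = [dst]
    while parent[path[-1]] is not None:
        path.append(parent[path[-1]])
    return path[::-1]

def success_rate(graph, honeypots, competent):
    """Fraction of entry points from which the attacker reaches TARGET (assumed
    models): the simple attacker follows the shortest path of the unmodified graph
    and is caught if it touches a honeypot; the competent one routes around them."""
    blocked = frozenset(honeypots)
    reached = 0
    for entry in ENTRIES:
        if competent:
            reached += bfs_path(graph, entry, TARGET, blocked) is not None
        else:
            path = bfs_path(graph, entry, TARGET)
            reached += path is not None and not (set(path) & blocked)
    return reached / len(ENTRIES)

def best_placement(graphs, k, competent):
    """Defender (leader) picks k honeypot nodes minimising the attacker's mean
    success over the given snapshots: one snapshot gives the static plan, several
    give the robust dyMIP(m)-style plan (exhaustive search here, not a MIP)."""
    cands = [n for n in graphs[0] if n not in ENTRIES and n != TARGET]
    def mean_rate(hp):
        return sum(success_rate(g, hp, competent) for g in graphs) / len(graphs)
    return min(((mean_rate(hp), hp) for hp in combinations(cands, k)), key=lambda t: t[0])
```

With two honeypots against the competent attacker, the plan optimal for snapshot 1 (srv1, srv2) lets every entry point reach the target in snapshot 2, whereas the plan optimised over both snapshots (srv2, srv3) keeps the success rate at 0.5 in each.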