Microsoft Active Directory (AD) is the default security management system for Windows domain networks. We study the problem of placing decoys in an AD network to detect attacks in progress. We model the problem as a Stackelberg game between an attacker and a defender on AD attack graphs, where the defender deploys a set of decoys to detect the attacker on their way to Domain Admin (DA). Unlike previous work, we consider time-varying (temporal) attack graphs. We propose a new metric, response time, to measure the effectiveness of a decoy placement in a temporal attack graph: the duration from the moment the attacker triggers the first decoy to the moment they compromise DA. The defender's goal is to maximize the response time against the worst-case attack path. We show that the defender's optimization problem is NP-hard, which motivates Evolutionary Diversity Optimization (EDO) algorithms that find diverse sets of high-quality solutions to it. Although the fitness function runs in polynomial time, it is experimentally slow on larger graphs. To improve scalability, we propose an algorithm that exploits the static nature of the AD infrastructure within the temporal setting. We then introduce tailored repair operations that converge to better results while remaining scalable on larger graphs.
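To make the response-time metric concrete, the following is an added worked example; it is not code from the paper and its model is an interpretation of the abstract, with every modelling choice labelled as an assumption in the comments. It assumes a temporal attack graph given as directed edges that are usable only at listed time steps, attack paths that are time-respecting (each edge taken strictly later than the previous one), decoys placed on nodes and triggered when the attacker enters the node, and the defender's fitness defined as the minimum response time over all entry-to-DA paths. The hosts, time labels and decoy budget are constructed sample data, not data from the paper. The exhaustive search at the end is only feasible on such a tiny graph, which is exactly why the paper resorts to evolutionary algorithms for real AD graphs.

```python
"""Worst-case response time of a decoy placement on a small temporal attack graph.

Added example, not the paper's code. Assumed model (labelled):
- Edge u -> v carries the set of time steps at which it can be traversed.
- An attack path is time-respecting: each hop happens strictly later than
  the previous one; the entry node is occupied at time 0.
- A decoy on a node fires when the attacker enters that node.
- Response time of a path = time of entering DA minus time of entering the
  first decoy node on the path; 0 if the path touches no decoy.
- Defender fitness = minimum response time over all time-respecting paths
  from any entry node to DA (the worst-case path).
"""
from itertools import combinations

# Constructed sample temporal attack graph (hypothetical host names).
EDGES = {
    ("user1", "ws1"): [1, 2],
    ("ws1", "srv1"): [2, 3],
    ("ws1", "ws2"): [3],
    ("srv1", "DA"): [4],
    ("ws2", "helpdesk"): [4],
    ("helpdesk", "DA"): [5],
    ("user2", "ws2"): [1],
    ("ws2", "srv1"): [2],
}
ENTRY = ["user1", "user2"]
TARGET = "DA"


def time_respecting_paths(edges, start, target):
    """Enumerate every time-respecting simple path start -> target.

    A path is a list of (node, arrival_time) pairs; the entry node has time 0.
    The same node sequence can appear several times with different timings,
    and those count as distinct temporal paths.
    """
    adj = {}
    for (u, v), times in edges.items():
        adj.setdefault(u, []).append((v, times))
    paths = []

    def dfs(node, t_last, visited, path):
        if node == target:
            paths.append(list(path))
            return
        for v, times in adj.get(node, []):
            if v in visited:
                continue
            for t in sorted(times):
                if t > t_last:  # assumption: strictly increasing hop times
                    path.append((v, t))
                    dfs(v, t, visited | {v}, path)
                    path.pop()

    dfs(start, 0, {start}, [(start, 0)])
    return paths


def path_response_time(path, decoys):
    """Time steps between the first decoy trigger and the DA compromise.

    Returns 0 for an undetected path (no decoy on it), the worst outcome for
    the defender.
    """
    first_trigger = next((t for node, t in path if node in decoys), None)
    if first_trigger is None:
        return 0
    return path[-1][1] - first_trigger


def fitness(edges, entries, target, decoys):
    """Defender's objective: the worst-case (minimum) response time."""
    all_paths = [p for s in entries for p in time_respecting_paths(edges, s, target)]
    if not all_paths:
        return float("inf")  # DA unreachable: no attack path to respond to
    return min(path_response_time(p, decoys) for p in all_paths)


def best_placement(edges, entries, target, candidates, budget):
    """Exhaustive search over all placements of `budget` decoys.

    Only viable on toy graphs; the problem is NP-hard in general, which is
    why the paper uses evolutionary diversity optimization instead.
    """
    best_value, best_combo = -1, None
    for combo in combinations(candidates, budget):
        value = fitness(edges, entries, target, set(combo))
        if value > best_value:
            best_value, best_combo = value, combo
    return best_value, best_combo


if __name__ == "__main__":
    candidates = ["ws1", "ws2", "srv1", "helpdesk"]
    for decoys in ({"srv1", "helpdesk"}, {"ws1", "ws2"}):
        print(sorted(decoys), "->", fitness(EDGES, ENTRY, TARGET, decoys))
    print("best with 2 decoys:", best_placement(EDGES, ENTRY, TARGET, candidates, 2))
```

On this sample graph, decoys next to DA (`srv1`, `helpdesk`) catch every path but only one time step before the compromise, whereas decoys on the first hops (`ws1`, `ws2`) give a worst-case response time of two steps; with a single decoy some path always goes undetected and the fitness collapses to 0. That is the trade-off the metric is designed to expose: coverage alone is not enough, the decoy has to fire early on every path.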