Microsoft Active Directory (AD) is the default security management system for Windows domain networks. We study the problem of placing decoys in an AD network to detect potential attacks. We model the problem as a Stackelberg game between an attacker and a defender on AD attack graphs, where the defender employs a set of decoys to detect the attacker on their way to Domain Admin (DA). Contrary to previous works, we consider time-varying (temporal) attack graphs. We propose a novel metric, called response time, to measure the effectiveness of our decoy placement in temporal attack graphs. Response time is defined as the duration from the moment attackers trigger the first decoy to the moment they compromise the DA. Our goal is to maximize the defender's response time against the worst-case attack paths. We establish that the defender's optimization problem is NP-hard, which leads us to develop Evolutionary Diversity Optimization (EDO) algorithms. EDO algorithms identify diverse sets of high-quality solutions for the optimization problem. Although the fitness function is polynomial-time computable, it proves experimentally slow for larger graphs. To enhance scalability, we propose an algorithm that exploits the static nature of the AD infrastructure in the temporal setting. We then introduce tailored repair operations that ensure convergence to better results while maintaining scalability for larger graphs.
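To make the response-time metric concrete, the following Python example (added here as an illustration; it is not the paper's code, and the graph, node names and tie-breaking rules are constructed assumptions) enumerates the time-respecting attack paths of a small temporal attack graph, computes the response time of a decoy placement against the worst-case path, and brute-forces the best placement of k decoys. It assumes a path that touches no decoy gives the defender a response time of 0, and that the attacker picks the path minimizing response time.

```python
from itertools import combinations

# Constructed temporal attack graph (not from the paper): each edge is
# (source, target, time). An attacker who has reached `source` no later than
# `time` may move to `target` at `time`. Paths must be time-respecting, i.e.
# edge times along a path are non-decreasing.
EDGES = [
    ("entry", "A", 1),
    ("entry", "B", 1),
    ("A", "C", 2),
    ("B", "C", 3),
    ("A", "D", 4),
    ("B", "D", 2),
    ("C", "D", 5),
    ("C", "DA", 6),
    ("D", "DA", 8),
]
ENTRY = "entry"   # assumed initial foothold of the attacker
DA = "DA"         # Domain Admin, the attacker's target


def time_respecting_paths(edges, start, goal):
    """Enumerate all simple time-respecting paths from start to goal.

    Each path is a list of (node, arrival_time); the start node has arrival
    time 0. Exhaustive enumeration is fine for a toy graph only.
    """
    out = {}
    for u, v, t in edges:
        out.setdefault(u, []).append((v, t))
    paths = []

    def dfs(node, arrived, visited, path):
        if node == goal:
            paths.append(list(path))
            return
        for v, t in out.get(node, []):
            if t >= arrived and v not in visited:
                visited.add(v)
                path.append((v, t))
                dfs(v, t, visited, path)
                path.pop()
                visited.remove(v)

    dfs(start, 0, {start}, [(start, 0)])
    return paths


def response_time(path, decoys):
    """Time from the first decoy trigger on `path` to DA compromise.

    Assumption: a path that touches no decoy never alerts the defender, so its
    response time is 0 (the worst possible outcome for the defender).
    """
    da_time = path[-1][1]
    for node, t in path:
        if node in decoys:
            return da_time - t
    return 0


def worst_case_response_time(edges, start, goal, decoys):
    """Defender's objective: the minimum response time over all attack paths,
    i.e. the value of the placement against the attacker's best path."""
    return min(response_time(p, decoys)
               for p in time_respecting_paths(edges, start, goal))


def best_placement(edges, start, goal, k):
    """Brute-force the k-decoy placement maximizing worst-case response time.

    Decoys may not be placed on the entry node or on DA. This exhaustive search
    is exponential in the number of candidate hosts, which is why the paper
    turns to heuristic (EDO) search for realistic AD graphs.
    """
    candidates = sorted({n for e in edges for n in e[:2]} - {start, goal})
    best = None
    for combo in combinations(candidates, k):
        rt = worst_case_response_time(edges, start, goal, set(combo))
        if best is None or rt > best[1]:
            best = (combo, rt)
    return best


if __name__ == "__main__":
    for p in time_respecting_paths(EDGES, ENTRY, DA):
        print(" -> ".join(f"{n}@{t}" for n, t in p))
    for decoys in ({"C", "D"}, {"A", "B"}):
        print(sorted(decoys), worst_case_response_time(EDGES, ENTRY, DA, decoys))
    print("best 2-decoy placement:", best_placement(EDGES, ENTRY, DA, 2))
```

On this graph every attack path passes through C or D, yet placing decoys on {C, D} yields a worst-case response time of only 3, while {A, B}, which sits one hop from the foothold, yields 5: the metric rewards detection early on the attacker's timeline rather than merely cutting every path. Any single decoy scores 0 here because some path avoids it entirely.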