Modern enterprise networks increasingly rely on Active Directory (AD) for identity and access management. However, this centralization exposes a single point of failure, allowing adversaries to compromise high-value assets. Existing AD defense approaches often assume static attacker behavior, but real-world adversaries adapt dynamically, rendering such methods brittle. To address this, we model attacker-defender interactions in AD as a Stackelberg game between an adaptive attacker and a proactive defender. We propose a co-evolutionary defense framework that combines Graph Neural Network Approximated Dynamic Programming (GNNDP) to model attacker strategies, with Evolutionary Diversity Optimization (EDO) to generate resilient blocking strategies. To ensure scalability, we introduce a Fixed-Parameter Tractable (FPT) graph reduction method that reduces complexity while preserving strategic structure. Our framework jointly refines attacker and defender policies to improve generalization and prevent premature convergence. Experiments on synthetic AD graphs show near-optimal results (within 0.1 percent of optimality on r500) and improved performance on larger graphs (r1000 and r2000), demonstrating the framework's scalability and effectiveness.

翻译：现代企业网络日益依赖Active Directory（AD）进行身份与访问管理。然而，这种集中化架构引入了单点故障风险，使得攻击者能够渗透高价值资产。现有AD防御方法通常假设攻击者行为是静态的，但实际攻击者会动态调整策略，导致此类方法存在脆弱性。为解决该问题，我们将AD中的攻防交互建模为自适应攻击者与主动防御者之间的Stackelberg博弈。我们提出一种协同演化防御框架，该框架结合图神经网络近似动态规划（GNNDP）来建模攻击者策略，并采用演化多样性优化（EDO）生成鲁棒的阻断策略。为保障可扩展性，我们引入固定参数可处理（FPT）图约简方法，在保持策略结构的同时降低计算复杂度。该框架通过联合优化攻击者与防御者策略来提升泛化能力并避免早熟收敛。在合成AD图谱上的实验表明，本框架能取得接近最优的结果（在r500图谱上达到与最优解0.1%的误差），并在更大规模图谱（r1000与r2000）上实现性能提升，验证了框架的可扩展性与有效性。