D²M: Dynamic Defense and Modeling of Adversarial Movement in Networks

Scott Freitas, Andrew Wicker, Duen Horng (Polo) Chau, Joshua Neil

Abstract

Given a large enterprise network of devices and their authentication history (e.g., device logons), how can we quantify network vulnerability to lateral attack and identify at-risk devices? We systematically address these problems through D²M, the first framework that models lateral attacks on enterprise networks using multiple attack strategies developed with researchers, engineers, and threat hunters in the Microsoft Defender Advanced Threat Protection group. These strategies integrate real-world adversarial actions (e.g., privilege escalation) to generate attack paths: a series of compromised machines. Leveraging these attack paths and a novel Monte-Carlo method, we formulate network vulnerability as a probabilistic function of the network topology, distribution of access credentials and initial penetration point. To identify machines at risk to lateral attack, we propose a suite of five fast graph mining techniques, including a novel technique called AnomalyShield inspired by node immunization research. Using three real-world authentication graphs from Microsoft and Los Alamos National Laboratory (up to 223,399 authentications), we report the first experimental results on network vulnerability to lateral attack, demonstrating D²M’s unique potential to empower IT admins to develop robust user access credential policies.

Citation

D²M: Dynamic Defense and Modeling of Adversarial Movement in Networks
Scott Freitas, Andrew Wicker, Duen Horng (Polo) Chau, Joshua Neil
SIAM International Conference on Data Mining (SDM). Cincinnati, Ohio, 2020.
Project PDF Blog BibTeX

			
@inproceedings{freitas2020d2m,
  title={D2M: Dynamic Defense and Modeling of Adversarial Movement in Networks},
  author={Freitas, Scott and Wicker, Andrew and Chau, Duen Horng and Neil, Joshua},
  journal={SIAM International Conference on Data Mining},
  year={2020},
  publisher={SIAM}
}