Table of Contents
Fetching ...

Adaptive Wizard for Removing Cross-Tier Misconfigurations in Active Directory

Huy Q. Ngo, Mingyu Guo, Hung Nguyen

TL;DR

The paper addresses the problem of removing cross-tier misconfigurations in Active Directory by introducing Adaptive Path Removal (APR), a human-in-the-loop framework that presents attack-path proposals and requires admins to remove a single edge per path. It models APR as an MDP and develops an exact Dynamic Programming approach (OPT), an adaptive-submodular approximation (APP), and a scalable heuristic (DPR), proving $\#\\mathcal{P}$-hardness and achieving a $(\ln{|P_{s_r}|+1})^2$-approximation for the adaptive greedy method. Empirical results on ADSynth-generated graphs and a real ORG AD graph show that DPR consistently outperforms baselines and scales to large networks, with RL-based methods performing well on synthetic data but less so on real-world graphs. The work demonstrates that path-based adaptive fixes can guarantee cuts with budgeted queries, offering a practical tool to reduce security-team workload and improve AD hardening workflows.

Abstract

Security vulnerabilities in Windows Active Directory (AD) systems are typically modeled using an attack graph and hardening AD systems involves an iterative workflow: security teams propose an edge to remove, and IT operations teams manually review these fixes before implementing the removal. As verification requires significant manual effort, we formulate an Adaptive Path Removal Problem to minimize the number of steps in this iterative removal process. In our model, a wizard proposes an attack path in each step and presents it as a set of multiple-choice options to the IT admin. The IT admin then selects one edge from the proposed set to remove. This process continues until the target $t$ is disconnected from source $s$ or the number of proposed paths reaches $B$. The model aims to optimize the human effort by minimizing the expected number of interactions between the IT admin and the security wizard. We first prove that the problem is $\mathcal{\#P}$-hard. We then propose a set of solutions including an exact algorithm, an approximate algorithm, and several scalable heuristics. Our best heuristic, called DPR, can operate effectively on larger-scale graphs compared to the exact algorithm and consistently outperforms the approximate algorithm across all graphs. We verify the effectiveness of our algorithms on several synthetic AD graphs and an AD attack graph collected from a real organization.

Adaptive Wizard for Removing Cross-Tier Misconfigurations in Active Directory

TL;DR

The paper addresses the problem of removing cross-tier misconfigurations in Active Directory by introducing Adaptive Path Removal (APR), a human-in-the-loop framework that presents attack-path proposals and requires admins to remove a single edge per path. It models APR as an MDP and develops an exact Dynamic Programming approach (OPT), an adaptive-submodular approximation (APP), and a scalable heuristic (DPR), proving -hardness and achieving a -approximation for the adaptive greedy method. Empirical results on ADSynth-generated graphs and a real ORG AD graph show that DPR consistently outperforms baselines and scales to large networks, with RL-based methods performing well on synthetic data but less so on real-world graphs. The work demonstrates that path-based adaptive fixes can guarantee cuts with budgeted queries, offering a practical tool to reduce security-team workload and improve AD hardening workflows.

Abstract

Security vulnerabilities in Windows Active Directory (AD) systems are typically modeled using an attack graph and hardening AD systems involves an iterative workflow: security teams propose an edge to remove, and IT operations teams manually review these fixes before implementing the removal. As verification requires significant manual effort, we formulate an Adaptive Path Removal Problem to minimize the number of steps in this iterative removal process. In our model, a wizard proposes an attack path in each step and presents it as a set of multiple-choice options to the IT admin. The IT admin then selects one edge from the proposed set to remove. This process continues until the target is disconnected from source or the number of proposed paths reaches . The model aims to optimize the human effort by minimizing the expected number of interactions between the IT admin and the security wizard. We first prove that the problem is -hard. We then propose a set of solutions including an exact algorithm, an approximate algorithm, and several scalable heuristics. Our best heuristic, called DPR, can operate effectively on larger-scale graphs compared to the exact algorithm and consistently outperforms the approximate algorithm across all graphs. We verify the effectiveness of our algorithms on several synthetic AD graphs and an AD attack graph collected from a real organization.
Paper Structure (28 sections, 6 theorems, 12 equations, 1 figure, 5 tables, 3 algorithms)

This paper contains 28 sections, 6 theorems, 12 equations, 1 figure, 5 tables, 3 algorithms.

Key Result

Theorem 1

The APR Problem is $\#\mathcal{P}$-hard

Figures (1)

  • Figure 1: The wizard is a software step-by-step guide to assist the user in performing correction actions without requiring extensive technical knowledge.

Theorems & Definitions (18)

  • Theorem 1
  • proof
  • Lemma 2
  • proof
  • Definition 1
  • Definition 2
  • Definition 3
  • Lemma 3
  • proof
  • Theorem 4
  • ...and 8 more