A Consensus-Bayesian Framework for Detecting Malicious Activity in Enterprise Directory Access Graphs

Pratyush Uppuluri, Shilpa Noushad, Sajan Kumar

TL;DR

This work addresses detecting malicious activity in enterprise directory access graphs by marrying consensus-based opinion dynamics with Bayesian anomaly detection. Directories are treated as topics and users as agents in a multi-level graph governed by a row-stochastic influence matrix $W$ and per-directory logic matrices $C_i$, with strongly connected components (SCCs) capturing cohesive groups and potential external influences. Anomalies are signaled by changes in $C_i$ and by deviations from predicted consensus, quantified through per-topic variance and online Bayesian updates using an exponential likelihood on the variance increment. The contributions include a formal SCC-based decomposition aligned with Ye2021Consensus, a variance-driven anomaly score with both static and online priors, and simulations showing sensitivity to logical perturbations and robustness under dynamic perturbations, enabling proactive anomaly detection in cloud/enterprise security settings.

Abstract

This work presents a consensus-based Bayesian framework to detect malicious user behavior in enterprise directory access graphs. By modeling directories as topics and users as agents within a multi-level interaction graph, we simulate access evolution using influence-weighted opinion dynamics. Logical dependencies between users are encoded in dynamic matrices $C_i$, and directory similarity is captured via a shared influence matrix $W$. Malicious behavior is injected as cross-component logical perturbations that violate the structural norms of strongly connected components (SCCs). We apply theoretical guarantees from the opinion dynamics literature to determine topic convergence and detect anomalies via scaled opinion variance. To quantify uncertainty, we introduce a Bayesian anomaly scoring mechanism that evolves over time, using both static and online priors. Simulations over synthetic access graphs validate our method, demonstrating its sensitivity to logical inconsistencies and robustness under dynamic perturbation.
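The TL;DR and abstract name the ingredients (row-stochastic $W$, per-directory logic matrices $C_i$, SCCs, per-topic variance, an exponential likelihood on the variance increment, static and online priors) but give no formulas. The following Python sketch is an added illustration, not the authors' code: it assumes a two-level update in which each user's access vector is first mixed across directories by $W$ and then mixed across users by that directory's logic matrix, takes the within-SCC variance of each directory's column as the statistic, and scores its non-negative increment with two exponential likelihoods. The toy graph (six users in two SCCs, three directories), the circulant logic matrices, the exponential rates, the prior and the clipping floor for the online prior are all constructed assumptions. A cross-component edge is injected at step 15 so the benign and perturbed runs can be compared.

```python
"""Toy consensus dynamics with a variance-increment Bayesian anomaly score.

Added illustration for this page; not the paper's code. Assumed model (the
page states the ingredients but no formulas): users are agents, directories
are topics, X[u][d] is user u's access propensity for directory d, W is a
row-stochastic directory-similarity matrix and C_d a row-stochastic
user-user logic matrix for directory d. One step is

    Y[u][d]  = sum_e W[d][e] * X[u][e]      # directory (topic) coupling
    X'[u][d] = sum_v C_d[u][v] * Y[v][d]    # user coupling via the logic matrix
"""
import math

# Constructed toy graph: 6 users in two SCCs of the user-user logic graph,
# 3 directories. SCC A starts with low access, SCC B with high access.
SCCS = [[0, 1, 2], [3, 4, 5]]
N_USERS, N_DIRS = 6, 3
W = [[0.8, 0.1, 0.1], [0.1, 0.8, 0.1], [0.1, 0.1, 0.8]]   # row-stochastic
X0 = [[0.1, 0.2, 0.3], [0.3, 0.1, 0.2], [0.2, 0.3, 0.1],    # SCC A
      [0.9, 0.8, 0.7], [0.7, 0.9, 0.8], [0.8, 0.7, 0.9]]    # SCC B


def block_logic():
    """Baseline logic matrix: row-stochastic and block-diagonal over SCCS;
    each user weights itself 0.5, its successor 0.3, its predecessor 0.2."""
    C = [[0.0] * N_USERS for _ in range(N_USERS)]
    for scc in SCCS:
        k = len(scc)
        for i, u in enumerate(scc):
            C[u][u] = 0.5
            C[u][scc[(i + 1) % k]] += 0.3
            C[u][scc[(i - 1) % k]] += 0.2
    return C


def step(X, Cs):
    """One round of the assumed two-level consensus dynamics."""
    Y = [[sum(W[d][e] * X[u][e] for e in range(N_DIRS)) for d in range(N_DIRS)]
         for u in range(N_USERS)]
    return [[sum(Cs[d][u][v] * Y[v][d] for v in range(N_USERS))
             for d in range(N_DIRS)] for u in range(N_USERS)]


def scc_variance(X, d):
    """Sum over SCCs of the within-SCC variance of directory d's column.
    Each SCC should reach internal consensus, so this shrinks under benign
    dynamics; a cross-component edge makes it jump."""
    total = 0.0
    for scc in SCCS:
        vals = [X[u][d] for u in scc]
        mu = sum(vals) / len(vals)
        total += sum((x - mu) ** 2 for x in vals) / len(vals)
    return total


def bayes_update(prior, delta, rate_benign=200.0, rate_anom=10.0):
    """P(anomaly | delta) with exponential likelihoods on the variance
    increment. Assumed rates: benign increments average 1/200, anomalous
    ones 1/10 (the paper's parameters are not on this page)."""
    l_anom = rate_anom * math.exp(-rate_anom * delta)
    l_benign = rate_benign * math.exp(-rate_benign * delta)
    return prior * l_anom / (prior * l_anom + (1.0 - prior) * l_benign)


def run(perturb_at=None, steps=25, prior=0.05, floor=0.01):
    """Simulate; optionally, at step `perturb_at`, make user 3 (SCC B)
    copy user 0 (SCC A) for directory 2: a cross-component logical edge.
    Returns per-step lists of per-directory variance, static-prior and
    online-prior posteriors (index t-1 holds step t)."""
    Cs = [block_logic() for _ in range(N_DIRS)]
    X = [row[:] for row in X0]
    var_prev = [scc_variance(X, d) for d in range(N_DIRS)]
    online = [prior] * N_DIRS
    hist = {"variance": [], "static": [], "online": []}
    for t in range(1, steps + 1):
        if t == perturb_at:
            Cs[2][3] = [1.0] + [0.0] * (N_USERS - 1)
        X = step(X, Cs)
        var_now = [scc_variance(X, d) for d in range(N_DIRS)]
        deltas = [max(v - p, 0.0) for v, p in zip(var_now, var_prev)]
        static = [bayes_update(prior, dl) for dl in deltas]
        # Online prior: the previous posterior, clipped so it can recover.
        online = [bayes_update(min(max(p, floor), 1.0 - floor), dl)
                  for p, dl in zip(online, deltas)]
        hist["variance"].append(var_now)
        hist["static"].append(static)
        hist["online"].append(online)
        var_prev = var_now
    return hist


if __name__ == "__main__":
    T = 15
    h = run(perturb_at=T)
    print(" t   var(dir2)  static   online")
    for t, (v, s, o) in enumerate(zip(h["variance"], h["static"], h["online"]), 1):
        print(f"{t:2d}  {v[2]:9.5f}  {s[2]:.4f}  {o[2]:.4f}")
```

In the benign run the within-SCC variance decays geometrically and every increment is zero, so both posteriors stay near zero. When the cross-component edge is injected, user 3 leaves SCC B's consensus for directory 2, the variance of that column jumps to roughly $(2/9)(0.8-0.2)^2 \approx 0.08$, and both posteriors exceed 0.9 in that step; the other two directories are untouched at that step and keep a low score. In the steps that follow, SCC B drifts toward SCC A's value and the online posterior decays again, which is the behaviour a practitioner should expect from a variance-increment detector: it flags the structural change when it happens, not the new steady state afterwards.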

Paper Structure (51 sections, 31 equations, 10 figures, 2 algorithms)

Figures (10)

  • Figure 1: User-user logical dependency graph across directories
  • Figure 2: User-user logical dependency graph across directories. Nodes represent users; arrows show influence based on directory-level access behavior. Colored clusters highlight strongly connected components (SCCs).
  • Figure 3: Pipeline for SCC decomposition and theorem annotation.
  • Figure 4: Annotated SCC blocks with assigned theorems, based on logical structure and dependency ordering in ye2018consensus.
  • Figure 5: Ground truth validation for Topics 1–5 under logic matrices $\hat{C}$ and $\bar{C}$. Topic 3 fails to converge as expected under $\bar{C}$.
  • ...and 5 more figures