Active Directory (AD) is a crucial element of large organizations, given its
central role in managing access to resources. Since AD is used by all users in
the organization, it is hard to detect attackers. We propose to generate and
place fake users (honeyusers) in AD structures to help detect attacks. However,
not any honeyuser will attract attackers. Our method generates honeyusers with
a Variational Autoencoder that enriches the AD structure with well-positioned
honeyusers. It first learns the embeddings of the original nodes and edges in
the AD, then it uses a modified Bidirectional DAG-RNN to encode the parameters
of the probability distribution of the latent space of node representations.
Finally, it samples nodes from this distribution and uses an MLP to decide
where the nodes are connected. The model was evaluated by the similarity of the
generated AD with the original, by the positions of the new nodes, by the
similarity with GraphRNN and finally by making real intruders attack the
generated AD structure to see if they select the honeyusers. Results show that
our machine learning model is good enough to generate well-placed honeyusers
for existing AD structures so that intruders are lured into them.

By admin