Bipartite Authentication Graph Partitioning
web.mst.edu/.../EvoBAGPart_presentation.pdf


Aaron Scott Pope

Aaron Scott Pope BAG Partitioning LA-UR-15-26864 1 / 26

Authentication

Used to gain access to a machine
Passwords are not usually exchanged
Password is used to generate a hash
Hash is compared to authenticate
Hashed credentials are often stored in a cache
Cache can be accessed on a compromised machine
Hashes can be just as useful to an adversary as the actual password

Bipartite Authentication Graphs (BAGs)

Bipartite Authentication Graph (BAG)
Bipartite graph with two independent sets of nodes:
  User Nodes: represent a user account
  Computer Nodes: represent computers on the network
Each edge connects a user node and a computer node and represents the account being used to access the computer.

Edges could describe which credentials are contained in the cache
This information isn’t usually available
Graph can instead be built from previous authentication events
Assume cache contains all previously used credentials (worst-case scenario)

Bipartite Authentication Graph Properties

Connected components in a BAG can be traversed using pass-the-hash
Having lots of small connected components is good
  Adversary must find a way into each component
Having a few large connected components is bad
  Adversary only needs to access a few computers from the outside
Higher diameter components require more “hops” to traverse
  Each hop takes time and increases chance of detection

Creating Bipartite Authentication Graphs from Authentication Data

Authentication data:
  Format: Timestamp, UserID, ComputerID
  Example:
    0, U1, C1
    1, U1, C2
    2, U2, C1

Simplifying assumptions:
  If U authenticates on computer C, assume U’s credentials are stored in computer C’s cache
  User U’s credentials can only be used to access computers it has been seen accessing in the data
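
Added example (not from the original slides): Python code that builds a BAG from events in the Timestamp, UserID, ComputerID format above and measures exposure under the slide's worst-case cache assumption, namely how many machine-to-machine hops separate each computer from a given compromised one and how many computers each connected component holds. The sample log and all function names are constructed for illustration.

```python
from collections import defaultdict, deque

# Constructed sample log in the slide's format: Timestamp, UserID, ComputerID.
SAMPLE_LOG = """\
0, U1, C1
1, U1, C2
2, U2, C1
3, U2, C3
4, U1, C1
5, U3, C4
"""


def build_bag(log_text):
    """Parse auth events into BAG adjacency; repeated logons collapse to one edge."""
    adj = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _timestamp, user, computer = (field.strip() for field in line.split(","))
        # Tag each node with its side so a user ID can never collide with a computer ID.
        adj[("user", user)].add(("computer", computer))
        adj[("computer", computer)].add(("user", user))
    return adj


def hops_from(adj, foothold):
    """Breadth-first search from one compromised computer.

    Returns {computer: hops}. One hop is computer -> cached credential -> computer,
    assuming every credential ever used on a machine is still in its cache.
    """
    start = ("computer", foothold)
    dist = {start: 0}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for neighbour in adj[node]:
            if neighbour not in dist:
                dist[neighbour] = dist[node] + 1
                queue.append(neighbour)
    # Two graph edges (computer-user-computer) make one hop between machines.
    return {name: d // 2 for (side, name), d in dist.items() if side == "computer"}


def component_sizes(adj):
    """Number of computers in each connected component, largest first."""
    seen, sizes = set(), []
    for side, name in list(adj):
        if side == "computer" and name not in seen:
            reach = hops_from(adj, name)
            seen.update(reach)
            sizes.append(len(reach))
    return sorted(sizes, reverse=True)


if __name__ == "__main__":
    bag = build_bag(SAMPLE_LOG)
    print("hops from C2:", hops_from(bag, "C2"))
    print("computers per component:", component_sizes(bag))
```

A large first entry in the component list means one foothold exposes many machines; a high hop count to a sensitive computer means more authentication events for detection to catch along the way.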

LANL Data BAG

One month of LANL network authentication data
9924 user nodes
14822 computer nodes
106693 authentication edges

Edge Removal Partitioning

Edge removals can disconnect components and increase diameter
Translates to revoking a user’s access to a particular machine

Removing computer access impacts user productivity
Desirable BAG partitions minimize the number of edge removals
General minimum k-cut partition problem is NP-Complete

Naive Approach

Iteratively “removes” highest degree node by removing incident edges
Not intended as a real partition method
Removes an excessive amount of edges
Extremely quick
Provides a baseline for comparison

Naive Approach BAG Partition

LANL network BAG partitioned using iterative node removal
1998 (of 14822) computer nodes in the largest connected component
91226 (of 106693) authentication edges removed

METIS

Finds approximate minimum cost edge removal k-way partition
Fast, parallel, multi-level partition algorithm
Consists of three phases:
  Coarsen: Repeatedly contract the graph until it is small
  Partition: Find optimal partition of small graph
  Uncoarsen: Repeatedly expand contracted nodes and refine partition by examining “border” nodes

METIS BAG Partition

LANL network BAG partitioned using METIS k-way partitioning (k=9)
1888 (of 14822) computer nodes in the largest connected component
43163 (of 106693) authentication edges removed by the partition

User Splits

An alternative to edge removals
Split a user node into sub-nodes
Corresponds to giving a user additional authentication credentials
Different credentials are used to authenticate on different computers

User retains access to all of their originally used computers
Managing extra credentials can impact productivity
User nodes can be split more than once (more sets of credentials)
A trivial solution:
  Every user gets new credentials for each computer they use
  No component will contain more than a single computer node
User node splits are limited to produce more practical solutions
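
Added example (not from the original slides, and not the METIS or evolutionary method they describe): Python code that applies the naive highest-degree baseline and a hand-picked user split to the same small BAG, so the cost of each (edges removed versus extra credential sets) can be compared at the same largest-component size. The edge list, the function names and the choice of split are constructed; the cap of 5 sub-nodes is the limit the deck states in its Methodology slide.

```python
from collections import Counter

MAX_SUBNODES = 5  # per-user split limit stated in the deck

# Constructed BAG as (user, computer) edges: U1 bridges three workgroups.
EDGES = {
    ("U1", "C1"), ("U1", "C3"), ("U1", "C5"),
    ("U2", "C1"), ("U2", "C2"),
    ("U3", "C3"), ("U3", "C4"),
    ("U4", "C5"), ("U4", "C6"),
}


def largest_component(edges):
    """Computers in the largest connected component (union-find over both node sets)."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for user, computer in edges:
        parent[find(("u", user))] = find(("c", computer))
    counts = Counter(find(node) for node in list(parent) if node[0] == "c")
    return max(counts.values(), default=0)


def naive_partition(edges, max_computers):
    """Baseline: strip every edge of the highest-degree node until components are small."""
    if max_computers < 1:
        raise ValueError("max_computers must be at least 1")
    edges, removed = set(edges), 0
    while largest_component(edges) > max_computers:
        degree = Counter()
        for user, computer in edges:
            degree[("u", user)] += 1
            degree[("c", computer)] += 1
        # Ties are broken by node name so the result is reproducible.
        side, name = max(degree, key=lambda n: (degree[n], n))
        hit = {e for e in edges if e[0 if side == "u" else 1] == name}
        edges -= hit
        removed += len(hit)
    return edges, removed


def split_user(edges, user, groups):
    """Replace `user` with one sub-node (one credential set) per group of computers.

    Each of the user's computers must appear in exactly one non-empty group,
    so no access is revoked and no sub-node is left disconnected.
    """
    owned = sorted(c for u, c in edges if u == user)
    assigned = sorted(c for group in groups for c in group)
    if assigned != owned or any(not group for group in groups):
        raise ValueError("groups must cover each of the user's computers exactly once")
    if len(groups) > MAX_SUBNODES:
        raise ValueError("too many sub-nodes for one user")
    kept = {(u, c) for u, c in edges if u != user}
    for i, group in enumerate(groups, 1):
        kept |= {(f"{user}#{i}", c) for c in group}
    return kept


if __name__ == "__main__":
    print("before:", largest_component(EDGES), "computers in largest component")
    kept, removed = naive_partition(EDGES, 2)
    print("naive :", largest_component(kept), "largest,", removed, "edges removed")
    split = split_user(EDGES, "U1", [["C1"], ["C3"], ["C5"]])
    print("split :", largest_component(split), "largest,",
          len(EDGES) - len(split), "edges removed, 2 extra credential sets")
```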

Combining Edge Removals and User Splits

Edge removals and user node splits can be combined

Methodology

Leverage the edge removal partitioning strength of METIS
  Edge weights: 1
  Computer node weight: 1
  User node weight: 0
  A variety of k values used for k-way partitioning (more on this later)
Evolutionary algorithm (EA) evolves a plan for splitting user nodes
Enforce some limitations:
  Can’t completely disconnect user nodes
  Limit the number of times a user node can be split (in this work, user nodes can be split into at most 5 sub-nodes)

Evolutionary Algorithm

General purpose black box search algorithm
Population based
Generate-and-test
Easily parallelized

Multi-objective

Solutions produce a trade-off between conflicting goals:
  Minimize user impact
  Minimize connected component size
  Possibly others (e.g. maximize component diameter)
If a desired trade-off is known, solutions can be evolved directly
Desired trade-off is likely not known, or varies by application
Instead, evolve a set of solutions with a variety of trade-off values
End-user can choose a solution from this set, or use it to define the desired trade-off value

NSGA-II

Non-dominated Sorting Genetic Algorithm-II (NSGA-II)
Multi-objective evolutionary algorithm (MOEA)
Used to evolve a set of BAG partition solutions
Uses a variety of k-values for METIS’ k-way partitioning
  Increases the diversity of solutions produced

Multi-objective Evolutionary Algorithm BAG Partition

Method 1
  Preserves computer adjacency but can connect components that were disconnected by METIS

Method 2
  Discards edges that would connect components that were disconnected by METIS

LANL network BAG partitioned using multi-objective evolutionary algorithm
1962 (of 14822) computer nodes in the largest connected component (METIS: 1888)
1602 (of 106693) authentication edges removed by the partition (METIS: 43163)
13849 additional user nodes created by splitting

BAG Partition Results Comparison

Superior Percentage

NSGA-II (1)   98.84%    1.06%   METIS
NSGA-II (2)   88.03%    9.78%   METIS
NSGA-II (1)   42.01%   56.09%   NSGA-II (2)

A comparison of BAG partition objective trade-off results from the METIS approach as well as methods 1 and 2 with NSGA-II

Future Work

Consider splitting computer nodes
  Harder to implement than giving users additional credentials
  Could be done with servers running virtual machines
Use more detailed network data
  Determine the purpose of a user’s access on a particular machine
  Allocate a suitable replacement computer
Evolve partition algorithms using genetic programming
  (MO)EAs are slow
  Invest a priori time to evolve fast partitioning algorithms

Take Home Message

Network partitioning can mitigate potential damage caused by adversaries using pass-the-hash
Current graph partitioning algorithms do not take advantage of the particular nature of BAGs
Employing user node splits allows superior partitioning at all reasonable levels of user impact
General purpose evolutionary computation can be used to solve the new problem of splitting user nodes
