Source: web.mst.edu/.../evobagpart_presentation.pdf (reposted 13-Sep-2020)

Bipartite Authentication Graph Partitioning

Aaron Scott Pope

Aaron Scott Pope BAG Partitioning LA-UR-15-26864 1 / 26

Authentication

- Used to gain access to a machine
- Passwords are not usually exchanged: the password is used to generate a hash, and it is the hash that is checked to authenticate (in NTLM the NT hash itself is the key that answers the server's challenge, so the verifier never needs the password either)
- Hashed credentials are often stored in a cache on the machine
- That cache can be read on a compromised machine
- Hashes can therefore be just as useful to an adversary as the actual password; this is the basis of pass-the-hash

Aaron Scott Pope BAG Partitioning LA-UR-15-26864 2 / 26
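Added example, not code from the slides: the deck does not name a protocol, so this assumes NTLM, where the NT hash is MD4 over the UTF-16LE password and the NTLMv2 response is an HMAC-MD5 chain keyed by that hash (MS-NLMP). It shows that both the client's response and the server's check are computed from the hash alone, which is exactly why a cached hash is as good as the password. The user "alice", domain "CORP", password "password", server challenge and client blob are constructed placeholders; the hex constant is the well-known NT hash of "password". MD4 is implemented inline because many OpenSSL 3 builds no longer expose it through hashlib.

```python
import hashlib
import hmac
import struct

MASK32 = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """MD4 per RFC 1320, inline because hashlib.new('md4') is often unavailable."""
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for i in range(16):  # round 1: F = (b & c) | (~b & d)
            s = (3, 7, 11, 19)[i % 4]
            a, b, c, d = d, _rotl((a + ((b & c) | (~b & d)) + x[i]) & MASK32, s), b, c
        for i in range(16):  # round 2: G = majority(b, c, d), constant sqrt(2)
            k, s = (i % 4) * 4 + i // 4, (3, 5, 9, 13)[i % 4]
            g = (b & c) | (b & d) | (c & d)
            a, b, c, d = d, _rotl((a + g + x[k] + 0x5A827999) & MASK32, s), b, c
        for i in range(16):  # round 3: H = b ^ c ^ d, constant sqrt(3)
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            s = (3, 9, 11, 15)[i % 4]
            a, b, c, d = d, _rotl((a + (b ^ c ^ d) + x[k] + 0x6ED9EBA1) & MASK32, s), b, c
        a0, b0, c0, d0 = (a0 + a) & MASK32, (b0 + b) & MASK32, (c0 + c) & MASK32, (d0 + d) & MASK32
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password: str) -> bytes:
    """NT hash: MD4 over the UTF-16LE password. This is what the credential cache holds."""
    return md4(password.encode("utf-16le"))


def ntlmv2_response(nt: bytes, user: str, domain: str, server_challenge: bytes, client_blob: bytes) -> bytes:
    """NTLMv2 NtChallengeResponse = NTProofStr || blob (MS-NLMP). The only secret
    input is the NT hash; the password itself is never needed."""
    v2_key = hmac.new(nt, (user.upper() + domain).encode("utf-16le"), hashlib.md5).digest()
    proof = hmac.new(v2_key, server_challenge + client_blob, hashlib.md5).digest()
    return proof + client_blob


def verify_ntlmv2(nt: bytes, user: str, domain: str, server_challenge: bytes, response: bytes) -> bool:
    """Server side: recompute from the stored NT hash and compare in constant time.
    The verifier also needs only the hash, so hashes must be protected like passwords."""
    blob = response[16:]
    expected = ntlmv2_response(nt, user, domain, server_challenge, blob)
    return hmac.compare_digest(expected, response)


# Constructed placeholders (assumptions of this example, not values from the slides).
SERVER_CHALLENGE = bytes.fromhex("0123456789abcdef")
# A real NTLMv2_CLIENT_CHALLENGE carries a timestamp, client nonce and target info;
# a fixed byte string stands in for it here.
CLIENT_BLOB = bytes.fromhex("0101000000000000") + b"\x00" * 8 + bytes.fromhex("0011223344556677") + b"\x00" * 4

if __name__ == "__main__":
    legit = ntlmv2_response(nt_hash("password"), "alice", "CORP", SERVER_CHALLENGE, CLIENT_BLOB)
    # Pass-the-hash: an attacker holding only the cached hash produces the same response.
    stolen = bytes.fromhex("8846f7eaee8fb117ad06bdd830b7586c")
    forged = ntlmv2_response(stolen, "alice", "CORP", SERVER_CHALLENGE, CLIENT_BLOB)
    print("responses identical:", legit == forged)
    print("server accepts forged:", verify_ntlmv2(nt_hash("password"), "alice", "CORP", SERVER_CHALLENGE, forged))
```

Nothing in the exchange distinguishes a client that knows the password from one that only read the hash out of a cache, which is the property the BAG model builds on: an edge from user U to computer C means a compromise of C yields everything U's hash can reach.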

Bipartite Authentication Graphs (BAGs)

A Bipartite Authentication Graph (BAG) is a bipartite graph with two independent sets of nodes:
- User nodes: represent a user account
- Computer nodes: represent computers on the network

Each edge connects a user node and a computer node and represents the account being used to access the computer.

Aaron Scott Pope BAG Partitioning LA-UR-15-26864 3 / 26

Bipartite Authentication Graphs (BAGs)

- Edges could describe which credentials are contained in the cache
- This information isn't usually available
- The graph can instead be built from previous authentication events
- Assume the cache contains all previously used credentials (worst-case scenario)

Aaron Scott Pope BAG Partitioning LA-UR-15-26864 4 / 26

Bipartite Authentication Graph Properties

- Connected components in a BAG can be traversed using pass-the-hash
- Having lots of small connected components is good
  - Adversary must find a way into each component
- Having a few large connected components is bad
  - Adversary only needs to access a few computers from the outside
- Higher-diameter components require more "hops" to traverse
  - Each hop takes time and increases the chance of detection

Aaron Scott Pope BAG Partitioning LA-UR-15-26864 5 / 26

Creating Bipartite Authentication Graphs from Authentication Data

Authentication data format: Timestamp, UserID, ComputerID

Example:
  0, U1, C1
  1, U1, C2
  2, U2, C1

Simplifying assumptions:
- If U authenticates on computer C, assume U's credentials are stored in computer C's cache
- User U's credentials can only be used to access computers it has been seen accessing in the data

Aaron Scott Pope BAG Partitioning LA-UR-15-26864 6 / 26

LANL Data BAG

One month of LANL network authentication data:
- 9924 user nodes
- 14822 computer nodes
- 106693 authentication edges

Aaron Scott Pope BAG Partitioning LA-UR-15-26864 7 / 26

Edge Removal Partitioning

- Edge removals can disconnect components and increase diameter
- An edge removal translates to revoking a user's access to a particular machine

Aaron Scott Pope BAG Partitioning LA-UR-15-26864 8 / 26

Edge Removal Partitioning

- Removing computer access impacts user productivity
- Desirable BAG partitions minimize the number of edge removals
- The general minimum k-cut problem (k part of the input) is NP-hard, its decision version NP-complete, so exact solutions are out of reach at this scale and approximate partitioners are used

Aaron Scott Pope BAG Partitioning LA-UR-15-26864 9 / 26

Naive Approach

- Iteratively "removes" the highest-degree node by removing its incident edges
- Not intended as a real partition method
  - Removes an excessive amount of edges
- Extremely quick
- Provides a baseline for comparison

Aaron Scott Pope BAG Partitioning LA-UR-15-26864 10 / 26

Naive Approach BAG Partition

LANL network BAG partitioned using iterative node removal:
- 1998 (of 14822) computer nodes in the largest connected component
- 91226 (of 106693) authentication edges removed

Aaron Scott Pope BAG Partitioning LA-UR-15-26864 11 / 26

METIS

- Finds an approximate minimum-cost edge-removal k-way partition
- Fast, parallel, multi-level partition algorithm
- Consists of three phases:
  - Coarsen: repeatedly contract the graph until it is small
  - Partition: find a partition of the now-small graph (cheap at that size)
  - Uncoarsen: repeatedly expand contracted nodes and refine the partition by examining "border" nodes

Aaron Scott Pope BAG Partitioning LA-UR-15-26864 12 / 26

METIS BAG Partition

LANL network BAG partitioned using METIS k-way partitioning (k=9):
- 1888 (of 14822) computer nodes in the largest connected component
- 43163 (of 106693) authentication edges removed by the partition

Aaron Scott Pope BAG Partitioning LA-UR-15-26864 13 / 26

User Splits

- An alternative to edge removals
- Split a user node into sub-nodes
- Corresponds to giving a user additional authentication credentials (each sub-node must be a separate account with its own hash; the split buys nothing if the same cached credential works on both sides)
- Different credentials are used to authenticate on different computers

Aaron Scott Pope BAG Partitioning LA-UR-15-26864 14 / 26

User Splits

- The user retains access to all of their originally used computers
- Managing extra credentials can impact productivity
- User nodes can be split more than once (more sets of credentials)
- A trivial solution:
  - Every user gets new credentials for each computer they use
  - No component will contain more than a single computer node
- User node splits are limited to produce more practical solutions

Aaron Scott Pope BAG Partitioning LA-UR-15-26864 15 / 26

Combining Edge Removals and User Splits

- Edge removals and user node splits can be combined

Aaron Scott Pope BAG Partitioning LA-UR-15-26864 16 / 26

Methodology

- Leverage the edge-removal partitioning strength of METIS
  - Edge weights: 1
  - Computer node weight: 1
  - User node weight: 0 (so partition balance is measured in computers, not users)
  - A variety of k values used for k-way partitioning (more on this later)
- An evolutionary algorithm (EA) evolves a plan for splitting user nodes
- Enforce some limitations:
  - Can't completely disconnect user nodes
  - Limit the number of times a user node can be split (in this work, user nodes can be split into at most 5 sub-nodes)

Aaron Scott Pope BAG Partitioning LA-UR-15-26864 17 / 26

Evolutionary Algorithm

- General-purpose black-box search algorithm
- Population based
- Generate-and-test
- Easily parallelized

Aaron Scott Pope BAG Partitioning LA-UR-15-26864 18 / 26

Multi-objective

- Solutions produce a trade-off between conflicting goals:
  - Minimize user impact
  - Minimize connected component size
  - Possibly others (e.g. maximize component diameter)
- If a desired trade-off is known, solutions can be evolved directly
- The desired trade-off is likely not known, or varies by application
- Instead, evolve a set of solutions with a variety of trade-off values
- The end user can choose a solution from this set, or use it to define the desired trade-off value

Aaron Scott Pope BAG Partitioning LA-UR-15-26864 19 / 26

NSGA-II

- Non-dominated Sorting Genetic Algorithm-II (NSGA-II)
- Multi-objective evolutionary algorithm (MOEA)
- Used to evolve a set of BAG partition solutions
- Uses a variety of k-values for METIS' k-way partitioning
  - Increases the diversity of solutions produced

Aaron Scott Pope BAG Partitioning LA-UR-15-26864 20 / 26

Multi-objective Evolutionary Algorithm BAG Partition

- Method 1: preserves computer adjacency but can connect components that were disconnected by METIS
- Method 2: discards edges that would connect components that were disconnected by METIS

Aaron Scott Pope BAG Partitioning LA-UR-15-26864 21 / 26
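Added example, not code from the slides or from LANL: it builds a BAG from the slides' Timestamp, UserID, ComputerID format (slide 6), measures the largest component in computer nodes, runs the highest-degree node removal baseline (slide 10), and applies user splits against a k-way partition of the computers (slides 14-16) under the two policies of this slide: keep edges that would reconnect parts (method 1) or cut them (method 2). The authentication log and the computer-to-part assignment are constructed; the assignment stands in for what METIS would produce, and the split plan is derived greedily from it rather than evolved. Naming computers C* and users U* is this sample's convention, not the slides'.

```python
from collections import defaultdict, deque
# Constructed log in the slides' format; C* = computer, U* = user is this sample's convention.
SAMPLE_AUTH_LOG = """\
0, U1, C1
1, U1, C2
2, U2, C1
3, U2, C3
4, U3, C3
5, U3, C4
6, U4, C5
7, U4, C6
8, U5, C6
9, U1, C1
"""
# Constructed stand-in for a METIS k-way (k=3) partition of the computer nodes.
PARTS = {"C1": 0, "C2": 0, "C3": 1, "C4": 1, "C5": 2, "C6": 2}

def is_computer(node):
    return node.startswith("C")

def build_bag(text):
    """Undirected bipartite adjacency. Repeated logons collapse to one edge: the
    worst-case assumption that every credential ever used on C is still cached."""
    adj = defaultdict(set)
    for line in text.splitlines():
        if line.strip():
            _ts, user, comp = (f.strip() for f in line.split(","))
            adj[user].add(comp)
            adj[comp].add(user)
    return adj

def edge_count(adj):
    return sum(len(nbrs) for nbrs in adj.values()) // 2

def connected_components(adj):
    seen, comps = set(), []
    for start in adj:
        if start in seen:
            continue
        comp, queue = set(), deque([start])
        seen.add(start)
        while queue:
            node = queue.popleft()
            comp.add(node)
            for nbr in adj[node]:
                if nbr not in seen:
                    seen.add(nbr)
                    queue.append(nbr)
        comps.append(comp)
    return comps

def largest_component_computers(adj):
    """The slides' containment metric: computer nodes in the largest component."""
    return max(sum(1 for n in c if is_computer(n)) for c in connected_components(adj))

def naive_partition(adj, max_computers):
    """Slide 10 baseline: strip every edge off the highest-degree node until no
    component holds more than max_computers computers. Returns (graph, edges removed)."""
    adj = {n: set(nbrs) for n, nbrs in adj.items()}  # work on a copy
    removed = 0
    while largest_component_computers(adj) > max_computers:
        victim = min(adj, key=lambda n: (-len(adj[n]), n))  # highest degree, ties by name
        for nbr in adj[victim]:
            adj[nbr].discard(victim)
        removed += len(adj[victim])
        adj[victim] = set()
    return adj, removed

def split_users(adj, part_of, max_subnodes=5, drop_reconnecting=False):
    """User splits: one sub-node (one credential) per partition part a user's computers
    fall in, up to max_subnodes. Edges into further parts stay on the last sub-node
    (method 1: may reconnect parts) or are cut (method 2). Returns (graph, created, removed)."""
    new_adj = defaultdict(set)
    created = removed = 0
    for comp in filter(is_computer, adj):
        new_adj.setdefault(comp, set())  # keep computers that end up isolated
    for user in (n for n in adj if not is_computer(n)):
        by_part = defaultdict(list)
        for comp in sorted(adj[user]):
            by_part[part_of[comp]].append(comp)
        sub = user
        for idx, part in enumerate(sorted(by_part)):
            if idx < max_subnodes:
                sub = user if idx == 0 else f"{user}.{idx}"
                created += 1 if idx else 0
            elif drop_reconnecting:
                removed += len(by_part[part])
                continue
            for comp in by_part[part]:
                new_adj[sub].add(comp)
                new_adj[comp].add(sub)
    return new_adj, created, removed

if __name__ == "__main__":
    bag = build_bag(SAMPLE_AUTH_LOG)
    print("naive baseline removed", naive_partition(bag, 2)[1], "edges")
    for method, drop in ((1, False), (2, True)):
        g, made, cut = split_users(bag, PARTS, max_subnodes=1, drop_reconnecting=drop)
        print(f"method {method}: {made} sub-nodes, {cut} edges cut, largest {largest_component_computers(g)}")
```

On the sample, U2 is the only user spanning two parts. With the default limit of 5 sub-nodes the split costs one extra credential and no lost access, and the largest component drops from 4 computers to 2; with the limit forced to 1, method 1 leaves U2's hash bridging both parts (largest component back to 4) while method 2 cuts one edge to keep them apart. This is the trade-off between user impact and containment that the NSGA-II runs explore at LANL scale.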

Multi-objective Evolutionary Algorithm BAG Partition

LANL network BAG partitioned using the multi-objective evolutionary algorithm:
- 1962 (of 14822) computer nodes in the largest connected component (METIS: 1888)
- 1602 (of 106693) authentication edges removed by the partition (METIS: 43163)
- 13849 additional user nodes created by splitting

Aaron Scott Pope BAG Partitioning LA-UR-15-26864 22 / 26

BAG Partition Results Comparison

[Slide 23: comparison plot of the partition objective trade-offs; figure not reproduced in the transcript]

Aaron Scott Pope BAG Partitioning LA-UR-15-26864 23 / 26

BAG Partition Results Comparison

Superior percentage (how often each side's trade-off results are superior to the other's):

  Method A      A superior   B superior   Method B
  NSGA-II (1)   98.84%       1.06%        METIS
  NSGA-II (2)   88.03%       9.78%        METIS
  NSGA-II (1)   42.01%       56.09%       NSGA-II (2)

A comparison of BAG partition objective trade-off results from the METIS approach as well as methods 1 and 2 with NSGA-II.

Aaron Scott Pope BAG Partitioning LA-UR-15-26864 24 / 26

Future Work

- Consider splitting computer nodes
  - Harder to implement than giving users additional credentials
  - Could be done with servers running virtual machines
- Use more detailed network data
  - Determine the purpose of a user's access on a particular machine
  - Allocate a suitable replacement computer
- Evolve partition algorithms using genetic programming
  - (MO)EAs are slow
  - Invest a priori time to evolve fast partitioning algorithms

Aaron Scott Pope BAG Partitioning LA-UR-15-26864 25 / 26

Take Home Message

- Network partitioning can mitigate potential damage caused by adversaries using pass-the-hash
- Current graph partitioning algorithms do not take advantage of the particular nature of BAGs
- Employing user node splits allows superior partitioning at all reasonable levels of user impact
- General-purpose evolutionary computation can be used to solve the new problem of splitting user nodes

Aaron Scott Pope BAG Partitioning LA-UR-15-26864 26 / 26
