Bipartite Authentication Graph Partitioning
Aaron Scott Pope
Aaron Scott Pope BAG Partitioning LA-UR-15-26864 1 / 26

Authentication
- Used to gain access to a machine
- Passwords are not usually exchanged
- Password is used to generate a hash
- Hash is compared to authenticate
- Hashed credentials are often stored in a cache
- Cache can be accessed on a compromised machine
- Hashes can be just as useful to an adversary as the actual password

Bipartite Authentication Graphs (BAGs)
Bipartite Authentication Graph (BAG): a bipartite graph with two independent sets of nodes:
- User Nodes: represent a user account
- Computer Nodes: represent computers on the network

Each edge connects a user node and a computer node and represents the account being used to access the computer.

Bipartite Authentication Graphs (BAGs)
- Edges could describe which credentials are contained in the cache
- This information isn’t usually available
- Graph can instead be built from previous authentication events
- Assume cache contains all previously used credentials (worst-case scenario)

Bipartite Authentication Graph Properties
- Connected components in a BAG can be traversed using pass-the-hash
- Having lots of small connected components is good
  - Adversary must find a way into each component
- Having a few large connected components is bad
  - Adversary only needs to access a few computers from the outside
- Higher diameter components require more “hops” to traverse
  - Each hop takes time and increases chance of detection

Creating Bipartite Authentication Graphs from Authentication Data
Authentication data:
- Format: Timestamp, UserID, ComputerID
- Example:
    0, U1, C1
    1, U1, C2
    2, U2, C1

Simplifying assumptions:
- If U authenticates on computer C, assume U’s credentials are stored in computer C’s cache
- User U’s credentials can only be used to access computers it has been seen accessing in the data

LANL Data BAG
- One month of LANL network authentication data
- 9924 user nodes
- 14822 computer nodes
- 106693 authentication edges

Edge Removal Partitioning
- Edge removals can disconnect components and increase diameter
- Translates to revoking a user’s access to a particular machine

Edge Removal Partitioning
- Removing computer access impacts user productivity
- Desirable BAG partitions minimize the number of edge removals
- General minimum k-cut partition problem is NP-Complete

Naive Approach
- Iteratively “removes” highest degree node by removing incident edges
- Not intended as a real partition method
  - Removes an excessive amount of edges
- Extremely quick
  - Provides a baseline for comparison

Naive Approach BAG Partition
- LANL network BAG partitioned using iterative node removal
- 1998 (of 14822) computer nodes in the largest connected component
- 91226 (of 106693) authentication edges removed

METIS
- Finds approximate minimum cost edge removal k-way partition
- Fast, parallel, multi-level partition algorithm
- Consists of three phases:
  - Coarsen: Repeatedly contract the graph until it is small
  - Partition: Find optimal partition of small graph
  - Uncoarsen: Repeatedly expand contracted nodes and refine partition by examining “border” nodes

METIS BAG Partition
- LANL network BAG partitioned using METIS k-way partitioning (k=9)
- 1888 (of 14822) computer nodes in the largest connected component
- 43163 (of 106693) authentication edges removed by the partition

User Splits
- An alternative to edge removals
- Split a user node into sub-nodes
- Corresponds to giving a user additional authentication credentials
- Different credentials are used to authenticate on different computers

User Splits
- User retains access to all of their originally used computers
- Managing extra credentials can impact productivity
- User nodes can be split more than once (more sets of credentials)
- A trivial solution:
  - Every user gets new credentials for each computer they use
  - No component will contain more than a single computer node
- User node splits are limited to produce more practical solutions

Combining Edge Removals and User Splits
- Edge removals and user node splits can be combined
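
The BAG construction, component measure, naive baseline and user split described on the slides above, worked through on a small log. This is an added example, not code from the presentation: the event lines and the computer grouping `GROUPS` (standing in for a METIS partition) are constructed, and the stop rule for the naive baseline and the handling of users that exceed the sub-node cap are assumptions.

```python
from collections import defaultdict

# Constructed sample in the slides' "Timestamp, UserID, ComputerID" format.
EVENTS = """\
0, U1, C1
1, U1, C2
2, U2, C1
3, U2, C3
4, U3, C3
5, U3, C4
6, U4, C5
7, U1, C1
"""
# Constructed computer -> group map, standing in for a METIS k-way partition.
GROUPS = {"C1": 0, "C2": 0, "C3": 1, "C4": 1, "C5": 2}


def build_bag(text):
    """One (user, computer) edge per distinct pair seen in the log."""
    edges = set()
    for line in text.splitlines():
        if line.strip():
            _ts, user, comp = (f.strip() for f in line.split(","))
            edges.add((user, comp))
    return edges


def components(edges):
    """Connected components as sets of computers, largest first."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for user, comp in edges:
        parent[find(("u", user))] = find(("c", comp))
    groups = defaultdict(set)
    for _user, comp in edges:
        groups[find(("c", comp))].add(comp)
    return sorted(groups.values(), key=len, reverse=True)


def naive_partition(edges, max_computers):
    """Baseline: strip every edge of the highest-degree node until no
    component holds more than max_computers computers (assumed stop rule)."""
    edges, removed = set(edges), 0
    while edges and len(components(edges)[0]) > max_computers:
        degree = defaultdict(int)
        for user, comp in edges:
            degree[("u", user)] += 1
            degree[("c", comp)] += 1
        kind, name = max(sorted(degree), key=degree.get)
        doomed = {e for e in edges if e[0 if kind == "u" else 1] == name}
        edges -= doomed
        removed += len(doomed)
    return edges, removed


def split_users(edges, group_of, max_subnodes=5):
    """Give each user one credential (sub-node) per computer group it uses.
    Groups beyond the cap lose their edges (assumed policy); the largest
    groups are kept, so no user is ever completely disconnected."""
    by_user = defaultdict(lambda: defaultdict(set))
    for user, comp in edges:
        by_user[user][group_of[comp]].add(comp)
    new_edges, extra_nodes, removed = set(), 0, 0
    for user, groups in by_user.items():
        ranked = sorted(groups.items(), key=lambda kv: (-len(kv[1]), kv[0]))
        for i, (_gid, comps) in enumerate(ranked):
            if i >= max_subnodes:
                removed += len(comps)
                continue
            name = user if i == 0 else f"{user}#{i}"
            new_edges |= {(name, c) for c in comps}
        extra_nodes += min(len(ranked), max_subnodes) - 1
    return new_edges, extra_nodes, removed


if __name__ == "__main__":
    bag = build_bag(EVENTS)
    print("largest component:", len(components(bag)[0]), "computers")
    print("naive  (edges removed):", naive_partition(bag, 2)[1])
    print("splits (extra nodes, edges removed):", split_users(bag, GROUPS)[1:])
```

On this sample both approaches bring the largest component down from four computers to two; the naive baseline does it by revoking two accesses, the split by issuing one extra credential and revoking none.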

Methodology
- Leverage the edge removal partitioning strength of METIS
  - Edge weights: 1
  - Computer node weight: 1
  - User node weight: 0
  - A variety of k values used for k-way partitioning (more on this later)
- Evolutionary algorithm (EA) evolves a plan for splitting user nodes
- Enforce some limitations:
  - Can’t completely disconnect user nodes
  - Limit the number of times a user node can be split (in this work, user nodes can be split into at most 5 sub-nodes)

Evolutionary Algorithm
- General purpose black box search algorithm
- Population based
- Generate-and-test
- Easily parallelized

Multi-objective
- Solutions produce a trade-off between conflicting goals:
  - Minimize user impact
  - Minimize connected component size
  - Possibly others (e.g. maximize component diameter)
- If a desired trade-off is known, solutions can be evolved directly
- Desired trade-off is likely not known, or varies by application
- Instead, evolve a set of solutions with a variety of trade-off values
- End-user can choose a solution from this set, or use it to define the desired trade-off value

NSGA-II
- Non-dominated Sorting Genetic Algorithm-II (NSGA-II)
- Multi-objective evolutionary algorithm (MOEA)
- Used to evolve a set of BAG partition solutions
- Uses a variety of k-values for METIS’ k-way partitioning
  - Increases the diversity of solutions produced

Multi-objective Evolutionary Algorithm BAG Partition
- Method 1: Preserves computer adjacency but can connect components that were disconnected by METIS
- Method 2: Discards edges that would connect components that were disconnected by METIS

Multi-objective Evolutionary Algorithm BAG Partition
- LANL network BAG partitioned using multi-objective evolutionary algorithm
- 1962 (of 14822) computer nodes in the largest connected component (METIS: 1888)
- 1602 (of 106693) authentication edges removed by the partition (METIS: 43163)
- 13849 additional user nodes created by splitting
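
NSGA-II's non-dominated sorting step applied to the three results reported on these slides, showing why the output is a set of trade-offs rather than a single winner. This is an added example, not the presentation's code: treating edge removals, added user nodes and largest-component size as three separately minimised objectives is an assumption, and the two `cand-*` rows are constructed.

```python
# Objective vectors, all minimised:
#   (edges removed, user nodes added by splitting, computers in largest component)
# The first three rows are the figures reported on the slides; the cand-* rows
# are constructed to exercise the sort.
RESULTS = {
    "naive":  (91226, 0, 1998),
    "METIS":  (43163, 0, 1888),
    "MOEA":   (1602, 13849, 1962),
    "cand-A": (20000, 5000, 1900),
    "cand-B": (45000, 6000, 1950),
}


def dominates(a, b):
    """a dominates b: no worse in every objective, strictly better in one."""
    return all(x <= y for x, y in zip(a, b)) and any(x < y for x, y in zip(a, b))


def non_dominated_sort(points):
    """Return fronts as lists of names; front 0 is the Pareto set."""
    beats = {n: set() for n in points}   # n -> solutions that n dominates
    beaten_by = {n: 0 for n in points}   # n -> number of solutions dominating n
    for a in points:
        for b in points:
            if a != b and dominates(points[a], points[b]):
                beats[a].add(b)
                beaten_by[b] += 1
    fronts = []
    current = sorted(n for n in points if beaten_by[n] == 0)
    while current:
        fronts.append(current)
        nxt = []
        for a in current:
            for b in beats[a]:
                beaten_by[b] -= 1
                if beaten_by[b] == 0:   # every dominator is already ranked
                    nxt.append(b)
        current = sorted(nxt)
    return fronts


if __name__ == "__main__":
    for rank, front in enumerate(non_dominated_sort(RESULTS)):
        print(rank, front)
```

Under these objectives METIS dominates the naive baseline, while METIS and the MOEA result do not dominate each other: one revokes far more accesses, the other issues thousands of extra credentials.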

BAG Partition Results Comparison

| Method | Superior Percentage | Superior Percentage | Method |
|---|---|---|---|
| NSGA-II (1) | 98.84% | 1.06% | METIS |
| NSGA-II (2) | 88.03% | 9.78% | METIS |
| NSGA-II (1) | 42.01% | 56.09% | NSGA-II (2) |

A comparison of BAG partition objective trade-off results from the METIS approach as well as methods 1 and 2 with NSGA-II

Future Work
- Consider splitting computer nodes
  - Harder to implement than giving users additional credentials
  - Could be done with servers running virtual machines
- Use more detailed network data
  - Determine the purpose of a user’s access on a particular machine
  - Allocate a suitable replacement computer
- Evolve partition algorithms using genetic programming
  - (MO)EAs are slow
  - Invest a priori time to evolve fast partitioning algorithms

Take Home Message
- Network partitioning can mitigate potential damage caused by adversaries using pass-the-hash
- Current graph partitioning algorithms do not take advantage of the particular nature of BAGs
- Employing user node splits allows superior partitioning at all reasonable levels of user impact
- General purpose evolutionary computation can be used to solve the new problem of splitting user nodes