Transcript of Bipartite Authentication Graph Partitioning (web.mst.edu/.../EvoBAGPart_presentation.pdf)
Bipartite Authentication Graph Partitioning
Aaron Scott Pope
Aaron Scott Pope BAG Partitioning LA-UR-15-26864 1 / 26
Authentication
- Used to gain access to a machine
- Passwords are not usually exchanged
- Password is used to generate a hash
- Hash is compared to authenticate
- Hashed credentials are often stored in a cache
- Cache can be accessed on a compromised machine
- Hashes can be just as useful to an adversary as the actual password
Bipartite Authentication Graphs
Bipartite Authentication Graphs (BAGs)
- Bipartite Authentication Graph (BAG): a bipartite graph with two independent sets of nodes:
  - User nodes: represent a user account
  - Computer nodes: represent computers on the network
- Each edge connects a user node and a computer node and represents the account being used to access the computer.
- Edges could describe which credentials are contained in the cache
- This information isn’t usually available
- Graph can instead be built from previous authentication events
- Assume cache contains all previously used credentials (worst-case scenario)
Bipartite Authentication Graph Properties
- Connected components in a BAG can be traversed using pass-the-hash
- Having lots of small connected components is good
  - Adversary must find a way into each component
- Having a few large connected components is bad
  - Adversary only needs to access a few computers from the outside
- Higher diameter components require more “hops” to traverse
  - Each hop takes time and increases chance of detection
Creating Bipartite Authentication Graphs from Authentication Data
- Authentication data:
  - Format: Timestamp, UserID, ComputerID
  - Example:
    0, U1, C1
    1, U1, C2
    2, U2, C1
- Simplifying assumptions:
  - If U authenticates on computer C, assume U’s credentials are stored in computer C’s cache
  - User U’s credentials can only be used to access computers it has been seen accessing in the data
LANL Data BAG
- One month of LANL network authentication data
- 9924 user nodes
- 14822 computer nodes
- 106693 authentication edges
BAG Partitioning
Edge Removal Partitioning
- Edge removals can disconnect components and increase diameter
- Translates to revoking a user’s access to a particular machine
- Removing computer access impacts user productivity
- Desirable BAG partitions minimize the number of edge removals
- General minimum k-cut partition problem is NP-Complete
Naive Approach
- Iteratively “removes” highest degree node by removing incident edges
- Not intended as a real partition method
  - Removes an excessive amount of edges
- Extremely quick
- Provides a baseline for comparison

Naive Approach BAG Partition
- LANL network BAG partitioned using iterative node removal
- 1998 (of 14822) computer nodes in the largest connected component
- 91226 (of 106693) authentication edges removed
METIS
- Finds approximate minimum cost edge removal k-way partition
- Fast, parallel, multi-level partition algorithm
- Consists of three phases:
  - Coarsen: Repeatedly contract the graph until it is small
  - Partition: Find optimal partition of small graph
  - Uncoarsen: Repeatedly expand contracted nodes and refine partition by examining “border” nodes

METIS BAG Partition
- LANL network BAG partitioned using METIS k-way partitioning (k=9)
- 1888 (of 14822) computer nodes in the largest connected component
- 43163 (of 106693) authentication edges removed by the partition
User Splits
- An alternative to edge removals
- Split a user node into sub-nodes
- Corresponds to giving a user additional authentication credentials
- Different credentials are used to authenticate on different computers
- User retains access to all of their originally used computers
- Managing extra credentials can impact productivity
- User nodes can be split more than once (more sets of credentials)
- A trivial solution:
  - Every user gets new credentials for each computer they use
  - No component will contain more than a single computer node
- User node splits are limited to produce more practical solutions
Combining Edge Removals and User Splits
- Edge removals and user node splits can be combined
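As an added example (not code from the deck or its author), the steps above on one small constructed log: the worst-case BAG built from records in the deck's Timestamp, UserID, ComputerID format, connected components as the reach of a pass-the-hash chain, the naive highest-degree edge-removal baseline, and a user split that keeps every computer the user had. The seven events, the `user:`/`comp:` node prefixes and the split plan are assumptions of this example.

```python
from collections import defaultdict, deque

AUTH_EVENTS = [(0, "U1", "C1"), (1, "U1", "C2"), (2, "U2", "C1"), (3, "U2", "C3"),  # constructed sample
               (4, "U3", "C4"), (5, "U3", "C5"), (6, "U4", "C5")]                 # (Timestamp, UserID, ComputerID)

def build_bag(events):
    """Worst-case BAG: every (user, computer) pair ever seen is an edge (cache assumed to keep the hash)."""
    adj = defaultdict(set)
    for _, user, comp in events:
        adj["user:" + user].add("comp:" + comp)
        adj["comp:" + comp].add("user:" + user)
    return dict(adj)

def components(adj):
    """Connected components by BFS; each one is the reach of a single pass-the-hash chain."""
    seen, comps = set(), []
    for start in adj:
        if start not in seen:
            comp, queue = {start}, deque([start])
            while queue:
                for nbr in adj[queue.popleft()] - comp:
                    comp.add(nbr)
                    queue.append(nbr)
            seen |= comp
            comps.append(comp)
    return comps

def largest_computer_component(adj):  # the deck's main objective: computers in the biggest component
    return max(sum(n.startswith("comp:") for n in c) for c in components(adj))

def naive_partition(adj, max_computers):
    """Deck's baseline: strip all edges of the highest-degree node until every component is small enough."""
    adj, removed = {n: set(v) for n, v in adj.items()}, 0
    while largest_computer_component(adj) > max_computers:
        node = max(adj, key=lambda n: len(adj[n]))   # may be a user or a computer node
        for nbr in adj[node]:
            adj[nbr].discard(node)                   # revoke access along every incident edge
        removed += len(adj.pop(node))
    return adj, removed

def split_user(adj, user, groups):
    """User split: one sub-node (credential set) per computer group; the user loses no access."""
    old = "user:" + user
    allowed, adj = adj[old], {n: set(v) for n, v in adj.items() if n != old}
    subs = {f"{old}#{i}": {"comp:" + c for c in group} for i, group in enumerate(groups)}
    assert set().union(*subs.values()) == allowed, "sub-nodes must cover exactly the user's computers"
    for sub, comps in subs.items():
        adj[sub] = comps
        for comp in comps:
            adj[comp] = (adj[comp] - {old}) | {sub}  # re-point the computer at the new credential
    return adj
```

On this sample the baseline must revoke two edges to cap components at two computers, while splitting U1 into two credential sets reaches the same cap with no access removed, the same trade-off the deck reports at LANL scale.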
Methodology
- Leverage the edge removal partitioning strength of METIS
  - Edge weights: 1
  - Computer node weight: 1
  - User node weight: 0
  - A variety of k values used for k-way partitioning (more on this later)
- Evolutionary algorithm (EA) evolves a plan for splitting user nodes
- Enforce some limitations:
  - Can’t completely disconnect user nodes
  - Limit the number of times a user node can be split (in this work, user nodes can be split into at most 5 sub-nodes)
Evolutionary Algorithm
- General purpose black box search algorithm
- Population based
- Generate-and-test
- Easily parallelized
Multi-objective
- Solutions produce a trade-off between conflicting goals:
  - Minimize user impact
  - Minimize connected component size
  - Possibly others (e.g. maximize component diameter)
- If a desired trade-off is known, solutions can be evolved directly
- Desired trade-off is likely not known, or varies by application
- Instead, evolve a set of solutions with a variety of trade-off values
- End-user can choose a solution from this set, or use it to define the desired trade-off value

NSGA-II
- Non-dominated Sorting Genetic Algorithm-II (NSGA-II)
- Multi-objective evolutionary algorithm (MOEA)
- Used to evolve a set of BAG partition solutions
- Uses a variety of k-values for METIS’ k-way partitioning
  - Increases the diversity of solutions produced
Results
Multi-objective Evolutionary Algorithm BAG Partition
- Method 1: Preserves computer adjacency but can connect components that were disconnected by METIS
- Method 2: Discards edges that would connect components that were disconnected by METIS
- LANL network BAG partitioned using multi-objective evolutionary algorithm
- 1962 (of 14822) computer nodes in the largest connected component (METIS: 1888)
- 1602 (of 106693) authentication edges removed by the partition (METIS: 43163)
- 13849 additional user nodes created by splitting
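An added example (not from the deck) of the multi-objective idea in the Methodology section, applied to the three LANL results above: keep only the non-dominated partitions and let the end-user pick from that set under an impact budget. Treating user impact as edges removed plus sub-nodes created is an assumption of this example; the deck states no formula.

```python
# Objective vectors (user impact, computers in the largest component) built from the deck's reported
# numbers. ASSUMPTION: impact = edges removed + sub-nodes created; the deck gives no formula.
SOLUTIONS = {
    "naive":     (91226, 1998),
    "METIS k=9": (43163, 1888),
    "MOEA":      (1602 + 13849, 1962),
}

def dominates(a, b):
    """a dominates b when it is no worse on every objective and strictly better on at least one."""
    return all(x <= y for x, y in zip(a, b)) and a != b

def pareto_front(solutions):
    """Non-dominated set: the trade-off menu a multi-objective EA hands to the end-user."""
    return {name for name, obj in solutions.items()
            if not any(dominates(other, obj) for n, other in solutions.items() if n != name)}

def choose(solutions, impact_budget):
    """End-user choice: front member with the smallest largest component within the impact budget."""
    eligible = [(solutions[n][1], n) for n in pareto_front(solutions) if solutions[n][0] <= impact_budget]
    return min(eligible)[1] if eligible else None
```

The naive baseline is dominated by METIS on both objectives, while METIS and the MOEA solution are incomparable, which is why both survive as choices.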
BAG Partition Results Comparison
Superior Percentage
NSGA-II (1)   98.84%    1.06%   METIS
NSGA-II (2)   88.03%    9.78%   METIS
NSGA-II (1)   42.01%   56.09%   NSGA-II (2)
A comparison of BAG partition objective trade-off results from the METIS approach as well as methods 1 and 2 with NSGA-II
Future Work
- Consider splitting computer nodes
  - Harder to implement than giving users additional credentials
  - Could be done with servers running virtual machines
- Use more detailed network data
  - Determine the purpose of a user’s access on a particular machine
  - Allocate a suitable replacement computer
- Evolve partition algorithms using genetic programming
  - (MO)EAs are slow
  - Invest a priori time to evolve fast partitioning algorithms
Take Home Message
- Network partitioning can mitigate potential damage caused by adversaries using pass-the-hash
- Current graph partitioning algorithms do not take advantage of the particular nature of BAGs
- Employing user node splits allows superior partitioning at all reasonable levels of user impact
- General purpose evolutionary computation can be used to solve the new problem of splitting user nodes