Saved in:
Bibliographic Details
Main Authors: Ngo, Huy Q., Guo, Mingyu, Nguyen, Hung
Format: Preprint
Published: 2025
Subjects:
Online Access:https://arxiv.org/abs/2505.01028
Tags: Add Tag
No Tags, Be the first to tag this record!
_version_ 1866916716991217664
author Ngo, Huy Q.
Guo, Mingyu
Nguyen, Hung
author_facet Ngo, Huy Q.
Guo, Mingyu
Nguyen, Hung
contents Security vulnerabilities in Windows Active Directory (AD) systems are typically modeled using an attack graph and hardening AD systems involves an iterative workflow: security teams propose an edge to remove, and IT operations teams manually review these fixes before implementing the removal. As verification requires significant manual effort, we formulate an Adaptive Path Removal Problem to minimize the number of steps in this iterative removal process. In our model, a wizard proposes an attack path in each step and presents it as a set of multiple-choice options to the IT admin. The IT admin then selects one edge from the proposed set to remove. This process continues until the target $t$ is disconnected from source $s$ or the number of proposed paths reaches $B$. The model aims to optimize the human effort by minimizing the expected number of interactions between the IT admin and the security wizard. We first prove that the problem is $\mathcal{\#P}$-hard. We then propose a set of solutions including an exact algorithm, an approximate algorithm, and several scalable heuristics. Our best heuristic, called DPR, can operate effectively on larger-scale graphs compared to the exact algorithm and consistently outperforms the approximate algorithm across all graphs. We verify the effectiveness of our algorithms on several synthetic AD graphs and an AD attack graph collected from a real organization.
format Preprint
id arxiv_https___arxiv_org_abs_2505_01028
institution arXiv
publishDate 2025
record_format arxiv
spellingShingle Adaptive Wizard for Removing Cross-Tier Misconfigurations in Active Directory
Ngo, Huy Q.
Guo, Mingyu
Nguyen, Hung
Artificial Intelligence
Cryptography and Security
Security vulnerabilities in Windows Active Directory (AD) systems are typically modeled using an attack graph and hardening AD systems involves an iterative workflow: security teams propose an edge to remove, and IT operations teams manually review these fixes before implementing the removal. As verification requires significant manual effort, we formulate an Adaptive Path Removal Problem to minimize the number of steps in this iterative removal process. In our model, a wizard proposes an attack path in each step and presents it as a set of multiple-choice options to the IT admin. The IT admin then selects one edge from the proposed set to remove. This process continues until the target $t$ is disconnected from source $s$ or the number of proposed paths reaches $B$. The model aims to optimize the human effort by minimizing the expected number of interactions between the IT admin and the security wizard. We first prove that the problem is $\mathcal{\#P}$-hard. We then propose a set of solutions including an exact algorithm, an approximate algorithm, and several scalable heuristics. Our best heuristic, called DPR, can operate effectively on larger-scale graphs compared to the exact algorithm and consistently outperforms the approximate algorithm across all graphs. We verify the effectiveness of our algorithms on several synthetic AD graphs and an AD attack graph collected from a real organization.
title Adaptive Wizard for Removing Cross-Tier Misconfigurations in Active Directory
topic Artificial Intelligence
Cryptography and Security
url https://arxiv.org/abs/2505.01028