Co-Evolutionary Defence of Active Directory Attack Graphs via GNN-Approximated Dynamic Programming
Diksha Goel, Hussain Ahmad, Kristen Moore, and Mingyu Guo

TL;DR
This paper presents a novel co-evolutionary framework using GNN-approximated dynamic programming and evolutionary optimization to enhance Active Directory defense against adaptive attackers, demonstrating scalability and near-optimal results.
Contribution
It introduces a co-evolutionary defense framework combining GNN-based dynamic programming and evolutionary diversity optimization for adaptive AD attack graph defense.
Findings
Achieves near-optimal defense strategies on synthetic AD graphs.
Demonstrates scalability to larger graphs with improved performance.
Effectively models attacker-defender interactions as a Stackelberg game.
Abstract
Modern enterprise networks increasingly rely on Active Directory (AD) for identity and access management. However, this centralization exposes a single point of failure, allowing adversaries to compromise high-value assets. Existing AD defense approaches often assume static attacker behavior, but real-world adversaries adapt dynamically, rendering such methods brittle. To address this, we model attacker-defender interactions in AD as a Stackelberg game between an adaptive attacker and a proactive defender. We propose a co-evolutionary defense framework that combines Graph Neural Network Approximated Dynamic Programming (GNNDP) to model attacker strategies, with Evolutionary Diversity Optimization (EDO) to generate resilient blocking strategies. To ensure scalability, we introduce a Fixed-Parameter Tractable (FPT) graph reduction method that reduces complexity while preserving strategic…
Taxonomy
Topics: Advanced Graph Neural Networks · Software-Defined Networks and 5G · Adaptive Dynamic Programming Control
