Master Thesis

Active Directory (AD) is a crucial element of large organizations, given its central role in managing access to resources. However, since AD is used by all users in the organization, it is hard to detect attackers. We propose to generate and place fake users (honeyusers) in AD structures to help detect attacks. However, not any honeyuser will attract attackers. Our method generates honeyusers with a Variational Autoencoder that enriches the AD structure with well-positioned honeyusers. Our model first learns the embeddings of the original nodes and edges in the AD, then it uses a modified Bidirectional DAG-RNN to encode the parameters of the probability distribution of the latent space of node representations. Finally, it samples nodes from this distribution and uses an MLP to decide where the nodes are connected. The model was first evaluated by the similarity of the generated AD with the original AD, second by the positions of the new nodes, and finally making real intruders attack the AD structure enriched with honeyusers to see if they selected the honeyusers. Results show that our machine learning model is good enough to generate well-placed honeyusers for existing AD structures so that intruders are lured into them.

Url: https://dspace.cvut.cz/handle/10467/90247