Connected Components and Credential Hopping in Authentication Graphs

Cited by: 7
Authors
Hagberg, Aric [1]
Lemons, Nathan [1]
Kent, Alex [2]
Neil, Joshua [2]
Affiliations
[1] Los Alamos Natl Lab, Div Theoret, Ctr Nonlinear Studies, Los Alamos, NM 87545 USA
[2] Los Alamos Natl Lab, Adv Comp Solut, Los Alamos, NM 87545 USA
Keywords
RANDOM INTERSECTION GRAPHS;
DOI
10.1109/SITIS.2014.95
Chinese Library Classification number
TP18 [Artificial intelligence theory];
Subject classification codes
081104 ; 0812 ; 0835 ; 1405 ;
Abstract
Modern enterprise computer networks rely on centrally managed authentication schemes that allow users to easily communicate access credentials to many computer systems and applications. The authentication events typically consist of a user connecting to a computer with an authorized credential. These credentials are often cached on the application servers which creates a risk that they may be stolen and used to hop between computers in the network. We examine computer network risk associated with credential hopping by creating and studying the structure of the authentication graph, a bipartite graph built from authentication events. We assume that an authentication graph with many short paths between computers represents a network that is more vulnerable to such attacks. Under this natural assumption, we use a measure of graph connectivity, namely the size of the largest connected component, to give a quantitative indicator of the network's susceptibility to such attacks. Motivated by graph theoretical results for component sizes in random intersection graphs, we propose a mitigation strategy, and perform experiments simulating an implementation using data from a large enterprise network. The results lead to realistic, actionable risk reduction strategies. To facilitate continued research opportunities we are also providing our authentication bipartite graph data set spanning 9 months and 708 million time-series edge records.
Pages: 416-423
Page count: 8