🤖 AI Summary
To address the ineffectiveness of traditional static defenses against dynamically adaptive attackers in Active Directory (AD) networks, this paper formulates a Stackelberg game model between attacker and defender to enable co-evolution of strategic behaviors. We propose a novel framework integrating graph neural network–driven approximate dynamic programming with evolutionary diversity optimization. Additionally, we design a fixed-parameter tractable graph reduction method that preserves strategic structure, overcoming key limitations of static defenses—namely, poor generalizability and weak scalability. Experiments demonstrate that our approach achieves 99.9% optimality on the r500 graph; on large-scale r1000 and r2000 graphs, it significantly outperforms baseline methods while maintaining high solution accuracy, strong scalability, and robustness to strategic perturbations.
📝 Abstract
Modern enterprise networks increasingly rely on Active Directory (AD) for identity and access management. However, this centralization exposes a single point of failure, allowing adversaries to compromise high-value assets. Existing AD defense approaches often assume static attacker behavior, but real-world adversaries adapt dynamically, rendering such methods brittle. To address this, we model attacker-defender interactions in AD as a Stackelberg game between an adaptive attacker and a proactive defender. We propose a co-evolutionary defense framework that combines Graph Neural Network Approximated Dynamic Programming (GNNDP) to model attacker strategies, with Evolutionary Diversity Optimization (EDO) to generate resilient blocking strategies. To ensure scalability, we introduce a Fixed-Parameter Tractable (FPT) graph reduction method that reduces complexity while preserving strategic structure. Our framework jointly refines attacker and defender policies to improve generalization and prevent premature convergence. Experiments on synthetic AD graphs show near-optimal results (within 0.1 percent of optimality on r500) and improved performance on larger graphs (r1000 and r2000), demonstrating the framework's scalability and effectiveness.
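The abstract's central claim is that a defender who assumes a fixed attacker path is brittle, because the attacker re-routes around whatever gets blocked, whereas a Stackelberg defender chooses its blocking set against the attacker's best response. The following added example (my own illustration, not the paper's GNNDP, EDO or FPT code) makes that concrete on a small constructed AD-style attack graph: nodes are accounts and servers, directed edges are lateral-movement or escalation steps with an assumed success probability, the attacker maximises the product of probabilities along a path to the domain-admin node, and the defender may block a fixed budget of edges. The myopic defender repeatedly blocks the most likely hop on the attacker's current best path; the Stackelberg defender searches all blocking sets of the budget size for the one that minimises the attacker's best response. All node names, probabilities and the brute-force search are assumptions for the toy graph; the paper's own methods scale this idea with learned attacker models, evolutionary search and graph reduction.

```python
import heapq
import itertools

# Constructed toy attack graph: node -> {next_node: assumed success probability}.
# Entry accounts are user1..user3; "DA" is the domain-admin (high-value) node.
GRAPH = {
    "user1": {"srv1": 0.90, "srvH": 0.95},
    "user2": {"srvH": 0.90, "srv3": 0.60},
    "user3": {"srvH": 0.85},
    "srv1": {"DA": 0.85},
    "srvH": {"DA": 0.80},   # hub server: three entry accounts funnel through it
    "srv3": {"DA": 0.50},
}
ENTRIES = ("user1", "user2", "user3")
TARGET = "DA"


def all_edges(graph):
    """Every directed edge (u, v) the defender could block."""
    return [(u, v) for u, nxt in graph.items() for v in nxt]


def attacker_best_response(graph, entries, target, blocked=frozenset()):
    """Adaptive attacker: most likely path from any entry to target with blocked edges removed.
    Path success is the product of edge probabilities; since all probabilities are in (0, 1],
    a max-product Dijkstra (shortest path under -log weights) finds the optimum exactly.
    Returns (probability, path); (0.0, []) if the target is unreachable."""
    best = {e: 1.0 for e in entries}
    parent = {e: None for e in entries}
    heap = [(-1.0, e) for e in entries]
    heapq.heapify(heap)
    settled = set()
    while heap:
        neg_p, node = heapq.heappop(heap)
        if node in settled:
            continue
        settled.add(node)
        p = -neg_p
        if node == target:
            path, cur = [], node
            while cur is not None:
                path.append(cur)
                cur = parent[cur]
            return p, path[::-1]
        for nxt, q in graph.get(node, {}).items():
            if (node, nxt) in blocked:
                continue
            if p * q > best.get(nxt, 0.0):
                best[nxt] = p * q
                parent[nxt] = node
                heapq.heappush(heap, (-(p * q), nxt))
    return 0.0, []


def myopic_defense(graph, entries, target, budget):
    """Static-attacker assumption: look at the attacker's current best path, harden its most
    likely hop, repeat. Never asks where the attacker goes after the block."""
    blocked = set()
    for _ in range(budget):
        _, path = attacker_best_response(graph, entries, target, frozenset(blocked))
        if not path:
            break
        hops = list(zip(path, path[1:]))
        blocked.add(max(hops, key=lambda e: graph[e[0]][e[1]]))
    return frozenset(blocked)


def stackelberg_defense(graph, entries, target, budget):
    """Leader move: choose the blocking set whose attacker best response is lowest.
    Exhaustive over edge subsets, which is only feasible on a toy graph."""
    candidates = itertools.combinations(all_edges(graph), budget)
    return min(
        (frozenset(c) for c in candidates),
        key=lambda b: attacker_best_response(graph, entries, target, b)[0],
    )


def residual_risk(graph, entries, target, blocked):
    """Attacker's success probability once the defender's blocks are in place."""
    return attacker_best_response(graph, entries, target, blocked)[0]


if __name__ == "__main__":
    p0, path0 = attacker_best_response(GRAPH, ENTRIES, TARGET)
    print(f"no defense: {p0:.3f} via {' -> '.join(path0)}")
    for name, fn in (("myopic", myopic_defense), ("stackelberg", stackelberg_defense)):
        blocked = fn(GRAPH, ENTRIES, TARGET, budget=2)
        p, path = attacker_best_response(GRAPH, ENTRIES, TARGET, blocked)
        print(f"{name:12s} blocks {sorted(blocked)} -> attacker {p:.3f} via {' -> '.join(path)}")
```

With a budget of two blocks, the myopic defender spends both on user1's own hops and leaves the hub server reachable from user2, so the attacker still succeeds with probability 0.72; the Stackelberg defender cuts one hop of user1's direct path plus the shared hub edge, pushing the attacker's best response down to 0.30. The gap is exactly the "brittleness" the abstract refers to, and it is what the paper's co-evolution of attacker and defender policies is designed to close on graphs far too large for exhaustive search.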