Graph Neural Network-Guided TrapManager for Critical Path Identification and Decoy Deployment

Static honeypot deployment and one-shot attack-path analysis often become ineffective against adaptive adversaries because fixed decoy layouts are easy to fingerprint and risk estimates quickly go stale. This paper presents a unified, mathematically grounded TrapManager framework that couples graph representation learning with budget-constrained combinatorial optimization for dynamic cyber deception. We model attacker progression on vulnerability-based attack graphs and learn context-aware node embeddings using a Graph Attention Network (GAT) that fuses vulnerability-driven risk signals (e.g., CVSS-derived node scores) with structural features. The learned representations are used to estimate edge plausibility and rank candidate source–target routes at the path level. Given limited resources, we formulate pointTrap placement as a Mixed-Integer Programming (MIP) problem that maximizes the expected interception of high-risk paths while penalizing deployment cost under explicit budget constraints, including mandatory coverage of the top-ranked critical paths. To enable online adaptiveness, a pointTrap-triggered, event-driven feedback mechanism locally amplifies risk around alerted regions, updates path weights without retraining the GAT, and re-solves the MIP for rapid redeployment. Experiments on MulVAL-generated benchmark attack graphs and cross-domain transfer settings demonstrate fast convergence, strong discrimination between attack and non-attack edges, and early interception within a small number of hops even with minimal decoy budgets. Overall, the proposed framework provides a scalable and resource-efficient approach to closed-loop attack-path defense by integrating attention-based learning and integer optimization.