From Survivability To Risk Management

From Survivability To Risk Management. Near Optimal Defense Resource Allocation Strategies for Minimization of Information Leakage. Presented by Lillian Tseng. Outline. Introduction to Survivability and Risk Management Introduction to Model of Minimization of Maximal Damage.

Presentation Transcript


  1. From Survivability To Risk Management Near Optimal Defense Resource Allocation Strategies for Minimization of Information Leakage Presented by Lillian Tseng

  2. Outline • Introduction to Survivability and Risk Management • Introduction to Model of Minimization of Maximal Damage

  3. Introduction to survivability and risk management • Security & Survivability • Survivability Introduction • Quantitative Analysis for Survivability • Risk Management Introduction • Survivability & Risk Management

  4. Security & Survivability

  5. Survivability Introduction • Definition of survivability • Survivability is the capability of a system (including networks and large-scale systems) to fulfill its mission, in a timely manner, in the presence of attacks, failures, or accidents. Source: R. J. Ellison, D. A. Fisher, R. C. Linger, H. F. Lipson, T. A. Longstaff, and N. R. Mead, “Survivable Network Systems: An Emerging Discipline,” Technical Report CMU/SEI-97-TR-013, Software Engineering Institute, Carnegie Mellon University, November 1997 (Revised: May 1999).

  6. Survivability Introduction (Cont’d) • Survivability is the degree to which essential functions are still available even though some part of the system is down. Source: M. S. Deutsch and R. R. Willis, Software Quality Engineering: A Total Technical and Management Approach, Englewood Cliffs, NJ: Prentice-Hall, 1988.

  7. Survivability Introduction (Cont’d) • Survivability is a property of a system, subsystem, equipment, process, or procedure that provides a defined degree of assurance that the named entity will continue to function during and after a natural or man-made disturbance; e.g., nuclear burst. Note: For a given application, survivability must be qualified by specifying the range of conditions over which the entity will survive, the minimum acceptable level or post-disturbance functionality, and the maximum acceptable outage duration. Source: “Telecom Glossary 2000 (American National Standard, T1.523-2001),” Alliance for Telecommunications Industry Solutions, http://www.atis.org/tg2k/.

  8. Survivability Introduction (Cont’d) • Four components of survivability • System • Usage • Minimal level of service (survivability metrics) • Threats • Accidental threats (random errors) • Intentional or malicious threats (malicious attacks) • Catastrophic threats Source: V. R. Westmark, “A Definition for Information System Survivability,” Proceedings of the 37th IEEE Hawaii International Conference on System Sciences, Volume 9, p. 90303.1, 2004.

  9. Quantitative Analysis of Survivability

  10. Quantitative Analysis of Survivability (Cont’d) • Survivability functions • Expected survivability E[S] • Worst-case survivability SW • R-percentile survivability Sr • Zero survivability

  11. Risk Management Introduction • Risk • Combination of the probability of an event and its consequence (ISO/IEC Guide 73:2002). • The possibility of something adverse happening. • The function of the likelihood of a given threat-source’s exploiting a particular potential vulnerability. • The resulting impact of that adverse event on assets of the organization or on individuals. • In Business Continuity/Disaster Planning • Risk = Threat x Vulnerability x Asset

  12. Risk Management Introduction (Cont’d) • Risk management • The coordinated activities to direct and control an organization with regard to risk (ISO/IEC Guide 73:2002, BS7799-2:2002). • The process of identifying, controlling and minimizing or eliminating security risks that may affect information systems, for an acceptable cost (ISO/IEC 17799:2000). • The systematic application of management policies, procedures and practices to the tasks of analyzing, evaluating and treating risk (ISO 300-3-9:1995).

  13. Risk Management Introduction (Cont’d) • Stages of risk management • Risk assessment • Risk analysis • Source identification • Risk estimation • Risk evaluation • Risk treatment • Risk avoidance • Risk deduction • Risk transfer • Risk retention • Risk acceptance

  14. Risk Management Introduction (Cont’d)

  15. Survivability & Risk Management • Maximization of survivability ≣ Minimization of risk • Threats to survivability ≣ Sources of risk • Random errors • Malicious attacks • Through analyzing the survivability of networks quantitatively, we could also understand their risk levels in reality and enforce other activities belonging to risk management.

  16. Introduction to Model of Minimization of Maximal Damage • Background • Motivation • Problem Assumptions and Scenarios • Problem Description • Problem Notation • Problem Formulation • Problem Decomposition • Conclusions • Appendices

  17. Background • Information leakage is one of the most serious cyber-crimes. • No direct or immediate impact • Ignorance of the victims • Profound consequences • Network survivability comes to the front. • There’s no error-free or attack-proof system in the world. • Safe/compromised is not enough to describe the states of a system. • How well can a system sustain normal service under abnormal conditions?

  18. Motivation • Damage and loss incurred by information theft are unendurable. • What should network operators do to decrease the impact? • Understand the vulnerabilities of networks • Know your enemies • Model the real offense-defense game as a mathematical formulation. • DRAS model – Defense Resource Allocation Strategy (outer problem) • AS model – Attack Strategy (inner problem)

  19. Problem Assumptions and Scenarios – DRAS Model • The objective of the attacker is to maximize the total damage by constructing an “attack tree” of the targeted network. • The objective of the defender is to minimize the total damage by allocating a different budget to each node in the network. • Both the attacker and the defender have resource budget limitations. • Only node attacks are considered. • Only malicious attacks are considered (random errors are not considered). • A node is subject to attack only if a path exists from the attacker’s position to this node where all intermediate nodes on the path have been compromised. • A node is compromised if the attack power applied to the node is more than the defense power of the node.

  20. Attack Procedure

  21. Problem Description – DRAS Model • Given: • Defense Budget B • Attack Budget A • Damage di incurred by compromising node i • Attacker’s position s, which is connected to the target network • The network topology and the network size • Objective: • To minimize the maximized total damage • Subject to: • Total defense cost must be no more than B • Total attack cost must be no more than A • The node to be attacked must be connected to the existing attack tree • To determine: • Defender: budget allocation strategy • Attacker: which nodes will be attacked

  22. Problem Notation – DRAS Model • Given parameters:

  23. Problem Notation – DRAS Model (Cont’d) • Decision variables:

  24. Problem Formulation – DRAS Model • (IP 1) (IP 1.1) (IP 1.2) (IP 1.3) (IP 1.4) (IP 1.5) (IP 1.6) (IP 1.7) (IP 1.8) (IP 1.9) (IP 1.10) • Problem Formulation – AS Model • (IP 2) (IP 2.1) (IP 2.2) (IP 2.3) (IP 2.4) (IP 2.5) (IP 2.6) (IP 2.7) (IP 2.8) • Objective function: min – yi, ai

  25. Problem Description – AS Model • Solving the inner problem – AS model • Assume the budget allocation strategy is given, i.e. bi and are given parameters. • . • Maximize the total damage. • Transform maximization problem into minimization problem by adding a minus sign to objective function. • Using two-stage Lagrangian relaxation method to solve this problem.

  26. Problem Decomposition – First Stage • By applying the Lagrangean relaxation method, the primal problem (IP 2) can be transformed into a Lagrangean relaxation problem (LR 1) where constraints (2.1), (2.2), and (2.8) are relaxed. • Optimization Problem (LR 1): • The LR problem is further decomposed into two independent sub-problems.

  27. Problem Decomposition – First Stage (Cont’d) • Subproblem 1.1 (related to decision variable xp) • Subproblem 1.1 can further be decomposed into |W| independent problems. We apply Dijkstra’s shortest cost path algorithm once and optimally solve each independent problem. • (Sub 2.1) Subject to (Sub 2.1.1) (Sub 2.1.2) • Time Complexity

  28. Problem Decomposition – First Stage (Cont’d) • Subproblem 1.2 (related to decision variable yi) • Subproblem 1.2 can further be decomposed into |N| independent problems. We examine the parameter of each yi, and set it to 1 if the result is negative, 0 otherwise. • (Sub 1.2) Subject to (Sub 1.2.1) • Time Complexity

  29. Problem Decomposition – First Stage (Cont’d) • Subproblem 1.3 (related to decision variable ai) • Subproblem 1.3 can be viewed as a fractional knapsack problem, where is profit, and is weight. It can be solved optimally by the greedy method. • (Sub 1.3) Subject to (Sub 1.3.1) (Sub 1.3.2) • Time Complexity

  30. Problem Decomposition – Second Stage • By applying the Lagrangean relaxation method, the primal problem (IP 2) can be transformed into a Lagrangean relaxation problem (LR 2) where constraints (2.1), (2.2), and (2.7) are relaxed. • Optimization Problem (LR 2): • The LR problem is further decomposed into two independent sub-problems.

  31. Problem Decomposition – Second Stage (Cont’d) • Subproblem 2.1 (related to decision variable xp) • Subproblem 2.1 can further be decomposed into |W| independent problems. We apply Dijkstra’s shortest cost path algorithm once and optimally solve each independent problem. • (Sub 2.1) Subject to (Sub 2.1.1) (Sub 2.1.2) • Time Complexity

  32. Problem Decomposition – Second Stage (Cont’d) • Subproblem 2.2 (related to decision variables yi, ai) • Subproblem 2.2 can further be decomposed into |N| independent problems. We determine the value of each yi and ai by examining its associated parameters. • (Sub 2.2) Subject to (Sub 2.2.1) (Sub 2.2.2) (Sub 2.2.3) • Time Complexity

  33. Conclusions • Damage incurred by information leakage is the subject of both the DRAS and AS models. • Know your enemy and know yourself. The best solution of the DRAS model depends on the best solution of the AS model. • The AS model is a knapsack-like problem with a tree constraint.

  34. Conclusions (Cont’d) • Future work — DRAS model • Simulated annealing • Treat the LR result as the evaluation of the budget allocation policy decided by simulated annealing. • Neighbor searching • Pick an uncompromised node randomly and extract half of its allocated resources. Then distribute them evenly among the compromised nodes. • Subgradient-based algorithm • Extract a small amount of resources from uncompromised nodes, and allocate them to compromised nodes proportionally. • If the solution quality doesn’t improve within a certain iteration count, decrease the percentage of resources being extracted. • Compare the survivability of different defense resource allocation strategies.

  35. Appendix 1 • Scale-free networks • Can be characterized by P(k) ~ k^(-r). • Also known as power law distributions. • Internet, WWW, and other large networks are these kinds of networks. • The features of scale-free networks • Growth • Preferential attachment Source: R. Albert, H. Jeong, and A.-L. Barabási, “Error and Attack Tolerance of Complex Networks,” Nature, Volume 406, pp. 378-382, July 2000.

  36. Appendix 2 • The creation of inhomogeneous networks • Start with m0 nodes • At every time step t, a new node is introduced, connecting to m existing nodes in the network • The probability Πi that the new node is connected to node i depends on the connectivity ki of node i such that Πi = ki / Σ kj • For large t, the connectivity distribution follows P(k) = 2m^2/k^3.

  37. Appendix 3 • Cut-off property • Only part of the graph follows a power-law distribution. • “Scale-free” property • The slope (r) of the simulated line is not affected by the corresponding number of nodes.

  38. Appendix 4 • Initial state doesn’t matter • Growth property • New edge number (m) doesn’t matter • Different values of m only result in different total edge numbers. • The simulated lines for different values of m are parallel.

  39. Thanks for your listening^^
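
The offense-defense game of slides 19 and 21 can be worked through by exhaustive search on a small network. This is an added example, not code from the presentation: the topology, the damage values and the rule that compromising node i costs its defense budget plus one unit are assumptions, and brute force stands in for the Lagrangean relaxation used in the slides.

```python
# Added illustration; the sample network and the integer cost rule are assumptions.
EDGES = [("s", "a"), ("s", "b"), ("a", "c"), ("b", "c"), ("c", "d")]  # constructed topology
DAMAGE = {"a": 2, "b": 1, "c": 4, "d": 8}                             # constructed d_i values


def adjacency(edges):
    adj = {}
    for u, v in edges:
        adj.setdefault(u, set()).add(v)
        adj.setdefault(v, set()).add(u)
    return adj


def best_attack(edges, damage, defense, attack_budget, source="s"):
    """AS (inner) problem by exhaustive search: the maximum-damage node set that
    stays connected to the attacker's position and fits the attack budget."""
    adj = adjacency(edges)
    best = (0, frozenset())
    seen = {frozenset()}
    stack = [(frozenset(), 0)]
    while stack:
        tree, spent = stack.pop()
        total = sum(damage[n] for n in tree)
        if total > best[0]:
            best = (total, tree)
        # Only neighbours of the source or of already-compromised nodes are attackable.
        frontier = set().union(*(adj[n] for n in tree | {source})) - tree - {source}
        for node in sorted(frontier):
            cost = defense[node] + 1  # assumption: attack power must exceed defense by one unit
            grown = tree | {node}
            if spent + cost <= attack_budget and grown not in seen:
                seen.add(grown)
                stack.append((grown, spent + cost))
    return best


def allocations(nodes, budget):
    """Every way to split an integer defense budget across the nodes."""
    if len(nodes) == 1:
        yield {nodes[0]: budget}
        return
    for share in range(budget + 1):
        for rest in allocations(nodes[1:], budget - share):
            yield {nodes[0]: share, **rest}


def best_defense(edges, damage, defense_budget, attack_budget):
    """DRAS (outer) problem: the allocation whose worst-case damage is smallest."""
    scored = ((best_attack(edges, damage, alloc, attack_budget)[0], alloc)
              for alloc in allocations(sorted(damage), defense_budget))
    return min(scored, key=lambda pair: pair[0])
```

With B = 4 and A = 4 on this network, spreading the defense evenly leaves a worst-case damage of 6, while concentrating it on the cut node c lowers it to 3, because the high-damage node d then becomes unreachable.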