Modeling and Security Analysis of Enterprise Network Using Attack-defense Stochastic Game Petri Nets Presenter: Jen-Hua Chi Advisor: Frank, Yeong-Sung Lin
Agenda Part I Introduction (Game Theory, Petri Net) Part II Model Part III Enterprise Network Part IV Analysis and Conclusion
Introduction • Journal: Security and Communication Networks (Security Comm. Networks, 2013), Impact Factor: 0.414 • Author: Yuanzhuo Wang (王卓元)
Introduction • Enterprise network • Components: firewall, VPN, IDS/IPS, antivirus software, content monitoring • Goal: to prevent or counteract attacks more effectively
Introduction - ADSGN
Introduction - SGN • Game theory: Nash Equilibrium (NE) • Limitations of plain game-theoretic models: • they do not have enough modeling ability to describe the interaction relations between attacker and defender • existing modeling methods are nearly unable to model the dynamic behaviors because of the complexity of the state transitions • the full state space can be extremely large
Introduction - SGN • Stochastic Game Nets (SGN): - use the NE as part of the transition probabilities in the SGN model - build one model per player, then combine the models - work backwards over the attack and defense actions, which are interrelated with one another
Introduction - Stochastic Petri Net • A mathematical modeling language • A directed bipartite graph • Nodes: transitions and places; transitions represent events that may occur, places represent conditions • The directed arcs describe which places are pre- and/or post-conditions of which transitions
Introduction - Stochastic Petri Net • P is the set of states, called places: P = {P1, P2, P3, P4} • T is the set of transitions: T = {T1, T2} • M represents the marking, i.e. the number of tokens in each place; the initial marking is m0 = (1, 0, 2, 1) • Each transition has a firing rate (the firing delay is exponentially distributed with that rate)
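The slide gives P, T and m0 but shows the arcs and rates only as a figure. The following is an added example (not code from the slides or the paper) that implements the SPN semantics just described: enabling, token-moving firing, the race between enabled transitions, and the reachability graph. The arc structure and the rates 2.0/1.0 are assumptions chosen so the net stays bounded.

```python
"""Stochastic Petri net (SPN) semantics on the four-place net from the slide.

Added example (not from the slides or the paper). P = {P1..P4}, T = {T1, T2}
and m0 = (1, 0, 2, 1) are taken from the slide; the arcs and the firing
rates are ASSUMED because the slide only shows them as a figure.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

Marking = Tuple[int, ...]


@dataclass(frozen=True)
class Transition:
    name: str
    pre: Tuple[Tuple[int, int], ...]   # (place index, tokens consumed)
    post: Tuple[Tuple[int, int], ...]  # (place index, tokens produced)
    rate: float                        # exponential firing rate lambda


class SPN:
    def __init__(self, places: List[str], transitions: List[Transition]):
        self.places = places
        self.transitions = transitions

    def enabled(self, m: Marking) -> List[Transition]:
        """A transition is enabled when every input place holds enough tokens."""
        return [t for t in self.transitions
                if all(m[p] >= k for p, k in t.pre)]

    def fire(self, m: Marking, t: Transition) -> Marking:
        """Firing removes tokens from the input places and adds them to the
        output places (this is what 'transition firing' means on the slide)."""
        if t not in self.enabled(m):
            raise ValueError(f"{t.name} is not enabled in marking {m}")
        new = list(m)
        for p, k in t.pre:
            new[p] -= k
        for p, k in t.post:
            new[p] += k
        return tuple(new)

    def race(self, m: Marking) -> Tuple[float, Dict[str, float]]:
        """Race semantics of an SPN: the sojourn time in m is exponential with
        rate sum(lambda_t) over the enabled t, and t wins with lambda_t / sum."""
        en = self.enabled(m)
        total = sum(t.rate for t in en)
        if total == 0.0:
            return float("inf"), {}          # dead marking (absorbing)
        return 1.0 / total, {t.name: t.rate / total for t in en}

    def reachability(self, m0: Marking, limit: int = 10_000):
        """Enumerate markings reachable from m0 and the labelled edges between
        them; this graph is the CTMC on which measures such as MTTSB are computed."""
        seen: Set[Marking] = {m0}
        frontier = [m0]
        edges = []
        while frontier:
            m = frontier.pop()
            for t in self.enabled(m):
                n = self.fire(m, t)
                edges.append((m, t.name, n, t.rate))
                if n not in seen:
                    if len(seen) >= limit:
                        raise RuntimeError("net is unbounded or too large")
                    seen.add(n)
                    frontier.append(n)
        return seen, edges


# Assumed arc structure (hypothetical; the slide's figure is not on the page):
#   T1: P1 + P3 -> P1 + P2  (P1 is a read-only condition that is restored)
#   T2: P2 + P4 -> P3 + P4  (P4 likewise)
M0: Marking = (1, 0, 2, 1)
NET = SPN(
    ["P1", "P2", "P3", "P4"],
    [Transition("T1", pre=((0, 1), (2, 1)), post=((0, 1), (1, 1)), rate=2.0),
     Transition("T2", pre=((1, 1), (3, 1)), post=((2, 1), (3, 1)), rate=1.0)],
)

if __name__ == "__main__":
    states, edges = NET.reachability(M0)
    print("reachable markings:", sorted(states))
    for m in sorted(states):
        print(m, "mean sojourn / winner probabilities:", NET.race(m))
```

With these arcs only T1 is enabled in m0; in (1, 1, 1, 1) both transitions race, so the marking is left after a mean 1/3 time unit and T1 wins with probability 2/3. The reachability graph is the state space whose size the earlier slide warns about.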
Introduction - ADSGN • ADSGN is built according to the characteristics of network attack and defense actions • It is therefore suitable for investigating the complex and dynamic game-related issues in network attack and defense
Agenda Part I Introduction Part II Model Part III Enterprise Network Part IV Analysis and Conclusion
Definition 1 - Stochastic Game Nets • Nine-tuple vector SGN: • ... is the action set of player k
Definition 1 - Stochastic Game Nets • Each token s is assigned a reward vector h(s) = (h1(s), h2(s), ..., hn(s)), where hk(s) is the reward of player k in token s • Transition firing rates: each transition has a firing rate; firing a transition consists of removing tokens from a subset of places and adding them to another subset
Definition 1 - Stochastic Game Nets • A strategy for player k is described as a vector
Definition 2 - Stochastic Game Nets • An n-player game • Player k's utility is defined as: (p denotes the initial state of player k)
Definition 3 - Stochastic Game Nets • An NE is a vector such that
Definition 3 - ADSGN • Players: n = 2 • administrator, attacker • Each player has only one optimal strategy, and that strategy yields a lower utility for the other player • There exist some transitions ti such that ti corresponds to no action (an empty action)
Theorem 1 - ADSGN • For an ADSGN, if the two sets P and T contain finitely many elements, then there exists an NE under the setting of mixed strategies • P: places, which describe the states of the system
Modeling and analysis • Reward values R represent the reward gained by a player when an action is completed
Construction • First, build the model of each player, then combine the models • The combination merges the places p that denote the same meaning in the SGN models of different players; two cases arise: - case 1 - case 2
Construction – case1 • Inhibition type
Construction – case2 • Termination type
Utilities of players • Each player's objective is to maximize the expected return, k = 1, 2 • ... is the initial place of the strategy • ... is the discount index of the place
Utilities of players • Player k chooses an action using the probability distribution assigned to the current place • To determine the optimal defense strategy, we must find the NE
Calculation of the Nash Equilibrium: Continuous ACO (CACO) • For each place pi, the behavior is modeled as a matrix game Gi • rows: the action set of the attacker; columns: the action set of the administrator • If an attack action is chosen in place pi and the intrusion is successful and undetected, the system may move to another place pj, where the game continues
Calculation of the Nash equilibrium • U(pi) denotes the expected utility at place pi
Calculation of the Nash equilibrium • objective function
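The per-place matrix game above is the unit that CACO optimises. As an added example (not the paper's code, and not its CACO method), the 2x2 game at p2 is solved in closed form instead: first a pure-strategy check, then the indifference condition that yields the mixed NE. The action names follow the slides (attacker {a2 crack password, a7 empty}, administrator {d1 IDS scan, d6 empty}); the reward numbers are constructed for illustration.

```python
"""Nash equilibrium of the matrix game played at one place p_i of an ADSGN.

Added example, not the paper's code: the paper computes the NE with
continuous ant colony optimisation (CACO); here the 2x2 case is solved in
closed form (pure-strategy check, then the indifference condition), which is
enough to see what 'mixed strategy at a place' means. The action names follow
the slides for p2 (attacker {a2 crack password, a7 empty}, administrator
{d1 IDS scan, d6 empty}); the reward numbers are CONSTRUCTED.
"""
from typing import List, Tuple

Matrix = List[List[float]]

# Rows: attacker action (a2, a7); columns: administrator action (d1, d6).
# Assumed rewards: a detected crack costs the attacker, an undetected one
# pays off; an IDS scan has a small cost when no attack is under way.
A_ATT: Matrix = [[-2.0, 6.0],   # a2 vs (d1, d6)
                 [ 0.0, 0.0]]   # a7 vs (d1, d6)
B_DEF: Matrix = [[ 4.0, -6.0],  # (a2) vs d1, d6
                 [-1.0,  0.0]]  # (a7) vs d1, d6


def pure_nash(A: Matrix, B: Matrix) -> List[Tuple[int, int]]:
    """All pure-strategy NE (i, j): no player gains by a unilateral deviation."""
    eq = []
    for i in range(len(A)):
        for j in range(len(A[0])):
            att_ok = all(A[i][j] >= A[k][j] for k in range(len(A)))
            def_ok = all(B[i][j] >= B[i][l] for l in range(len(B[0])))
            if att_ok and def_ok:
                eq.append((i, j))
    return eq


def mixed_nash_2x2(A: Matrix, B: Matrix) -> Tuple[float, float]:
    """Mixed NE (p, q) of a 2x2 bimatrix game with no pure NE:
    p = P(attacker plays row 0), q = P(administrator plays column 0).
    Each player's mix is chosen to make the OTHER player indifferent."""
    den_q = A[0][0] - A[0][1] - A[1][0] + A[1][1]
    den_p = B[0][0] - B[1][0] - B[0][1] + B[1][1]
    if den_q == 0 or den_p == 0:
        raise ValueError("degenerate game; indifference condition undefined")
    q = (A[1][1] - A[0][1]) / den_q      # attacker indifferent between rows
    p = (B[1][1] - B[1][0]) / den_p      # administrator indifferent between columns
    if not (0.0 <= p <= 1.0 and 0.0 <= q <= 1.0):
        raise ValueError("no completely mixed NE; use pure_nash()")
    return p, q


def expected_payoffs(A: Matrix, B: Matrix, p: float, q: float) -> Tuple[float, float]:
    """Expected (attacker, administrator) reward under the mixed profile (p, q)."""
    w = [[p * q, p * (1 - q)], [(1 - p) * q, (1 - p) * (1 - q)]]
    ua = sum(w[i][j] * A[i][j] for i in range(2) for j in range(2))
    ud = sum(w[i][j] * B[i][j] for i in range(2) for j in range(2))
    return ua, ud


def is_nash(A: Matrix, B: Matrix, p: float, q: float, tol: float = 1e-9) -> bool:
    """Best-response check: no pure deviation improves either player's payoff."""
    ua, ud = expected_payoffs(A, B, p, q)
    att_rows = [A[i][0] * q + A[i][1] * (1 - q) for i in range(2)]
    def_cols = [B[0][j] * p + B[1][j] * (1 - p) for j in range(2)]
    return max(att_rows) <= ua + tol and max(def_cols) <= ud + tol


if __name__ == "__main__":
    print("pure NE:", pure_nash(A_ATT, B_DEF))           # none for these rewards
    p, q = mixed_nash_2x2(A_ATT, B_DEF)
    print(f"attacker cracks with prob {p:.3f}, IDS scans with prob {q:.3f}")
    print("expected rewards (attacker, admin):", expected_payoffs(A_ATT, B_DEF, p, q))
    print("verified NE:", is_nash(A_ATT, B_DEF, p, q))
```

For these rewards there is no pure NE: the administrator scans with probability 0.75, which drives the attacker's expected gain from cracking at p2 to exactly 0, and the attacker cracks only with probability 1/11. The `is_nash` check is the same best-response test a practitioner should run on any NE that an optimiser such as CACO reports, since a heuristic can stop at a non-equilibrium profile.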
Evaluation and analysis • Divide the place set into four parts, namely ... • MTFSB: mean time to first security breach • MTTSB: mean time to security breach
Agenda Part I Introduction Part II Model Part III Enterprise Network Part IV Analysis and Conclusion
Enterprise network • security process control structure
security process control structure (1) Scan the weak ports (attacker) (2) IDS detects the attack (administrator) (3) Administrator server orders the firewall and trap node (administrator) (4) The attacker enters the trap node (attacker) (5) The trap node returns false information to the attacker (administrator) (6) Obtain the evidence of the attacker (administrator) (7) The attacker cracks a common user's user name and password (attacker) (8) The attacker gains root privileges by manipulating the database (attacker) (9) The attacker installs the sniffer (attacker) (10) The administrator server orders the firewall and antivirus server to blockade the IP of the attacker and remove the sniffer (administrator)
security process control structure • From this process we obtain two action sets: the attacker's actions ai and the administrator's actions di
security process control structure • The ADSGN model is based on the following three assumptions: (1) the administrator does not know whether there is an attacker or not (2) the attacker may have several objectives and strategies that the defender does not know (3) not all of the attacker's actions can be observed by the defender
ADSGN Model of Enterprise Network • This model has six places: {p(normal), p(webserver with vulnerability), p(get general permission), p(get root permission), p(sniffer installing), p(information stolen)} = {p1, p2, p3, p4, p5, p6}
ADSGN Model of Enterprise Network • p2: webserver with vulnerability; p3: get general permission • a1: Scan vulnerability; a2: Crack password; a3: Attack database; a7: empty • d1: IDS scan; d2: Cheat attacker; d3: Get evidence; d6: empty
ADSGN Model of Enterprise Network • p4: get root permission; p5: sniffer installing • a4: Enhance permission; a5: Install sniffer; a7: empty • d1: IDS scan; d4: Blockade IP; d5: Remove sniffer; d6: empty
ADSGN Model of Enterprise Network • p6: information stolen • a6: Install sniffer; a7: empty • d1: IDS scan; d4: Blockade IP; d5: Remove sniffer; d6: empty
Agenda Part I Introduction Part II Model Part III Enterprise Network Part IV Analysis and Conclusion (MTTSB, MTTFB, attack rate)