
Presenter: Jen-Hua Chi Advisor: Frank, Yeong-Sung Lin

Modeling and Security Analysis of Enterprise Network Using Attack-defense Stochastic Game Petri Nets. Presenter: Jen-Hua Chi Advisor: Frank, Yeong-Sung Lin. Agenda. Part I Introduction (Game Theory, Petri Net) Part II Model Part III Enterprise Network


Presentation Transcript


  1. Modeling and Security Analysis of Enterprise Network Using Attack-defense Stochastic Game Petri Nets Presenter: Jen-Hua Chi Advisor: Frank, Yeong-Sung Lin

  2. Agenda Part I Introduction (Game Theory, Petri Net) Part II Model Part III Enterprise Network Part IV Analysis and Conclusion

  3. Introduction • Journal: • Security and Communication Networks • Security Comm. Networks 2013 • Impact Factor: 0.414 • Author: • Yuanzhuo Wang (王卓元)

  4. Introduction • Enterprise network • firewall, VPN, IDS/IPS, antivirus software, content monitoring • prevent or counteract attacks more effectively

  5. Introduction - ADSGN

  6. Introduction - SGN • Game Theory: • Nash Equilibrium (NE) • Limitations: • do not have enough modeling abilities to describe interaction relations • existing modeling methods are nearly impossible to model the dynamic behaviors because of the complexity of state transitions • the full state space can be extremely large

  7. Introduction- SGN • Stochastic Game Nets: - use of the NE as part of the transition probabilities in SGN models - build player models => combine - backwards: attack and defense actions that are interrelated with one another

  8. Introduction - Stochastic Petri Net • Mathematical modeling languages • directed bipartite graph • nodes: transitions and places • transitions: events that may occur • places: conditions • The directed arcs describe which places are pre- and/or postconditions for which transitions.

  9. Introduction - Stochastic Petri Net • P is a set of states, called places. • P = {P1, P2, P3, P4} • T is a set of transitions. • T = {T1, T2} • M represents the number of tokens • m0 = {1, 0, 2, 1} • Transition firing rates

  10. Introduction - ADSGN • According to the characteristics of the network attack and defense actions • suitable to investigate the complex and dynamic game-related issues in network attack

  11. Agenda Part I Introduction Part II Model Part III Enterprise Network Part IV Analysis and Conclusion

  12. Definition - Stochastic Game Nets • Nine-tuple vector SGN: is the action set of player k

  13. Definition 1 - Stochastic Game Nets • Nine-tuple vector SGN:

  14. Definition - Stochastic Game Nets • Nine-tuple vector SGN:

  15. Definition - Stochastic Game Nets • Each token s is assigned a reward vector h(s) = (h1(s), h2(s), ..., hn(s)), where hk(s) is the reward of player k in token s • Transition firing rates: • consists of removing tokens from a subset of places and adding them to another subset

  16. Definition - Stochastic Game Nets • a strategy for player k is described as a vector

  17. Definition 2 - Stochastic Game Nets (p denotes the initial state of player k) • An n-player game • Player k's utility is defined as:

  18. Definition 3 - Stochastic Game Nets • NE is a vector • such that

  19. Definition 3 - ADSGN • Players: n => 2 • administrator, attacker • Each player has only one best strategy, and that strategy yields lower utility for the other player • there exist some transitions ti such that ti is no action

  20. Theorem 1 - ADSGN • For an ADSGN, if the two sets P and T contain finite elements, then there exists an NE under the setting of mixed strategies. • P: places • describe the states of the system

  21. Modeling and analysis • Reward values R • represent the reward gained by the player when an action is completed

  22. Construction • First: players' models => combine the models • combining the places p that denote the same meanings in SGN models of different players: - case1 - case2

  23. Construction – case1 • Inhibition type

  24. Construction – case2 • Termination type

  25. Utilities of players • each player's objective is to maximize the expected return k = 1, 2 • is the initial place of strategy • is the discount index of place

  26. Utilities of players • player k chooses an action using the probability distribution at place • In order to determine the optimal defense strategy, we must find the NE

  27. Calculation of the Nash Equilibrium Continuous ACO (CACO) • For each place pi, the behavior is modeled as a matrix game Gi • action sets of the attacker • action sets of the administrator • if an attack action is chosen in place pi and the intrusion is successful and undetected, the system may transfer to another place pj where the game can continue

  28. Calculation of the Nash equilibrium U(pi) to denote the expected utility at place pi

  29. Calculation of the Nash equilibrium

  30. Calculation of the Nash equilibrium • objective function

  31. Evaluation and analysis • divide the place set into four parts, namely • MTFSB: mean time to first security breach • MTTSB: mean time to security breach

  32. Agenda Part I Introduction Part II Model Part III Enterprise Network Part IV Analysis and Conclusion

  33. Enterprise network • security process control structure

  34. security process control structure (1) Scan the weak ports (attacker) (2) IDS detects the attack (administrator) (3) Administrator server orders the firewall and trap node (administrator) (4) The attacker enters the trap node (attacker) (5) The trap node returns the false information to the attacker (administrator) (6) obtain the evidence of the attacker (administrator)

  35. security process control structure (7) cracks a common user’s user name and password (attacker) (8) The attacker gets the competence of root by handling the database (attacker) (9) The attacker installs the sniffer (attacker) (10) The administrator server orders the firewall and antivirus server to blockade the IP of the attacker and remove the sniffer (administrator)

  36. security process control structure • we have two action sets

  37. security process control structure • ADSGN model is based on the following three assumptions (1) the administrator does not know whether there is an attacker or not (2) the attacker may have several objectives and strategies that the defender does not know (3) not all of the attacker's actions can be observed by the defender

  38. ADSGN Model of Enterprise Network • This model has six places {p(normal), p(webserver with vulnerability), p(get general permission), p(get root permission), p(sniffer installing), p(information stolen)} = {p1, p2, p3, p4, p5, p6}

  39. ADSGN Model of Enterprise Network • p2: webserver with vulnerability • p3: get general permission • a1: Scan vulnerability; a2: Crack password; a3: Attack database; a7: empty • d1: IDS scan; d2: Cheat attacker; d3: Get evidence; d6: empty

  40. ADSGN Model of Enterprise Network • p4: get root permission • p5: sniffer installing • a4: Enhance permission; a5: Install sniffer; a7: empty • d1: IDS scan; d4: Blockade IP; d5: Remove sniffer; d6: empty

  41. ADSGN Model of Enterprise Network • p6: information stolen • a6: Install sniffer; a7: empty • d1: IDS scan; d4: Blockade IP; d5: Remove sniffer; d6: empty

  42. Model-attacker

  43. Model - administrator

  44. Model - combine

  45. Agenda Part I Introduction Part II Model Part III Enterprise Network Part IV Analysis and Conclusion (MTTSB, MTTFB, attack rate)

  46. Experimental Security Analysis

  47. Experimental Security Analysis

  48. Experimental Security Analysis

  49. Experimental Security Analysis

  50. Experimental Security Analysis
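
Slides 31 and 38 name the breach-time metrics and the six places of the enterprise model. As an added example (not taken from the presentation or the paper), the sketch below computes the mean time for a token starting in p1 to first reach p6 by solving the absorbing-chain equations exactly. The arcs between places, the firing rates, and the choice of p6 as the breach place are constructed assumptions.

```python
from fractions import Fraction

# Places from slide 38. Treating p6 (information stolen) as the breach
# place is an assumption of this example.
PLACES = ["p1", "p2", "p3", "p4", "p5", "p6"]

def build_rates(defense_rate):
    """Constructed firing rates (per hour), not values from the paper.
    Attacker transitions move the token forward; defender transitions
    (assumed to exist at p3, p4, p5) return it to p1."""
    d = Fraction(defense_rate)
    return {
        ("p1", "p2"): Fraction(2), ("p2", "p3"): Fraction(1),
        ("p3", "p4"): Fraction(1), ("p3", "p1"): d,
        ("p4", "p5"): Fraction(1), ("p4", "p1"): d,
        ("p5", "p6"): Fraction(1), ("p5", "p1"): d,
    }

def mean_time_to_breach(rates, breach="p6"):
    """Expected time to first reach `breach` from each other place.
    Solves q_i*t_i - sum_j q_ij*t_j = 1 with t_breach = 0."""
    trans = [p for p in PLACES if p != breach]
    idx = {p: k for k, p in enumerate(trans)}
    n = len(trans)
    A = [[Fraction(0)] * n + [Fraction(1)] for _ in trans]  # augmented
    for (src, dst), q in rates.items():
        if src == breach:
            continue
        A[idx[src]][idx[src]] += q          # total exit rate q_i
        if dst != breach:
            A[idx[src]][idx[dst]] -= q      # flow into another transient place
    for c in range(n):                      # Gauss-Jordan, exact arithmetic
        piv = next(r for r in range(c, n) if A[r][c] != 0)
        A[c], A[piv] = A[piv], A[c]
        A[c] = [x / A[c][c] for x in A[c]]
        for r in range(n):
            if r != c and A[r][c] != 0:
                f = A[r][c]
                A[r] = [x - f * y for x, y in zip(A[r], A[c])]
    return {p: A[idx[p]][n] for p in trans}

if __name__ == "__main__":
    for d in (1, 2):
        t = mean_time_to_breach(build_rates(d))
        print(f"defense rate {d}/h: mean time p1 -> p6 = {float(t['p1'])} h")
```

With these constructed rates, doubling the defender's response rate raises the mean time to breach from p1 by more than a factor of two, because every reset forces the attacker to repeat the whole chain.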
