Research Direction Introduction
Advisor: Frank, Yeong-Sung Lin
Presented by Hui-Yu Chung

Agenda
• Problem Description
• Mathematical Formulation
Problem description
• Network survivability
• Attackers
  • Use worms to obtain a clearer map of the network topology and its vulnerabilities, and eventually compromise core nodes.
• Defenders
  • Protect core nodes and keep the QoS delivered to legitimate users above a certain level.

Problem description
• Collaborative attack
  • One commander and a group of attackers
• Attack and defense mechanisms
  • Worm attack
    • Different types of worms
  • Worm defense
    • Worm signatures, worm origin identification, rate limiting, firewall reconfiguration

Collaborative attack
• Synergies result from a collaborative attack
• Synergies can be positive or negative
• Positive synergies
  • Less time needed to compromise a node
  • Less cost needed to compromise a node
• Negative synergies
  • Easier for the defender to detect

Attacker attribute
• Attacker's goal
  • Service disruption
  • Stealing confidential information
• Per-hop decision criteria
  • The commander has to make a per-hop decision before every attack event
  • Period decision, aggressiveness, number of attackers, which attackers to use, which hops to attack
Figure: Early stage. Network diagram of AS nodes A to T. Legend: AS Node, Commander, Core AS Node, Firewall, Decentralized Information Sharing System, Attacker, Compromised.
Figure: Worm injection. Same network; the attacker injects a Type I Worm.
Figure: Worm propagation. Same network; self-propagation of the Type I Worm.
Figure: Late stage. Same network; legend adds Rate limiting, Detection alarm, Type II Worm, Firewall reconfiguration.
Attacker budget
• Preparing phase: worm injection
  • Worm purchase / refinement / development
    • Worms with a better scanning method, higher capability and a faster propagation rate need a higher budget to inject
  • Social engineering
    • Number of edge nodes
    • Number of hops from each core node to the edge nodes

Attacker budget
• Attacking phase: node compromising
  • During every attack event, the commander selects the attackers according to their attack resources
  • The contest success function determines the required attack resource
    • Given: aggressiveness (preferred success probability), t, m
    • To be determined: T
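The slide leaves the contest success function implicit. The added example below (not part of the original slides) assumes the common ratio form P = T^m / (T^m + t^m), where T is the attack resource, t the defense resource and m the contest intensity, inverts it for the attack energy T that yields the commander's chosen aggressiveness, and then picks the cheapest attacker whose energy covers it. The attacker list and the `energy` values are constructed for the example; how the slides derive energy from capability and budget is not modelled here.

```python
import math


def contest_success_probability(T, t, m):
    """Probability that attack resource T defeats defense resource t under the
    ratio-form contest success function T^m / (T^m + t^m) (assumed form)."""
    if T <= 0:
        return 0.0
    return T ** m / (T ** m + t ** m)


def required_attack_resource(aggressiveness, t, m):
    """Invert the contest success function: the attack energy T the commander
    must commit so that the success probability equals the aggressiveness p.
    From p = T^m / (T^m + t^m) it follows that T = t * (p / (1 - p))^(1 / m)."""
    if not 0.0 < aggressiveness < 1.0:
        raise ValueError("aggressiveness must be strictly between 0 and 1")
    return t * (aggressiveness / (1.0 - aggressiveness)) ** (1.0 / m)


# Constructed attacker pool: each attacker has a fixed attack energy (hypothetical values).
ATTACKERS = [
    {"name": "alpha", "energy": 30.0},
    {"name": "beta", "energy": 45.0},
    {"name": "gamma", "energy": 80.0},
]


def select_attacker(attackers, required_T):
    """Pick the cheapest attacker whose energy covers required_T, or None if nobody can."""
    capable = [a for a in attackers if a["energy"] >= required_T]
    if not capable:
        return None
    return min(capable, key=lambda a: a["energy"])


def plan_attack_event(aggressiveness, t, m, attackers=ATTACKERS):
    """One per-hop decision: required energy T for the chosen aggressiveness and
    the attacker (if any) assigned to it."""
    T = required_attack_resource(aggressiveness, t, m)
    return T, select_attacker(attackers, T)


if __name__ == "__main__":
    # A defender node holding t = 10 units, contest intensity m = 1.5.
    for p in (0.5, 0.8, 0.95):
        T, attacker = plan_attack_event(p, t=10.0, m=1.5)
        who = attacker["name"] if attacker else "no attacker strong enough"
        print(f"aggressiveness {p:.2f}: need T = {T:6.2f} -> {who}")
```

Raising the defense resource t on a node scales the required T linearly, which is the lever the defender's general defense resource allocation pulls; a higher m makes the outcome more sensitive to the ratio T/t.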
Defender attribute
• Planning phase
  • Node protection
    • General defense resource allocation
  • Decentralized information sharing system deployment
    • Special defense resource allocation

Defender attribute
• Defending phase
  • Distributed information sharing system
    • Worm signature generation
    • Rate limiting
    • Worm origin identification
    • Firewall reconfiguration
    • Topology reconfiguration
Figure: Scenarios. Network diagram of AS nodes A to T showing worm origin identification and dynamic topology reconfiguration. Legend: AS Node, Commander, Rate limiting, Core AS Node, Firewall, Decentralized Information Sharing System, Attacker, Type I Worm, Detection alarm, Type II Worm, Firewall reconfiguration.
Time issue
• Compromise time
  • The state-space predator model is used as the attack model to estimate the MTTC (Mean Time-to-Compromise) of the system
  • Three levels of attacker capability
    • Beginner
    • Intermediate attacker
    • Expert attacker
Reference: David John Leversage and Eric James Byres, "Estimating a System's Mean Time-to-Compromise", IEEE Security & Privacy, vol. 6, no. 1, pp. 52-60, January/February 2008.

Time issue
• Worm propagation time
  • The time needed for worm propagation follows the two-factor model
  • The model takes human countermeasures and network countermeasures into account, namely an increasing removal rate and a decreasing infection rate
Figure: two-factor model diagram. Labels: number of hosts removed from the infectious hosts; people's awareness of the worm; number of hosts removed from the susceptible hosts.

Time issue
• Other time issues
  • Attacker
    • Recovery time
  • Defender
    • Signature propagation time
    • Reconfiguration impact on QoS
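To make the worm propagation slide concrete, the following added example (not from the original slides) simulates the two-factor worm model in the form published by Zou, Gong and Towsley: S susceptible, I infectious, R hosts removed from the infectious population, Q hosts removed from the susceptible population, with infection rate β(t) = β0 (1 - I/N)^η falling as the worm is noticed and removal from S driven by awareness μ S (I + R). All parameter values are constructed for the illustration.

```python
def simulate_two_factor_worm(N=10_000, I0=10, beta0=0.8 / 10_000, gamma=0.05,
                             mu=0.03 / 10_000, eta=3, dt=0.1, t_max=200.0):
    """Forward-Euler simulation of the two-factor worm model.

    dS/dt = -beta(t) S I - dQ/dt        (susceptible)
    dI/dt =  beta(t) S I - dR/dt        (infectious)
    dR/dt =  gamma I                    (removed from infectious: patched/cleaned)
    dQ/dt =  mu S (I + R)               (removed from susceptible: patched before infection)
    beta(t) = beta0 (1 - I/N)^eta       (network countermeasures slow the scan rate)

    Setting mu = 0 and eta = 0 recovers the classic SIR epidemic.
    Returns summary statistics plus the full trajectory (constructed parameters).
    """
    S, I, R, Q = float(N - I0), float(I0), 0.0, 0.0
    t = 0.0
    peak_infected, peak_time = I, 0.0
    history = [(t, S, I, R, Q)]
    for _ in range(int(round(t_max / dt))):
        J = I + R                                   # hosts that are or were infectious
        beta = beta0 * (1.0 - I / N) ** eta         # infection rate decreases with awareness
        new_infections = min(beta * S * I * dt, S)  # never infect more hosts than exist
        dQ = min(mu * S * J * dt, S - new_infections)
        dR = gamma * I * dt
        S -= new_infections + dQ
        I += new_infections - dR
        R += dR
        Q += dQ
        t += dt
        history.append((t, S, I, R, Q))
        if I > peak_infected:
            peak_infected, peak_time = I, t
    return {
        "peak_infected": peak_infected,
        "peak_time": peak_time,
        "final_infected": I,
        "final_susceptible": S,
        "final_total": S + I + R + Q,   # conserved: nothing leaves the population
        "history": history,
    }


def time_to_reach(result, fraction):
    """First simulated time at which the cumulative infected share (I + R) / N
    reaches `fraction`, or None if it never does. Useful as a propagation-time estimate."""
    total = result["final_total"]
    for t, _s, i, r, _q in result["history"]:
        if (i + r) / total >= fraction:
            return t
    return None


if __name__ == "__main__":
    with_cm = simulate_two_factor_worm()
    no_cm = simulate_two_factor_worm(mu=0.0, eta=0)
    print(f"SIR baseline: peak I = {no_cm['peak_infected']:.0f} at t = {no_cm['peak_time']:.1f}")
    print(f"Two-factor:   peak I = {with_cm['peak_infected']:.0f} at t = {with_cm['peak_time']:.1f}")
    print(f"Time to 50% ever-infected, two-factor: {time_to_reach(with_cm, 0.5)}")
```

The comparison run shows the effect the slide describes: with the awareness terms switched on, the peak number of infectious hosts drops and the propagation flattens, which is the quantity the commander's timing decisions and the defender's signature propagation time are measured against.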
Agenda
• Problem Description
• Mathematical Formulation

Description
• Objective:
  • To minimize the maximized service-compromised probability
• Given:
  • Total defense budget and attacker budget
  • The cost of constructing each defense or attack mechanism
  • QoS requirement
• To be determined:
  • Attack and defense strategies
  • Attack and defense resource allocation scheme
Assumptions
• There is a large enterprise network consisting of many LANs, so the network is viewed at the AS level.
• There is at least one core node in the network. Each core node is responsible for a service.
• The defender has complete information about the network, for example the topology, the defense resource allocation and node attributes.
• There is an overlay network on the defender-protected network, used to deploy the detection nodes.
• The commanders have incomplete information about the network. For example, the commanders are not aware of which nodes in the network have deployed detection nodes.
• There are two types of defense resources. The first type is fixed defense resources, including general defense resources on each node and the detection nodes on specific nodes. The second type is dynamic defense resources, including worm signature generation.

Assumptions
• The defender has several response strategies that can be applied without expending defense budget, for example rate limiting, worm origin identification, firewall reconfiguration and dynamic topology reconfiguration. However, some of these response strategies may decrease the QoS level.
• A node is only subject to attack if there exists a path from the commander's position to that node and all the intermediate nodes on the path have been compromised.
• Whether a node is compromised successfully is determined by the contest success function.
• In the attack-defense scenario, all worm types are unknown before the defender detects them and generates signatures.
• The commander may inject the same worm again as long as that worm has not yet been detected.

Assumptions
• The status of every node is susceptible (S) before a new type of worm is detected.
• Only nodes equipped with the distributed information sharing system are able to generate signatures.
• Only nodes equipped with the distributed information sharing system are able to enable the rate limiting mechanism.
• Only surviving nodes are able to activate dynamic topology reconfiguration.
• The signature generation and distribution process is activated if the confidence level exceeds a certain threshold.
• There is no link attack in this scenario.
Attacker decisions
• How is the attacker energy T determined?
  • Each attacker's attack energy T is computed from that attacker's capability and budget
  • Given the aggressiveness, the commander determines an attack success probability
  • Given the success probability, the commander derives from the contest success function the value T needed in the attack event, and then chooses a suitable attacker with that attack power T

Attacker decisions
• Maximum time to compromise a node, tfail
  • A decision variable for the attacker
  • If the node is not compromised by time tfail, the attacker is regarded as having failed during this attack event
  • The stop-loss point for the attacker
The number of attackers
• uij: the number of attacker subordinates in the attack group launching the jth attack on service i, where i ∈ S, 1 ≤ j ≤ Fi
Figure: example attack groups. G1: A, B, D; G2: C, G; G3: E, F, H, I, J; G4: C, G, K, L. F1 = 3, F2 = 2, F3 = 3; u12 = 5.

Degree of collaboration
• vij: degree of collaboration of attacker group j targeting service i, which affects the effectiveness of the synergy
• Time aspect
  • When vij ↑ → μt ↓, σt ↓
• Cost aspect
  • vij ↑ → S(vij) ↑
Figure: probability distribution of the compromise time (axis: Time).
Attacker decisions
• Combine tfail with the attacker's aggressiveness
• Make the attack success probability equal to the accumulated probability from 0 to tfail
Figure: illustration of the probability distribution of t/T and the contest success function, with parameters μt, σt.

Attacker decisions
• Aggressiveness probability = accumulated area of the PDF up to tfail
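The two slides above define tfail implicitly: it is the point where the accumulated area of the compromise-time PDF equals the chosen aggressiveness. The added example below (not from the original slides) assumes the compromise time is normally distributed with the slide's parameters μt and σt, truncated at zero because a compromise cannot take negative time; it evaluates the accumulated area both numerically (trapezoid rule over the PDF) and in closed form, and solves for tfail by bisection. The parameter values used are constructed.

```python
import math


def normal_cdf(x, mu, sigma):
    """Standard closed-form normal CDF via the error function."""
    return 0.5 * (1.0 + math.erf((x - mu) / (sigma * math.sqrt(2.0))))


def normal_pdf(x, mu, sigma):
    z = (x - mu) / sigma
    return math.exp(-0.5 * z * z) / (sigma * math.sqrt(2.0 * math.pi))


def compromise_prob_within(tfail, mu_t, sigma_t):
    """Accumulated area of the compromise-time PDF from 0 to tfail.
    Assumed model: Normal(mu_t, sigma_t) truncated at 0 (constructed assumption)."""
    if tfail <= 0.0:
        return 0.0
    mass_below_zero = normal_cdf(0.0, mu_t, sigma_t)
    return (normal_cdf(tfail, mu_t, sigma_t) - mass_below_zero) / (1.0 - mass_below_zero)


def pdf_area_numeric(tfail, mu_t, sigma_t, n=20_000):
    """Same quantity by trapezoid integration of the truncated PDF, mirroring the
    'area of the PDF' picture on the slide; used here as a cross-check."""
    if tfail <= 0.0:
        return 0.0
    norm = 1.0 - normal_cdf(0.0, mu_t, sigma_t)   # renormalise after truncation at 0
    h = tfail / n
    total = 0.5 * (normal_pdf(0.0, mu_t, sigma_t) + normal_pdf(tfail, mu_t, sigma_t))
    for k in range(1, n):
        total += normal_pdf(k * h, mu_t, sigma_t)
    return total * h / norm


def tfail_for_aggressiveness(aggressiveness, mu_t, sigma_t, iterations=100):
    """Stop-loss time tfail such that P(compromise time <= tfail) == aggressiveness.
    Bisection on the monotone CDF; returns the stop-loss point."""
    if not 0.0 < aggressiveness < 1.0:
        raise ValueError("aggressiveness must be strictly between 0 and 1")
    lo, hi = 0.0, mu_t + 10.0 * sigma_t
    while compromise_prob_within(hi, mu_t, sigma_t) < aggressiveness:
        hi *= 2.0
    for _ in range(iterations):
        mid = 0.5 * (lo + hi)
        if compromise_prob_within(mid, mu_t, sigma_t) < aggressiveness:
            lo = mid
        else:
            hi = mid
    return 0.5 * (lo + hi)


if __name__ == "__main__":
    # Constructed parameters: a loosely coordinated group (larger mu_t, sigma_t)
    # versus a tightly collaborating one (smaller mu_t, sigma_t), as on the
    # "Degree of collaboration" slide.
    for label, mu_t, sigma_t in (("low collaboration", 10.0, 3.0), ("high collaboration", 6.0, 2.0)):
        for p in (0.5, 0.8, 0.95):
            print(f"{label}: aggressiveness {p:.2f} -> tfail = {tfail_for_aggressiveness(p, mu_t, sigma_t):.2f}")
```

A more aggressive commander accepts a longer stop-loss time, and a higher degree of collaboration (smaller μt, σt) shortens tfail for the same aggressiveness, which is the time-aspect synergy the earlier slide describes. Any other compromise-time distribution can be substituted by replacing the two density functions.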
Mathematical Formulation
• Objective function (annotations of the equation on the slide):
  • The sum of attack results (0 or 1) for a certain service
  • Sum over all kinds of services
  • Total weighted number of commanders targeting service i
  • Given the defense configuration, maximize the commander's service-compromised probability
  • After maximizing the commander's attack success probability, the defender minimizes that attack success probability
Mathematical Formulation • Mathematical constraints:
Mathematical Formulation • Mathematical constraints:
Mathematical Formulation • Verbal constraints:
Enhancement process
• Primal problem (Zp) → relax constraints → LR problem (ZLR)
• For k iterations: solve the LR problem, evaluate the result, and compute the next iteration's multipliers
• Adjust by information gathered during simulations: 1. node/link, 2. general defense resource, 3. special defense resource, 4. defending-phase defense resource
• If the k iterations are not finished, continue; otherwise return the LR reconfiguration