National Taiwan University, Graduate Institute of Information Management
Master's Thesis Oral Defense
Near Optimal Network Defense Resource Allocation Strategies for the Minimization of Information Leakage
Advisor: Dr. 林永松
Graduate student: 曾中蓮
July 27, 2006 (ROC year 95)
Outline
• Introduction
• Problem Description & Formulation
• Solution Approach
• Computational Experiments
• Conclusion & Future Work
Introduction
• Background
• Information Leakage
• Survivability
• Motivation
Introduction: Background
• Information leakage bites.
  • Theft of proprietary information is one of the top 3 security incidents resulting in serious damage to U.S. organizations.*
  • It is easily ignored by the victims due to the “silent” attack behavior.
  • Profound damage and loss will be caused once the stolen information is published or exploited.
*: L.A. Gordon, M.P. Loeb, W. Lucyshyn, and R. Richardson, “2005 CSI/FBI Computer Crime and Security Survey”, Computer Security Institute, 2005, http://GoCSI.com.
Introduction: Background (Cont’d)
• Network survivability comes to the front.
  • There is no error-free or attack-proof system in the world.
  • A safe/compromised security state is no longer sufficient to describe the states of a system.
  • How well can a system sustain normal service under abnormal conditions?*
*: “Technical Report on Enhanced Network Survivability Performance,” T1A1.2 Working Group on Network Survivability Performance, February 2001.
Introduction: Background (Cont’d)
[Figure: Security States (Safe, Compromised) or Survivability States]
• Survivability is the capability of a system (including networks and large-scale systems) to fulfill its mission, in a timely manner, in the presence of attacks, failures, or accidents.*
*: R. J. Ellison, D. A. Fisher, R. C. Linger, H. F. Lipson, T. A. Longstaff, and N. R. Mead, “Survivable Network Systems: An Emerging Discipline,” Technical Report CMU/SEI-97-TR-013, Software Engineering Institute, Carnegie Mellon University, November 1997 (Revised: May 1999).
Introduction: Motivation
• Damage and loss incurred by information theft is unaffordable.
  • Average loss has exploded from $168.5K in 2004 to $355.5K in 2005.*
  • One of the most critical security issues in the next two years.**
• What should network operators do to decrease the impact?
  • Understand the features and vulnerabilities of networks
    • Grid, random, and scale-free networks
  • Know your enemy
    • Little research focuses on modeling attackers’ actions in an abstract and mathematical way.***
*: L.A. Gordon, M.P. Loeb, W. Lucyshyn, and R. Richardson, “2005 CSI/FBI Computer Crime and Security Survey”, Computer Security Institute, 2005, http://GoCSI.com.
**: L.A. Gordon, M.P. Loeb, W. Lucyshyn, and R. Richardson, “2006 CSI/FBI Computer Crime and Security Survey”, Computer Security Institute, 2006, http://GoCSI.com.
***: A. Stewart, “On Risk: Perception and Direction,” Computers and Security, Volume 23, pp. 362-370, May 2004.
Introduction: Motivation (Cont’d)
• Model the real offense-defense battle against information leakage (theft) as a mathematical formulation.
  • DRAS model – Defense Resource Allocation Strategy (outer problem)
  • AS model – Attack Strategy (inner problem)
• Propose survivability and susceptibility* metrics to evaluate the performance of defense and attack strategies.
[Figure: DRAS Model (Defender, Survivability); Total Loss Due to Information Theft; AS Model (Attacker, Susceptibility)]
*: M. Keshtgary, F.A. Al-Zahrani, and A.P. Jayasumana, “Network Survivability Performance Evaluation with Applications in WDM Networks with Wavelength Conversion,” Proceedings of the 29th Annual IEEE International Conference on Local Computer Networks, 2004.
Problem Description & Formulation
• Problem Description
• Problem Notation
• Formulations of DRAS & AS Model
Problem Description & Formulation: Problem Description
[Figure: attacker position s, Hop-site, Total Attack Power, Total Defense Power]
Problem Description & Formulation: Problem Description (Cont’d)
• Assumptions
  • The attacker’s objective is to maximize the total damage by constructing an “attack tree” of the targeted network.
  • The defender’s objective is to minimize the total damage by allocating a different budget to each node in the network.
  • Both the attacker and the defender have complete information about the network topology.
  • Both the attacker and the defender have resource budget limitations.
  • Only node attacks are considered.
  • Only malicious attacks are considered.
  • Only AS-level networks are considered.
  • A node is only subject to attack if a path exists from the attacker’s position to that node, and all the intermediate nodes on the path have been compromised.
  • A node is compromised if the attack resources applied to the node are no less than the defense power of the node.
Problem Description & Formulation: Problem Description (Cont’d)
• Given
  • Defense resource budget B
  • Attack resource budget A
  • Damage d_i incurred by compromising node i, i.e., the information value held by node i
  • Attacker’s position s, which is connected to the target network
  • The network topology and the network size
• Objective
  • To minimize the maximized total damage
• Subject to
  • Total defense cost must be no more than B
  • Total attack cost must be no more than A
  • The node to be attacked must be connected to the existing attack tree
• To determine
  • Defender: budget allocation strategy
  • Attacker: which nodes to attack
Problem Description & Formulation: Problem Notation
• Decision variables:
Problem Description & Formulation
Problem Formulation – DRAS Model: (IP 1), (IP 1.1)–(IP 1.10)
Problem Formulation – AS Model: (IP 2), (IP 2.1)–(IP 2.8)
Objective function: min – … (decision variables y_i, a_i)
Subject to: Path Constraints, Budget Constraints, Attack Criterion
Solution Approaches
• Solution Approach to the AS Model
  • Lagrangean Relaxation Method
  • Getting Primal Feasible Solutions
• Solution Approach to the DRAS Model
  • Adjustment Procedure
  • Impact Factor
Solution Approach to the AS Model – Lagrangean Relaxation
• The Lagrangean relaxation method is applied to solve the AS model.
• The primal problem (P) can be transformed into a Lagrangean relaxation problem (LR) by moving the complicating constraints into the objective function with associated multipliers.
• LR is easier to solve than the primal problem.
• Bounds on the optimal objective function value of the primal problem can be obtained during the solution process.
Solution Approach to the AS Model – Lagrangean Relaxation (Cont’d)
[Figure: the Primal Problem (P) gives the UB; the Lagrangean Relaxation Problem (LR), decomposed into subproblems, and the Lagrangean Dual Problem give the LB; the Lagrangean multiplier is adjusted between iterations. LB <= Optimal Objective Function Value <= UB]
Source: M. L. Fisher, “The Lagrangean Relaxation Method for Solving Integer Programming Problems”, Management Science, vol. 27, 1-18, 1981
Solution Approach to the AS Model – Lagrangean Relaxation (Cont’d)
Initialization
• Z* – Best known feasible solution value of (P) = Initial feasible solution
• Initial multiplier value = 0
• k – Iteration count = 0
• i – Improvement count = 0
• LB – Lower bound of (P) = -∞
• λ – Initial step size coefficient = 2
Solve Lagrangean Relaxation Problem
• Solve each subproblem of the Lagrangean relaxation problem optimally
• Get decision variable x_k and optimal value Z_D(μ_k)
Get Primal Feasible Solution
• If x_k is feasible in (P), the resulting value is a UB of (P)
• If x_k is not feasible in (P), tune it with the proposed heuristics
Update Bounds
• Z* = min(Z*, UB)
• LB = max(LB, Z_D(μ_k))
• i = i + 1 if LB does not change
Check Termination
• If (|Z* - LB|) / min(|LB|, |Z*|) < (threshold), or k reaches the Iteration Counter Limit, or LB ≥ Z*: STOP
Adjustment of Multiplier
• If i reaches the Improvement Counter Limit, λ = λ / 2, i = 0
• u_{k+1} = max(0, u_k + t_k (A x_k + b))
• k = k + 1
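Added example (not from the thesis): the loop on the slide above, run on a simplified attacker problem in which only the attack budget constraint is kept and relaxed, so the relaxed problem separates per node and each y_i is set to 1 when its coefficient is negative. The function name, the repair heuristic, the step size rule t_k = λ (Z* - Z_D) / g² and the sample values are assumptions.

```python
import math

def lagrangean_attack_bound(damage, cost, budget, iter_limit=200,
                            improve_limit=10, tol=1e-6):
    """Bounds for: min -sum(d_i*y_i) s.t. sum(c_i*y_i) <= budget, y_i in {0,1}.

    Assumption: only the attack budget constraint is modelled and relaxed;
    the path constraints of the full AS model are left out.
    """
    n = len(damage)
    z_star, best = 0.0, [0] * n          # initial feasible solution: attack nothing
    u, lam, lb, stall = 0.0, 2.0, -math.inf, 0
    by_ratio = sorted(range(n), key=lambda i: damage[i] / cost[i])
    for _ in range(iter_limit):
        # Solve (LR): it separates per node; y_i = 1 iff its coefficient < 0.
        coef = [u * c - d for d, c in zip(damage, cost)]
        y = [1 if w < 0 else 0 for w in coef]
        z_d = sum(w for w in coef if w < 0) - u * budget
        load = sum(c for c, yi in zip(cost, y) if yi)
        # Get a primal feasible solution: drop the worst damage/cost nodes until
        # the budget holds, then refill with the best ones that still fit.
        feas, spent = y[:], load
        for i in by_ratio:
            if spent > budget and feas[i]:
                feas[i], spent = 0, spent - cost[i]
        for i in reversed(by_ratio):
            if not feas[i] and spent + cost[i] <= budget:
                feas[i], spent = 1, spent + cost[i]
        ub = -sum(d for d, yi in zip(damage, feas) if yi)
        # Update bounds: Z* = min(Z*, UB), LB = max(LB, Z_D).
        if ub < z_star:
            z_star, best = ub, feas
        if z_d > lb:
            lb, stall = z_d, 0
        else:
            stall += 1
        # Check termination.
        g = load - budget                 # subgradient of the relaxed constraint
        gap = (z_star - lb) / max(min(abs(lb), abs(z_star)), 1e-12)
        if gap < tol or lb >= z_star or g == 0:
            break
        # Adjust the multiplier; halve the step coefficient when LB stalls.
        if stall >= improve_limit:
            lam, stall = lam / 2, 0
        t = lam * (z_star - z_d) / (g * g)   # assumed standard step size rule
        u = max(0.0, u + t * g)
    return z_star, lb, best

if __name__ == "__main__":
    # Constructed sample: five nodes, information values and attack costs.
    print(lagrangean_attack_bound([6, 5, 4, 3, 2], [5, 4, 3, 2, 2], 8))
```

The returned LB and Z* bracket the optimal objective value, which is the guarantee the slide states as LB <= optimal <= UB.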
Solution Approach to the AS Model – Two-stage Relaxation Procedure (Cont’d)
[Figure: Two-stage Relaxation Procedure for the Primal Problem]
• Stage 1 – Relax Constraints (2.1), (2.2), and (2.8)
  • Lagrangean Relaxation Problem – Stage 1 (LB): Subproblem for x_p O(|N|^2), Subproblem for y_i O(|N|), Subproblem for a_i O(|N|^2)
  • Getting Primal Feasible Solutions – Stage 1 (UB)
• Stage 2 – Relax Constraints (2.1), (2.2), and (2.7)
  • Lagrangean Relaxation Problem – Stage 2 (LB): Subproblem for x_p O(|N|^2), Subproblem for y_i and a_i O(|N|)
  • Getting Primal Feasible Solutions – Stage 2 (UB)
• Final UB and LB
Solution Approach to the AS Model – Getting Primal Feasible Solutions of Stage 1
• Solutions to the LR problem and Lagrangean multipliers provide good hints and a starting point to get primal feasible solutions.
• We derive a primal algorithm by using the solutions of a_i and in the dual problem.
  • Sort all nodes by their weights, and adopt the concept of Prim’s minimum cost spanning tree algorithm.
  • Compromise nodes with smaller weights but moderate path costs for the most beneficial results.
Time Complexity O(|N|log2|N|)
Solution Approach to the AS Model – Getting Primal Feasible Solutions of Stage 1 (Cont’d)
[Figure: example network of nodes 1–9 with attacker position s; Node weight = ]
• Activate the first half of uncompromised nodes.
• Apply Prim’s algorithm to activated nodes.
• Compromise an activated node if the attacker has enough power to construct an attack path to that targeted node.
Assume that each node contains 1 unit of information.
Susceptibility = 5/9
Survivability = 1 - 5/9 = 4/9
Solution Approach to the AS Model – Getting Primal Feasible Solutions of Stage 2
• The algorithm is derived from the solutions of x_p in the dual problem.
  • Take the union of attack paths in the dual problem to construct an attack tree.
  • A node’s weight is calculated by the same function used in the primal algorithm of Stage 1.
Time Complexity O(|N|log|N|)
Solution Approach to the AS Model – Getting Primal Feasible Solutions of Stage 2 (Cont’d)
[Figure: two copies of the example network of nodes 1–9 with attacker position s; Node weight = ]
Case 1: total attack cost > total attack budget
Case 2: total attack cost < total attack budget
Solution Approach to the DRAS Model – Adjustment Procedure
• The adjustment procedure is used to re-allocate defense resources after each attack.
• Adopt the concept of the subgradient method.
  • Extract of resources from uncompromised nodes, and allocate them to compromised nodes with reallocation strategy.
  • is the step size coefficient.
  • w_i / w_max is the impact factor of node i; w_i is the average number of times node i is used as a hop-site.
[Figure: DRAS Model (Defender, Adjustment Procedure); Total Loss Due to Information Theft; AS Model (Attacker, Lagrangean Relaxation Method)]
Solution Approach to the DRAS Model – Impact Factor
[Figure: worked example on a network with attacker position s after solving the AS model; Extraction = 0.9, Extraction = 0.6; w_max = (5+5)/2 = 5]
Computational Experiments
• Experiment Environments
• Experimental Results of the AS Model
• Experimental Results of the DRAS Model
Computational Experiments: Experimental Environments
Computational Experiments: Computational Results – AS Model
D1: random distribution, D2: degree-based distribution, D3: uniform distribution
B1: uniform allocation, B2: degree-based allocation, B3: damage-based allocation
|N| = 900
• The damage-based defense budget allocation strategy (B3) causes the lowest susceptibility in all cases.
• Networks with uniform damage distribution (D3) are, on average, less susceptible than networks with D1 and D2 distributions.
Computational Experiments: Computational Results – AS Model (Cont’d)
• Simple algorithm 1 (SA1), Time Complexity O(|N|log2|N|)
  • Derived from the primal algorithm of Stage 1
  • Node weight =
• Simple algorithm 2 (SA2), Time Complexity O(|N|log|N|)
  • Apply Prim’s algorithm to construct the minimum cost spanning tree.
  • Target the node with the smallest weight, and construct an attack path to it according to the spanning tree.
  • Stop when the attacker has no spare attack power.
• Simple algorithm 3 (SA3), Time Complexity O(|N|log|N|)
  • Apply the concept of the greedy algorithm to construct an attack tree until the total attack power is consumed.
  • The attacker only has local information about the network topology.
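Added example (not from the thesis): a small evaluation harness a defender can use to compare the B1, B2 and B3 allocation strategies against a greedy, local-knowledge attacker in the spirit of SA3, using the compromise rule (attack resources no less than defense power) and the susceptibility metric from the earlier slides. The topology, damage values, budgets and the greedy selection rule (highest damage per unit of defense power among reachable nodes) are constructed assumptions, so the numbers do not reproduce the thesis experiments.

```python
def allocate(strategy, graph, damage, budget):
    """Split defense budget B over nodes: B1 uniform, B2 degree-based, B3 damage-based."""
    if strategy == "B1":
        weight = {n: 1 for n in damage}
    elif strategy == "B2":
        weight = {n: len(graph[n]) for n in damage}   # degree counts the link to s
    elif strategy == "B3":
        weight = dict(damage)
    else:
        raise ValueError(strategy)
    total = sum(weight.values())
    return {n: budget * weight[n] / total for n in damage}

def greedy_attack(graph, defense, damage, start, power):
    """Grow an attack tree from `start`; a node costs its defense power to compromise.

    Assumed greedy rule: among nodes adjacent to the tree that are still
    affordable, take the one with the highest damage per unit of defense.
    """
    compromised, spent = {start}, 0.0
    while True:
        frontier = {v for u in compromised for v in graph[u]} - compromised
        affordable = [v for v in frontier if spent + defense[v] <= power]
        if not affordable:
            return compromised - {start}
        target = max(affordable,
                     key=lambda v: (damage[v] / max(defense[v], 1e-9), v))
        compromised.add(target)
        spent += defense[target]

def susceptibility(graph, damage, start, budget, power, strategy):
    """Share of total information value lost; survivability is 1 minus this."""
    defense = allocate(strategy, graph, damage, budget)
    taken = greedy_attack(graph, defense, damage, start, power)
    return sum(damage[v] for v in taken) / sum(damage.values())

# Constructed sample network: s is the attacker's position, e holds most value.
GRAPH = {"s": ["a", "b"], "a": ["s", "c", "d"], "b": ["s", "e"],
         "c": ["a"], "d": ["a"], "e": ["b"]}
DAMAGE = {"a": 1, "b": 1, "c": 1, "d": 1, "e": 6}

def compare(budget=10, power=4):
    return {b: susceptibility(GRAPH, DAMAGE, "s", budget, power, b)
            for b in ("B1", "B2", "B3")}

if __name__ == "__main__":
    for name, s in compare().items():
        print(name, "susceptibility", s, "survivability", 1 - s)
```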
Computational Experiments: Computational Results – AS Model (Cont’d)
General Trend of Susceptibility: Grid Networks, Random Networks, Scale-free Networks
Computational Results – DRAS Model
D1: random distribution, D2: degree-based distribution, D3: uniform distribution
B1: uniform allocation, B2: degree-based allocation, B3: damage-based allocation
|N| = 49, |N| = 100; Initial Budget Allocation Strategy = B3
• The B3 reallocation strategy can improve the survivability of random networks and scale-free networks.
• Networks under D3 have the most robust initial survivability, but no further improvement can be made through budget reallocation.
Conclusion & Future Work
• Conclusion
• Contribution
• Future Work
Conclusion & Future Work: Conclusion
• Address the issue of the best resource allocation strategies for the attacker and the defender, so that the result of information theft can be accepted by both sides.
• AS model
  • Damage-based defense resource allocation strategy will cause the lowest susceptibility for the attacker.
  • Grid networks are the most robust, and scale-free networks are the most vulnerable to information theft.
• DRAS model
  • For random and scale-free networks, “the rich get richer, and the poor get poorer” is the best defense resource allocation strategy.
Conclusion & Future Work: Contribution
• Problem formulation and solution approaches to the DRAS model and the AS model
• Survivability & susceptibility metrics
• Engineering guidelines of defense resource allocation strategy for random and scale-free networks
  • “The rich get richer, and the poor get poorer.”
Conclusion & Future Work: Future Work
• “Secret sharing scheme” concept
  • Only if several certain nodes have all been compromised can the attacker gain confidential information and cause extra damage to the defender.
• Discussion of special cases
  • The existence of “choke points”
Extra Notations
• Given Parameter:
• Decision Variable:
Problem Description & Formulation: Problem Formulation of Extended Model
Objective function: (IP 3)
Subject to: (IP 3.1)–(IP 3.12)
DRAS Model in Game Theory
• An asymmetric, zero-sum, and sequential game with perfect information
• The attacker’s actions consist of a set of feasible attack trees.
• The defender’s actions consist of a set of defense strategies.
[Figure: Defender’s Payoff Matrix (Defender, Attacker)]
Concave Function for Defense Capability
Introduction: Background (Cont’d)
• Scale-free networks imply Achilles’ Heel.
  • Degree distribution P(k) decays as a power-law distribution
  • Ex: Internet, citation networks
• The features of scale-free networks
  • Growth
  • Preferential attachment
  • “Hub” – Achilles’ Heel
  • Low network diameter
[Figure: P(k) versus k; Grid Network, Random Network*, Scale-free Network*]
*: R. Albert, H. Jeong, and A.-L. Barabási, “Error and Attack Tolerance of Complex Networks,” Nature, Volume 406, pp. 378-382, July 2000.
Problem Description & Formulation: Problem Notation
• Given parameters:
Solution Approach to the AS Model – Problem Decomposition of Stage 1
• By applying the Lagrangean relaxation method, the primal problem (IP 2) can be transformed into a Lagrangean relaxation problem (LR 1) where Constraints (2.1), (2.2), and (2.8) are relaxed.
• Optimization Problem (LR 1):
• The LR problem is further decomposed into three independent sub-problems (x_p, y_i, a_i).
Solution Approach to the AS Model – Problem Decomposition of Stage 1 (Cont’d)
• Subproblem 1.1 (related to decision variable x_p): (Sub 2.1), subject to (Sub 2.1.1), (Sub 2.1.2)
• Subproblem 1.1 can further be decomposed into |W| independent shortest path problems.
• Apply Dijkstra’s minimum cost shortest path algorithm once and optimally solve each independent problem.
Time Complexity O(|N|^2)
Solution Approach to the AS Model – Problem Decomposition of Stage 1 (Cont’d)
• Subproblem 1.2 (related to decision variable y_i): (Sub 1.2), subject to (Sub 1.2.1)
• Subproblem 1.2 can further be decomposed into |N| independent problems.
• Examine the parameter of each y_i, and set it to 1 if the result is negative, 0 otherwise.
Time Complexity O(|N|)
Solution Approach to the AS Model – Problem Decomposition of Stage 1 (Cont’d)
• Subproblem 1.3 (related to decision variable a_i): (Sub 1.3), subject to (Sub 1.3.1), (Sub 1.3.2)
• Subproblem 1.3 can be viewed as a fractional knapsack problem, where is profit, and is weight. It can be solved optimally by the greedy method.
Time Complexity O(|N|^2)
Solution Approach to the AS Model – Problem Decomposition of Stage 2
• By applying the Lagrangean relaxation method, the primal problem (IP 2) can be transformed into a Lagrangean relaxation problem (LR) where Constraints (2.1), (2.2), and (2.7) are relaxed.
• Optimization Problem (LR):
• The LR problem is further decomposed into two independent sub-problems (x_p, [y_i, a_i]).
Solution Approach to the AS Model – Problem Decomposition of Stage 2 (Cont’d)
• Subproblem 1.1 (related to decision variable x_p): (Sub 2.1), subject to (Sub 2.1.1), (Sub 2.1.2)
• Subproblem 2.1 can further be decomposed into |W| independent shortest path problems.
• Apply Dijkstra’s minimum cost shortest path algorithm once and optimally solve each independent problem.
Time Complexity O(|N|^2)
Solution Approach to the AS Model – Problem Decomposition of Stage 2 (Cont’d)
• Subproblem 1.2 (related to decision variables y_i, a_i): (Sub 2.2), subject to (Sub 2.2.1), (Sub 2.2.2), (Sub 2.2.3)
• Subproblem 1.2 can further be decomposed into |N| independent problems.
• Determine the value of each y_i and a_i by examining its associated parameters.
Time Complexity O(|N|)
Computational Experiments: Experimental Environments
*: S. Martello & P. Toth, “Upper Bounds and Algorithms for Hard 0-1 Knapsack Problems,” Operations Research, Volume 45, Number 5, pp. 768-778, September 1997.