Explore defense mechanisms using honeypots in network security to minimize attackers' success probabilities. Mathematical formulation and evaluation process are discussed with policy enhancements. Experimental results and conclusion are presented. Reviewer comments included.
Near Optimal Defense Strategies to Minimize Attackers’ Success Probabilities in Honeypot Networks. Advisor: Frank Yeong-Sung Lin. Presented by Yu-Shun Wang.
Agenda • Introduction • Problem formulation • Problem description • Mathematical formulation • Solution Approach • Evaluation Process • Policy Enhancement • Experimental result • Conclusion • Reviewers’ comment OPLab@IM, NTU
Introduction • The complexity and attack level of network systems grow with each passing day. • An attacked organization suffers heavy losses, both monetary and reputational. • The most expensive incident on average was financial fraud, with an average reported cost of $463,100. * • This was followed by dealing with “bot” computers within the organization’s network, reported to cost an average of $345,600 per respondent. * • Dealing with loss of proprietary information or loss of customer and employee confidential data averaged approximately $241,000 and $268,000, respectively. * *Robert R., CSI Director, “2008 CSI Computer Crime & Security Survey,” 2008. The 2009 version is scheduled for release on December 1, 2009, 11:00 am PT / 2:00 pm ET.
Introduction • We define survivability as the capability of a system to fulfill its mission, in a timely manner, in the presence of attacks, failures, or accidents. We use the term system in the broadest possible sense, including networks and large-scale systems of systems. * (figure: survivability status, compromised vs. safe) * R. J. Ellison, D. A. Fisher, R. C. Linger, H. F. Lipson, T. Longstaff, and N. R. Mead, “Survivable Network Systems: An Emerging Discipline,” Technical Report CMU/SEI-97-TR-013, November 1997.
Problem formulation • For defense resources, we consider not only resources that raise a node’s defense level but also a second, deception-based defense mechanism: honeypots. • A honeypot acts as a false target to distract attackers. * * http://honeypots.sourceforge.net/
Problem formulation • Attackers are classified by the following criteria: • Budget: three levels, using the minimum attack cost as the benchmark. • Capability: three levels; it determines the probability that an attacker is deceived by a honeypot. • Next-hop selection criterion: the highest defense level (going after valuable information), the lowest defense level (stealth strategy *), or random attack (random strategy *). * Fred Cohen, “Managing Network Security: Attack and Defense Strategies”
Mathematical formulation • Assumptions • There is only a single core node in the network. • The defender has perfect knowledge of the network, which is attacked by several attackers with different budgets, capabilities, and next-hop selection criteria. • The attackers are not aware that the defender has deployed honeypots in the network, i.e., the attackers have imperfect knowledge of the network. • There are two types of defense resources, honeypot and non-honeypot.
Mathematical formulation • Assumptions (cont.) • A node is only subject to attack if a path exists from the attacker’s position to that node and all intermediate nodes on the path have been compromised. • A node is compromised when the attack resources allocated to it are no less than the defense force provided by the defense resources on it. • Only malicious nodal attacks are considered. • The network is viewed at the AS level.
Mathematical formulation (figure: frequency against attack and defense budget index)
Mathematical formulation (figure: defense budget against attack budget)
Mathematical formulation • Objective Function:
Mathematical formulation • Constraints: defender budget constraints; attacker budget constraints
Solution Approach • Evaluation Process (flowchart) • Initial state: run the evaluation with the 27 kinds of attackers M times and count how often the core node is compromised; dividing that frequency by M gives the average core-node compromise probability. • Check the stop criteria; if they are met, stop. • Otherwise adjust the defense parameters by policy enhancement. • Run another M evaluations with the adjusted defense parameters and obtain the corresponding probability. • Compare the result with the initial one and return to the stop-criteria check.
Solution Approach • Policy Enhancement • The main concept of policy enhancement can be summarized in the following parts. • Derivative: used to measure the marginal effectiveness of each defense resource allocation. • Popularity-based strategy: focuses on the nodes that are attacked most often. The metric used in policy enhancement is the cost attackers spend on each node divided by the total attack cost spent in the entire network.
Solution Approach • Policy enhancement (flowchart) • First take a certain quantity of resources from nodes in the network, removing resources only from nodes that can afford it. • If the total quantity of resources taken is higher than the threshold (the quantity is too large), change the quantity taken from each node and try again. • Calculate the derivative of every reallocation scheme and choose the one with the lowest derivative to replace the current allocation scheme. • If there is a better value to test, change the quantity of resources taken from nodes and repeat; otherwise stop.
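The evaluation loop and the policy-enhancement round described above, as an added Python example; this is not the authors' code. The topology (`GRAPH`), defense levels (`DEFENSE`), the honeypot position, the deception probabilities per capability (`DECEIVE`) and the budget multipliers (`BUDGET_MULT`) are all assumptions made for the example, since the slides give no such numbers. The 27 attacker classes are the 3 × 3 × 3 product from the problem formulation, the compromise rule and the "deceived attacker gives up" behaviour follow the stated assumptions, and `harmonic_quantities` is one reading of the harmonic-series rule from the appendix slide on policy enhancement.

```python
"""Added example (not the authors' code): Monte Carlo evaluation of the core-node compromise
probability with honeypots, plus one policy-enhancement round. Topology, defense levels, the
honeypot, deception probabilities and budget multipliers are all assumed for this example."""
import heapq
import random
from itertools import product

# Constructed topology: node -> neighbours. Node 0 is the attacker's starting position,
# 'core' the single core node. DEFENSE is the defense force on each node (assumed values).
GRAPH = {0: [1, 2], 1: [0, 3, 'core'], 2: [0, 3, 4], 3: [1, 2, 'core'],
         4: [2, 'core'], 'core': [1, 3, 4]}
DEFENSE = {0: 0, 1: 40, 2: 20, 3: 30, 4: 25, 'core': 60}
HONEYPOTS = frozenset({4})                            # assumed: node 4 is a honeypot

# Attacker classes from the slides: 3 budgets x 3 capabilities x 3 next-hop rules = 27 classes.
BUDGET_MULT = {'low': 1.0, 'mid': 1.5, 'high': 2.0}  # multiples of the benchmark cost (assumed)
DECEIVE = {'low': 0.9, 'mid': 0.6, 'high': 0.3}      # P(fooled by a honeypot) per capability (assumed)
STRATEGIES = ('highest', 'lowest', 'random')
ATTACKER_CLASSES = list(product(BUDGET_MULT, DECEIVE, STRATEGIES))


def min_attack_cost(defense, graph, start=0, core='core'):
    """Cheapest route to the core under perfect knowledge (Dijkstra over node weights)."""
    heap, seen = [(0, str(start), start)], set()
    while heap:
        cost, _, node = heapq.heappop(heap)
        if node in seen:
            continue
        seen.add(node)
        if node == core:
            return cost
        for nxt in graph[node]:
            if nxt not in seen:
                heapq.heappush(heap, (cost + defense[nxt], str(nxt), nxt))
    return float('inf')


def attack(defense, graph, honeypots, budget, strategy, capability, rng, spend=None):
    """One attacker with imperfect knowledge; True if the core falls. Each step hits one node
    adjacent to the compromised set; a node falls when the attacker can spend at least its
    defense level; an attacker fooled by a honeypot quits as if the core had fallen."""
    compromised, remaining = {0}, budget
    while True:
        frontier = sorted({n for c in compromised for n in graph[c]} - compromised, key=str)
        if not frontier:
            return False
        if 'core' in frontier:              # assumed: the core is hit as soon as it is reachable
            target = 'core'
        elif strategy == 'random':
            target = rng.choice(frontier)
        else:                               # 'highest' or 'lowest' defense level next
            pick = max if strategy == 'highest' else min
            target = pick(frontier, key=lambda n: defense[n])
        if defense[target] > remaining:     # attack resources below the defense force: node holds
            return False
        remaining -= defense[target]
        if spend is not None:               # per-node attack cost, feeds the popularity metric
            spend[target] = spend.get(target, 0) + defense[target]
        if target == 'core':
            return True
        compromised.add(target)
        if target in honeypots and rng.random() < DECEIVE[capability]:
            return False                    # deceived: believes the mission is complete


def core_compromise_probability(defense, graph, honeypots, M, benchmark, seed=0, spend=None):
    """Run the 27 attacker classes M times; budgets are multiples of the fixed `benchmark`
    (the slides fix it so that different initial allocations remain comparable)."""
    rng, hits = random.Random(seed), 0
    for _ in range(M):
        for bud, cap, strat in ATTACKER_CLASSES:
            hits += attack(defense, graph, honeypots, BUDGET_MULT[bud] * benchmark, strat, cap, rng, spend)
    return hits / (M * len(ATTACKER_CLASSES))


def harmonic_quantities(initial=20, max_iter=2):
    """Quantities to try (one reading of the slides' harmonic rule): from value v at
    iteration k branch to v +/- v//(k+1); a branch stops once v/k is no more than 2."""
    level, out = [initial], [initial]
    for k in range(1, max_iter + 1):
        level = [w for v in level if v / k > 2 for w in (v + v // (k + 1), v - v // (k + 1))]
        out += level
    return out


def enhance_once(defense, graph, honeypots, M, benchmark, quantity, seed=0):
    """One policy-enhancement round: move `quantity` units from each node that can afford it
    to each of the two most-attacked nodes, rank the schemes by derivative (probability change
    per unit moved) and return (derivative, allocation, probability) of the best one; the
    current allocation comes back with derivative 0.0 when no scheme improves on it."""
    spend = {}
    p0 = core_compromise_probability(defense, graph, honeypots, M, benchmark, seed, spend)
    total = sum(spend.values()) or 1
    popular = sorted(spend, key=lambda n: spend[n] / total, reverse=True)[:2]
    best = (0.0, defense, p0)
    for donor in defense:
        if donor == 0 or defense[donor] <= quantity:   # only take from nodes that can afford it
            continue
        for receiver in popular:
            if receiver == donor:
                continue
            trial = dict(defense)
            trial[donor] -= quantity
            trial[receiver] += quantity
            p1 = core_compromise_probability(trial, graph, honeypots, M, benchmark, seed)
            if (p1 - p0) / quantity < best[0]:
                best = ((p1 - p0) / quantity, trial, p1)
    return best


if __name__ == '__main__':
    benchmark = min_attack_cost(DEFENSE, GRAPH)   # 100 for the constructed DEFENSE
    for q in harmonic_quantities():
        d, alloc, p1 = enhance_once(DEFENSE, GRAPH, HONEYPOTS, 100, benchmark, q)
        print(f'quantity {q:2d}: derivative {d:+.5f}, probability {p1:.3f}, allocation {alloc}')
```

Two points worth noting when running it. The same seed is reused for every trial allocation so that competing schemes are scored against the same random stream as far as their attack paths allow; without that, Monte Carlo noise at small M easily swamps the derivatives, which is exactly why the slides insist on choosing M by checking that the per-chunk compromise frequency has stabilized. And the total defense budget is conserved by construction, so a negative derivative means the reallocation, not extra spending, lowered the compromise probability.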
Experimental result • Important parameters (parameter table not extracted)
Experimental result • Experiment on M (plots of compromised frequency per chunk, for 1000 chunks and for 10000 chunks)
Experimental result • Initial allocation scheme • We apply two metrics to allocate our defense resources: • The number of hops to the core node: we believe nodes closer to the core node play a more important role, so we allocate more resources to nodes near the core node. • The link degree of each node: since link degree also reflects the importance of a node, we allocate more resources to nodes with a higher link degree. • We combine the two metrics with different weights, for example 30% number of hops and 70% link degree, to allocate resources.
Experimental result • Different weights result in distinct initial allocations. • Once the initial allocation changes, the minimum attack cost also changes. • Attackers’ budgets are determined as multiples of the minimum attack cost. • We therefore need a uniform benchmark to compare performance. • Consequently, the benchmark used to decide attackers’ budgets is fixed at certain values in the following experiments.
Experimental result • Performance comparison when the benchmark is set at 443 (minimum attack cost of the 20% hop / 80% link initial allocation) (chart not extracted)
Experimental result • Performance comparison when the benchmark is set at 480 (minimum attack cost of the 50% hop / 50% link initial allocation) (chart not extracted)
Experimental result • Performance comparison when the benchmark is set at 515 (minimum attack cost of the 80% hop / 20% link initial allocation) (chart not extracted)
Conclusion • In this paper, we relax the commonly made “perfect information” assumption for attackers from previous research and propose a mathematical model to evaluate network survivability. • We consider a more realistic environment in which multiple classes of attackers may exist, and attackers from different classes may have distinct attributes, behaviors and strategies. • Our main contribution is that we combine mathematical programming and simulation techniques into a novel approach to solving problems with the imperfect-knowledge property.
Reviewers’ comments • Reviewer 1: • The authors describe a mathematical model that allows one to assess the survivability of a computer network and its core components. While the model may be an interesting theoretical contribution, I see several problems once the methodology is applied to a real-world scenario. • First, in the real world it is almost impossible to estimate/fix the parameters of the system. For example, how can one assess the "cost of compromising a general node in the network" (value a(b_i))? How can I compute the "cost" of a specific defense mechanism? • Second, it remains completely unclear which "attacker categories" the authors consider. They do tell on page 2 that there are in total 27 of them, but they do not give any details. • Third, I do not understand why their proposed algorithm is “near optimal” as stated in the title. What does that mean? When is an algorithm "optimal"?
Reviewers’ comments • Reviewer 2: • Your paper is well written and I was inclined to think that you had stumbled across an area of growing interest when you referenced it to several other pieces of work: "A number of previous works, e.g., [2] [3] [4] [5] [6] [7]" • However, on examination, you have only cited your own work and thus are presenting minor changes to your own work. • If the research question is a significant one, and it may be, then you need to provide an in-depth literature review that proves this. Otherwise I have to reject it since you have not really begun to show your reader why this work is significant.
Reviewers’ comments • Reviewer 3: • This paper studied the near-optimal defense strategies to minimize attackers' success probabilities in honeypot networks. The presentation is clear and the paper is well organized. Given the assumptions in the paper, the evaluation looks good. • My concern about the paper is the strong assumptions in the paper. In Section II, Problem Formulation, the authors oversimplified the attacker's knowledge and the procedure of attacks. Given such strong assumptions, the later calculations and analysis are less challenging. I doubt how many attacks can fall into the assumed situation. The strong assumptions may seriously limit the application of the proposed method and make the contribution of the paper less significant. • Moreover, the technical strength of the paper, especially the analysis part, is a little bit weak.
Thank you for listening.
Solution approach • Evaluation Process • Since our scenario and environment are very dynamic, the problem is hard to solve purely by mathematical programming. • Within each attacker category, although all attackers are of the same type, there is still randomness between them. • This randomness is caused by the honeypots: if an attacker compromises a honeypot (a false target), there is a probability that he believes the core node has been compromised and terminates the attack. • Therefore we can never tell whether an attack succeeds or fails until the end of the evaluation.
Solution Approach • Evaluation Process • Parameter setting • M (total number of evaluations in one round): we first choose an initial value, for example 10 million, then summarize the results in chunks of 10 thousand evaluations and draw a diagram of compromised frequency against chunk number. If the diagram shows a stable trend, the value of M is adequate. • Stop criteria • N (total number of policy-enhancement rounds): we set this value by a resource-constrained approach. We also terminate the process when the resource allocation scheme can no longer be improved.
Solution Approach • Policy enhancement • The quantity of defense resources taken from a node is determined by a harmonic series. • We also determine the direction (increase or decrease) of this quantity. • When the quantity divided by the iteration number is no more than 2, we stop searching for a better value. • Search tree example: initial value 20; iteration 1: 20 + 20/2 = 30 and 20 - 20/2 = 10; iteration 2: 30 + 30/3 = 40, 30 - 30/3 = 20, 10 + 10/3 = 13 and 10 - 10/3 = 7; and so on.
Topics on honeypots in Taiwan
Response to the comments • It is worth emphasizing that there is a great difference between perfect knowledge and imperfect knowledge. • For example, most shortest-path and minimum-cost spanning tree algorithms are based on the perfect knowledge assumption. • If nodes and links appeared dynamically while the shortest path or the minimum-cost spanning tree was being searched for, the well-known algorithms would no longer be applicable. • Although there is no need to relax this assumption for those algorithms, it is a necessary concern in our attack-defense scenario.