This presentation summarizes a study of optimal inspection and attack/defense strategies for security in reliability systems, considering adaptive (rather than static) threats to complex structures. It presents an optimization problem in defender-attacker scenarios, in which the defender allocates a fixed budget to maximize the minimum expected cost of a feasible attack. By examining series and parallel systems, the research extends to more general combined series/parallel structures without replications. Theorems for series and parallel systems of independent components characterize the ordering that minimizes the expected testing (or attack) cost.
European Journal of Operational Research, Volume 181, August 2007
Optimal Resource Allocation for Security in Reliability Systems
M. Naceur Azaiez, Industrial Engineering Department, King Saud University, Saudi Arabia
Vicki M. Bier, Department of Industrial Engineering, University of Wisconsin-Madison, USA
Instructor: Professor Frank Y.S. Lin
Presented by Ray J.P. Lo 駱睿斌
NTU IM OPLab
Agenda
• Introduction
• Results of prior work
• Optimal inspection policy
• Optimal attack/defense strategies
• Conclusions and further work
• Compared with OPLab
Introduction
• Much work combines reliability analysis with optimization to identify the most cost-effective risk reduction strategies.
• However, the threat is usually assumed to be static.
• By contrast, most past applications of game theory and similar approaches to defense against intentional threats to security have dealt with:
  • components in isolation
  • simple series and parallel systems
Introduction (cont'd)
• In the real world, however, we will frequently be concerned with protecting the functionality of complex systems with arbitrary structures from adaptive threats.
Introduction (cont'd)
• There are two main ways to describe the situation:
  • Assume that the level of effort expended by the attacker on each component is a constant, so that investments by the defender change only the success probability of an attack on each component.
  • Hold the success probability of an attack on each component constant, so that investments by the defender change only the cost of attacking it.
• The authors adopt the latter approach, and assume that the defender attempts to deter attacks by making them as costly as possible to the attacker.
Introduction (cont'd)
• The problem can be formulated as follows:
  • Consider a system consisting of n components (S1, S2, ..., Sn) in a specific configuration.
  • C(0, 0, ..., 0): the expected cost of an optimal attack before any defensive investment has been made.
  • C(x1, x2, ..., xn): the expected cost of an optimal attack after an investment of (x1, x2, ..., xn) in strengthening components (S1, S2, ..., Sn).
  • B: the total available defensive budget.
• The optimal defensive investment is the solution to the following optimization problem:
  $\max_{x_1, \ldots, x_n} C(x_1, x_2, \ldots, x_n)$ subject to $\sum_{i=1}^{n} x_i \le B$ and $x_i \ge 0$ for all $i$.
Results of prior work
• The approach used here models optimal attack strategies by analogy with existing results for least-expected-cost failure-state diagnosis of reliability systems.
• A cost is incurred for testing each component of the system.
• The initial failure probability of each component is known, as is the system configuration.
Series system of n independent components
• Component i + 1 is tested only if component i is found operational, for all components i = 1, 2, ..., n-1 (a single failed component fails a series system, so testing stops at the first failure found).
• c_i: testing cost of component i.
• q_i: failure probability of component i.
• p_i = 1 - q_i.
• Then the following result holds:
Series system of n independent components (cont'd)
• Theorem 2.1. In a series system, testing components i = 1, 2, ..., n in sequential order is optimal (minimum expected testing cost) if and only if
  $\frac{c_1}{q_1} \le \frac{c_2}{q_2} \le \cdots \le \frac{c_n}{q_n}$.
• In this case, the expected testing cost is
  $C = c_1 + p_1 c_2 + p_1 p_2 c_3 + \cdots = \sum_{i=1}^{n} c_i \prod_{j=1}^{i-1} p_j$.
Parallel system of n independent components
• Component i + 1 is tested only if component i is found failed, for all components i = 1, 2, ..., n-1 (a parallel system works as long as one component works, so testing stops at the first operational component found).
• c_i: testing cost of component i.
• q_i: failure probability of component i.
• p_i = 1 - q_i.
• Then the following result holds:
Parallel system of n independent components (cont'd)
• Theorem 2.2. In a parallel system, testing components i = 1, 2, ..., n in sequential order is optimal (minimum expected testing cost) if and only if
  $\frac{c_1}{p_1} \le \frac{c_2}{p_2} \le \cdots \le \frac{c_n}{p_n}$.
• In this case, the expected testing cost is
  $C = c_1 + q_1 c_2 + q_1 q_2 c_3 + \cdots = \sum_{i=1}^{n} c_i \prod_{j=1}^{i-1} q_j$.
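As an added derivation (not on the original slides), the ordering condition of Theorem 2.1 follows from comparing the two possible orders of any adjacent pair of components. Testing $i$ before $i+1$ costs $c_i + p_i c_{i+1}$ in expectation (component $i+1$ is tested only if $i$ is found operational), while the reverse order costs $c_{i+1} + p_{i+1} c_i$; the first is no worse exactly when

$$c_i + p_i c_{i+1} \le c_{i+1} + p_{i+1} c_i
\iff c_i (1 - p_{i+1}) \le c_{i+1} (1 - p_i)
\iff \frac{c_i}{q_i} \le \frac{c_{i+1}}{q_{i+1}}.$$

Any sequence can be reached from any other by adjacent swaps, so a sequence minimizes the expected cost exactly when this holds for every adjacent pair, which is the chain of inequalities in Theorem 2.1. In the parallel case the second test is reached with probability $q_i$ instead of $p_i$, and the same computation gives $c_i/p_i \le c_{i+1}/p_{i+1}$, the condition of Theorem 2.2.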
Extension to systems with more general structures
• It is important to generalize the results above to more general combined series/parallel systems.
• The authors restrict their attention to systems of independent components that can be represented "without replications", that is, systems that can be represented using only AND/OR logic in such a way that each component appears only once.
Definitions
• A subsystem S is called a series (parallel) subsystem with constituents S1, ..., Sn (for n > 1) if S can be obtained by placing S1, ..., Sn in series (in parallel).
• A series (parallel) subsystem S is called a maximal series (parallel) subsystem if no other subsystem of the entire system can be obtained by placing additional components or subsystems in series (parallel) with S.
Definitions (cont'd)
• The constituents S1, ..., Sn of a series (parallel) subsystem S are called the basic constituents of S if none of them is itself a series (parallel) subsystem.
• It follows that every series (parallel) subsystem has a unique set of basic constituents.
Initialization algorithm
• The algorithm is used to order the basic constituents of all subsystems of a combined series/parallel system that can be represented without replications, prior to identifying the optimal inspection policy.
Initialization algorithm (cont'd) Step 1
• Consider any maximal series subsystem S for which all the basic constituents S1, ..., Sn are simple components. For all i = 1, ..., n, let:
  • c_i: the testing cost of component S_i.
  • p_i: the success probability of component S_i.
  • q_i: the failure probability of component S_i.
• Then do the following:
  • Reorder and re-label the components (if necessary) so that the series condition of Theorem 2.1 holds: $c_1/q_1 \le c_2/q_2 \le \cdots \le c_n/q_n$. We say that S = (S1, ..., Sn) is now ordered.
  • Set C(S) to be the expected testing cost of the series subsystem S = (S1, ..., Sn): $C(S) = \sum_{i=1}^{n} c_i \prod_{j<i} p_j$.
  • Set P(S) and Q(S) to be the success and failure probabilities of subsystem S, respectively: $P(S) = \prod_{i=1}^{n} p_i$ and $Q(S) = 1 - P(S)$.
Initialization algorithm (cont'd) Step 1 (cont'd)
• Similarly, consider any maximal parallel subsystem S for which all the basic constituents S1, ..., Sn are simple components, using the same notation (c_i, p_i, q_i) as above. Then do the following:
  • Reorder and re-label the components (if necessary) so that the parallel condition of Theorem 2.2 holds: $c_1/p_1 \le c_2/p_2 \le \cdots \le c_n/p_n$. We say that S = (S1, ..., Sn) is now ordered.
  • Set C(S) to be the expected testing cost of the parallel subsystem S = (S1, ..., Sn): $C(S) = \sum_{i=1}^{n} c_i \prod_{j<i} q_j$.
  • Set P(S) and Q(S) to be the success and failure probabilities of subsystem S, respectively: $Q(S) = \prod_{i=1}^{n} q_i$ and $P(S) = 1 - Q(S)$.
Initialization algorithm (cont'd)
• If the entire system is now ordered, then stop.
• Else, go to Step 2.
Initialization algorithm (cont'd) Step 2
• Consider each non-ordered maximal series (respectively, parallel) subsystem S in which all basic constituents are either ordered subsystems or simple components.
• If any basic constituent S_i is a simple component, then let:
  • C(S_i): the testing cost of S_i.
  • P(S_i): the success probability of S_i.
  • Q(S_i): the failure probability of S_i.
Initialization algorithm (cont'd) Step 2 (cont'd)
• For each maximal series subsystem S = (S1, ..., Sn) in turn, do the following:
  • Reorder and re-label the basic constituents (if necessary) so that $C(S_1)/Q(S_1) \le C(S_2)/Q(S_2) \le \cdots \le C(S_n)/Q(S_n)$ holds. We say that S = (S1, ..., Sn) is ordered.
  • Set $C(S) = \sum_{i=1}^{n} C(S_i) \prod_{j<i} P(S_j)$ (constituent S_{i+1} is tested only if S_i is found operational).
  • Set P(S) and Q(S) to be the success and failure probabilities of S, respectively: $P(S) = \prod_{i=1}^{n} P(S_i)$ and $Q(S) = 1 - P(S)$.
Initialization algorithm (cont'd) Step 2 (cont'd)
• Similarly, for each maximal parallel subsystem S = (S1, ..., Sn), do the following:
  • Reorder and re-label the basic constituents (if necessary) so that $C(S_1)/P(S_1) \le C(S_2)/P(S_2) \le \cdots \le C(S_n)/P(S_n)$ holds. We say that S = (S1, ..., Sn) is ordered.
  • Set $C(S) = \sum_{i=1}^{n} C(S_i) \prod_{j<i} Q(S_j)$ (constituent S_{i+1} is tested only if S_i is found failed).
  • Set P(S) and Q(S) to be the success and failure probabilities of S, respectively: $Q(S) = \prod_{i=1}^{n} Q(S_i)$ and $P(S) = 1 - Q(S)$.
Initialization algorithm (cont'd)
• Repeat Step 2 as needed until all subsystems have been ordered.
• END.
Initialization example
• Component data: c1 = 10, p1 = 0.7, q1 = 0.3; c2 = 12, p2 = 0.8, q2 = 0.2; c3 = 7, p3 = 0.67, q3 = 0.33; c4 = 6, p4 = 0.6, q4 = 0.4; c5 = 10, p5 = 0.9, q5 = 0.1.
• System structure: components 3 and 2 in parallel (S1); S1 in series with component 1 (S2); S2 in parallel with component 4 (S3); S3 in series with component 5 (S). Values below are rounded to two decimals at each step, as on the slides.
• Step 1 (maximal parallel subsystem of simple components 2 and 3): c2/p2 = 15 and c3/p3 = 10.45, so component 3 is tested first: S1 = (3, 2).
  C(S1) = c3 + q3 c2 = 7 + 0.33 × 12 = 10.96; Q(S1) = q2 q3 = 0.066; P(S1) = 1 - Q(S1) = 0.934.
Initialization example (cont'd)
• Step 2 (series subsystem of component 1 and S1): C(1)/Q(1) = 10/0.3 = 33.3 and C(S1)/Q(S1) = 10.96/0.066 = 166.1, so component 1 is tested first: S2 = (1, S1).
  C(S2) = C(1) + P(1) C(S1) = 10 + 0.7 × 10.96 = 17.67; P(S2) = P(1) P(S1) = 0.65; Q(S2) = 1 - P(S2) = 0.35.
Initialization example (cont'd)
• Step 2 (cont'd) (parallel subsystem of component 4 and S2): C(4)/P(4) = 6/0.6 = 10 and C(S2)/P(S2) = 17.67/0.65 = 27.18, so component 4 is tested first: S3 = (4, S2).
  C(S3) = C(4) + Q(4) C(S2) = 6 + 0.4 × 17.67 = 13.07; Q(S3) = Q(4) Q(S2) = 0.14; P(S3) = 1 - Q(S3) = 0.86.
Initialization example (cont'd)
• Step 2 (cont'd) (series subsystem of S3 and component 5): C(5)/Q(5) = 10/0.1 = 100 and C(S3)/Q(S3) = 13.07/0.14 = 93.36, so S3 is tested first: S = (S3, 5).
  C(S) = C(S3) + P(S3) C(5) = 13.07 + 0.86 × 10 = 21.67; P(S) = P(S3) P(5) = 0.77; Q(S) = 1 - P(S) = 0.23.
Optimal inspection policy
• Lemma 4.1. Consider any ordered series or parallel subsystem S = (S1, ..., Sn). Then, in order to minimize the expected testing cost, testing of any basic constituent S_i must be performed to completion before moving on to testing of another basic constituent with a subscript higher than i.
Optimal inspection policy (cont'd)
• Theorem 4.1. Consider a combined series/parallel system S, ordered according to the initialization algorithm. Then the optimal testing policy that minimizes the expected testing cost is to follow the orderings specified in the initialization algorithm.
Optimal inspection policy (cont'd)
• If a basic constituent $S_i^j$ of subsystem $S^j = (S_1^j, \ldots, S_n^j)$ is to be tested, then it should be tested to completion before moving on to testing of basic constituent $S_{i+1}^j$ of that subsystem (or to testing of some other subsystem), if needed.
• In this case, the optimal expected testing cost of the system equals C(S), as computed in the above algorithm.
Optimal inspection policy for the example
• S = (S3, 5) (series): test S3 first; test component 5 only if S3 is found operational.
• S3 = (4, S2) (parallel): test component 4 first; test S2 only if component 4 is found failed.
• S2 = (1, S1) (series): test component 1 first; test S1 only if component 1 is found operational.
• S1 = (3, 2) (parallel): test component 3 first; test component 2 only if component 3 is found failed.
• Using the initialization algorithm, the expected testing cost of the above procedure is 21.67.
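The initialization algorithm and the resulting inspection policy, implemented as an added example (this is not the paper's or the presenter's code). It orders every subsystem bottom-up with the ratio rules of Theorems 2.1 and 2.2, accumulates C(S), P(S) and Q(S), and flattens the ordering into the sequence in which components are tested to completion (Lemma 4.1). The component values are those of the slides' example; the class and function names (Comp, Sub, order, inspection_sequence) are my own. Unlike the slides, nothing is rounded between steps, so C(S) comes out as 21.684 rather than 21.67.

```python
# Added example: initialization algorithm for a combined series/parallel
# system without replications, plus the inspection order it implies.
from dataclasses import dataclass, field
from typing import List, Tuple, Union


@dataclass(frozen=True)
class Comp:
    name: str
    c: float   # testing cost (attack cost in the security reading)
    p: float   # probability the component is operational (survives an attack)

    @property
    def q(self) -> float:
        return 1.0 - self.p   # failure probability


@dataclass(frozen=True)
class Sub:
    kind: str                  # "series" (AND) or "parallel" (OR)
    parts: Tuple["Node", ...]  # each component appears once: no replications


Node = Union[Comp, Sub]


@dataclass
class Ordered:
    label: str
    C: float   # minimum expected testing cost of this subsystem
    P: float   # success probability of this subsystem
    Q: float   # failure probability of this subsystem
    parts: List["Ordered"] = field(default_factory=list)  # in testing order


def order(node: Node) -> Ordered:
    """Order a subsystem bottom-up (Steps 1 and 2 of the initialization algorithm)."""
    if isinstance(node, Comp):
        return Ordered(node.name, node.c, node.p, node.q)
    kids = [order(part) for part in node.parts]   # constituents are ordered first
    if node.kind == "series":
        # Theorem 2.1: nondecreasing C(S_i)/Q(S_i); S_{i+1} is tested only if
        # S_i is operational, so C(S) = sum_i C(S_i) * prod_{j<i} P(S_j).
        kids.sort(key=lambda k: k.C / k.Q)
        cost, prob = 0.0, 1.0
        for k in kids:
            cost += prob * k.C
            prob *= k.P
        P, Q = prob, 1.0 - prob
    elif node.kind == "parallel":
        # Theorem 2.2: nondecreasing C(S_i)/P(S_i); S_{i+1} is tested only if
        # S_i has failed, so C(S) = sum_i C(S_i) * prod_{j<i} Q(S_j).
        kids.sort(key=lambda k: k.C / k.P)
        cost, prob = 0.0, 1.0
        for k in kids:
            cost += prob * k.C
            prob *= k.Q
        Q, P = prob, 1.0 - prob
    else:
        raise ValueError(f"unknown subsystem kind: {node.kind}")
    label = f"{node.kind}({', '.join(k.label for k in kids)})"
    return Ordered(label, cost, P, Q, kids)


def inspection_sequence(s: Ordered) -> List[str]:
    """Flatten the ordering into the sequence in which components would be
    inspected; each one is tested to completion before the next (Lemma 4.1)."""
    if not s.parts:
        return [s.label]
    return [name for k in s.parts for name in inspection_sequence(k)]


def example_system() -> Ordered:
    """The slides' example: S = series(parallel(4, series(1, parallel(3, 2))), 5)."""
    c1, c2 = Comp("1", 10, 0.7), Comp("2", 12, 0.8)
    c3, c4 = Comp("3", 7, 0.67), Comp("4", 6, 0.6)
    c5 = Comp("5", 10, 0.9)
    s1 = Sub("parallel", (c2, c3))      # deliberately given unordered
    s2 = Sub("series", (c1, s1))
    s3 = Sub("parallel", (c4, s2))
    return order(Sub("series", (s3, c5)))


if __name__ == "__main__":
    root = example_system()
    print(root.label)                # series(parallel(4, series(1, parallel(3, 2))), 5)
    print(inspection_sequence(root)) # ['4', '1', '3', '2', '5']
    print(f"C(S) = {root.C:.3f}, P(S) = {root.P:.4f}")
```

The same function orders an arbitrary AND/OR tree, not just this one; the only requirement is the no-replication property, since a component that appeared twice would make the subsystem outcomes dependent and break the product formulas for P(S) and Q(S).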
Optimal attack/defense strategies
• In the context of attack strategies:
  • The costs are the costs to the attacker of launching attacks on the various components of a targeted system.
  • The failure (respectively, success) probabilities refer to failure (respectively, survival) of those components after being attacked.
Assumptions
• The system can be represented in a combined series/parallel configuration with no replications, and attacks on each component succeed or fail independently of the results of attacks on other components.
• Each component can be attacked at most once.
Assumptions (cont'd)
• The attacker's objective is to determine the feasible attack policy with minimum expected cost.
• Here, a feasible attack policy is one that continues until either the system is disabled, or the attacker discovers that it will be unable to disable the system.
• The defender is interested primarily in preserving the functionality of the overall system.
Assumptions (cont'd)
• The objective of the defender is to maximize the minimum expected cost of a feasible attack, subject to a budget constraint B limiting total defensive investments.
• Defensive investments in any given component increase the cost of attacking that component, but do not decrease the probability of an attack succeeding.
Assumptions (cont'd)
• The cost of an attack against component i increases linearly in the amount of defensive investment in that component, x_i: after the investment the attack cost is c_i + a_i x_i, where a_i is the cost-effectiveness of investment in component i.
• The attacker is aware of any defensive investments in the system before launching an attack (perfect knowledge), so the defender must expect the attacker to re-optimize its attack order after the investment.
Attack Strategies
• Under these assumptions, and by analogy with Theorem 4.1, the optimal least-cost attack policy for an ordered series (parallel) path consists of attacking basic constituent S_{i+1} only if an attack on basic constituent S_i fails (succeeds).
Attack Strategies (cont'd)
• In an ordered system, basic constituent S_i will be attacked before any basic constituent S_j with j > i, so we say that S_i is "more attractive" to the attacker than S_j.
• This concept can also be generalized to components and/or subsystems not necessarily belonging to the same series or parallel path.
• In this context, "ordered" means from most attractive to least attractive.
Attack Strategies (cont'd)
• In a series subsystem, "more attractive" means "more fragile" (holding the attack costs equal): a single disabled component is enough, so the attacker starts with the one most likely to fail.
• In a parallel subsystem, "more attractive" means "more robust" (holding the attack costs equal): every component must be disabled, so the attacker first finds out whether the hardest one can be taken down before spending on the rest.
Defender's challenge
• The problem is to determine the optimal allocation of the total defensive budget B over the various components in order to maximize the expected cost of an optimal attack.
• The optimal defensive strategy will spend the entire available budget.
Series system
• Consider an ordered series system S of n components, for which:
  • the initial cost of an attack on component i is c_i;
  • the probability that component i fails when attacked (that is, that the attack on it succeeds) is q_i, and the probability that it survives the attack is p_i = 1 - q_i, for i = 1, ..., n.
• Since the system is assumed to be ordered, the relationship $c_1/q_1 \le c_2/q_2 \le \cdots \le c_n/q_n$ holds.
Series system (cont'd)
• If the components are ordered in terms of their attractiveness, then the minimum expected cost of a feasible attack is given by
  $C = \sum_{j=1}^{n} c_j \prod_{i=1}^{j-1} p_i$,
  since component j is attacked only if the attacks on components 1, ..., j-1 have all failed.
Series system (cont'd)
• The budget allocation can change the order of attractiveness of the various components, and hence the objective function of the problem.
• In particular, if after some defensive investment (x1, x2, ..., xn) the components are ordered according to (π(1), ..., π(n)), where π is a permutation of (1, 2, ..., n), then the objective function becomes
  $C(x_1, \ldots, x_n) = \sum_{j=1}^{n} \bigl(c_{\pi(j)} + a_{\pi(j)} x_{\pi(j)}\bigr) \prod_{i=1}^{j-1} p_{\pi(i)}$.
Series system (cont'd)
• For a fixed permutation π, the objective function is a linear function of the decision variables x_i.
• This optimization problem could therefore be solved by decomposing it into n! linear programs (one per permutation) and keeping the best solution.
• In order to investigate the qualitative properties of the optimal solution, the authors assume that the cost-effectiveness parameters for investments in the various components are all equal (a_i = a for all i).
Series system (cont'd)
• Proposition 5.1. If $(c_1 + aB)/q_1 \le c_2/q_2$, then the optimal allocation policy is (B, 0, ..., 0): spending the entire budget on the most attractive component does not change the attack order, and every unit invested there raises the attacker's expected cost by a, whereas a unit invested in component j raises it by only $a\, p_1 \cdots p_{j-1}$, the probability that component j is attacked at all.
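The defender's allocation problem for a series system, as an added example that is not the paper's or the presenter's code. The attacker side is the ordered attack of Theorem 2.1 applied to the post-investment costs c_i + a x_i (so the attacker re-sorts the components after seeing the investment, as the perfect-knowledge assumption requires); the defender side is a grid search over all allocations of the whole budget, which stands in for the n! linear programs mentioned above. The two instances at the bottom are constructed for illustration: one where the condition of Proposition 5.1 holds and the whole budget goes to component 1, and one where it fails and the grid optimum instead splits the budget so that the two components become equally attractive. The function names (min_attack_cost, best_allocation, proposition_5_1_holds) are mine.

```python
# Added example: series-system defence allocation against an attacker who
# re-optimises the attack order after seeing the defensive investment.
from typing import Iterator, List, Sequence, Tuple


def min_attack_cost(c: Sequence[float], q: Sequence[float],
                    x: Sequence[float], a: float) -> float:
    """Minimum expected cost of a feasible attack on a series system of
    independent components after investment x (equal cost-effectiveness a).
    c_i: initial attack cost; q_i: probability the attack on i succeeds
    (component fails); attack cost after investment is c_i + a*x_i.
    The attacker attacks in nondecreasing (c_i + a x_i)/q_i (Theorem 2.1)
    and continues only while attacks fail, since one failed component
    disables a series system."""
    cost = [ci + a * xi for ci, xi in zip(c, x)]
    attack_order = sorted(range(len(c)), key=lambda i: cost[i] / q[i])
    expected, p_all_survived = 0.0, 1.0
    for i in attack_order:
        expected += p_all_survived * cost[i]   # reached only if earlier attacks failed
        p_all_survived *= 1.0 - q[i]
    return expected


def compositions(total: int, parts: int) -> Iterator[Tuple[int, ...]]:
    """All ways to split `total` grid steps over `parts` components."""
    if parts == 1:
        yield (total,)
        return
    for k in range(total + 1):
        for rest in compositions(total - k, parts - 1):
            yield (k,) + rest


def best_allocation(c: Sequence[float], q: Sequence[float], a: float,
                    budget: float, steps: int = 20) -> Tuple[List[float], float]:
    """Grid search over allocations of the entire budget (the optimal defence
    spends all of it). Returns (x, attacker's minimum expected cost)."""
    best_x: List[float] = []
    best_val = -1.0
    for comp in compositions(steps, len(c)):
        x = [budget * k / steps for k in comp]
        val = min_attack_cost(c, q, x, a)
        if val > best_val + 1e-12:
            best_x, best_val = x, val
    return best_x, best_val


def proposition_5_1_holds(c: Sequence[float], q: Sequence[float],
                          a: float, budget: float) -> bool:
    """Sufficient condition of Proposition 5.1 (components must already be
    ordered by c_i/q_i): putting the whole budget on component 1 leaves it
    the most attractive, so (B, 0, ..., 0) is optimal."""
    return (c[0] + a * budget) / q[0] <= c[1] / q[1]


if __name__ == "__main__":
    # Constructed instance 1: condition holds, whole budget on component 1.
    c, q, a, B = [1.0, 3.0], [0.5, 0.5], 1.0, 0.5
    print(proposition_5_1_holds(c, q, a, B), best_allocation(c, q, a, B, steps=10))
    # Constructed instance 2: condition fails; concentrating on component 1
    # would just make component 2 the first target, so the budget is split.
    c, q, a, B = [1.0, 1.2], [0.5, 0.5], 1.0, 1.0
    print(proposition_5_1_holds(c, q, a, B), best_allocation(c, q, a, B, steps=10))
```

The grid search is only practical for small n and coarse steps; for a real allocation the n! linear programs (or the structural results of the paper) are the route. The instance where the condition fails is the one worth studying: with x = (1, 0) the attacker simply attacks component 2 first and the defender's spend is discounted, while x = (0.6, 0.4) equalizes the two ratios and yields the highest attack cost on the grid.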