Research Direction Introduction
Advisor: Frank, Yeong-Sung Lin
Presented by Hui-Yu, Chung

Agenda
• Paper review
  • Contest success function
  • Worm characteristics
  • Worm propagation
• Problem descriptions
  • Defender attributes
  • Attacker attributes
  • Attack-defense scenarios
Contest success function (CSF)
• The idea of the CSF came from the problem of "rent-seeking" in economics
  • Rent-seeking refers to efforts to capture special monopoly privileges
  • The phenomenon of rent-seeking in connection with monopolies was first formally identified in 1967 by Gordon Tullock
• The CSF gives the probability that a certain party wins the privilege
Tullock, Gordon (1967). "The Welfare Costs of Tariffs, Monopolies, and Theft". Western Economic Journal 5 (3): 224–232

Contest success function (CSF)
• For 2 players in Tullock's basic model
  • Original form: (ratio form)
  • Since p1 + p2 = 1, the original form can be rewritten as:
• In our scenario, the CSF is transformed as follows:
About contest intensity
• Contest intensity m
  • m = 0: the efforts have equal impact on the vulnerability regardless of their size → Random
  • 0 < m < 1: disproportional advantage of investing less than one's opponent → Fighting to win or die
  • m = 1: the investments have a proportional impact on the vulnerability → Normal case

About contest intensity
• Contest intensity m
  • m > 1: disproportional advantage of investing more than one's opponent → God is on the side of the larger battalions
  • m = ∞: a step function where the "winner takes all" → Like an auction
• The most popular versions of the Tullock CSF are the lottery (m = 1) and the all-pay auction (m = ∞)
Jack Hirshleifer, "Conflict and rent-seeking success functions: Ratio vs difference models of relative success," Public Choice 63, 1989, pp. 101-112
Jack Hirshleifer, "The Paradox of Power," Economics and Politics, Volume 3, November 1993, pp. 177-200
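The slides describe the contest intensity m in words but do not reproduce the formula. The following Python example is added here (it is not from the slides) and assumes the standard ratio-form Tullock CSF, p = T^m / (T^m + t^m) for attack effort T and defense effort t. It reproduces each interpretation of m above, and it inverts the function so a defender can see how much attack resource a given defense resource t on a node forces the opponent to spend for a target success probability; function and variable names are my own.

```python
import math


def contest_success(attack: float, defense: float, m: float) -> float:
    """Ratio-form Tullock CSF: probability that the attack effort wins the contest.

    p = attack**m / (attack**m + defense**m), contest intensity m >= 0.
    m = 0   -> 1/2 regardless of effort sizes (the 'random' case)
    m = 1   -> effort has a proportional impact (the 'lottery')
    m = inf -> step function, the larger effort wins outright (the 'all-pay auction')
    """
    if attack < 0 or defense < 0 or m < 0:
        raise ValueError("efforts and contest intensity must be non-negative")
    if attack == 0 and defense == 0:
        return 0.5  # nobody invests: a coin flip (avoids 0/0 below)
    if attack == 0 or defense == 0:
        return 1.0 if attack > 0 else 0.0  # one side invests nothing
    if math.isinf(m):
        if attack == defense:
            return 0.5
        return 1.0 if attack > defense else 0.0
    # Evaluate p = 1 / (1 + (t/T)**m) in log space so that very small or very
    # large efforts with a large m do not overflow or underflow the float type.
    x = m * (math.log(defense) - math.log(attack))
    if x > 700.0:
        return 0.0
    if x < -700.0:
        return 1.0
    return 1.0 / (1.0 + math.exp(x))


def required_attack_resource(defense: float, p: float, m: float) -> float:
    """Smallest attack effort T with contest_success(T, defense, m) >= p.

    Inverse of the CSF: T = defense * (p / (1 - p)) ** (1 / m).
    Returns math.inf when no finite effort reaches p (only possible for m = 0).
    """
    if not 0.0 < p < 1.0:
        raise ValueError("target probability must lie strictly between 0 and 1")
    if m == 0:
        return 0.0 if p <= 0.5 else math.inf  # every contest is a coin flip
    if defense == 0:
        # the node is undefended: any positive effort wins with certainty
        return 0.0 if p <= 0.5 else math.nextafter(0.0, math.inf)
    if math.isinf(m):
        # winner-takes-all: matching the defense gives 1/2, anything above it gives 1
        return defense if p <= 0.5 else math.nextafter(defense, math.inf)
    return defense * (p / (1.0 - p)) ** (1.0 / m)


def defense_leverage(defense_levels, p: float, m: float) -> dict:
    """Attack resource needed for success probability p at each defense level t.

    Tells the defender how investing on a node scales the opponent's bill under m.
    """
    return {t: required_attack_resource(t, p, m) for t in defense_levels}


if __name__ == "__main__":
    # constructed sample efforts, not taken from the slides
    for m in (0.0, 0.5, 1.0, 2.0, math.inf):
        print(f"m={m:<4} p(T=1 vs t=3)={contest_success(1, 3, m):.3f}  "
              f"p(T=3 vs t=1)={contest_success(3, 1, m):.3f}")
    print(defense_leverage([1, 5, 10], p=0.9, m=2.0))
```

The `defense_leverage` table is the defender-side reading of the slides: under m = 1 the attacker must outspend the node's defense nine-fold to reach a 90% compromise probability, under m = 2 three-fold, and as m grows the required effort approaches the defense resource itself, which is why m matters as much as the budgets.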
About contest intensity
• The result came from "Lanchester's laws"
  • Used to calculate the relative strengths of a predator/prey pair; formulated by Frederick Lanchester in 1916, during the height of World War I
  • Lanchester's Linear Law: for ancient combat, in which one man could only ever fight exactly one other man at a time
  • Lanchester's Square Law: for modern combat with long-range weapons such as firearms

About contest intensity
(Figure: contest success function curve; label "Inflection Point")
Worm Characteristics
• Information collection: collect information about the local or target network
• Probing: scans and detects the vulnerabilities of the specified host, and determines which approach should be taken to attack and penetrate
• Communication: communication between worm and hacker, or among worms
• Attack: makes use of the holes found by the scanning techniques to create a propagation path
• Self-propagating: uses various copies of the worm and transfers these copies among different hosts

Worm propagation model
• Classical epidemic model
  • Does not consider any countermeasures
  • Used to analyze complicated scenarios
Su Fei, Lin Zhaowen, Ma Yan, "A survey of internet worm propagation models", Proc. IC-BNMT 2009, pp. 453-457
Stefan Misslinger, "Internet worm propagation", Department for Computer Science, Technische Universität München

Worm propagation model
• Kermack-McKendrick model (SIR model)
  • Takes the removal process into consideration
  • susceptible → infectious → removed
  • But doesn't take network congestion into account
(Figure: # of infectious hosts over time, including removed hosts)

Worm propagation model
• Two-factor model
  • Takes human countermeasures and network countermeasures into account
    • Increasing removal rate
    • Decreasing infection rate
  • More accurate model
(Figure: model variables labelled "# of removed hosts from infectious hosts", "people's awareness of the worm", "# of removed hosts from susceptible hosts")

Worm propagation time
• Two-factor fit (Code Red worm in July 2001)
  • Takes both I → R and S → R into account
  • Decreased infection rate
  • About 120,000 hosts were infected in 8 hours
Cliff Changchun Zou, Weibo Gong, Don Towsley, "Code Red Worm Propagation Modeling and Analysis"
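To make the three models on the preceding slides concrete, here is an added Python simulation (my own code, not the slides' or the cited papers'). One forward-Euler integrator covers all three: with no countermeasures it is the classical SI epidemic, adding a removal rate for infectious hosts gives the Kermack-McKendrick SIR model, and adding removal of susceptible hosts plus a congestion-dependent infection rate gives the two-factor model. The exact two-factor rate forms used (susceptibles removed at rate mu·S·(I+R), infection rate beta0·(1 − I/N)^eta) are assumptions taken from the Zou et al. model and are not stated on the slides; all parameter values are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Trajectory:
    """Compartment sizes after every Euler step (index 0 is the initial state)."""
    t: List[float] = field(default_factory=list)
    S: List[float] = field(default_factory=list)  # susceptible hosts
    I: List[float] = field(default_factory=list)  # infectious hosts
    R: List[float] = field(default_factory=list)  # removed after infection (cleaned/patched)
    Q: List[float] = field(default_factory=list)  # removed while still susceptible (patched first)


def simulate(N: int = 1000, I0: int = 1, beta0: float = 0.5 / 1000,
             gamma: float = 0.0, mu: float = 0.0, eta: float = 0.0,
             T: float = 100.0, dt: float = 0.1) -> Trajectory:
    """Forward-Euler simulation of the worm propagation models from the slides.

    gamma = mu = eta = 0   -> classical SI epidemic (no countermeasures at all)
    gamma > 0, mu = eta = 0 -> Kermack-McKendrick SIR: infectious hosts removed at rate gamma*I
    mu > 0 and/or eta > 0   -> two-factor model (assumed forms): susceptible hosts are also
                               removed at rate mu*S*(I+R) as awareness grows (human
                               countermeasure), and the infection rate decays as
                               beta0*(1 - I/N)**eta (network congestion)
    """
    S, I, R, Q = float(N - I0), float(I0), 0.0, 0.0
    traj = Trajectory([0.0], [S], [I], [R], [Q])
    for k in range(1, int(round(T / dt)) + 1):
        beta = beta0 * max(0.0, 1.0 - I / N) ** eta          # congestion lowers beta
        new_inf = min(beta * S * I * dt, S)                    # flow S -> I
        removed_sus = min(mu * S * (I + R) * dt, S - new_inf)  # flow S -> Q
        removed_inf = min(gamma * I * dt, I)                   # flow I -> R
        # the min() clamps keep every compartment non-negative at coarse time steps
        S -= new_inf + removed_sus
        I += new_inf - removed_inf
        R += removed_inf
        Q += removed_sus
        traj.t.append(k * dt)
        traj.S.append(S)
        traj.I.append(I)
        traj.R.append(R)
        traj.Q.append(Q)
    return traj


def peak_infectious(traj: Trajectory) -> Tuple[float, float]:
    """(largest number of simultaneously infectious hosts, time at which it occurs)."""
    k = max(range(len(traj.I)), key=traj.I.__getitem__)
    return traj.I[k], traj.t[k]


def ever_infected_fraction(traj: Trajectory) -> float:
    """Fraction of the population that was infected at some point (I + R at the end)."""
    total = traj.S[-1] + traj.I[-1] + traj.R[-1] + traj.Q[-1]
    return (traj.I[-1] + traj.R[-1]) / total


if __name__ == "__main__":
    # constructed parameters: 1000 hosts, one initial infection, contact rate 0.5/time unit
    runs = {
        "classical SI": simulate(),
        "SIR": simulate(gamma=0.05),
        "two-factor": simulate(gamma=0.05, mu=0.05 / 1000, eta=3),
    }
    for name, tr in runs.items():
        peak, at = peak_infectious(tr)
        print(f"{name:12s} peak I = {peak:7.1f} at t = {at:5.1f}, "
              f"ever infected = {ever_infected_fraction(tr):.3f}")
```

Running it shows the ordering the slides argue for: the classical model saturates the whole population, SIR caps the peak because hosts are being cleaned while the worm spreads, and the two-factor model lowers the peak further because patching susceptible hosts and congestion both act against the worm. Fitting real data (the Code Red curve on the slide) means choosing beta0, gamma, mu and eta to match observed counts.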
Node compromise time
• Using a state-space predator model as the attack model to estimate the MTTC (Mean Time-to-Compromise) of the system
• Three levels of attacker capabilities
  • Beginner
  • Intermediate attacker
  • Expert attacker
David John Leversage, Eric James, "Estimating a System's Mean Time-to-Compromise", IEEE Security & Privacy, Volume 6, Number 1, pp. 52-60, January/February 2008

Node compromise time
• Divide the attacker's actions into three statistical processes
  • Process 1 – The attacker has identified one or more known vulnerabilities and has one or more exploits on hand
  • Process 2 – The attacker has identified one or more known vulnerabilities but doesn't have an exploit on hand
  • Process 3 – No known vulnerabilities or exploits are available
• Mean time-to-compromise

Node compromise time
• Time-to-compromise
  • t1, t2, t3: expected mean time of processes 1, 2, 3
  • P1: prob. of finding a vulnerability
  • u: failure probability to find an exploit
  • t1 is hypothesized to be 1 working day (8 hrs)
  • t2 is hypothesized to be 5.8 × (expected tries) working days
  • t3 = ((1/s) − 0.5) × 30.42 + 5.8 days, where s = AM/V

Node compromise time
• Estimated number of tries, ET
  • AM: avg # of vulnerabilities for which an exploit can be found or created by an attacker of the given skill level
  • V: avg # of vulnerabilities per node within a zone
  • NM: the # of vulnerabilities an attacker with the given skill won't be able to use
    • NM = V − AM
• Expected avg time needed in process 2:
  • ET × 5.8 working days

Node compromise time
• Skill indicator s = AM/V
• Prob. that the attacker is in process 1
  • M: # of exploits readily available to the attacker
  • K: total # of non-duplicate vulnerabilities
• Prob. that process 2 is unsuccessful

Node compromise time
• Results (table, measured in working days)
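The slides give the building blocks of the MTTC estimate (t1, t2 = 5.8·ET, t3 from the skill indicator s = AM/V, and the meaning of P1, u, M, K) but not the closed forms. The Python example below is added here and is my own code, not the cited paper's. It takes the stated hypotheses for t1, t2 and t3 from the slides and assumes the remaining forms from the cited MTTC model: P1 = 1 − e^(−V·M/K), u = (1 − AM/V)^V, ET as the expected number of draws without replacement until the first usable vulnerability, and MTTC = P1·t1 + (1 − P1)(1 − u)·t2 + (1 − P1)·u·t3. The zone and attacker profiles are constructed sample values, and the class and function names are mine.

```python
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Zone:
    """Vulnerability picture of one network zone (names are mine, not the paper's)."""
    V: int   # avg # of vulnerabilities per node within the zone
    K: int   # total # of non-duplicate vulnerabilities (size of the known-vulnerability pool)


@dataclass(frozen=True)
class Attacker:
    """One skill level: what the attacker has on hand and can make use of."""
    M: int   # # of exploits readily available to the attacker
    AM: int  # avg # of vulnerabilities per node this skill level can exploit (0 < AM <= V)


def skill_indicator(a: Attacker, z: Zone) -> float:
    return a.AM / z.V  # s = AM / V (from the slides)


def prob_process1(a: Attacker, z: Zone) -> float:
    """P1: probability the attacker already holds an exploit for a vulnerability on the node.

    Assumed form from the cited model: P1 = 1 - exp(-V * M / K).
    """
    return 1.0 - math.exp(-z.V * a.M / z.K)


def prob_process2_fails(a: Attacker, z: Zone) -> float:
    """u: probability that no exploit can be found for any of the node's vulnerabilities.

    Assumed form from the cited model: u = (1 - AM / V) ** V.
    """
    return (1.0 - a.AM / z.V) ** z.V


def expected_tries(a: Attacker, z: Zone) -> float:
    """ET: expected number of vulnerabilities tried until one usable by this attacker turns up.

    Draws without replacement from V vulnerabilities, NM = V - AM of which are unusable.
    The i-th draw (i = 1 .. NM + 1) is the first usable one with probability
    prod_{j<i} (NM - j + 1)/(V - j + 1) * AM/(V - i + 1); ET = sum_i i * P(first usable at i).
    """
    V, AM = z.V, a.AM
    NM = V - AM
    et, p_all_failed_so_far = 0.0, 1.0
    for i in range(1, NM + 2):
        p_first_usable_here = p_all_failed_so_far * AM / (V - i + 1)
        et += i * p_first_usable_here
        p_all_failed_so_far *= (NM - i + 1) / (V - i + 1)
    return et


def mttc_breakdown(a: Attacker, z: Zone, t1: float = 1.0) -> dict:
    """All intermediate quantities plus the MTTC, in working days.

    t1: process 1 time, hypothesised on the slides as 1 working day (8 hrs)
    t2 = 5.8 * ET working days                 (process 2)
    t3 = ((1 / s) - 0.5) * 30.42 + 5.8 days    (process 3, s = AM / V)
    MTTC = P1*t1 + (1-P1)*(1-u)*t2 + (1-P1)*u*t3   (assumed combination from the cited model)
    """
    if not 0 < a.AM <= z.V:
        raise ValueError("need 0 < AM <= V: AM = 0 makes s = 0 and t3 undefined")
    P1 = prob_process1(a, z)
    u = prob_process2_fails(a, z)
    s = skill_indicator(a, z)
    et = expected_tries(a, z)
    t2 = 5.8 * et
    t3 = ((1.0 / s) - 0.5) * 30.42 + 5.8
    mttc = P1 * t1 + (1.0 - P1) * (1.0 - u) * t2 + (1.0 - P1) * u * t3
    return {"P1": P1, "u": u, "s": s, "ET": et, "t1": t1, "t2": t2, "t3": t3, "mttc": mttc}


def mean_time_to_compromise(a: Attacker, z: Zone, t1: float = 1.0) -> float:
    return mttc_breakdown(a, z, t1)["mttc"]


if __name__ == "__main__":
    # constructed sample profiles, not the paper's calibrated skill levels
    zone = Zone(V=5, K=1000)
    for name, att in (("novice", Attacker(M=50, AM=2)), ("expert", Attacker(M=200, AM=4))):
        b = mttc_breakdown(att, zone)
        print(f"{name}: P1={b['P1']:.3f} u={b['u']:.5f} ET={b['ET']:.2f} "
              f"t2={b['t2']:.2f} t3={b['t3']:.2f} MTTC={b['mttc']:.2f} working days")
```

For a defender the useful reading is in the breakdown: the only levers that raise MTTC for every skill level are reducing V (fewer vulnerabilities per node, which lowers P1 and raises u and ET) and keeping M small relative to K (fewer of the node's vulnerabilities with public exploits), which is exactly what patching and exposure reduction do.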
Agenda
• Paper review
  • Contest success function
  • Worm characteristics
  • Worm propagation
• Problem descriptions
  • Defender attributes
  • Attacker attributes
  • Attack-defense scenarios

Attack-Defense scenario
• Collaborative attack
  • One commander who has a group of attackers
  • Different attackers have different attributes
    • Budget, capability
  • The commander has to decide his attack strategy at every round
    • e.g. # of attackers, resources used
  • Once the strategy is given, all the attackers exercise the attack simultaneously

Defender attributes
• Objective
  • Protect the provided services
• Budget
  • General defense resources (e.g. firewall, IDS)
  • Worm profile distribution mechanisms
  • Worm source identification methods

Defender attributes
• General defense mechanisms
  • Defense resource on each node
  • Dynamic topology reconfiguration
    • If the QoS is not satisfied, the disconnected link must be reconnected
• Worm defense mechanisms
  • Decentralized information sharing system
    • Unknown worm detection & profile distribution
    • Worm origin identification
  • Rate limiting
    • To slow down worm propagation
  • Firewall reconfiguration
    • May decrease QoS at the same time

Defender attributes
• Fixed defense resource
  • General defense resource on each node
  • Detection system on specific nodes
• Dynamic defense resource
  • Generating worm signatures
  • Without expending budget
    • Worm origin identification
    • Rate limiting
    • Firewall reconfiguration
    • Dynamic topology reconfiguration

Attacker attributes
• Objective
  • To decrease the QoS of the defender
  • To steal information (by attacking some specific nodes)
• Budget
  • Preparing phase: worm injection
  • Attacking phase: node compromising

Attacker attributes
• Attack mechanisms
  • Compromising nodes
    • The goal is to finally compromise core nodes, which reduces the QoS of those core nodes below a certain level, or to steal sensitive information
  • Worm injection
    • The purpose is to get further topology information
    • After a node is compromised, the commander decides whether to inject worms

Attacker attributes
• Process (figure)
Compromising nodes
• How to select the attackers?
  • The commander has to select the attackers who have enough attack resource
  • The resource required is computed via the contest success function
  • During the decision phase, all the commander has to do is find the interval of the defense resource table whose values are near the defense resource on that node
  • After every round the table is updated with the new resource owned by the selected attackers

How to select the attackers?
• A corresponding defense resource table is created right after the defender has constructed his network topology
• The value of an attacker's resource T is computed from the budget and attack time of that attacker
  • Attack power
  • Aggressiveness
• The value of the defense resource t is the defense resource on a node in the network
• The table is sorted in ascending order of t

How to select the attackers?
• The budget, capability, and aggressiveness of the attackers are predetermined
• The value of the contest intensity m is given

Aggressiveness
• High aggressiveness (risk avoidance)
  • Often used to compromise nodes
    • Before worm injection
    • Higher when approaching core nodes
• Low aggressiveness (risk tolerance)
  • Used to pretend to attack
    • e.g. to lower the risk level of a certain core node

Worm injection
• Used to get more topology information behind nodes before compromising them
• After compromising a node, the attacker can decide whether to inject a worm into it
  • A node with a high link degree is often chosen for worm injection
• Worm immunity
  • Once a worm is detected by the defender, the defender may apply some defense mechanism to become immune to it
  • In that case, the attacker has to inject another type of worm to get new information
• Different types of worms
  • Scanning method, propagation rate, capability
Scenarios
(Figure sequence: every slide shows the same network of AS nodes A–T, with legend entries for AS node, core AS node, firewall, decentralized information sharing system, commander, attacker and compromised node; only the step captions are recoverable here)
• One attacker to compromise node A
• Two attackers to compromise nodes C & D
• Inject a Type I worm into node C
• Self-propagation of the worm
• Two attackers to compromise nodes I & F
• Detection alarm
• Two attackers to compromise nodes N & J
• Inject a Type II worm into nodes N and J
• Defender response: worm origin identification, rate limiting, firewall reconfiguration, dynamic topology reconfiguration
• Two attackers to compromise nodes Q & P
• Dynamic topology reconfiguration: reconnect to satisfy QoS
• One attacker to compromise node O
• Two attackers to compromise core nodes R & S