Problem Description
Environment: a government or enterprise network with multiple servers providing services.
Roles:
- Defender: complete information of the topology. There is a defense center through which the defender controls the whole network.
- Attacker: only one-hop information.
OPLab 2018/10/13
Defender
- Nodes: general nodes and core nodes.
- Many VMs can be set up on a VMM-IDPS; each VM can be a general or a core node.
- General and core nodes can also exist outside a VMM-IDPS.
- The VMM-IDPS is integrated in the VMM.
Defender (Cont.)
- Different views of the topology: the physical topology (physical links, virtual links, and physical links that are invisible in the logical view) versus the logical topology of logical links and logical nodes (core nodes, general nodes, VMM-IDPS), which is the defender's view.
Defender (Cont.)
Planning phase:
- Set up VMM-IDPS: how many VMM-IDPS and where to place them; how many VMs each VMM-IDPS supports; the level of each VMM-IDPS.
- Decide the positions of core nodes.
- Link settings: connect physical links; set the virtual links of each VM and decide their link capacity; decide the link capacity of physical links.
- Set up cloud security agents on logical nodes.
- Add general defense (firewall, antivirus, ...) to logical nodes.
Defender (Cont.)
Defending phase:
- Generate signature: triggered when VMs get attacked. Generation and distribution take time. Once the signature is updated, all VMMs and VMs are immune to that attack method. False positives or wrong signatures decrease the capacity of all virtual links by a certain ratio!!
- Local VMM-IDPS protection: increases the defense effect of the VMs on the same VMM, including the VMM itself, at the price of decreasing virtual link capacity by a certain ratio.
Defender (Cont.)
Defending phase:
- Cloud security service: triggered when any logical node gets attacked. Only logical nodes equipped with a cloud security agent can request the service. The agent forwards suspicious traffic to a SaaS cloud security provider, and clean traffic comes back. Different levels of security inspection are charged differently. A false positive decreases link capacity by a certain ratio.
Defender (Cont.)
Defending phase:
- Dynamic topology reconfiguration: triggered when any logical node gets attacked. Subject to core node loading, link capacity and user satisfaction constraints, remove or reconnect some links to make core nodes more secure.
Attacker
- Capability: general distribution. A description of each attacker, associated with training cost and the probability of seeing through the VM environment. May affect the false negative rate of the VMM-IDPS.
- Risk tolerance: a description of each attacker. Together with the remaining budget it affects the target selection strategy (e.g. attack the VMM?), the criteria for changing method and choosing the next hop, and the preferred success probability of compromising a node.
- Proficiency: each attacking method has its own proficiency, which affects the effectiveness of attack costs.
Attacker (Cont.)
Strategies:
- Budget: more budget in the preparing phase or in the attacking phase? How many tools is it better to hold? To what proficiency level should each tool be trained?
- Next hop selection criteria before and after an attack: are all neighbours the next-hop candidates, or is going deeper better? Attack the VMM or not when discovering one? Switch to another method? Repeat the attack on the same node?
- Risk tolerance after discovering the existence of a VMM-IDPS: what value should the preferred successful attack probability be set to? Change the value during the attack or keep it the same? Associated with the budget left and the attacker's risk tolerance.
Contest success function (Cont.)
- The attacker decides a value of T that makes the contest outcome greater than a certain value, according to risk tolerance and budget left.
- The function transforming attack cost T into attack effectiveness depends on the proficiency of each method and the tool quality.
- The defense effectiveness of defense resource t.
Scenario
Figure sequence; each slide shows the defender's view with the defense center on the left and the attackers' view on the right. Legend: core node, general node, VMM-IDPS, VM, defense center, attackers.
- Defender's view versus the attackers' view of the network.
- Physical links.
- Logical topology.
- Attackers can see only one hop away.
- Attacker: select a target to attack. Defender: intrusion detected! Generate signature.
- Defender: local defense on; it makes the other VMs and the VMM itself more secure.
- Attacker: compromise the target successfully. Defender: reset links to make core nodes more secure.
- Attacker: no new links found. Defender: signature generation needs a long time.
- Attacker: select another target; more effort is needed due to local defense. Defender: same attack method, no need for another signature.
- Attacker: compromise the target successfully; found the existence of a VMM. Defender: reset links to make core nodes more secure.
- Attacker: decide to attack the VMM; it needs more effort than normal nodes, and local defense must also be considered.
- Attacker: compromise the VMM and find it is an IDPS; see all virtual and physical links. Defender: reset links to make core nodes more secure.
- Defender: signature updated!! Attacker: decide to use the same attack method to attack another node.
- Defender: VMs are now immune to the attack method, so it is safe to relink. Attacker: compromise the target.
- Attacker: keep on attacking.
- Final state of both views.
Assumptions
- The defender has complete information about the network: topology, defense resource allocation, node attributes. There is a defense center through which the defender controls the whole network: setting nodes and links, deciding defense strategies.
- Attackers have incomplete information about the network: only one-hop information.
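The scenario sequence and the assumptions above can be replayed as a small discrete-time model: the attacker only ever sees one hop beyond the nodes already compromised, a VMM-IDPS that observes an attack starts a signature that takes several ticks to distribute, local protection raises the effort needed against every VM on that VMM, and once the signature is out the same method no longer works on any VM or VMM (but still does on a physical node outside the VMM). This is an added example, not the deck's own model or code; the node names, the topology, SIGNATURE_DELAY and the two effort multipliers are constructed assumptions.

```python
"""Toy timeline model of the scenario and assumptions above: one-hop attacker
view, delayed signature generation, local VMM-IDPS protection and immunity of
VMs/VMMs once the signature is updated.  Constructed illustration; the node
names, SIGNATURE_DELAY and the effort multipliers are assumptions, not values
from the original deck."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

SIGNATURE_DELAY = 3          # assumed ticks to generate and distribute a signature
LOCAL_DEFENSE_FACTOR = 2.0   # assumed extra effort against VMs/VMM under local protection
VMM_FACTOR = 1.5             # assumed extra effort to attack the VMM itself


@dataclass
class Node:
    kind: str                   # "general", "core" or "vmm_idps"
    host: Optional[str] = None  # VMM-IDPS hosting this node, if it is a VM


@dataclass
class Defender:
    pending: Dict[str, int] = field(default_factory=dict)  # method -> ticks left
    immune: Set[str] = field(default_factory=set)          # methods with a signature
    local_defense: Set[str] = field(default_factory=set)   # VMM-IDPS with protection on


@dataclass
class Attacker:
    compromised: Set[str]
    sees_all_links: bool = False  # true once a VMM-IDPS has been compromised


def visible(nodes: Dict[str, Node], links: Dict[str, Set[str]], atk: Attacker) -> Set[str]:
    """Attacker's view: one hop from compromised nodes, or every node after a
    VMM-IDPS falls (slide: "See all virtual and physical links")."""
    if atk.sees_all_links:
        return set(nodes)
    seen = set(atk.compromised)
    for c in atk.compromised:
        seen |= links.get(c, set())
    return seen


def attack(nodes, links, dfd: Defender, atk: Attacker, target: str, method: str) -> Tuple[bool, float]:
    """One attack on a visible target; returns (success, relative effort)."""
    if target not in visible(nodes, links, atk):
        raise ValueError(f"{target} is outside the attacker's current view")
    node = nodes[target]
    virtualized = node.kind == "vmm_idps" or node.host is not None
    effort = VMM_FACTOR if node.kind == "vmm_idps" else 1.0
    host = target if node.kind == "vmm_idps" else node.host
    if host in dfd.local_defense:
        effort *= LOCAL_DEFENSE_FACTOR
    if virtualized:
        # The VMM-IDPS observes the attack: start signature generation for this
        # method once; reusing the same method needs no new signature.
        if method not in dfd.immune and method not in dfd.pending:
            dfd.pending[method] = SIGNATURE_DELAY
        if method in dfd.immune:
            return False, effort  # VMs and VMMs are immune after the update
    atk.compromised.add(target)
    if node.kind == "vmm_idps":
        atk.sees_all_links = True
    return True, effort


def tick(dfd: Defender) -> None:
    """Advance signature generation and distribution by one time unit."""
    for m in list(dfd.pending):
        dfd.pending[m] -= 1
        if dfd.pending[m] <= 0:
            dfd.immune.add(m)
            del dfd.pending[m]


def run_scenario() -> Dict[str, object]:
    """Replay the slide sequence on a constructed six-node topology."""
    nodes = {
        "entry": Node("general"),              # physical node outside any VMM-IDPS
        "vmA": Node("general", host="vmm1"),
        "vmB": Node("core", host="vmm1"),
        "vmC": Node("general", host="vmm1"),
        "vmm1": Node("vmm_idps"),
        "core2": Node("core"),                 # physical core node, not a VM
    }
    links = {
        "entry": {"vmA"}, "vmA": {"entry", "vmB"},
        "vmB": {"vmA", "vmm1", "core2"}, "vmC": {"vmm1"},
        "vmm1": {"vmB", "vmC"}, "core2": {"vmB"},
    }
    dfd, atk, trace = Defender(), Attacker(compromised={"entry"}), {}
    trace["view0"] = visible(nodes, links, atk)                  # entry plus one hop
    trace["s1"] = attack(nodes, links, dfd, atk, "vmA", "m1")    # intrusion detected
    dfd.local_defense.add("vmm1")                                # local defense on
    tick(dfd)
    trace["s2"] = attack(nodes, links, dfd, atk, "vmB", "m1")    # costlier: local defense
    tick(dfd)
    trace["s3"] = attack(nodes, links, dfd, atk, "vmm1", "m1")   # VMM falls, full view
    tick(dfd)                                                    # signature updated
    trace["view3"] = visible(nodes, links, atk)
    trace["immune"] = set(dfd.immune)
    trace["s4"] = attack(nodes, links, dfd, atk, "vmC", "m1")    # VM now immune
    trace["s5"] = attack(nodes, links, dfd, atk, "core2", "m1")  # non-VM: still exposed
    return trace


if __name__ == "__main__":
    for step, result in run_scenario().items():
        print(step, result)
```

The trace makes the defender's timing problem concrete: the signature only becomes effective after three ticks, and in that window the attacker reaches the VMM-IDPS with the same method and gains the full link view. Shortening SIGNATURE_DELAY or turning local defense on earlier is what changes the outcome; the model also shows why immunity alone does not protect physical core nodes outside the VMM, which is what the topology reconfiguration step is for.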
Given parameters (notation: description)
N: the index set of all physical nodes
O: the index set of all physical nodes equipped with VMM-IDPS
V: the index set of all virtual machine nodes
G: the index set of all logical nodes
C: the index set of all logical nodes equipped with a cloud security agent
Xi: the virtual link index set of virtual machine node i, where i∈V
K: the physical link index set
M: the index set of all VMM-IDPS levels
OPLab@IM, NTU 2018/10/13
Given parameters (Cont.)
E: all possible defense configurations, including defense resource allocation and defending strategies
B: the defender's total budget
S: the index set of all kinds of services
Z: all possible attacker categories, including attackers' attributes, corresponding strategies and transition rules
(notation not recovered): an attack configuration, comprising the attacker's detailed information, possible strategies and transition rules, where i∈S, 1 ≤ j ≤ Fi
Fi: the total number of attacks on the ith service by all attackers, where i∈S
(notation not recovered): 1 if the attacker achieves his goal successfully, and 0 otherwise, where i∈S, 1 ≤ j ≤ Fi
Given parameters (Cont.)
h(mi): the number of VMs supported by a VMM-IDPS of level mi, where i∈N and mi∈M
v(mi, li): the cost of virtualization on node i with a VMM-IDPS of level mi and li virtual machines (run-time cost), where i∈N and 0 ≤ li ≤ h(mi)
g(qi): the cost of constructing physical link i with capacity qi, where i∈K
e: the cost of setting up a cloud security agent on one node
Decision variables (notation: description)
(notation not recovered): the configuration regarding resource allocation and defending, where i∈S
ui: 1 if node i is virtualized and equipped with VMM-IDPS, 0 otherwise, where i∈N
mi: the level of the VMM-IDPS equipped on node i, where i∈N and mi∈M
li: the number of virtual machines implemented on virtualized node i, where i∈N
Decision variables (Cont.)
pijk: 1 if the jth virtual link of virtual machine node i passes through physical link k, 0 otherwise, where i∈V, j∈Xi, k∈K
qi: the capacity of physical link i, where i∈K
rij: the capacity of the jth virtual link of virtual machine node i, where i∈V, j∈Xi
ci: 1 if logical node i is equipped with a cloud security agent, 0 otherwise, where i∈G
ni: the general defense resources allocated on node i, where i∈G
Objective function (IP 1)
Constraints
- Supported virtual machine numbers constraint
- Virtual link capacity constraint
(IP 1.1) (IP 1.2) (IP 1.3) (IP 1.4)
Constraints
- Defender's budget constraints
(IP 1.5) (IP 1.6) (IP 1.7) (IP 1.8)
Constraints
- QoS constraint: QoS is a function of link utilization, core node loading, hops to the core node, and the served users ratio. At the end of the attack, the following constraint must be satisfied.
- The defender has to guarantee that at least one core node is not compromised at any time.
- Budget constraint: the budget should be accounted for when all defense strategies are used.
(IP 1.10) (IP 1.11) (IP 1.12)
Constraints
- Dynamic topology reconfiguration constraint: topology reconfiguration results in a traffic shift, so link capacity, core node loading and hops to the core node must be considered.
- Local defense constraint: only nodes with a VMM-IDPS have the local defense function. The capacity of all the VMs' virtual links on that VMM-IDPS decreases by a certain ratio.
- Signature request constraint: only nodes with a VMM-IDPS have the signature request function. False positives and wrong signatures decrease all virtual link capacity by a certain ratio.
- Cloud security constraint: only nodes with a cloud security agent have the cloud security function. Forwarding traffic to the cloud security provider for inspection decreases the capacity of the links connected to the node when a false positive occurs.
(IP 1.13) (IP 1.14) (IP 1.15) (IP 1.16) (IP 1.17) (IP 1.18) (IP 1.19)
Constraints (IP 1.20) (IP 1.21) (IP 1.22)
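Since the equations for the supported-VM, virtual-link-capacity and budget constraints are not reproduced on this page, the following added example writes the checks a defender would run on a candidate planning configuration, using the parameter and decision-variable notation of the tables above (ui, mi, li, h(mi), v(mi, li), qk, rij, pijk, ci, e, ni, B). It is not the deck's formulation: the algebraic form of each constraint, the cost functions v and g, and the sample instance are all assumptions chosen to be consistent with the notation descriptions.

```python
"""Feasibility checker for a defender planning configuration in the notation
of the parameter and decision-variable tables above.  Constructed example,
not the deck's own formulation: the algebraic form of each constraint is
assumed from the parameter descriptions, because the equations
(IP 1.1-1.8, IP 1.10) are not reproduced on this page."""
from copy import deepcopy
from typing import Dict, List, Tuple

Violation = Tuple[str, str]   # (constraint family, detail)


def check_vm_numbers(u, m, l, h) -> List[Violation]:
    """Supported VM numbers: a virtualized node hosts at most h(m_i) VMs and a
    non-virtualized node hosts none (assumed form of IP 1.1 / IP 1.2)."""
    out = []
    for i in u:
        if u[i] == 1 and l[i] > h[m[i]]:
            out.append(("vm-numbers", f"node {i}: l_i={l[i]} > h(m_i)={h[m[i]]}"))
        elif u[i] == 0 and l[i] != 0:
            out.append(("vm-numbers", f"node {i}: not virtualized but l_i={l[i]}"))
    return out


def check_virtual_link_capacity(p, r, q) -> List[Violation]:
    """Virtual link capacity: the virtual links (i, j) routed over physical
    link k (p_ijk = 1) may not exceed q_k in total (assumed form of IP 1.3 / 1.4)."""
    load = {k: 0.0 for k in q}
    for (i, j, k), routed in p.items():
        if routed:
            load[k] += r[(i, j)]
    return [("link-capacity", f"link {k}: load {load[k]} > q_k={q[k]}")
            for k in q if load[k] > q[k]]


def defender_cost(u, m, l, q, c, n, v, g, e) -> float:
    """Planning-phase spend: virtualization v(m_i, l_i) on virtualized nodes,
    physical links g(q_k), e per cloud security agent, general defense n_i."""
    return (sum(v(m[i], l[i]) for i in u if u[i] == 1)
            + sum(g(q[k]) for k in q)
            + e * sum(c.values())
            + sum(n.values()))


def check_configuration(cfg: Dict) -> List[Violation]:
    """Run every check; an empty list means the configuration is feasible."""
    viol = check_vm_numbers(cfg["u"], cfg["m"], cfg["l"], cfg["h"])
    viol += check_virtual_link_capacity(cfg["p"], cfg["r"], cfg["q"])
    cost = defender_cost(cfg["u"], cfg["m"], cfg["l"], cfg["q"], cfg["c"],
                         cfg["n"], cfg["v"], cfg["g"], cfg["e"])
    if cost > cfg["B"]:   # assumed form of the budget constraint (IP 1.10)
        viol.append(("budget", f"cost {cost} > B={cfg['B']}"))
    return viol


def example_configuration() -> Dict:
    """Constructed instance: node 1 is a level-2 VMM-IDPS hosting vm1..vm3;
    nodes 2 and 3 are plain physical nodes; two physical links k1, k2."""
    return {
        "u": {1: 1, 2: 0, 3: 0},
        "m": {1: 2, 2: 0, 3: 0},                 # m_i only meaningful where u_i = 1
        "l": {1: 3, 2: 0, 3: 0},
        "h": {1: 2, 2: 4},                       # VMs supported per VMM-IDPS level
        "v": lambda mi, li: 10 * mi + 3 * li,    # assumed virtualization cost
        "q": {"k1": 20, "k2": 12},
        "g": lambda qk: 0.5 * qk,                # assumed physical link cost
        # r_ij: capacity of the j-th virtual link of VM i; p_ijk: its routing
        "r": {("vm1", 1): 10, ("vm1", 2): 5, ("vm2", 1): 8, ("vm3", 1): 6},
        "p": {("vm1", 1, "k1"): 1, ("vm1", 2, "k2"): 1,
              ("vm2", 1, "k1"): 1, ("vm3", 1, "k2"): 1},
        "c": {"vm1": 1, "vm2": 0, "vm3": 1, 2: 0, 3: 1},   # cloud security agents
        "e": 4,
        "n": {"vm1": 2, "vm2": 0, "vm3": 1, 2: 3, 3: 5},   # general defense resources
        "B": 70,
    }


def infeasible_variant() -> Dict:
    """Same instance pushed past three limits: too many VMs on node 1, link k1
    overloaded, and total spend above B."""
    cfg = deepcopy(example_configuration())
    cfg["l"][1] = 5                 # exceeds h(2) = 4 and raises v(m_1, l_1)
    cfg["r"][("vm2", 1)] = 12       # k1 now carries 10 + 12 > 20
    return cfg


if __name__ == "__main__":
    print("feasible:", check_configuration(example_configuration()))
    for fam, detail in check_configuration(infeasible_variant()):
        print(f"{fam}: {detail}")
```

The checker is a constraint validator, not a solver: it reports which family of constraint a hand-built or heuristically generated configuration breaks, which is the first thing to wire into any search over defender configurations E before the attacker-dependent constraints (QoS at the end of the attack, at least one core node never compromised) are evaluated by simulation.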
