Advisor: Frank,Yeong-Sung Lin

Presentation transcript:

Near Optimal Defense Strategies to Minimize Attackers’ Success Probabilities in Honeypot Networks
Advisor: Frank, Yeong-Sung Lin
Presented by Yu-Shun, Wang

Agenda
- Introduction
- Problem formulation: Problem description, Mathematical formulation
- Solution Approach: Evaluation Process, Policy Enhancement
- Experimental result
- Conclusion
- Reviewers’ comment
2019/1/16 OPLab@IM, NTU

Introduction
The complexity of network systems, and the level of attacks on them, grows with each passing day. An attacked organization suffers heavy losses, whether monetary or reputational.
- The most expensive incident on average was financial fraud, with an average reported cost of $463,100. *
- This was followed by dealing with “bot” computers within the organization’s network, reported to cost an average of $345,600 per respondent. *
- Dealing with loss of either proprietary information or loss of customer and employee confidential data averaged approximately $241,000 and $268,000, respectively. *
* Robert R., CSI Director, “2008 CSI Computer Crime & Security Survey,” 2008. The 2009 version will be released on December 1, 2009, 11:00 am PT/2:00 pm ET.

Introduction
“We define survivability as the capability of a system to fulfill its mission, in a timely manner, in the presence of attacks, failures, or accidents. We use the term system in the broadest possible sense, including networks and large-scale systems of systems.” *
Survivability status: Compromised or Safe.
* R. J. Ellison, D. A. Fisher, R. C. Linger, H. F. Lipson, T. Longstaff, and N. R. Mead, “Survivable Network Systems: An Emerging Discipline,” Technical Report CMU/SEI-97-TR-013, November 1997.

Introduction

| Title | Author(s) |
| --- | --- |
| An Evaluation of Network Survivability When Defense Levels Are Discounted by the Accumulated Experience of Attackers | F.Y.-S. Lin, P.-Y. Chen, and P.-H. Tsang |
| Maximization of Network Survival Time in the Event of Intelligent and Malicious Attacks | P.H. Tsang, F.Y.S. Lin, and C.W. Chen |
| Near Optimal Attack Strategies for the Maximization of Information Theft | F.Y.S. Lin, C.-L. Tseng and P.-H. Tsang |
| Near Optimal Protection Strategies against Targeted Attacks on the Core Node of a Network | F.Y.-S. Lin, P.-H. Tsang and Y.-L. Lin |
| Evaluation of Network Robustness for Given Defense Resource Allocation Strategies | F.Y.-S. Lin, P.-H. Tsang, C.-H. Chen, C.-L. Tseng and Y.-L. Lin |
| Maximization of Network Robustness Considering the Effect of Escalation and Accumulated Experience of Intelligent Attackers | F.Y.-S. Lin, P.-H. Tsang, P.-Y. Chen, and H.-T. Chen |

Previous research on survivability mostly relies on the assumption of “perfect knowledge”. This assumption means that attackers hold every detail about the network and can use it intelligently to maximize damage. It helps defenders analyze the worst-case scenario.

Introduction

| Previous research | My work |
| --- | --- |
| Complete information about topology | Only one hop information |
| Complete information about defense resource allocation | Only next hop defense resource information |
| Complete information about node attribute | Partial information about node attribute |
| Single category of attacker | Multiple categories of attacker |
| Information is gathered before an attacker launches an attack | Information is gathered during attack |

Problem formulation
For defense resources, we consider not only resources that increase the defense level but also a deception-based defense mechanism, honeypots, which act as false targets to distract attackers. *
* http://honeypots.sourceforge.net/

Problem formulation
For attackers, we apply the following criteria for classification:
- Budget: three levels, using the minimum attack cost as the benchmark.
- Capability: three levels; it influences the probability that attackers are cheated by honeypots.
- Next hop selection criteria:
  - The highest defense level (for valuable information)
  - The lowest defense level (for stealth strategy *)
  - Random attack (for random strategy *)
* Fred Cohen, “Managing Network Security Attack and Defense Strategies”

Mathematical formulation
Assumptions
- There is only one single core node in the network.
- The defender has perfect knowledge of the network, which is attacked by several attackers with different budgets, capabilities, and next hop selection criteria.
- The attackers are not aware that there are honeypots deployed by the defender in the network, i.e., the attackers have imperfect knowledge of the network.
- There are two types of defense resources, honeypot and non-honeypot.

Mathematical formulation
Assumptions (cont.)
- A node is only subject to attack if a path exists from the attacker’s position to that node, and all the intermediate nodes on the path have been compromised.
- A node is compromised when the attack resources allocated to it are no less than the defense force incurred by defense resources.
- Only malicious nodal attacks are considered.
- The network is viewed at the AS level.

Mathematical formulation
Given parameters

| Notation | Description |
| --- | --- |
| M | The total evaluation frequency for all attacker categories |
| K | The total attacker categories |
| P_k | The portion of attacker type k in total attackers (where k ∈ K) |
| R_k | Rounded evaluation frequency of each attacker type |
| D | All possible defense strategies |
|  | The strategy of an attacker, comprising his budget, capabilities, and next hop selection criteria (where k ∈ K) |
| S_kj( , ) | 1 if the attacker j of the kth category can compromise the core node under defense strategy, and 0 otherwise (where k ∈ K) |
| B | The total budget of defender |
| B_k | The total budget of the kth type of attacker, where k ∈ K |
| F | The index set of honeypots to play the role of fake core nodes |
| I | The index set of all general nodes in the network |

Parameter groups on the slide: Frequency; Attack & Defense; Budget; Index.

Mathematical formulation
Decision variables

| Notation | Description |
| --- | --- |
| b_i | The defense resource allocated to protect a node i, where i ∈ I |
| h_f | The defense resource allocated to honeypot f as the fake core node in the network, where f ∈ F |
| a(b_i) | The cost of compromising a general node i in the network, where i ∈ I |
| a(h_f) | The cost of compromising a honeypot f in the network, where f ∈ F |

Variable groups on the slide: Defense budget; Attack budget.

Mathematical formulation
Objective Function:

Mathematical formulation
Constraints
- Defender budget constraints
- Attacker budget constraints

Solution Approach
Evaluation Process (flowchart)
- Initial state: run the evaluation with the 27 different kinds of attackers M times and get the core node compromised frequency. Divide the frequency by M to obtain the average core node compromised probability.
- Adjust defense parameters by policy enhancement.
- Run another evaluation M times using the adjusted defense parameters and get the corresponding probability.
- Compare the result with the initial one.
- Decision: stop criteria (Yes / No).

Solution Approach
Policy Enhancement
The main concept of policy enhancement can be summarized in the following parts.
- Derivative: this concept is used to measure the marginal effectiveness of each defense resource allocation.
- Popularity-based strategy: this strategy focuses on nodes that are frequently attacked. Therefore, we use the cost attackers spend on each node divided by the total attack cost spent in the entire network as the metric in policy enhancement.

Solution Approach
Policy enhancement (flowchart)
Steps:
- We first take a certain amount of resources from nodes in the network.
- Only remove resources from nodes afforded.
- Calculate the derivative of every reallocation scheme.
- Choose the one with the lowest derivative to replace the current allocation scheme.
- Change the quantity of resources we take from nodes.
Decisions (Yes / No):
- Quantity of resources is too large?
- Total quantity of resources is higher than the threshold?
- Whether there is a better value to test?

Experimental result
Important parameters

| Parameter | Value |
| --- | --- |
| Total number of attacker profiles | 27 |
| Attacker budget levels | 3 |
| Attacker capability levels | 3 |
| Next hop selection criteria | 3 |
| Defender total budget | 1,000 |
| Total evaluation times for one round | 10,000,000 |

Experimental result
Important parameters (cont.)

| Types of attackers’ budget level | Value |
| --- | --- |
| High level | 2 times of minimum attack cost |
| Medium level | 1.5 times of minimum attack cost |
| Low level | 1 time of minimum attack cost |

| Types of attackers’ capability level | Value |
| --- | --- |
| High level | 30% distracted by false target honeypot |
| Medium level | 50% distracted by false target honeypot |
| Low level | 70% distracted by false target honeypot |

Experimental result
Experiment on M (figure: 1000 chunks)

Experimental result
Experiment on M (cont.) (figure: 10000 chunks)

Experimental result
Initial allocation scheme
We apply two metrics to allocate our defense resources:
- The number of hops to the core node: we believe nodes closer to the core node play a more important role. Therefore, we allocate more resources to nodes near the core node.
- Link degree of each node: since the link degree can also reflect the importance of a node, we allocate more resources to nodes with higher link degree.
We combine these two metrics by giving them different weights, for example, 30% number of hops and 70% link degree, to allocate resources.

Experimental result
Different weight values result in distinct initial allocations. Once the initial allocation is changed, the value of the minimum attack cost is also altered. Attackers’ budget is determined as a multiple of the minimum attack cost. We need a uniform benchmark to compare performance. Consequently, the benchmark for deciding attackers’ budget is fixed at certain values in the following experiments.

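Experimental result
Performance comparison when benchmark is set at 443 (minimum attack cost of 20% hop and 80% link initial allocation):
The 0% result arises because, if link degree alone is used, many nodes end up with the same resource distribution, which creates an attack path that is relatively favorable to the attacker.
The 60% result arises because a path appears that requires only 425 attack resources.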

Experimental result
Performance comparison when benchmark is set at 480 (minimum attack cost of 50% hop and 50% link initial allocation):

Experimental result
Performance comparison when benchmark is set at 515 (minimum attack cost of 80% hop and 20% link initial allocation):

Conclusion
In this paper, we relax the commonly made “perfect information assumption for attackers” in previous research and propose a mathematical model to evaluate network survivability.
We consider a more realistic environment where multiple classes of attackers may exist, and where attackers from different classes may have distinct attributes, behaviors and strategies.
Our main contribution is that we combine mathematical programming and simulation techniques and develop a novel approach to solve problems with the imperfect knowledge property.
3. Certain special nodes in the network can be identified and put to use.

Reviewers’ comments
Reviewer 1: The authors describe a mathematical model that allows to assess the survivability of a computer network and its core components. While the model may be an interesting theoretical contribution, I see several problems once the methodology is applied to a real world scenario. First, in real works it is almost impossible to estimate/fix the parameters of the system. For example, how can one assess the "cost of compromising a general node in the network" (value a(b_i))? How can I compute the "cost" of a specific defense mechanism? Second, it remains completely unclear which "attacker categories" the authors consider. They do tell on page 2 that there are in total 27 of them, but they do not give any details. Third, I do not understand why their proposed algorithm is “near optimal” as stated in the title. What does that mean? When is an algorithm "optimal"?

Reviewers’ comments
Reviewer 2: Your paper is well written and I was inclined to think that you had stumbled across an area of growing interest when you referenced it to several other pieces of work: "A number of previous works, e.g., [2] [3] [4] [5] [6] [7]" However, on examination, you have only cited your own work and thus are presenting minor changes to your own work. If the research question is a significant one, and it may be, then you need to provide an in-depth literature review that proves this. Otherwise I have to reject it since you have not really begun to show your reader why this work is significant.

Reviewers’ comments
Reviewer 3: This paper studied the near optimal defense strategies to minimize attacker's success probabilities in honeypot networks. The presentation is clear and the paper is well organized. Given the assumptions in the paper, the evaluation looks good. My concern about the paper is the strong assumptions in the paper. In Section II, Problem Formulation, the authors over simplified the attacker's knowledge and the procedure of attacks. Given such strong assumption, the later calculations and analysis are less challenging. I doubt how many attacks can fall into the assumed situation. The strong assumption may seriously limit the application of the proposed method and make the contribution of the paper less significant. Moreover, the technical strength of the paper, especially the analysis part, is a little bit weak.

Thanks for Your Listening

Solution approach
Evaluation Process
Since our scenario and environment are very dynamic, it is hard to solve the problem purely by mathematical programming.
For each attacker category, although the attackers in it belong to the same type, there is still some randomness between them. This is caused by honeypots: if an attacker compromises a false target honeypot, there is a probability that he will believe the core node is compromised and terminate this attack.
Therefore, we can never guarantee whether an attack succeeds or fails until the end of the evaluation.
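The evaluation process described above, as an added sketch that is not code from the presentation: each of the 27 attacker profiles attacks with one-hop knowledge only, and a honeypot ends the attack with the profile's distraction probability. The topology, node names, defense values, equal share per attacker type and the rule that compromise cost equals defense resource are constructed assumptions; the budget multipliers and distraction probabilities are the values on the "Important parameters" slide.

```python
import heapq
import itertools
import random

# Constructed topology (not from the slides): S is the attacker's entry point,
# C the core node, H a honeypot playing the role of a fake core node.
GRAPH = {"S": ["n1", "n2"], "n1": ["S", "n3", "H"], "n2": ["S", "n3"],
         "n3": ["n1", "n2", "C"], "H": ["n1"], "C": ["n3"]}
# Assumption: the cost of compromising a node equals its defense resource.
DEFENSE = {"S": 0, "n1": 10, "n2": 30, "n3": 40, "H": 20, "C": 60}
HONEYPOTS = {"H"}
BUDGET = {"high": 2.0, "medium": 1.5, "low": 1.0}   # multiples of minimum attack cost
FOOLED = {"high": 0.3, "medium": 0.5, "low": 0.7}   # capability -> P(distracted)
CRITERIA = ("highest", "lowest", "random")          # next hop selection criteria
PROFILES = list(itertools.product(BUDGET, FOOLED, CRITERIA))  # 3 x 3 x 3 = 27


def min_attack_cost(start="S", core="C"):
    """Cheapest total compromise cost from start to core (Dijkstra on node costs)."""
    best, heap = {start: 0}, [(0, start)]
    while heap:
        cost, node = heapq.heappop(heap)
        if node == core:
            return cost
        if cost > best[node]:
            continue  # stale heap entry
        for nxt in GRAPH[node]:
            if cost + DEFENSE[nxt] < best.get(nxt, float("inf")):
                best[nxt] = cost + DEFENSE[nxt]
                heapq.heappush(heap, (best[nxt], nxt))
    return None


def attack_once(budget, p_fooled, criterion, rng):
    """One attack with one-hop knowledge; returns 1 if the core node is compromised."""
    owned = {"S"}
    while True:
        # Only neighbours of already compromised nodes are visible to the attacker.
        frontier = sorted({n for o in owned for n in GRAPH[o]} - owned)
        affordable = [n for n in frontier if DEFENSE[n] <= budget]
        if not affordable:
            return 0  # budget exhausted before reaching the core
        if criterion == "highest":
            target = max(affordable, key=DEFENSE.get)
        elif criterion == "lowest":
            target = min(affordable, key=DEFENSE.get)
        else:
            target = rng.choice(affordable)
        budget -= DEFENSE[target]
        owned.add(target)
        if target == "C":
            return 1
        if target in HONEYPOTS and rng.random() < p_fooled:
            return 0  # attacker believes the core is compromised and stops


def evaluate(m_total, seed=1):
    """Core compromise probability per profile and overall, M runs split evenly."""
    rng = random.Random(seed)
    benchmark = min_attack_cost()
    runs = m_total // len(PROFILES)  # assumption: equal share for each attacker type
    per_profile = {}
    for b, c, crit in PROFILES:
        hits = sum(attack_once(BUDGET[b] * benchmark, FOOLED[c], crit, rng)
                   for _ in range(runs))
        per_profile[(b, c, crit)] = hits / runs
    return per_profile, sum(per_profile.values()) / len(PROFILES)


if __name__ == "__main__":
    per_profile, overall = evaluate(27 * 2000)
    print("minimum attack cost:", min_attack_cost())
    print("overall core compromise probability: %.3f" % overall)
```

On this constructed network the low-budget "lowest defense" attackers never reach the core while medium-budget "highest defense" attackers always do, which is the per-profile spread a defender would look at before reallocating resources.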

Solution Approach
Evaluation Process
Parameter setting
- M (total evaluation frequency for one round): first, we set an initial value, for example, 10 million. Then, we take 10 thousand as a chunk to summarize the result and draw a diagram depicting the relationship between compromised frequency and number of chunks. If the diagram shows a stable trend, it implies the value of M is an ideal one.
Stop criteria
- N (total rounds for policy enhancement): we set this value by a resource constrained approach. If we cannot improve the quality of the resource allocation scheme anymore, we also terminate this process.
Resource constrained approach: because the survival time of a solution is not necessarily long.

Solution Approach
Policy enhancement
The quantity of defense resource we take from a node is determined by the harmonic series. Further, we also determine the direction of this quantity. When the quantity divided by the iteration number is no more than 2, we stop searching for a better value.
Initial value (20)
  20+20/2=30
    30+30/3=40
    30-30/3=20
  20-20/2=10
    10+10/3=13
    10-10/3=7
  ‧‧‧

Topical on honeypot in Taiwan

Response to the comment
It is worth emphasizing that there is a great difference between perfect knowledge and imperfect knowledge.
For example, most shortest path algorithms and minimum cost spanning tree algorithms are based on the perfect knowledge assumption. If nodes and links appear dynamically during the search for the shortest path or the minimum cost spanning tree, well-known algorithms may no longer be feasible.
Although there is no need to relax this assumption in those algorithms, it is a necessary concern in our attack-defense scenario.