Effective Network Planning and Defending Strategies to Minimize Attackers' Success Probabilities under Malicious and Epidemic Attacks
Advisor: Frank, Yeong-Sung Lin
Presented by Jia-Ling Pan
2019/5/3 NTUIM OPLAB
Agenda
- Problem Description
- Attack-defense Strategies
- Enhancement Process
Problem Description
- Attacker perspectives
- Defender perspectives
- Attack-defense scenarios
Attacker perspectives: Objective
Use worms to obtain a clearer map of the network topology or its vulnerabilities, and eventually compromise core nodes.
Attacker perspectives: Worm Propagation Model (Two-Factor model)
Human countermeasures:
- Cleaning compromised computers.
- Patching or upgrading susceptible computers.
- Setting up filters to block worm traffic on firewalls or edge routers.
- Disconnecting computers from the Internet.
Decreased infection rate β(t):
Large-scale worm propagation has caused congestion and trouble at some Internet routers, which slows down the worm's scanning process.
Attacker perspectives: Worm Propagation Model (Two-Factor Model)
S(t): susceptible hosts; I(t): infectious hosts; R(t): hosts removed from the infectious state; Q(t): susceptible hosts removed by countermeasures; N: total hosts.
dR(t)/dt = γ I(t)                          (1)
dQ(t)/dt = μ S(t) J(t)                     (2)
J(t) = I(t) + R(t)                         (3)
β(t) = β0 [1 - I(t)/N]^η                   (4)
N = S(t) + I(t) + R(t) + Q(t)              (5)
dS(t)/dt = -β(t) S(t) I(t) - dQ(t)/dt      (6)
dI(t)/dt = β(t) S(t) I(t) - dR(t)/dt       (7)
Attacker perspectives: Worm Propagation Model (Two-Factor Model), discrete form with time step Δt
I(t) = I(t-1) + dI(t-1)/dt * Δt            (8)
R(t) = R(t-1) + dR(t-1)/dt * Δt            (9)
Q(t) = Q(t-1) + dQ(t-1)/dt * Δt            (10)
S(t) = N - I(t) - R(t) - Q(t)              (11)
Attacker perspectives: Worm Propagation Model (Two-Factor model), AS-level status
If I(t)/N_A >= 0.5, then the status of the AS node is treated as infectious (I).
(figure: AS nodes A–G with host counts N and initial infections I(0) = 5 at A, B and C)
N_A = 1,000,000: I(0)/N_A = 5/1,000,000
N_B = 100,000: I(0)/N_B = 5/100,000
N_C = 10,000: I(0)/N_C = 5/10,000
N_D = 1,000,000; N_E = 100,000; N_F = 10,000; N_G = 100,000
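As an added illustration (not code from the thesis slides), the following Python script steps equations (1)–(11) forward in discrete time and applies the AS-level rule that a node counts as infectious once I(t)/N >= 0.5. β0 = 0.8/N follows the "basic" worm tier on the worm-attributes slide; the host count, γ, μ, η and the step size are assumed values for the demo.

```python
"""Two-Factor worm model, eqs. (1)-(11), stepped forward in discrete time."""
from dataclasses import dataclass


@dataclass
class TwoFactorParams:
    N: int         # total hosts in the AS, eq. (5)
    I0: float      # initially infectious hosts I(0)
    beta0: float   # initial infection rate; 0.8/N is the "basic" worm tier on the attributes slide
    gamma: float   # removal rate of infectious hosts, eq. (1); assumed value below
    mu: float      # removal rate of susceptible hosts by countermeasures, eq. (2); assumed
    eta: float     # exponent governing how congestion lowers beta(t), eq. (4); assumed


def beta_t(p, I):
    """Eq. (4): beta(t) = beta0 * [1 - I(t)/N]^eta; max() guards against a tiny Euler overshoot."""
    return p.beta0 * max(0.0, 1.0 - I / p.N) ** p.eta


def simulate(p, dt=0.05, steps=4000):
    """Euler-step eqs. (8)-(11) for `steps` steps of length dt. Returns the S, I, R, Q series."""
    S, I, R, Q = [p.N - p.I0], [p.I0], [0.0], [0.0]
    for _ in range(steps):
        s, i, r, q = S[-1], I[-1], R[-1], Q[-1]
        J = i + r                          # eq. (3)
        dR = p.gamma * i                   # eq. (1)
        dQ = p.mu * s * J                  # eq. (2)
        dI = beta_t(p, i) * s * i - dR     # eq. (7)
        i2 = i + dI * dt                   # eq. (8)
        r2 = r + dR * dt                   # eq. (9)
        q2 = q + dQ * dt                   # eq. (10)
        s2 = p.N - i2 - r2 - q2            # eq. (11); eq. (6) is then implied by eq. (5)
        S.append(s2); I.append(i2); R.append(r2); Q.append(q2)
    return S, I, R, Q


def as_status(I, N):
    """AS-level rule from the slides: the AS node is infectious (I) once I(t)/N >= 0.5."""
    return "I" if I / N >= 0.5 else "S"


def first_infectious_step(I, N):
    """First step at which the AS-level rule flips to infectious, or None if it never does."""
    return next((k for k, v in enumerate(I) if as_status(v, N) == "I"), None)


if __name__ == "__main__":
    # Constructed AS: 10,000 hosts, 5 initial infections (the blind-scan I(0) on the slides).
    p = TwoFactorParams(N=10_000, I0=5, beta0=0.8 / 10_000, gamma=0.1, mu=0.06 / 10_000, eta=3)
    S, I, R, Q = simulate(p)
    k = I.index(max(I))
    print(f"peak I = {I[k]:.0f} hosts at t = {k * 0.05:.1f}; "
          f"AS infectious from step {first_infectious_step(I, p.N)}")
```

With these parameters the congestion term (1 - I/N)^η caps the peak below half the hosts, so the AS never crosses the 0.5 rule even though thousands of hosts are infected; raising β0 to the "development" tier or lowering γ moves the peak up.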
Attacker perspectives: Budget
- Preparing phase: worm purchase / refinement / development; social engineering
- Attacking phase: node compromising
Attacker perspectives: Preparing phase
Worm attributes:
- Scanning method: blind vs. hitlist
- Propagation rate: static vs. dynamic
- Capability: basic vs. advanced
Social engineering:
- Number of edge nodes
- Number of hops from each core node to edge nodes
Attacker perspectives: Attacking phase
Node compromising, next hop selection criteria:
- Link degree
- Link traffic
- Node defense resource
Worm injection, candidate selection criteria:
- Hosts of the AS node
Defender perspectives: Objective
Protect core nodes.
Budget: planning phase; defending phase
Defender perspectives
Planning phase, node protection:
- General defense resource allocation (ex: Firewall, IDS)
- Decentralized information sharing system deployment
Defending phase, decentralized information sharing system:
- Unknown worm detection & signature distribution
- Rate limiting
- Worm origin identification
- Firewall reconfiguration
- Dynamic topology reconfiguration
Attack-defense scenarios
Scenarios (figure sequence over AS nodes A–O; legend: AS node, Core AS node, Firewall, Decentralized information sharing system, Type1 worm, Type2 worm, Attacker A)
1. Initial topology: firewalls and decentralized information sharing systems deployed on selected AS nodes.
2. Attacker A: node compromise.
3. Worm injection & propagation from the compromised node.
4. Worm injection & propagation continues.
5. Worm injection & propagation; further node compromise.
6. Node compromise; worm injection & propagation.
7. Worm injection & propagation on two fronts.
8. Detection alarm at a sharing-system node: signature generation & distribution; rate limiting; worm injection & propagation continues.
9. Firewall reconfiguration; worm injection & propagation.
10. Worm injection & propagation.
11. Backdoor; worm injection & propagation.
12. Detection alarm: signature generation & distribution; backdoor.
13. Worm origin identification at several nodes; firewall reconfiguration; backdoor.
14. Node compromise; backdoor; worm injection & propagation.
15. Dynamic topology reconfiguration; backdoor.
Attack-defense Strategies
Attack Strategies
Attack Budget
- Worm budget: 30%~70% of the total budget (Normal distribution)
- Social engineering budget: 0%~10% of the total budget (Normal distribution)
- Node compromising budget: total budget - worm budget - social engineering budget
ex: If the worm budget is 50% of the total budget and the social engineering budget is 5% of the total budget, then the node compromising budget is 45% of the total budget.
Attack Budget: Worm Set Decision
If the attacker has 115,000, he will choose worm set B. If the attacker has 130,000, he will choose worm set C.
Worm Set | Purchase | Refinement | Development | Price
A        | 2        | 1          |             | 100,000
B        |          |            |             | 110,000
C        |          |            |             | 120,000
Attack Budget: Worm attributes
Attribute                                   | Purchase            | Refinement      | Development
Scanning method: Blind scan [1]             | I(0)=5              |                 |
Scanning method: Hitlist scan [2]           | I(0)=(1/150)N       | I(0)=(1/120)N   | I(0)=(1/100)N
Propagation speed S (max scan times per unit time) [1] | S=100    | S=200           | S=300
  Static, 0<p<=1                            | S*p=100*p           | S*p=200*p       | S*p=300*p
  Dynamic, 0<p(t)<=1                        | S*p(t)=100*p(t)     | S*p(t)=200*p(t) | S*p(t)=300*p(t)
Capability: Basic [3]                       | β0 = 0.8/N          | β0 = 1/N        | β0 = 1.2/N
Capability: Advanced                        | β0 = 0.8/N & Backdoor | & Backdoor    |
Attack Budget: Social engineering and node compromising
Social engineering: the social engineering budget is spent on information gathering. A convex function represents the relationship between the information gathered and the social engineering budget.
Node compromising: the compromise cost per node is estimated by several convex functions of specific parameters and cost, for example the AS node's defense resource and the total host number of the AS node (N). It is also estimated by a concave function of the information gathered about this AS node and cost.
Attack Strategies
Node compromising. Condition: when the attack path is clear, or the attacker attempts to inject a worm on a specific node, or attempts to compromise a core node with enough attack budget.
Worm injection, the same worm. Condition: when the old worm has not yet been detected and the infection rate has not yet decreased to a certain level.
Worm injection, a new worm. Condition: when the old worm has been detected, or the infection rate has decreased to a certain level.
Attack Strategies
Backdoor/Trojan horse injection. Condition: the attacker uses worms with advanced capabilities.
Worm propagation speed adjustment. Condition: the attacker uses worms with dynamic propagation speed.
- Stealthy strategy: propagation speed p(t) in 0.03~0.3
- Aggressive strategy: propagation speed p(t) in 0.8~1
Attack Strategies: Node compromising, next hop selection criteria
1. Link degree
  1.1 High
  1.2 Low
  1.3 Random
2. Link traffic
3. Node defense resource
...
Attack Strategies: Node compromising (example)
(figure: nodes A–G; three candidate next-hop nodes annotated)
D: link degree; G: node defense resource; T: link traffic
- candidate 1: D=2, G=20, T=100
- candidate 2: D=3, G=50, T=120
- candidate 3: D=4, G=30, T=150
Normalized spread of each criterion across the candidates, (max - min)/max:
D = (4 - 2)/4 = 0.5
G = (50 - 20)/50 = 0.6
→ Choose node defense resource (the criterion with the larger value) as the next hop selection criterion.
Next hop selection criteria: Link Degree (figure)
Next hop selection criteria: Link Traffic (figure)
Next hop selection criteria: Node Defense Resource (figure)
Attack Strategies: Node compromising
For example, if the attacker chooses link degree as the next hop selection criterion, the scores V1.1, V1.2 and V1.3 represent the score of each corresponding strategy respectively:
1.1: prefer higher link degree
1.2: prefer lower link degree
1.3: random
If ____, the probability of choosing the prefer-higher-link-degree strategy is ____, and the probability of choosing the prefer-lower-link-degree strategy is ____.
Defense Strategies
Defense Budget
- Node deployment: general defense resource; decentralized information sharing system deployment
- Link deployment
- Signature generation and distribution
Defense Strategies
Detection:
- Decentralized information sharing
- Signature generation & distribution
Mitigation:
- Rate limiting
- Worm origin & propagation path identification
Avoidance:
- Dynamic topology reconfiguration
Defense Strategies: Detection, decentralized information sharing
Step 1: Let (content_{t-1,k}, count_{t-1,k}) be all pairs sent to node i in round t-1.
Step 2: Let d_{t,i} = Σ count_{t-1,k} represent the sum of the prevalence values of the signature content_k received by node i at round t, for one particular content block k.
Step 3: Compare d_{t,i} with Threshold_i. If d_{t,i} > Threshold_i, then content_k is identified as a worm signature.
Step 4: Randomly and uniformly choose a target target_t(i) from the neighbors of i.
Step 5: Send the pair (content_k, d_{t,i}/2) to target_t(i) and to i (itself).
Signature generation and distribution. Condition: when the count of content_k exceeds Threshold_i, the detection node starts generating and distributing signatures.
Defense Strategies: Mitigation, rate limiting
Condition: only nodes that have deployed the decentralized information sharing system can enable the rate limiting mechanism. It is triggered when the count has not yet exceeded the signature-generation threshold but has exceeded 70% of that threshold.
Traffic(in) = Traffic(out) * confidence, with confidence in 0.3~0.7 (normal distribution).
ex: if confidence = 0.5, then 50% of the worm traffic sent to the detection node is blocked.
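As an added example (not part of the slides), the following Python script runs detection steps 1–5 for one content block k on a constructed six-node AS ring and applies the 70%-of-threshold rate-limiting rule at each node; the topology, which nodes run the sharing system, the thresholds, the per-round local sightings and the confidence value are all assumptions.

```python
"""Gossip-style worm-signature detection (steps 1-5) with the 70%-of-threshold rate-limiting rule."""
import random
from collections import defaultdict

# Constructed AS-level ring of six nodes; every node runs the sharing system except D,
# which therefore cannot rate-limit (slide condition).
NEIGHBORS = {"A": ["B", "F"], "B": ["A", "C"], "C": ["B", "D"],
             "D": ["C", "E"], "E": ["D", "F"], "F": ["E", "A"]}
HAS_SHARING_SYSTEM = {"A": True, "B": True, "C": True, "D": False, "E": True, "F": True}
THRESHOLD = {n: 10.0 for n in NEIGHBORS}      # Threshold_i, identical at every node here
# Constructed per-round local sightings of content block k; A sits closest to the infected AS.
LOCAL_OBS = {"A": 4, "B": 2, "C": 1, "D": 1, "E": 1, "F": 1}
RATE_LIMIT_FRACTION = 0.7                      # rate-limit once d reaches 70% of the threshold


def rate_limit_factor(d, threshold, has_system, confidence):
    """Fraction of suspect traffic blocked at the node: 0 unless the node runs the sharing
    system and 0.7*threshold <= d <= threshold; then Traffic(in) = Traffic(out) * confidence."""
    if not has_system or d > threshold or d < RATE_LIMIT_FRACTION * threshold:
        return 0.0
    return confidence


def run(rounds, seed=1, confidence=0.5):
    """Run the sharing protocol for content k. Returns (round, node, event) tuples."""
    rng = random.Random(seed)
    inbox = defaultdict(float)                 # step 1: counts delivered to node i for round t
    events = []
    for t in range(1, rounds + 1):
        for n in NEIGHBORS:                    # local sensor reports enter as (content_k, 1) pairs
            inbox[n] += LOCAL_OBS[n]
        outbox = defaultdict(float)
        for i in NEIGHBORS:
            d = inbox[i]                                       # step 2: d_{t,i}
            if d > THRESHOLD[i]:                               # step 3: worm signature found
                events.append((t, i, "signature"))
            elif rate_limit_factor(d, THRESHOLD[i], HAS_SHARING_SYSTEM[i], confidence) > 0:
                events.append((t, i, "rate_limit"))
            target = rng.choice(NEIGHBORS[i])                  # step 4: uniform random neighbour
            outbox[target] += d / 2                            # step 5: half to the neighbour
            outbox[i] += d / 2                                 #         half kept by i itself
        inbox = outbox
    return events


def first_signature_round(events):
    return min((t for t, _, kind in events if kind == "signature"), default=None)


if __name__ == "__main__":
    ev = run(10)
    print("first signature round:", first_signature_round(ev))
    print("rate-limited (round, node):", [(t, n) for t, n, k in ev if k == "rate_limit"])
```

Because every node forwards all of its count, the total prevalence in the system grows by the local sightings each round, so with these inputs some node crosses the threshold between rounds 3 and 7 regardless of the random neighbour choices.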
Defense Strategies: Mitigation, worm origin & propagation path identification
Condition: when the ratio of infectious nodes to total nodes exceeds a certain level. Summary AS traffic information is aggregated at several detection nodes for analysis. The identification accuracy and the communication overhead are affected by the hop count of the traversed path (H). [4]
Defense Strategies: Avoidance, dynamic topology reconfiguration
Disconnect link. Condition: when the risk level of core node j has reached the threshold; ex: if the distance between a compromised node and the core node is one hop, disconnect the link between them.
Reconnect link. Condition: when the risk level of core node j has recovered to its previous level, or the QoS performance reduction has almost reached its threshold, reconnect the link. Start with the link that connects to the node with the highest defense resource.
Defense Strategies: Avoidance, dynamic topology reconfiguration, risk level
V_ij is computed every time the attacker selects a target i. V_ij is the risk level of each core node j with respect to the attacker's target node i. The lowest V_ij is saved as V_Lowest.
Defense Strategies: Dynamic topology reconfiguration (example)
(figure: nodes A–G, core node F)
When node B has been compromised and node D has been infected by the worm, the defender can temporarily disconnect link BF or link DF.
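As an added example rather than the thesis's own code, this Python snippet applies the disconnect and reconnect rules above to a graph modelled on the figure (nodes A–G, core node F); the exact link set and the per-node defense-resource values are constructed.

```python
"""Dynamic topology reconfiguration: cut a core node's links to compromised or infected
one-hop neighbours, then reconnect them in descending order of defense resource."""

# Constructed AS graph in the spirit of the figure; F is the core node.
LINKS = {("A", "B"), ("A", "C"), ("B", "D"), ("B", "F"),
         ("C", "E"), ("D", "F"), ("E", "F"), ("F", "G")}
# Assumed general defense resource per node (the G value used when ordering reconnects).
DEFENSE = {"A": 100, "B": 80, "C": 120, "D": 150, "E": 100, "F": 200, "G": 100}


def neighbors(links, node):
    """Nodes adjacent to `node` in an undirected link set."""
    return {b if a == node else a for a, b in links if node in (a, b)}


def links_to_cut(links, core, hostile):
    """Disconnect rule: every direct link between the core node and a compromised or
    worm-infected node (distance one hop, the slide's risk threshold) is removed."""
    return {frozenset((core, n)) for n in neighbors(links, core) & set(hostile)}


def apply_cut(links, cuts):
    """Topology after the cuts; links are compared as unordered pairs."""
    return {link for link in links if frozenset(link) not in cuts}


def reconnect_order(cuts, core, defense):
    """Reconnect rule: once the core node's risk level recovers (or the QoS loss nears its
    threshold), restore links starting with the neighbour holding the most defense resource."""
    peers = [next(iter(c - {core})) for c in cuts]
    return sorted(peers, key=lambda n: defense[n], reverse=True)


if __name__ == "__main__":
    cuts = links_to_cut(LINKS, "F", {"B", "D"})          # B compromised, D infected
    print("cut:", [tuple(sorted(c)) for c in cuts])
    print("core F now sees:", sorted(neighbors(apply_cut(LINKS, cuts), "F")))
    print("reconnect order:", reconnect_order(cuts, "F", DEFENSE))
```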
Enhancement Process
Enhancement Process: Primal Problem (IP 1)
The first primal run, with M simulations, gives Zp* = 0.7.
Enhancement Process: LR Problem
Enhancement Process
If all initial multipliers μ1 are 0, then the first LR problem is:
From this first LR problem we obtain the following m values and Z_LR1 = 0.5, from which the multipliers μ2 can be computed.
Given the multipliers μ2, the second LR problem is:
From this second LR problem we obtain the coefficient m and Z_LR2, from which the next round's multipliers μ3 can be computed.
Enhancement Process
μ_nodelink > μ_special > μ_general > μ_special
(figure: Primal Problem Configuration vs. LR Problem Configuration; nodes A–G annotated with general defense resource values G between 80 and 200)
Enhancement Process: Node and link adjustment
1. First, find the bottleneck of the network topology through simulation analysis.
2. Second, find all paths that pass through the bottleneck and analyze which services the traffic on these paths belongs to.
3. By service type, find the shortest path from the bottleneck to the core node and construct a link between a new node and the node with the lowest loading on that shortest path.
4. Construct a link between the new node and the bottleneck.
Enhancement Process: Node and link adjustment (example)
(figure: nodes A–G, Service 1) The loading of node C is too heavy: it is a bottleneck. Along the shortest path from node C to F, the loading of node D is the lowest.
(figure: nodes A–F, before and after) The loading of node E is the lowest: delete node E and the links connected to node E.
Enhancement Process: General defense resource
According to the simulation results, we can find the nodes that are often or seldom attacked, and the nodes on which the attacker is willing to spend more or fewer attack resources. Since the budget constraint has been relaxed, we can adjust the defense rate and figure out how much tm should be put on each node.
Enhancement Process: General defense resource (examples)
(figure: nodes A–F) The attacker is often willing to spend a lot of attack resources to attack node D.
(figure: nodes A–F) Node D is seldom attacked.
Enhancement Process: Special defense resource, decentralized information sharing system
According to the M simulation results, we can observe the ratio of worm infection on the AS network. If, after signature generation and distribution, the ratio of worm infection on the AS network is still high, we can add deployments of the decentralized information sharing system. If, after signature generation and distribution, the ratio of worm infection on the AS network is very low, we can reduce the deployment of the decentralized information sharing system.
Enhancement Process: Special defense resource (example)
(figure: nodes A–F, before and after adjusting the deployment) The ratio of worm infection on the AS network is 4/6.
Enhancement Process: Defending resource, signature generation and distribution
According to the M simulation results, we can observe the ratio of worm infection on the AS network. If, after signature generation and distribution, the ratio of worm infection on the AS network is still high, we can adjust the threshold for generating signatures or the distribution frequency of signatures. The threshold for generating signatures influences the false positive rate of the signatures.
References
[1] T. Vogt, "Simulating and optimising worm propagation algorithms", 2003.
[2] C.C. Zou, L. Gao, W. Gong, D. Towsley, "Monitoring and Early Warning for Internet Worms", Proceedings of the 10th ACM Conference on Computer and Communications Security, 2003.
[3] C.C. Zou, W. Gong, D. Towsley, "Code Red Worm Propagation Modeling and Analysis", 9th ACM Symposium on Computer and Communication Security, pp. 138-147, 2002.
[4] Y. Xie, V. Sekar, M.K. Reiter, H. Zhang, "Forensic Analysis for Epidemic Attacks in Federated Networks", Proceedings of the 2006 14th IEEE International Conference on Network Protocols, November 2006.
Thank you for listening.