Advisor: Frank,Yeong-Sung Lin Presented by Jia-Ling Pan


Effective Network Planning and Defending Strategies to Minimize Attackers' Success Probabilities under Malicious and Epidemic Attacks. Advisor: Frank, Yeong-Sung Lin. Presented by Jia-Ling Pan. 2019/5/3 NTUIM OPLAB

Agenda: Problem Description; Attack-defense Strategies; Enhancement Process.

Problem Description

Problem Description: attacker perspectives; defender perspectives; attack-defense scenarios.

Attacker perspectives. Objective: using worms to get a clearer map of network topology information or vulnerabilities, and eventually compromise core nodes.

Attacker perspectives. Worm propagation model: the two-factor model. Human countermeasures: cleaning compromised computers; patching or upgrading susceptible computers; setting up filters to block the worm traffic on firewalls or edge routers; disconnecting computers from the Internet. Decreased infection rate β(t): large-scale worm propagation has caused congestion and trouble for some Internet routers, which has slowed down the worm scanning process.

Attacker perspectives. Worm propagation model: two-factor model.
$\frac{dR(t)}{dt} = \gamma I(t)$ (1)
$\frac{dQ(t)}{dt} = \mu S(t) J(t)$ (2)
$J(t) = I(t) + R(t)$ (3)
$\beta(t) = \beta_0 \left[1 - \frac{I(t)}{N}\right]^{\eta}$ (4)
$N = S(t) + I(t) + R(t) + Q(t)$ (5)
$\frac{dS(t)}{dt} = -\beta(t) S(t) I(t) - \frac{dQ(t)}{dt}$ (6)
$\frac{dI(t)}{dt} = \beta(t) S(t) I(t) - \frac{dR(t)}{dt}$ (7)

Attacker perspectives. Worm propagation model: two-factor model, discrete-time update.
$I(t) = I(t-1) + \frac{dI(t-1)}{dt}\,\Delta t$ (8)
$R(t) = R(t-1) + \frac{dR(t-1)}{dt}\,\Delta t$ (9)
$Q(t) = Q(t-1) + \frac{dQ(t-1)}{dt}\,\Delta t$ (10)
$S(t) = N - I(t) - R(t) - Q(t)$ (11)
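
Equations (1) to (11) can be stepped directly. The following is an added example, not code from the presentation: it integrates the two-factor model with the slides' N_A = 1,000,000, I(0) = 5 and β0 = 0.8/N, and compares it with the same model with both factors switched off. The values of γ, μ and η are assumptions chosen for illustration, and the function names are hypothetical.

```python
# Added example: Euler stepping of the two-factor worm model, eqs. (1)-(11).
# gamma, mu and eta are ASSUMED values; the slides do not state them.

def simulate_two_factor(N, I0, beta0, gamma, mu, eta, dt=1.0, steps=300):
    """Return [(t, S, I, R, Q), ...] for t = 0, dt, ..., steps*dt."""
    I, R, Q = float(I0), 0.0, 0.0
    S = N - I - R - Q                               # (5)
    history = [(0.0, S, I, R, Q)]
    for k in range(1, steps + 1):
        J = I + R                                   # (3) ever-infected hosts
        beta = beta0 * (1.0 - I / N) ** eta         # (4) congestion slows scanning
        dR = gamma * I                              # (1) infected hosts cleaned
        dQ = mu * S * J                             # (2) susceptible hosts patched
        dI = beta * S * I - dR                      # (7)
        I += dI * dt                                # (8)
        R += dR * dt                                # (9)
        Q += dQ * dt                                # (10)
        S = N - I - R - Q                           # (11)
        if S < -1e-9 * N or I < 0:
            raise ValueError("dt too large: Euler step left the valid range")
        S = max(S, 0.0)                             # absorb float rounding only
        history.append((k * dt, S, I, R, Q))
    return history


def peak_infected(history):
    """Return (t, I) at the maximum of I(t)."""
    t, _, infected, _, _ = max(history, key=lambda row: row[2])
    return t, infected


def first_infectious_time(history, N, threshold=0.5):
    """First t with I(t)/N >= threshold (the slides' AS-node rule), else None."""
    for t, _, infected, _, _ in history:
        if infected / N >= threshold:
            return t
    return None


def demo(N=1_000_000, I0=5):
    """Compare the two-factor model with the same model, both factors off."""
    two = simulate_two_factor(N, I0, 0.8 / N, gamma=0.05, mu=0.06 / N, eta=3)
    plain = simulate_two_factor(N, I0, 0.8 / N, gamma=0.0, mu=0.0, eta=0)
    return {
        "two_factor_peak": peak_infected(two),
        "two_factor_final_I": two[-1][2],
        "plain_final_I": plain[-1][2],
        "two_factor_infectious_at": first_infectious_time(two, N),
        "plain_infectious_at": first_infectious_time(plain, N),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

With countermeasures and congestion enabled, I(t) peaks well below N and then decays, which is what gives the defender's signature distribution and rate limiting a window in which to act.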

Attacker perspectives. Worm propagation model: two-factor model. If I(t)/N_A >= 0.5, the status of the AS node is considered infectious (I). [Figure: AS topology with nodes A to G and host counts N_A: 1,000,000; N_B: 100,000; N_C: 10,000; N_D: 1,000,000; N_E: 100,000; N_F: 10,000; N_G: 100,000. Initial infections shown: I(0)=5, I(0)/N_B=5/100,000; I(0)=5, I(0)/N_A=5/1,000,000; I(0)=5, I(0)/N_C=5/10,000.]

Attacker perspectives. Budget. Preparing phase: worm purchase / refinement / development; social engineering. Attacking phase: node compromising.

Attacker perspectives. Preparing phase. Worm attributes: scanning method (blind vs. hitlist); propagation rate (static vs. dynamic); capability (basic vs. advanced). Social engineering: number of edge nodes; number of hops from each core node to edge nodes.

Attacker perspectives. Attacking phase. Node compromising, next hop selection criteria: link degree; link traffic; node defense resource. Worm injection, candidate selection criteria: hosts of AS node.

Defender perspectives. Objective: protect core nodes. Budget: planning phase; defending phase.

Defender perspectives. Planning phase: node protection; general defense resources allocation (e.g. firewall, IDS); decentralized information sharing system deployment. Defending phase: decentralized information sharing system; unknown worm detection & signature distribution; rate limiting; worm origin identification; firewall reconfiguration; dynamic topology reconfiguration.

Attack-defense scenarios

Scenarios [figure sequence: AS-level topology with nodes A to O. Legend: AS node, core AS node, firewall, decentralized information sharing system, Type1 worm, Type2 worm, attacker A. Slide titles and callouts, in order:]
1. Decentralized information sharing system.
2. Decentralized information sharing system. Callouts: attacker A; node compromise.
3. Decentralized information sharing system. Callouts: worm injection & propagation.
4. Decentralized information sharing system. Callouts: worm injection & propagation.
5. Decentralized information sharing system. Callouts: worm injection & propagation; node compromise.
6. Decentralized information sharing system. Callouts: node compromise; worm injection & propagation.
7. Decentralized information sharing system. Callouts: worm injection & propagation (two locations).
8. Signature generation & distribution. Callouts: worm injection & propagation (two locations); detection alarm; rate limiting.
9. Firewall reconfiguration. Callouts: worm injection & propagation.
10. Decentralized information sharing system. Callouts: worm injection & propagation.
11. Decentralized information sharing system. Callouts: worm injection & propagation; backdoor.
12. Signature generation & distribution. Callouts: worm injection & propagation; backdoor; detection alarm.
13. Worm origin identification. Callouts: worm injection & propagation; backdoor; firewall reconfiguration.
14. Decentralized information sharing system. Callouts: worm injection & propagation; node compromise; backdoor.
15. Dynamic topology reconfiguration. Callouts: worm injection & propagation; backdoor.

Attack-defense Strategies

Attack Strategies

Attack Budget. Worm budget: 30%~70% of total budget (normal distribution). Social engineering budget: 0%~10% of total budget (normal distribution). Node compromising budget: total budget - worm budget - social engineering budget. Ex: if the worm budget is 50% of the total budget and the social engineering budget is 5% of the total budget, then the node compromising budget is 45% of the total budget.

Attack Budget. Worm set decision: if the attacker has 115,000, he'll choose worm set B; if the attacker has 130,000, he'll choose worm set C. Table (columns: Worm Set, Purchase, Refinement, Development, Price): A 2 1 100,000; B 110,000; C 120,000.

Attack Budget. Worm attributes, by worm source (Purchase; Refinement; Development):
Scanning method, blind scan [1]: I(0)=5.
Scanning method, hitlist scan [2]: I(0)=(1/150)N; I(0)=(1/120)N; I(0)=(1/100)N.
Propagation speed (S), max scan times per unit time [1]: S=100; S=200; S=300.
Propagation speed, static, 0<p<=1: S*p=100*p; S*p=200*p; S*p=300*p.
Propagation speed, dynamic, 0<p(t)<=1: S*p(t)=100*p(t); S*p(t)=200*p(t); S*p(t)=300*p(t).
Capability, basic [3]: β0 = 0.8/N; β0 = 1/N; β0 = 1.2/N.
Capability, advanced: β0 = 0.8/N & Backdoor & Backdoor.

Attack Budget. Social engineering: the social engineering budget is spent on information gathering. A convex function represents the relationship between gathered information and social engineering budget. Node compromising: the compromise cost per node is estimated by several convex functions of specific parameters and cost, for example the AS node's defense resource and the total host number of the AS node (N). It is also estimated by a concave function of the gathered information about this AS node and cost.

Attack Strategies. Node compromising. Condition: when the attack path is clear, or when attempting to inject a worm on a specific node, or when attempting to compromise a core node under enough attack budget. Worm injection, the same worm. Condition: when the old worm has not been detected yet and the infection rate has not yet decreased to a certain level. Worm injection, new worm. Condition: when the old worm has been detected, or the infection rate has decreased to a certain level.

Attack Strategies. Backdoor/Trojan horse injection. Condition: the attacker uses worms with advanced capabilities. Worm propagation speed adjustment. Condition: the attacker uses worms with dynamic propagation speed. Stealthy strategy: propagation speed p(t): 0.03~0.3. Aggressive strategy: propagation speed p(t): 0.8~1.

Attack Strategies. Node compromising. Next hop selection criteria: 1. Link degree (1.1 High; 1.2 Low; 1.3 Random); 2. Link traffic; 3. Node defense resource; ...

Attack Strategies. Node compromising. D: link degree; G: node defense resource; T: link traffic. [Figure: topology with nodes A to G; candidate next hops labeled D=2, G=20, T=100; D=3, G=50, T=120; D=4, G=30, T=150.] D=(4-2)/4=0.5, G=(50-20)/50=0.6 → choose node defense resource.

Next hop selection criteria: Link Degree

Next hop selection criteria: Link Traffic

Next hop selection criteria: Node Defense Resource

Attack Strategies. Node compromising. For example, the attacker chooses link degree as the next hop selection criterion, and V1.1, V1.2 and V1.3 are the scores of the corresponding strategies: 1.1: prefer higher link degree; 1.2: prefer lower link degree; 1.3: random. If , the probability for choosing the prefer-higher-link-degree strategy is , and the probability for choosing the prefer-lower-link-degree strategy is

Defense Strategies

Defense Budget: node deployment; link deployment; general defense resource; decentralized information sharing system deployment; signature generation and distribution.

Defense Strategies. Detection: decentralized information sharing; signature generation & distribution. Mitigation: rate limiting; worm origin & propagation path identification. Avoidance: dynamic topology reconfiguration.

Defense Strategies. Detection: decentralized information sharing.
Step 1: Let $(content_{t-1,k}, count_{t-1,k})$ be all pairs sent to node i in round t − 1.
Step 2: Let $d_{t,i} = \sum count_{t-1,k}$ represent the sum of the prevalence values of the signature $content_k$ received by node i at round t for one particular content block k.
Step 3: Compare $d_{t,i}$ with $Threshold_i$. If $d_{t,i} > Threshold_i$, then $content_k$ is identified as a worm signature.
Step 4: Choose a target $target_t(i)$ uniformly at random from the neighbors of i.
Step 5: Send the pair $(content_k, \frac{1}{2} d_{t,i})$ to $target_t(i)$ and to i (itself).
Signature generation and distribution. Condition: when the count of $content_k$ exceeds $Threshold_i$, the detection node starts generating and distributing signatures.
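
The five steps above, run as synchronous rounds on a small graph. This is an added example, not code from the presentation: the topology, the observed counts, the thresholds and the content-block names are constructed, and round 0 treats each node's local observation as a pair it sent to itself. Halving in Step 5 conserves the total prevalence of a block, so a block whose total stays at or below every threshold can never raise an alarm.

```python
# Added example: the prevalence-sharing rounds (Steps 1-5) on a constructed graph.
import random
from fractions import Fraction

# Constructed sample data (not from the slides): topology, local observations
# of content blocks at round 0, and one detection threshold per node.
NEIGHBORS = {"A": ["B", "C"], "B": ["A", "C", "D"], "C": ["A", "B", "D"],
             "D": ["B", "C", "E"], "E": ["D"]}
OBSERVED = {"A": {"blk-worm": 12}, "B": {"blk-worm": 3, "blk-benign": 2},
            "D": {"blk-benign": 3}}
THRESHOLDS = {node: 8 for node in NEIGHBORS}


def gossip_round(neighbors, inbox, thresholds, rng):
    """Run Steps 1-5 once at every node; return (next_inbox, alarms)."""
    next_inbox = {i: {} for i in neighbors}
    alarms = set()
    for i in sorted(neighbors):
        for k, counts in sorted(inbox[i].items()):     # Step 1: pairs sent to i
            d = sum(counts, Fraction(0))                # Step 2: d_{t,i}
            if d > thresholds[i]:                       # Step 3: worm signature
                alarms.add((i, k))
            target = rng.choice(neighbors[i])           # Step 4: random neighbor
            for dest in (target, i):                    # Step 5: half each
                next_inbox[dest].setdefault(k, []).append(d / 2)
    return next_inbox, alarms


def total_prevalence(inbox, k):
    """Sum of all counts for content block k currently in flight."""
    return sum((c for box in inbox.values() for c in box.get(k, [])),
               Fraction(0))


def run(neighbors, observed, thresholds, rounds=10, seed=1):
    """Return (final inbox, {(node, content): first round it raised an alarm})."""
    rng = random.Random(seed)
    inbox = {i: {k: [Fraction(c)] for k, c in observed.get(i, {}).items()}
             for i in neighbors}
    first_alarm = {}
    for t in range(1, rounds + 1):
        inbox, alarms = gossip_round(neighbors, inbox, thresholds, rng)
        for hit in alarms:
            first_alarm.setdefault(hit, t)
    return inbox, first_alarm


if __name__ == "__main__":
    final, first_alarm = run(NEIGHBORS, OBSERVED, THRESHOLDS)
    print("alarms:", sorted(first_alarm.items()))
    print("worm mass:", total_prevalence(final, "blk-worm"))
```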

Defense Strategies. Mitigation: rate limiting. Condition: only nodes that have deployed the decentralized information sharing system can enable the rate limiting mechanism. It applies when the count has not exceeded the threshold for generating a signature but has exceeded threshold*(70% up). Traffic(in) = Traffic(out) * confidence, with confidence: 0.3~0.7 (normal distribution). Ex: if confidence = 0.5, then the ratio of worm traffic sent to the detection node that is blocked is 50%.

Defense Strategies. Mitigation: worm origin & propagation path identification. Condition: when the ratio of infectious nodes to total nodes exceeds a certain level. The summarized AS traffic information is aggregated at several detection nodes for analysis. The identification accuracy and communication overhead are affected by the hop number of the traversed path (H). [4]

Defense Strategies. Avoidance: dynamic topology reconfiguration. Disconnect link. Condition: when the risk level of core node j has reached the threshold; ex: if the distance between a compromised node and the core node is one hop, then disconnect the link between them. Reconnect link. Condition: when the risk level of core node j has recovered to its previous level, or the QoS performance reduction has almost reached the threshold, then reconnect the link. Start by reconnecting the link that connects to the node with the highest defense resource.

Defense Strategies. Avoidance: dynamic topology reconfiguration. Risk level: $V_{ij}$ is computed every time the attacker selects a target i. $V_{ij}$ is the risk level of every core node j from the attacker's target node i. The lowest $V_{ij}$ is saved as $V_{Lowest}$.

Defense Strategies. Dynamic topology reconfiguration. When node B has been compromised and node D has been infected by a worm, the defender can temporarily disconnect link BF or link DF. [Figure: topology with nodes A to G.]

Enhancement Process

Enhancement Process. Primal Problem (IP 1): the first primal run, with M simulations, gives Zp* = 0.7.

Enhancement Process. LR Problem

Enhancement Process. If the initial multipliers μ1 are all 0, then the first LR problem is

Enhancement Process. From this first LR problem we obtain the following m values and ZLR1 = 0.5, from which the multipliers μ2 can be computed.

Enhancement Process. Given the multipliers μ2, the second LR problem is
From this second LR problem we obtain the coefficients m and ZLR2, from which the next round's multipliers μ3 can be computed.

Enhancement Process. μ_nodelink > μ_special > μ_general > μ_special. [Figure: Primal Problem Configuration and LR Problem Configuration, two topologies with nodes A to G; node defense resources labeled G:200, G:120, G:100, G:80, G:100, G:100, G:150 in each.]

Enhancement Process. Node and link adjustment. First, we find the bottleneck of the network topology through simulation analysis. Second, we find all the paths that pass through the bottleneck and analyze which services the traffic on these paths belongs to. By service type, find the shortest path from the bottleneck to the core node and construct a link between the new node and the node whose loading is the lowest on the shortest path. Construct a link between the new node and the bottleneck.

Enhancement Process. Node and link adjustment. [Figure: two topologies with nodes A to G, Service 1. Annotations: loading of node C is too heavy, it's a bottleneck; shortest path from node C to F; loading of node D is the lowest on the shortest path.]

Enhancement Process. Node and link adjustment. [Figure: two topologies with nodes A to F. Annotations: loading of node E is the lowest; delete node E and the links connected to node E.]

Enhancement Process. General defense resource. According to the simulation results, we can find which nodes are often or seldom attacked, and on which nodes the attacker is willing to spend more or fewer attack resources. Since the budget constraints have been relaxed, we can adjust the defense rate and figure out how much tm should be put on the node.

Enhancement Process. General defense resource. [Figure: topology with nodes A to F. Annotation: the attacker is often willing to spend a lot of attack resources to attack node D.]

Enhancement Process. General defense resource. [Figure: topology with nodes A to F. Annotation: node D is seldom attacked.]

Enhancement Process. Special defense resource: decentralized information sharing system. According to the M simulation results, we can observe the ratio of worm infection on the AS network. If the ratio of worm infection on the AS network is still high after signature generation and distribution, we can add to the deployment of the decentralized information sharing system. If the ratio is very low after signature generation and distribution, we can reduce the deployment of the decentralized information sharing system.

Enhancement Process. Special defense resource. [Figure: two topologies with nodes A to F. Annotation: the ratio of worm infection on the AS network is 4/6.]

Enhancement Process. Defending resource: signature generation and distribution. According to the M simulation results, we can observe the ratio of worm infection on the AS network. If the ratio of worm infection on the AS network is still high after signature generation and distribution, we can adjust the threshold for generating signatures or the distribution frequency of signatures. The threshold for generating signatures will influence the false positives of the signatures.

Reference
[1] T. Vogt, "Simulating and optimising worm propagation algorithms", 2003.
[2] C.C. Zou, L. Gao, W. Gong, D. Towsley, "Monitoring and Early Warning for Internet Worms", In Proceedings of 10th ACM Conference on Computer and Communications Security, 2003.
[3] C.C. Zou, W. Gong and D. Towsley, "Code Red Worm Propagation Modeling and Analysis", 9th ACM Symposium on Computer and Communication Security, Pages 138-147, 2002.
[4] Y. Xie, V. Sekar, M.K. Reiter and H. Zhang, "Forensic Analysis for Epidemic Attacks in Federated Networks", Proceedings of the 2006 14th IEEE International Conference on Network Protocols, November 2006.

Thanks for your listening