Efficient Network Planning and Defending Strategies to Minimize Attackers' Success Probabilities under Malicious and Epidemic Attacks
Advisor: Frank, Yeong-Sung Lin
Presented by Jia-Ling Pan
2019/5/16 NTUIM OPLAB
Agenda
- Problem Description
- Mathematical Formulation
Problem Description
Problem Description
- Attacker attributes
- Defender attributes
- Attack-defense scenarios
Attacker attributes: Objective
Use worms to build a clearer map of the network topology and its vulnerabilities, and eventually compromise the core nodes.
Attacker attributes: Budget
- Preparing phase: worm purchasing vs. development; social engineering
- Attacking phase: node compromising; worm injection
Attacker attributes: Preparing phase
- Worm attributes
  - Scanning method: blind vs. hitlist
  - Propagation rate: static vs. dynamic
  - Capability: basic vs. advanced
- Social engineering
  - Number of edge nodes
  - Number of hops from each core node to the edge nodes
Attacker attributes: Attacking phase
- Node compromising: next hop selection criteria
  - Link degree: high link degree (information seeking)
  - Link utilization: low link utilization (stealth strategy)
- Worm injection: candidate selection criteria
  - Link traffic: high link traffic (high rate worm); low link traffic (low rate worm)
  - Node defense resource β(t)
Defender attributes
- Objective: protect the core nodes
- Budget: planning phase; defending phase
Defender attributes: Planning phase and Defending phase
- Planning phase: node protection
  - General defense resource allocation (e.g. firewall, IDS)
  - Decentralized information sharing system deployment
- Defending phase: decentralized information sharing system
  - Unknown worm detection & signature distribution
  - Rate limiting
  - Worm origin identification
  - Firewall reconfiguration
  - Dynamic topology reconfiguration
Attack-defense scenarios
Scenarios (sequence of network diagrams; only the legend and step annotations are recoverable from the slides)
Legend: AS node; core AS node; firewall; decentralized information sharing system; type 1 worm; type 2 worm; attacker.
Steps annotated across the diagrams, in order:
1. Node compromise by the attacker
2. Worm injection & propagation
3. Further node compromise and worm injection & propagation
4. Detection alarm, signature generation & distribution, and rate limiting
5. Firewall reconfiguration
6. Worm injection & propagation, with a backdoor left behind
7. Detection alarm and signature generation & distribution
8. Worm origin identification and firewall reconfiguration
9. Node compromise and worm injection & propagation
10. Dynamic topology reconfiguration
Mathematical Formulation
Assumption
Assumption
- Defenders have complete information about the network, for example topology, defense resource allocation and node attributes.
- There is an overlay network on the network the defender protects; it is used to deploy the decentralized information sharing system.
- Attackers have incomplete information about the network.
Given parameters
Notation   Description
N          The index set of all nodes
Q          The index set of all nodes that have deployed the decentralized information sharing system
S          The index set of all kinds of services
αi         The weight of the ith service, where i∈S
B          The defender's total budget
E          All possible defense configurations, including defense resource allocation and defending strategies
[symbol missing]  An attack configuration, including the attacker's attributes, corresponding strategies and transition rules, for the attacker's jth attack on the ith service, where i∈S, 1≤j≤Fi
Z          All possible attack configurations, including the attacker's attributes, corresponding strategies and transition rules
Fi         The total number of attacks on the ith service over all attackers, where i∈S
[symbol missing]  1 if the attacker achieves his goal successfully, and 0 otherwise, where i∈S, 1≤j≤Fi
ni         The general defense resources allocated to node i, where i∈N
d          The cost of constructing the decentralized information sharing system on one node
g(qij)     The cost of constructing a link from node i to node j with capacity qij, where i∈N, j∈N

Decision variables
Notation   Description
[symbol missing]  A defense configuration, including defense resource allocation and defending strategies, on the ith service, i∈S
xi         1 if node i is implemented with the decentralized information sharing system, and 0 otherwise, where i∈N
qij        The capacity of the direct link between node i and node j, where i∈N, j∈N
Objective function (IP 1)
Constraints
- Capacity constraint (IP 1.1)
- Integer constraint (IP 1.2)
Constraints: Defender's budget constraints (IP 1.5), (IP 1.6), (IP 1.7), (IP 1.8)
Constraints: QoS constraints
QoS is a function of link utilization, core node loading, hops to the core node, and affected traffic ratio. At the end of the attack, the following constraint must be satisfied. (IP 1.9)
Constraints: QoS [figure: QoS plotted against compromise times]
Constraints: QoS constraints
- The performance reduction caused by firewall reconfiguration must not make the current status violate IP 1.9. (IP 1.10)
- The performance reduction caused by rate limiting must not make the current status violate IP 1.9. (IP 1.11)
- The performance reduction caused by dynamic topology reconfiguration must not make the current status violate IP 1.9. (IP 1.12)
Constraints: QoS constraints
- The negative effect caused by false positives must not make the current status violate IP 1.9. (IP1.13)
- The defender has to guarantee that at least one core node is not compromised at any time. (IP1.14)
Constraints: Signature generation and distribution constraints
- Only nodes that have deployed the decentralized information sharing system can be activated. (IP1.15)
- Signature generation and distribution can only be activated after an unknown worm is detected. (IP1.16)
- A signature generated by the system must reach a confidence level before it can be distributed. (IP1.17)
- The total cost of generating and distributing signatures cannot exceed the dynamic defense budget. (A senior labmate said this should be discussed with the advisor.)
Constraints: Dynamic topology reconfiguration constraints
- For each core node, when [condition not recovered], the defender can activate this mechanism so that the core node avoids being compromised or infected by worms. (IP1.18)
- Only nodes that have not yet been compromised can activate this mechanism. (IP1.19)
Constraints: Rate limiting constraints and path continuity constraint
- Rate limiting: only nodes that have deployed the decentralized information sharing system can enable the rate limiting mechanism. Ai is the suspect traffic to node i, i∈N. (IP1.20), (IP1.21)
- Path continuity: a node is only subject to attack if a path exists from the attacker's position to that node, and all intermediate nodes on the path have been compromised. (IP1.22)
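As an added illustration that is not part of the presentation, a small Python model of two of the constraints above: the defender's planning budget (general resources ni, deployment cost d·xi and link cost g(qij) against B) and the path continuity constraint (IP1.22), plus the IP1.14 guarantee that a core node survives. The network, costs and the linear form assumed for g are constructed sample values.

```python
from collections import deque

# Constructed sample instance (not from the slides): five AS nodes, two of them
# core nodes, undirected links with capacities q_ij, and planning-phase values.
CORE = {"D", "E"}                                                    # core AS nodes
LINKS = {("A", "B"): 10, ("B", "C"): 10, ("C", "D"): 5, ("B", "E"): 5}  # q_ij
N_I = {"A": 1, "B": 2, "C": 2, "D": 4, "E": 4}   # n_i, general defense resources
X_I = {"A": 0, "B": 1, "C": 0, "D": 1, "E": 1}   # x_i, info-sharing system deployed
D_COST = 3                                       # d, per-node deployment cost
B_BUDGET = 60                                    # B, defender's total budget

def g(q):
    """Link cost g(q_ij); the slides leave g unspecified, linear cost is assumed."""
    return q

def budget_used(n_i, x_i, links, d):
    """Planning-phase spend: resources n_i, deployments d*x_i, links g(q_ij)."""
    return sum(n_i.values()) + d * sum(x_i.values()) + sum(g(q) for q in links.values())

def within_budget(n_i, x_i, links, d, budget):
    return budget_used(n_i, x_i, links, d) <= budget

def attackable(links, compromised, attacker_pos):
    """Path continuity (IP1.22): a node is subject to attack only if a path from
    the attacker's position reaches it and every intermediate node on that path
    is already compromised. Returns the set of such nodes."""
    adj = {}
    for (u, v) in links:
        adj.setdefault(u, set()).add(v)
        adj.setdefault(v, set()).add(u)
    seen, frontier = {attacker_pos}, set()
    queue = deque([attacker_pos])
    while queue:
        u = queue.popleft()
        for v in adj.get(u, ()):
            if v in seen:
                continue
            seen.add(v)
            if v in compromised:
                queue.append(v)      # compromised: may be traversed further
            else:
                frontier.add(v)      # exposed, but not a transit point yet
    return frontier

def core_survives(compromised):
    """IP1.14: at least one core node must remain uncompromised."""
    return bool(CORE - compromised)
```

Running attackable with a growing compromised set reproduces the scenario sequence: the exposed set advances one hop at a time along compromised nodes, and core_survives flags the point at which IP1.14 would be violated.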
Thank you for listening.