Research Direction Introduction Advisor : Frank, Y.S. Lin Presented by Yu Pu Wu.

Presentation transcript:

Research Direction Introduction Advisor : Frank, Y.S. Lin Presented by Yu Pu Wu

Agenda Problem Description Mathematical Formulation

Problem Description
  Collaborative Attack
  Special Defense Resources
    “Fake Traffic”, “False Target” or “Dual Function” Honeypots
    Virtualization
    Dynamic Topology Reconfiguration
  To minimize the maximized attackers’ success probability by adjusting the defense parameters of the planning and defending phases.

Special Defense Resources
  Honeypots
    Fake Traffic function
    False Target function
    Dual function
  Virtualization
  Dynamic Topology Reconfiguration

Attack Strategies & Risk Acceptance
  Attack Strategies
    Compromise
    Pretend to attack
    Test reaction
    Take opportunity
  Risk Acceptance
    Risk Avoidance
    Risk Tolerance

Stage & Selection Criteria
  Stage
    Early stage
    Late stage
  Selection Criteria
    Defense resource
    Traffic

Time Issue
  Attackers
    Compromise time
    Recovery time
  Defenders
    Reconfiguration impact QoS time
    Reconfiguration QoS recovery time

Pros and Cons of Collaborative Attack
  Advantage
    Decreased budget cost for each attacker
    Less compromise time
    Less recovery time
  Disadvantage
    Probability of being detected

Objective
  To minimize the maximized attackers’ success probability
Given
  Total defense budget
  Cost of constructing each defense mechanism
  Virtualization cost
  Service priority
To be determined
  Attack and defense configurations
  Budget spent on constructing nodes or links
  General and special defense resources

Given Parameters
Notation: Description
N: The index set of all nodes.
C: The index set of all core nodes.
L: The index set of all links.
S: The index set of all types of services.
M: The index set of all levels of virtual machine monitors (VMMs).
H: The index set of all types of honeypots.
P: The index set of candidate nodes equipped with false target function.
Q: The index set of candidate nodes equipped with fake traffic generating function.
R: The index set of candidate nodes equipped with false target and fake traffic generating function.

Given Parameters
Notation: Description
B: The defender’s total budget.
w: The cost of constructing one intermediate node.
o: The cost of constructing one core node.
p: The cost of each virtual machine (VM).
r: The cost of constructing a reconfiguration function to one node.

Given Parameters
Notation: Description
k_i: The maximum number of virtual machines on VMM level i, where i ∈ M.
a_i: The weight of the i-th service, where i ∈ S.
E: All possible defense configurations, including defense resources allocation and defending strategies.
Z: All possible attack configurations, including attacker’s attributes, commander’s strategies and transition rules.
F_i: The number of commanders targeting the i-th service, where i ∈ S.

Decision Variables
Notation: Description
D: An instance of defense configuration, including defense resources allocation and defending strategies on the i-th service, where i ∈ S.
A: An instance of attack configuration, including attacker’s attributes, commander’s strategies and transition rules of the commander who launches the j-th attack on the i-th service, where i ∈ S, 1 ≤ j ≤ F_i.
T(D,A): 1 if the commander achieves his goal successfully, and 0 otherwise, where i ∈ S, 1 ≤ j ≤ F_i.

Decision Variables
Notation: Description
B_nodelink: The budget spent on constructing nodes and links.
B_general: The budget spent on allocating general defense resource.
B_special: The budget spent on deploying special defense resource.
B_virtualization: The budget of virtualization.
B_honeypot: The budget of honeypots.
B_reconfiguration: The budget of reconfiguration functions.

Decision Variables
Notation: Description
e: The total number of intermediate nodes.
n_i: The general defense resources allocated to node i, where i ∈ N.
q_ij: The capacity of the direct link between node i and j, where i ∈ N, j ∈ N.
g(q_ij): The cost of constructing a link from node i to node j with capacity q_ij, where i ∈ N, j ∈ N.
l_i: The number of VMM level i purchased, where i ∈ M.
δ_i: The number of services that honeypot i can simulate, where i ∈ H.
ε_i: The interactive capability of false target honeypot i, where i ∈ P.
θ_i: The maximum throughput of fake traffic that fake traffic generator honeypot i can achieve, where i ∈ Q.

Decision Variables
Notation: Description
v(l_i): The cost of VMM level i with l_i VMMs, where i ∈ M.
h(δ_i, ε_i): The cost of constructing a false target honeypot with the number of simulating services and the interactive capability, where i ∈ P.
f(δ_i, θ_i): The cost of constructing a fake traffic generator honeypot with the number of simulating services and the maximum achievable throughput of fake traffic, where i ∈ Q.
t(δ_i, ε_i, θ_i): The cost of constructing a honeypot equipped with false target and fake traffic generating functions with the number of simulating services, the interactive capability and the maximum achievable throughput of fake traffic, where i ∈ R.
x_i: 1 if node i is equipped with false target function, and 0 otherwise, where i ∈ N.
y_i: 1 if node i is equipped with fake traffic generating function, and 0 otherwise, where i ∈ N.
z_i: 1 if node i is equipped with reconfiguration function, and 0 otherwise, where i ∈ N.

Verbal Notations
Notation: Description
G_core_i: Loading of each core node i, where i ∈ C.
U_link_i: Link utilization of each link i, where i ∈ L.
K_effect: Negative effect caused by applying fake traffic adjustment.
I_effect: Negative effect caused by applying dynamic topology reconfiguration.
J_effect: Negative effect caused by applying local defense.
O_tocore: The number of hops legitimate users experienced from one boundary node to destination.
Y: The total compromise events.
W_threshold: The predefined threshold regarding quality of service.
W_final: The level of quality of service at the end of an attack.
W( ): The value of quality of service is determined by several factors.

Verbal Notations
Notation: Description
ρ_defense: The defense resource of the shortest path from detected compromised nodes to core node i divided by total defense resource, where i ∈ C.
τ_hops: The minimum number of hops from detected compromised nodes to core node i divided by the maximum number of hops from attacker’s starting position to one core node, where i ∈ C.
ω_degree: The link degree of core node i divided by the maximum link degree among all nodes in the topology, where i ∈ C.
S_priority_i: The priority of service i provided by core nodes divided by the maximum service priority among core nodes in the topology, where i ∈ C and j ∈ S.
β_threshold: The risk threshold of core nodes.
β(): The risk status of each core node, which is the aggregation of defense resource, number of hops, link degree and service priority.

Objective Function (IP 1)

Mathematical Constraints 1 2 Direct Link Capacity Constraints : q ij ≥ 0 Honeypot Types Constraints : x i + y i ≥ 1 (IP 1.1) (IP 1.2) (IP 1.3) (IP 1.4)

Mathematical Constraints Budget Constraints : B nodelink ≥ 0 B general ≥ 0 B special ≥ 0 Constructing Topology Constraints : n i ≥ 0 w × e ≥ 0 g (q ij ) ≥ 0 (IP 1.5) (IP 1.6) (IP 1.7) (IP 1.8) (IP 1.9) (IP 1.10)

Mathematical Constraints Budget Constraints : B nodelink ≥ 0 B special ≥ (IP 1.11) (IP 1.12) (IP 1.13) (IP 1.14) (IP 1.15)

Mathematical Constraints Budget Constraints : 1 (IP 1.16) (IP 1.17)

Mathematical Constraints Special defense resource cost constraints : 1 (IP 1.18) (IP 1.19) (IP 1.20) (IP 1.21) (IP 1.22) (IP 1.23) (IP 1.24)

Verbal Constraints
QoS constraints: (IP 1.25)
The performance reduction caused by compromised core nodes should not violate IP1.26. (IP 1.26)
The performance reduction caused by link utilization should not violate IP1.26. (IP 1.27)
The performance reduction caused by fake traffic should not violate IP1.26. (IP 1.28)
The performance reduction caused by dynamic topology reconfiguration should not violate IP1.26. (IP 1.29)
The performance reduction caused by local defense should not violate IP1.26. (IP 1.30)
Legitimate users’ QoS satisfaction with the maximum number of hops from attacking initial point to core node should not violate IP1.26. (IP 1.31)
W_final should not be lower than W_threshold at the end of attack. (IP 1.32)
The defender has to guarantee at least one core node is not compromised at any time. (IP 1.33)

Verbal Constraints
QoS constraints: (IP 1.25)
The performance reduction caused by compromised core nodes should not violate IP1.25. (IP 1.26)
The performance reduction caused by link utilization should not violate IP1.25. (IP 1.27)
The performance reduction caused by fake traffic should not violate IP1.25. (IP 1.28)
The performance reduction caused by dynamic topology reconfiguration should not violate IP1.25. (IP 1.29)
The performance reduction caused by local defense should not violate IP1.25. (IP 1.30)
Legitimate users’ QoS satisfaction with the maximum number of hops from attacking initial point to core node should not violate IP1.25. (IP 1.31)
W_final should not be lower than W_threshold at the end of attack. (IP 1.32)
The defender has to guarantee at least one core node is not compromised at any time. (IP 1.33)

Verbal Constraints
Reconfiguration constraints:
The reconfiguration initial point and the reconfigured node must be equipped with reconfiguration function. (IP 1.35)
The reconfiguration initial point must be the neighbor of core node detected risky. (IP 1.36)
The defense resource of reconfiguration initial point should be the minimum one among all neighbors of core node detected risky. (IP 1.37)
The reconfigured node must be the neighbor of reconfiguration initial point. (IP 1.38)
The reconfigured node must not be the neighbor of core node detected risky. (IP 1.39)
The defense resource of the reconfigured node should be the maximum one among all neighbors of reconfiguration initial node. (IP 1.40)
(IP 1.34)
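
The node selection described by IP 1.35 to IP 1.40, as an added Python example that is not part of the original slides. The topology, node names and resource values are constructed, and two points are assumptions: the minimum and maximum are taken over the nodes that satisfy the other constraints, and ties are broken by node name.

```python
from collections import defaultdict

# Constructed sample topology: C1 is the core node detected as risky.
EDGES = [("C1", "a"), ("C1", "b"), ("C1", "c"), ("a", "c"), ("a", "d"),
         ("c", "d"), ("c", "e"), ("c", "f"), ("b", "e")]
# n_i: general defense resource of each node (constructed values).
N_RES = {"C1": 20, "a": 5, "b": 2, "c": 3, "d": 9, "e": 7, "f": 4}
# z_i: 1 if node i is equipped with the reconfiguration function.
Z = {"a": 1, "b": 0, "c": 1, "d": 1, "e": 0, "f": 1}


def build_adjacency(edges):
    """Undirected adjacency sets from a list of (u, v) links."""
    adj = defaultdict(set)
    for u, v in edges:
        adj[u].add(v)
        adj[v].add(u)
    return adj


def select_reconfiguration(adj, n, z, risky_core):
    """Return (initial_point, reconfigured_node), or None if infeasible."""
    core_nbrs = adj[risky_core]
    # IP 1.35, IP 1.36: the initial point is a neighbor of the risky core
    # node and is equipped with the reconfiguration function.
    starts = [v for v in core_nbrs if z.get(v, 0) == 1]
    if not starts:
        return None
    # IP 1.37: minimum defense resource among those neighbors
    # (assumption: minimum over equipped neighbors only).
    start = min(starts, key=lambda v: (n[v], v))
    # IP 1.35, IP 1.38, IP 1.39: the reconfigured node is equipped, is a
    # neighbor of the initial point, and is not a neighbor of the risky core.
    targets = [u for u in adj[start]
               if u != risky_core and u not in core_nbrs and z.get(u, 0) == 1]
    if not targets:
        return None
    # IP 1.40: maximum defense resource among the remaining candidates.
    target = max(targets, key=lambda u: (n[u], u))
    return start, target


ADJ = build_adjacency(EDGES)

if __name__ == "__main__":
    print(select_reconfiguration(ADJ, N_RES, Z, "C1"))
```

In the sample data node b has the lowest defense resource next to C1 but lacks the reconfiguration function, so c becomes the initial point; the function returns None when no equipped pair satisfies the constraints.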

Verbal Constraints
Traffic adjustment constraints:
The honeypot must be equipped with fake traffic generating function. (IP 1.42)
The throughput of fake traffic delivered by one fake traffic generating honeypot should not be greater than the maximum achievable throughput. (IP 1.43)
(IP 1.41)

Verbal Constraints
Local defense constraints:
For each core node, when the attack event has been detected, the mechanism is activated. (IP 1.44)
Only virtualized nodes and virtual machine monitors (VMMs) can activate this mechanism. (IP 1.45)
The capacity of all the VMs’ links connected with the VMM will decrease by a certain ratio. (IP 1.46)

THANKS FOR YOUR ATTENTION