Modeling and Security Analysis of Enterprise Network Using Attack-defense Stochastic Game Petri Nets. Presenter: Jen-Hua Chi. Advisor: Frank, Yeong-Sung Lin
Agenda Part I Introduction (Game Theory, Petri Net) Part II Model Part III Enterprise Network Part IV Analysis and Conclusion
Introduction Journal: Security and Communication Networks Security Comm. Networks 2013 Impact Factor: 0.414 Author: Yuanzhuo Wang(王卓元)
Introduction: Enterprise networks deploy firewalls, VPNs, IDS/IPS, antivirus software and content monitoring to prevent or counteract attacks more effectively.
Introduction - ADSGN Stochastic Game Net Stochastic Petri Net ADSGN
Introduction - SGN. Game theory: Nash Equilibrium (NE). Limitations: game-theoretic models alone do not have enough modeling ability to describe interaction relations; existing modeling methods are nearly unable to model the dynamic behaviors because of the complexity of state transitions; the full state space can be extremely large.
Introduction - SGN. Stochastic Game Nets: use the NE as part of the transition probabilities in SGN models; build a model for each player, then combine them; work backwards over attack and defense actions that are interrelated with one another.
Introduction - Stochastic Petri Net. A mathematical modeling language: a directed bipartite graph whose nodes are transitions and places. Transitions are events that may occur; places are conditions. The directed arcs describe which places are pre- and/or post-conditions for which transitions.
Introduction - Stochastic Petri Net. P is a set of states, called places: P = {P1, P2, P3, P4}. T is a set of transitions: T = {T1, T2}. M is the marking, i.e. the number of tokens in each place; the initial marking is m0 = {1,0,2,1}. Each transition has a firing rate.
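The slide gives the places P1..P4, the transitions T1, T2 and the initial marking m0 = {1,0,2,1}, but the arcs and rates are only in the figure. The block below is an added example (not the paper's or the presenter's code) that fills in a constructed arc structure and constructed firing rates so the firing rule, the exponential race between enabled transitions, and the reachable markings can be computed. Everything under `TRANSITIONS` is an assumption made for the example.

```python
from collections import deque
from fractions import Fraction

# Places and initial marking m0 = {1,0,2,1} as on the slide (P1..P4 in order).
PLACES = ("P1", "P2", "P3", "P4")
M0 = (1, 0, 2, 1)

# Constructed for this example (the slide shows the arcs only as a figure):
# "in" lists input places (tokens consumed), "out" lists output places
# (tokens produced), weights are tokens per arc, "rate" is the firing rate.
TRANSITIONS = {
    "T1": {"in": {"P1": 1, "P3": 1}, "out": {"P2": 1}, "rate": Fraction(3)},
    "T2": {"in": {"P2": 1, "P4": 1}, "out": {"P1": 1, "P3": 1}, "rate": Fraction(1)},
}


def enabled(marking, t):
    """A transition is enabled when every input place holds at least the arc weight."""
    return all(marking[PLACES.index(p)] >= w for p, w in TRANSITIONS[t]["in"].items())


def fire(marking, t):
    """Firing removes tokens from the input places and adds them to the output places."""
    if not enabled(marking, t):
        raise ValueError(f"{t} is not enabled in marking {marking}")
    m = list(marking)
    for p, w in TRANSITIONS[t]["in"].items():
        m[PLACES.index(p)] -= w
    for p, w in TRANSITIONS[t]["out"].items():
        m[PLACES.index(p)] += w
    return tuple(m)


def firing_probabilities(marking):
    """Stochastic semantics: enabled transitions race with exponential delays, so the
    probability that t fires next is rate_t divided by the sum of the enabled rates."""
    live = {t: d["rate"] for t, d in TRANSITIONS.items() if enabled(marking, t)}
    total = sum(live.values())
    return {t: r / total for t, r in live.items()}


def mean_sojourn(marking):
    """Mean time spent in a marking before the next firing (None if the marking is dead)."""
    total = sum(d["rate"] for t, d in TRANSITIONS.items() if enabled(marking, t))
    return None if total == 0 else Fraction(1) / total


def reachability_graph(m0):
    """Breadth-first exploration of all reachable markings. Returns the edge map
    (marking -> {transition: next marking}) and the dead markings, i.e. states
    in which no transition is enabled and the net deadlocks."""
    edges, queue, seen = {}, deque([m0]), {m0}
    while queue:
        m = queue.popleft()
        edges[m] = {t: fire(m, t) for t in TRANSITIONS if enabled(m, t)}
        for nxt in edges[m].values():
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    dead = sorted(m for m, out in edges.items() if not out)
    return edges, dead


if __name__ == "__main__":
    graph, dead = reachability_graph(M0)
    for m, out in graph.items():
        print(m, "->", out, "| next-firing probabilities:", firing_probabilities(m))
    print("dead markings:", dead)
```

With these arcs the net reaches four markings from m0 and ends in the dead marking (0,1,1,0), which is the kind of absorbing state the later MTTSB analysis looks for; in the constructed marking (1,1,2,1) both transitions are enabled, and T1 fires next with probability 3/4 because its rate is three times that of T2.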
Introduction - ADSGN. ADSGN is designed around the characteristics of network attack and defense actions, and is therefore suitable for investigating the complex and dynamic game-related issues in network attack and defense.
Agenda Part I Introduction Part II Model Part III Enterprise Network Part IV Analysis and Conclusion
Definition - Stochastic Game Nets Nine-tuple vector SGN: is the action set of player k
Definition1 - Stochastic Game Nets Nine-tuple vector SGN:
Definition - Stochastic Game Nets. Each token s is assigned a reward vector h(s) = (h1(s), h2(s), ..., hn(s)), where hk(s) is the reward of player k in token s. Firing a transition consists of removing tokens from a subset of places and adding them to another subset.
Definition - Stochastic Game Nets a strategy for player k is described as a vector
Definition 2 - Stochastic Game Nets. For an n-player game, player k's utility is defined as: (p denotes the initial state of player k)
Definition3 - Stochastic Game Nets NE is a vector such that
Definition 3 - ADSGN. Players: n = 2 (administrator and attacker). There exist some transitions ti such that ti is "no action".
Theorem 1 - ADSGN For an ADSGN, if the two sets P and T contain finite elements, then there exists an NE under the setting of mixed strategies. P : places describe the states of the system
Modeling and analysis Reward values R represent the reward gained by the player when an action is completed
Construction. First build each player's model, then combine the models by merging the places p that denote the same meaning in the SGN models of different players. Two cases: case 1, case 2.
Construction – case1 Inhibition type
Construction – case2 Termination type
Utilities of players. Each player's objective (k = 1, 2) is to maximize the expected return; the formula refers to the initial place of the strategy and the discount index of the place.
Utilities of players player k chooses an action using the probability distribution at place In order to determine the optimal defense strategy, we must find the NE
Calculation of the Nash Equilibrium: Continuous ACO (CACO). For each place pi, the behavior is modeled as a matrix game Gi over the action set of the attacker and the action set of the administrator. If an attack action is chosen in place pi and the intrusion is successful and undetected, the system may transfer to another place pj, where the game continues.
Calculation of the Nash equilibrium. U(pi) denotes the expected utility at place pi.
Calculation of the Nash equilibrium objective function
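The slides describe each place pi as a matrix game Gi between attacker and administrator and say the paper finds its NE with continuous ACO. As an added example (not the paper's code or numbers), the block below takes one such stage game with two attacker actions and two administrator actions, constructs payoffs for it, and finds all Nash equilibria of the 2x2 bimatrix game by support enumeration instead of CACO; the NE check is the textbook one, no pure deviation may improve either player's payoff. The payoff values, the pairing of actions, and the expected utility U(pi) derived from the NE are assumptions of the example.

```python
from fractions import Fraction
from itertools import product

# Constructed stage game for one place p_i. Rows are attacker actions, columns are
# administrator actions; the labels reuse the slides' action names.
ATTACKER_ACTIONS = ["a1 Scan vulnerability", "a7 empty"]
ADMIN_ACTIONS = ["d1 IDS scan", "d6 empty"]
# Attacker payoff (assumed): +4 if the scan goes undetected, -3 if caught, 0 for doing nothing.
A = [[Fraction(-3), Fraction(4)],
     [Fraction(0), Fraction(0)]]
# Administrator payoff (assumed): scanning costs 1, catching the attacker is worth +3,
# an undetected scan costs 4, and idling against an idle attacker is worth 0.
B = [[Fraction(2), Fraction(-4)],
     [Fraction(-1), Fraction(0)]]


def expected(matrix, p, q):
    """Expected payoff when the row player plays row 0 with probability p
    and the column player plays column 0 with probability q."""
    return (p * q * matrix[0][0] + p * (1 - q) * matrix[0][1]
            + (1 - p) * q * matrix[1][0] + (1 - p) * (1 - q) * matrix[1][1])


def is_nash(A, B, p, q):
    """(p, q) is a Nash equilibrium iff neither player gains by switching to a pure action."""
    u_att, u_adm = expected(A, p, q), expected(B, p, q)
    pure = (Fraction(1), Fraction(0))
    attacker_ok = all(expected(A, r, q) <= u_att for r in pure)
    admin_ok = all(expected(B, p, c) <= u_adm for c in pure)
    return attacker_ok and admin_ok


def nash_equilibria_2x2(A, B):
    """Support enumeration for a 2x2 bimatrix game: check the four pure profiles,
    then the fully mixed profile in which each player mixes so that the *opponent*
    is indifferent between its two actions. Returns a list of (p, q) pairs."""
    found = [(p, q) for p, q in product((Fraction(1), Fraction(0)), repeat=2)
             if is_nash(A, B, p, q)]
    den_p = B[0][0] - B[0][1] - B[1][0] + B[1][1]   # makes the administrator indifferent
    den_q = A[0][0] - A[0][1] - A[1][0] + A[1][1]   # makes the attacker indifferent
    if den_p != 0 and den_q != 0:
        p = (B[1][1] - B[1][0]) / den_p
        q = (A[1][1] - A[0][1]) / den_q
        if 0 < p < 1 and 0 < q < 1 and is_nash(A, B, p, q):
            found.append((p, q))
    return found


def place_utility(A, B, p, q):
    """U(p_i): expected utility of (attacker, administrator) at this place under profile (p, q)."""
    return expected(A, p, q), expected(B, p, q)


if __name__ == "__main__":
    for p, q in nash_equilibria_2x2(A, B):
        print(f"NE: attacker plays {ATTACKER_ACTIONS[0]} w.p. {p}, "
              f"administrator plays {ADMIN_ACTIONS[0]} w.p. {q}; U(p_i) = {place_utility(A, B, p, q)}")
```

For these payoffs no pure profile is stable, and the only equilibrium is mixed: the attacker scans with probability 1/7 and the administrator runs the IDS scan with probability 4/7. The defender-side reading is that the equilibrium scan frequency is set by the attacker's payoffs (den_q), not the defender's, which is why the NE probabilities rather than fixed rates feed the transitions in the SGN model.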
Evaluation and analysis. Divide the place set into four parts. Metrics: MTFSB, mean time to first security breach; MTTSB, mean time to security breach.
Agenda Part I Introduction Part II Model Part III Enterprise Network Part IV Analysis and Conclusion
Enterprise network security process control structure
security process control structure (1) Scan the weak ports (attacker) (2) IDS detects the attack (administrator) (3) Administrator server orders the firewall and trap node (administrator) (4) The attacker enters the trap node (attacker) (5) The trap node returns false information to the attacker (administrator) (6) Obtain the evidence of the attacker (administrator)
security process control structure (7) The attacker cracks a common user's user name and password (attacker) (8) The attacker gets root competence by manipulating the database (attacker) (9) The attacker installs the sniffer (attacker) (10) The administrator server orders the firewall and antivirus server to blockade the IP of the attacker and remove the sniffer (administrator)
security process control structure we have two action sets
security process control structure. The ADSGN model is based on the following three assumptions: (1) the administrator does not know whether there is an attacker or not; (2) the attacker may have several objectives and strategies that the defender does not know; (3) not all of the attacker's actions can be observed by the defender.
ADSGN Model of Enterprise Network. This model has six places: {p(normal), p(web server with vulnerability), p(get general permission), p(get root permission), p(sniffer installing), p(information stolen)} = {p1, p2, p3, p4, p5, p6}
ADSGN Model of Enterprise Network. p2: web server with vulnerability; p3: get general permission. Attacker actions: a1: Scan vulnerability; a2: Crack password; a3: Attack database; a7: empty. Administrator actions: d1: IDS scan; d2: Cheat attacker; d3: Get evidence; d6: empty.
ADSGN Model of Enterprise Network. p4: get root permission; p5: sniffer installing. Attacker actions: a4: Enhance permission; a5: Install sniffer; a7: empty. Administrator actions: d1: IDS scan; d4: Blockade IP; d5: Remove sniffer; d6: empty.
ADSGN Model of Enterprise Network. p6: information stolen. Attacker actions: a6: Install sniffer; a7: empty. Administrator actions: d1: IDS scan; d4: Blockade IP; d5: Remove sniffer; d6: empty.
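To connect the six places above with the MTTSB metric from the Evaluation slide, the block below is an added example (not from the paper or the slides) that lays the places out as a continuous-time Markov model: the attacker's actions advance the state p1 → p2 → ... → p6 and the administrator's actions (IDS scan, blockade IP, remove sniffer) return it to p1. It then computes the mean time to security breach as the expected time from p1 until p6 is first reached, by first-step analysis solved exactly over rationals. The ladder shape, every rate, the assignment of actions to edges, and the choice of p6 as the breach state are assumptions; in the paper these quantities derive from the NE transition probabilities, which the slides do not show.

```python
from fractions import Fraction

# The six places of the enterprise network ADSGN on the slides, in order (index 0 = p1).
PLACES = ("p1 normal", "p2 web server with vulnerability", "p3 get general permission",
          "p4 get root permission", "p5 sniffer installing", "p6 information stolen")
BREACH = 5  # assumption: p6 is the absorbing security-breach state for the MTTSB metric


def enterprise_transitions(forward, back):
    """Continuous-time transitions (src, dst, rate, label) for a ladder-shaped model.

    forward[i] is the rate of the attacker action that moves p_{i+1} -> p_{i+2};
    back[i] is the rate of the defender action that returns p_{i+2} -> p1.
    The ladder shape, the rates and the action-to-edge assignment are constructed
    for this example; the action names are the slides' labels.
    """
    attack = ["a1 Scan vulnerability", "a2 Crack password",
              "a3/a4 Attack database, enhance permission", "a5 Install sniffer", "a6"]
    defend = ["d1 IDS scan + d3 Get evidence", "d4 Blockade IP",
              "d4 Blockade IP", "d5 Remove sniffer"]
    trans = [(i, i + 1, Fraction(forward[i]), attack[i]) for i in range(5)]
    trans += [(i + 1, 0, Fraction(back[i]), defend[i]) for i in range(4)]
    return trans


def solve_exact(A, b):
    """Gauss-Jordan elimination over Fractions, so the results are exact rationals."""
    n = len(b)
    M = [row[:] + [b[i]] for i, row in enumerate(A)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(M[r][col]))
        if M[piv][col] == 0:
            raise ValueError("singular: some transient state can never reach the breach state")
        M[col], M[piv] = M[piv], M[col]
        for r in range(n):
            if r != col and M[r][col] != 0:
                f = M[r][col] / M[col][col]
                M[r] = [x - f * y for x, y in zip(M[r], M[col])]
    return [M[i][n] / M[i][i] for i in range(n)]


def mean_time_to_absorption(transitions, n_states, absorbing, start):
    """First-step analysis: for each transient state i with total exit rate L_i,
    t_i = 1/L_i + sum_j (q_ij / L_i) t_j, i.e. L_i t_i - sum_j q_ij t_j = 1,
    where j ranges over transient states (absorbing states contribute t_j = 0)."""
    transient = [s for s in range(n_states) if s not in absorbing]
    idx = {s: k for k, s in enumerate(transient)}
    m = len(transient)
    A = [[Fraction(0)] * m for _ in range(m)]
    for src, dst, rate, _ in transitions:
        if src in idx:
            A[idx[src]][idx[src]] += rate
            if dst in idx:
                A[idx[src]][idx[dst]] -= rate
    t = solve_exact(A, [Fraction(1)] * m)
    return t[idx[start]]


def mttsb(forward, back):
    """Mean time to security breach: expected time from p1 (normal) until p6 is first reached."""
    return mean_time_to_absorption(enterprise_transitions(forward, back),
                                   len(PLACES), {BREACH}, 0)


if __name__ == "__main__":
    baseline = mttsb(forward=[1, 2, 2, 2, 2], back=[1, 1, 1, 1])
    hardened = mttsb(forward=[1, 2, 2, 2, 2], back=[4, 1, 1, 1])  # faster detection at p2
    print(f"MTTSB baseline = {baseline} ({float(baseline):.3f}), "
          f"hardened = {hardened} ({float(hardened):.3f})")
```

With the constructed rates the baseline MTTSB is 73/8 time units; raising only the detection rate at p2 (the IDS scan that returns a scanned-but-unexploited server to normal) lifts it to 227/16, which is the kind of sensitivity comparison the paper's Part IV draws between attack rate and the time-to-breach metrics.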
Model-attacker
Model - administrator
Model - combine
Agenda Part I Introduction Part II Model Part III Enterprise Network Part IV Analysis and Conclusion (MTTSB, MTTFB, attack rate)
Experimental Security Analysis
Conclusion. ADSGN inherits the advantages of Petri nets and SGN; it investigates the key factors of the attack and defense models, trying to find their inherent rules and patterns.
Thanks for your attention