Effective Network Planning and Defending Strategies to Minimize Service Compromised Probability under Malicious Collaborative Attacks Advisor:

Presentation transcript:

Effective Network Planning and Defending Strategies to Minimize Service Compromised Probability under Malicious Collaborative Attacks
Advisor: Professor Frank, Y.S. Lin
Presented by Chi-Hsiang Chan

Agenda
Problem Description
Mathematical Formulation


Problem Description
Network Survivability
Collaborative attack
  Commander
  Attacker group
Various defense mechanisms
  VMM IDS
  Dynamic topology reconfiguration
  Cloud security service

Attacker View
Commander
  Budget
  No. of attackers (attacker group)
  Goal (service disruption, steal information)
  Aggressiveness
Attacker
  Energy
  Capability
  Harmonization
  Initial location

Per Hop Decision (Attack Event)
Period decision
  Early stage
  Late stage
Choose target nodes
  Compromise -> risk avoidance
  Pretend to attack -> risk tolerance
Choose ideal attackers

Period
N: The total number of nodes in the Defense Networks
F: The total number of nodes visible to the attacker, including compromised nodes and next-hop nodes.

Period

No. of Target Nodes
M: Number of candidates to compromise
Success Rate (SR) = Risk Avoidance Compromised / Risk Avoidance Attacks
Target nodes ≤ No. of attackers that can launch an attack

Selecting Criteria

Early stage Late stage Risk Avoidance Risk Tolerance

Selecting Criteria

Choose Ideal Attackers
No. of attackers
  Collaborative attack on the nodes that have a higher score
  Risk tolerance -> do not attack collaboratively
Who launches the attack
  Set an energy threshold to define risk avoidance and risk tolerance

Example
Score | Node | Probability of being chosen
100 | D | 100/( )
90 | E | 90/( )
87 | G | 98/( )
60 | B | (Attack by one attacker)
50 | A | (Attack by one attacker)
36 | C | (Do not attack)
Choose to attack: 50
Choose to collaborative attack: 70

Attacker View
Attack
  Given
    Commander's goal (steal information, service disruption)
    Commander's budget
    Number of attackers
    Attackers' capability, initial location, harmonization
  To be determined
    Budget for buying attacking tools and launching attacks
Attack event (attack one node)
  Given
    Attackers' energy
  To be determined
    Commander's aggressiveness
    Which attacker launches the attack
    Which node is attacked
    Cost of attacking
    Collaborative attack or not
    Maximum time threshold for compromising a target node

Defender View
Attack
  Given
    Unit cost of constructing topology and defense mechanism
    Service priority
  To be determined
    Topology and initial defense resource allocation
    Budget for constructing topology and defense resource
Attack event
  Given
    General defense resource and special defense resource on each node
  To be determined
    Activating special defense mechanisms or not

Compromise One Node
[Diagram: Harmonization → v_ij → → → T; Aggressiveness]

Agenda
Problem Description
Mathematical Formulation

Mathematical Formulation
Objective
  To minimize the maximized service compromised probability
Given
  Attacker's and defender's total budget
  Cost of constructing topology and defending resource
  QoS requirement
To be determined
  Attack and defense configuration
  Budget spent on each defending mechanism

Assumptions
1. All attack events are atomic operations.
2. There are multiple core nodes and services in the network.
3. Each core node can provide only one specific service.
4. Each service has different weight, which is determined by the defender.
5. There is an SOC with full control of the network.
6. The defender has complete information of network and can allocate resources or adopt defense solutions by the SOC.
7. Commanders have only incomplete information about the network.
8. Only nodes with VMM-IPS have local defense function.
9. Only nodes with VMM-IPS have signature request function.
10. Only nodes with cloud security agent have cloud security function.

Given Parameters - Index Set
Notation | Description
N | The index set of all nodes
C | The index set of all core nodes
L | The index set of all links
M | The index set of all levels of virtual machine monitors (VMMs)
H | The index set of all levels of cloud security service
S | The index set of all kinds of services
Q | The index set of all candidate nodes equipped with cloud security agent

Given Parameters - Cost
Notation | Description
B | The defender's total budget
w | The cost of constructing one intermediate node
o | The cost of constructing one core node
p | The cost of each virtual machine (VM)
c | The cost of setting a cloud security agent to one node

Given Parameters - Attacker
Notation | Description
F_i | The number of commanders targeting the i-th service, where i ∈ S
u_ij | The number of attacker subordinates in the attack group launching the j-th attack on service i, where i ∈ S, 1 ≤ j ≤ F_i
v_ij | The degree of collaboration of the attack group launching the j-th attack on service i, which affects the effectiveness of synergy, where i ∈ S, 1 ≤ j ≤ F_i

Given Parameters - QoS, Risk Level
Notation | Description
W_threshold | The predefined threshold about QoS
 | The link degree of core node k divided by the maximum link degree among all nodes in the topology, where k ∈ C
 | The priority of service i provided by core node k divided by the maximum service priority among core nodes in the topology, where i ∈ S, k ∈ C
 | The risk threshold of core node k, where k ∈ C

Given Parameters
The degree of collaboration of attack group launching j-th attack on service i, which affects the effectiveness of synergy, where i ∈ S, 1 ≤ j ≤ F_i
Notation | Description
k_p | The maximum number of virtual machines on VMM level p, where p ∈ M
α_i | The weight of the i-th service, where i ∈ S
d | The ratio of defense strengthening on VMs and VMM when local defense is activated
r_q | The ratio of defense strengthening using cloud security services level q, where q ∈ H
E | All possible defense configurations, including defense resource allocations and defending strategies
Z | All possible attacker categories, including attacker attributes, corresponding strategies and transition rules
t_fail | Maximum time threshold to compromise network

Decision Variables
Notation | Description
 | A defense configuration, including defense resource allocation and defending strategies on the i-th service, where i ∈ S
 | An instance of attack configuration, including attacker's attributes, commander's strategies and transition rules of the commander who launches the j-th attack on the i-th service, where i ∈ S, 1 ≤ j ≤ F_i
 | 1 if the commander achieves his goal successfully, and 0 otherwise, where i ∈ S, 1 ≤ j ≤ F_i
 | Maximum time threshold to compromise node k

Decision Variables
Notation | Description
n_k | The non-deception based defense resource allocated to node k, where k ∈ N
e | The total number of intermediate nodes
q_kl | The capacity of direct link between node k and l, where k, l ∈ N
g(q_kl) | The cost of constructing a link from node k to node l with capacity q_kl, where k, l ∈ N
l_p | The number of VMs equipped on a level p VMM, where p ∈ M
v(l_p) | The cost of VMM level p with l_p VMs, where p ∈ M
x_k | 1 if node k is equipped with cloud security agent, and 0 otherwise, where k ∈ N

Decision Variables
Notation | Description
B_nodelink | The budget spent on constructing nodes and links
B_general | The budget spent on allocating general defense resource
B_special | The budget spent on deploying special defense resource
B_virtualization | The budget spent on virtualization
B_cloudagent | The budget spent on deploying cloud agents
B_defending | The budget applied for defending stage

Verbal Notation - QoS
Notation | Description
Y | The total attack events
 | Loading of each core node k, where k ∈ C
 | Link utilization of each link m, where m ∈ L
K_effect | Negative effect caused by applying fallacious signatures
I_effect | Negative effect caused by applying dynamic topology reconfiguration
J_effect | Negative effect caused by false positive while applying local defense
P_effect | Negative effect caused by fallacious diagnosis of cloud security service
O_tocore | The number of hops legitimate users experienced from one boundary node to core nodes
 | The value of QoS determined by , , K_effect, I_effect, J_effect and O_tocore, where k ∈ C, m ∈ L
W_final | The QoS level at the end of attack

Verbal Notation - Risk Level
Notation | Description
 | The defense resource of the shortest path from detected attacked nodes to core node k divided by total defense resource, where k ∈ C
 | The minimum number of hops from detected attacked nodes to core node k divided by the maximum number of hops from attacker's starting position to core node k, where k ∈ C
 | The risk status of core node k which is the aggregation of , , and , where i ∈ S, k ∈ C

Objective Function (IP 1)

Math Constraints
Budget constraint
B_nodelink ≥ 0
B_general ≥ 0
B_special ≥ 0
B_defending ≥ 0
(IP 1.1) (IP 1.2) (IP 1.3) (IP 1.4) (IP 1.5) (IP 1.6)

Math Constraints
Constraints for topology construction
q_kl ≥ 0
g(q_kl) ≥ 0
w × e ≥ 0
(IP 1.7) (IP 1.8) (IP 1.9) (IP 1.10)

Math Constraints
Constraints for general defense resource
n_k ≥ 0
Constraints for cloud security agent
x_k = 0 or 1
(IP 1.11) (IP 1.12) (IP 1.13) (IP 1.14)

Math Constraints
Constraints for virtualization
v(l_p) ≥ 0
0 < l_p < k_p
B_virtualization + B_cloudagent ≤ B_special
B_nodelink + B_general + B_special + B_defending ≤ B
(IP 1.15) (IP 1.16) (IP 1.17) (IP 1.18) (IP 1.19)

Verbal Constraints
The performance reduction caused by compromised core nodes, activating dynamic topology reconfiguration, local defense, cloud security or applying fallacious signatures should not make legitimate users' QoS satisfaction violate IP
At the end of an attack, W_final ≥ W_threshold.
All the defense strategies are adopted only if the risk levels are lower than a predefined threshold.
where i ∈ S
(IP 1.20) (IP 1.21) (IP 1.22) (IP 1.23)

Thanks for Your Listening