From Survivability To Risk Management


1 From Survivability To Risk Management
Near Optimal Defense Resource Allocation Strategies for Minimization of Information Leakage
Presented by Lillian Tseng

2 Outline
Introduction to Survivability and Risk Management
Introduction to Model of Minimization of Maximal Damage
2018/11/29

3 Introduction to Survivability and Risk Management
Security & Survivability
Survivability Introduction
Quantitative Analysis for Survivability
Risk Management Introduction
Survivability & Risk Management

4 Security & Survivability
              Security              Survivability
Status        Safe or compromised   0% ~ 100%
Objective     Attack resistance     Service maintenance
Threats       Malicious attacks     Random errors & malicious attacks

5 Survivability Introduction
Definition of survivability: Survivability is the capability of a system (including networks and large-scale systems) to fulfill its mission, in a timely manner, in the presence of attacks, failures, or accidents.
Source: R. J. Ellison, D. A. Fisher, R. C. Linger, H. F. Lipson, T. A. Longstaff, and N. R. Mead, “Survivable Network Systems: An Emerging Discipline,” Technical Report CMU/SEI-97-TR-013, Software Engineering Institute, Carnegie Mellon University, November 1997 (Revised: May 1999).

6 Survivability Introduction (Cont’d)
Survivability is the degree to which essential functions are still available even though some part of the system is down.
Source: M. S. Deutsch and R. R. Willis, Software Quality Engineering: A Total Technical and Management Approach, Englewood Cliffs, NJ: Prentice-Hall, 1988.

7 Survivability Introduction (Cont’d)
Survivability is a property of a system, subsystem, equipment, process, or procedure that provides a defined degree of assurance that the named entity will continue to function during and after a natural or man-made disturbance; e.g., nuclear burst.
Note: For a given application, survivability must be qualified by specifying the range of conditions over which the entity will survive, the minimum acceptable level of post-disturbance functionality, and the maximum acceptable outage duration.
Source: “Telecom Glossary 2000 (American National Standard, T ),” Alliance for Telecommunications Industry Solutions.

8 Survivability Introduction (Cont’d)
Four components of survivability:
  System
  Usage
  Minimal level of service (survivability metrics)
  Threats
    Accidental threats (random errors)
    Intentional or malicious threats (malicious attacks)
    Catastrophic threats
Source: V. R. Westmark, “A Definition for Information System Survivability,” Proceedings of the 37th IEEE Hawaii International Conference on System Sciences, Volume 9, p , 2004.

9 Quantitative Analysis of Survivability
Quantitative analysis approaches:
  Connectivity
  Performance
  LCF
  NCF
  Markov chain / queueing theory
  Game theory
  Simulation with defined metrics (number of calls, number of connected subscribers, traffic volume, delay time)
  (Integer) linear programming
  Non-linear programming
  Vertex/edge removal
  Number of node/link disjoint paths
  Betweenness centrality / degree of separation

10 Quantitative Analysis of Survivability (Cont’d)
Survivability functions:
  Expected survivability E[S]
  Worst-case survivability S_W
  r-percentile survivability S_r
  Zero survivability

11 Risk Management Introduction
Definitions of risk:
  Combination of the probability of an event and its consequence (ISO/IEC Guide 73:2002).
  The possibility of something adverse happening.
  The function of the likelihood of a given threat-source’s exploiting a particular potential vulnerability, and the resulting impact of that adverse event on assets of the organization or on individuals.
  In Business Continuity / Disaster Planning: Risk = Threat x Vulnerability x Asset

12 Risk Management Introduction (Cont’d)
Definitions of risk management:
  The coordinated activities to direct and control an organization with regard to risk (ISO/IEC Guide 73:2002, BS7799-2:2002).
  The process of identifying, controlling and minimizing or eliminating security risks that may affect information systems, for an acceptable cost (ISO/IEC 17799:2000).
  The systematic application of management policies, procedures and practices to the tasks of analyzing, evaluating and treating risk (ISO :1995).

13 Risk Management Introduction (Cont’d)
Stages of risk management:
  Risk assessment
    Risk analysis
      Source identification
      Risk estimation
    Risk evaluation
  Risk treatment
    Risk avoidance
    Risk reduction
    Risk transfer
    Risk retention
  Risk acceptance
Risk estimation: process used to assign values to the probability and consequences of a risk.
Risk evaluation: process of comparing the estimated risk against given risk criteria to determine the significance of the risk.
Risk treatment: process of selection and implementation of measures to modify risk.
Risk retention: acceptance of the burden of loss, or benefit of gain, from a particular risk; this includes risks that have not been identified, but not transferred risks.
Risk acceptance: acceptance of an identified risk after evaluating its consequence.

14 Risk Management Introduction (Cont’d)
(figure)

15 Survivability & Risk Management
Maximization of survivability ≣ Minimization of risk
Threats to survivability ≣ Sources of risk
  Random errors
  Malicious attacks
By analyzing the survivability of networks quantitatively, we can also understand their real risk levels and carry out the other activities that belong to risk management.

16 Introduction to Model of Minimization of Maximal Damage
Background
Motivation
Problem Assumptions and Scenarios
Problem Description
Problem Notation
Problem Formulation
Problem Decomposition
Conclusions
Appendices

17 Background
Information leakage is one of the most serious cyber-crimes.
  No direct or immediate impact
  Ignorance of the victims
  Profound consequences
Network survivability comes to the front.
  There is no error-free or attack-proof system in the world.
  Safe/compromised is not enough to describe the states of a system.
  How well can a system sustain normal service under abnormal conditions?

18 Motivation
Damage and loss incurred by information theft are unendurable. What should network operators do to reduce the impact?
  Understand the vulnerabilities of networks
  Know your enemies
Model the real offense-defense game as a mathematical formulation.
  DRAS model – Defense Resource Allocation Strategy (outer problem)
  AS model – Attack Strategy (inner problem)

19 Problem Assumptions and Scenarios – DRAS Model
The objective of the attacker is to maximize the total damage by constructing an “attack tree” of the targeted network.
The objective of the defender is to minimize the total damage by allocating a different budget to each node in the network.
Both the attacker and the defender have resource budget limitations.
Only node attacks are considered.
Only malicious attacks are considered (no random errors are concerned).
A node is subject to attack only if a path exists from the attacker’s position to this node where all intermediate nodes on the path have been compromised.
A node is compromised if the attack power applied to the node is more than the defense power of the node.
Emphasis on incomplete information: the attacker must attack hop by hop.
If a node is attacked, it can still be functional and serve as a hop site; that is why we only consider node attacks, because only nodes can be hop sites.
If a node is attacked, the links associated with it do not malfunction.
Both attacker and defender have complete information about the network topology.

20 Attack Procedure
(figure: attack procedure starting from the attacker’s position s)

21 Problem Description – DRAS Model
Given:
  Defense budget B
  Attack budget A
  Damage di incurred by compromising node i
  Attacker’s position s, which is connected to the target network
  The network topology and the network size
Objective:
  To minimize the maximized total damage
Subject to:
  Total defense cost must be no more than B
  Total attack cost must be no more than A
  The node to be attacked must be connected to the existing attack tree
To determine:
  Defender: budget allocation strategy
  Attacker: which nodes will be attacked

22 Problem Notation – DRAS Model
Given parameters:
Notation   Description
N          The index set of all nodes in the network
W          The set of all O-D pairs where the origin is node s and the destinations are the nodes with positive di, where i, s ∈ N
di         Damage incurred by compromising node i, where i ∈ N
Pw         The index set of all candidate paths for O-D pair w, where w ∈ W
A          The total attack power
B          The total budget for defense/protective mechanisms
δpi        The indicator function which is 1 if node i is on path p and 0 otherwise (where i ∈ N, p ∈ Pw, w ∈ W)

23 Problem Notation – DRAS Model (Cont’d)
Decision variables:
Notation   Description
bi         The budget allocated to protect node i, where i ∈ N
ai         The attack power applied to node i, where i ∈ N
           The threshold of attack power to compromise node i, i.e. the defense power of node i, where i ∈ N
yi         1 if node i is compromised and 0 otherwise, where i ∈ N
xp         1 if path p is selected as the attack path and 0 otherwise, where p ∈ Pw, w ∈ W

24 Problem Formulation – DRAS Model
Problem Formulation – DRAS Model: (IP 1) with constraints (IP 1.1) (IP 1.2) (IP 1.3) (IP 1.4) (IP 1.5) (IP 1.6) (IP 1.7) (IP 1.8) (IP 1.9) (IP 1.10)
Problem Formulation – AS Model: (IP 2) with constraints (IP 2.1) (IP 2.2) (IP 2.3) (IP 2.4) (IP 2.5) (IP 2.6) (IP 2.7) (IP 2.8)
Objective function: min – (over yi, ai)
Speaker note: explain constraints 4 to 11 first.

25 Problem Description – AS Model
Solving the inner problem – AS model:
  Assume the budget allocation strategy is given, i.e. bi and the defense power thresholds are given parameters.
  Maximize the total damage.
  Transform the maximization problem into a minimization problem by adding a minus sign to the objective function.
  Use a two-stage Lagrangian relaxation method to solve this problem.
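To make the offense-defense game of slides 19 to 25 concrete, here is an added example (not code from the presentation) that brute-forces the AS inner problem on a constructed five-node network and then exhaustively searches the DRAS outer problem over integer allocations of B. It assumes, beyond what the slides state, that budgets are integers, that compromising node i costs bi + 1 attack units (strictly more than its defense power), and that the attacker's position s is neither a target nor defended.

```python
# Added example: brute-force AS (attacker) and DRAS (defender) solvers for a tiny
# constructed network. Assumptions not on the slides: integer budgets, compromising
# node i costs b_i + 1 attack units, and s is not a target and is not defended.
from itertools import product

def max_damage(adj, damage, defense, attack_budget, s="s"):
    """AS model: best (total_damage, compromised_nodes) over attack trees rooted at s."""
    best = (0, frozenset())

    def grow(compromised, spent, gained, frontier):
        # frontier = uncompromised neighbours of the current tree: the only legal next hops
        nonlocal best
        if gained > best[0]:
            best = (gained, frozenset(compromised))
        for node in sorted(frontier):
            cost = defense[node] + 1          # attack power must exceed defense power
            if spent + cost > attack_budget:
                continue
            nxt = (frontier | set(adj[node])) - compromised - {node, s}
            grow(compromised | {node}, spent + cost, gained + damage[node], nxt)

    grow(set(), 0, 0, set(adj[s]) - {s})
    return best

def best_defense(adj, damage, attack_budget, defense_budget, s="s"):
    """DRAS model: integer allocation b_i summing to B that minimizes the AS optimum."""
    nodes = [n for n in adj if n != s]
    best = None
    for alloc in product(range(defense_budget + 1), repeat=len(nodes)):
        if sum(alloc) != defense_budget:
            continue
        defense = dict(zip(nodes, alloc))
        dmg, _ = max_damage(adj, damage, defense, attack_budget, s)
        if best is None or dmg < best[0]:
            best = (dmg, defense)
    return best

# Constructed topology: s -> gw -> {web, app}, app -> db (db holds the sensitive data).
ADJ = {"s": ["gw"], "gw": ["s", "web", "app"], "web": ["gw"],
       "app": ["gw", "db"], "db": ["app"]}
DAMAGE = {"gw": 1, "web": 2, "app": 3, "db": 10}   # d_i: leakage damage per node
UNIFORM = {"gw": 1, "web": 1, "app": 1, "db": 1}    # naive even split of B = 4

if __name__ == "__main__":
    print("uniform defense, A=5:", max_damage(ADJ, DAMAGE, UNIFORM, 5))
    print("optimal defense, A=5, B=4:", best_defense(ADJ, DAMAGE, 5, 4))
```

On this network the exhaustive DRAS search concentrates the whole budget on the single entry node, which shows why the outer problem cannot be solved one node at a time: the attack-tree constraint makes the value of a defense unit depend on where it sits on the attacker's path.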

26 Problem Decomposition – First Stage
By applying the Lagrangean relaxation method, the primal problem (IP 2) can be transformed into a Lagrangean relaxation problem (LR 1) where constraints (2.1), (2.2), and (2.8) are relaxed.
Optimization Problem (LR 1): the LR problem is further decomposed into two independent sub-problems.

27 Problem Decomposition – First Stage (Cont’d)
Subproblem 1.1 (related to decision variable xp): (Sub 2.1), subject to (Sub 2.1.1) (Sub 2.1.2)
Subproblem 1.1 can further be decomposed into |W| independent problems. We apply Dijkstra’s shortest cost path algorithm once and optimally solve each independent problem.
Time complexity

28 Problem Decomposition – First Stage (Cont’d)
Subproblem 1.2 (related to decision variable yi): (Sub 1.2), subject to (Sub 1.2.1)
Subproblem 1.2 can further be decomposed into |N| independent problems. We examine the coefficient of each yi and set yi to 1 if the coefficient is negative, 0 otherwise.
Time complexity

29 Problem Decomposition – First Stage (Cont’d)
Subproblem 1.3 (related to decision variable ai): (Sub 1.3), subject to (Sub 1.3.1) (Sub 1.3.2)
Subproblem 1.3 can be viewed as a fractional knapsack problem, with a profit term and a weight term associated with each ai. It can be solved optimally by the greedy method.
Time complexity

30 Problem Decomposition – Second Stage
By applying the Lagrangean relaxation method, the primal problem (IP 2) can be transformed into a Lagrangean relaxation problem (LR 2) where constraints (2.1), (2.2), and (2.7) are relaxed.
Optimization Problem (LR 2): the LR problem is further decomposed into two independent sub-problems.

31 Problem Decomposition – Second Stage (Cont’d)
Subproblem 2.1 (related to decision variable xp): (Sub 2.1), subject to (Sub 2.1.1) (Sub 2.1.2)
Subproblem 2.1 can further be decomposed into |W| independent problems. We apply Dijkstra’s shortest cost path algorithm once and optimally solve each independent problem.
Time complexity

32 Problem Decomposition – Second Stage (Cont’d)
Subproblem 2.2 (related to decision variables yi, ai): (Sub 2.2), subject to (Sub 2.2.1) (Sub 2.2.2) (Sub 2.2.3)
Subproblem 2.2 can further be decomposed into |N| independent problems. We determine the value of each yi and ai by examining its associated parameters.
Time complexity

33 Conclusions
Damage incurred by information leakage is the subject of both the DRAS and AS models.
Know your enemy and know yourself.
The best solution of the DRAS model depends on the best solution of the AS model.
The AS model is a knapsack-like problem with a tree constraint.
Speaker note: emphasize the correspondence between the knapsack problem and this model.

34 Conclusions (Cont’d)
Future works — DRAS model
  Simulated annealing
    Treat the LR result as the evaluation of the budget allocation policy decided by simulated annealing.
    Neighbor searching: pick an uncompromised node at random and extract half of its allocated resources, then distribute them evenly among the compromised nodes.
  Subgradient-based algorithm
    Extract a little resource from the uncompromised nodes and allocate it to the compromised nodes proportionally.
    If the solution quality doesn’t improve within a certain iteration count, decrease the percentage of resources being extracted.
  Compare the survivability of different defense resource allocation strategies.

35 Appendix 1
Scale-free networks
  Can be characterized by P(k) ~ k^-r.
  Also known as power-law distributions.
  The Internet, the WWW, and other large networks are networks of this kind.
The features of scale-free networks
  Growth
  Preferential attachment
  2 < r < 3; Internet: r = 2.48
Source: R. Albert, H. Jeong, and A.-L. Barabási, “Error and Attack Tolerance of Complex Networks,” Nature, Volume 406, pp , July 2000.

36 Appendix 2
The creation of inhomogeneous networks
  Start with m0 nodes.
  At every time step t, a new node is introduced, connecting to m existing nodes in the network.
  The probability Πi that the new node is connected to node i depends on the connectivity ki of node i such that Πi = ki / Σj kj.
  For large t, the connectivity distribution follows P(k) = 2m²/k³, i.e. r = 3.

37 Appendix 3
Cut-off property
  Only part of the graph follows the power-law distribution.
“Scale-free” property
  The slope (r) of the simulated line is not affected by the corresponding node number.
  r = 2.29 ~ 2.46 ~ 2.6
Speaker note: emphasize that both axes are on a log scale.

38 Appendix 4
Initial state doesn’t matter
  Growth property
New edge number (m) doesn’t matter
  Different values of m only result in different total edge numbers.
  The slopes of the simulated lines with different values of m are parallel.
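The growth process of Appendix 2 and the log-log slope check of Appendices 3 and 4, as an added example that is not part of the presentation: the generator grows a network by preferential attachment and the slope function fits log P(K ≥ k) against log k, which for P(k) ~ k^-r should come out near -(r - 1), i.e. near -2 for r = 3. It assumes, beyond what the slides state, that the m0 seed nodes start fully connected so that every ki is positive from the first step.

```python
# Added example: Barabási-Albert style growth (Appendix 2) and a log-log slope
# estimate (Appendix 3). Assumption not on the slides: the m0 seed nodes form a
# complete graph, so k_i > 0 and the attachment probability is defined at step 1.
import math
import random

def barabasi_albert(m0, m, steps, seed=0):
    """Return the degree list of a network grown for `steps` steps (requires m <= m0)."""
    rng = random.Random(seed)
    degree = [m0 - 1] * m0
    # stubs lists node i exactly k_i times, so a uniform pick gives P_i = k_i / sum_j k_j
    stubs = [i for i in range(m0) for _ in range(m0 - 1)]
    for _ in range(steps):
        targets = set()
        while len(targets) < m:              # m distinct existing nodes per new node
            targets.add(rng.choice(stubs))
        new = len(degree)
        for i in targets:
            degree[i] += 1
            stubs.extend([i, new])           # one stub at each end of the new edge
        degree.append(m)
    return degree

def loglog_slope(degree):
    """Least-squares slope of log P(K >= k) versus log k over the observed degrees."""
    n = len(degree)
    xs, ys = [], []
    for k in sorted(set(degree)):
        ccdf = sum(1 for d in degree if d >= k) / n
        xs.append(math.log(k))
        ys.append(math.log(ccdf))
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    return sxy / sxx

if __name__ == "__main__":
    deg = barabasi_albert(m0=3, m=2, steps=3000)
    print("nodes:", len(deg), "edges:", sum(deg) // 2, "max degree:", max(deg))
    print("slope of CCDF on log-log axes (expect about -2 for r = 3):",
          round(loglog_slope(deg), 2))
```

Running the same check with m = 3 or m = 4 changes the total edge count but not the fitted slope, which is the Appendix 4 observation that the lines for different values of m are parallel.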

39 Thanks for your listening^^

