
1 Near Optimal Defense Strategies to Minimize Attackers' Success Probabilities in Honeypot Networks
Advisor: Frank, Yeong-Sung Lin
Presented by Yu-Shun Wang

2 Agenda
Introduction
Problem formulation
  Problem description
  Mathematical formulation
Solution Approach
  Evaluation Process
  Policy Enhancement
Experimental result
Conclusion
Reviewers' comment
2019/1/16 NTU


4 Introduction
The complexity and attack level of network systems grow with each passing day. An attacked organization suffers large losses, whether monetary or reputational. According to the 2008 CSI survey*, the most expensive incident on average was financial fraud, with an average reported cost of $463,100, followed by dealing with "bot" computers within the organization's network, reported to cost an average of $345,600 per respondent. Dealing with loss of either proprietary information or loss of customer and employee confidential data averaged approximately $241,000 and $268,000, respectively.
* Robert R., CSI Director, "2008 CSI Computer Crime & Security Survey," 2008. The 2009 version will be released on December 1, 2009, 11:00 am PT / 2:00 pm ET.

5 Introduction
We define survivability as the capability of a system to fulfill its mission, in a timely manner, in the presence of attacks, failures, or accidents. We use the term system in the broadest possible sense, including networks and large-scale systems of systems. *
(Figure: survivability status, Compromised vs. Safe)
* R. J. Ellison, D. A. Fisher, R. C. Linger, H. F. Lipson, T. Longstaff, and N. R. Mead, "Survivable Network Systems: An Emerging Discipline," Technical Report CMU/SEI-97-TR-013, November 1997.

6 Introduction
Previous work (Title / Author(s)):
An Evaluation of Network Survivability When Defense Levels Are Discounted by the Accumulated Experience of Attackers / F.Y.-S. Lin, P.-Y. Chen, and P.-H. Tsang
Maximization of Network Survival Time in the Event of Intelligent and Malicious Attacks / P.-H. Tsang, F.Y.-S. Lin, and C.-W. Chen
Near Optimal Attack Strategies for the Maximization of Information Theft / F.Y.-S. Lin, C.-L. Tseng and P.-H. Tsang
Near Optimal Protection Strategies against Targeted Attacks on the Core Node of a Network / F.Y.-S. Lin, P.-H. Tsang and Y.-L. Lin
Evaluation of Network Robustness for Given Defense Resource Allocation Strategies / F.Y.-S. Lin, P.-H. Tsang, C.-H. Chen, C.-L. Tseng and Y.-L. Lin
Maximization of Network Robustness Considering the Effect of Escalation and Accumulated Experience of Intelligent Attackers / F.Y.-S. Lin, P.-H. Tsang, P.-Y. Chen, and H.-T. Chen
Former research on survivability mostly relies on the assumption of "perfect knowledge". This assumption means that the attacker holds every detail about the network and can use it intelligently to maximize damage. It helps defenders analyze the worst-case scenario.

7 Introduction
Previous research / My work:
Complete information about topology / Only one-hop information
Complete information about defense resource allocation / Only next-hop defense resource information
Complete information about node attributes / Partial information about node attributes
Single category of attacker / Multiple categories of attackers
Information is gathered before an attacker launches an attack / Information is gathered during the attack


9 Problem formulation
For defense resources, we consider not only resources that increase the defense level but also another deception-based defense mechanism, honeypots, which act as false targets to distract attackers.

10 Problem formulation
For attackers, we apply the following criteria to classify them:
Budget: three levels, using the minimum attack cost as the benchmark.
Capability: three levels; it influences the probability that an attacker is deceived by honeypots.
Next-hop selection criterion:
  The highest defense level (for valuable information)
  The lowest defense level (for a stealth strategy *)
  Random attack (for a random strategy *)
* Fred Cohen, "Managing Network Security: Attack and Defense Strategies"


12 Mathematical formulation
Assumptions
There is only one core node in the network.
The defender has perfect knowledge of the network, which is attacked by several attackers with different budgets, capabilities, and next-hop selection criteria.
The attackers are not aware that honeypots have been deployed by the defender in the network, i.e., the attackers have imperfect knowledge of the network.
There are two types of defense resources: honeypot and non-honeypot.

13 Mathematical formulation
Assumptions (cont.)
A node is only subject to attack if a path exists from the attacker's position to that node and all the intermediate nodes on the path have been compromised.
A node is compromised when the attack resources allocated to it are no less than the defense force incurred by the defense resources.
Only malicious nodal attacks are considered.
The network is viewed at the AS level.

14 Mathematical formulation
Given parameters (Notation: Description)
Frequency
  M: The total evaluation frequency for all attacker categories
  K: The total attacker categories
  Pk: The portion of attacker type k in total attackers (where k ∈ K)
  Rk: Rounded evaluation frequency of each attacker type
Attack & Defense
  D: All possible defense strategies
  The strategy of an attacker, comprising his budget, capabilities, and next-hop selection criterion (where k ∈ K)
  Skj( , ): 1 if attacker j of the kth category can compromise the core node under the defense strategy, and 0 otherwise (where k ∈ K)
Budget
  B: The total budget of the defender
  Bk: The total budget of the kth type of attacker, where k ∈ K
Index
  F: The index set of honeypots playing the role of fake core nodes
  I: The index set of all general nodes in the network

15 Mathematical formulation
Decision variables (Notation: Description)
Defense budget
  bi: The defense resource allocated to protect node i, where i ∈ I
  hf: The defense resource allocated to honeypot f as the fake core node in the network, where f ∈ F
Attack budget
  a(bi): The cost of compromising general node i in the network, where i ∈ I
  a(hf): The cost of compromising honeypot f in the network, where f ∈ F

16 Mathematical formulation
Objective Function:

17 Mathematical formulation
Constraints
Defender budget constraints
Attacker budget constraints


19 Solution Approach: Evaluation Process
Initial state: run the evaluation with the 27 kinds of attackers M times and get the core-node compromised frequency. Divide the frequency by M to obtain the average core-node compromised probability.
Then loop:
  Check the stop criteria; if they are met, stop.
  Otherwise, adjust the defense parameters by policy enhancement.
  Run another evaluation M times using the adjusted defense parameters and get the corresponding probability.
  Compare the result with the initial one and return to the stop-criteria check.


21 Solution Approach: Policy Enhancement
The main concept of policy enhancement can be summarized in the following parts.
Derivative: this concept is used to measure the marginal effectiveness of each defense resource allocation.
Popularity-based strategy: this strategy focuses on the nodes that are frequently attacked. Therefore, we use the cost attackers spent on each node divided by the total attack cost spent in the entire network as the metric in the policy enhancement.

22 Solution Approach: Policy enhancement
Flowchart:
We first take a certain amount of resources from nodes in the network.
Is the quantity of resources too large? If yes, only remove resources from nodes that can afford it.
Is the total quantity of resources higher than the threshold? If yes, change the quantity of resources we take from nodes.
Calculate the derivative of every reallocation scheme and choose the one with the lowest derivative to replace the current allocation scheme.
Is there a better value to test? If yes, change the quantity of resources we take from nodes and repeat; if no, stop.


24 Experimental result: Important parameters (Parameter: Value)
Total number of attacker profiles: 27
Attacker budget levels: 3
Attacker capability levels: 3
Next-hop selection criteria: 3
Defender total budget: 1,000
Total evaluation times for one round: 10,000,000

25 Experimental result: Important parameters (cont.)
Types of attackers' budget level (Value):
  High level: 2 times the minimum attack cost
  Medium level: 1.5 times the minimum attack cost
  Low level: 1 time the minimum attack cost
Types of attackers' capability level (Value):
  High level: 30% distracted by a false-target honeypot
  Medium level: 50% distracted by a false-target honeypot
  Low level: 70% distracted by a false-target honeypot

26 Experimental result: Experiment on M
(Chart: compromised frequency per chunk, 1000 chunks)

27 Experimental result: Experiment on M (cont.)
(Chart: compromised frequency per chunk, 10000 chunks)

28 Experimental result: Initial allocation scheme
We apply two metrics to allocate our defense resources:
The number of hops to the core node: we believe nodes closer to the core node play a more important role, so we allocate more resources to nodes near the core node.
Link degree of each node: since the link degree also reflects the importance of a node, we allocate more resources to nodes with a higher link degree.
We combine these two metrics with different weights, for example 30% number of hops and 70% link degree, to allocate resources.

29 Experimental result
Different values of the weight result in distinct initial allocations. Once the initial allocation changes, the value of the minimum attack cost also changes, and attackers' budgets are determined as multiples of the minimum attack cost. We need a uniform benchmark to compare performance. Consequently, the benchmark for deciding attackers' budgets is fixed at certain values in the following experiments.

30 Experimental result
Performance comparison when the benchmark is set at 443 (minimum attack cost of the 20% hop and 80% link initial allocation):
The 0% case is because, if link degree alone is used, many nodes end up with the same resource distribution, which creates an attack path that is relatively favorable to the attacker. The 60% case is because a path appears that requires only 425 attack resources.

31 Experimental result
Performance comparison when the benchmark is set at 480 (minimum attack cost of the 50% hop and 50% link initial allocation):

32 Experimental result
Performance comparison when the benchmark is set at 515 (minimum attack cost of the 80% hop and 20% link initial allocation):


34 Conclusion
In this paper, we relax the commonly made "perfect information assumption for attackers" of previous research and propose a mathematical model to evaluate network survivability. We consider a more realistic environment where multiple classes of attackers may exist, and attackers from different classes may have distinct attributes, behaviors and strategies. Our main contribution is that we combine mathematical programming and simulation techniques and develop a novel approach to solve problems with the imperfect-knowledge property.
3. Certain special nodes in the network can be discovered and made use of.


36 Reviewers' comments
Reviewer 1:
The authors describe a mathematical model that allows one to assess the survivability of a computer network and its core components. While the model may be an interesting theoretical contribution, I see several problems once the methodology is applied to a real-world scenario. First, in the real world it is almost impossible to estimate/fix the parameters of the system. For example, how can one assess the "cost of compromising a general node in the network" (value a(b_i))? How can I compute the "cost" of a specific defense mechanism? Second, it remains completely unclear which "attacker categories" the authors consider. They do tell on page 2 that there are in total 27 of them, but they do not give any details. Third, I do not understand why their proposed algorithm is "near optimal" as stated in the title. What does that mean? When is an algorithm "optimal"?

37 Reviewers' comments
Reviewer 2:
Your paper is well written and I was inclined to think that you had stumbled across an area of growing interest when you referenced it to several other pieces of work: "A number of previous works, e.g., [2] [3] [4] [5] [6] [7]". However, on examination, you have only cited your own work and thus are presenting minor changes to your own work. If the research question is a significant one, and it may be, then you need to provide an in-depth literature review that proves this. Otherwise I have to reject it, since you have not really begun to show your reader why this work is significant.

38 Reviewers' comments
Reviewer 3:
This paper studies near optimal defense strategies to minimize attackers' success probabilities in honeypot networks. The presentation is clear and the paper is well organized. Given the assumptions in the paper, the evaluation looks good. My concern about the paper is the strong assumptions in the paper. In Section II, Problem Formulation, the authors oversimplified the attacker's knowledge and the procedure of attacks. Given such strong assumptions, the later calculations and analysis are less challenging. I doubt how many attacks can fall into the assumed situation. The strong assumptions may seriously limit the application of the proposed method and make the contribution of the paper less significant. Moreover, the technical strength of the paper, especially the analysis part, is a little bit weak.

39 Thanks for Your Listening

40 Solution Approach: Evaluation Process
Since our scenario and environment are very dynamic, it is hard to solve the problem purely by mathematical programming. For each attacker category, although the attackers in it belong to the same type, there is still some randomness among them. This is caused by honeypots: if an attacker compromises a false-target honeypot, there is a probability that he will believe the core node is compromised and terminate the attack. Therefore, we can never guarantee whether an attack succeeds or fails until the end of the evaluation.
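The evaluation process of slides 19 and 40 as an added Python example (not the presentation's code): a Monte Carlo run of the 27 attacker profiles over a constructed toy network, where honeypot distraction is the only source of randomness for the non-random criteria. The network, its defense values and the rule a(b_i) = b_i are assumptions made for the example.

```python
import random
from itertools import product

# Constructed toy AS-level network (not the presentation's data): adjacency
# lists, defense resource b_i per node, one real core node and one honeypot.
NETWORK = {"entry": ["n1", "n2"], "n1": ["core", "hp", "n2"],
           "n2": ["n1", "hp"], "core": [], "hp": []}
DEFENSE = {"entry": 0, "n1": 50, "n2": 40, "core": 200, "hp": 120}
CORE, HONEYPOTS = "core", {"hp"}

# The 3 x 3 x 3 = 27 attacker profiles of the slides: budget as a multiple of the
# minimum attack cost, capability as the honeypot distraction probability, criterion.
BUDGET = {"high": 2.0, "medium": 1.5, "low": 1.0}
DISTRACTED = {"high": 0.3, "medium": 0.5, "low": 0.7}
CRITERIA = ("highest", "lowest", "random")

def cost(node):
    return DEFENSE[node]  # a(b_i): assumed equal to the node's defense resource

def min_attack_cost(u="entry", seen=frozenset()):
    # Cheapest compromise path to the core (DFS over simple paths): the benchmark
    # the slides use to scale attacker budgets.
    if u == CORE:
        return 0
    seen = seen | {u}
    return min((cost(v) + min_attack_cost(v, seen) for v in NETWORK[u]
                if v not in seen), default=float("inf"))

def attack(budget, p_distracted, criterion, rng):
    # One attacker; only the defense levels of the next-hop candidates are visible.
    compromised, frontier = {"entry"}, set(NETWORK["entry"])
    while frontier:
        nxt = (rng.choice(sorted(frontier)) if criterion == "random" else
               (max if criterion == "highest" else min)(sorted(frontier), key=cost))
        if cost(nxt) > budget:
            return False                 # budget exhausted before reaching the core
        budget -= cost(nxt)
        compromised.add(nxt)
        if nxt == CORE:
            return True
        if nxt in HONEYPOTS and rng.random() < p_distracted:
            return False                 # takes the fake core for the real one
        frontier = {v for u in compromised for v in NETWORK[u]} - compromised
    return False

def profile_rate(b, c, crit, n, seed=1):
    # Core-compromised frequency / n for one of the 27 profiles.
    rng, base = random.Random(seed), min_attack_cost()
    return sum(attack(BUDGET[b] * base, DISTRACTED[c], crit, rng) for _ in range(n)) / n

def evaluate(m, seed=1):
    # One round: m runs spread evenly over the 27 profiles (P_k = 1/27, R_k = m // 27).
    rates = [profile_rate(b, c, k, m // 27, seed)
             for b, c, k in product(BUDGET, DISTRACTED, CRITERIA)]
    return sum(rates) / len(rates)
```

On this toy graph the low-budget "highest" attacker always reaches the core (entry, n1, core costs exactly the minimum attack cost), while the "lowest" attacker is led through the honeypot and either gives up or runs out of budget.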

41 Solution Approach: Evaluation Process, parameter setting
M (total evaluation frequency for one round): First, we choose an initial value, for example 10 million. Then we take 10 thousand runs as a chunk to summarize the result and draw a diagram depicting the relationship between compromised frequency and number of chunks. If the diagram shows a stable trend, the value of M is an ideal one.
Stop criteria, N (total rounds for policy enhancement): We set this value by a resource-constrained approach. If we cannot improve the quality of the resource allocation scheme any more, we also terminate this process.
Resource-constrained approach: because the lifetime of a solution is not necessarily long.

42 Solution Approach: Policy enhancement
The quantity of defense resource we take from a node is determined by a harmonic series. Further, we also determine the direction of this quantity. When the quantity divided by the iteration number is no more than 2, we stop searching for a better value.
Search tree:
Initial value (20)
  20 + 20/2 = 30
    30 + 30/3 = 40
    30 - 30/3 = 20
  20 - 20/2 = 10
    10 + 10/3 = 13
    10 - 10/3 = 7
  ...
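The harmonic-series step search of slide 42, combined with the lowest-derivative choice of slides 21 and 22, as an added Python example (not the presentation's code). `toy_objective` is a constructed stand-in for a full M-run evaluation, and taking q units is assumed to come only from nodes that can afford it.

```python
def candidates(q, i):
    # Iteration i tries q + q/i and q - q/i, truncated as on the slide
    # (10 +/- 10/3 gives 13 and 7).
    step = q // i
    return q + step, q - step

def marginal(objective, q_cur, p_cur, q_new):
    # "Derivative": change in core-compromised probability per unit of
    # resource moved; the most negative value is the most effective move.
    return (objective(q_new) - p_cur) / abs(q_new - q_cur)

def harmonic_search(objective, q0=20):
    # objective(q) -> core-compromised probability after reallocating q units.
    # Returns the chosen q, its probability and the sequence of q values accepted.
    q, p, i, trace = q0, objective(q0), 2, [q0]
    while q / i > 2:                       # stop criterion from the slide
        opts = [c for c in candidates(q, i) if c > 0]
        best = min(opts, key=lambda c: marginal(objective, q, p, c))
        if marginal(objective, q, p, best) >= 0:   # no better value to test
            break
        q, p = best, objective(best)
        trace.append(q)
        i += 1
    return q, p, trace

def toy_objective(q):
    # Constructed stand-in for the evaluator: lowest when about 38 units move.
    return ((q - 38) / 100) ** 2 + 0.05
```

Starting from the slide's initial value of 20, the search accepts 30 at iteration 2 and 40 at iteration 3, then stops at iteration 4 because both 50 and 30 have a non-negative derivative.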

43 Topics on honeypots in Taiwan

44 Topics on honeypots in Taiwan

45 Response to the comment
It is worth emphasizing that there is a great difference between perfect knowledge and imperfect knowledge. For example, most shortest-path algorithms and minimum-cost spanning tree algorithms are based on the perfect-knowledge assumption. If nodes and links appear dynamically while searching for the shortest path or the minimum-cost spanning tree, the well-known algorithms may no longer be feasible. Although there is no need to relax this assumption in those algorithms, it is a necessary concern in our attack-defense scenario.

