Near Optimal Defense Strategy to Minimize System Compromise Probability with Honeypot under Incomplete Information
Presented by Yu-Shun Wang
Agenda
Introduction
Scenario
Mathematical Formulation
Solution Approach
  Evaluation Process
  Improving Procedure
OP IM, NTU 2019/4/12
Introduction
The complexity and attack level of network systems grow with each passing day, and we need more solutions to deal with the various threats of the present and the future. As a result, we consider not only general defense resources but also another kind of defensive technology, the honeypot, as a deceptive tool to distract attackers.
Introduction: comparison with past group research
Assumption
  Past group research: complete information
  My work: incomplete information
Defense technology
  Past group research: major focus on non-honeypot defense techniques, i.e., firewall, IPS, IDS
  My work: also includes a deception-based defense technique, the honeypot
Solution approach
  Past group research: optimization-based mathematical programming
  My work: an evaluation process to measure the system compromise probability
Scenario
Although we propose both a generic model and a specific one, for stating the scenario clearly the following statement is based on the specific model.
Honeypot classification
Attacker classification
Scenario: Honeypot classification
1. Wasting attack resources and learning attack tactics. [1]
2. Acting as a false target to distract attackers. [2]
[1] Michael Sink, “The Use of Honeypots and Packet Sniffers for Intrusion Detection”, 2001
Scenario: Attacker classification
Budget: three levels, using the minimum attack cost as the benchmark (below three times, three to five times, and above five times the minimum attack cost).
Capability: three levels (30%, 50%, 70%); it influences the probability that the attacker is cheated by a false-target honeypot.
Next-hop selecting criteria:
  The highest link utilization (for valuable information)
  The lowest link utilization (for a stealth strategy *)
  The lowest defense level (for the easiest node to compromise *)
  Random attack (for a random strategy *)
The number of levels can be finite or infinite.
* Fred Cohen, “Managing Network Security: Attack and Defense Strategies”
[Scenario walkthrough: ten animated slides showing a network diagram with node labels t, W, F, F, W, S; no further text is recoverable]
Scenario
The above scenario contains two extreme situations. One describes an attacker cheated by a false-target honeypot; the other depicts an attacker who not only penetrates the false target but also has sufficient budget to compromise the core node. The model contains many more scenarios; we simply illustrate two possible examples.
Mathematical Formulation
Assumptions
- There is only one core node in the network.
- The defender has complete information about the network, which is attacked by several attackers with different budgets, capabilities, and next-hop selecting criteria.
- The attackers are not aware that there are honeypots deployed by the defender in the network, i.e., the attackers have incomplete information about the network.
- There are two types of defense resources, honeypot and non-honeypot. Further, honeypots are divided into two categories: one is used for wasting attackers’ resources and learning their tactics, and the other plays the role of a fake core node to distract the attackers.
Mathematical Formulation
Assumptions (cont.)
- A node is only subject to attack if a path exists from the attacker’s position to that node and all the intermediate nodes on the path have been compromised.
- A node is compromised when the attack resources allocated to it are no less than the defense force incurred by the defense resources.
- There is no random error.
- There is no link attack.
- The network is viewed at the AS level.
Mathematical Formulation
Given parameters
Notation   Description
M          The total evaluation frequency for all attacker categories
K          The total number of attacker categories
Pk         The portion of attacker type k among all attackers (where k ∈ K)
Rk         Rounded evaluation frequency of each attacker type
D          All possible defense strategies
           The strategy of an attacker, comprising his budget, capability, and next-hop selecting criterion
Skj( , )   1 if attacker j of the kth category can compromise the core node under the defense strategy, and 0 otherwise (where k ∈ K)
B          The total budget of the defender
Bk         The total budget of the kth type of attacker, where k ∈ K
N          The index set of honeypots for wasting attackers’ resources and learning their tactics
F          The index set of honeypots that play the role of fake core nodes
I          The index set of all general nodes in the network
Mathematical Formulation
Decision variables
Notation   Description
bi         The defense resource allocated to protect node i, where i ∈ I
hn         The defense resource allocated to honeypot n in the network, where n ∈ N
hf         The defense resource allocated to honeypot f as the fake core node in the network, where f ∈ F
un         The cost to adjust the link utilization of honeypot n in the network, where n ∈ N
uf         The cost to adjust the link utilization of honeypot f in the network, where f ∈ F
a(bi)      The cost of compromising general node i in the network, where i ∈ I
a(hn)      The cost of compromising honeypot n in the network, where n ∈ N
a(hf)      The cost of compromising honeypot f in the network, where f ∈ F
Mathematical Formulation
Objective function: [formula shown as an image on the slide]
Solution Approach: Evaluation Process
Since our scenario and environment are very dynamic, it is hard to solve the problem purely by mathematical programming. Within each attacker category, although the attackers belong to the same type, there is still some randomness between them. This is caused by honeypots: if an attacker compromises a false-target honeypot, there is a probability that he will believe the core node is compromised and terminate the attack. Therefore we can never know whether an attack succeeds or fails until the end of the evaluation.
Solution Approach: Evaluation Process (flowchart)
1. Initial state: run the evaluation with the 36 kinds of attackers M times and count the core-node compromise frequency. Divide the frequency by M to obtain the average core-node compromise probability.
2. Adjust the defense parameters by the improving procedure.
3. Run another evaluation M times using the adjusted defense parameters and obtain the corresponding probability.
4. Compare the result with the initial one. Repeat steps 2 to 4 N times.
Solution Approach: Evaluation Process, parameter setting
M (total evaluation frequency for one round): first we pick an initial value, for example 10 million. Then we take 10 thousand evaluations as a chunk, summarize the result per chunk, and draw a diagram depicting the relationship between the compromise frequency and the number of chunks. If the diagram shows a converging trend, the value of M is an adequate one.
N (total rounds of the improving procedure): we set this value by a resource-constrained approach, because the lifetime of a solution is not necessarily long.
Solution Approach: Improving Procedure
The main concepts of the improving procedure can be summarized in the following parts.
Popularity-based strategy: this strategy focuses on the nodes that are frequently attacked. Therefore we use the total cost attackers spent on each node as the metric in the improving procedure.
Derivative: this concept is used to measure the marginal effectiveness of each defense resource allocation.
Solution Approach: Improving Procedure (flowchart)
1. By the attack cost spent on each node, choose the three highest and the three lowest nodes as two groups.
2. Highest group: for each node, calculate the derivative of the defense resource with one virtual positive unit of resource; if the node is a honeypot, also calculate the derivative of the link utilization with one virtual positive unit.
3. Lowest group: for each node, calculate the derivative of the defense resource with one virtual negative unit of resource; if the node is a honeypot, also calculate the derivative of the link utilization with one virtual negative unit.
4. Select the highest derivative from each of the two groups and move one unit of resource from the lowest group to the highest group.
Solution Approach: the relationship between the evaluation process and the improving procedure
1. Initial state: run the evaluation with the 36 kinds of attackers M times, count the core-node compromise frequency, and divide it by M to obtain the average core-node compromise probability.
2. Improving procedure: by the attack cost spent on each node, choose the three highest and the three lowest nodes as two groups. For the highest group, calculate the derivative with one virtual positive unit of resource (defense resource, plus link utilization if the node is a honeypot); for the lowest group, calculate it with one virtual negative unit. Select the highest derivative from each group and move one unit of resource from the lowest group to the highest group.
3. Run another evaluation M times using the adjusted defense parameters and obtain the corresponding probability.
4. Compare the result with the initial one; repeat from step 2 for N rounds.
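Worked example, added here and not code from the presentation or its authors, covering both the evaluation process (including the chunked convergence check used to choose M) and the improving procedure (popularity-based grouping plus derivative-driven reallocation). It assumes a constructed six-node topology with one resource-wasting honeypot W1 and one fake-core honeypot F1, that compromising a node costs exactly its defense resource (a(b_i) = b_i), that an attacker's capability is the probability of seeing through a fake core (so the deception probability is 1 minus the capability), representative budget multiples of 2, 4 and 6 times the minimum attack cost for the three budget levels, and it omits the link-utilization derivative for honeypots. All node names, values and function names are this example's own.

```python
import random

# Constructed toy topology (an assumption of this example, not the presentation's data).
# The attacker starts at S; t is the single core node; W1 is a honeypot that only wastes
# attack resources (set N); F1 is a fake-core honeypot (set F); A, B and C are general
# nodes (set I). Compromising a node is assumed to cost exactly its defense resource,
# i.e. a(b_i) = b_i, a(h_n) = h_n and a(h_f) = h_f.
ADJ = {"S": ["A", "B"], "A": ["S", "W1", "C"], "B": ["S", "F1", "C"],
       "C": ["A", "B", "t"], "W1": ["A"], "F1": ["B"], "t": ["C"]}
FAKE_CORE, CORE = {"F1"}, "t"
UTIL = {"A": 0.6, "B": 0.4, "C": 0.7, "W1": 0.2, "F1": 0.9, "t": 0.8}  # link utilization
INIT_DEFENSE = {"A": 3, "B": 3, "C": 5, "W1": 2, "F1": 4, "t": 8}        # b_i, h_n, h_f

# The 36 attacker kinds: 3 budget levels x 3 capability levels x 4 next-hop criteria.
BUDGET_MULT = (2, 4, 6)       # representative points of <3x, 3-5x, >5x the minimum attack cost
CAPABILITY = (0.3, 0.5, 0.7)  # assumed: capability = P(attacker sees through a fake core)
CRITERIA = ("high_util", "low_util", "low_def", "random")

def min_attack_cost(defense):
    """Benchmark for attacker budgets: cheapest total compromise cost from S to the core."""
    dist, todo = {"S": 0}, {"S"}
    while todo:
        u = min(todo, key=dist.get)
        todo.remove(u)
        for v in ADJ[u]:
            d = dist[u] + defense.get(v, 0)
            if d < dist.get(v, float("inf")):
                dist[v] = d
                todo.add(v)
    return dist[CORE]

BASE_COST = min_attack_cost(INIT_DEFENSE)  # budgets are multiples of the initial benchmark

def attack(defense, budget, capability, criterion, rng, spent):
    """One attacker run; True iff the core node is compromised. Only frontier nodes (all
    intermediate nodes already compromised) can be attacked, and a node falls only if the
    attacker can pay at least its defense force. `spent` accumulates the attack cost paid
    per node, the popularity metric used by the improving procedure."""
    rank = {"high_util": lambda v: -UTIL[v], "low_util": lambda v: UTIL[v],
            "low_def": lambda v: defense[v], "random": lambda v: rng.random()}[criterion]
    owned = {"S"}
    while True:
        frontier = sorted({v for u in owned for v in ADJ[u]
                           if v not in owned and defense[v] <= budget})
        if not frontier:
            return False                         # budget exhausted before reaching the core
        v = min(frontier, key=rank)
        budget -= defense[v]
        spent[v] += defense[v]
        owned.add(v)
        if v == CORE:
            return True
        if v in FAKE_CORE and rng.random() >= capability:
            return False                         # deceived: believes the core is compromised

def evaluate(defense, m, seed=0, chunk=None, base=BASE_COST):
    """Evaluation process: run the 36 attacker kinds M times in total. Returns the core
    compromise probability, the running probability after each chunk (the series the
    slides plot against the chunk count to judge M) and the attack cost spent per node."""
    rng = random.Random(seed)
    kinds = [(b, c, k) for b in BUDGET_MULT for c in CAPABILITY for k in CRITERIA]
    spent = {v: 0 for v in defense}
    hits, running, chunk = 0, [], chunk or max(1, m // 10)
    for i in range(m):
        b, c, k = kinds[i % len(kinds)]          # equal portion P_k of every attacker kind
        hits += attack(defense, b * base, c, k, rng, spent)
        if (i + 1) % chunk == 0:
            running.append(hits / (i + 1))
    return hits / m, running, spent

def converged(running, tol=0.01):
    """M is large enough when the running probability stops moving over the last chunks."""
    return len(running) >= 3 and max(running[-3:]) - min(running[-3:]) < tol

def improve(defense, m, seed=0):
    """One round of the improving procedure: take the three most and three least attacked
    nodes (by attack cost spent), estimate the marginal drop in compromise probability for
    one virtual +1 unit (highest group) and -1 unit (lowest group), and move one unit from
    the least harmful removal to the most helpful addition, so the total budget B is kept.
    The slides' extra link-utilization derivative for honeypots is omitted here."""
    p0, _, spent = evaluate(defense, m, seed)
    ranked = sorted(defense, key=spent.get)
    lowest = [v for v in ranked[:3] if defense[v] > 1]  # never strip a node to zero
    if not lowest:
        return dict(defense)

    def gain(node, unit):                        # probability reduction per virtual unit
        trial = dict(defense)
        trial[node] += unit
        return p0 - evaluate(trial, m, seed)[0]

    add = max(ranked[-3:], key=lambda v: gain(v, +1))
    take = max(lowest, key=lambda v: gain(v, -1))
    new = dict(defense)
    new[add] += 1
    new[take] -= 1
    return new

def search(defense, m, rounds, seed=0):
    """Evaluate, improve, re-evaluate and keep the better allocation, for N rounds."""
    best, p_best = dict(defense), evaluate(defense, m, seed)[0]
    for _ in range(rounds):
        cand = improve(best, m, seed)
        p = evaluate(cand, m, seed)[0]
        if p < p_best:
            best, p_best = cand, p
    return best, p_best

if __name__ == "__main__":
    p, running, _ = evaluate(INIT_DEFENSE, 3600, seed=1)
    print(f"initial P(core compromised) = {p:.3f}, converged at this M: {converged(running)}")
    best, p_best = search(INIT_DEFENSE, 3600, rounds=5, seed=1)
    print(f"after improving: P = {p_best:.3f}, allocation = {best}")
```

Run directly, the script prints the initial compromise probability, whether the running frequency has settled at that M, and the allocation found after five improving rounds. The running series returned by `evaluate` is the quantity the slides plot against the chunk count; with a real network M would be far larger than 3600, and the honeypot link-utilization cost (u_n, u_f) would be a second lever in `improve`.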
Thanks for listening.