1. Advisor: Professor Frank Y.S. Lin Ray J.P. Lo 駱睿斌
Near Optimal Redundancy and Extra Defense Allocation Strategies Against Malicious Attack with Experience Accumulation
考慮具經驗累積之惡意攻擊下
近似最佳化冗餘及額外防禦配置策略
Advisor: Professor Frank Y.S. Lin
Ray J.P. Lo 駱睿斌

2. Agenda Introduction Scenario Problem Formulation Lagrangean Relaxation
Decomposition
2019/5/1
NTU IM OPLab

3. Agenda Introduction Scenario Problem Formulation Lagrangean Relaxation
Decomposition
2019/5/1
NTU IM OPLab

4. Introduction Business Continuity Management (BCM) BS 25999
Business Impact Analysis (BIA)
Risk Analysis (RA)
Disaster Recovery Planning (DRP)
Redundancy Allocation Problem (RAP)
1.企業最大的價值應該是及時提供顧客服務以滿足他們的需求，換言之必須隨時可提供服務，也就是要維持持續性服務，因為一旦服務中斷，所帶來的損失將難以估計，除了損失了服務中斷期間的生意之外，更嚴重的是商譽的損害以及顧客的流失，因此近年來企業持續營運管理逐漸受到組織的重視，英國標準協會BSI在2006年更為此訂定了一套標準BS25999。
2.BS25999可分為兩部份，第一部分為引導組織發展完整BSM的guidelines，第二部分則是一些稽核的標準。其中第一部分主要可視為一個lifecycle，第一步是要了解組織自身的情形，透過BIA和RA可找出組織關鍵的流程、物件以及相對應潛在的風險，第二步即藉由第一步的分析結果去擬定BCM策略並進行實際規劃，其中包含了職權分工、 DPR、教育訓練計畫、應變程序、備援機制…等，接著便是實際的演練、維護以及成果的審查與修正，最終則是要讓BCM成為組織文化的一部分，根植所有組織人員的心。
3.在BCM範疇中，其中與IT最相關的就是DRP，它的定義是一種內控的系統，目的主要在於災害或意外發生後可快速將錯誤或失效的部分快速復原，而Redundancy則是DRP眾多方法中的一項重要方法。Redundancy主要概念是透過部署多個功能相同的redundant components來降低意外發生時運作中斷的風險，因為功能相同的redundant components彼此可以互相替代，當運作中的redundant component發生問題時，其他的redundant components可以馬上接手工作。
4.運用Redundancy的好處在於它具備兩種層面的功效，事前防範及事後應變:災害前redundancy可視為一種保險，減輕一發生災害就營運中斷的風險；災害後則也可利用redundant component作為備援，暫時維持必需的運作，直到受損的主要元件修復為止。
5.Redundancy配置的相關問題，一般通稱為RAP(，而在1987年，RAP已被證明是屬於NP-hard的問題。)
2019/5/1
NTU IM OPLab

5. Introduction (cont’d)
Main difference
Derek Jiang’s
My Work
Condition for Compromising a Node
Compromise the primary redundant component of it
Compromise all redundant components of it
Objective
Vulnerability
Attack cost
Number of Core Node
Multiple
Experience Accumulation X O
Extra Defensive Mechanisms
2019/5/1
NTU IM OPLab

6. Agenda Introduction Scenario Problem Formulation Lagrangean Relaxation
Decomposition
2019/5/1
NTU IM OPLab

7. Environment Considering a network consisted of AS-level nodes:
Just one kind of specified function is provided by each node.
The plan about which node providing what kind of function is predefined and consistent.
Multiple core nodes
Only malicious attack is considered.
2019/5/1
NTU IM OPLab

8. Defender
The defender hopes to enhance the survivability of whole network by exploiting unified purchase to implement redundancy allocation.
First, the defender gets a list of products from the vendor.
2019/5/1
NTU IM OPLab

9. Defender (cont’d)
Redundant Component Choice Sets of Different Functions
1.Redundant components 是真正提供所需功能的元件，但它們仍具備基本的防禦能力。
2.額外的defensive mechanisms則是純粹用以保護redundant components。
3.不同種類的r.c.和d.m價錢不同，且攻克它們所需要的攻擊成本也不同，而這些資訊也被揭露在那份清單上，對於攻防雙方都是已知。.
4.Firewall, Anti-Virus, Anti-Spam, Anti-Spyware, Application-level firewall, Encryption of data (in transmit / in rest), Access control, Public key Infrastructure system, Intrusion Detection System, Intrusion Prevention System, Data Loss Prevention
Defensive Mechanism Choice Sets of
Different Redundant Components
2019/5/1
NTU IM OPLab

10. Defender (cont’d)
The defender has to choose appropriate redundant components to allocate in each node from the redundant component choice set of the specific function which is predefined for each node.
When allocating a redundant component, the defender also has to choose appropriate extra defensive mechanisms from the corresponding defensive mechanism choice set of the kind of redundant component in the meantime.
The number of redundant components must comply with the regulation of each node’s predefined redundant level.
2019/5/1
NTU IM OPLab

11. Defender (cont’d)
After efficient allocation of redundant components and defensive mechanisms in each node:
The attacker must compromise all of the same-functioned redundant components in whichever node he/she wants to compromise.
Before really attacking a redundant component, the attacker must compromise all of the defensive mechanisms which are protecting it.
The defender’s ultimate goal is maximizing the total attack cost of compromising all core nodes with the regard for limited total defensive budget.
2019/5/1
NTU IM OPLab

12. Attacker
The attacker also has the perfect knowledge about this target network.
The topology of the network
The allocation of redundant components and defensive mechanisms in each node
Extreme experience accumulation
The attacker’s final goal is minimizing the total attack cost of compromising all core nodes by choosing which nodes to compromise.
2019/5/1
NTU IM OPLab

13. Scenario S C S C
2019/5/1
NTU IM OPLab

14. Scenario S C C C S
2019/5/1
NTU IM OPLab

15. Agenda Introduction Scenario Problem Formulation Lagrangean Relaxation
Decomposition
2019/5/1
NTU IM OPLab

16. Assumption Every node in this network is at AS-level.
No attack on links is considered.
Only malicious attack is considered.
Both the defender and the attacker have perfect knowledge about this network.
Each node in the network must provide just one kind of predefined function.
The defender has limitation of total defensive budget.
The redundant level of each node which defines the minimum required amount of redundant components must be satisfied.
2019/5/1
NTU IM OPLab

17. Assumption (cont’d)
All kinds of redundant components in a choice set provide identical main function, and the defender selects the redundant components with the same function for different nodes from a same redundant component choice set.
Other than providing the main function, all kinds of redundant components also have little basic defensive ability.
All redundant components are in hot-standby state.
All compromised redundant components are never repaired.
2019/5/1
NTU IM OPLab

18. Assumption (cont’d)
There are several extra defensive mechanisms available for further protecting each kind of redundant component, and the defender selects the defensive mechanisms for the same kind of redundant components from a same defensive mechanism choice set.
The defender must decide which extra defensive mechanisms to deploy for protecting a redundant component when allocating a redundant component in a node.
2019/5/1
NTU IM OPLab

19. Assumption (cont’d)
A node is subject to attack only if a path exists from node s to that node, and all the intermediate nodes on the path have been compromised.
A node is compromised if and only if all redundant components allocated in it have been compromised.
A redundant component is subject to attack only if all extra defensive mechanisms allocated to protect it have been compromised.
2019/5/1
NTU IM OPLab

20. Assumption (cont’d)
If the attacker has compromised the extra defensive mechanism d of redundant component m once, he/she then learned some effective skills or developed some powerful hacker tools to deal with this kind of defensive mechanism d of redundant component m.
Hence, the attacker can compromise the same kind of defensive mechanism d of the same kind of redundant component m without spending any cost afterward.
According to the same reason mentioned above, the attacker can compromise any kind of redundant component which he/she has ever compromised without spending any cost.
2019/5/1
NTU IM OPLab

21. Given The Core nodes The initial position of attacker
The topology and size of the network
The total defensive budget
The redundant levels of all nodes in the network
The predefined function of each node
2019/5/1
NTU IM OPLab

22. Given (cont’d)
The redundant component choice set of each kind of function
The defensive mechanism choice set of each kind of redundant component
The cost of each kind of redundant component
The cost of each kind of extra defensive mechanism available for each kind of redundant component
The threshold of compromising each kind of redundant component
The threshold of compromising each kind of extra defensive mechanism available for each kind of redundant component
2019/5/1
NTU IM OPLab

23. Objective To maximize the minimized total attack cost Subjected to
The total cost spending on allocating redundant components and extra defensive mechanisms must be no more than the limitation of total defensive budget.
The number of redundant components in each node must be no less than the redundant level of it.
The node to be attacked must be connected to the existing attack tree.
2019/5/1
NTU IM OPLab

24. To determine Defender Attacker
Which redundant components and extra defensive mechanisms in which nodes to allocate
Attacker
Which redundant components and extra defensive mechanisms in which nodes to compromise
2019/5/1
NTU IM OPLab

25. RAP-EDM Model (Redundancy Allocation Problem with Extra Defensive Mechanisms)

26. Given parameters B N T F Mf W The total defensive budgetary limitation
The index set of all nodes in the network T
The index set of all core nodes in the network F
The index set of all functions provided by the nodes in the network Mf
The index set of all redundant components which can be selected to provide the same main function f, where f F W
The index set of all Origin-Destination (O-D) pairs, where the origin is node s and the destination is the core node t, where t T
2019/5/1
NTU IM OPLab

27. Given parameters (cont’d)Pw
The index set of all candidate paths of an O-D pair w, where w W Dm
The index set of all extra defensive mechanisms available for the kind of redundant component m, where m Mf, f F
leveli
The redundant level of node i, where i N, leveli 1
σif
The indicator function, which is 1 if node i provides function f, and 0 otherwise (where i N, f F)
δpi
The indicator function, which is 1 if node i is on the path p, and 0 otherwise (where i N, p Pw, w W)
2019/5/1
NTU IM OPLab

28. Given parameters (cont’d)cm
The cost of the kind of redundant component m, where m Mf, f F
m(cm)
The threshold of the attack cost required to compromise the kind of redundant component m, where m Mf, f F
cmd
The cost of the defensive mechanism d of the kind of redundant component m, where d Dm, m Mf, f F
md(cmd)
The threshold of the attack cost required to compromise the defensive mechanism d of the kind of redundant component m, where d Dm, m Mf, f F
2019/5/1
NTU IM OPLab

29. Decision variables Rim Rimd yi yim yimd
1 if the redundant component m is allocated in node i, and 0 otherwise (where m Mf, f F, i N)
Rimd
1 if the defensive mechanism d of redundant component m is allocated in node i, and 0 otherwise (where d Dm, m Mf, f F, i N) yi
1 if node i is compromised, and 0 otherwise (where i N)
yim
1 if the redundant component m in node i is compromised, and 0 otherwise (where m Mf, f F, i N)
yimd
1 if the defensive mechanism d of redundant component m in node i is compromised, and 0 otherwise (where d Dm, m Mf, f F, i N)
2019/5/1
NTU IM OPLab

30. Decision variables (cont’d)zm
1 if the attacker has compromised the kind of redundant component m so far, and 0 otherwise (where m Mf, f F)
zmd
1 if the attacker has compromised the kind of defensive mechanism d of the kind of redundant component m so far, and 0 otherwise (where d Dm, m Mf, f F) xp
1 if path p is selected as the attack path, and 0 otherwise (where p Pw, w W)
2019/5/1
NTU IM OPLab

31. Objective
Attack cost for really compromising a redundant component
(IP 1)
Attack cost for compromising all extra defensive mechanisms protecting a redundant component
2019/5/1
NTU IM OPLab

32. Subject to (IP 1.1) (IP 1.2) (IP 1.3) (IP 1.4) (IP 1.5) (IP 1.6)
2019/5/1
NTU IM OPLab

33. Subject to (cont’d) (IP 1.8) (IP 1.9) (IP 1.10) (IP 1.11) (IP 1.12)
2019/5/1
NTU IM OPLab

34. Subject to (cont’d) (IP 1.13) (IP 1.14) (IP 1.15) (IP 1.16) (IP 1.17)
2019/5/1
NTU IM OPLab

35. AEA Model (Attack with Experience Accumulation)

36. Given parameters B N T F Mf W The total defensive budgetary limitation
The index set of all nodes in the network T
The index set of all core nodes in the network F
The index set of all functions provided by the nodes in the network Mf
The index set of all redundant components which can be selected to provide the same main function f, where f F W
The index set of all Origin-Destination (O-D) pairs, where the origin is node s and the destination is the core node t, where t T
2019/5/1
NTU IM OPLab

37. Given parameters (cont’d)Pw
The index set of all candidate paths of an O-D pair w, where w W Dm
The index set of all extra defensive mechanisms available for the kind of redundant component m, where m Mf, f F
σif
The indicator function, which is 1 if node i provides function f, and 0 otherwise (where i N, f F)
δpi
The indicator function, which is 1 if node i is on the path p, and 0 otherwise (where i N, p Pw, w W)
2019/5/1
NTU IM OPLab

38. Given parameters (cont’d)cm
The cost of the kind of redundant component m, where m Mf, f F
m(cm)
The threshold of the attack cost required to compromise the kind of redundant component m, where m Mf, f F
cmd
The cost of the defensive mechanism d of the kind of redundant component m, where d Dm, m Mf, f F
md(cmd)
The threshold of the attack cost required to compromise the defensive mechanism d of the kind of redundant component m, where d Dm, m Mf, f F
2019/5/1
NTU IM OPLab

39. Given parameters (cont’d)
Rim
1 if the redundant component m is allocated in node i, and 0 otherwise (where m Mf, f F, i N)
Rimd
1 if the defensive mechanism d of redundant component m is allocated in node i, and 0 otherwise (where d Dm, m Mf, f F, i N)
2019/5/1
NTU IM OPLab

40. Decision variables yi yim yimd
1 if node i is compromised, and 0 otherwise (where i N)
yim
1 if the redundant component m in node i is compromised, and 0 otherwise (where m Mf, f F, i N)
yimd
1 if the defensive mechanism d of redundant component m in node i is compromised, and 0 otherwise (where d Dm, m Mf, f F, i N)
2019/5/1
NTU IM OPLab

41. Decision variables (cont’d)zm
1 if the attacker has compromised the kind of redundant component m so far, and 0 otherwise (where m Mf, f F)
zmd
1 if the attacker has compromised the kind of defensive mechanism d of the kind of redundant component m so far, and 0 otherwise (where d Dm, m Mf, f F) xp
1 if path p is selected as the attack path, and 0 otherwise (where p Pw, w W)
2019/5/1
NTU IM OPLab

42. Objective
(IP 2)
2019/5/1
NTU IM OPLab

43. Subject to
(IP 2.1)
(IP 2.2)
(IP 2.3)
(IP 2.4)
2019/5/1
NTU IM OPLab

44. Subject to (cont’d) (IP 2.5) (IP 2.6) (IP 2.7) (IP 2.8) (IP 2.9)
2019/5/1
NTU IM OPLab

45. Subject to (cont’d) (IP 2.10) (IP 2.11) (IP 2.12) (IP 2.13) 2019/5/1
NTU IM OPLab

46. Agenda Introduction Scenario Problem Formulation Lagrangean Relaxation
Decomposition
2019/5/1
NTU IM OPLab

47. Lagrangean Relaxation
We turn the primal problem (IP 2) into the Lagrangean relaxation problem (LR 1) by relaxing the constraints (IP 2.1), (IP 2.5), (IP 2.6), (IP 2.7), (IP 2.10), and (IP 2.11).
2019/5/1
NTU IM OPLab

48. Optimization problem (LR 1)
μ1, μ2, μ3, μ4, μ5, and μ6 are all non-negative.
2019/5/1
NTU IM OPLab

49. Subject to (LR 1.1) (LR 1.2) (LR 1.3) (LR 1.4) (LR 1.5) (LR 1.6)
2019/5/1
NTU IM OPLab

50. Decomposition Subproblem 1.1 Subproblem 1.2 Subproblem 1.3
(related to decision variable xp)
Subproblem 1.2
(related to decision variable yi)
Subproblem 1.3
(related to decision variable yim, zm)
Subproblem 1.4
(related to decision variable yimd, zmd)
2019/5/1
NTU IM OPLab

51. Subproblem 1.1 (related to decision variable xp)
Subject to:
(Sub 1.1.1)
(Sub 1.1.2)
2019/5/1
NTU IM OPLab

52. Subproblem 1.2 (related to decision variable yi)
Subject to
(Sub 1.2.1)
2019/5/1
NTU IM OPLab

53. Subproblem 1.3 (related to decision variable yim, zm)
Subject to
(Sub 1.3.1)
(Sub 1.3.2)
2019/5/1
NTU IM OPLab

54. Subproblem 1.4 (related to decision variable yimd, zmd)
Subject to
(Sub 1.4.1)
(Sub 1.4.2)
2019/5/1
NTU IM OPLab

55. Thanks for your listening!