Published by Harri Väänänen, modified over 5 years ago
Efficient Network Planning and Defending Strategies to Minimize Attackers' Success Probabilities under Malicious and Epidemic Attacks
Advisor: Frank, Yeong-Sung Lin
Presented by Jia-Ling Pan
2019/5/16, NTUIM OPLAB
Agenda
  Problem Description
  Mathematical Formulation
Problem Description
  Attacker attributes
  Defender attributes
  Attack-defense scenarios
Attacker attributes: Objective
  Use worms to obtain a clearer map of the network topology and its vulnerabilities, and eventually compromise core nodes.
Attacker attributes: Budget
  Preparing phase
    Worm purchasing vs. development
    Social engineering
  Attacking phase
    Node compromising
    Worm injection
Attacker attributes: Preparing phase
  Worm attributes
    Scanning method: blind vs. hitlist
    Propagation rate: static vs. dynamic
    Capability: basic vs. advanced
  Social engineering
    Number of edge nodes
    Number of hops from each core node to edge nodes
Attacker attributes: Attacking phase
  Node compromising (next hop selection criteria)
    Link degree: high link degree, information seeking
    Link utilization: low link utilization, stealth strategy
  Worm injection (candidate selection criteria)
    Link traffic: high link traffic, high rate worm; low link traffic, low rate worm
    Node defense resource β(t)
Defender attributes
  Objective: protect core nodes
  Budget
    Planning phase
    Defending phase
Defender attributes
  Planning phase: node protection
    General defense resources allocation (e.g. firewall, IDS)
    Decentralized information sharing system deployment
  Defending phase
    Decentralized information sharing system
      Unknown worm detection & signature distribution
      Rate limiting
      Worm origin identification
    Firewall reconfiguration
    Dynamic topology reconfiguration
Attack-defense scenarios
[Figure sequence: an AS-level topology with nodes A to O. Legend: AS node, core AS node, firewall, decentralized information sharing system, Type1 worm, Type2 worm, attacker. The slides step through the scenario in this order:
  1. Node compromise (the attacker takes node A)
  2. Worm injection & propagation
  3. Worm injection & propagation with further node compromise
  4. Detection alarm, signature generation & distribution, rate limiting
  5. Firewall reconfiguration
  6. Worm injection & propagation, backdoor installation
  7. Detection alarm, signature generation & distribution
  8. Worm origin identification, firewall reconfiguration
  9. Worm injection & propagation with further node compromise
  10. Dynamic topology reconfiguration]
Mathematical Formulation
Assumption
  Defenders have complete information about the network, for example the topology, the defense resource allocation and node attributes.
  There is an overlay network on top of the network the defender protects; it is used to deploy the decentralized information sharing system.
  Attackers have incomplete information about the network.
Given parameters (Notation: Description)
  N: The index set of all nodes
  Q: The index set of all nodes that have deployed the decentralized information sharing system
  S: The index set of all kinds of services
  αi: The weight of the ith service, where i∈S
  B: The defender's total budget
  E: All possible defense configurations, including defense resource allocation and defending strategies
  (symbol not shown): An attack configuration, including the attacker's attributes, corresponding strategies and transition rules, of the attacker launching the jth attack on the ith service, where i∈S, 1≤j≤Fi
  Z: All possible attack configurations, including the attacker's attributes, corresponding strategies and transition rules
  Fi: The total number of attacks on the ith service by all attackers, where i∈S
  (symbol not shown): 1 if the attacker can achieve his goal successfully, and 0 otherwise, where i∈S, 1≤j≤Fi
  ni: The general defense resources allocated to node i, where i∈N
  d: The cost of constructing the decentralized information sharing system on one node
  g(qij): The cost of constructing a link from node i to node j with capacity qij, where i∈N, j∈N
Decision variables (Notation: Description)
  (symbol not shown): A defense configuration, including defense resource allocation and defending strategies on the ith service, where i∈S
  xi: 1 if node i is implemented with the decentralized information sharing system, and 0 otherwise, where i∈N
  qij: The capacity of the direct link between node i and node j, where i∈N, j∈N
Objective function (IP 1)
Constraints
  Capacity constraint (IP 1.1)
  Integer constraint (IP 1.2)
Constraints: Defender's budget constraints
  (IP 1.5) (IP 1.6) (IP 1.7) (IP 1.8)
Constraints: QoS constraints
  QoS is a function of link utilization, core node loading, hops to a core node, and the affected traffic ratio.
  At the end of the attack, the following constraint must be satisfied. (IP 1.9)
Constraints: QoS constraints
[Figure: QoS versus compromise times]
Constraints: QoS constraints
  The performance reduction caused by firewall reconfiguration must not make the current status violate IP 1.9. (IP 1.10)
  The performance reduction caused by rate limiting must not make the current status violate IP 1.9. (IP 1.11)
  The performance reduction caused by dynamic topology reconfiguration must not make the current status violate IP 1.9. (IP 1.12)
Constraints: QoS constraints
  The negative effect caused by false positives must not make the current status violate IP 1.9. (IP 1.13)
  The defender has to guarantee that at least one core node is not compromised at any time. (IP 1.14)
Constraints: Signature generation and distribution constraints
  Only nodes that have deployed the decentralized information sharing system can be activated. (IP 1.15)
  Signature generation and distribution can only be activated after an unknown worm is detected. (IP 1.16)
  The signature generated by the system must reach a confidence level before it can be distributed. (IP 1.17)
  The total cost of generating and distributing signatures cannot exceed the dynamic defense budget. (A senior lab member said this should be discussed with the advisor.)
Constraints: Dynamic topology reconfiguration constraints
  For each core node, when [condition missing from the slide text], the defender can activate this mechanism so that the core node can avoid being compromised or infected by worms. (IP 1.18)
  Only nodes that have not yet been compromised can activate this mechanism. (IP 1.19)
Constraints: Rate limiting constraints
  Only nodes that have deployed the decentralized information sharing system can enable the rate limiting mechanism. (IP 1.20)
  Ai is the suspect traffic to node i, where i∈N. (IP 1.21)
Constraints: Path continuity constraint
  A node is only subject to attack if a path exists from the attacker's position to that node, and all the intermediate nodes on the path have been compromised. (IP 1.22)
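As an added illustration (not from the slides), the path continuity rule (IP 1.22) and the core-node guarantee (IP 1.14) written as a defender-side check in Python: given the topology and the set of compromised nodes, it computes which nodes the attacker can reach next and replays a candidate attack sequence to find the step at which the guarantee would fall. The topology, the core set and the node letters are constructed assumptions.

```python
from collections import deque

# Constructed sample topology (an assumption, not the slides' network):
# undirected AS-level graph; letters echo the scenario figures' labels.
ADJ = {
    "A": {"B", "C"},
    "B": {"A", "D"},
    "C": {"A", "D", "E"},
    "D": {"B", "C", "F"},
    "E": {"C", "F"},
    "F": {"D", "E"},
}
CORE = {"D", "F"}  # assumed core AS nodes


def attackable_nodes(adj, attacker_pos, compromised):
    """IP 1.22 (path continuity): a node can be attacked only if a path from
    the attacker's position reaches it through compromised nodes only.
    The attacker's own position counts as under attacker control.
    Returns the not-yet-compromised nodes adjacent to that region."""
    controlled = set(compromised) | {attacker_pos}
    reachable, queue = {attacker_pos}, deque([attacker_pos])
    while queue:  # BFS restricted to compromised nodes
        u = queue.popleft()
        for v in adj[u]:
            if v in controlled and v not in reachable:
                reachable.add(v)
                queue.append(v)
    frontier = set()
    for u in reachable:
        frontier |= {v for v in adj[u] if v not in controlled}
    return frontier


def core_guarantee_holds(core, compromised):
    """IP 1.14: at least one core node must remain uncompromised."""
    return bool(set(core) - set(compromised))


def replay_attack(adj, core, attacker_pos, targets):
    """Replay an attack sequence under path continuity. Returns the nodes
    actually compromised, the steps rejected by IP 1.22, and the first step
    (1-based, or None) at which IP 1.14 is violated, i.e. the latest moment
    by which the defender must have acted (IP 1.18/1.19)."""
    compromised, rejected, violated_at = set(), [], None
    for step, target in enumerate(targets, start=1):
        if target not in attackable_nodes(adj, attacker_pos, compromised):
            rejected.append(step)  # no compromised path leads there yet
            continue
        compromised.add(target)
        if violated_at is None and not core_guarantee_holds(core, compromised):
            violated_at = step
    return compromised, rejected, violated_at
```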
Thank you for listening