
1 Efficient Network Planning and Defending Strategies to Minimize Attackers' Success Probabilities under Malicious and Epidemic Attacks
Advisor: Frank, Yeong-Sung Lin
Presented by Jia-Ling Pan
2019/5/16 NTUIM OPLAB

2 Agenda
- Problem Description
- Mathematical Formulation

3 Problem Description

4 Problem Description
- Attacker attributes
- Defender attributes
- Attack-defense scenarios

5 Attacker attributes
- Objective
  - Use worms to get a clearer map of network topology information or vulnerabilities, and eventually compromise core nodes.

6 Attacker attributes
- Budget
  - Preparing phase
    - Worm purchasing vs. development
    - Social engineering
  - Attacking phase
    - Node compromising
    - Worm injection

7 Attacker attributes
- Preparing phase
  - Worm attributes
    - Scanning method: blind vs. hitlist
    - Propagation rate: static vs. dynamic
    - Capability: basic vs. advanced
  - Social engineering
    - Number of edge nodes
    - Number of hops from each core node to edge nodes

8 Attacker attributes
- Attacking phase
  - Node compromising
    - Next hop selection criteria:
      - Link degree: high link degree - information seeking
      - Link utilization: low link utilization - stealth strategy
  - Worm injection
    - Candidate selection criteria:
      - Link traffic: high link traffic - high rate worm; low link traffic - low rate worm
      - Node defense resource
[Figure: plot with axes labelled β(t) and Defense resource]

9 Defender attributes
- Objective
  - Protect core nodes
- Budget
  - Planning phase
  - Defending phase

10 Defender attributes
- Planning phase
  - Node protection
  - General defense resources allocation (e.g., firewall, IDS)
  - Decentralized information sharing system deployment
- Defending phase
  - Decentralized information sharing system
  - Unknown worm detection & signature distribution
  - Rate limiting
  - Worm origin identification
  - Firewall reconfiguration
  - Dynamic topology reconfiguration

11 Attack-defense scenarios

12 Scenarios
[Figure: network topology with nodes A to O. Labels: AS node, Core AS node, Firewall, Decentralized information sharing system, Type1 worm, Type2 worm.]

13 Scenarios
[Figure: network topology. Labels: Node compromise, AS node, Core AS node, Firewall, Decentralized information sharing system, Type1 worm, Type2 worm, Attacker A.]

14 Scenarios
[Figure: network topology. Labels: Worm injection & propagation, AS node, Core AS node, Firewall, Decentralized information sharing system, Type1 worm, Type2 worm, Attacker A.]

15 Scenarios
[Figure: network topology. Labels: Worm injection & propagation, AS node, Core AS node, Firewall, Decentralized information sharing system, Type1 worm, Type2 worm, Attacker A.]

16 Scenarios
[Figure: network topology. Labels: Worm injection & propagation, Node compromise, AS node, Core AS node, Firewall, Decentralized information sharing system, Type1 worm, Type2 worm, Attacker A.]

17 Scenarios
[Figure: network topology. Labels: Node compromise, Worm injection & propagation, AS node, Core AS node, Firewall, Decentralized information sharing system, Type1 worm, Type2 worm, Attacker A.]

18 Scenarios
[Figure: network topology. Labels: Worm injection & propagation, AS node, Core AS node, Firewall, Decentralized information sharing system, Type1 worm, Type2 worm, Attacker A.]

19 Scenarios: Signature generation & distribution
[Figure: network topology. Labels: Signature generation & distribution, Worm injection & propagation, Detection alarm, Rate limiting, AS node, Core AS node, Firewall, Decentralized information sharing system, Type1 worm, Type2 worm, Attacker A.]

20 Scenarios: Firewall reconfiguration
[Figure: network topology. Labels: Worm injection & propagation, Firewall reconfiguration, AS node, Core AS node, Firewall, Decentralized information sharing system, Type1 worm, Type2 worm, Attacker A.]

21 Scenarios
[Figure: network topology. Labels: Worm injection & propagation, AS node, Core AS node, Firewall, Decentralized information sharing system, Type1 worm, Type2 worm, Attacker A.]

22 Scenarios
[Figure: network topology. Labels: Worm injection & propagation, Backdoor, AS node, Core AS node, Firewall, Decentralized information sharing system, Type1 worm, Type2 worm, Attacker A.]

23 Scenarios: Signature generation & distribution
[Figure: network topology. Labels: Signature generation & distribution, Worm injection & propagation, Detection alarm, Backdoor, AS node, Core AS node, Firewall, Decentralized information sharing system, Type1 worm, Type2 worm, Attacker A.]

24 Scenarios: Worm origin identification
[Figure: network topology. Labels: Worm origin identification, Worm injection & propagation, Firewall reconfiguration, Backdoor, AS node, Core AS node, Firewall, Decentralized information sharing system, Type1 worm, Type2 worm, Attacker A.]

25 Scenarios
[Figure: network topology. Labels: Worm injection & propagation, Node compromise, Backdoor, AS node, Core AS node, Firewall, Decentralized information sharing system, Type1 worm, Type2 worm, Attacker A.]

26 Scenarios: Dynamic topology reconfiguration
[Figure: network topology. Labels: Worm injection & propagation, Backdoor, AS node, Core AS node, Firewall, Decentralized information sharing system, Type1 worm, Type2 worm, Attacker A.]

27 Mathematical Formulation

28 Assumption

29 Assumption
- Defenders have complete information about the network, for example topology, defense resource allocation, and node attributes.
- There is an overlay network on the network the defender protects. It is used to deploy the decentralized information sharing system.
- Attackers have incomplete information about the network.

30 Given parameters

| Notation | Description |
|---|---|
| N | The index set of all nodes |
| Q | The index set of all nodes that have deployed the decentralized information sharing system |
| S | The index set of all kinds of services |
| αi | The weight of the ith service, where i∈S |
| B | The defender's total budget |
| E | All possible defense configurations, including defense resources allocation and defending strategies |
|  | An attack configuration, including the attacker's attributes, corresponding strategies and transition rules, for the attacker's jth attack on the ith service, where i∈S, 1≤ j ≤ Fi |

31 Given parameters

| Notation | Description |
|---|---|
| Z | All possible attack configurations, including attacker's attributes, corresponding strategies and transition rules |
| Fi | The total number of attacks on the ith service by all attackers, where i∈S |
|  | 1 if the attacker can achieve his goal successfully, and 0 otherwise, where i∈S, 1≤ j ≤ Fi |
| ni | The general defense resources allocated to node i, where i∈N |
| d | The cost of constructing a decentralized information sharing system on one node |
| g(qij) | The cost of constructing a link from node i to node j with capacity qij, where i∈N, j∈N |

32 Decision variables

| Notation | Description |
|---|---|
|  | A defense configuration, including defense resources allocation and defending strategies on the ith service, i∈S |
| xi | 1 if node i is implemented with the decentralized information sharing system, and 0 otherwise, where i∈N |
| qij | The capacity of the direct link between node i and j, where i∈N, j∈N |

33 Objective function (IP 1)

34 Constraints
- Capacity constraint
- Integer constraint
(IP 1.1) (IP 1.2)

35 Constraints
- Defender's budget constraints
(IP 1.5)

36 Constraints
- Defender's budget constraints
(IP 1.6) (IP 1.7) (IP 1.8)

37 Constraints
- QoS constraints
  - QoS is a function of link utilization, core node loading, hops to core node, and affected traffic ratio.
  - At the end of the attack, the following constraint must be satisfied.
(IP 1.9)

38 Constraints
[Figure: plot with axes labelled QoS and Compromise times]

39 Constraints
- QoS constraints
  - The performance reduction caused by firewall reconfiguration should not make the current status violate IP 1.9.
  - The performance reduction caused by rate limiting should not make the current status violate IP 1.9.
  - The performance reduction caused by dynamic topology reconfiguration should not make the current status violate IP 1.9.
(IP 1.10) (IP 1.11) (IP 1.12)

40 Constraints
- QoS constraints
  - The negative effect caused by false positives should not make the current status violate IP 1.9.
  - The defender has to guarantee that at least one core node is not compromised at any time.
(IP 1.13) (IP 1.14)

41 Constraints
- Signature generation and distribution constraints
  - Only nodes that have deployed the decentralized information sharing system can be activated.
  - Signature generation and distribution can only be activated after an unknown worm is detected.
  - The signature generated by the system must achieve a confidence level before it can be distributed.
  - The total cost of generating and distributing signatures cannot exceed the dynamic defense budget. (A senior labmate said this needs to be discussed with the advisor.)
(IP 1.15) (IP 1.16) (IP 1.17)

42 Constraints
- Dynamic topology reconfiguration constraints
  - For each core node, when , the defender can activate this mechanism so that the core node can avoid being compromised or infected by worms.
  - Only nodes that have not yet been compromised can activate this mechanism.
(IP 1.18) (IP 1.19)

43 Constraints
- Rate limiting constraints
  - Only nodes that have deployed the decentralized information sharing system can enable the rate limiting mechanism.
  - Ai is the suspect traffic to node i, i∈N
- Path continuity constraint
  - A node is only subject to attack if a path exists from the attacker's position to that node, and all the intermediate nodes on the path have been compromised.
(IP 1.20) (IP 1.21) (IP 1.22)
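
The path continuity constraint on slide 43 can be evaluated mechanically to find which nodes a defender must currently treat as exposed. The following is an added example, not part of the original slides; the topology, the attacker-position label `ATT`, the core node set and the function names are constructed for illustration.

```python
from collections import deque

# Constructed sample topology (undirected adjacency lists); not from the slides.
# "ATT" is a hypothetical label for the attacker's position; "N" is a core node.
TOPOLOGY = {
    "ATT": ["A"],
    "A": ["ATT", "B", "C"],
    "B": ["A", "D"],
    "C": ["A", "D", "E"],
    "D": ["B", "C", "N"],
    "E": ["C"],
    "N": ["D"],
}
CORE_NODES = {"N"}


def attackable_nodes(topology, attacker_pos, compromised):
    """Return the uncompromised nodes reachable from attacker_pos by a path
    whose intermediate nodes are all compromised (path continuity)."""
    reached = {attacker_pos}          # attacker position plus connected compromised nodes
    queue = deque([attacker_pos])
    attackable = set()
    while queue:
        node = queue.popleft()
        for neighbour in topology.get(node, ()):
            if neighbour in reached:
                continue
            if neighbour in compromised:
                # The path may continue through a compromised node.
                reached.add(neighbour)
                queue.append(neighbour)
            else:
                # First uncompromised node on the path: subject to attack,
                # but the path cannot continue beyond it.
                attackable.add(neighbour)
    return attackable


def exposed_core_nodes(topology, attacker_pos, compromised, core_nodes):
    """Core nodes that are currently subject to attack."""
    return attackable_nodes(topology, attacker_pos, compromised) & set(core_nodes)


if __name__ == "__main__":
    for compromised in (set(), {"A"}, {"A", "D"}, {"A", "B", "D"}):
        print(sorted(compromised), "->",
              sorted(attackable_nodes(TOPOLOGY, "ATT", compromised)),
              "core exposed:",
              sorted(exposed_core_nodes(TOPOLOGY, "ATT", compromised, CORE_NODES)))
```

The case `{"A", "D"}` shows the constraint at work: D is compromised but not connected to the attacker through compromised nodes, so the core node N behind it is not yet subject to attack.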

44 Thanks for listening

