1. Advisor: Yeong-Sung Lin Presented by I-Ju Shih 2011/11/29 1 Defender Message Strategies to Maximize Network Survivability for Multi-Stage Defense Resource Allocation under Incomplete Information 考量不完全資訊情況下多階段防禦資源分配 以最大化網路存活度之防禦者訊息策略

2. Agenda 2011/11/29 2 Problem Description Problem Formulation

3. Problem Description 2011/11/29 3

4. Defender versus Attacker 2011/11/29 4 DefenderAttacker Defender’s information 1. Common knowledgeThe information was known to both. 2. Defender’s private information (ex. node’s type, and network topology) The defender knew all of it. The attacker knew a part of it. 3. The defender’s other information (ex. system vulnerabilities) The defender did not know it before the game started. The attacker knew a part of it.

5. Defender versus Attacker 2011/11/29 5 DefenderAttacker Budget1. Based on the importance of node Defense.Attack. 2. On each nodeReleasing message.Updating information. 3. Reallocated or recycledYes. But the defender with extra cost. No. 4. RewardNo.Yes. If the attacker compromised a node, the node’s resource could be controlled by the attacker before the defender had not repaired it yet. 5. Repaired nodeYes.No. 6. Resource accumulationYes. But the resource needed to be discounted.

6. Defender versus Attacker 2011/11/29 6 DefenderAttacker Immune benefit Yes. The defender could update information about system vulnerabilities after attacks or do penetration test to patch system vulnerabilities. No. RationalityFull or bounded rationality.

7. Objective 2011/11/29 7 The network survivability is measured by ADOD. The game has two players: an attacker (he, A) and a defender (she, D). Defender Objective - minimize the damage of the network (ADOD). Budget Constraint -  deploying the defense budget in nodes  repairing the compromised node  releasing message in nodes  patching system vulnerabilities Attacker Objective - maximize the damage of the network (ADOD). Budget Constraint –  deploying the attack budget in nodes  updating information

8. Defender’s information 2011/11/29 8 The defender had private information, including each node’s type and network topology. There were two types (lower or higher valuation) of nodes and each node’s prior belief in the first round was common knowledge. The attack success probability of node i = The probability of node i belonged to type 1 * The attack success probability of node i belonged to type 1 + The probability of node i belonged to type 2 * The attack success probability of node i belonged to type 2

9. Defender’s information 2011/11/29 9

10. Defender’s action 2011/11/29 10 In each round, the defender moves first, determines strategy and chooses message which may be truth, secrecy, deception or doing nothing at all to each node.

11. Message releasing 2011/11/29 11 Message releasing could be classified into two situations.  A node’s information could be divided into different parts to release message by the defender.  The defender could release a node’s defensive state as a message to the attacker.

12. Message releasing- type 1 2011/11/29 12 The defender could choose a part of information from a node according to his strategy to release truthful message, deceptive message and secrecy or do nothing at all.

13. Message releasing- type 2 2011/11/29 13 The defender released a node’s defensive state as a message, which was truth, deception, secrecy or doing nothing at all to each node as a mixed strategy.

14. Message releasing 2011/11/29 14 The defender chooses : Cost:Deceptive message > Secrecy > Truthful message > doing nothing at all 1.Doing nothing at all if and only if does not publicize information/defense. 2.Truthful message if and only if the public message = actual information/defense. 3.Secrecy if and only if the message is secret. 4.Deceptive message if and only if the message ≠ actual information/defense.

15. The effect of deception/secrecy 2011/11/29 15 The effect of deception or secrecy would be discounted if the attacker knew defender’s partial private information.

16. The effect of deception/secrecy 2011/11/29 16 The effect of deception or secrecy would be zero if the attacker knew something that the defender did not know.

17. Immune benefit 17 Although the attacker knew something that the defender did not know, the defender could update information after observing the result of each round’s contest. Or the defender used resources doing penetration test to patch system vulnerabilities. After the defender updated information, she had immune benefit which meant that the attacker was unable to use identical attack.

18. Defender’s resources 2011/11/29 18 From the view of the defender, the budget could be reallocated or recycled but the discount factor was also considered. Besides, the compromised nodes could be repaired. The defender could accumulate resources to decrease attack success probability to defend network nodes in next time. Defense resource on node i Defender Recycled Reallocated

19. Attacker’s information 2011/11/29 19 The attacker knew only partial network topology. The attacker could update information after observing the result of each round’s contest.

20. Attacker’s resources 2011/11/29 20 The attacker could accumulate experience to increase attack success probability to compromise network nodes in next time. The attacker could increase resources when the attacker compromised network nodes, before the defender had not repaired the nodes yet.

21. Network topology 2011/11/29 21 We considered a complex system with n nodes in series-parallel. A node consisted of M components which might be different component or the same. (M ≥ 1)

22. Network topology 2011/11/29 22 A node’s composition could be classified into two types.  A node with backup component  A k-out-of-m node

23. Network topology 2011/11/29 23 The relationship between nodes could be classified into three types.  Independence A node could function solely.  Dependence When a node was destroyed, the nodes dependent on the destroyed node would not operate normally.  Interdependence When a node was destroyed, the node interdependent on the destroyed node would not operate normally and vice versa.

24. 2011/11/29 24

25. Problem Formulation 2011/11/29 25

26. Given 2011/11/29 26 The total budget of network defender. The total budget of cyber attacker. Both the defender and the attacker have incomplete information about each other.

27. Objective 2011/11/29 27 Minimize the maximum damage degree of network (ADOD).

28. Subject to 2011/11/29 28 The total budget constraint of network defender. The total budget constraint of cyber attacker.

29. To determine 2011/11/29 29 The attacker How to allocate attack budget to each node and whether to use the system vulnerabilities of node i to attack node i in each round. The defender How to allocate defense budget and determine which message strategy would use to each node in each round. Whether to repair the compromised node in each round. Whether to patch or using penetration test to patch system vulnerabilities to each node in each round. Whether to reallocate or recycle nodes’ resource in each round.

30. Given parameter 2011/11/29 30

31. Given parameter 2011/11/29 31

32. Given parameter 2011/11/29 32

33. Given parameter 2011/11/29 33

34. Decision variable 2011/11/29 34

35. Decision variable 2011/11/29 35

36. Decision variable 2011/11/29 36

37. Objective function 2011/11/29 37

38. Subject to 2011/11/29 38

39. Subject to 2011/11/29 39

40. Subject to 2011/11/29 40

41. Subject to 2011/11/29 41

42. Subject to 2011/11/29 42

43. Thanks for your listening. 2011/11/29 43