
1 Effective Network Planning and Defending Strategies to Minimize Service Compromised Probability under Malicious Collaborative Attacks
Advisor: Professor Frank, Y.S. Lin
Presented by Chi-Hsiang Chan

2 Agenda
- Problem Description
- Mathematical Formulation


4 Problem Description
- Network survivability
- Collaborative attack: commander, attacker group
- Various defense mechanisms: VMM, IDS, dynamic topology reconfiguration, cloud security service

5 Attacker View
- Commander: budget, number of attackers (attacker group), goal (service disruption, stealing information), aggressiveness
- Attacker: energy, capability, harmonization, initial location

6 Per Hop Decision (Attack Event)
- Period decision: early stage, late stage
- Choose target nodes: compromise -> risk avoidance; pretend to attack -> risk tolerance
- Choose ideal attackers

7 Period
- N: the total number of nodes in the defense network
- F: the total number of nodes visible to the attacker, including compromised nodes and next-hop nodes

8 Period

9 Number of Target Nodes
- M: number of candidate nodes to compromise
- Success Rate (SR) = risk-avoidance compromises / risk-avoidance attacks
- Number of target nodes ≤ number of attackers able to launch an attack

10 Selecting Criteria

11 Early stage / Late stage; Risk Avoidance / Risk Tolerance

12 Selecting Criteria

13 Choose Ideal Attackers
- Number of attackers: collaborative attack on the nodes that have a higher score; risk tolerance -> do not attack collaboratively
- Who launches the attack: set an energy threshold to define risk avoidance and risk tolerance

14 Example
Score  Node  Probability of being chosen
100    D     100/(100+90+87)
90     E     90/(100+90+87)
87     G     87/(100+90+87)
60     B     (attacked by one attacker)
50     A     (attacked by one attacker)
36     C     (not attacked)
Threshold to attack: 50; threshold to attack collaboratively: 70
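The scoring rule of slides 9, 13 and 14 as an added Python example (not code from the presentation): it models the simulated commander that the planner evaluates a defense configuration against, splitting scored nodes into collaborative, single-attacker and skipped tiers and capping targets by the attackers available. Assumed here: both thresholds are inclusive, a collaborative target is drawn with probability proportional to its score, and a collaborative attack consumes two attackers.

```python
"""Target-selection tiers from slide 14 with the slide 9 cap; added example,
with the threshold inclusivity and the two-attacker collaborative cost assumed."""
import random
from dataclasses import dataclass

ATTACK_THRESHOLD = 50          # slide 14: score >= 50 is attacked by one attacker
COLLABORATIVE_THRESHOLD = 70   # slide 14: score >= 70 is a collaborative candidate


@dataclass
class TargetPlan:
    collaborative: dict   # node -> probability of being chosen (sums to 1)
    single: list          # nodes attacked by a single attacker
    skipped: list         # nodes below the attack threshold


def classify_targets(scores, attack_threshold=ATTACK_THRESHOLD,
                     collab_threshold=COLLABORATIVE_THRESHOLD):
    """Split scored nodes into the three tiers of the slide 14 table."""
    collab = {n: s for n, s in scores.items() if s >= collab_threshold}
    total = sum(collab.values())
    probs = {n: s / total for n, s in collab.items()} if total else {}
    single = [n for n, s in scores.items() if attack_threshold <= s < collab_threshold]
    skipped = [n for n, s in scores.items() if s < attack_threshold]
    return TargetPlan(probs, single, skipped)


def pick_targets(scores, attackers_available, rng=None, collab_size=2):
    """Targets for one hop: at most one collaborative target drawn by its
    probability, then single-attacker targets by descending score, never
    exceeding the attackers able to launch (slide 9 cap)."""
    if rng is None:
        rng = random.Random(0)      # fixed seed so the example is reproducible
    plan = classify_targets(scores)
    chosen = []
    if plan.collaborative and attackers_available >= collab_size:
        nodes = list(plan.collaborative)
        weights = [plan.collaborative[n] for n in nodes]
        chosen.append(rng.choices(nodes, weights=weights)[0])
        attackers_available -= collab_size
    for node in sorted(plan.single, key=scores.get, reverse=True):
        if attackers_available <= 0:
            break
        chosen.append(node)
        attackers_available -= 1
    return chosen


# Constructed scores reproducing the slide 14 table.
SLIDE14_SCORES = {"D": 100, "E": 90, "G": 87, "B": 60, "A": 50, "C": 36}
```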

15 Attacker View
- Attack
  - Given: commander's goal (steal information, service disruption), commander's budget, number of attackers, attacker's capability, initial location, harmonization
  - To be determined: budget for buying attacking tools and launching the attack
- Attack event (attack one node)
  - Given: attackers' energy
  - To be determined: commander's aggressiveness, which attacker launches the attack, which node is attacked, cost of attacking, collaborative attack or not, maximum time threshold for compromising a target node

16 Defender View
- Attack
  - Given: unit cost of constructing topology and defense mechanisms, service priority
  - To be determined: topology and initial defense resource allocation, budget for constructing topology and defense resources
- Attack event
  - Given: general defense resource and special defense resource on each node
  - To be determined: activating special defense mechanisms or not

17 Compromise One Node (figure: Harmonization → v_ij → … → T; Aggressiveness)

18 Agenda
- Problem Description
- Mathematical Formulation

19 Mathematical Formulation
- Objective: minimize the maximized service compromised probability
- Given: attacker's and defender's total budgets, cost of constructing topology and defending resources, QoS requirement
- To be determined: attack and defense configurations, budget spent on each defending mechanism

20 Assumptions
1. All attack events are atomic operations.
2. There are multiple core nodes and services in the network.
3. Each core node can provide only one specific service.
4. Each service has a different weight, which is determined by the defender.
5. There is an SOC with full control of the network.
6. The defender has complete information of the network and can allocate resources or adopt defense solutions through the SOC.
7. Commanders have only incomplete information about the network.
8. Only nodes with VMM-IPS have the local defense function.
9. Only nodes with VMM-IPS have the signature request function.
10. Only nodes with a cloud security agent have the cloud security function.

21 Given Parameters - Index Set
- N: the index set of all nodes
- C: the index set of all core nodes
- L: the index set of all links
- M: the index set of all levels of virtual machine monitors (VMMs)
- H: the index set of all levels of cloud security service
- S: the index set of all kinds of services
- Q: the index set of all candidate nodes equipped with a cloud security agent

22 Given Parameters - Cost
- B: the defender's total budget
- w: the cost of constructing one intermediate node
- o: the cost of constructing one core node
- p: the cost of each virtual machine (VM)
- c: the cost of setting a cloud security agent on one node

23 Given Parameters - Attacker
- F_i: the number of commanders targeting the i-th service, where i ∈ S
- u_ij: the number of attacker subordinates in the attack group launching the j-th attack on service i, where i ∈ S, 1 ≤ j ≤ F_i
- v_ij: the degree of collaboration of the attack group launching the j-th attack on service i, which affects the effectiveness of synergy, where i ∈ S, 1 ≤ j ≤ F_i

24 Given Parameters - QoS, Risk Level
- W_threshold: the predefined threshold on QoS
- The link degree of core node k divided by the maximum link degree among all nodes in the topology, where k ∈ C
- The priority of service i provided by core node k divided by the maximum service priority among core nodes in the topology, where i ∈ S, k ∈ C
- The risk threshold of core node k, where k ∈ C

25 Given Parameters
- k_p: the maximum number of virtual machines on VMM level p, where p ∈ M
- α_i: the weight of the i-th service, where i ∈ S
- d: the ratio of defense strengthening on VMs and the VMM when local defense is activated
- r_q: the ratio of defense strengthening when using cloud security service level q, where q ∈ H
- E: all possible defense configurations, including defense resource allocations and defending strategies
- Z: all possible attacker categories, including attacker attributes, corresponding strategies and transition rules
- t_fail: maximum time threshold to compromise the network

26 Decision Variables
- A defense configuration, including defense resource allocation and defending strategies for the i-th service, where i ∈ S
- An instance of an attack configuration, including the attacker's attributes, the commander's strategies and transition rules, for the commander launching the j-th attack on the i-th service, where i ∈ S, 1 ≤ j ≤ F_i
- 1 if the commander achieves his goal successfully, and 0 otherwise, where i ∈ S, 1 ≤ j ≤ F_i
- Maximum time threshold to compromise node k

27 Decision Variables
- n_k: the non-deception-based defense resource allocated to node k, where k ∈ N
- e: the total number of intermediate nodes
- q_kl: the capacity of the direct link between nodes k and l, where k, l ∈ N
- g(q_kl): the cost of constructing a link from node k to node l with capacity q_kl, where k, l ∈ N
- l_p: the number of VMs equipped on a level-p VMM, where p ∈ M
- v(l_p): the cost of a VMM of level p with l_p VMs, where p ∈ M
- x_k: 1 if node k is equipped with a cloud security agent, and 0 otherwise, where k ∈ N

28 Decision Variables
- B_nodelink: the budget spent on constructing nodes and links
- B_general: the budget spent on allocating general defense resources
- B_special: the budget spent on deploying special defense resources
- B_virtualization: the budget spent on virtualization
- B_cloudagent: the budget spent on deploying cloud agents
- B_defending: the budget applied in the defending stage

29 Verbal Notation - QoS
- Y: the total number of attack events
- Loading of each core node k, where k ∈ C
- Link utilization of each link m, where m ∈ L
- K_effect: negative effect caused by applying fallacious signatures
- I_effect: negative effect caused by applying dynamic topology reconfiguration
- J_effect: negative effect caused by false positives while applying local defense
- P_effect: negative effect caused by fallacious diagnosis of the cloud security service
- O_tocore: the number of hops legitimate users experience from a boundary node to the core nodes
- The value of QoS, determined by core node loading, link utilization, K_effect, I_effect, J_effect and O_tocore, where k ∈ C, m ∈ L
- W_final: the QoS level at the end of the attack

30 Verbal Notation - Risk Level
- The defense resource on the shortest path from detected attacked nodes to core node k divided by the total defense resource, where k ∈ C
- The minimum number of hops from detected attacked nodes to core node k divided by the maximum number of hops from the attacker's starting position to core node k, where k ∈ C
- The risk status of core node k, which is an aggregation of the quantities above, where i ∈ S, k ∈ C

31 Objective Function (IP 1)

32 Math Constraints
Budget constraints (IP 1.1)–(IP 1.6):
- B_nodelink ≥ 0
- B_general ≥ 0
- B_special ≥ 0
- B_defending ≥ 0

33 Math Constraints
Constraints for topology construction (IP 1.7)–(IP 1.10):
- q_kl ≥ 0
- g(q_kl) ≥ 0
- w × e ≥ 0

34 Math Constraints
Constraints for general defense resource (IP 1.11)–(IP 1.12):
- n_k ≥ 0
Constraints for cloud security agent (IP 1.13)–(IP 1.14):
- x_k = 0 or 1

35 Math Constraints
Constraints for virtualization (IP 1.15)–(IP 1.19):
- v(l_p) ≥ 0
- 0 < l_p < k_p
- B_virtualization + B_cloudagent ≤ B_special
- B_nodelink + B_general + B_special + B_defending ≤ B

36 Verbal Constraints
- The performance reduction caused by compromised core nodes, activating dynamic topology reconfiguration, local defense, cloud security, or applying fallacious signatures should not make legitimate users' QoS satisfaction violate IP 1.20. (IP 1.20)
- At the end of an attack, W_final ≥ W_threshold. (IP 1.21)
- All the defense strategies are adopted only if the risk levels are lower than a predefined threshold, where i ∈ S. (IP 1.22), (IP 1.23)

37 Thanks for Your Listening

