Post on 20-Jan-2018
Research Direction Introduction
Advisor: Frank, Yeong-Sung Lin
Presented by Hui-Yu, Chung
2011/11/22
Agenda
• Scenario Review
• Mathematical Formulation
Attack-Defense Scenario
• The goal of this research is to optimize system survivability
• Collaborative attack
– One commander who has a group of attackers
– Different attackers have different attributes
• Budget, Capability
– The commander has to decide his attack strategy at every round
• ex. # of attackers, resources used
Attacker attributes
• Attack mechanisms
– Compromising nodes
• The goal is to finally compromise core nodes, which reduces the QoS of those core nodes to below a certain level or steals sensitive information
– Worm injection
• The purpose is to get further topology information
• After a node is compromised, the commander will decide whether to inject worms
• The worm propagation model follows the two-factor model
Topology Structure
• Attackers attack the AS nodes with a direction from edge nodes to core nodes
• Several million hosts per AS node
• Some AS nodes are equipped with a decentralized information sharing system
• Along relatively low-cost paths
– Continuous constraint
Guangsen Zhang, Manish Parashar “Cooperative detection and protection against network attacks using decentralized information sharing” Cluster Comput (2010) Vol.13, pp. 67–86
Special Defense Resources
• Distributed information sharing system
– Signature generation & distribution → Detection
– Rate limiting → Mitigation
• Worm origin identification → Mitigation
– Worm propagation path identification
• Firewall reconfiguration → Mitigation
– Used on nodes without DISS
• Dynamic topology reconfiguration → Avoidance
– Disconnect or reconnect a link
Core Node Risk Level
• Dynamic Topology Reconfiguration
– Whether to use the topology reconfiguration defense strategy is determined by the risk level of the core nodes
– The lower the value of V_ij, the more endangered the core node
– HopsToCoreNode: the distance from one core node to the nearest node detected to be attacked
– maxHopsToCoreNode: the maximum number of hops from the attacker's starting position to one core node
– The lowest V_ij is saved as V_lowest

$$V_{ij} = w_1 \frac{\min\{HopsToCoreNode_{ij}\}}{maxHopsToCoreNode} + w_2 \frac{\min\{pathDefenseResource_{ij}\}}{maxPathDefenseResource} + w_3 \frac{maxLinkDegree - linkDegree_j}{maxLinkDegree}$$
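A worked computation of the risk level above, added here as an example and not code from the presentation: it computes V_ij for each core node of a small constructed topology after a detection alarm, using BFS for HopsToCoreNode, a Dijkstra pass for the least-defended path (paying the general defense resource of every node entered, an assumption), and the link-degree term. The topology, defense resources, weights w1..w3 and the risk threshold are all assumed values.

```python
from collections import deque
import heapq

# Constructed example topology (undirected AS-level graph), not from the slides.
TOPOLOGY = {
    "A": ["B", "C"], "B": ["A", "D"], "C": ["A", "D", "E"],
    "D": ["B", "C", "F"], "E": ["C", "F"], "F": ["D", "E"],
}
DEFENSE = {"A": 1, "B": 2, "C": 1, "D": 3, "E": 2, "F": 4}  # n_i per node (constructed)
CORE_NODES = {"D", "F"}
ATTACKER_START = {"A"}          # edge nodes where the attacker begins
WEIGHTS = (0.5, 0.3, 0.2)       # w1, w2, w3 (assumed values)
RISK_THRESHOLD = 0.3            # assumed: reconfigure when V_lowest falls to or below this


def hop_distances(topology, sources):
    """BFS hop count from the nearest node in `sources` to every node."""
    dist = {s: 0 for s in sources}
    queue = deque(sources)
    while queue:
        u = queue.popleft()
        for v in topology[u]:
            if v not in dist:
                dist[v] = dist[u] + 1
                queue.append(v)
    return dist


def min_path_defense(topology, defense, sources, target):
    """Dijkstra: least defense resource accumulated on a path from any source
    to `target`; the resource of every node entered is paid (assumption)."""
    best = {s: 0 for s in sources}
    heap = [(0, s) for s in sources]
    while heap:
        cost, u = heapq.heappop(heap)
        if u == target:
            return cost
        if cost > best[u]:
            continue
        for v in topology[u]:
            nc = cost + defense[v]
            if nc < best.get(v, float("inf")):
                best[v] = nc
                heapq.heappush(heap, (nc, v))
    return float("inf")


def risk_levels(topology, defense, core_nodes, detected,
                attacker_start=ATTACKER_START, weights=WEIGHTS):
    """V_ij for every core node given the set of nodes detected as attacked."""
    w1, w2, w3 = weights
    hops = hop_distances(topology, detected)
    max_hops = max(hop_distances(topology, attacker_start)[c] for c in core_nodes)
    max_path_defense = sum(defense.values())      # total defense resource
    max_degree = max(len(nbrs) for nbrs in topology.values())
    risk = {}
    for c in core_nodes:
        risk[c] = (w1 * hops[c] / max_hops
                   + w2 * min_path_defense(topology, defense, detected, c) / max_path_defense
                   + w3 * (max_degree - len(topology[c])) / max_degree)
    return risk


def lowest_risk(risk):
    """V_lowest and the core node it belongs to."""
    node = min(risk, key=risk.get)
    return node, risk[node]


def should_reconfigure(v_lowest, threshold=RISK_THRESHOLD):
    """Lower V means more danger, so reconfigure at or below the threshold."""
    return v_lowest <= threshold


if __name__ == "__main__":
    risk = risk_levels(TOPOLOGY, DEFENSE, CORE_NODES, detected={"C"})
    node, v = lowest_risk(risk)
    print(risk, "V_lowest at", node, "reconfigure:", should_reconfigure(v))
```

With the alarm on node C, core node D is one hop away on a weakly defended path and has the highest degree, so it receives the lowest V and is the one that triggers dynamic topology reconfiguration.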
Defending Costs
• Planning Phase:
– Node and link deployment
– General Defense Resources
– Special Defense Resources
• Defending Phase:
– Defending Costs
• When generating worm signatures

Negative Effect Caused by Special Defense Resources
• QoS damage:
– Firewall reconfiguration
– Rate Limiting
– Dynamic topology reconfiguration
• Resource consumption
– False positives of worm detection
Scenarios
[Scenario figure: example AS topology with nodes A to T. Legend: AS Node, Core AS Node, Firewall, Decentralized Information Sharing System, Attacker, Commander, Type I Worm, Detection alarm, Type II Worm, Dynamic topology reconfiguration, Firewall reconfiguration, Worm origin identification, Rate limiting]
Agenda
• Scenario Review
• Mathematical Formulation
Description
• Objective:
– To minimize the maximized service compromised probability
• Given:
– Total defense budget and attacker budget
– Each cost of constructing a defense or attack mechanism
– QoS requirement
• To be determined:
– Attack and defense strategies
– Attack and defense resource allocation scheme
Given Parameters
Notation : Description
N : The index set of all nodes
C : The index set of all core nodes
I : The index set of all possible attacker groups
L : The index set of all links
Q : The index set of all candidate nodes that are appropriate for deploying the distributed information sharing system
S : The index set of all types of services
α_i : The weight of the ith service, where i ∈ S
B : The defender's total budget
w : The cost of constructing one intermediate AS node
o : The cost of constructing one core node
d : The cost of deploying a distributed information sharing system to one node
E : All possible defense configurations, including defense resource allocation and defending strategies
Z : All possible attack configurations, including attackers' attributes, corresponding strategies and transition rules
F_i : The number of commanders targeting the ith service, where i ∈ S
Decision Variables
Notation : Description
D_i : A defense configuration, including defense resource allocation and defending strategies on the ith service, where i ∈ S
(attacker group) : The ith attacker group, including all of their attributes, where i ∈ I
A_ij(k) : An instance of attack configuration, including attackers' attributes, the commander's strategies and transition rules, in which the commander launches the jth attack on the ith service by commanding the kth attacker group, where i ∈ S, 1 ≤ j ≤ F_i, k ∈ I
T_ij(D_i, A_ij(k)) : 1 if the commander achieves his goal successfully, and 0 otherwise, where i ∈ S, 1 ≤ j ≤ F_i, k ∈ I
B_nodelink : The budget spent on constructing nodes and links
B_general : The budget spent for general defense resources
B_special : The budget spent for special defense resources
B_defending : The budget applied for the defending stage
e : The total number of intermediate AS nodes
n_i : The general defense resources allocated to node i, where i ∈ N
x_i : 1 if node i is equipped with the distributed information sharing system, and 0 otherwise, where i ∈ Q
q_ij : The capacity of the direct link between node i and node j, where i ∈ N, j ∈ N
g(q_ij) : The cost of constructing a link from node i to node j with capacity q_ij, where i ∈ N, j ∈ N

$$B_{nodelink} + B_{general} + B_{special} + B_{defending} \le B$$
Verbal Notations (1/2)
Notation : Description
G_i^core : Loading of each core node i, where i ∈ C
U_i^link : Link utilization of each link i, where i ∈ L
O_tocore : The number of hops legitimate users experience from one boundary node to the destination
I_e : Negative effect caused by applying dynamic topology reconfiguration
F_e : Negative effect caused by applying firewall reconfiguration
R_e : Negative effect caused by applying rate limiting
FP_e : Negative effect caused by false positives of worm detection
Y : The total number of attack events
W_threshold : The predefined threshold regarding quality of service
W_final : The level of quality of service at the end of an attack
W(·) : The value of quality of service, determined by G_i^core, U_j^link, O_tocore, I_e, F_e, R_e and FP_e, where i ∈ C, j ∈ L
Verbal Notations (2/2)
Notation : Description
defense_i : The defense resource of the shortest path from detected attacked nodes to core node i, divided by the total defense resource, where i ∈ C
hops_i : The minimum number of hops from detected attacked nodes to core node i, divided by the maximum number of hops from the attacker's starting position to one core node, where i ∈ C
degree_i : The link degree of core node i divided by the maximum link degree among all nodes in the topology, where i ∈ C
priority_is : The priority of service s provided by core node i, divided by the maximum service priority among core nodes in the topology, where i ∈ C and s ∈ S
threshold : The risk threshold of core nodes
(·) : The risk status of each core node, which is the aggregation of defense resource, number of hops, link degree and service priority
rate_out(A_i) : The output traffic rate of node i, where i ∈ N
rate_in(A_i) : The input traffic rate to node i, where i ∈ N
confidence : The limit ratio of traffic rate
Mathematical Formulation
• Objective function:

$$\min_{D_i} \max_{A_{ij}(k)} \frac{\sum_{i \in S} \alpha_i \sum_{j=1}^{F_i} T_{ij}(D_i, A_{ij}(k))}{\sum_{i \in S} \alpha_i F_i} \qquad \text{(IP 1)}$$

– Outer sum: over all kinds of services
– Inner sum: the attack results (0 or 1) for a certain service
– Denominator: total weighted # of commanders targeting service i
– Given a defense configuration, the commander maximizes the service compromised probability
– After the commander has maximized the attack success probability, the defender minimizes that attack success probability
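The min-max objective, evaluated on a constructed instance as an added example (not code from the presentation): the inner loop takes, for each commander, the best attack configuration against a fixed D_i, and the outer loop enumerates every assignment of a defense configuration to each service and keeps the one with the smallest worst-case value. Service weights, commander counts, the candidate configuration labels d1/d2 and a1/a2, and the 0/1 outcomes T_ij are all assumed.

```python
from itertools import product

# Constructed instance: two services, their weights alpha_i and commander counts F_i.
SERVICES = ("web", "dns")
ALPHA = {"web": 0.6, "dns": 0.4}
F = {"web": 2, "dns": 1}
DEFENSES = ("d1", "d2")     # candidate D_i drawn from E (assumed labels)
ATTACKS = ("a1", "a2")      # candidate A_ij(k) drawn from Z (assumed labels)

# T_ij(D_i, A_ij(k)) outcomes, constructed: 1 = commander j on service i succeeds.
OUTCOMES = {
    ("web", 1, "d1", "a1"): 1, ("web", 1, "d1", "a2"): 0,
    ("web", 1, "d2", "a1"): 0, ("web", 1, "d2", "a2"): 0,
    ("web", 2, "d1", "a1"): 0, ("web", 2, "d1", "a2"): 1,
    ("web", 2, "d2", "a1"): 1, ("web", 2, "d2", "a2"): 1,
    ("dns", 1, "d1", "a1"): 0, ("dns", 1, "d1", "a2"): 0,
    ("dns", 1, "d2", "a1"): 1, ("dns", 1, "d2", "a2"): 0,
}


def worst_case_successes(service, defense, outcomes=OUTCOMES, attacks=ATTACKS):
    """Inner max: each of the F_i commanders picks the attack configuration
    that works best against the fixed D_i; returns the number of successes."""
    return sum(max(outcomes[(service, j, defense, a)] for a in attacks)
               for j in range(1, F[service] + 1))


def compromised_probability(defense_choice, outcomes=OUTCOMES, attacks=ATTACKS):
    """Objective value of IP 1 for one defense choice {service: D_i}:
    weighted successful commanders over weighted total commanders."""
    numerator = sum(ALPHA[i] * worst_case_successes(i, defense_choice[i], outcomes, attacks)
                    for i in SERVICES)
    denominator = sum(ALPHA[i] * F[i] for i in SERVICES)
    return numerator / denominator


def minimax_defense(defenses=DEFENSES, outcomes=OUTCOMES, attacks=ATTACKS):
    """Outer min: enumerate every assignment of a D_i to each service and keep
    the one with the smallest worst-case compromised probability."""
    best_value, best_choice = None, None
    for combo in product(defenses, repeat=len(SERVICES)):
        choice = dict(zip(SERVICES, combo))
        value = compromised_probability(choice, outcomes, attacks)
        if best_value is None or value < best_value:
            best_value, best_choice = value, choice
    return best_value, best_choice


if __name__ == "__main__":
    value, choice = minimax_defense()
    print(f"min-max compromised probability = {value:.3f} with defense {choice}")
```

Because the objective is a weighted sum over services and the commander's choice for one service does not constrain another, the enumeration could be split per service; the full product is kept here so the min over D and the max over A stay visible as two separate steps.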
Mathematical Formulation
• Mathematical constraints:

$$D_i \in E, \quad \forall i \in S \qquad \text{(IP 1.1)}$$

$$A_{ij}(k) \in Z, \quad \forall i \in S,\ 1 \le j \le F_i,\ k \in I \qquad \text{(IP 1.2)}$$

$$B_{nodelink} \ge 0 \qquad \text{(IP 1.3)}$$

$$B_{general} \ge 0 \qquad \text{(IP 1.4)}$$

$$B_{special} \ge 0 \qquad \text{(IP 1.5)}$$

$$B_{defending} \ge 0 \qquad \text{(IP 1.6)}$$

$$\sum_{i \in N} n_i \le B_{general} \qquad \text{(IP 1.7)}$$

$$n_i \ge 0, \quad \forall i \in N \qquad \text{(IP 1.8)}$$
Mathematical Formulation
• Mathematical constraints:

$$w \cdot e \ge 0 \qquad \text{(IP 1.9)}$$

$$g(q_{ij}) \ge 0, \quad \forall i \in N,\ j \in N \qquad \text{(IP 1.10)}$$

$$B_{nodelink} + B_{general} + B_{special} + B_{defending} \le B \qquad \text{(IP 1.11)}$$

$$w \cdot e + o \cdot |C| + \frac{\sum_{i \in N} \sum_{j \in N} g(q_{ij})}{2} \le B_{nodelink} \qquad \text{(IP 1.12)}$$

$$\sum_{i \in N} x_i \cdot d \le B_{special} \qquad \text{(IP 1.13)}$$

$$q_{ij} \ge 0, \quad \forall i \in N,\ j \in N \qquad \text{(IP 1.14)}$$

$$x_i = 0 \text{ or } 1, \quad \forall i \in N \qquad \text{(IP 1.15)}$$
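A feasibility check for the planning-phase budget constraints, added as an example (not code from the presentation): it tests a candidate defense configuration against the non-negativity of the four budget parts, the split of the total budget B, the general-resource sum, the node/link construction cost (halving the double sum because each undirected link appears as both (i, j) and (j, i)), the binary x_i and the DISS deployment cost. The cost parameters, the linear g(q_ij), and both configurations are constructed values.

```python
# Given parameters (constructed values, not from the slides)
B = 100          # defender's total budget
W_COST = 5       # w: cost of constructing one intermediate AS node
O_COST = 12      # o: cost of constructing one core node
D_COST = 8       # d: cost of deploying the information sharing system on one node


def g(q):
    """g(q_ij): link construction cost; assumed linear in capacity."""
    return 2 * q


def check_planning_budget(cfg):
    """Return the list of violated planning-phase constraints (empty = feasible).
    cfg keys: budget (the four B_* parts), e, core_nodes, n (n_i), x (x_i), q (q_ij)."""
    v = []
    budget = cfg["budget"]
    for part in ("nodelink", "general", "special", "defending"):
        if budget[part] < 0:
            v.append(f"B_{part} must be non-negative")
    if sum(budget.values()) > B:                      # the four parts split B
        v.append("B_nodelink + B_general + B_special + B_defending exceeds B")
    if any(n < 0 for n in cfg["n"].values()):
        v.append("n_i must be non-negative")
    if sum(cfg["n"].values()) > budget["general"]:
        v.append("sum of n_i exceeds B_general")
    if any(q < 0 for q in cfg["q"].values()):
        v.append("q_ij must be non-negative")
    # every undirected link appears as (i, j) and (j, i), so the double sum is halved
    link_cost = sum(g(q) for q in cfg["q"].values()) / 2
    node_link_cost = W_COST * cfg["e"] + O_COST * len(cfg["core_nodes"]) + link_cost
    if node_link_cost > budget["nodelink"]:
        v.append(f"node/link cost {node_link_cost} exceeds B_nodelink")
    if any(x not in (0, 1) for x in cfg["x"].values()):
        v.append("x_i must be 0 or 1")
    if sum(x * D_COST for x in cfg["x"].values()) > budget["special"]:
        v.append("DISS deployment cost exceeds B_special")
    return v


# Constructed configurations: one that breaks three constraints, one corrected.
CAPACITIES = {("A", "B"): 5, ("B", "A"): 5, ("B", "C"): 5, ("C", "B"): 5}
INFEASIBLE = {
    "budget": {"nodelink": 60, "general": 10, "special": 16, "defending": 5},
    "e": 4, "core_nodes": {"C1", "C2"},
    "n": {"A": 3, "B": 4, "C": 2},
    "x": {"A": 1, "B": 2, "C": 1},      # x for B is not binary
    "q": CAPACITIES,
}
FEASIBLE = {**INFEASIBLE,
            "budget": {"nodelink": 65, "general": 10, "special": 16, "defending": 5},
            "x": {"A": 1, "B": 0, "C": 1}}

if __name__ == "__main__":
    print("infeasible:", check_planning_budget(INFEASIBLE))
    print("feasible:", check_planning_budget(FEASIBLE))
```

The infeasible configuration under-funds B_nodelink (4 intermediate nodes, 2 core nodes and two links cost 64), carries a non-binary x_i, and as a consequence of that x_i also overspends B_special; raising B_nodelink to 65 and restoring x_i ∈ {0, 1} removes all three findings while keeping the four parts within B.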
Mathematical Formulation
• Verbal constraints:

$$\big[\, W(G^{core}_i, U^{link}_j, O_{tocore}, I_e, F_e, R_e, FP_e) \ge W_{threshold} \,\big] = 1, \quad \forall y,\ 1 \le y \le Y, \text{ where } i \in C,\ j \in L \qquad \text{(IP 1.16)}$$

(IP 1.17) The performance reduction caused by compromised core nodes should not make the current status violate IP 1.16.
(IP 1.18) The performance reduction caused by firewall reconfiguration should not make the current status violate IP 1.16.
(IP 1.19) The performance reduction caused by rate limiting should not make the current status violate IP 1.16.
(IP 1.20) The performance reduction caused by dynamic topology reconfiguration should not make the current status violate IP 1.16.
(IP 1.21) The performance reduction caused by false positives of worm detection should not make the current status violate IP 1.16.
(IP 1.22) Legitimate users' QoS satisfaction should not make the current status violate IP 1.16.
Mathematical Formulation
• Verbal constraints:
(IP 1.23) For each service, there is at least one core node that survives to the end of an attack.
(IP 1.24) The level of quality of service at the end of an attack should not be lower than W_final.
(IP 1.25) Only nodes equipped with the distributed information sharing system are able to generate the signature.
(IP 1.26) Only nodes equipped with the distributed information sharing system are able to enable the rate limiting mechanism.
Mathematical Formulation
• Verbal constraints:
(IP 1.27) For each core node, when the risk status $(\,defense_i,\ hops_i,\ degree_i,\ priority_{is}\,)$ reaches $threshold$, where $i \in S$, the defender is able to activate dynamic topology reconfiguration to avoid the node being compromised.
(IP 1.28) Only surviving nodes are able to activate dynamic topology reconfiguration.
(IP 1.29) The signature generating and distributing process is activated if the confidence level exceeds a certain threshold.
(IP 1.30) $rate_{out}(A_i) \le rate_{in}(A_i) \cdot confidence$
(IP 1.31) A node is subject to attack only if a path exists from the attacker's position to that node, and all the intermediate nodes on the path have been compromised.
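The verbal constraints on this slide and the previous one, expressed as executable checks in an added example (not code from the presentation): which nodes are attackable given the set of compromised nodes (a path from the attacker's position whose intermediate nodes are all compromised), which nodes may generate signatures or rate-limit (only those with the information sharing system), the output-rate cap, and which core nodes may trigger dynamic topology reconfiguration (surviving nodes only). The topology, the DISS deployment, the detection-confidence threshold, the rate-limit ratio and the risk threshold are assumed; the risk value is taken as an input so that the lower-is-more-dangerous convention of the risk slide applies.

```python
from collections import deque

# Constructed topology and deployment, not from the slides.
TOPOLOGY = {
    "A": ["B", "C"], "B": ["A", "D"], "C": ["A", "D", "E"],
    "D": ["B", "C", "F"], "E": ["C", "F"], "F": ["D", "E"],
}
DISS_NODES = {"C", "F"}           # nodes with x_i = 1
SIGNATURE_CONFIDENCE = 0.8        # assumed detection-confidence threshold for signatures
RATE_LIMIT_RATIO = 0.5            # `confidence`: limit ratio of traffic rate (assumed)
RISK_THRESHOLD = 0.3              # assumed risk threshold of core nodes


def attackable_nodes(topology, attacker_position, compromised):
    """Nodes the commander may attack next: walk only through compromised
    nodes starting at the attacker's position; the uncompromised neighbours
    of that walk are the only nodes reachable over a fully compromised path."""
    reached = {attacker_position}
    queue = deque([attacker_position])
    while queue:
        u = queue.popleft()
        for v in topology[u]:
            if v in compromised and v not in reached:
                reached.add(v)
                queue.append(v)
    frontier = {v for u in reached for v in topology[u]}
    return frontier - compromised - {attacker_position}


def can_generate_signature(node, detection_confidence):
    """Only a DISS node, and only once detection confidence exceeds the
    threshold, starts signature generation and distribution."""
    return node in DISS_NODES and detection_confidence > SIGNATURE_CONFIDENCE


def rate_limited_output(node, rate_in):
    """A DISS node caps its output at rate_in * confidence; a node without
    DISS cannot rate-limit, so its output equals its input (design choice)."""
    if node not in DISS_NODES:
        return rate_in
    return rate_in * RATE_LIMIT_RATIO


def can_reconfigure_topology(node, risk_value, survived):
    """A surviving core node whose risk value has fallen to the threshold
    (lower value = more danger) may disconnect or reconnect links."""
    return survived and risk_value <= RISK_THRESHOLD


if __name__ == "__main__":
    print("attackable from A with {B} compromised:", attackable_nodes(TOPOLOGY, "A", {"B"}))
    print("attackable from A with {D} compromised:", attackable_nodes(TOPOLOGY, "A", {"D"}))
    print("F limits 100 ->", rate_limited_output("F", 100.0))
```

The second attackable-set call shows the path condition at work: with only D compromised and B and C still intact, D does not extend the attacker's reach, so only the nodes adjacent to the attacker's own position remain attackable.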
~THANKS FOR YOUR ATTENTION~