National Taiwan University Master Thesis (oplab.im.ntu.edu.tw/download/Thesis/95/R94725021.pdf)

Graduate Institute of Information Management, College of Management

National Taiwan University

Master Thesis

Maximization of Network Survival Time upon Intelligent and Malicious Attacks

Franson, Chun-Wei Chen

Advisor: Frank, Yeong-Sung Lin, Ph.D.

July, 2007


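Acknowledgements

Graduate student life has flown by. I still remember how lost and naive I felt when I had just graduated from university; after these two years of study and tempering, I have grown stronger in spirit and in mind. If the purpose of university is to learn how to learn, then graduate school is where one cultivates the attitude of scholarship, and these two years have been the stage of my student life in which I put in the most effort and also gained the most.

First, I would like to thank my advisor, Dr. Yeong-Sung Lin, who gave me the most help and encouragement during this time. Besides the unparalleled support you gave me in supervising this thesis, what matters even more is your example as a scholar; under your guidance I came to understand and build the spirit of research. Beyond academic research, you also helped me a great deal in how to deal with people, so that I could further improve my attitude and conduct in getting along with others. In addition, I am grateful to Director 孫雅麗 and Professors 呂俊賢, 祝國忠 and 顏宏旭 for the many comments and suggestions they offered during the oral defense, which made this thesis more complete.

I thank the doctoral students 佩玲, 國維, 演福, 政達, 柏皓, 俊甫, 明宗 and 建璋 for their encouragement over these two years. Special thanks go to 柏皓: together with our advisor you led me into the field of information security, and your experience and sharing drew me deeper into it. Whenever I most needed help, no matter how busy you were or how much pressure you were under, you never hesitated to lend a hand. I thank 中蓮, who graduated last year, for the guidance she gave me when I first entered the institute, which let me get up to speed quickly; and I thank 義倫, 弘翕, 文政, 勇誠, 孝穎 and 建宏 for their help and advice on the thesis and in life. I thank the partners who worked alongside me, 岦毅, 承賓, 坤道, 翊恆, 雅芳 and 怡孜. I will always remember staying up all night in the lab with 岦毅 and 承賓 and going to McDonald's in the morning, the big shopping trips to Costco with 岦毅, 承賓's main program architecture, 坤道's help with programming and algorithms, 翊恆's guidance in English, the gossip from 雅芳 that made our lives more fun, and the afternoon-tea cakes from 怡孜. Thanks also to the first-year students 奐庭, 志浩, 志元, 政佑 and 孜謙; thank you for your help, which let me complete my oral defense smoothly.

In addition, I thank 方毓 for constantly giving me support and encouragement over these two years, for bringing me laughter when I was nervous or in a bad mood, for reminding me when I was slack, and for comforting me when I was sad, so that I could get through one hurdle and low point after another, and for accompanying me through this special time. I thank 小豆干 for the joy given to me in the final stretch, and I also thank everyone who cares about 豆干 for their tolerance and for the help they provided.

Most important of all, I thank my parents, Mr. 陳文標 and Ms. 張淑美. Your endless love and tolerance have let me go through life without worries. Even though I have disappointed you at times, your support and encouragement gave me the courage to stand up again and climb higher. Thank you for your care, support and understanding.

Finally, I thank all the relatives, teachers, classmates and friends who have cared about, encouraged, supported and helped me along the way. Thank you.

Chun-Wei Chen

Graduate Institute of Information Management, National Taiwan University

July 2007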


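Thesis Abstract (Chinese)

Thesis title: Maximization of Network Survival Time upon Intelligent and Malicious Attacks

Author: Chun-Wei Chen, July 2007

Advisor: Yeong-Sung Lin, Ph.D.

No information system is completely secure. Experienced attackers can choose the most suitable among a wide variety of attack methods, including exploiting staff abuse, system vulnerabilities, dictionary attacks, and even brute force attacks, to intrude into and damage a system. Therefore, network administrators need to devise effective defense strategies so that the survival time of important systems or hosts in the network is prolonged when they are attacked, giving administrators more time to respond to malicious network attacks.

In this thesis, we consider the problem of maximizing the survival time of a target node under intelligent and malicious attacks, where the time for an attacker to compromise a node in the network is a function of the defense resources allocated to that node. The problem can be formulated as a min-max bi-level integer programming problem. The inner maximization problem represents the attacker, under a fixed time and a given defense resource allocation strategy, determining the best attack path to the target node so as to achieve the maximum success probability; the outer minimization problem represents the network administrator adjusting the defense resource allocation strategy so as to minimize the attacker's success probability. We also extend the problem to consider the effect of the experience the attacker accumulates during the attack. We assume that a discount factor is obtained each time a node is compromised, and that this factor affects the function relating the attacker's subsequent compromise time for nodes in the network to the defense resources. This thesis develops algorithms based on two basic methods, Lagrangean relaxation and the subgradient method, and uses computational experiments to evaluate the efficiency and effectiveness of the algorithms.

Keywords: Defense Resource Allocation Strategy, Information Security, Network Attack and Defense, Survival Time, Lagrangean Relaxation Method, Optimization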


Thesis Abstract

GRADUATE INSTITUTE OF INFORMATION MANAGEMENT

NATIONAL TAIWAN UNIVERSITY

NAME: FRANSON, CHUN-WEI CHEN MONTH/YEAR: JULY/2007

ADVISOR: FRANK, YEONG-SUNG LIN, Ph.D.

Maximization of Network Survival Time upon Intelligent and Malicious Attacks

No information system in a network is absolutely secure. Sophisticated attackers may adopt various types of hacking techniques, such as staff abuses, system vulnerabilities, dictionary attacks, or brute force attacks, to penetrate and damage the system. Therefore, it is essential that effective defense strategies be devised by network administrators to maximize the survival time of critical/core components in networks upon attacks so as to achieve the longest response time.

In this thesis, the problem of maximization of the core node survival time upon intelligent and malicious attacks is considered. The time for an attacker to compromise a node in the network is considered as a random variable, of which the associated CDF is assumed to be a function of the allocated defense resource. The problem is formulated as a mini-max integer programming problem, where the inner (maximization) problem is for the attacker to determine an optimal attack path to the core node so as to maximize his/her success probability under a given time constraint and a given defense resource allocation policy, while the outer (minimization) problem is for the network administrator to adjust his/her defense resource allocation policies so as to minimize the success probability of the attacker. The basic approach to the algorithm development is Lagrangean relaxation and the subgradient method. The efficiency and effectiveness of the proposed algorithms will be evaluated by computational experiments.

Key Words: Defense Resource Allocation Strategy, Information Security, Network Attack and Defense, Survival Time, Lagrangean Relaxation Method, Optimization.


Table of Contents

Acknowledgements
Thesis Abstract (Chinese)
Table of Contents
List of Figures
Chapter 1 Introduction
1.1 Background
1.2 Motivation
1.3 Literature Survey
1.3.1 Survival Time
1.3.2 Offense and Defense Strategies
1.4 Proposed Approach
1.5 Thesis Organization
Chapter 2 Problem Formulation
2.1 Problem Description and Assumption
2.2 Notations
2.3 Problem Formulation
2.4 Problem Reformulation
Chapter 3 Solution Approach
3.1 Lagrangean Relaxation Method
3.2 Solution Approach
3.3 Lagrangean Relaxation
3.4 The Dual Problem and the Subgradient Method
3.5 Getting Primal Feasible Solution
Chapter 4 Computational Experiments
4.1 Simple Algorithms
4.2 Experiment Environment
4.3 Experiment Results
4.4 Discussion of Results
Chapter 5 Conclusion and Future Work
5.1 Conclusion
5.2 Future Work
Reference


List of Tables

Table 2 - 1 Problem Assumptions and Description
Table 2 - 2 P-function
Table 3 - 1 Heuristic for the Model
Table 4 - 1 Experiment Parameter Settings
Table 4 - 2 Experiment Results of Grid Network ( |N| = 9 )
Table 4 - 3 Experiment Results of Random Network ( |N| = 9 )
Table 4 - 4 Experiment Results with 30 unit Budget ( |N| = 25 )


List of Figures

Figure 1 - 1 Type of Attackers or Misuse Detected in the Last 12 Months
Figure 1 - 2 Percentage of Targeted Attack by E-mail
Figure 1 - 3 Monthly Survival Time
Figure 2 - 1 The pdf of Compromise probability
Figure 2 - 2 The cpf of Compromise probability
Figure 2 - 3 Initial State
Figure 2 - 4 Different Probability Distribution
Figure 2 - 5 Choosing a Target
Figure 2 - 6 Continued Selecting
Figure 2 - 7 Post-choosing Network State
Figure 2 - 8 Selected Nodes and Links
Figure 2 - 9 Attack Path
Figure 2 - 10 Detection Rate for Different Security Softwares
Figure 2 - 11 μ-function
Figure 2 - 12 σ²-function
Figure 3 - 1 Concepts of the Lagrangean Relaxation Method
Figure 3 - 2 The Lagrangean Relaxation Procedure
Figure 4 - 1 Compromise Probability of the Grid Network with 20 Budget (|N|=9)
Figure 4 - 2 Compromise Probability of the Grid Network with 25 Budget (|N|=9)
Figure 4 - 3 Compromise Probability of the Grid Network with 30 Budget (|N|=9)
Figure 4 - 4 Compromise Probability of the Grid Network with Different Budget (|N|=9)
Figure 4 - 5 Compromise Probability of the Grid Network with Different Topology Size (30 Budget)
Figure 4 - 6 Compromise Probability of the Random Network with 5 Budget (|N|=9)
Figure 4 - 7 Compromise Probability of the Random Network with 10 Budget (|N|=9)
Figure 4 - 8 Compromise Probability of the Random Network with 15 Budget (|N|=9)
Figure 4 - 9 Compromise Probability of the Random Network with 20 Budget (|N|=9)
Figure 4 - 10 Compromise Probability of the Random Network with Different Budget (|N|=9)
Figure 4 - 11 Compromise Probability of the Random Network with Different Topology Size (30 Budget)
Figure 4 - 12 Compromise Probability of with Different Budget and Topologies (|N|=9)
Figure 5 - 1 The Survival Time of UNIX and Windows system


Chapter 1 Introduction

1.1 Background

The Internet has become part of our lives. As computers and networks grow more and more important, they also bring us various threats such as viruses, worms, Trojan horses, and spyware. Many kinds of information security equipment, such as anti-virus applications, firewall systems, Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), and Unified Threat Management (UTM) systems, have been developed. However, none of them is secure enough. Attackers can use a variety of skills and exploit vulnerabilities in this equipment to penetrate it, so that the computers behind it are compromised. All the attackers need is to spend enough resources against the equipment.

The Trend of Attack and Misuse

In the past, most attackers used tools to scan equipment on the network widely, discover vulnerabilities and target those weaknesses, or launched violent Denial-of-Service (DoS) attacks. As information security techniques have been enhanced, many kinds of security software and hardware (e.g. anti-virus applications, firewall systems, IDSs) have become better and better. At the same time, content inspection and destination address filtering mechanisms have decreased the number of security incidents, including insider abuse of network access permission and unauthorized access to information.

According to the CSI/FBI Computer Crime and Security Survey (2006) [1], the success probability of traditional attacks has descended sharply, as shown in Figure 1-1 [1]. For viruses, the probability was up to 90% in 2001, but it dropped year by year and was only about 65% by 2006. Insider abuse of network access causing serious damage fell steeply from 97% in 1999 to 42% in 2006. For unauthorized access to information, the success rate was only 32% in 2006, down from 71% in 2000. DoS attacks were up to 42% in 2003 and declined to 25% in 2006. The defense mechanisms mentioned above decreased the probability and forced attackers to change the way they attack.

Figure 1 - 1 Type of Attackers or Misuse Detected in the Last 12 Months


New Kind of Attack

Most security threats today are aimed at financial reward, and this kind of malicious attack always focuses on particular enterprises and their staff, or on special groups of users. For example, an attacker might pretend to be the boss of a well-known company and send an e-mail with malicious software (malware) to the secretary, who would open it without suspicion, and then the attacker could access everything he/she wants. Unlike past attacks, which were launched randomly and widely, today’s attacks combine several kinds of malware, such as Trojan horses, backdoors, spyware, and rootkits, and send an e-mail or some malicious applets to the target. Furthermore, they induce a target who does not have enough awareness to fall into the trap.

Many security experts referred to “targeted attacks” at the Virus Bulletin 2006 Conference, and Alex Shipp, MessageLabs Imagineer, gave a speech about targeted Trojan attacks and industrial espionage [2]. He said that typical targeted attacks include one to ten similar e-mails focusing on one to three enterprises, and that on average seven of them belong to targeted Trojan attacks every day. This is less than 0.001% of the malware spreading by e-mail, but the attackers’ intent to inject spyware into the company is the most troubling thing (Fig 1-2 [2]).


Figure 1 - 2 Percentage of Targeted Attack by E-mail

The Core Node

Because many attackers focus on financial rewards, the most important assets of organizations are their know-how or the mission-critical systems that keep the business going. This sensitive and valuable segment in the network domain, which attackers desire to take over, is called the “core node” [3]. However, under limited budgets we have only a few ways to increase our network survivability, such as buying defense products, obtaining advice from security experts, and education and training.

1.2 Motivation

In the past, the main attack type was massive scanning and exploitation of discovered vulnerabilities, or launching DoS attacks; however, attackers today tend to adopt targeted attacks instead. The attackers focus on computers holding sensitive information of enterprises or organizations, and draw up an attack blueprint toward the target. Although information security experts try their best to stop this new attack type, one hundred percent security cannot be achieved by network protection alone.

Many attackers do not have sufficient technical skills, patience, preparation, or time for attacking; they just use existing common hacking tools from the Internet. When the tools are not suitable for a specific situation, these attackers do not have the ability to amend them. Therefore, we can add variety and complexity to the attack path, so that the attackers have to spend more time to reach the target, or even turn to an easier target. In many cases, the more time the attackers spend, the more easily intrusions are detected. Although stopping attackers from penetrating systems is improbable, intrusions are more likely to be detected if security budgets are invested properly in defense mechanisms that delay the attack [4].

In some cases, we would like to know how long the core node will survive under malicious targeted attacks, or what the probability is that the core node will be compromised within a time constraint. Because of the core node’s sensitivity, attackers will try their best to compromise it, and defenders will defend it as hard as possible. Defense resources for building the related mechanisms are limited; therefore, how to allocate those resources precisely to obtain an optimal defense strategy is an important issue. This research discusses how to arrange defense budgets properly to reduce the compromise probability of the core node under different considerations of time slot.

1.3 Literature Survey

1.3.1 Survival Time

Attackers who compromise computers or networks might steal critical information and cause them to stop providing service. The period from the start to the downtime is their survival time, and the definition by SANS-ISC (SysAdmin, Audit, Network, Security Institute - Internet Storm Center) is shown below.

Definition of survival time:

The survival time is calculated as the average time between reports for an average target IP address [5].

The SANS-ISC also points out how to increase the survival time. Applying the security patches a system needs is the first thing to do. According to the researchers at the ISC, the survival time rose from 20 minutes in 2003 to 40 minutes in 2004 because of the adoption of Windows Service Pack 2 [6] [7]. Second, blocking ports that are commonly used by worms is another important way to avoid malicious attacks. Finally, malware frequently aims at high-speed networks, such as university networks, where the survival time will be much smaller. Therefore we should take more care when connecting to that kind of network [5].

Figure 1 - 3 Monthly Survival Time (2006/12/25 12:00PM)

In Figure 1-3 [5], the red line from Jul 2005 to Nov 2006 indicates the trend of the average survival time; the thick red line for each month shows the range of the standard deviation; the peak and the lowest point represent the maximum and the minimum survival time for a month. From this figure, we could imagine that the distribution of survival time is a normal distribution. The survival time reflects the compromise probability, so the compromise probability can also be assumed to follow a normal distribution.

1.3.2 Offense and Defense Strategies

In practice, attackers and defenders both change their offense and defense strategies frequently. As defenders adjust their network security frameworks and equipment, their opponents try to find new system vulnerabilities and network weaknesses to keep obtaining benefits. Defenders then rearrange their defense strategies again, and so do attackers. The strategies of both sides are mutually adjusted again and again.

F. Cohen listed the main strategies attackers use in practice, which include the types shown below [8].

• Speed: Some attackers choose to do only the fastest attacks available. This gives them the advantage that they can win before the defender can detect or react to their presence.

• Stealth: Some attackers choose to conceal themselves to avoid detection.

• Overwhelming force: Some attackers try to generate enough force - typically in the form of physical assault or sheer volume of resources - to overwhelm the defender.

• Indirection (Reflexive control): Some attackers use deceptive techniques to cause the defender to spend resources on the wrong defenses or to cause the defender to act in ways that provide openings to attack.

• Random: Some attackers just try whatever they happen to come across as an idea on any given day.

• Least Resistance: Some attackers try to do things they think are least likely to be defended against and which are easiest for them to do.

• Easiest to find: Some attackers just get software from the Internet and try it against many systems.

Furthermore, defenders can essentially select different strategies from among the following elements [8].

• Dissuasion: Many defenders try to convince possible attackers to go elsewhere.

• Deception: Many defenders create fictions intended to prevent attackers from attacking or to cause them to attack elements of less value.

• Prevention: Defenders often choose to build defenses intended to keep attackers from succeeding in their attempted activities.

• Detection and Reaction: With the belief that no prevention can be perfect, detection and reaction are commonly used as a part of the mix.

• Repair: After detection - or when there is a belief that vulnerabilities exist, repair is often undertaken to mitigate risk.

• Exploitation: In some cases, it is determined that an attacker can be exploited in some way to the advantage of the defender. If the defender is so inclined, this strategy may be undertaken.

• Capture and Punishment: In many cases, defenders try to capture and prosecute attackers in order to recoup losses and dissuade others from attacking.

• Cover Up: It is often considered desirable to cover up an attack so that nobody else knows about it.

• Constant Change: Some people take the strategy of changing the way they operate at a pace that is so fast that long-term attacks are destined to failure because the nature of the systems under attack has changed by the time a long-term attack can succeed.

Attackers can gain rewards, such as thrills for self-satisfaction, confidential data, or large amounts of money, by attacking networks; defenders, on the other hand, suffer damages including leakage of confidential data, unauthorized alteration of important information, or system downtime [9]. Attackers try to maximize their own benefits and defenders try to minimize damages, and hence both have their own strategies.

1.4 Proposed Approach

In this paper, we describe a resource allocation problem, which is a mixed nonlinear integer programming optimization problem. It can be solved by using the Lagrangean relaxation method in conjunction with heuristic algorithms. The defense of networks is not all-or-nothing; rather, there is a spectrum of it. Therefore, we use probability to measure the survivability of networks.

This is a min-max mathematical model: the inner problem, from the attacker’s perspective, is to maximize the compromise probability of the core node, and the outer problem, from the defender’s view, is to minimize it. The compromise probability of each node is affected by the budget allocated to it, and the compromise probability of the core node is determined by the nodes on the attack path. Therefore, the lower the probability is, the longer the survival time of the core node.

1.5 Thesis Organization

This thesis is organized as follows. In Chapter 2, the formulation of the budget allocation problem is proposed. In Chapter 3, the solution approach of the problem is presented. The computational results of the problem are shown in Chapter 4. Finally, we present our conclusions and indicate possible directions of future research.


Chapter 2 Problem Formulation

2.1 Problem Description and Assumption

We assume that the network is at the Autonomous System (AS) level, and therefore attackers must advance toward the core node step by step instead of attacking it directly. There is certainly more than one attacker in the network, but we can model a group of attackers in different locations as a single omnipresent attacker, and likewise for defenders [3]. Although it is improbable for attackers to know everything about the network in the real world, the worst case should be considered. Therefore, we assume that attackers have complete information about the network.

According to the article mentioned before, the probability of each node being compromised by attackers follows a normal distribution (Fig 2-1, Fig 2-2). Compromising a node is not easy, so many attackers need to spend about the average time. From the defenders’ perspective, they can allocate more budget to each node to increase the mean and the variance of its distribution, and thus decrease the compromise probability.

Figure 2 - 1 The pdf of Compromise probability (axes: Time, Compromised Probability)

Figure 2 - 2 The cpf of Compromise probability (axes: Time, Compromised Probability)


The following figures describe the attack scenario. An attacker occupies an initial node, s, at the beginning, and the target is the core node, t (Fig 2-3). Because different budgets are allocated to each node, the compromise probabilities differ from node to node (Fig 2-4). Next, the attacker chooses the node connected to s with the highest compromise probability (Fig 2-5). The attacker continues selecting the node with the highest probability among those that neighbor s or are reached through a node already chosen, until reaching t (Fig 2-6, Fig 2-7). Ignoring the links and nodes not used or chosen, the attacker considers only the chosen ones (Fig 2-8); tracking back from t to s then constructs an attack path, called an Origin-Destination pair (O-D pair), and the new compromise probability distribution is obtained by convolving the distributions of the nodes on the path (Fig 2-9).

Even if the defender does not assign any effort to a node, it still has some ability to resist the attacker: the attacker has a higher probability of compromising it, but it still costs him some time to find vulnerabilities and to penetrate them. As investment amounts are discrete, we assume that the choices of each node’s budget are limited. The total budget of the defender is also limited; therefore, how to arrange those resources effectively is the main subject of this research. The assumptions and description of this model are given in Table 2-1.


Figure 2-3 Initial State. Initially, the attacker is on node s, and the target is on node t.

Figure 2-4 Different Probability Distribution. Each node has its own probability distribution because different budgets are allocated.

Figure 2-5 Choosing a Target. The attacker chooses, from the neighbors, the node that has the highest compromise probability at the time.

Figure 2-6 Continued Selecting. The attacker repeatedly chooses a node that connects directly to the initial node s or is reached through the node just chosen.

Figure 2-7 Post-choosing Network State. Choosing continues until the core node t is chosen.

Figure 2-8 Selected Nodes and Links. Only the chosen links and nodes are considered.

Figure 2-9 Attack Path. Tracking back from t to s constructs the attack path, and the new pdf is obtained by doing the convolutions of the nodes on the path.

Legend for Figures 2-3 to 2-9: attacker's initial position s; candidate node; chosen node; unchosen node; reachable link; unreachable link; link to the chosen node.


Table 2-1 Problem Assumptions and Description

Assumption:
• The attacker is on node s.
• Only one node (node t, the core node) is the target of attack.
• A node i is subject to attack only if a path exists from node s to node i where all the intermediate nodes on the path have been compromised (they can be viewed as the hop sites for attacking the target).
• The defense budget allocated to a node affects the compromise probability distribution of that node.
• The compromise probability distribution of the node t depends on all the intermediate nodes on the path.
• Both the attacker and the defender have complete information about the network.
• The attacker will always find the best strategy to reach the objective.
• The defender is subject to the total budget constraint, and the budget choices of each node are limited.
• No link attacks are considered.
• No random failures are considered.

Given:
• The network topology
• The total budget for the defender
• The mean and the variance of a node are functions of the node's budget allocation.
• The tail distribution of a normal distribution with mean μ and variance σ² at the time t.

Objective:
• To minimize the maximized compromise probability of the core node at the constant time

Subject to:
• Budget constraint of the defender

To determine:
• The budget allocated to each node by the defender
• Which node will be attacked by the attacker
• Which routing path will be chosen to reach the core node

2.2 Notations

Given Parameters

| Notation | Description |
|---|---|
| $N$ | The index set of all nodes in the network |
| $w$ | The O-D pair $(s, t)$ |
| $P_w$ | The index set of all candidate paths for O-D pair $w$ |
| $\delta_{ip}$ | The indicator function, which is 1 if node $i$ is on path $p$, and 0 otherwise (where $i \in N$, $p \in P_w$) |
| $\delta_{ip^*}$ | The indicator function, which is 1 if node $i$ is on the shortest path $p^*$ (where the cost associated with node $i$ is $\mu_i(\min\{B_i\})$), and 0 otherwise (where $i \in N$) |
| $\sigma_{iq^*}$ | The indicator function, which is 1 if node $i$ is on the shortest path $q^*$ (where the cost associated with node $i$ is $\mu_i(\max\{B_i\})$), and 0 otherwise (where $i \in N$) |
| $B$ | The total budget |
| $B_i$ | The set of all budget choices $b_i$ on node $i$, where $i \in N$ |
| $T$ | The time the attacker used |
| $M$ | The set of all values of $\mu$ on the attack path |
| $\Sigma^2$ | The set of all values of $\sigma^2$ on the attack path |
| $M_p$ | The set of all values of $m_p$ on the path $p$, where $p \in P_w$ |
| $S_p^2$ | The set of all values of $s_p^2$ on the path $p$, where $p \in P_w$ |
| $P(t, \mu, \sigma^2)$ | A polynomial approximation of the tail distribution of a normal distribution with mean $\mu$ and variance $\sigma^2$ at the time $t$ |

The indicator function $\delta_{ip}$ states whether node i is on path p or not, while $\delta_{ip^*}$ and $\sigma_{iq^*}$ single out the special routes p* and q*, which are the two extreme cases. Because we use the normal distribution as the probability function, we consulted mathematical references and obtained the P function, which is a polynomial approximation of the tail distribution of a normal distribution (Table 2-2) [10].

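Table 2-2 P-function

[Figure: the tail of the normal pdf beyond time t; horizontal axis: Time, with μ and t marked; vertical axis: Compromised Probability]

$$P(t, \mu, \sigma^2) = \frac{1}{\sqrt{2\pi}}\, e^{-z^2/2} \left[ d_1 x + d_2 x^2 + d_3 x^3 + d_4 x^4 + d_5 x^5 \right] + \varepsilon(z),$$

where $|\varepsilon(z)| < 7.5 \times 10^{-8}$, $z = \frac{t - \mu}{\sigma}$, $x = \frac{1}{1 + pz}$, $p = 0.2316419$,

$d_1 = 0.3193815$, $d_2 = -0.3565638$, $d_3 = 1.7814779$, $d_4 = -1.8212560$, $d_5 = 1.3302744$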


Decision Variables

| Notation | Description |
|---|---|
| $b_i$ | Budget allocated to protect node $i$, where $i \in N$ |
| $\mu$ | The mean of the normal distribution that is the convolution of the probability density functions of all nodes on the attack path |
| $\sigma^2$ | The variance of the normal distribution that is the convolution of the probability density functions of all nodes on the attack path |
| $m_p$ | The mean of the normal distribution that is the convolution of the probability density functions of all nodes on the path $p$, where $p \in P_w$ |
| $s_p^2$ | The variance of the normal distribution that is the convolution of the probability density functions of all nodes on the path $p$, where $p \in P_w$ |
| $\mu_i(b_i)$ | The mean of the normal distribution that is the probability density function of node $i$; it is a function of the budget, where $i \in N$ |
| $\sigma_i(b_i)^2$ | The variance of the normal distribution that is the probability density function of node $i$; it is a function of the budget, where $i \in N$ |
| $y_i$ | 1 if the node $i$ is chosen, and 0 otherwise (where $i \in N$) |
| $y_t$ | 1 if the core node $t$ is chosen, and 0 otherwise |
| $x_p$ | 1 if the path $p$ is selected as the attack path, and 0 otherwise (where $p \in P_w$) |

Nodes that receive no resources still possess some defense ability, so the mean and variance at zero budget also have initial values μ0 and σ0². Malware-Test Lab is an institute that tests the quality of information security software, and it published an antivirus comparison report on June 28th, 2007. In this report, the term malware includes viruses, Trojan horses, worms, backdoors, spyware, adware, dialers, key loggers, hack tools and so on. The samples used are collected daily from honeypots; the total malware count is 267,287, and the total file size is about 34,156 MB [11]. Analyzing this report shows the trend across different security software (Fig 2-10); therefore, as budgets increase, the marginal effects would cause μ0 and σ0² to tend towards stability (Fig 2-11, Fig 2-12).

Figure 2-10 Detection Rate for Different Security Softwares (bar chart titled "Detection Rate (2007/06/28 Malware-Test Lab)"; vertical axis from 0.00% to 100.00%, one bar per security product)

Figure 2-11 μ-function (Mean against Budget): $\mu_i(b_i) = \mu_0 + \lambda_A \ln(\lambda_B b_i + 1)$

Figure 2-12 σ²-function (Variance against Budget): $\sigma_i(b_i)^2 = \sigma_0^2 + \lambda_C \ln(\lambda_D b_i + 1)$


2.3 Problem Formulation

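Objective function:

$$\min_{b_i} \max_{y_i} \; 1 - P(T, \mu, \sigma^2) \qquad \text{(IP 1)}$$

Subject to:

$$\mu = \sum_{i \in N} \mu_i(b_i)\, y_i \qquad \text{(IP 1.1)}$$

$$\sigma^2 = \sum_{i \in N} \sigma_i(b_i)^2\, y_i \qquad \text{(IP 1.2)}$$

$$\sum_{i \in N} \mu_i(\min\{B_i\})\, \delta_{ip^*} \le \mu \le \sum_{i \in N} \mu_i(\max\{B_i\})\, \sigma_{iq^*} \qquad \text{(IP 1.3)}$$

$$\sum_{i \in N} \sigma_i(\min\{B_i\})^2\, \delta_{ip^*} \le \sigma^2 \le \sum_{i \in N} \sigma_i(\max\{B_i\})^2\, \sigma_{iq^*} \qquad \text{(IP 1.4)}$$

$$\mu \in M \qquad \text{(IP 1.5)}$$

$$\sigma^2 \in \Sigma^2 \qquad \text{(IP 1.6)}$$

$$\sum_{p \in P_w} x_p\, \delta_{ip} = y_i \quad \forall i \in N \qquad \text{(IP 1.7)}$$

$$\sum_{p \in P_w} x_p = 1 \qquad \text{(IP 1.8)}$$

$$x_p = 0 \text{ or } 1 \quad \forall p \in P_w \qquad \text{(IP 1.9)}$$

$$y_i = 0 \text{ or } 1 \quad \forall i \in N - \{t\} \qquad \text{(IP 1.10)}$$

$$y_t = 1 \qquad \text{(IP 1.11)}$$

$$\min\{B_i\} \le b_i \le \max\{B_i\} \quad \forall i \in N \qquad \text{(IP 1.12)}$$

$$\sum_{i \in N} b_i \le B \qquad \text{(IP 1.13)}$$

$$b_i \in B_i \quad \forall i \in N. \qquad \text{(IP 1.14)}$$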

Explanation of the mathematical formulation:

Objective function: The objective is to minimize the maximized compromise probability of the core node, $1 - P(T, \mu, \sigma^2)$. In the inner problem, an attacker tries to maximize the probability of compromising the core node by selecting which nodes to attack, i.e. $y_i$. In the outer problem, the defender intends to minimize the compromise probability of the target node, t, by allocating defense budget, $b_i$, to each node. Because the P function is the tail probability from T to infinity and we want the cumulative probability from zero to T, we use one minus the P function as the objective function.

Constraints (IP 1.1) and (IP 1.2) give the mean and variance of the probability distribution obtained by doing the convolutions of the nodes which are chosen for compromising, i.e., $y_i = 1$, and the attacker must find an attack path between the initial position, s, and the targeted node, t. A convolution is defined as a product of functions, and the convolution of two functions f and g over an infinite range is given by

$$f * g = \int_{-\infty}^{\infty} f(\tau)\, g(t - \tau)\, d\tau = \int_{-\infty}^{\infty} g(\tau)\, f(t - \tau)\, d\tau .$$

Therefore, the convolution of two normal distributions is another normal distribution whose mean and variance are the sums of the two means and the two variances [12].


Constraints (IP 1.3) and (IP 1.4) bound the mean and variance. They lie between the values on the shortest path, p*, with all nodes at minimum budget and the values on the shortest path, q*, with all nodes at maximum budget.

Constraints (IP 1.5) and (IP 1.6) mean that the mean and the variance of the probability distribution on the attack path are selected from the choice sets $M$ and $\Sigma^2$. They are determined by the resources allocated to each node, which are discrete values; therefore $\mu$ and $\sigma^2$ are discrete values.

Constraint (IP 1.7) enforces that if the path p is chosen by the attacker, the nodes on it must also be chosen.

Constraint (IP 1.8) indicates that only one path from the source node, s, to the targeted node, t, can be chosen by the attacker.

Constraints (IP 1.9) and (IP 1.10) restrict $x_p$ and $y_i$ to 1 or 0, which means that the path or the node is selected or not.

Constraint (IP 1.11) is a redundant constraint stating that the targeted node, t, has to be chosen.

Constraints (IP 1.12) and (IP 1.13) restrict the range of the defense resources allocated to each node, $b_i$, and require that the total allocated budget, $\sum_{i \in N} b_i$, does not exceed the defense budget, B.

Constraint (IP 1.14) means that the budget allocated to each node is selected from the choice set of node i, $B_i$.
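The min-max problem (IP 1) can be checked by brute force on a small network. The following Python sketch is an added example, not code from the thesis: it implements the P-function of Table 2-2, sums means and variances along a path as in (IP 1.1) and (IP 1.2), lets the attacker pick the path with the highest compromise probability, and lets the defender enumerate the discrete budget allocations. The topology, μ0, σ0², the λ parameters, T, the budget choices, the use of symmetry for times below the mean, and the exclusion of s from the path sums are assumptions made for the illustration.

```python
import itertools
import math

# Constants of the polynomial tail approximation (Table 2-2).
P_CONST = 0.2316419
D_COEF = (0.3193815, -0.3565638, 1.7814779, -1.8212560, 1.3302744)

def p_function(t, mu, var):
    """Tail probability P(t, mu, sigma^2) of a normal distribution."""
    z = (t - mu) / math.sqrt(var)
    az = abs(z)  # the polynomial is valid for z >= 0
    x = 1.0 / (1.0 + P_CONST * az)
    poly = sum(d * x ** (k + 1) for k, d in enumerate(D_COEF))
    tail = math.exp(-az * az / 2.0) / math.sqrt(2.0 * math.pi) * poly
    # Assumption: for t below the mean use the symmetry Q(-z) = 1 - Q(z).
    return tail if z >= 0 else 1.0 - tail

# Constructed parameters for mu_i(b_i) and sigma_i(b_i)^2 (Fig 2-11, Fig 2-12).
MU0, VAR0 = 2.0, 1.0
LAM_A, LAM_B, LAM_C, LAM_D = 1.5, 1.0, 0.5, 1.0

def node_mean(b):
    return MU0 + LAM_A * math.log(LAM_B * b + 1.0)

def node_var(b):
    return VAR0 + LAM_C * math.log(LAM_D * b + 1.0)

# Constructed topology: attacker starts on s, core node is t.
EDGES = {"s": ["a", "b"], "a": ["s", "b", "t"],
         "b": ["s", "a", "t"], "t": ["a", "b"]}
DEFENDED = ["a", "b", "t"]

def simple_paths(src, dst, seen=()):
    """Enumerate the candidate path set P_w as loop-free node sequences."""
    if src == dst:
        yield seen + (src,)
        return
    for nxt in EDGES[src]:
        if nxt not in seen and nxt != src:
            yield from simple_paths(nxt, dst, seen + (src,))

def compromise_probability(path, alloc, T):
    """1 - P(T, mu, sigma^2) with mu, sigma^2 summed over the path's nodes."""
    nodes = path[1:]  # assumption: s is already held, so it adds no delay
    mu = sum(node_mean(alloc[n]) for n in nodes)
    var = sum(node_var(alloc[n]) for n in nodes)
    return 1.0 - p_function(T, mu, var)

def attacker_best_path(alloc, T):
    """Inner problem: the path that maximizes the compromise probability."""
    return max(simple_paths("s", "t"),
               key=lambda p: compromise_probability(p, alloc, T))

def defender_best_allocation(choices, total_budget, T):
    """Outer problem: enumerate b_i in B_i subject to sum(b_i) <= B."""
    best = None
    for combo in itertools.product(choices, repeat=len(DEFENDED)):
        if sum(combo) > total_budget:
            continue
        alloc = dict(zip(DEFENDED, combo))
        path = attacker_best_path(alloc, T)
        worst = compromise_probability(path, alloc, T)
        if best is None or worst < best[0]:
            best = (worst, alloc, path)
    return best

if __name__ == "__main__":
    worst, alloc, path = defender_best_allocation((0, 1, 2, 3), 4, 8.0)
    print("allocation:", alloc)
    print("attack path:", " -> ".join(path))
    print("compromise probability of t at T=8: %.4f" % worst)
```

Because a longer path raises both the summed mean and the summed variance, the attacker's best path is not always the one with the fewest hops, which is why every candidate path has to be evaluated.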

2.4 Problem Reformulation

We replace the inner problem with a constraint and reformulate the original objective function, $Z_{IP1}$. Furthermore, the constant value of the objective function, $Z_{IP1}$, is ignored, and the reformulated problem is shown below.

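Objective function:

$$Z_{IP2} = \min_{b_i,\, y_i} \; -P(T, \mu, \sigma^2) \qquad \text{(IP 2)}$$

Subject to:

$$P(T, \mu, \sigma^2) \le P(T, m_p, s_p^2) \quad \forall p \in P_w \qquad \text{(IP 2.1)}$$

$$\mu = \sum_{i \in N} \mu_i(b_i)\, y_i \qquad \text{(IP 2.2)}$$

$$\sigma^2 = \sum_{i \in N} \sigma_i(b_i)^2\, y_i \qquad \text{(IP 2.3)}$$

$$\sum_{i \in N} \mu_i(\min\{B_i\})\, \delta_{ip^*} \le \mu \le \sum_{i \in N} \mu_i(\max\{B_i\})\, \sigma_{iq^*} \qquad \text{(IP 2.4)}$$

$$\sum_{i \in N} \sigma_i(\min\{B_i\})^2\, \delta_{ip^*} \le \sigma^2 \le \sum_{i \in N} \sigma_i(\max\{B_i\})^2\, \sigma_{iq^*} \qquad \text{(IP 2.5)}$$

$$\mu \in M \qquad \text{(IP 2.6)}$$

$$\sigma^2 \in \Sigma^2 \qquad \text{(IP 2.7)}$$

$$m_p = \sum_{i \in N} \mu_i(b_i)\, \delta_{ip} \quad \forall p \in P_w \qquad \text{(IP 2.8)}$$

$$s_p^2 = \sum_{i \in N} \sigma_i(b_i)^2\, \delta_{ip} \quad \forall p \in P_w \qquad \text{(IP 2.9)}$$

$$\sum_{i \in N} \mu_i(\min\{B_i\})\, \delta_{ip} \le m_p \le \sum_{i \in N} \mu_i(\max\{B_i\})\, \delta_{ip} \quad \forall p \in P_w \qquad \text{(IP 2.10)}$$

$$\sum_{i \in N} \sigma_i(\min\{B_i\})^2\, \delta_{ip} \le s_p^2 \le \sum_{i \in N} \sigma_i(\max\{B_i\})^2\, \delta_{ip} \quad \forall p \in P_w \qquad \text{(IP 2.11)}$$

$$m_p \in M_p \quad \forall p \in P_w \qquad \text{(IP 2.12)}$$

$$s_p^2 \in S_p^2 \quad \forall p \in P_w \qquad \text{(IP 2.13)}$$

$$\sum_{p \in P_w} x_p\, \delta_{ip} \le y_i \quad \forall i \in N \qquad \text{(IP 2.14)}$$

$$\sum_{p \in P_w} x_p = 1 \qquad \text{(IP 2.15)}$$

$$x_p = 0 \text{ or } 1 \quad \forall p \in P_w \qquad \text{(IP 2.16)}$$

$$y_i = 0 \text{ or } 1 \quad \forall i \in N - \{t\} \qquad \text{(IP 2.17)}$$

$$y_t = 1 \qquad \text{(IP 2.18)}$$

$$\min\{B_i\} \le b_i \le \max\{B_i\} \quad \forall i \in N \qquad \text{(IP 2.19)}$$

$$\sum_{i \in N} b_i \le B \qquad \text{(IP 2.20)}$$

$$b_i \in B_i \quad \forall i \in N. \qquad \text{(IP 2.21)}$$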

Explanation of the mathematical formulation:

Objective function: after the inner problem has been replaced by a constraint, the defender wants to minimize the compromise probability of the core node by adjusting the budget allocation.

Constraint (IP 2.1) keeps the original inner problem satisfied by requiring that the probability $P(T, \mu, \sigma^2)$ of the core node along the attack path is always less than or equal to the probability $P(T, m_p, s_p^2)$ along any other path.

Constraints (IP 2.8) ~ (IP 2.9) define the mean and variance of the probability distribution obtained by doing the convolutions of the nodes on any path, p, between the initial position, s, and the targeted node, t.

Constraints (IP 2.10) and (IP 2.11) bound the mean and variance of the candidate path, p. They lie between the values for the nodes on p at minimum budget and the values for those nodes at maximum budget.

Constraints (IP 2.12) and (IP 2.13) mean that the mean and the variance of the probability distribution on any path are selected from the choice sets $M_p$ and $S_p^2$. They are determined by the resources allocated to each node, which are discrete values; therefore $m_p$ and $s_p^2$ are discrete values.

Constraint (IP 2.14) replaces "equal to" with "less than or equal to" because (IP 2.1) tends to make $y_i$ smaller.

Constraints (IP 2.2) ~ (IP 2.7) and (IP 2.15) ~ (IP 2.21) are the same as in the original problem, $Z_{IP1}$.


Chapter 3 Solution Approach

3.1 Lagrangean Relaxation Method

In the 1970s, many approaches were published for solving complex mathematical problems with decomposition techniques, which separate a problem that is hard to solve into several easy subproblems tied together by a relatively small set of side constraints [14] [15]. Besides its flexibility, the Lagrangean relaxation method permits us to develop bounds on the optimal objective value and helps us to design effective heuristic algorithms. Therefore, it has become one of the most popular tools for solving optimization problems. Its scope includes linear programming, integer programming, combinatorial optimization, and nonlinear programming problems [13].

The essence of the Lagrangean relaxation method is to move some complicating constraints into the objective function of the primal problem (P) with associated multipliers (u); the new optimization problem with fewer constraints is called the Lagrangean relaxation problem (LRu). Figure 3-1 illustrates the major concepts of the Lagrangean relaxation method. Based on (LRu), we decompose the relaxation problem into several stand-alone subproblems, each of which can be solved optimally by any known methodology or algorithm [13].


For minimization problems, the optimal value of (LRu), obtained after solving the subproblems and substituting their solutions into (LRu), is a lower bound (LB) of the original problem. However, this does not mean that the solution is feasible for the original problem; it only tells us what the LB is. To get a tighter LB that is closer to the optimal value, we continuously tune the multipliers, and this procedure is named the "Lagrangean dual problem." While solving the Lagrangean relaxation and dual problems, we obtain values of the decision variables and multipliers. They serve as hints for developing proper heuristics that tune an infeasible solution into a feasible one, and this step is called "getting primal feasible solution." Every feasible solution we find is an upper bound (UB) of the original problem, and thus the optimal value lies between UB and LB [15].

For tuning the multipliers, the subgradient method is the most popular technique because of its scalar, which modulates the step size of the multiplier update in each iteration. At the beginning, the scalar is relatively large, so the multipliers oscillate more. It is reduced in later iterations, and the variation range of the multipliers then narrows with time. At last, the multipliers tend to be stable and converge to one value, and that is the time to stop the Lagrangean relaxation method [14]. More details of the method are presented in Figure 3-2.

The Lagrangean relaxation method has four significant advantages. First, there are many possible ways to decompose a model by this method, and therefore it is more a general problem-solving strategy and solution framework than a specific solution technique. Second, after decomposing into several subproblems, we can choose any known algorithm for solving each of them. Third, it helps us to derive bounds on the objective function and to evaluate the solution quality of a primal feasible solution. Last, we can design effective heuristic methods for solving complicated and large-scale optimization problems [13]. Therefore, we apply the Lagrangean relaxation method as the solution approach in this research.

Figure 3-1 Concepts of the Lagrangean Relaxation Method

[Diagram boxes: Primal Problem; Lagrangean Relaxation Problem (LRu); Subproblem ‧‧‧‧ Subproblem, each with an Optimal Solution; Lagrangean Dual Problem; Adjust Lagrangean Multipliers (u); Lower Bound (LB); Upper Bound (UB); LB ≤ Optimal Objective Function Value ≤ UB]


Figure 3-2 The Lagrangean Relaxation Procedure

Initialization
‧ $Z^*$: Best known feasible solution value of primal problem = Initial feasible solution
‧ $u^0$: Initial multiplier value = 0
‧ $k$: Iteration count = 0
‧ $i$: Improvement count = 0
‧ $LB$: Lower bound of primal problem = $-\infty$
‧ $\lambda^0$: Initial step size coefficient = 2

Solve Lagrangean Relaxation Problem
1. Solve each subproblem of $(LR_{u^k})$ optimally
2. Get decision variables $x^k$ and optimal value $Z_D(u^k)$

Get Primal Feasible Problem
‧ if $x^k$ is feasible in primal problem, the result is a UB of primal problem.
‧ if $x^k$ is not feasible in primal problem, tune it with specific heuristic.

Update Bounds
1. $Z^* = \min(Z^*, UB)$, $LB = \max(LB, Z_D(u^k))$
2. $i = i + 1$ if LB does not change

Check Termination
if $(Z^* - LB) / \min(LB, Z^*) < \varepsilon$ or $k$ reaches Iteration Count Limit or $LB \ge Z^*$?
Yes: STOP. No: continue with the adjustment of multipliers.

Adjustment of multipliers
1. If $i$ reaches the Improvement Counter Limit, $\lambda = \lambda / 2$, $i = 0$
2. $t^k = \dfrac{\lambda \left( Z^* - Z_D(u^k) \right)}{\left\| A x^k + b \right\|^2}$
3. $u^{k+1} = \max\left(0,\; u^k + t^k (A x^k + b)\right)$
4. $k = k + 1$


3.2 Solution Approach

Applying the Lagrangean relaxation method, we transform the reformulated problem (IP 2) into the following Lagrangean relaxation problem (LR 1) by relaxing Constraints (IP 2.1), (IP 2.2), (IP 2.3), (IP 2.8), (IP 2.9), (IP 2.14) and (IP 2.20). With a vector of Lagrangean multipliers, the Lagrangean relaxation problem of (IP 2) is converted to (LR 1).

3.3 Lagrangean Relaxation

Optimization Problem:

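$$Z_D(u^1, u^2, u^3, u^4, u^5, u^6, u^7) = \min \; -P(T, \mu, \sigma^2) + \sum_{p \in P_w} u_p^1 \left( P(T, \mu, \sigma^2) - P(T, m_p, s_p^2) \right)$$

$$+\; u^2 \Big( \mu - \sum_{i \in N} \mu_i(b_i)\, y_i \Big) + u^3 \Big( \sigma^2 - \sum_{i \in N} \sigma_i(b_i)^2\, y_i \Big) + \sum_{p \in P_w} u_p^4 \Big( m_p - \sum_{i \in N} \mu_i(b_i)\, \delta_{pi} \Big)$$

$$+ \sum_{p \in P_w} u_p^5 \Big( s_p^2 - \sum_{i \in N} \sigma_i(b_i)^2\, \delta_{pi} \Big) + \sum_{i \in N} u_i^6 \Big( \sum_{p \in P_w} x_p\, \delta_{pi} - y_i \Big) + u^7 \Big( \sum_{i \in N} b_i - B \Big) \qquad \text{(LR 1)}$$

Subject to:

$$\sum_{i \in N} \mu_i(\min\{B_i\})\, \delta_{ip^*} \le \mu \le \sum_{i \in N} \mu_i(\max\{B_i\})\, \sigma_{iq^*} \qquad \text{(LR 1.1)}$$

$$\sum_{i \in N} \sigma_i(\min\{B_i\})^2\, \delta_{ip^*} \le \sigma^2 \le \sum_{i \in N} \sigma_i(\max\{B_i\})^2\, \sigma_{iq^*} \qquad \text{(LR 1.2)}$$

$$\mu \in M \qquad \text{(LR 1.3)}$$

$$\sigma^2 \in \Sigma^2 \qquad \text{(LR 1.4)}$$

$$\sum_{i \in N} \mu_i(\min\{B_i\})\, \delta_{ip} \le m_p \le \sum_{i \in N} \mu_i(\max\{B_i\})\, \delta_{ip} \quad \forall p \in P_w \qquad \text{(LR 1.5)}$$

$$\sum_{i \in N} \sigma_i(\min\{B_i\})^2\, \delta_{ip} \le s_p^2 \le \sum_{i \in N} \sigma_i(\max\{B_i\})^2\, \delta_{ip} \quad \forall p \in P_w \qquad \text{(LR 1.6)}$$

$$m_p \in M_p \quad \forall p \in P_w \qquad \text{(LR 1.7)}$$

$$s_p^2 \in S_p^2 \quad \forall p \in P_w \qquad \text{(LR 1.8)}$$

$$\sum_{p \in P_w} x_p = 1 \qquad \text{(LR 1.9)}$$

$$x_p = 0 \text{ or } 1 \quad \forall p \in P_w \qquad \text{(LR 1.10)}$$

$$y_i = 0 \text{ or } 1 \quad \forall i \in N - \{t\} \qquad \text{(LR 1.11)}$$

$$y_t = 1 \qquad \text{(LR 1.12)}$$

$$\min\{B_i\} \le b_i \le \max\{B_i\} \quad \forall i \in N \qquad \text{(LR 1.13)}$$

$$b_i \in B_i \quad \forall i \in N. \qquad \text{(LR 1.14)}$$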

The Lagrangean multipliers $u^1, u^2, u^3, u^4, u^5, u^6$, and $u^7$ are the vectors of $\{u_p^1\}$, $\{u^2\}$, $\{u^3\}$, $\{u_p^4\}$, $\{u_p^5\}$, $\{u_i^6\}$, and $\{u^7\}$, in which $u^1$, $u^6$, and $u^7$ are non-negative and $u^2$, $u^3$, $u^4$, and $u^5$ are unrestricted. To solve (LR 1), we decompose it into four independent subproblems as shown below.

Subproblem 1 (related to decision variable $x_p$)

$$z_{sub1}(u^6) = \min_{x_p} \sum_{i \in N} \sum_{p \in P_w} u_i^6\, x_p\, \delta_{pi} \qquad \text{(SUB 1)}$$

Subject to:

$$\sum_{p \in P_w} x_p = 1 \qquad \text{(LR 1.9)}$$

$$x_p = 0 \text{ or } 1 \quad \forall p \in P_w. \qquad \text{(LR 1.10)}$$

(SUB 1) can be considered as a shortest path problem with node cost $u_i^6$. Because the costs are non-negative, we use Dijkstra's minimum cost algorithm to solve this subproblem optimally. However, that algorithm requires link costs, so we use the "node splitting" technique to separate each node, i, into two nodes, i and i', that are connected by an artificial link with the weight $u_i^6$. In this way the node cost is transferred to a link weight, and the algorithm can then be applied to solve this subproblem optimally.

The time complexity of (SUB 1) is O(|N|²).
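The node-splitting step can be made concrete with a short Python sketch. This is an added example, not code from the thesis: each node i becomes an "in" copy and an "out" copy joined by a link of weight $u_i^6$, the original links get weight 0, and a heap-based Dijkstra (a swapped-in variant of the algorithm) returns the path that minimizes (SUB 1). The topology and the multiplier values are constructed for the illustration.

```python
import heapq
import math

def split_nodes(adjacency, node_cost):
    """Turn node costs into link weights: i_in -> i_out carries u_i^6."""
    graph = {}
    for i, cost in node_cost.items():
        if cost < 0:
            raise ValueError("Dijkstra needs non-negative multipliers u_i^6")
        graph[(i, "in")] = [((i, "out"), cost)]
        # Original links carry no cost of their own in (SUB 1).
        graph[(i, "out")] = [((j, "in"), 0.0) for j in adjacency[i]]
    return graph

def dijkstra(graph, source, target):
    """Return (cost, vertex list) of a minimum cost path, or (inf, [])."""
    dist = {source: 0.0}
    prev = {}
    done = set()
    heap = [(0.0, source)]
    while heap:
        d, u = heapq.heappop(heap)
        if u in done:
            continue
        done.add(u)
        if u == target:
            break
        for v, w in graph[u]:
            nd = d + w
            if nd < dist.get(v, math.inf):
                dist[v] = nd
                prev[v] = u
                heapq.heappush(heap, (nd, v))
    if target not in done:
        return math.inf, []
    path = [target]
    while path[-1] != source:
        path.append(prev[path[-1]])
    return dist[target], path[::-1]

def solve_sub1(adjacency, u6, s, t):
    """Pick the path p with x_p = 1 that minimizes sum_i u_i^6 * delta_pi."""
    graph = split_nodes(adjacency, u6)
    cost, split_path = dijkstra(graph, (s, "in"), (t, "out"))
    # Collapse the two copies of every node back into one.
    nodes = [name for name, side in split_path if side == "in"]
    return cost, nodes

# Constructed sample: the two-hop route s-a-t is more expensive than s-b-c-t.
ADJACENCY = {"s": ["a", "b"], "a": ["s", "t"], "b": ["s", "c"],
             "c": ["b", "t"], "t": ["a", "c"]}
U6 = {"s": 0.0, "a": 0.7, "b": 0.2, "c": 0.1, "t": 0.5}

if __name__ == "__main__":
    cost, nodes = solve_sub1(ADJACENCY, U6, "s", "t")
    print("path:", " -> ".join(nodes), "cost: %.2f" % cost)
```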

Subproblem 2 (related to decision variable $y_i$, $b_i$)

$$z_{sub2}(u^2, u^3, u^4, u^5, u^6, u^7) = \min_{b_i,\, y_i} -\Big( \sum_{i \in N} u^2 \mu_i(b_i)\, y_i + \sum_{i \in N} u^3 \sigma_i(b_i)^2\, y_i + \sum_{p \in P_w} \sum_{i \in N} u_p^4\, \mu_i(b_i)\, \delta_{pi}$$

$$+ \sum_{p \in P_w} \sum_{i \in N} u_p^5\, \sigma_i(b_i)^2\, \delta_{pi} + \sum_{i \in N} u_i^6\, y_i - \sum_{i \in N} u^7 b_i + u^7 B \Big) \qquad \text{(SUB 2)}$$

Subject to:

$$y_i = 0 \text{ or } 1 \quad \forall i \in N \qquad \text{(LR 1.11)}$$

$$y_t = 1 \qquad \text{(LR 1.12)}$$

$$\min\{B_i\} \le b_i \le \max\{B_i\} \quad \forall i \in N \qquad \text{(LR 1.13)}$$

$$b_i \in B_i \quad \forall i \in N. \qquad \text{(LR 1.14)}$$

In (SUB 2) we substitute $\mu_0 + \lambda_A \ln(\lambda_B b_i + 1)$ for $\mu_i(b_i)$ and $\sigma_0^2 + \lambda_C \ln(\lambda_D b_i + 1)$ for $\sigma_i(b_i)^2$. Ignoring the constant value $u^7 B$, (SUB 2) can be decomposed into a series of |N| subproblems. For each node i,

$$z_{sub2'} = \min_{b_i} -\Big( u^2 \mu_i(b_i)\, y_i + u^3 \sigma_i(b_i)^2\, y_i + \sum_{p \in P_w} u_p^4\, \mu_i(b_i)\, \delta_{pi} + \sum_{p \in P_w} u_p^5\, \sigma_i(b_i)^2\, \delta_{pi} + u_i^6\, y_i - u^7 b_i \Big)$$

$$= \min_{b_i} -\Big\{ u^2 \left[ \mu_0 + \lambda_A \ln(\lambda_B b_i + 1) \right] y_i + u^3 \left[ \sigma_0^2 + \lambda_C \ln(\lambda_D b_i + 1) \right] y_i$$

$$+ \sum_{p \in P_w} u_p^4 \left[ \mu_0 + \lambda_A \ln(\lambda_B b_i + 1) \right] \delta_{pi} + \sum_{p \in P_w} u_p^5 \left[ \sigma_0^2 + \lambda_C \ln(\lambda_D b_i + 1) \right] \delta_{pi} + u_i^6\, y_i - u^7 b_i \Big\}$$

$$= \min_{b_i} -\Big\{ \left[ u^2 \mu_0 + u^3 \sigma_0^2 + u_i^6 + u^2 \lambda_A \ln(\lambda_B b_i + 1) + u^3 \lambda_C \ln(\lambda_D b_i + 1) \right] y_i$$

$$+ \sum_{p \in P_w} u_p^4\, \delta_{pi}\, \lambda_A \ln(\lambda_B b_i + 1) + \sum_{p \in P_w} u_p^5\, \delta_{pi}\, \lambda_C \ln(\lambda_D b_i + 1) - u^7 b_i + \sum_{p \in P_w} \left( u_p^4 \mu_0 + u_p^5 \sigma_0^2 \right) \delta_{pi} \Big\} \qquad \text{(SUB 2')}$$

Subject to:

$$y_i = 0 \text{ or } 1 \qquad \text{(LR 1.11)}$$

$$y_t = 1 \qquad \text{(LR 1.12')}$$

$$\min\{B_i\} \le b_i \le \max\{B_i\} \qquad \text{(LR 1.13')}$$

$$b_i \in B_i. \qquad \text{(LR 1.14')}$$

However, $y_i$ has only two choices, 0 or 1, so we can substitute each value in turn.


If $y_i = 0$:

$$z_{sub2'} = \min_{b_i} -\Big\{ \sum_{p \in P_w} u_p^4\, \delta_{pi}\, \lambda_A \ln(\lambda_B b_i + 1) + \sum_{p \in P_w} u_p^5\, \delta_{pi}\, \lambda_C \ln(\lambda_D b_i + 1) - u^7 b_i + \sum_{p \in P_w} \left( u_p^4 \mu_0 + u_p^5 \sigma_0^2 \right) \delta_{pi} \Big\}$$

If $y_i = 1$:

$$z_{sub2'} = \min_{b_i} -\Big\{ \Big( u^2 + \sum_{p \in P_w} u_p^4\, \delta_{pi} \Big) \lambda_A \ln(\lambda_B b_i + 1) + \Big( u^3 + \sum_{p \in P_w} u_p^5\, \delta_{pi} \Big) \lambda_C \ln(\lambda_D b_i + 1) - u^7 b_i$$

$$+\; u^2 \mu_0 + u^3 \sigma_0^2 + u_i^6 + \sum_{p \in P_w} \left( u_p^4 \mu_0 + u_p^5 \sigma_0^2 \right) \delta_{pi} \Big\}$$

This problem can be solved by exhaustive search for each node. For $y_i = 0$ we find the optimal value of $b_i$, we do the same for $y_i = 1$, and we compare the two optimal values of $z_{sub2'}$. The smaller one is the optimal solution of this node's subproblem.

The time complexity of (SUB 2) is O(|N| |Bi|).

Subproblem 3 (related to decision variable $\mu$, $\sigma^2$)

$$z_{sub3}(u^1, u^2, u^3) = \min_{\mu,\, \sigma^2} \Big( \sum_{p \in P_w} u_p^1 - 1 \Big) P(T, \mu, \sigma^2) + u^2 \mu + u^3 \sigma^2 \qquad \text{(SUB 3)}$$

Subject to:

$$\sum_{i \in N} \mu_i(\min\{B_i\})\, \delta_{ip^*} \le \mu \le \sum_{i \in N} \mu_i(\max\{B_i\})\, \sigma_{iq^*} \qquad \text{(LR 1.1)}$$

$$\sum_{i \in N} \sigma_i(\min\{B_i\})^2\, \delta_{ip^*} \le \sigma^2 \le \sum_{i \in N} \sigma_i(\max\{B_i\})^2\, \sigma_{iq^*} \qquad \text{(LR 1.2)}$$

$$\mu \in M \qquad \text{(LR 1.3)}$$

$$\sigma^2 \in \Sigma^2. \qquad \text{(LR 1.4)}$$

The mean and variance, $\mu$ and $\sigma^2$, are discrete, and each lies in a limited range. Therefore, this subproblem can again be solved optimally by exhaustive search. We substitute each possible value of $\mu$ and $\sigma^2$ into (SUB 3) and select the best one, which is the optimal solution of this subproblem.

The time complexity of (SUB 3) is O(|M| |Σ²|).

Subproblem 4 (related to decision variable $m_p$, $s_p^2$)

$$z_{sub4}(u^1, u^4, u^5) = \min_{m_p,\, s_p^2} -\sum_{p \in P_w} u_p^1\, P(T, m_p, s_p^2) + \sum_{p \in P_w} u_p^4\, m_p + \sum_{p \in P_w} u_p^5\, s_p^2 \qquad \text{(SUB 4)}$$

Subject to:

$$\sum_{i \in N} \mu_i(\min\{B_i\})\, \delta_{ip} \le m_p \le \sum_{i \in N} \mu_i(\max\{B_i\})\, \delta_{ip} \quad \forall p \in P_w \qquad \text{(LR 1.5)}$$

$$\sum_{i \in N} \sigma_i(\min\{B_i\})^2\, \delta_{ip} \le s_p^2 \le \sum_{i \in N} \sigma_i(\max\{B_i\})^2\, \delta_{ip} \quad \forall p \in P_w \qquad \text{(LR 1.6)}$$

$$m_p \in M_p \quad \forall p \in P_w \qquad \text{(LR 1.7)}$$

$$s_p^2 \in S_p^2 \quad \forall p \in P_w. \qquad \text{(LR 1.8)}$$

Unlike the subproblems above, (SUB 4) must consider all the paths from s to t, and that is an enormous number for a network. Therefore, we need some way to decrease its complexity and save computational power.


There is no need to list all paths at the computing stage, because the only paths we are concerned with are those for which at least one of the multipliers $u_p^1$, $u_p^4$ or $u_p^5$ is non-zero. When all of them are zero, the path's contribution to $z_{sub4}$ is forced to zero; when one of them is non-zero, we consider the path a possible active path and add it to a list. After all possible paths have been marked, the next step of solving this subproblem only goes through the paths on the list.

The time complexity of (SUB 4) is O(|Pw| |Mp| |Sp²|).

3.4 The Dual Problem and the Subgradient Method

According to the weak duality theorem of Lagrangean relaxation method, it states

that the optimal objective value ZD of the Lagrangean multiplier is never larger than the

optimal objective function value of the problem (IP 2) [13]. Therefore, we construct the

dual problem (D 1) in order to obtain the tightest lower bound by the subgradient

method [14][15].

Dual Problem :

1 2 3 4 5 6 71 1max ( , , , , , , )D DZ Z u u u u u u u= (D 1)

Subject to: 1 6 7, , 0u u u ≥ .

Let a vector $f$ be a subgradient of $Z_{D1}(u_1, u_2, u_3, u_4, u_5, u_6, u_7)$. Then, in iteration $k$ of the subgradient optimization procedure, the multiplier vector $u^k = (u_1^k, u_2^k, u_3^k, u_4^k, u_5^k, u_6^k, u_7^k)$ is updated by $u^k = u^k + \alpha^k f^k$, where

$$
\begin{aligned}
f^k(u_1^k, u_2^k, u_3^k, u_4^k, u_5^k, u_6^k, u_7^k) = \Bigg( & P(T, \mu, \sigma^2) - P(T, m_p, s_p^2),\ \sum_{i \in N} \mu_i(b_i)\, y_i - \mu, \\
& \sum_{i \in N} \sigma_i(b_i)^2\, y_i - \sigma^2,\ m_p - \sum_{i \in N} \mu_i(b_i)\, \delta_{pi},\ s_p^2 - \sum_{i \in N} \sigma_i(b_i)^2\, \delta_{pi}, \\
& \sum_{p \in P_w} x_p\, \delta_{pi} - y_i,\ \sum_{i \in N} b_i - B \Bigg)
\end{aligned}
$$

and the step size, $\alpha^k$, is determined by

$$\alpha^k = \rho\, \frac{Z_{IP2}^* - Z_{D1}(u^k)}{\left\| f^k \right\|^2},$$

where $Z_{IP2}^*$, the best primal objective function value found by iteration $k$, is the upper bound (UB) of (IP2), and $\rho$ is a constant where $0 \leq \rho \leq 2$.
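The update rule and step size above, as an added example that is not code from the thesis: a subgradient loop that uses $\alpha^k = \rho\,(Z^* - Z_D(u^k)) / \|f^k\|^2$, halves $\rho$ after a run of non-improving iterations (the schedule Section 4.2 describes), and keeps the multipliers of relaxed inequality constraints non-negative. The covering problem, its data, the function names and the limits are assumptions constructed for illustration; they are not (IP 2).

```python
"""Subgradient optimization of a Lagrangean dual on a constructed covering problem.

Primal (minimization): pick monitoring points so that every attack path is watched.
    min  sum_j c_j x_j   s.t.  sum_j a_ij x_j >= 1 for each path i,  x_j in {0, 1}
Relaxing the covering constraints with multipliers u_i >= 0 gives
    Z_D(u) = sum_i u_i + sum_j min(0, c_j - sum_i a_ij u_i),
a lower bound on the primal optimum for every u >= 0 (weak duality).
All data below is constructed for illustration.
"""

COSTS = [2.0, 2.0, 2.0]          # cost of monitoring point j
COVERS = [[1, 0, 1],             # COVERS[i][j] = 1 if point j watches path i
          [1, 1, 0],
          [0, 1, 1]]


def solve_relaxation(u):
    """Solve the relaxed problem for fixed multipliers u; return (Z_D(u), x)."""
    x, value = [], sum(u)
    for j in range(len(COSTS)):
        reduced = COSTS[j] - sum(COVERS[i][j] * u[i] for i in range(len(COVERS)))
        x.append(1 if reduced < 0 else 0)
        value += min(0.0, reduced)
    return value, x


def subgradient(upper_bound, rho=2.0, iteration_limit=200, improvement_limit=5):
    """Maximize Z_D(u) over u >= 0; return (best lower bound, best u, history)."""
    u = [0.0] * len(COVERS)
    best_lb, best_u, stalled, history = float("-inf"), list(u), 0, []
    for _ in range(iteration_limit):
        z_d, x = solve_relaxation(u)
        history.append(z_d)
        if z_d > best_lb + 1e-12:
            best_lb, best_u, stalled = z_d, list(u), 0
        else:
            stalled += 1
            if stalled >= improvement_limit:    # halve the step-size scalar
                rho, stalled = rho / 2.0, 0
        # Subgradient component i: violation of relaxed constraint i.
        f = [1 - sum(COVERS[i][j] * x[j] for j in range(len(x)))
             for i in range(len(COVERS))]
        norm_sq = sum(g * g for g in f)
        if norm_sq == 0:                        # every relaxed constraint is tight
            break
        alpha = rho * (upper_bound - z_d) / norm_sq
        # Multipliers of inequality constraints are projected back onto u >= 0.
        u = [max(0.0, u_i + alpha * g) for u_i, g in zip(u, f)]
    return best_lb, best_u, history


if __name__ == "__main__":
    # Any two monitoring points watch all three paths, so 4.0 is a primal upper bound.
    lb, u, hist = subgradient(upper_bound=4.0)
    print(f"best lower bound {lb:.6f} with multipliers {u}")
```

On this data the loop oscillates with $\rho = 2$ and $\rho = 1$ and only reaches the dual optimum of 3 after the second halving, which is why the improvement counter matters.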

3.5 Getting Primal Feasible Solution

From the solutions to (LR 1) and the multipliers obtained from (D 1), we get hints for a heuristic designed and implemented to improve the solution quality of (IP 2). The concept of the proposed heuristic is described below.

The algorithm we devise is derived from the solutions of $b_i$, $x_p$, and $u_i^6$ in the dual problem. The $b_i$ we obtain from (SUB2) serves as the initial budget allocation strategy for the defender. We observe that the multiplier $u_i^6$ represents the importance of each node: the more important node $i$ is, the bigger its multiplier $u_i^6$. Hence, if the budget the defender has allocated exceeds the total budget, we remove budget from the node $i$ that has the minimum $u_i^6$. Conversely, if the budget allocated to the network is less than the total budget, we add budget to the node $i$ that has the maximum $u_i^6$ and has not yet reached its budget limit.

The $x_p$ we derive from (SUB1), the attack path the attacker chooses, is the critical path of the network. We take budget $a_i = \left[ \dfrac{\max(u_i^6) - u_i^6}{\sum_{i \in N} u_i^6} \times B \right]$ from a node that is not on the critical path and has been allocated budget, and give it to a node that is on that path and has not reached its budget limit. Through this process the critical path of the network becomes stronger than before, and the compromise probability from the source node to the core node decreases.

Table 3 - 1 Heuristic for the Model

Step 1. Allocating budget $b_i$ to each node, where $b_i$ is derived by (SUB2), $i \in N$.

Step 2. Checking the budget allocated on the network to meet the constraint.

Step 3. Choosing the path $x_p$ derived by (SUB 1) as the attack path.

Step 4. Moving budget $a_i = \left[ \dfrac{\max(u_i^6) - u_i^6}{\sum_{i \in N} u_i^6} \times B \right]$ from a node which is not on the attack path to a node which is on it, $i \in N$, if node $i$ was allocated budget $b_i$ and $b_i > 0$ at step 1.
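One way to carry out the four steps of Table 3-1, as an added example that is not the thesis's own code. The inputs stand in for quantities the thesis obtains elsewhere ($b_i$ from (SUB2), the attack path from (SUB1), $u_i^6$ from the dual problem); the sample numbers, the function names, the tie-breaking order and the reading of the square brackets in $a_i$ as plain grouping are assumptions.

```python
"""Budget repair and reallocation following the steps of Table 3-1 (added example).

All numbers are constructed. Node indices are positions in the lists.
"""


def repair_budget(b, u6, cap, total):
    """Step 2: make sum(b) equal the total budget B without exceeding node caps."""
    b = list(b)
    excess = sum(b) - total
    # Over budget: strip budget from the least important nodes (smallest u6) first.
    for i in sorted(range(len(b)), key=lambda n: u6[n]):
        if excess <= 1e-12:
            break
        cut = min(b[i], excess)
        b[i] -= cut
        excess -= cut
    # Under budget: top up the most important nodes (largest u6) that have room.
    for i in sorted(range(len(b)), key=lambda n: -u6[n]):
        if excess >= -1e-12:
            break
        add = min(cap[i] - b[i], -excess)
        b[i] += add
        excess += add
    return b


def shift_to_path(b, u6, cap, total, path):
    """Step 4: move a_i = (max(u6) - u6_i) / sum(u6) * B from each funded
    off-path node to on-path nodes that are still below their cap."""
    b = list(b)
    # Assumption: on-path nodes are filled in order of decreasing multiplier.
    on_path = sorted(path, key=lambda n: -u6[n])
    for i in range(len(b)):
        if i in path or b[i] <= 0:
            continue
        a_i = min(b[i], (max(u6) - u6[i]) / sum(u6) * total)
        for j in on_path:
            moved = min(a_i, cap[j] - b[j])
            b[i] -= moved
            b[j] += moved
            a_i -= moved
            if a_i <= 1e-12:
                break
    return b


def heuristic(b_sub2, u6, cap, total, path):
    """Steps 1 to 4 of Table 3-1 on given (SUB2) and (SUB1) outputs."""
    return shift_to_path(repair_budget(b_sub2, u6, cap, total), u6, cap, total, path)


if __name__ == "__main__":
    # Constructed case: five nodes, cap 4 per node, total budget 10,
    # (SUB2) over-allocates 14 units, attack path visits nodes 0 and 2.
    print(heuristic([4.0, 4.0, 3.0, 2.0, 1.0], [0.5, 0.1, 0.3, 0.06, 0.04],
                    [4.0] * 5, 10.0, [0, 2]))
```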


Chapter 4 Computational Experiments

4.1 Simple Algorithms

We implement two simple algorithms, a popularity-based and a greedy-based budget allocation strategy, to demonstrate that the heuristic we propose is effective.

As with the heuristic we describe in Chapter 3, the popularity-based budget allocation strategy dispenses budget according to the accumulated compromised frequency of each node that appears on the candidate paths. Generally, the more times a node is compromised, the more important it is; hence we assign more budget to it. The budget we allocate to node $i$, $b_i$, is $\max\left( \dfrac{f_i'}{f_{total}'} \times B,\ \max\{B_i\} \right)$, where $f_i'$ is the accumulated compromised frequency of node $i$ in this simple algorithm 1, denoted as SA1, and $f_{total}'$ is the sum of the accumulated compromised frequencies of all nodes in SA1. If some budget is still left, we randomly allocate the remainder to the nodes that do not yet have any defense resource, so that they can construct defense mechanisms.

Simple algorithm 2, denoted as SA2, which is also compared with our heuristic, is a greedy-based budget allocation strategy whereby the node with the smallest compromise probability from the source node to the core node is allocated budget first. Because the budget we can dispense to each node is limited, the maximum budget of node $i$ is $\max\{B_i\}$. This algorithm finishes when all of the defender's total budget is allocated.

4.2 Experiment Environment

The algorithm we propose is written in C++ and coded with Dev-C++; it runs on a PC with an INTEL™ Pentium-4 2.40 GHz CPU and 512 MB RAM. The Iteration Counter Limit and the Improvement Counter Limit are set to 10000 and 250. The step size scalar, λ, is initialized to 2 and is halved when the number of iterations in which the objective function value, $Z_D$, does not improve reaches the Improvement Counter Limit.

We choose two popular kinds of network topology that accord with real networks as attack targets. The first is a grid network, which with p nodes along one side has p×p nodes in total [16]. The other is a random network, in which the probability that two nodes are connected is random and uniform [17].

Because of the marginal effect, the mean function, $\mu_i(b_i)$, and the variance function, $\sigma_i(b_i)^2$, are defined as concave functions. In the real world, a network with many nodes but no allocated budget would not have more defense power than a network with fewer nodes but some budget. To incorporate this characteristic, the initial values of the two functions, $\mu_0$ and $\sigma_0^2$, must not be so large that they violate it.

More details of the experimental parameters are shown in Table 4-1.


Table 4 - 1 Experiment Parameter Settings

Parameter of LR

| Parameter | Value |
|---|---|
| Iteration Counter Limit | 5000 |
| Improvement Counter Limit | 200 |
| Initial Upper Bound | 0 |
| Initial Multiplier Value | u1 = u2 = u3 = u4 = u5 = u6 = u7 = 0 |
| Initial Scalar of Step Size λ | 2 |

Test Platform

CPU: INTEL™ Pentium-4 2.40 GHz

RAM: 512 MB

OS: Microsoft Windows XP SP2

Parameter of the Model

| Parameter | Value |
|---|---|
| Number of Nodes, \|N\| | 9, 25 |
| Network Topology | Grid networks, Random networks |
| Time, T | 2.5 ~ 20 |
| Budget, B | Grid: 20, 25, 30; Random: 5, 10, 15, 20, 25, 30 |
| Mean function, $\mu_i(b_i)$ | $\mu_i(b_i) = 1.3 \ln(1.3\, b_i + 1) + 0.11$, where $b_i$ is the budget allocated to node $i$, $\forall i \in N$ |
| Variance function, $\sigma_i(b_i)^2$ | $\sigma_i(b_i)^2 = 1.3 \ln(1.3\, b_i + 1) + 0.01$, where $b_i$ is the budget allocated to node $i$, $\forall i \in N$ |


4.3 Experiment Results

LR represents the compromise probability obtained by the heuristic we propose, and LB indicates a lower bound obtained from (LR1). The gap between LR and LB, used to evaluate the quality of LR, is calculated by $\dfrac{LB - LR}{LR} \times 100\%$; the improvement ratios of LR to SA1 and SA2 are calculated by $\dfrac{LR - SA_1}{SA_1} \times 100\%$ and $\dfrac{LR - SA_2}{SA_2} \times 100\%$.


Table 4 - 2 Experiment Results of Grid Network ( |N| = 9 )

| Budget | Time | LR | LB | Gap (%) | SA1 | Imp. R. to SA1 (%) | SA2 | Imp. R. to SA2 (%) |
|---|---|---|---|---|---|---|---|---|
| 20 | 2.5 | 0.000000 | 0.000000 | 0.00 | 0.000000 | 0.00 | 0.000000 | 0.00 |
| 20 | 5 | 0.051500 | 0.026859 | 47.85 | 0.051500 | 0.00 | 0.158745 | 67.56 |
| 20 | 7.5 | 0.233279 | 0.192291 | 17.57 | 0.233279 | 0.00 | 0.475315 | 50.92 |
| 20 | 10 | 0.525892 | 0.394229 | 25.04 | 0.538458 | 2.33 | 0.808397 | 34.95 |
| 20 | 12.5 | 0.811826 | 0.608574 | 25.04 | 0.821334 | 1.16 | 0.964535 | 15.83 |
| 20 | 15 | 0.955841 | 0.809985 | 15.26 | 0.959453 | 0.38 | 0.996927 | 4.12 |
| 20 | 17.5 | 0.994199 | 0.943722 | 5.08 | 0.994890 | 0.07 | 0.999880 | 0.57 |
| 20 | 20 | 0.999587 | 0.988902 | 1.07 | 0.999653 | 0.01 | 0.999998 | 0.04 |
| 25 | 2.5 | 0.000000 | 0.000000 | 0.00 | 0.000000 | 0.00 | 0.000000 | 0.00 |
| 25 | 5 | 0.013924 | 0.000303 | 97.82 | 0.037238 | 62.61 | 0.066146 | 78.95 |
| 25 | 7.5 | 0.149934 | 0.129941 | 13.33 | 0.199660 | 24.91 | 0.268791 | 44.22 |
| 25 | 10 | 0.399889 | 0.334734 | 16.29 | 0.486124 | 17.74 | 0.589064 | 32.11 |
| 25 | 12.5 | 0.700140 | 0.573440 | 18.10 | 0.779870 | 10.22 | 0.856881 | 18.29 |
| 25 | 15 | 0.903751 | 0.796167 | 11.90 | 0.942751 | 4.14 | 0.971784 | 7.00 |
| 25 | 17.5 | 0.981313 | 0.941364 | 4.07 | 0.991457 | 1.02 | 0.997011 | 1.57 |
| 25 | 20 | 0.997882 | 0.987729 | 1.02 | 0.999292 | 0.14 | 0.999835 | 0.20 |
| 30 | 2.5 | 0.000000 | 0.000000 | 0.00 | 0.000000 | 0.00 | 0.000000 | 0.00 |
| 30 | 5 | 0.000000 | 0.000000 | 0.00 | 0.004016 | 100.00 | 0.004016 | 100.00 |
| 30 | 7.5 | 0.101712 | 0.093571 | 8.00 | 0.131732 | 22.79 | 0.131732 | 22.79 |
| 30 | 10 | 0.296311 | 0.283188 | 4.43 | 0.365481 | 18.93 | 0.365481 | 18.93 |
| 30 | 12.5 | 0.594121 | 0.537707 | 9.50 | 0.663970 | 10.52 | 0.663970 | 10.52 |
| 30 | 15 | 0.837708 | 0.792037 | 5.45 | 0.883065 | 5.14 | 0.883065 | 5.14 |
| 30 | 17.5 | 0.958363 | 0.937134 | 2.22 | 0.974860 | 1.69 | 0.974860 | 1.69 |
| 30 | 20 | 0.993411 | 0.987262 | 0.62 | 0.996782 | 0.34 | 0.996782 | 0.34 |


Table 4 - 3 Experiment Results of Random Network ( |N| = 9 )

| Budget | Time | LR | LB | Gap (%) | SA1 | Imp. R. to SA1 (%) | SA2 | Imp. R. to SA2 (%) |
|---|---|---|---|---|---|---|---|---|
| 5 | 2.5 | 0.142353 | 0.114240 | 19.75 | 0.275634 | 48.35 | 0.142353 | 0.00 |
| 5 | 5 | 0.548481 | 0.436925 | 20.34 | 0.783825 | 30.03 | 0.548481 | 0.00 |
| 5 | 7.5 | 0.904537 | 0.687764 | 23.97 | 0.984841 | 8.15 | 0.904537 | 0.00 |
| 5 | 10 | 0.993682 | 0.893309 | 10.10 | 0.999805 | 0.61 | 0.993682 | 0.00 |
| 5 | 12.5 | 0.999883 | 0.981595 | 1.83 | 1.000000 | 0.01 | 0.999883 | 0.00 |
| 5 | 15 | 0.999999 | 0.998519 | 0.15 | 1.000000 | 0.00 | 0.999999 | 0.00 |
| 5 | 17.5 | 1.000000 | 0.999947 | 0.01 | 1.000000 | 0.00 | 1.000000 | 0.00 |
| 5 | 20 | 1.000000 | 0.999999 | 0.00 | 1.000000 | 0.00 | 1.000000 | 0.00 |
| 10 | 2.5 | 0.030389 | 0.011736 | 61.38 | 0.100796 | 69.85 | 0.030389 | 0.00 |
| 10 | 5 | 0.236336 | 0.208038 | 11.97 | 0.442252 | 46.56 | 0.236336 | 0.00 |
| 10 | 7.5 | 0.602791 | 0.526778 | 12.61 | 0.833956 | 27.72 | 0.602791 | 0.00 |
| 10 | 10 | 0.892255 | 0.833036 | 6.64 | 0.981470 | 9.09 | 0.892255 | 0.00 |
| 10 | 12.5 | 0.986676 | 0.971136 | 1.57 | 0.999313 | 1.26 | 0.986676 | 0.00 |
| 10 | 15 | 0.999300 | 0.997650 | 0.17 | 0.999992 | 0.07 | 0.999300 | 0.00 |
| 10 | 17.5 | 0.999985 | 0.999915 | 0.01 | 1.000000 | 0.00 | 0.999985 | 0.00 |
| 10 | 20 | 1.000000 | 0.999999 | 0.00 | 1.000000 | 0.00 | 1.000000 | 0.00 |
| 15 | 2.5 | 0.008146 | 0.002483 | 69.52 | 0.042162 | 80.68 | 0.008146 | 0.00 |
| 15 | 5 | 0.179497 | 0.174524 | 2.77 | 0.270065 | 33.54 | 0.179497 | 0.00 |
| 15 | 7.5 | 0.508097 | 0.508092 | 0.00 | 0.651539 | 22.02 | 0.508097 | 0.00 |
| 15 | 10 | 0.830343 | 0.830342 | 0.00 | 0.917924 | 9.54 | 0.830343 | 0.00 |
| 15 | 12.5 | 0.970671 | 0.970671 | 0.00 | 0.991645 | 2.12 | 0.970671 | 0.00 |
| 15 | 15 | 0.997643 | 0.997643 | 0.00 | 0.999657 | 0.20 | 0.997643 | 0.00 |
| 15 | 17.5 | 0.999915 | 0.999915 | 0.00 | 0.999994 | 0.01 | 0.999915 | 0.00 |
| 15 | 20 | 0.999999 | 0.999999 | 0.00 | 1.000000 | 0.00 | 0.999999 | 0.00 |
| 20 | 2.5 | 0.008146 | 0.002483 | 69.52 | 0.008146 | 0.00 | 0.008146 | 0.00 |
| 20 | 5 | 0.179497 | 0.174524 | 2.77 | 0.179497 | 0.00 | 0.179497 | 0.00 |
| 20 | 7.5 | 0.508097 | 0.508092 | 0.00 | 0.508097 | 0.00 | 0.508097 | 0.00 |
| 20 | 10 | 0.830343 | 0.830342 | 0.00 | 0.830343 | 0.00 | 0.830343 | 0.00 |
| 20 | 12.5 | 0.970671 | 0.970671 | 0.00 | 0.970671 | 0.00 | 0.970671 | 0.00 |
| 20 | 15 | 0.997643 | 0.997643 | 0.00 | 0.997643 | 0.00 | 0.997643 | 0.00 |
| 20 | 17.5 | 0.999915 | 0.999915 | 0.00 | 0.999915 | 0.00 | 0.999915 | 0.00 |
| 20 | 20 | 0.999999 | 0.999999 | 0.00 | 0.999999 | 0.00 | 0.999999 | 0.00 |
| 25 | 2.5 | 0.008146 | 0.002483 | 69.52 | 0.008146 | 0.00 | 0.008146 | 0.00 |
| 25 | 5 | 0.179497 | 0.174524 | 2.77 | 0.179497 | 0.00 | 0.179497 | 0.00 |
| 25 | 7.5 | 0.508097 | 0.508092 | 0.00 | 0.508097 | 0.00 | 0.508097 | 0.00 |
| 25 | 10 | 0.830343 | 0.830342 | 0.00 | 0.830343 | 0.00 | 0.830343 | 0.00 |
| 25 | 12.5 | 0.970671 | 0.970671 | 0.00 | 0.970671 | 0.00 | 0.970671 | 0.00 |
| 25 | 15 | 0.997643 | 0.997643 | 0.00 | 0.997643 | 0.00 | 0.997643 | 0.00 |
| 25 | 17.5 | 0.999915 | 0.999915 | 0.00 | 0.999915 | 0.00 | 0.999915 | 0.00 |
| 25 | 20 | 0.999999 | 0.999999 | 0.00 | 0.999999 | 0.00 | 0.999999 | 0.00 |
| 30 | 2.5 | 0.008146 | 0.002483 | 69.52 | 0.008146 | 0.00 | 0.008146 | 0.00 |
| 30 | 5 | 0.179497 | 0.174524 | 2.77 | 0.179497 | 0.00 | 0.179497 | 0.00 |
| 30 | 7.5 | 0.508097 | 0.508092 | 0.00 | 0.508097 | 0.00 | 0.508097 | 0.00 |
| 30 | 10 | 0.830343 | 0.830342 | 0.00 | 0.830343 | 0.00 | 0.830343 | 0.00 |
| 30 | 12.5 | 0.970671 | 0.970671 | 0.00 | 0.970671 | 0.00 | 0.970671 | 0.00 |
| 30 | 15 | 0.997643 | 0.997643 | 0.00 | 0.997643 | 0.00 | 0.997643 | 0.00 |
| 30 | 17.5 | 0.999915 | 0.999915 | 0.00 | 0.999915 | 0.00 | 0.999915 | 0.00 |
| 30 | 20 | 0.999999 | 0.999999 | 0.00 | 0.999999 | 0.00 | 0.999999 | 0.00 |


Table 4 - 4 Experiment Results with 30 Budget ( |N| = 25 )

| Network Topology | Time | LR | LB | Gap (%) | SA1 | Imp. R. to SA1 (%) | SA2 | Imp. R. to SA2 (%) |
|---|---|---|---|---|---|---|---|---|
| Grid | 2.5 | 0 | 0 | 0.00 | 0 | 0.00 | 0 | 0.00 |
| Grid | 5 | 0 | 0 | 0.00 | 0.008578 | 100.00 | 0.019746 | 100.00 |
| Grid | 7.5 | 0.046776 | 0 | 0.00 | 0.144887 | 67.72 | 0.167204 | 72.02 |
| Grid | 10 | 0.193235 | 0 | 0.00 | 0.397629 | 51.40 | 0.438668 | 55.95 |
| Grid | 12.5 | 0.438692 | 0.027709 | 1483.21 | 0.703465 | 37.64 | 0.743273 | 40.98 |
| Grid | 15 | 0.716562 | 0.04491 | 1495.55 | 0.907954 | 21.08 | 0.928031 | 22.79 |
| Grid | 17.5 | 0.901672 | 0.145253 | 520.76 | 0.983086 | 8.28 | 0.988369 | 8.77 |
| Grid | 20 | 0.977764 | 0.305606 | 219.94 | 0.998227 | 2.05 | 0.998954 | 2.12 |
| Random | 2.5 | 0.000000 | 0.000000 | 0.00 | 0.000000 | 0.00 | 0.000000 | 0.00 |
| Random | 5 | 0.044755 | 0.044755 | 0.00 | 0.117928 | 62.05 | 0.044755 | 0.00 |
| Random | 7.5 | 0.215477 | 0.215477 | 0.00 | 0.387539 | 44.40 | 0.215477 | 0.00 |
| Random | 10 | 0.509349 | 0.509349 | 0.00 | 0.726932 | 29.93 | 0.509349 | 0.00 |
| Random | 12.5 | 0.797681 | 0.797681 | 0.00 | 0.932260 | 14.44 | 0.797681 | 0.00 |
| Random | 15 | 0.949839 | 0.949839 | 0.00 | 0.991393 | 4.19 | 0.949839 | 0.00 |
| Random | 17.5 | 0.992921 | 0.992921 | 0.00 | 0.999465 | 0.65 | 0.992921 | 0.00 |
| Random | 20 | 0.999449 | 0.999449 | 0.00 | 0.999984 | 0.05 | 0.999449 | 0.00 |


Figure 4 - 1 Compromise Probability of the Grid Network with 20 Budget (|N|=9)

[Plot: Compromise Probability (0.0 to 1.0) versus Time (2.5 to 20); series LR, LB, SA1, SA2]

Figure 4 - 2 Compromise Probability of the Grid Network with 25 Budget (|N|=9)

[Plot: Compromise Probability (0.0 to 1.0) versus Time (2.5 to 20); series LR, LB, SA1, SA2]


Figure 4 - 3 Compromise Probability of the Grid Network with 30 Budget (|N|=9)

[Plot: Compromise Probability (0.0 to 1.0) versus Time (2.5 to 20); series LR, LB, SA1, SA2]

Figure 4 - 4 Compromise Probability of the Grid Network with Different Budget (|N|=9)

[Plot: Compromise Probability (0.0 to 1.0) versus Time (2.5 to 20); series Budget 20, Budget 25, Budget 30]


Figure 4 - 5 Compromise Probability of the Grid Network with Different Topology Size (30 Budget)

[Plot: Compromise Probability (0.00 to 1.00) versus Time (2.5 to 20); series Grid 9, Grid 25]

Figure 4 - 6 Compromise Probability of the Random Network with 5 Budget (|N|=9)

[Plot: Compromise Probability (0.0 to 1.0) versus Time (2.5 to 20); series LR, LB, SA1, SA2]


Figure 4 - 7 Compromise Probability of the Random Network with 10 Budget (|N|=9)

[Plot: Compromise Probability (0.0 to 1.0) versus Time (2.5 to 20); series LR, LB, SA1, SA2]

Figure 4 - 8 Compromise Probability of the Random Network with 15 Budget (|N|=9)

[Plot: Compromise Probability (0.0 to 1.0) versus Time (2.5 to 20); series LR, LB, SA1, SA2]


Figure 4 - 9 Compromise Probability of the Random Network with 20 Budget (|N|=9)

[Plot: Compromise Probability (0.0 to 1.0) versus Time (2.5 to 20); series LR, LB, SA1, SA2]

Figure 4 - 10 Compromise Probability of the Random Network with Different Budget (|N|=9)

[Plot: Compromise Probability (0.0 to 1.0) versus Time (2.5 to 20); series Budget 5, Budget 10, Budget 15, Budget 20, Budget 25, Budget 30]


Figure 4 - 11 Compromise Probability of the Random Network with Different Topology Size (30 Budget)

[Plot: Compromise Probability (0.00 to 1.00) versus Time (2.5 to 20); series Random 9, Random 25]

Figure 4 - 12 Compromise Probability with Different Budget and Topologies (|N|=9)

[Plot: Compromise Probability (0 to 1) versus Time (2.5 to 20); series Grid 20, Grid 25, Grid 30, Random 20, Random 25, Random 30]


4.4 Discussion of Results

Figures 4-1 to 4-4 show the compromise probability of the grid network under the different total budgets the defender has. We make several observations on these figures. The first is that the compromise probability from the source node to the destination node increases continually as time goes by, and the core node is penetrated in the end. The next is that the heuristic we propose gives results closer to the LB obtained by (LR1) than SA1 and SA2 do, and has a smaller gap to the optimal objective function value. The last, from Figure 4-4, is that the more budget we allocate to this network, the lower the compromise probability attackers achieve.

Figures 4-6 to 4-9 show the compromise probability of the random network under different total budgets. As we observe in the grid network, the compromise probability of this network still rises continually, and the core node is intruded in the course of time. The major distinction from the grid network is that the compromise probability cannot be improved once the budget a defender can allocate exceeds 15 units. The reason for this special situation is that this network has a shortest path from the source node to the core node. When every node on this critical path has been allocated its maximum budget and an attacker still chooses it as the attack path, the compromise probability of this kind of network has a limit. Therefore, the remainder of the total budget should be allocated to other uses.

Figure 4-12 compares the grid network with the random network under different total budgets, and we observe that the compromise probability of the grid network is smaller than that of the random network. This is because the grid network has a larger diameter than the random network: an attacker trying to penetrate the grid network needs to pass through more hubs than in the random network. Thus we see the advantage of defense-in-depth, and this condition also shows in Figures 4-5 and 4-11.
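The two effects discussed above (a compromise probability limit on a capped critical path, and the benefit of a longer path), as an added example that is not the thesis's own code. It assumes that the time to compromise node $i$ is normally distributed with the Table 4-1 mean and variance, that node times are independent, and that a path is compromised by time $T$ with probability $\Phi\big((T - \sum \mu_i) / \sqrt{\sum \sigma_i^2}\big)$; the path lengths, the cap of 4 units per node and the even split of budget are constructed for illustration.

```python
"""Compromise probability of an attack path under the Table 4-1 node functions.

Assumptions: independent, normally distributed per-node compromise times;
path lengths, the per-node cap and the even budget split are constructed.
"""
import math


def mean_time(b):
    """mu_i(b_i) = 1.3 ln(1.3 b_i + 1) + 0.11 (Table 4-1)."""
    return 1.3 * math.log(1.3 * b + 1.0) + 0.11


def variance_time(b):
    """sigma_i(b_i)^2 = 1.3 ln(1.3 b_i + 1) + 0.01 (Table 4-1)."""
    return 1.3 * math.log(1.3 * b + 1.0) + 0.01


def compromise_probability(t, budgets):
    """P(a path whose nodes hold the given budgets is fully compromised by time t)."""
    m = sum(mean_time(b) for b in budgets)
    s = math.sqrt(sum(variance_time(b) for b in budgets))
    return 0.5 * (1.0 + math.erf((t - m) / (s * math.sqrt(2.0))))


def capped_even_split(total, hops, cap):
    """Spread the total budget evenly over the path, never above the node cap."""
    return [min(total / hops, cap)] * hops


def sweep(hops, cap, totals, t):
    """Compromise probability at time t for each total budget in totals."""
    return {B: compromise_probability(t, capped_even_split(B, hops, cap))
            for B in totals}


if __name__ == "__main__":
    # Saturation: on a 3-hop critical path capped at 4 units per node,
    # nothing changes once the total budget reaches 12.
    for B, p in sweep(hops=3, cap=4.0, totals=[5, 10, 15, 20, 30], t=10.0).items():
        print(f"3 hops, B={B:>2}: P(T=10) = {p:.6f}")
    # Defense in depth: the same 12 units spread over more hops.
    for hops in (3, 4, 5):
        p = compromise_probability(10.0, capped_even_split(12.0, hops, 4.0))
        print(f"{hops} hops, B=12: P(T=10) = {p:.6f}")
```

With three hops at 4 units each, this model gives about 0.5081 at T = 7.5 and 0.8303 at T = 10, the values Table 4-3 reports for the random network once the budget is 15 or more.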


Chapter 5 Conclusion and Future Work

5.1 Conclusion

Although it is improbable that attackers can be prevented from penetrating networks, defenders can establish defense mechanisms for networks through a defense resource allocation strategy. With a good budget allocation for a network, we can decrease the compromise probability of the core node; in other words, the survival probability of the targeted node is increased. Hence, we have more chance to detect, alert on, and respond to attacks.

In this thesis we use attack-defense behavior to describe the targeted attack. While an attacker intends to maximize the compromise probability from the source node to the core node by choosing an attack path, a defender tries to minimize it by allocating resources well.

Providing more resources does not always decrease the compromise probability for some networks; this means that the compromise probability of this kind of network has a limit. Therefore, it is sufficient for the defender to offer just enough budget for the network, and the remainder should be allocated to other uses or used to support other networks.

Although raising the total resources of networks is a good way to defend against intrusions, another way to reduce their compromise probability is to increase the depth of the networks. The more steps an attacker needs to pass, the more time he spends and the more likely he is to be detected. Hence, adding an extra defense device on the critical path of a network is another choice for increasing the survival time of the core node.

The main contribution of this research is the combination of a single core node, probability, and survival time, for which we propose a mathematical model that formulates a complex problem well. Although some papers already discuss the single core node problem and measure network survivability by probability, we proceed from a new dimension, “time”. This research gives the defender a budget allocation strategy that reduces the compromise probability of the core node under different considerations of time slot, and lets the defender know the probability that the core node is compromised within a time constraint upon intelligent and malicious attack.

5.2 Future Work

There are still several issues and topics that could be extended in further discussion; we describe them as follows.

Different kinds of operating system

According to the report gathered by SANS-ISC, UNIX systems’ survival time is much longer than Windows systems’ [5]. Nevertheless, UNIX systems are not as friendly for users as Windows systems. These two characteristics are a trade-off for defenders to adjust. Hence, we could replace only some Windows system nodes with UNIX systems to increase the survival time.

Figure 5 - 1 The Survival Time of UNIX and Windows system

Attacker experience

Through attacking networks, attackers learn something, such as attacking techniques, social engineering skills, etc. This kind of experience lets attackers penetrate the next node more easily than before, and should be reflected in the compromise probability distribution of each node. Therefore, we could add an attacker parameter that raises the compromise probability of each node on the attack path. We consider the effect of experience accumulated by the attacker along the attack process. More precisely, it is assumed that a discount factor is gained for each compromised node, and this discount factor affects the aforementioned CDF function (in the opposite direction to the allocated defense resource) of each subsequently attacked node.


Reference

[1] Lawrence A. Gordon, Martin P. Loeb, William Lucyshyn, and Robert Richardson, “CSI/FBI Computer Crime and Security Survey,” 2006

[2] Alex Shipp, “Targeted Trojan Attacks and Industrial Espionage,” Virus Bulletin Conference, 2006

[3] Yi-Luen Lin, “Near Optimal Protection Strategies against Targeted Attacks on the Core Node of a Network”

[4] Partha Pal, Franklin Webber, and Richard Schaniz, “Survival by Defense-Enable,” OASIS, 2003

[5] SANS-ISC (SysAdmin, Audit, Network, Security Institute - Internet Storm Center), http://isc.sans.org/survivalhistory.php

[6] Matt Loney and Robert Lemos, “Study: Unpatched PCs compromised in 20 minutes,” CNET News.com, Aug. 2004

[7] Zeid Nasser, “‘Survival Time’ must be increased!” http://zeidnasser.blogspot.com, Jun. 2005

[8] Fred Cohen, “Managing Network Security - Attack and Defense Strategies,” Network Security, Jul. 1999

[9] Kong-wei Lye and Jeannette M. Wing, “Game strategies in network security,” International Journal of Information Security, Vol. 4, No. 1-2, pp. 71-86, Feb. 2005

[10] Milton Abramowitz and Irene A. Stegun, “Normal or Gaussian Probability Function,” Handbook of Mathematical Functions with Formulas, Graphs, and Mathematical Tables, p. 931, 1964

[11] Malware-Test Lab, http://www.malware-test.com/

[12] Bracewell, R., “Convolution” and “Two-Dimensional Convolution,” The Fourier Transform and Its Applications, 3rd Ed., pp. 25-50 and 243-244, New York: McGraw-Hill, 1999

[13] Ravindra K. Ahuja, Thomas L. Magnanti, and James B. Orlin, “Lagrangian Relaxation and Network Optimization,” Network Flows: Theory, Algorithm, and Application, pp. 598-639, Prentice Hall, Inc., Jan. 1993

[14] Marshall L. Fisher, “The Lagrangian Relaxation Method for Solving Integer Programming Problems,” Management Science, Vol. 27, No. 1, pp. 1-18, Jan. 1981

[15] Marshall L. Fisher, “An Application Oriented Guide to Lagrangian Relaxation,” Interfaces, Vol. 15, No. 2, pp. 10-21, Apr. 1985

[16] Wasel Chemij, “Parallel Computer Taxonomy,” MPhil, Aberystwyth University, 1994

[17] Albert-Laszlo Barabasi and Reka Albert, “Emergence of Scaling in Random Networks,” Science, Vol. 286, pp. 509-512, Oct. 1999


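Curriculum Vitae

Name: Chun-Wei Chen (陳俊維)

Place of birth: Manila, Philippines

Date of birth: March 29, 1980 (year 69 of the Republic of China)

Education: September 2002 to June 2005 (September of ROC year 91 to June of ROC year 94)

National Central University, Department of Information Management

Department of Electrical Engineering

September 2005 to July 2007 (September of ROC year 94 to July of ROC year 96)

National Taiwan University, Graduate Institute of Information Management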
