Advisor: Dr. Yeong-Sung Lin (林永松) 【 Master Thesis 】 Oral Examination A Near-Optimal Redundancy Allocation Policy to Minimize System Vulnerability against Hazardous Events and.

Presentation transcript:

1 【 Master Thesis 】 Oral Examination
A Near-Optimal Redundancy Allocation Policy to Minimize System Vulnerability against Hazardous Events and Malicious Attacks
‧ Advisor: Dr. Yeong-Sung Lin (林永松)
‧ Graduate student: 江坤道
National Taiwan University, Graduate Institute of Information Management, Master's Thesis Oral Examination

2 Outline
‧ Introduction
‧ Problem Description & Formulation
‧ Solution Approach
‧ Computational Experiments
‧ Conclusion & Future Work

3 Outline
‧ Introduction
  ‧ Background
  ‧ Motivation
Introduction Problem Solution Experiments Conclusion

4 Background
‧ We are in an environment where hazardous events occur frequently and malicious attacks emerge in an endless stream.
‧ Hazardous events
  ‧ Natural disasters
  ‧ Man-made
‧ Modern organizations have become increasingly reliant on information technology.

5 CSI/FBI 2006 Computer Crime and Security Survey
‧ 2006: 313 respondents
‧ Total losses for 2006 = $52,494,290
‧ Source: Computer Security Institute

6 Motivation
‧ How to develop a solid redundancy allocation policy which supports continuous services.
‧ Research that considers hazardous events and targeted malicious attacks at the same time is scant.

7 Outline
‧ Problem
  ‧ Description
  ‧ Formulation
    ‧ RAPMA Model (Redundancy Allocation Problem considering Malicious Attacks)
    ‧ ARS Model (Attacking Redundancy Strategy)

8 Description
[Figure: example network under attack. Legend: Uncompromised Node (Primary); Attacked Node (Primary); Compromised Node (Primary); Secondary Component; Attacked Secondary Component; Non-attacked Secondary Component; Unreachable Link; Reachable Link; Link upon the Attack Tree]
Objective: maximize the vulnerability of the network when hazardous events occur.

9 Description
‧ Two scenarios in the real world
  ‧ Software
    ‧ Malicious attacks: manipulation of configuration files
    ‧ Hazardous events: power cut incurred by natural disasters
  ‧ Hardware
    ‧ Malicious attacks: malicious program making CPU overheated
    ‧ Hazardous events: breakdown of air conditioner in the server room

10 Description
‧ Two antithetical metrics
  ‧ Vulnerability of the network
    ‧ Total node vulnerability
    ‧ Node vulnerability = Total component vulnerability
    ‧ The network is compromised if no component is functional.
  ‧ Survivability of the network (1 - Vulnerability of the network)

11 Description
‧ Assumptions
  1. The attacker’s objective is to maximize the total vulnerability of the network against hazardous events.
  2. The defender’s objective is to minimize the total vulnerability by redundancy allocation.
  3. Both attacker and defender have complete information about the network topology.
  4. Both attacker and defender have resource budget limitations.
  5. Only node attack is considered.
  6. Only malicious attacks are considered.

12 Description
  7. Only AS-level networks are considered.
  8. A node is only subject to attack if a path exists from the attacker’s position to that node, and all the intermediate nodes on the path have been compromised.
  9. “A node is compromised” if and only if the primary component deployed to it is compromised by allocating more attack power than the minimum level.
  10. Failures of individual components are independent.
  11. All redundant components are in a hot-standby state.
  12. All redundant components which are compromised by the attacker are never repaired or detected.

13 Description
‧ Given
  1. Defense resource budget B.
  2. Attack resource budget A.
  3. The minimum attack power required to compromise a component.
  4. Attacker’s position s, which is connected to the target network.
  5. The network topology and the network size.
  6. The estimated probability of hazardous event d occurring.
  7. All available redundant components for node i to support operating function and provide failure tolerance.

14 Description
‧ Objective
  ‧ For attacker, to maximize the vulnerability against hazardous events.
  ‧ For defender, to minimize the maximized vulnerability against hazardous events.
‧ Subject to
  ‧ The total defense cost must be no more than B.
  ‧ The total attack cost must be no more than A.
  ‧ The node to be attacked must be connected to the existing attack tree.
‧ To determine
  ‧ Defender: redundancy allocation policy.
  ‧ Attacker: which nodes to attack, and attack power.
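
The attacker-side constraints above (budget A, connection to the existing attack tree) together with assumptions 8 and 9 can be checked mechanically when evaluating a candidate allocation in the model. The following Python sketch is an added example, not code from the thesis; the topology, the minimum-power values, the function names and the reading of "compromised" as power >= minimum level are all assumptions made for illustration.

```python
from collections import deque

def build_adjacency(edges):
    """Undirected adjacency map from a list of (u, v) links."""
    adj = {}
    for u, v in edges:
        adj.setdefault(u, set()).add(v)
        adj.setdefault(v, set()).add(u)
    return adj

def evaluate_attack_plan(adj, s, min_power, plan, budget_a):
    """Check an attacker decision against the slide's constraints.

    plan maps node -> attack power spent on that node's primary component.
    Returns the compromised set plus every constraint violation found.
    """
    # Assumption 9 (threshold read as power >= minimum level; an assumption).
    would_fall = {n for n, p in plan.items() if p >= min_power[n]}

    # Assumption 8: grow the attack tree outward from s, crossing only
    # nodes that are already compromised.
    compromised, attackable = set(), set()
    seen, queue = {s}, deque([s])
    while queue:
        cur = queue.popleft()
        for nxt in adj[cur]:
            if nxt in seen:
                continue
            seen.add(nxt)
            attackable.add(nxt)
            if nxt in would_fall:
                compromised.add(nxt)
                queue.append(nxt)

    spent = sum(plan.values())
    off_tree = sorted(n for n, p in plan.items() if p > 0 and n not in attackable)
    # Power that buys nothing: spent off the tree or below a node's threshold.
    wasted = sum(p for n, p in plan.items() if n not in compromised)
    return {
        "compromised": sorted(compromised),
        "over_budget": spent > budget_a,
        "off_tree_targets": off_tree,
        "wasted_power": wasted,
        "feasible": spent <= budget_a and not off_tree,
    }

# Constructed 5-node topology; s is the attacker's position.
EDGES = [("s", "a"), ("a", "b"), ("a", "c"), ("b", "d"), ("c", "d"), ("d", "e")]
MIN_POWER = {"a": 3, "b": 2, "c": 4, "d": 5, "e": 1}  # constructed values
ADJ = build_adjacency(EDGES)

if __name__ == "__main__":
    # d and e lie behind b and c, neither of which falls: plan is infeasible.
    print(evaluate_attack_plan(ADJ, "s", MIN_POWER, {"a": 3, "b": 1, "d": 5, "e": 1}, 10))
    # Same budget, but b is taken first, so d joins the attack tree.
    print(evaluate_attack_plan(ADJ, "s", MIN_POWER, {"a": 3, "b": 2, "d": 5}, 10))
```

The wasted_power figure is the quantity a defender would want an assumed attacker to reallocate before the resulting vulnerability is treated as a worst case.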

15 Formulation

16 Formulation (RAPMA)
“A node is compromised” if and only if the primary component deployed to it is compromised by allocating more attack power than the minimum level.

17 Formulation (RAPMA)

18 Formulation (RAPMA)

19 Formulation (ARS)

20 Formulation (ARS)

21 Outline
‧ Solution
  ‧ Solution Approach
  ‧ Lagrangean Relaxation
  ‧ Approach to ARS Model
  ‧ Approach to RAPMA Model

22 Solution Approach
‧ Lagrangean relaxation is applied to the ARS model.
  ‧ Attacking strategy
    ‧ Attack power
    ‧ Target components
‧ Defender adjusts redundancy allocation according to the attacking strategy to satisfy the RAPMA model.
  ‧ Redundancy allocation policy
    ‧ Components

23 Lagrangean Relaxation
[Figure: Lagrangean relaxation procedure. Labels: Primal Problem; Lagrangean Relaxation Problem; Subproblem; Lagrangean Dual Problem; Upper Bound; Lower Bound; Adjust Lagrangean Multipliers; LB, Optimal Objective Function Value, UB]

24 Approach to ARS Model
Subproblem 1
‧ Related to X_p (Attack Tree)
‧ Time Complexity: O(|N|^2), where N is the number of nodes.
Subproblem 2
‧ Related to y_i (Target)
‧ Time Complexity: O(|N|), where N is the number of nodes.
Subproblem 3
‧ Related to g_im (Attack Power)
‧ Time Complexity: O(A|C|^2), where C is the number of components, A is total attack power.

25 Approach to ARS Model: Getting Primal Feasible Solution
Step 1: Utilize the attack policy derived from Subproblem 1 as the initial solution.
Step 2: If the attack tree is available, go to Step 4; otherwise, go to Step 3.
Step 3: “Recycle” the wasted attack power, which is allocated to the leaf node, and re-allocate the recycled power to the uncompromised nodes according to the associated weight,.. Go to Step 2.
Step 4: Allocate residual power to reachable components according to their side effect.
[Figure labels: W=5, W=2, W=1]

26 Approach to RAPMA Model: Redundancy Allocation Policy
Step 1: Sort the nodes according to the associated weight,, in descending order.
Step 2: If the node survives, degrade and recycle allocated defense resources; otherwise, upgrade its protection level.
Step 3: Allocate residual resources to secondary components according to their side effect.
Step 4: A practical redundancy allocation policy is found.
[Figure labels: W=5, W=2, W=1, W=0]

27 Outline
‧ Experiments
  ‧ Environment
  ‧ Simple Algorithm
  ‧ Result

28 Environment (Scalability of ARS)
Parameters and values:
‧ Test Topology: Grid network; Random network; Cellular network
‧ Scale (number of nodes, number of components):
  ‧ 16 (Small), 16 * 5 = 80
  ‧ 64 (Medium), 64 * 5 = 320
  ‧ 196 (Large), 196 * 5 = 980
‧ Simple Algorithms: Minimum cost spanning tree (SA1); Greedy-based algorithm (SA2)

29 Environment (Applicability of ARS)
Parameters and values:
‧ Test Topology: Grid network; Random network; Tree network; Ring network; Star network; Cellular network
‧ Scale (number of nodes, number of components): 49, 49 * 5 = 245
‧ Simple Algorithms: Minimum cost spanning tree (SA1); Greedy-based algorithm (SA2)

30 Environment (Scalability of RAPMA)
Parameters and values:
‧ Test Topology: Grid network; Random network; Cellular network
‧ Scale (number of nodes, number of components):
  ‧ 16 (Small), 16 * 5 = 80
  ‧ 64 (Medium), 64 * 5 = 320
  ‧ 196 (Large), 196 * 5 = 980
‧ Budgets Reallocation: Uniform Budget Allocation (B1); Damage-based Budget Allocation (B2)

31 Environment (Applicability of RAPMA)
Parameters and values:
‧ Test Topology: Grid network; Random network; Tree network; Ring network; Star network; Cellular network
‧ Scale (number of nodes, number of components): 49, 49 * 5 = 245
‧ Budgets Reallocation: Uniform Budget Allocation (B1); Damage-based Budget Allocation (B2)

32 Simple Algorithm
‧ Minimum cost spanning tree (SA1)
  ‧ Applying Prim’s algorithm to construct the attack tree
  ‧ Edge weight:
  ‧ Similar to DFS algorithm
[Figure labels: 1, 1, 1/2, 1/3, 1/4, 1/2, 1/3, 1/2]

33 Simple Algorithm
‧ Greedy-based algorithm (SA2)
  ‧ Hill climbing
  ‧ Using only local information to obtain a local optimal solution

34 Result (Scalability of ARS)
Test Topology: Grid Network
Scale ARS SA1 SA2 (Vulnerability, GAP, MPI)
‧ Small: % 1.26% 12.86%
‧ Medium: % 8.17% 15.45%
‧ Large: % 4.12% 17.67%
Test Topology: Cellular Network
Scale ARS SA1 SA2 (Vulnerability, GAP, MPI)
‧ Small: % 2.56% 18.94%
‧ Medium: % 9.34% 19.25%
‧ Large: % 8.1% 18.11%

35 Result (Scalability of ARS)
Test Topology: Random Network
Scale ARS SA1 SA2 (Vulnerability, GAP, MPI)
‧ Small: % 5.24% 15.62%
‧ Medium: % 12.63% 25.29%
‧ Large: % 14.28% 26.45%

36 Result (Scalability of ARS)

37 Result (Applicability of ARS)

38 Result (Scalability of RAPMA)
Test Topology: Grid Network
Scale RAPMA B1 B2 (Survivability, MPI)
‧ Small: % 35.18%
‧ Medium: % 23.11%
‧ Large: % 6.02%
Test Topology: Cellular Network
Scale RAPMA B1 B2 (Survivability, MPI)
‧ Small: % 28.69%
‧ Medium: % 26.60%
‧ Large: % 11.63%

39 Result (Scalability of RAPMA)
Test Topology: Random Network
Scale RAPMA B1 B2 (Survivability, MPI)
‧ Small: % 28.69%
‧ Medium: % 26.60%
‧ Large: % 11.63%

40 Result (Scalability of RAPMA)

41 Result (Applicability of RAPMA)

42 Outline
‧ Conclusion
  ‧ Conclusion
  ‧ Contribution
  ‧ Future Work

43 Conclusion
‧ A practical approach is proposed to effectively solve RAP; therefore, continuous service can be realized.
‧ As a whole, a network with higher average degree is more robust.
‧ Defense-in-depth might be the best strategy in designing a robust network.

44 Contribution
‧ We propose a more robust framework which assists organizations in providing continuous service via redundancy allocation.
‧ From our survey of the literature, we might be the pioneer to consider malicious attacks and hazardous events at the same time.
‧ Besides, RAP is extended to the realm of network management.

45 Future Work
‧ Hazardous events occurring round by round.
  ‧ The sequential hazardous events can be extended to multiple rounds.
‧ Hazardous events occurring prior to targeted malicious attacks.
  ‧ Issue: how to determine which nodes will survive after the occurrence of hazardous events, such as fire, flood, and blizzard.

46 Thank you for listening