Research Direction Introduction Advisor : Frank, Y.S. Lin Presented by Yu Pu Wu.

Presentation transcript:

Research Direction Introduction Advisor : Frank, Y.S. Lin Presented by Yu Pu Wu

Agenda: Problem Description; Attack Decision; Mathematical Formulation

Problem Description
Collaborative attack.
Special defense resources: "Fake Traffic", "False Target" or "Dual Function" honeypots; virtualization; dynamic topology reconfiguration.
Objective: to minimize the maximized service compromised probability by adjusting the defense parameters of the planning and defending phases.

Attacker Objectives: service disruption; stealing confidential information.

[Figure: Commander & Attacker. One attack is composed of attack events (3 attack events shown), each carried out by an attacker group; the commander and the attackers are shown with the figure labels L, M and O.]

Attacker Attributes
Budget.
Capability.
Initial location: external attackers or malicious insiders.
Risk preference: risk avoidance (compromise) or risk tolerance (pretend to attack).

Selection Criteria
High defense resource: core node, confidential information.
Low defense resource: easy to compromise.
High traffic: might have a connection with a core node; might have connections with more nodes.
Reference: Fred Cohen, "Managing Network Security: Attack and Defense Strategies," Network Security, Volume 1999, Issue 7, pp. 7–11, July 1999.

[Figure: example network with nodes A to O; the numbers are defense resource values, x marks a false target honeypot and y a fake traffic honeypot. The same figure is repeated on the following slides.]

Period in attack
Early stage: low defense resource, high traffic.
Late stage: low defense, high defense.
Number of attackers for each attack event: choose the ideal attacker(s) for each attack event according to budget, number of attack events, capability and risk preference.

Compromised Scenario
[Figure legend: A = core node with local defense; numbers = defense resource; malicious insider; honeypot X = false target, Y = fake traffic.]

[Figure: the compromised scenario played out step by step on the example network (nodes A to O); the repeated slides show the same figure at successive steps.]

Assumptions
1. The defender has complete information about the network, for example topology, defense resource allocation and node attributes.
2. Both commanders and attackers have incomplete information about the network.
3. There are multiple core nodes providing a service in the network.
4. Each service has a different weight, determined by the defender.
5. One virtual machine provides only one service.
6. Only malicious nodal attacks are considered.
7. Whether an attack succeeds is determined by the Contest Success Function (CSF).

8. There are many attack events in an attack.
9. Each attack group launches one attack.
10. Every attacker belongs to only one attack group.
11. A fake traffic honeypot must be equipped with the fake traffic generating function.
12. The throughput of fake traffic delivered by one fake traffic generating honeypot must not exceed its maximum achievable throughput.
13. The reconfiguration initial point and the reconfigured node must be equipped with the reconfiguration function.
14. Only virtualized nodes and virtual machine monitors (VMMs) can activate the local defense mechanism.

Mathematical Formulation
Objective: to minimize the maximized service compromised probability.
Given: total defense budget; the cost of constructing each defense mechanism; virtualization cost; service priority.
To be determined: attack and defense configurations; budget spent on constructing nodes and links; general and special defense resources.

Given Parameters
N: the index set of all nodes
C: the index set of all core nodes
L: the index set of all links
S: the index set of all types of services
M: the index set of all levels of virtual machine monitors (VMMs)
H: the index set of all types of honeypots
P: the index set of candidate nodes equipped with the false target function
Q: the index set of candidate nodes equipped with the fake traffic generating function
R: the index set of candidate nodes equipped with both the false target and the fake traffic generating function

Given Parameters (cont.)
B: the defender's total budget
w: the cost of constructing one intermediate node
o: the cost of constructing one core node
p: the cost of each virtual machine (VM)
r: the cost of constructing a reconfiguration function on one node

Given Parameters (cont.)
k: the maximum number of virtual machines on VMM level l, where k ∈ M
α_i: the weight of the i-th service, where i ∈ S
t_fail: the maximum time threshold to compromise one node
E: all possible defense configurations, including defense resource allocation and defending strategies
Z: all possible attack configurations, including the attackers' attributes, corresponding strategies and transition rules
F_i: the total number of attacks launched on the i-th service by all attackers, where i ∈ S
u_ij: the number of attackers in the attack group launching the j-th attack on service i, where 1 ≤ j ≤ F_i, i ∈ S
v_ij: the degree of collaboration of attack group j, which affects the effectiveness of synergy

[Table: number of attackers in an attack group. Attack groups 1 to 5 versus services 1 to 3, with V marking the services each group attacks: group 1 two services, group 2 one, group 3 all three, groups 4 and 5 two each. A second column lists the number of attackers per group.]

Number of attackers in an attack group: cost aspect
Attacker / Budget (first table): A 100; B 200; C 300; D 400
Attacker / Budget (second table): A 90; B 180; C 270; D (value not extracted)

[Figure: the degree of collaboration plotted against time.]

Decision Variables (symbols not recovered from the slide)
- A defense configuration, including defense resource allocation and defending strategies on the i-th service, where i ∈ S
- An instance of attack configuration, including the attackers' attributes, the commander's strategies and the transition rules, for the commander launching the j-th attack on the i-th service, where i ∈ S, 1 ≤ j ≤ F_i
- 1 if the commander achieves his goal successfully, and 0 otherwise, where i ∈ S, 1 ≤ j ≤ F_i

Decision Variables (cont.)
B_nodelink: the budget spent on constructing nodes and links
B_general: the budget spent on allocating general defense resources
B_special: the budget spent on deploying special defense resources
B_virtualization: the budget spent on virtualization
B_honeypot: the budget spent on honeypots
B_reconfiguration: the budget spent on reconfiguration functions

Decision Variables (cont.)
e: the total number of intermediate nodes
N_k: the general defense resources allocated to node k, where k ∈ N
q_mn: the capacity of the direct link between nodes m and n, where m ∈ N, n ∈ N
g(q_mn): the cost of constructing a link from node m to node n with capacity q_mn, where m ∈ N, n ∈ N
l_k: the number of VMMs of level k purchased, where k ∈ M
δ_n: the number of services that honeypot n can simulate, where n ∈ H
ε_n: the interactive capability of false target honeypot n, where n ∈ P
θ_n: the maximum throughput of fake traffic that fake traffic generator honeypot n can achieve, where n ∈ Q

Decision Variables (cont.)
v(l_p): the cost of VMM level p with l_p VMMs, where p ∈ M
h(δ_l, ε_l): the cost of constructing a false target honeypot with the given number of simulated services and interactive capability, where l ∈ P
f(δ_l, θ_l): the cost of constructing a fake traffic generator honeypot with the given number of simulated services and maximum achievable throughput of fake traffic, where l ∈ Q
t(δ_l, ε_l, θ_l): the cost of constructing a honeypot equipped with both the false target and the fake traffic generating function, with the given number of simulated services, interactive capability and maximum achievable throughput of fake traffic, where l ∈ R
x_k: 1 if node k is equipped with the false target function, and 0 otherwise, where k ∈ N
y_k: 1 if node k is equipped with the fake traffic generating function, and 0 otherwise, where k ∈ N
z_k: 1 if node k is equipped with the reconfiguration function, and 0 otherwise, where k ∈ N

Verbal Notation
G_core_k: loading of each core node k, where k ∈ C
U_link_k: link utilization of each link k, where k ∈ L
K_effect: negative effect caused by applying fake traffic adjustment
I_effect: negative effect caused by applying dynamic topology reconfiguration
J_effect: negative effect caused by applying local defense
O_tocore: the number of hops legitimate users experience from one boundary node to the destination
Y: the total number of compromise events
W_threshold: the predefined threshold regarding quality of service
W_final: the level of quality of service at the end of an attack
W(·): the value of quality of service, determined by several factors

Verbal Notation (cont.)
ρ_defense: the defense resource of the shortest path from the detected compromised nodes to one core node, divided by the total defense resource
τ_hops: the minimum number of hops from the detected compromised nodes to one core node, divided by the maximum number of hops from the attacker's starting position to one core node
ω_degree: the link degree of one core node, divided by the maximum link degree among all nodes in the topology
S_priority_i: the priority of service i provided by core nodes, divided by the maximum service priority among core nodes in the topology, where i ∈ S
β_threshold: the risk threshold of core nodes
β(·): the risk status of each core node, which is the aggregation of ρ_defense, τ_hops, ω_degree and S_priority_i

Objective Function

Mathematical Constraints (IP 1.1 to IP 1.4)
Direct link capacity constraints: q_ij ≥ 0
Honeypot type constraints: x_i + y_i ≥ 1

Mathematical Constraints (IP 1.5 to IP 1.10)
Budget constraints: B_nodelink ≥ 0; B_general ≥ 0; B_special ≥ 0
Constructing topology constraints: n_i ≥ 0; w × e ≥ 0; g(q_ij) ≥ 0

Mathematical Constraints (IP 1.11 to IP 1.15)
Budget constraints: B_nodelink ≥ 0; B_special ≥

Mathematical Constraints (IP 1.16 to IP 1.17): budget constraints

Mathematical Constraints (IP 1.18 to IP 1.24): special defense resource cost constraints

Verbal Constraints
QoS constraints (IP 1.25 to IP 1.27):
- The performance reduction caused by compromised core nodes and by activating honeypots, reconfiguration and virtualization during the defending phase must not make legitimate users' QoS satisfaction violate the IP constraint. (IP 1.26)
- At the end of an attack, W_final ≥ W_threshold. (IP 1.27)

Verbal Constraints (cont.)
Activation of defense mechanism constraints: (IP 1.28)
Reconfiguration constraints:
- The reconfiguration initial point must be a neighbor of the core node detected as risky. (IP 1.29)
- The defense resource of the reconfiguration initial point must be the minimum among all neighbors of the core node detected as risky. (IP 1.30)
- The reconfigured node must be a neighbor of the reconfiguration initial point and must not be a neighbor of the core node detected as risky. (IP 1.31)
- The defense resource of the reconfigured node must be the maximum among all neighbors of the reconfiguration initial point. (IP 1.32)
Local defense constraints:
- For each core node, the mechanism is activated when the attack event has been detected. (IP 1.33)
- The capacity of all links connecting the VMs with the VMM decreases by a certain ratio. (IP 1.34)
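The risk status β(·) from the verbal notation and the reconfiguration constraints IP 1.29 to IP 1.32 above, worked through as an added example that is not part of the presentation: the topology, defense values, threshold and weights are constructed, and the weighted-sum aggregation inside beta() is an assumption, since the slides only say β(·) aggregates ρ_defense, τ_hops, ω_degree and S_priority_i.

```python
from collections import deque

# Constructed example topology (undirected adjacency) and constructed general
# defense resource per node (N_k in the slides); all values are assumptions.
TOPOLOGY = {"A": ["B", "C"], "B": ["A", "D", "E"], "C": ["A", "E", "F"],
            "D": ["B", "G"], "E": ["B", "C", "G"], "F": ["C"], "G": ["D", "E"]}
DEFENSE = {"A": 9, "B": 2, "C": 4, "D": 3, "E": 6, "F": 1, "G": 2}
SERVICE_PRIORITY = {"A": 3}         # priority of the service on each core node
BETA_THRESHOLD = 0.5                # assumed value of beta_threshold
WEIGHTS = (0.25, 0.25, 0.25, 0.25)  # assumed aggregation weights for beta()

def bfs_from(graph, src):
    """Hop counts and predecessors (toward src) for every reachable node."""
    hops, pred, queue = {src: 0}, {}, deque([src])
    while queue:
        u = queue.popleft()
        for v in graph[u]:
            if v not in hops:
                hops[v], pred[v] = hops[u] + 1, u
                queue.append(v)
    return hops, pred

def risk_factors(graph, defense, core, compromised, attacker_start, priority):
    """rho_defense, tau_hops, omega_degree and S_priority for one core node."""
    hops, pred = bfs_from(graph, core)
    # rho_defense: defense resource along the shortest path from the detected
    # compromised node to the core (core included) over total defense resource.
    node, path_defense = compromised, 0
    while node != core:
        node = pred[node]
        path_defense += defense[node]
    rho = path_defense / sum(defense.values())
    # tau_hops: remaining hops to the core over the attacker's starting distance.
    tau = hops[compromised] / hops[attacker_start]
    # omega_degree: degree of the core over the maximum degree in the topology.
    omega = len(graph[core]) / max(len(adj) for adj in graph.values())
    # S_priority: service priority over the maximum priority among core nodes.
    s_prio = priority[core] / max(priority.values())
    return rho, tau, omega, s_prio

def beta(factors, weights=WEIGHTS):
    """Assumed aggregation: little path defense, few remaining hops, high
    degree and high priority all raise the risk status of the core node."""
    rho, tau, omega, s_prio = factors
    w1, w2, w3, w4 = weights
    return w1 * (1 - rho) + w2 * (1 - tau) + w3 * omega + w4 * s_prio

def select_reconfiguration(graph, defense, core, risk, threshold=BETA_THRESHOLD):
    """Apply IP 1.29 to IP 1.32 when beta() marks the core node as risky."""
    if risk <= threshold:
        return None
    core_neighbors = set(graph[core])
    # IP 1.29 / 1.30: initial point = core neighbor with the least defense.
    initial = min(sorted(core_neighbors), key=lambda n: defense[n])
    # IP 1.31 / 1.32: reconfigured node = neighbor of the initial point that is
    # neither the core nor a core neighbor, with the most defense resource.
    candidates = [n for n in sorted(graph[initial])
                  if n != core and n not in core_neighbors]
    return initial, (max(candidates, key=lambda n: defense[n]) if candidates else None)
```

With node D detected as compromised by an attacker that started at G, the core node A scores above the threshold, B is chosen as the initial point and E as the reconfigured node.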

THANKS FOR YOUR ATTENTION