Research Direction Introduction
Advisor: Frank, Yeong-Sung Lin
Presented by Hui-Yu, Chung
2011/11/22


Agenda
- Scenario Review
- Mathematical Formulation

Attack-Defense Scenario
- The goal of this research is to optimize system survivability
- Collaborative attack:
  - One commander who has a group of attackers
  - Different attackers have different attributes (budget, capability)
  - The commander has to decide his attack strategy at every round, e.g. the number of attackers to use and the resources to spend

Attacker Attributes
- Attack mechanisms:
  - Compromising nodes: the goal is to finally compromise core nodes, i.e. reduce the QoS of those core nodes below a certain level or steal sensitive information
  - Worm injection: the purpose is to obtain further topology information
- After a node is compromised, the commander decides whether to inject worms
- The worm propagation model follows the two-factor model
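The two-factor model named on this slide is the worm propagation model of Zou, Gong and Towsley, in which an epidemic slows down for two reasons: human countermeasures (infected hosts are cleaned and patched, susceptible hosts are immunised as awareness spreads) and the congestion the worm's own scanning causes, which lowers its effective infection rate. The simulation below is an added example written for this page, not code from the presentation. The host population, rates and step size are constructed values; the second function switches both factors off, which turns the model into the simple epidemic it generalises.

```python
# Added example (not from the slides): Euler simulation of the two-factor worm
# propagation model (Zou, Gong, Towsley). All numeric parameters are constructed.

def simulate_two_factor(N=10_000, I0=10, beta0=None, gamma=0.05, mu=None,
                        eta=2.0, T=100.0, dt=0.05):
    """Discrete-time integration of the two-factor model.

    Host classes: S susceptible, I infectious, R removed (cleaned/patched),
    Q susceptibles immunised before infection; S + I + R + Q = N at all times.
      beta(t) = beta0 * (1 - I/N)**eta    scan rate falls as the worm congests the network
      dR/dt   = gamma * I                 countermeasures on infected hosts
      dQ/dt   = mu * S * (I + R)          susceptibles immunised as awareness J = I + R grows
      dI/dt   = beta(t) * S * I - dR/dt
    Returns the final state and the peak number of infectious hosts.
    """
    beta0 = 0.8 / N if beta0 is None else beta0   # constructed: ~0.8 contacts/host/time unit
    mu = 0.06 / N if mu is None else mu           # constructed immunisation rate
    I, R, Q = float(I0), 0.0, 0.0
    peak = I
    for _ in range(int(T / dt)):
        S = N - I - R - Q
        beta = beta0 * (1.0 - I / N) ** eta
        dR = gamma * I
        dQ = mu * S * (I + R)
        dI = beta * S * I - dR
        I = max(0.0, I + dI * dt)
        R += dR * dt
        Q = min(Q + dQ * dt, N - I - R)   # cannot immunise more hosts than remain susceptible
        peak = max(peak, I)
    return {"I": I, "R": R, "Q": Q, "S": N - I - R - Q, "peak_I": peak}


def simple_epidemic(N=10_000, I0=10, beta0=None, T=100.0, dt=0.05):
    """The same model with countermeasures and congestion switched off
    (gamma = mu = eta = 0): the classic simple epidemic model, where every
    host eventually becomes infected."""
    return simulate_two_factor(N, I0, beta0, gamma=0.0, mu=0.0, eta=0.0, T=T, dt=dt)


if __name__ == "__main__":
    plain = simple_epidemic()
    two = simulate_two_factor()
    print(f"simple epidemic: {plain['I']:.0f} infected at the end")
    print(f"two-factor: peak {two['peak_I']:.0f}, end I={two['I']:.0f} "
          f"R={two['R']:.0f} Q={two['Q']:.0f}")
```

The comparison is the point of the model for this research: with the two factors active the infected population peaks well below N and then declines, which is the behaviour a defender's signature distribution and rate limiting are meant to reinforce.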

Topology Structure
- Attackers attack the AS nodes in the direction from edge nodes to core nodes
- Several million hosts per AS node
- Some AS nodes are equipped with a decentralized information sharing system
- Attacks proceed along relatively low-cost paths (continuity constraint)
Reference: Guangsen Zhang, Manish Parashar, "Cooperative detection and protection against network attacks using decentralized information sharing", Cluster Computing (2010), Vol. 13, pp. 67–86

Special Defense Resources
- Distributed information sharing system (DISS):
  - Signature generation and distribution
  - Rate limiting
- Worm origin identification:
  - Worm propagation path identification
- Firewall reconfiguration:
  - Used on nodes without DISS
- Dynamic topology reconfiguration:
  - Disconnect or reconnect a link
Detection → Mitigation → Avoidance

Core Node Risk Level
- Dynamic topology reconfiguration:
  - Whether to use the topology reconfiguration defense strategy is determined by the risk level of the core nodes
  - The lower the value of V_ij, the more endangered the core node
  - HopsToCoreNode: the distance from a core node to the nearest node detected to be under attack
  - maxHopsToCoreNode: the maximum number of hops from the attacker's starting position to a core node
  - The lowest V_ij is saved as V_lowest

Defending Costs
- Planning phase:
  - Node and link deployment
  - General defense resources
  - Special defense resources
- Defending phase:
  - Defending costs, e.g. when generating worm signatures

Negative Effects Caused by Special Defense Resources
- QoS damage:
  - Firewall reconfiguration
  - Rate limiting
  - Dynamic topology reconfiguration
- Resource consumption:
  - False positives of worm detection

Scenarios (figure; legend: AS node, core AS node, firewall, decentralized information sharing system, attacker, commander, Type I worm, detection alarm, Type II worm, dynamic topology reconfiguration, firewall reconfiguration, worm origin identification, rate limiting)

Agenda
- Scenario Review
- Mathematical Formulation

Description
- Objective: to minimize the maximized service compromised probability
- Given:
  - Total defense budget and attacker budget
  - The cost of constructing each defense or attack mechanism
  - QoS requirement
- To be determined:
  - Attack and defense strategies
  - Attack and defense resource allocation scheme

Given Parameters (notation: description)
- N: the index set of all nodes
- C: the index set of all core nodes
- I: the index set of all possible attacker groups
- L: the index set of all links
- Q: the index set of all candidate nodes appropriate for deploying the distributed information sharing system
- S: the index set of all types of services
- α_i: the weight of the i-th service, where i ∈ S
- B: the defender's total budget
- (notation not shown): the cost of constructing one intermediate AS node
- (notation not shown): the cost of constructing one core node
- d: the cost of deploying a distributed information sharing system to one node
- E: all possible defense configurations, including defense resource allocation and defending strategies
- Z: all possible attack configurations, including attackers' attributes, corresponding strategies and transition rules
- F_i: the number of commanders targeting the i-th service, where i ∈ S

Decision Variables (notation: description)
- (notation not shown): a defense configuration, including defense resource allocation and defending strategies for the i-th service, where i ∈ S
- (notation not shown): the i-th attacker group, including all of their attributes, where i ∈ I
- (notation not shown): an instance of attack configuration, including attackers' attributes, the commander's strategies and transition rules, when the commander launches the j-th attack on the i-th service by commanding the k-th attacker group, where i ∈ S, 1 ≤ j ≤ F_i, k ∈ I
- (notation not shown): 1 if the commander achieves his goal successfully, and 0 otherwise, where i ∈ S, 1 ≤ j ≤ F_i, k ∈ I
- B_nodelink: the budget spent on constructing nodes and links
- B_general: the budget spent on general defense resources
- B_special: the budget spent on special defense resources
- B_defending: the budget applied in the defending stage
- e: the total number of intermediate AS nodes
- n_i: the general defense resources allocated to node i, where i ∈ N
- x_i: 1 if node i is equipped with the distributed information sharing system, and 0 otherwise, where i ∈ Q
- q_ij: the capacity of the direct link between node i and node j, where i ∈ N, j ∈ N
- g(q_ij): the cost of constructing a link from node i to node j with capacity q_ij, where i ∈ N, j ∈ N

Verbal Notations (1/2) (notation: description)
- (notation not shown): loading of each core node i, where i ∈ C
- (notation not shown): link utilization of each link i, where i ∈ L
- O_tocore: the number of hops legitimate users experience from a boundary node to the destination
- I_e: negative effect caused by applying dynamic topology reconfiguration
- F_e: negative effect caused by applying firewall reconfiguration
- R_e: negative effect caused by applying rate limiting
- FP_e: negative effect caused by false positives of worm detection
- (notation not shown): the total number of attack events
- W_threshold: the predefined threshold regarding quality of service
- W_final: the level of quality of service at the end of an attack
The value of quality of service is determined by the loading of each core node i, the utilization of each link j, O_tocore, I_e, F_e, R_e and FP_e, where i ∈ C, j ∈ L.

Verbal Notations (2/2) (notation not shown in the transcript; descriptions only)
- The defense resource of the shortest path from detected attacked nodes to core node i, divided by the total defense resource, where i ∈ C
- The minimum number of hops from detected attacked nodes to core node i, divided by the maximum number of hops from the attacker's starting position to a core node, where i ∈ C
- The link degree of core node i, divided by the maximum link degree among all nodes in the topology, where i ∈ C
- The priority of service j provided by core node i, divided by the maximum service priority among core nodes in the topology, where i ∈ C and j ∈ S
- The risk threshold of core nodes
- The risk status of each core node, which is the aggregation of defense resource, number of hops, link degree and service priority
- The output traffic rate of node i, where i ∈ N
- The input traffic rate to node i, where i ∈ N
- The limit ratio of traffic rate
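The four normalised factors above, together with the HopsToCoreNode and maxHopsToCoreNode definitions on the Core Node Risk Level slide, can all be computed from one multi-source breadth-first search starting at the nodes where attacks have been detected. The code below is an added example written for this page, not part of the presentation. Its topology, defense resources n_i, service priorities and risk threshold are constructed, and since the slides do not say how the four factors are aggregated, it uses an equal-weight average in which defense resource and hop distance raise V while link degree and service priority lower it, so that a lower V still marks a more endangered core node as the earlier slide states.

```python
# Added example (not from the slides): core node risk status from the four
# normalised factors, with constructed topology and defense resources.
from collections import deque
from typing import Dict, List, Optional

# Constructed toy AS-level topology: edge nodes e1, e2 -> intermediate m1..m3 -> cores c1, c2.
# Adjacency lists are kept sorted so BFS tie-breaking is deterministic.
ADJ: Dict[str, List[str]] = {
    "e1": ["m1"],
    "e2": ["m2"],
    "m1": ["c1", "e1", "m2", "m3"],
    "m2": ["e2", "m1", "m3"],
    "m3": ["c1", "c2", "m1", "m2"],
    "c1": ["m1", "m3"],
    "c2": ["m3"],
}
CORES = ["c1", "c2"]
EDGES = ["e1", "e2"]                       # attacker starting positions
DEFENSE = {"e1": 1, "e2": 1, "m1": 3, "m2": 2, "m3": 4, "c1": 6, "c2": 5}  # n_i (constructed)
SERVICE_OF_CORE = {"c1": "web", "c2": "dns"}
PRIORITY = {"web": 3, "dns": 2}            # service priorities (constructed)


def bfs(adj, sources):
    """Multi-source BFS: hop distance from the nearest source, plus a parent
    pointer along one shortest path back to that source."""
    dist = {s: 0 for s in sources}
    parent: Dict[str, Optional[str]] = {s: None for s in sources}
    queue = deque(sources)
    while queue:
        u = queue.popleft()
        for v in adj[u]:
            if v not in dist:
                dist[v] = dist[u] + 1
                parent[v] = u
                queue.append(v)
    return dist, parent


def path_defense(parent, node, defense):
    """Sum of n_i over the shortest path from the nearest source to node (inclusive)."""
    total = 0
    while node is not None:
        total += defense[node]
        node = parent[node]
    return total


def risk_levels(adj, cores, edges, detected, defense, service_of_core, priority):
    """Risk status V of every core node (higher = safer) from the four normalised
    factors. Assumed aggregation: equal-weight average where defense resource and
    hop distance raise V and link degree and service priority lower it."""
    dist_det, parent_det = bfs(adj, detected)
    dist_edge, _ = bfs(adj, edges)
    max_hops = max(dist_edge[c] for c in cores)          # maxHopsToCoreNode
    total_def = sum(defense.values())
    max_deg = max(len(adj[n]) for n in adj)
    max_pri = max(priority[service_of_core[c]] for c in cores)
    V = {}
    for c in cores:
        if c not in dist_det:            # unreachable from any detected attack: treat as safest (assumed)
            V[c] = 1.0
            continue
        f_def = path_defense(parent_det, c, defense) / total_def
        f_hop = dist_det[c] / max_hops                   # HopsToCoreNode / maxHopsToCoreNode
        f_deg = len(adj[c]) / max_deg
        f_pri = priority[service_of_core[c]] / max_pri
        V[c] = (f_def + f_hop + (1 - f_deg) + (1 - f_pri)) / 4
    return V


def lowest(V):
    """V_lowest: the most endangered core node and its risk status."""
    c = min(V, key=V.get)
    return c, V[c]


def reconfiguration_targets(V, threshold, survived):
    """Core nodes for which dynamic topology reconfiguration may be activated:
    risk status below the threshold and the node still surviving."""
    return sorted(c for c, v in V.items() if v < threshold and c in survived)


if __name__ == "__main__":
    V = risk_levels(ADJ, CORES, EDGES, ["m2"], DEFENSE, SERVICE_OF_CORE, PRIORITY)
    print(V, lowest(V), reconfiguration_targets(V, 0.5, {"c1", "c2"}))
```

With a detection alarm on m2 the example flags c1 (higher-priority service, better connected) as the node to protect by reconfiguring links, while c2 stays above the 0.5 threshold.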

Mathematical Formulation
Objective function (IP 1), as annotated on the slide:
- Sum over all kinds of services
- The sum of attack results (0 or 1) for a certain service
- The total weighted number of commanders targeting service i
- Inner problem: given a defense configuration, maximize the commander's service compromised probability
- Outer problem: after the commander has maximized his attack success probability, the defender minimizes that attack success probability

Mathematical Formulation
Mathematical constraints: (IP 1.1) to (IP 1.15)

Mathematical Formulation
Verbal constraints:
- (IP 1.16)
- (IP 1.17) The performance reduction caused by compromised core nodes should not make the current status violate IP 1.16.
- (IP 1.18) The performance reduction caused by firewall reconfiguration should not make the current status violate IP 1.16.
- (IP 1.19) The performance reduction caused by rate limiting should not make the current status violate IP 1.16.
- (IP 1.20) The performance reduction caused by dynamic topology reconfiguration should not make the current status violate IP 1.16.
- (IP 1.21) The performance reduction caused by false positives of worm detection should not make the current status violate IP 1.16.
- (IP 1.22) Legitimate users' QoS satisfaction should not make the current status violate IP 1.16.

Mathematical Formulation
Verbal constraints:
- (IP 1.23) For each service, there is at least one core node that survives to the end of an attack.
- (IP 1.24) The level of quality of service at the end of an attack should not be lower than W_final.
- (IP 1.25) Only nodes equipped with the distributed information sharing system are able to generate signatures.
- (IP 1.26) Only nodes equipped with the distributed information sharing system are able to enable the rate limiting mechanism.

Mathematical Formulation
Verbal constraints:
- (IP 1.27) For each core node, when its risk status falls below the risk threshold, the defender is able to activate dynamic topology reconfiguration to avoid the node being compromised.
- (IP 1.28) Only surviving nodes are able to activate dynamic topology reconfiguration.
- (IP 1.29) The signature generating and distributing process is activated if the confidence level exceeds a certain threshold.
- (IP 1.30)
- (IP 1.31) A node is subject to attack only if a path exists from the attacker's position to that node, and all the intermediate nodes on the path have been compromised.
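To make the min-max objective (IP 1) and the path constraint (IP 1.31) concrete, here is an added brute-force example for a toy instance, written for this page rather than taken from the presentation. It assumes a five-node topology, one commander per service, and a cost of 1 + n_v attack-budget units to compromise node v (the slides give no cost function); it reads the objective as the weighted number of successful attacks divided by the total weighted number of commanders. The commander may only attack nodes adjacent to its starting position or to nodes it has already compromised, and the defender enumerates every integer split of its general defense budget, keeping the allocation with the smallest worst-case value.

```python
# Added example (not from the slides): brute-force min-max over a constructed
# toy topology, with an assumed compromise cost of 1 + n_v per node.
import itertools
from functools import lru_cache
from typing import Dict, FrozenSet, Iterator, List, Tuple

# Constructed topology. "attacker" is the commander's starting position next to the
# edge AS nodes e1, e2; m is an intermediate node; c1, c2 are cores hosting one service each.
ADJ: Dict[str, List[str]] = {
    "attacker": ["e1", "e2"],
    "e1": ["attacker", "m"],
    "e2": ["attacker", "m"],
    "m": ["e1", "e2", "c1", "c2"],
    "c1": ["m"],
    "c2": ["m"],
}
NODES = ["e1", "e2", "m", "c1", "c2"]
CORE_SERVICE = {"c1": "web", "c2": "dns"}
ALPHA = {"web": 2.0, "dns": 1.0}     # alpha_i, service weights (constructed)
F = {"web": 1, "dns": 1}             # F_i, commanders per service (one attack each here)


def objective(compromised: FrozenSet[str]) -> float:
    """Service compromised probability as read from the objective slide:
    weighted successful attacks over the total weighted number of commanders."""
    hits = sum(ALPHA[s] for c, s in CORE_SERVICE.items() if c in compromised)
    return hits / sum(ALPHA[s] * F[s] for s in ALPHA)


def attackable(compromised: FrozenSet[str]) -> List[str]:
    """IP 1.31: a node may be attacked only if it neighbours the attacker's
    starting position or a node that has already been compromised."""
    reach = set()
    for u in ("attacker", *compromised):
        reach.update(v for v in ADJ[u] if v != "attacker" and v not in compromised)
    return sorted(reach)


def best_attack(defense: Dict[str, int], attack_budget: int) -> float:
    """Inner maximisation: the commander searches over all compromise sequences
    affordable within its budget. Assumed cost: 1 + n_v units for node v."""
    @lru_cache(maxsize=None)
    def search(compromised: FrozenSet[str], budget: int) -> float:
        best = objective(compromised)
        for v in attackable(compromised):
            cost = 1 + defense[v]
            if cost <= budget:
                best = max(best, search(compromised | {v}, budget - cost))
        return best
    return search(frozenset(), attack_budget)


def allocations(budget: int, nodes: List[str]) -> Iterator[Dict[str, int]]:
    """Every split of an integer general-defense budget across nodes (stars and bars)."""
    k = len(nodes)
    for bars in itertools.combinations(range(budget + k - 1), k - 1):
        prev, counts = -1, []
        for b in bars + (budget + k - 1,):
            counts.append(b - prev - 1)
            prev = b
        yield dict(zip(nodes, counts))


def min_max_defense(defense_budget: int, attack_budget: int) -> Tuple[float, Dict[str, int]]:
    """Outer minimisation: the defender keeps the allocation whose worst-case
    attack value is smallest (first such allocation wins ties)."""
    best_val, best_alloc = float("inf"), {}
    for alloc in allocations(defense_budget, NODES):
        val = best_attack(alloc, attack_budget)
        if val < best_val - 1e-12:
            best_val, best_alloc = val, alloc
    return best_val, best_alloc


if __name__ == "__main__":
    val, alloc = min_max_defense(defense_budget=4, attack_budget=7)
    print(f"min-max service compromised probability = {val:.3f}, allocation = {alloc}")
```

With a defense budget of 4 against an attack budget of 7 the min-max value is 2/3: no allocation can keep the attacker from reaching c1 (the path through an edge node and m costs at most 3 plus whatever defense sits on it), but putting the budget on the chokepoint m at least stops the attacker from taking both cores. The exhaustive search is only viable for toy instances; its purpose here is to show the nesting of the two optimisations and how IP 1.31 restricts the attacker's moves.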

~THANKS FOR YOUR ATTENTION~