Research Direction Introduction Advisor: Frank, Yeong-Sung Lin Presented by Hui-Yu, Chung 2011/11/22


Page 1

Research Direction Introduction

Advisor: Frank, Yeong-Sung Lin
Presented by Hui-Yu, Chung

2011/11/22

Page 2

Agenda
• Scenario Review
• Mathematical Formulation

Page 3

Attack-Defense Scenario
• The goal of this research is to optimize system survivability
• Collaborative attack
  – One commander who has a group of attackers
  – Different attackers have different attributes
    • Budget, Capability
  – The commander has to decide his attack strategy at every round
    • ex. # of attackers, resource used

Page 4

Attacker attributes
• Attack mechanisms
  – Compromising Nodes
    • The goal is to finally compromise core nodes, which reduces the QoS of those core nodes below a certain level or steals sensitive information
  – Worm injection
    • The purpose is to get further topology information
    • After a node is compromised, the commander will decide whether to inject worms
    • The worm propagation model follows the two-factor model

Page 5

Topology Structure
• Attackers attack the AS nodes in a direction from edge nodes to core nodes
• Several million hosts per AS node
• Some AS nodes are equipped with a decentralized information sharing system
• Along a relatively low-cost path
  – Continuous constraint

Guangsen Zhang, Manish Parashar, "Cooperative detection and protection against network attacks using decentralized information sharing", Cluster Computing (2010) Vol. 13, pp. 67–86

Page 6

Special Defense Resources
• Distributed information sharing system
  – Signature generation & distribution → Detection
  – Rate limiting → Mitigation
• Worm origin identification → Mitigation
  – Worm propagation path identification
• Firewall reconfiguration → Mitigation
  – Used on nodes without DISS
• Dynamic topology reconfiguration → Avoidance
  – Disconnect or reconnect a link

Page 7

Core Node Risk Level
• Dynamic Topology Reconfiguration
  – Whether to use the topology reconfiguration defense strategy is determined by the risk level of the core nodes
  – The lower the value of $V_{ij}$, the more danger the core node is in
  – HopsToCoreNode: The distance from one core node to the nearest hop which is detected to be attacked
  – maxHopsToCoreNode: The maximum number of hops from the attacker's starting position to one core node
  – The lowest $V_{ij}$ is saved as $V_{lowest}$

$$V_{ij} = w_1 \frac{\min\{HopsToCoreNode_{ij}\}}{maxHopsToCoreNode} + w_2 \frac{\min\{pathDefenseResource_{ij}\}}{maxPathDefenseResource} + w_3 \frac{maxLinkDegree - linkDegree_j}{maxLinkDegree}$$
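As an added worked example (not code from the slides), the risk level $V_{ij}$ of a core node computed on a small constructed topology: a multi-source BFS from the detected-attacked nodes gives HopsToCoreNode and the defense resource along that shortest path. The topology, the defense values, the weights, the normalisation of the defense term by the total defense resource (the definition on page 16) and the reading of maxHopsToCoreNode as the attacker's initial distance to the core node are all assumptions.

```python
from collections import deque

# Constructed example (not from the slides): undirected AS-level topology with
# per-node general defense resource n_i.  "G" is the core node; the attacker
# started at edge node "A", and nodes "A" and "B" have raised detection alarms.
TOPOLOGY = {
    "A": ["B", "C"], "B": ["A", "D"], "C": ["A", "D", "E"],
    "D": ["B", "C", "G"], "E": ["C", "G"], "G": ["D", "E"],
}
DEFENSE = {"A": 1, "B": 2, "C": 1, "D": 3, "E": 1, "G": 4}   # n_i per node
WEIGHTS = (0.4, 0.4, 0.2)                                   # w1, w2, w3 (assumed)


def bfs(graph, sources):
    """Hop distance and BFS parent for every node reachable from the sources."""
    dist = {s: 0 for s in sources}
    parent = {s: None for s in sources}
    queue = deque(sources)
    while queue:
        u = queue.popleft()
        for v in graph[u]:
            if v not in dist:
                dist[v], parent[v] = dist[u] + 1, u
                queue.append(v)
    return dist, parent


def risk_level(graph, defense, core, attacked, attacker_start, weights):
    """V for one core node; the lower the value, the more danger the node is in."""
    w1, w2, w3 = weights
    dist, parent = bfs(graph, attacked)        # multi-source BFS from alarmed nodes
    hops = dist[core]                          # min HopsToCoreNode
    path_defense, node = 0, core               # defense resource along that path
    while node is not None:
        path_defense += defense[node]
        node = parent[node]
    # maxHopsToCoreNode: assumed to be the hop count from the attacker's starting
    # position to the core node, i.e. the distance before anything was compromised.
    max_hops = bfs(graph, [attacker_start])[0][core]
    max_degree = max(len(nbrs) for nbrs in graph.values())
    return (w1 * hops / max_hops
            + w2 * path_defense / sum(defense.values())   # page 16 normalisation
            + w3 * (max_degree - len(graph[core])) / max_degree)


def lowest_risk(graph, defense, cores, attacked, attacker_start, weights):
    """V_lowest over all core nodes: the value compared against the risk threshold."""
    return min(risk_level(graph, defense, c, attacked, attacker_start, weights) for c in cores)
```

With alarms on A and B the core node G scores 19/30; once D is also flagged the value drops to 13/30, which is the direction in which the defender's threshold test should trigger reconfiguration.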

Page 8

Defending Costs
• Planning Phase:
  – Node and link deployment
  – General Defense Resources
  – Special Defense Resources
• Defending Phase:
  – Defending Costs
    • When generating worm signatures

Page 9

Negative Effect Caused by Special Defense Resources
• QoS damage:
  – Firewall reconfiguration
  – Rate Limiting
  – Dynamic topology reconfiguration
• Resource consumption
  – False positive of worm detection

Page 10

Scenarios
[Figure: example scenario on a topology of AS nodes A–T. Legend: AS Node, Core AS Node, Firewall, Decentralized Information Sharing System, Attacker, Commander, Type I Worm, Detection alarm, Type II Worm, Dynamic topology reconfiguration, Firewall reconfiguration, Worm origin identification, Rate limiting]

Page 11

Agenda
• Scenario Review
• Mathematical Formulation

Page 12

Description
• Objective:
  – To minimize the maximized service compromised probability
• Given:
  – Total defense budget and attacker budget
  – Each cost of construction of a defense or attack mechanism
  – QoS requirement
• To be determined:
  – Attack and defense strategies
  – Attack and defense resource allocation scheme

Page 13

Given Parameters
Notation: Description
N: The index set of all nodes
C: The index set of all core nodes
I: The index set of all possible attacker groups
L: The index set of all links
Q: The index set of all candidate nodes that are appropriate to deploy the distributed information sharing system
S: The index set of all types of services
$\alpha_i$: The weight of the ith service, where i∈S
B: The defender's total budget
w: The cost of constructing one intermediate AS node
o: The cost of constructing one core node
d: The cost of deploying a distributed information sharing system to one node
E: All possible defense configurations, including defense resource allocation and defending strategies
Z: All possible attack configurations, including the attacker's attributes, corresponding strategies and transition rules
$F_i$: The number of commanders targeting the ith service, where i∈S

Page 14

Decision Variables
Notation: Description
$D_i$: A defense configuration, including defense resource allocation and defending strategies on the ith service, where i∈S
The ith attacker group, including all of their attributes, where i∈I
$A_{ij}(k)$: An instance of attack configuration, including the attacker's attributes, the commander's strategies and transition rules, in which the commander launches the jth attack on the ith service by commanding the kth attacker group, where i∈S, 1≤j≤$F_i$, k∈I
$T_{ij}(D_i, A_{ij}(k))$: 1 if the commander achieves his goal successfully, and 0 otherwise, where i∈S, 1≤j≤$F_i$, k∈I
$B_{nodelink}$: The budget spent on constructing nodes and links
$B_{general}$: The budget spent on general defense resources
$B_{special}$: The budget spent on special defense resources
$B_{defending}$: The budget applied to the defending stage
e: The total number of intermediate AS nodes
$n_i$: The general defense resources allocated to node i, where i∈N
$x_i$: 1 if node i is equipped with the distributed information sharing system, and 0 otherwise, where i∈Q
$q_{ij}$: The capacity of the direct link between node i and node j, where i∈N, j∈N
$g(q_{ij})$: The cost of constructing a link from node i to node j with capacity $q_{ij}$, where i∈N, j∈N

The sub-budgets are tied to the defender's total budget by $B_{nodelink} + B_{general} + B_{special} + B_{defending} \le B$.

Page 15

Verbal Notations (1/2)
Notation: Description
$G^{core}_i$: Loading of each core node i, where i∈C
$U^{link}_i$: Link utilization of each link i, where i∈L
$O_{tocore}$: The number of hops legitimate users experience from one boundary node to the destination
$I_e$: Negative effect caused by applying dynamic topology reconfiguration
$F_e$: Negative effect caused by applying firewall reconfiguration
$R_e$: Negative effect caused by applying rate limiting
$FP_e$: Negative effect caused by false positives of worm detection
Y: The total attack events
$W_{threshold}$: The predefined threshold regarding quality of service
$W_{final}$: The level of quality of service at the end of an attack
$W(\cdot)$: The value of quality of service, determined by $G^{core}_i$, $U^{link}_j$, $O_{tocore}$, $I_e$, $F_e$, $R_e$ and $FP_e$, where i∈C, j∈L

Page 16

Verbal Notations (2/2)
Notation: Description
$defense_i$: The defense resource of the shortest path from detected attacked nodes to core node i divided by the total defense resource, where i∈C
$hops_i$: The minimum number of hops from detected attacked nodes to core node i divided by the maximum number of hops from the attacker's starting position to one core node, where i∈C
$degree_i$: The link degree of core node i divided by the maximum link degree among all nodes in the topology, where i∈C
$priority^{j}_{s_i}$: The priority of service i provided by core nodes divided by the maximum service priority among core nodes in the topology, where i∈C and j∈S
$threshold$: The risk threshold of core nodes
$(\cdot)$: The risk status of each core node, which is the aggregation of defense resource, number of hops, link degree and service priority
$rate_{out}(A_i)$: The output traffic rate to node i, where i∈N
$rate_{in}(A_i)$: The input traffic rate to node i, where i∈N
$confidence$: The limit ratio of traffic rate

Page 17

Mathematical Formulation
• Objective function:

$$\min_{D_i} \max_{A_{ij}(k)} \frac{\sum_{i \in S} \alpha_i \sum_{j=1}^{F_i} T_{ij}\big(D_i, A_{ij}(k)\big)}{\sum_{i \in S} \alpha_i F_i} \qquad \text{(IP 1)}$$

• The outer sum in the numerator runs over all kinds of services
• The inner sum in the numerator is the sum of attack results (0 or 1) for a certain service
• The denominator is the total weighted number of commanders targeting service i
• Inner max: given the defense configuration, maximize the commander's service compromised probability
• Outer min: after the commander maximizes his attack success probability, the defender minimizes the attack success probability

Page 18

Mathematical Formulation
• Mathematical constraints:

$D_i \in E, \quad \forall i \in S$ (IP 1.1)
$A_{ij}(k) \in Z, \quad \forall i \in S,\ 1 \le j \le F_i,\ k \in I$ (IP 1.2)
$B_{nodelink} \ge 0$ (IP 1.3)
$B_{general} \ge 0$ (IP 1.4)
$B_{special} \ge 0$ (IP 1.5)
$B_{defending} \ge 0$ (IP 1.6)
$\sum_{i \in N} n_i \le B_{general}$ (IP 1.7)
$n_i \ge 0, \quad \forall i \in N$ (IP 1.8)

Page 19

Mathematical Formulation
• Mathematical constraints:

$w\,e \ge 0$ (IP 1.9)
$g(q_{ij}) \ge 0, \quad \forall i \in N,\ j \in N$ (IP 1.10)
$B_{nodelink} + B_{general} + B_{special} + B_{defending} \le B$ (IP 1.11)
$\frac{\sum_{i \in N} \sum_{j \in N} g(q_{ij})}{2} + w\,e + o\,|C| \le B_{nodelink}$ (IP 1.12)
$\sum_{i \in N} x_i\, d \le B_{special}$ (IP 1.13)
$q_{ij} \ge 0, \quad \forall i \in N,\ j \in N$ (IP 1.14)
$x_i = 0 \text{ or } 1, \quad \forall i \in N$ (IP 1.15)
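As an added example (not code from the slides), a feasibility check of a constructed planning-phase allocation against the budget constraints above: sub-budgets within B, node and link construction within $B_{nodelink}$ (with the double sum over symmetric link capacities halved), general defense resources within $B_{general}$, and DISS deployment within $B_{special}$ and restricted to candidate nodes. The given costs, the linear link cost function g and every allocation value are assumptions.

```python
# Constructed planning-phase allocation (not from the slides).  Link capacities
# q_ij are stored in both directions, so the double sum is halved as in the
# node/link budget constraint.
GIVEN = {"B": 120, "w": 6, "o": 10, "d": 8, "core": {"G"}, "Q": {"C", "D", "G"}}
BUDGETS = {"nodelink": 70, "general": 20, "special": 16, "defending": 10}
N_I = {"A": 2, "B": 4, "C": 3, "D": 5, "E": 2, "G": 4}         # general resource n_i
X_I = {"C": 1, "D": 0, "G": 1}                                  # DISS placement x_i
Q_IJ = {("A", "B"): 2, ("B", "A"): 2, ("B", "D"): 3, ("D", "B"): 3,
        ("D", "G"): 4, ("G", "D"): 4}                           # symmetric capacities
E = len(N_I) - len(GIVEN["core"])                               # intermediate AS nodes


def g(q):
    """Assumed link construction cost g(q_ij): 3 units per unit of capacity."""
    return 3 * q


def check_plan(given, budgets, e, n, x, q):
    """Evaluate each budget constraint; every value must be True for feasibility."""
    link_cost = sum(g(c) for c in q.values()) / 2      # each link counted twice
    nodelink_cost = link_cost + given["w"] * e + given["o"] * len(given["core"])
    return {
        "sub_budgets_within_B": sum(budgets.values()) <= given["B"],
        "nodelink_within_budget": nodelink_cost <= budgets["nodelink"],
        "general_within_budget": sum(n.values()) <= budgets["general"],
        "special_within_budget": sum(x.values()) * given["d"] <= budgets["special"],
        "nonnegative": all(v >= 0 for v in list(n.values()) + list(q.values())),
        "diss_only_on_candidates": all(v in (0, 1) for v in x.values())
                                   and set(x) <= given["Q"],
    }


def is_feasible(given, budgets, e, n, x, q):
    """True when the whole planning-phase allocation respects every constraint."""
    return all(check_plan(given, budgets, e, n, x, q).values())
```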

Page 20

Mathematical Formulation
• Verbal constraints:

$\frac{\int_{1}^{Y} \big[W(G^{core}_i, U^{link}_j, O_{tocore}, I_e, F_e, R_e, FP_e)\big]\,dy}{Y} \ge W_{threshold}$, where i∈C, j∈L (IP 1.16)

The performance reduction caused by compromised core nodes should not make the current status violate IP 1.16. (IP 1.17)

The performance reduction caused by firewall reconfiguration should not make the current status violate IP 1.16. (IP 1.18)

The performance reduction caused by rate limiting should not make the current status violate IP 1.16. (IP 1.19)

The performance reduction caused by dynamic topology reconfiguration should not make the current status violate IP 1.16. (IP 1.20)

The performance reduction caused by false positives of worm detection should not make the current status violate IP 1.16. (IP 1.21)

Legitimate users' QoS satisfaction should not make the current status violate IP 1.16. (IP 1.22)

Page 21

Mathematical Formulation
• Verbal constraints:

For each service, there is at least one core node that survives to the end of an attack. (IP 1.23)

The level of quality of service at the end of an attack should not be lower than $W_{final}$. (IP 1.24)

Only nodes equipped with the distributed information sharing system are able to generate the signature. (IP 1.25)

Only nodes equipped with the distributed information sharing system are able to enable the rate limiting mechanism. (IP 1.26)

Page 22

Mathematical Formulation
• Verbal constraints:

For each core node, when its risk status, aggregated from $defense_i$, $hops_i$, $degree_i$ and $priority^{j}_{s_i}$, reaches the risk threshold $threshold$ (where i∈S), the defender is able to activate dynamic topology reconfiguration to avoid the node being compromised. (IP 1.27)

Only survival nodes are able to activate dynamic topology reconfiguration. (IP 1.28)

The signature generating and distributing process is activated if the confidence level exceeds a certain threshold. (IP 1.29)

$rate_{out}(A_i) \le rate_{in}(A_i) \cdot confidence$ (IP 1.30)

A node is subject to attack only if a path exists from the attacker's position to that node, and all the intermediate nodes on the path have been compromised. (IP 1.31)

Page 23

~THANKS FOR YOUR ATTENTION~