Research Direction Introduction
Advisor: Yeong-Sung Lin. Presented by I-Ju Shih, 2011/10/25.
Slide 2
Agenda
Introduction
Network Survivability
Problem Description
Slide 3
Introduction
Slide 4
Game theory
Game theory is a way to analyze interaction among a group of rational agents who behave strategically. It has been applied successfully in areas such as competition, biology, economics, political science, computer science, and military strategy.
Slide 5
Finitely repeated game
In recent years, game theory has been applied to many network security problems. In the real world, attackers and defenders interact repeatedly over time, so the interaction between attacker and defender can be viewed as an N-period game.
Slide 6
Non-cooperative game
Games are classified into two major classes: cooperative games and non-cooperative games. In the context of information security, a cyber attacker does not cooperate with the network defender, so the game is non-cooperative.
Slide 7
Incomplete information
Traditional non-cooperative games assume that:
1. The players are rational.
2. There are no enforceable agreements between players.
3. The players know all the data of the game.
However, real game situations may involve other types of uncertainty: the players may lack complete information about other players, or even about themselves.
Slide 8
Sequential game
Most past literature has focused on sequential games in which the defender moves first, since a network defender who commits first can deter the cyber attacker or shift the attack to an unimportant target.
Slide 9
High availability
Users want their systems, for example hospitals, airplanes or computers, to be ready to serve them at all times. High availability (HA) is a system design approach and associated service implementation that ensures a prearranged level of operational performance will be met during a contractual measurement period.
Slide 10
High availability
High availability (HA) clusters operate by harnessing redundant computers in groups or clusters that provide continued service when system components fail. HA clusters can be categorized into one of the following models:
Active/active
Active/passive
HA cluster implementations attempt to build redundancy into a cluster to eliminate single points of failure.
Slide 11
Network Survivability
Slide 12
ADOD (Average Degree of Disconnectivity)
DOD (Degree of Disconnectivity)
Contest success function
Slide 13
DOD
The DOD (Degree of Disconnectivity) metric can be used to measure the degree of damage to a network.
Definition
Slide 22
ADOD (Average Degree of Disconnectivity)
The larger the Average DOD value, the greater the damage to the network.
Slide 23
Problem Description
Slide 24
Defender versus Attacker: information
1. Common knowledge: the information is known to both players.
2. The defender's private information (e.g. node valuations, node types, and network topology): the defender knows all of it; the attacker knows part of it.
3. The defender's other information (e.g. system vulnerabilities): the defender does not know it before the game starts; the attacker knows part of it.
Slide 25
Defender versus Attacker: budget
1. Spent according to the importance of a node: defender, on defense; attacker, on attack.
2. Spent on each node: defender, on releasing messages; attacker, on updating information.
3. Reallocated or recycled: defender, yes, but at extra cost; attacker, no.
4. Reward: defender, no; attacker, yes: if the attacker compromises a node, the node's resources are controlled by the attacker until the defender repairs it.
5. Repairing a node: defender, yes; attacker, no.
6. Resource accumulation: yes, but the accumulated resource is discounted.
Slide 26
Defender versus Attacker: immune benefit and rationality
Immune benefit: defender, yes, she can update her information about system vulnerabilities after attacks; attacker, no.
Rationality: full or bounded rationality.
Slide 27
Objective
Network survivability is measured by ADOD. The game has two players: an attacker (he, A) and a defender (she, D).
Defender
Objective: minimize the damage to the network (ADOD).
Budget constraint: the defense budget is spent on deploying defense on nodes, repairing compromised nodes, and releasing messages on nodes.
Attacker
Objective: maximize the damage to the network (ADOD).
Budget constraint: the attack budget is spent on deploying attacks on nodes and on updating information.
Slide 28
Defender's characteristics - private information (Defender's view)
The defender has private information, including each node's valuation, each node's type, and the network topology.
Slide 29
Defender's characteristics - private information (Attacker's view)
The defender has private information, including each node's valuation, each node's type, and the network topology; the attacker knows only part of it.
Slide 30
Defender's characteristics
Effective resources: t m.
Resource reallocation, recycling and accumulation.
Each node's type.
Bounded rationality.
High availability system.
Slide 31
Attacker's characteristics
Attacker's private information: the attacker's budget, and things the defender does not know.
Effective resources: T m.
Resource growth: the attacker can increase his resources when he compromises network nodes.
Resource accumulation.
Bounded rationality.
Slide 32
Defender's action
In each round, the defender moves first, determines her strategy, and chooses the message, which may be truth, deception or secrecy, to release about each node.
Slide 33
Message releasing
Message releasing can be classified into two types. Type 1: a node's information is divided into parts, and the defender releases a message about each part. Type 2: the defender releases a node's defensive state as a message to the attacker.
Slide 34
Message releasing - type 1
The defender chooses a part of a node's information and, according to her strategy, releases a truthful message, releases a deceptive message, or keeps it secret.
Slide 35
Message releasing - type 1 example
For each part of a node's information, the defender chooses:
1. a truthful message if and only if the message equals the actual information;
2. secrecy if and only if the message is withheld;
3. a deceptive message if and only if the message differs from the actual information.
Cost: deceptive message > secrecy > truthful message.
Actual information on the node: 1. OS: Linux; 2. FTP: Filezilla server; 3. DB: MySQL.
Truthful message: 1. OS: Linux; 2. FTP: Filezilla server; 3. DB: MySQL.
Message mixing deception and secrecy: 1. OS: Win 7 (deceptive); 2. FTP: Filezilla server (truthful); 3. DB: unknown (secret).
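The type-1 rules above, worked in code as an added example (not code from the original presentation): the classifier applies the three if-and-only-if conditions to each part of the node's information and totals the cost of a message. The numeric costs are assumptions that only respect the slide's ordering (deceptive > secrecy > truthful), and the search for the cheapest message that hides given parts within a budget is an assumed helper, not something the slides describe.

```python
"""Type-1 message releasing: classify each part of a node's released
message as truthful, secret or deceptive, and cost the message.
Added example, not code from the original presentation. The unit costs
are assumptions chosen only to respect the slide's ordering
(deceptive > secrecy > truthful); the node attributes are the slide's.
"""
from itertools import product

SECRET = "unknown"  # marker for a withheld attribute, as on the slide

# Assumed unit costs; only the ordering deceptive > secrecy > truthful is given.
COST = {"truthful": 1, "secrecy": 2, "deceptive": 4}


def classify(actual, message):
    """Map each attribute of the node to 'truthful', 'secrecy' or 'deceptive'.
    An attribute missing from the message counts as kept secret."""
    kinds = {}
    for attr, real in actual.items():
        said = message.get(attr, SECRET)
        if said == SECRET:
            kinds[attr] = "secrecy"
        elif said == real:
            kinds[attr] = "truthful"
        else:
            kinds[attr] = "deceptive"
    return kinds


def message_cost(actual, message):
    """Total cost the defender pays to release `message` about this node."""
    return sum(COST[kind] for kind in classify(actual, message).values())


def cheapest_message(actual, hide, decoys, budget):
    """Cheapest message that tells the attacker nothing true about the
    attributes in `hide`, subject to `budget` (assumed helper). `decoys`
    maps an attribute to a false value the defender is willing to claim.
    Returns (message, cost), or None when no message fits the budget."""
    attrs = list(actual)
    options = []
    for attr in attrs:
        choices = [actual[attr], SECRET]          # truth or secrecy
        if attr in decoys:
            choices.append(decoys[attr])          # deception
        options.append(choices)
    best = None
    for combo in product(*options):
        message = dict(zip(attrs, combo))
        kinds = classify(actual, message)
        if any(kinds[attr] == "truthful" for attr in hide):
            continue
        cost = message_cost(actual, message)
        if cost <= budget and (best is None or cost < best[1]):
            best = (message, cost)
    return best


# Node from the slide: actual information and the two released messages.
NODE = {"OS": "Linux", "FTP": "Filezilla server", "DB": "MYSQL"}
TRUTHFUL = {"OS": "Linux", "FTP": "Filezilla server", "DB": "MYSQL"}
MIXED = {"OS": "Win 7", "FTP": "Filezilla server", "DB": "unknown"}

if __name__ == "__main__":
    print(classify(NODE, MIXED), message_cost(NODE, MIXED))
    print(cheapest_message(NODE, hide={"OS", "DB"}, decoys={"OS": "Win 7"}, budget=10))
```

Under these assumed costs the mixed message of the slide costs 7 against 3 for the fully truthful one, and when the defender only needs to hide the OS and DB, secrecy on both (cost 5) beats claiming Win 7, because deception is the most expensive option per attribute.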
Slide 36
Message releasing - type 1 scenario (Defender's view in each round)
The defender chooses which part of the node's information to release as a truthful message, which part to use for deception, and which part to keep secret.
Slide 38
Message releasing - type 2
The defender releases a different message, which is truth, deception or secrecy, about each node, as a mixed strategy.
Slide 39
Message releasing - type 2 scenario (Defender's view in each round)
The defender's actual strategy: the defense resource on node i. The defender's message: the defense resource on node i, stated truthfully or deceptively, or the actual strategy kept secret.
Slide 43
Message releasing - type 2 scenario (Attacker's view in each round)
The attacker sees only the defender's message about the defense resource on node i, or nothing when the defender keeps her actual strategy secret.
Slide 44
The effect of deception/secrecy
The effect of deception or secrecy is discounted if the attacker knows part of the defender's private information.
Slide 45
The effect of deception/secrecy
The effect of deception or secrecy is zero if the attacker knows something that the defender does not know.
Slide 46
Immune benefit
Although the attacker knows something that the defender does not, the defender can update her information after observing the result of each round's contest. Once she has done so, she gains an immune benefit: the attacker is unable to reuse the identical attack.
Slide 47
Defender's resources
From the defender's view, the budget can be reallocated or recycled, but a discount factor is also applied. The defender can accumulate resources on a node to decrease the attack success probability when defending that node in the next round.
Slide 48
Defender's resources example (type 2 scenario)
The defender's actual strategy: the defense resource on node i. The defender's message: the defense resource on node i, or the actual strategy kept secret. The defender's resource on a node can be recycled or reallocated.
Slide 49
Attacker's information
The attacker knows only part of the network topology. The attacker can update his information after observing the result of each round's contest and the defender's messages.
Slide 50
Attacker's resources
The attacker can accumulate experience to increase the attack success probability against network nodes in the next round, and can increase his resources when he compromises network nodes. Example for node i: in the first round, the attacker spends 3 units of attack budget to collect information about node i; in the second round, he spends 6 units to attack node i. Total attack resource = 3 * discount rate + 6.
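Round-by-round accounting for the resource rules on the defender's resources slide (reallocation and recycling at extra cost, accumulation with a discount) and the attacker's resources slide (accumulation with a discount, resource growth on compromise), as an added example that is not code from the original presentation. It assumes a single discount factor `delta` applied to every unit carried over by one round, a recycling loss fraction `recycle_cost`, and a fixed `reward` per compromised node; none of those constants comes from the slides. With spends of 3 and then 6 on the same node, `accumulate` reproduces the slide's 3 * discount rate + 6.

```python
"""Resource accounting across rounds for both players, following the
slides: resources carried into the next round are discounted, the
defender can recycle or reallocate deployed resource at an extra cost,
and the attacker gains resource when he compromises a node. Added
example, not code from the original presentation. Assumptions: one
discount factor `delta` applies to every unit carried over by one round;
recycling loses the fraction `recycle_cost`; each compromised node yields
`reward` units to the attacker.
"""


def accumulate(spends, delta):
    """Resource effective in the last round when `spends` were committed
    to the same target in successive rounds. Each earlier spend is
    discounted once per round elapsed: [3, 6] gives 3*delta + 6, the
    slide's example."""
    total = 0.0
    for spend in spends:
        total = total * delta + spend
    return total


class DefenderLedger:
    """Defense resource deployed on nodes plus the undeployed pool."""

    def __init__(self, budget, delta, recycle_cost):
        self.pool = float(budget)
        self.delta = delta
        self.recycle_cost = recycle_cost
        self.on_node = {}

    def new_round(self):
        # Accumulated defense survives into the next round, discounted.
        for node in self.on_node:
            self.on_node[node] *= self.delta

    def deploy(self, node, amount):
        if amount > self.pool + 1e-9:
            raise ValueError("defense budget exceeded")
        self.pool -= amount
        self.on_node[node] = self.on_node.get(node, 0.0) + amount

    def recycle(self, node, amount):
        """Pull resource back from a node; the extra cost is the fraction
        `recycle_cost` that is lost. Returns what reached the pool."""
        have = self.on_node.get(node, 0.0)
        amount = min(amount, have)
        self.on_node[node] = have - amount
        returned = amount * (1.0 - self.recycle_cost)
        self.pool += returned
        return returned

    def reallocate(self, src, dst, amount):
        """Recycle from `src` and deploy whatever survives on `dst`."""
        returned = self.recycle(src, amount)
        self.deploy(dst, returned)
        return returned


class AttackerLedger:
    """Attack resource committed against nodes plus the undeployed pool."""

    def __init__(self, budget, delta, reward):
        self.pool = float(budget)
        self.delta = delta
        self.reward = reward
        self.on_node = {}

    def new_round(self):
        # Experience gathered against a node carries over, discounted.
        for node in self.on_node:
            self.on_node[node] *= self.delta

    def spend(self, node, amount):
        if amount > self.pool + 1e-9:
            raise ValueError("attack budget exceeded")
        self.pool -= amount
        self.on_node[node] = self.on_node.get(node, 0.0) + amount

    def compromise(self, node):
        # Resource growth: a compromised node's resources serve the attacker.
        self.pool += self.reward

    def effective(self, node):
        """Attack resource effective against `node` in the current round."""
        return self.on_node.get(node, 0.0)


if __name__ == "__main__":
    attacker = AttackerLedger(budget=20, delta=0.5, reward=4)
    attacker.spend("i", 3)          # round 1: information gathering
    attacker.new_round()
    attacker.spend("i", 6)          # round 2: the attack itself
    print(attacker.effective("i"), accumulate([3, 6], 0.5))
```

The two ledgers make the asymmetry on the budget slide explicit: only the defender can pull resource back (and pays `recycle_cost` for it), and only the attacker's pool grows when a node falls.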
Slide 51
Attacker's resources example (type 2 scenario)
The defender's actual strategy: the defense resource on node i. The defender's message: the defense resource on node i, or the actual strategy kept secret.
Slide 52
Network topology
Consider a complex system with n nodes in series-parallel. A node consists of M components, which may be different components or the same (M 1).
Slide 53
Network topology
A node's composition can be classified into two types: a node with backup components, and a k-out-of-m node.
Slide 54
Network topology
The relationship between nodes can be classified into three types. Independent: a node can function on its own.
Slide 55
Network topology
The relationship between nodes can be classified into three types. Dependent: when a node is destroyed, any node that depends on the destroyed node is also destroyed.
Slide 56
Network topology
The relationship between nodes can be classified into three types. Interdependent: when a node is destroyed, the node interdependent with it is also destroyed, and vice versa.
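The node types and the three relationship types from the topology slides, as an added example that is not code from the original presentation: a node with backup components works while at least one component is up (1-out-of-M), a k-out-of-m node needs k components, and destruction propagates along dependent (one-way) and interdependent (two-way) relations until nothing more falls. Applying the cascade to a fixed point, representing the series-parallel system as parallel paths of series nodes, and the five-node sample network are assumptions made for the example.

```python
"""Node structure and inter-node relationships from the topology slides:
a node has M components and is either a node with backup components (it
works while at least one component is up) or a k-out-of-m node; pairs of
nodes are independent, dependent (one way) or interdependent (both ways).
Added example, not code from the original presentation. Assumptions: the
cascade rule is applied to a fixed point, the series-parallel system is
given as parallel paths each made of a series of nodes, and the node and
component names are constructed for the example.
"""
from collections import deque


class Node:
    def __init__(self, name, components, k=1):
        # k=1: node with backup components; k>1: k-out-of-m node, m=len(components)
        self.name = name
        self.k = k
        self.up = set(components)

    def compromise(self, component):
        self.up.discard(component)

    def functional(self):
        return len(self.up) >= self.k


def destroyed_after(nodes, relations, compromised):
    """nodes: {name: Node}. relations: (kind, a, b) with kind 'dependent'
    (b depends on a) or 'interdependent' (each depends on the other); any
    pair not listed is independent. compromised: (node, component) pairs
    the attacker took down. Returns the set of destroyed node names once
    the cascade has settled."""
    for name, component in compromised:
        nodes[name].compromise(component)
    fallout = {name: set() for name in nodes}  # src destroyed -> dsts destroyed
    for kind, a, b in relations:
        if kind == "dependent":
            fallout[a].add(b)
        elif kind == "interdependent":
            fallout[a].add(b)
            fallout[b].add(a)
        else:
            raise ValueError(f"unknown relationship: {kind}")
    destroyed = {name for name, node in nodes.items() if not node.functional()}
    queue = deque(destroyed)
    while queue:
        src = queue.popleft()
        for dst in fallout[src]:
            if dst not in destroyed:
                destroyed.add(dst)
                queue.append(dst)
    return destroyed


def system_functional(paths, destroyed):
    """Series-parallel layout: the system works if at least one parallel
    path has every node of its series intact."""
    return any(all(name not in destroyed for name in path) for path in paths)


def build_sample():
    """Constructed five-node network: A has a backup component, B is a
    2-out-of-3 node, D depends on B, and C and E are interdependent."""
    nodes = {
        "A": Node("A", ["a1", "a2"]),
        "B": Node("B", ["b1", "b2", "b3"], k=2),
        "C": Node("C", ["c1"]),
        "D": Node("D", ["d1"]),
        "E": Node("E", ["e1"]),
    }
    relations = [("dependent", "B", "D"), ("interdependent", "C", "E")]
    paths = [["A", "B", "D"], ["C", "E"]]
    return nodes, relations, paths


if __name__ == "__main__":
    nodes, relations, paths = build_sample()
    gone = destroyed_after(nodes, relations, [("A", "a1"), ("B", "b1"), ("B", "b2")])
    print(sorted(gone), system_functional(paths, gone))
```

In the sample, losing one of A's two components does nothing, losing two of B's three components destroys B and, through the dependent relation, D; the system survives on the C-E path until a single component of E is compromised, which takes C down with it through the interdependent relation.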