
Advisor: Yeong-Sung Lin Presented by I-Ju Shih 2011/10/25 1 Research Direction Introduction.

Date post: 17-Dec-2015
Upload: joseph-foster

Transcript
  • Slide 1
  • Research Direction Introduction. Advisor: Yeong-Sung Lin. Presented by I-Ju Shih. 2011/10/25
  • Slide 2
  • Agenda: Introduction; Network Survivability; Problem Description
  • Slide 3
  • Introduction
  • Slide 4
  • Game theory: Game theory is a way to analyze interaction among a group of rational agents who behave strategically. Game theory has been successfully applied in areas such as competition, biology, economics, political science, computer science, military strategy, and more.
  • Slide 5
  • Finitely repeated game: In recent years, game theory has been applied to many network security issues. In the real world, attackers and defenders frequently interact repeatedly over time. The interaction between attacker and defender can be viewed as an N-period game.
  • Slide 6
  • Non-cooperative game: Games are classified into two major classes: cooperative games and non-cooperative games. In the context of information security, a cyber attacker would not cooperate with a network defender.
  • Slide 7
  • Incomplete information: In traditional non-cooperative games it is assumed that: 1. The players are rational. 2. There are no enforceable agreements between players. 3. The players know all the data of the game. However, real-game situations may involve other types of uncertainty. The players may lack complete information about other players or themselves.
  • Slide 8
  • Sequential game: Most past literature has focused on sequential games in which the defender moves first, since the network defender will be able to deter the cyber attacker or shift the attack to an unimportant target.
  • Slide 9
  • High availability: Users want their systems, for example hospitals, airplanes or computers, to be ready to serve them at all times. High availability (HA) is a system design approach and associated service implementation that ensures a prearranged level of operational performance will be met during a contractual measurement period.
  • Slide 10
  • High availability: High availability (HA) clusters operate by harnessing redundant computers in groups or clusters that provide continued service when system components fail. HA clusters can sometimes be categorized into one of the following models: active/active; active/passive. HA cluster implementations attempt to build redundancy into a cluster to eliminate single points of failure.
  • Slide 11
  • Network Survivability
  • Slide 12
  • ADOD (Average Degree of Disconnectivity): DOD (Degree of Disconnectivity); Contest success function
  • Slide 13
  • DOD: The DOD (Degree of Disconnectivity) metric can be used to measure the degree of damage to a network. Definition
  • Slide 14
  • DOD: OD pairs = [Figure: network with nodes 1, 2, 3, 4]
      route
      1, 2
      1, 3
      1, 2, 4 (1, 3, 4)
      2, 4, 3 (2, 1, 3)
      2, 4
      3, 4
  • Slide 15
  • DOD: OD pairs = ; DOD = 3/6 [Figure: network with nodes 1, 2, 3, 4]
      route | number of broken nodes
      1, 2 | 1
      1, 3 | 1
      1, 2, 4 (1, 3, 4) | 1
      2, 4, 3 (2, 1, 3) | 0
      2, 4 | 0
      3, 4 | 0
  • Slide 16
  • DOD: OD pairs = ; DOD = 6/6 [Figure: network with nodes 1, 2, 3, 4]
      route | number of broken nodes
      1, 2 | 2
      1, 3 | 1
      1, 2, 4 (1, 3, 4) | 1
      2, 4, 3 (2, 1, 3) | 1
      2, 4 | 1
      3, 4 | 0
  • Slide 17
  • DOD: OD pairs = ; DOD = 10/6 [Figure: network with nodes 1, 2, 3, 4]
      route | number of broken nodes
      1, 2 | 2
      1, 3 | 2
      1, 2, 4 (1, 3, 4) | 2
      2, 4, 3 (2, 1, 3) | 2
      2, 4 | 1
      3, 4 | 1
  • Slide 18
  • DOD: OD pairs = ; DOD = 14/6 [Figure: network with nodes 1, 2, 3, 4]
      route | number of broken nodes
      1, 2 | 2
      1, 3 | 2
      1, 2, 4 (1, 3, 4) | 3
      2, 4, 3 (2, 1, 3) | 3
      2, 4 | 2
      3, 4 | 2
  • Slide 19
  • DOD: The larger the DOD value, the greater the degree of damage to the network.
  • Slide 20
  • Contest success function (CSF): Skaperdas, S., 1996. Contest success functions. Economic Theory 7, 283-290. Definition. T: the attacker's budget; t: the defender's budget; m: contest intensity; S: attack success probability.
  • Slide 21
  • ADOD example:
      Node states | Attack success probability (S) | DOD | S*DOD
      1, 2, 3, 4 | (1-S1)*(1-S2)*(1-S3)*(1-S4) | 0 | 0
      1, 2, 3, 4 | S1*(1-S2)*(1-S3)*(1-S4) | 3/6 | 3/6*S1*(1-S2)*(1-S3)*(1-S4)
      1, 2, 3, 4 | S1*S2*S3*S4 | 14/6 | 14/6*S1*S2*S3*S4
  • Slide 22
  • ADOD (Average Degree of Disconnectivity): The larger the Average DOD value, the greater the degree of damage to the network.
  • Slide 23
  • Problem Description
  • Slide 24
  • Defender versus Attacker: Information
      item | Defender | Attacker
      1. Common knowledge | The information is known to both.
      2. Defender's private information (e.g. nodes' valuation, nodes' type, and network topology) | The defender knew all of it. | The attacker knew a part of it.
      3. The defender's other information (e.g. system vulnerabilities) | The defender did not know it before the game starts. | The attacker knew a part of it.
  • Slide 25
  • Defender versus Attacker: Budget
      item | Defender | Attacker
      1. Based on the importance of node | Defense. | Attack.
      2. On each node | Releasing message. | Updating information.
      3. Reallocated or recycled | Yes. But the defender needed extra cost. | No.
      4. Reward | No. | Yes. If the attacker compromised a node, the node's resource could be controlled by the attacker before the defender has repaired it.
      5. Repaired node | Yes. | No.
      6. Resource accumulation | Yes. But the resource needed to be discounted.
  • Slide 26
  • Defender versus Attacker:
      item | Defender | Attacker
      Immune benefit | Yes. The defender could update information about system vulnerabilities after attacks. | No.
      Rationality | Full or bounded rationality.
  • Slide 27
  • Objective: The network survivability is measured by ADOD. The game has two players: an attacker (he, A) and a defender (she, D).
      Defender: Objective - minimize the damage of the network (ADOD). Budget constraint - deploying the defense budget in nodes; repairing the compromised node; releasing message in nodes.
      Attacker: Objective - maximize the damage of the network (ADOD). Budget constraint - deploying the attack budget in nodes; updating information.
  • Slide 28
  • Defender's characteristics - Private information (Defender's view): The defender has private information, including each node's valuation, each node's type and network topology.
  • Slide 29
  • Defender's characteristics - Private information (Attacker's view): The defender has private information, including each node's valuation, each node's type and network topology.
  • Slide 30
  • Defender's characteristics: Effective resources: t^m. Resource reallocation, recycling and accumulation. Each node's type. Bounded rationality. High availability system.
  • Slide 31
  • Attacker's characteristics: Attacker's private information: the attacker's budget and something the defender did not know. Effective resources: T^m. Resource growth: the attacker could increase resources when the attacker compromised network nodes. Resource accumulation. Bounded rationality.
  • Slide 32
  • Defender's action: In each round, the defender moves first, determines a strategy and chooses a message, which may be truth, deception or secrecy, for each node.
  • Slide 33
  • Message releasing: Message releasing can be classified into two types. A node's information could be divided into different parts, which the defender releases as messages. The defender could release a node's defensive state as a message to the attacker.
  • Slide 34
  • Message releasing - type 1: The defender could choose a part of a node's information and, according to the defender's strategy, release it as a truthful message, a deceptive message or secrecy.
  • Slide 35
  • Message releasing - type 1 example: The defender chooses: 1. Truthful message if and only if message = actual information; 2. Secrecy if and only if message is secret; 3. Deceptive message if and only if message ≠ actual information.
      Defender: 1. OS: Linux; 2. FTP: Filezilla server; 3. DB: MYSQL
      Cost: Deceptive message > Secrecy > Truthful message
      Message: 1. OS: Linux; 2. FTP: Filezilla server; 3. DB: MYSQL
      Message: 1. OS: Win 7; 2. FTP: Filezilla server; 3. DB: unknown
  • Slide 36
  • Message releasing - type 1 scenario (Defender's view in each round): [Figure legend: the defender chose the part of information to release a truthful message; the defender chose the part of information to use deception; keep the node's part of information secret]
  • Slide 37
  • Message releasing - type 1 scenario (Defender's view in each round): [Figure legend: the defender chose the part of information to release a truthful message; the defender chose the part of information to use deception; keep the node's part of information secret]
  • Slide 38
  • Message releasing - type 2: The defender released different messages, which are truth, deception or secrecy, on each node as a mixed strategy.
  • Slide 39
  • Message releasing - type 2 scenario (Defender's view in each round): [Figure legend: the defender's actual strategy: defense resource on node i; the defender's message: defense resource on node i; keep the defender's actual strategy secret]
  • Slide 40
  • Message releasing - type 2 scenario (Defender's view in each round): [Figure legend: the defender's actual strategy: defense resource on node i; the defender's message: defense resource on node i; keep the defender's actual strategy secret]
  • Slide 41
  • Message releasing - type 2 scenario (Defender's view in each round): [Figure legend: the defender's actual strategy: defense resource on node i; the defender's message: defense resource on node i; keep the defender's actual strategy secret]
  • Slide 42
  • Message releasing - type 2 scenario (Defender's view in each round): [Figure legend: the defender's actual strategy: defense resource on node i; the defender's message: defense resource on node i; keep the defender's actual strategy secret]
  • Slide 43
  • Message releasing - type 2 scenario (Attacker's view in each round): [Figure legend: the defender's actual strategy: defense resource on node i; the defender's message: defense resource on node i; keep the defender's actual strategy secret]
  • Slide 44
  • The effect of deception/secrecy: The effect of deception or secrecy would be discounted if the attacker knew part of the defender's private information.
  • Slide 45
  • The effect of deception/secrecy: The effect of deception or secrecy would be zero if the attacker knew something that the defender did not know.
  • Slide 46
  • Immune benefit: Although the attacker knows something that the defender did not know, the defender can update information after observing the result of each round's contest. After the defender updated information, she had immune benefit, which means that the attacker was unable to use an identical attack.
  • Slide 47
  • Defender's resources: From the view of the defender, the budget could be reallocated or recycled, but the discount factor is also considered. The defender could accumulate resources to decrease the attack success probability when defending network nodes the next time.
  • Slide 48
  • Defender's resources example - type 2 scenario: [Figure legend: the defender's actual strategy: defense resource on node i; the defender's message: defense resource on node i; keep the defender's actual strategy secret; labels: Defender, Recycled, Reallocated]
  • Slide 49
  • Attacker's information: The attacker knows only partial network topology. The attacker could update information after observing the result of each round's contest and the defender's messages.
  • Slide 50
  • Attacker's resources: The attacker could accumulate experience to increase the attack success probability when compromising network nodes the next time. The attacker could increase resources when the attacker compromised network nodes. [Figure: node i] In the first round, the attacker put 3 units of attack budget to collect information on node i. In the second round, the attacker put 6 units of attack budget to attack node i. Total attack resource = 3 * discount rate + 6
  • Slide 51
  • Attacker's resources example - type 2 scenario: [Figure legend: the defender's actual strategy: defense resource on node i; the defender's message: defense resource on node i; keep the defender's actual strategy secret]
  • Slide 52
  • Network topology: Consider a complex system with n nodes in series-parallel. A node consists of M components, which may be different components or the same. (M 1)
  • Slide 53
  • Network topology: A node's composition could be classified into two types: a node with backup component; a k-out-of-m node.
  • Slide 54
  • Network topology: The relationship between nodes could be classified into three types. Independent: a node can function solely.
  • Slide 55
  • Network topology: The relationship between nodes could be classified into three types. Dependent: when a node was destroyed, the node dependent on the destroyed node was also destroyed.
  • Slide 56
  • Network topology: The relationship between nodes could be classified into three types. Interdependent: when a node was destroyed, the node interdependent on the destroyed node was also destroyed, and vice versa.
  • Slide 58
  • Thanks for your listening.
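
The DOD and ADOD calculation from slides 13 to 22, written out as an added example that is not part of the original slides. It assumes the four-node square topology implied by the listed routes, reads DOD as the sum over OD pairs of the fewest broken nodes on any route divided by the number of OD pairs (the reading that reproduces the slides' tables), and assumes the ratio form of the contest success function, S = T^m / (T^m + t^m), because the slides' own formulas are not present in this transcript.

```python
import heapq
from fractions import Fraction
from itertools import combinations, product
from math import prod

# Assumption: 4-node square topology inferred from the routes on slides 14-18.
EDGES = [(1, 2), (1, 3), (2, 4), (3, 4)]

def adjacency(edges):
    adj = {}
    for a, b in edges:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj

def min_broken(adj, broken, src, dst):
    """Fewest broken nodes on any src-dst route, endpoints included (Dijkstra)."""
    best = {src: int(src in broken)}
    heap = [(best[src], src)]
    while heap:
        d, u = heapq.heappop(heap)
        if u == dst:
            return d
        if d > best[u]:
            continue  # stale queue entry
        for v in adj[u]:
            nd = d + int(v in broken)
            if nd < best.get(v, float("inf")):
                best[v] = nd
                heapq.heappush(heap, (nd, v))
    raise ValueError(f"no route between {src} and {dst}")

def dod(edges, broken):
    """DOD = sum of min broken nodes per OD pair / number of OD pairs."""
    adj = adjacency(edges)
    pairs = list(combinations(sorted(adj), 2))
    return Fraction(sum(min_broken(adj, broken, s, d) for s, d in pairs), len(pairs))

def csf(T, t, m):
    """Assumed ratio-form CSF: S = T^m / (T^m + t^m); no attack budget, no success."""
    return 0.0 if T == 0 else T**m / (T**m + t**m)

def adod(edges, S):
    """Expected DOD over all 2^n node states; S maps node -> success probability."""
    nodes, total = sorted(S), 0.0
    for state in product([False, True], repeat=len(nodes)):
        broken = {n for n, hit in zip(nodes, state) if hit}
        p = prod(S[n] if n in broken else 1 - S[n] for n in nodes)
        total += p * float(dod(edges, broken))
    return total
```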
