Research Direction Introduction
Advisor: Frank, Y.S. Lin
Presented by Yu Pu Wu

Agenda
• Problem Description
• Mathematical Formulation

Problem Description
• Collaborative Attack
• Special Defense Resources
  • “Fake Traffic”, “False Target” or “Dual Function” Honeypots
  • Virtualization
  • Dynamic Topology Reconfiguration
• To minimize the maximized attackers’ success probability by adjusting the defense parameters of the planning and defending phases.

Special Defense Resources
• Honeypots
  • Fake Traffic function
  • False Target function
  • Dual function
• Virtualization
• Dynamic Topology Reconfiguration

Attack Strategies & Risk Acceptance
• Attack Strategies
  • Compromise
  • Pretend to attack
  • Test reaction
  • Take opportunity
• Risk Acceptance
  • Risk Avoidance
  • Risk Tolerance

Stage & Selection Criteria
• Stage
  • Early stage
  • Late stage
• Selection Criteria
  • Defense resource
  • Traffic

Time Issue
• Attackers
  • Compromise time
  • Recovery time
• Defenders
  • Time during which a reconfiguration impacts QoS
  • Time for QoS to recover after a reconfiguration

Pros and Cons of Collaborative Attack
• Advantages
  • Decreases the budget cost of each attacker
  • Less compromise time
  • Less recovery time
• Disadvantage
  • Probability of being detected

Mathematical Formulation
• Objective
  • To minimize the maximized attackers’ success probability
• Given
  • Total Defense Budget
  • Cost of Constructing Each Defense Mechanism
  • Virtualization Cost
  • Service Priority
• To be determined
  • Attack and Defense Configurations
  • Budget Spent on Constructing Nodes or Links
  • General and Special Defense Resources

Given Parameters
N: The index set of all nodes.
C: The index set of all core nodes.
L: The index set of all links.
S: The index set of all types of services.
M: The index set of all levels of virtual machine monitors (VMMs).
H: The index set of all types of honeypots.
P: The index set of candidate nodes equipped with the false target function.
Q: The index set of candidate nodes equipped with the fake traffic generating function.
R: The index set of candidate nodes equipped with both the false target and the fake traffic generating function.
B: The defender’s total budget.
w: The cost of constructing one intermediate node.
o: The cost of constructing one core node.
p: The cost of each virtual machine (VM).
r: The cost of constructing a reconfiguration function on one node.
ki: The maximum number of virtual machines on VMM level i, where i∈M.
ai: The weight of the ith service, where i∈S.
E: All possible defense configurations, including defense resource allocation and defending strategies.
Z: All possible attack configurations, including attackers’ attributes, commanders’ strategies and transition rules.
Fi: The number of commanders targeting the ith service, where i∈S.

Decision Variables
D: An instance of defense configuration, including defense resource allocation and defending strategies on the ith service, where i∈S.
A: An instance of attack configuration, including attacker’s attributes, commander’s strategies and transition rules of the commander launching the jth attack on the ith service, where i∈S, 1≤j≤Fi.
T(D,A): 1 if the commander achieves his goal successfully, and 0 otherwise, where i∈S, 1≤j≤Fi.
Bnodelink: The budget spent on constructing nodes and links.
Bgeneral: The budget spent on allocating general defense resources.
Bspecial: The budget spent on deploying special defense resources.
Bvirtualization: The budget of virtualization.
Bhoneypot: The budget of honeypots.
Breconfiguration: The budget of reconfiguration functions.
e: The total number of intermediate nodes.
ni: The general defense resources allocated to node i, where i∈N.
qij: The capacity of the direct link between node i and node j, where i∈N, j∈N.
g(qij): The cost of constructing a link from node i to node j with capacity qij, where i∈N, j∈N.
li: The number of VMMs of level i purchased, where i∈M.
δi: The number of services that honeypot i can simulate, where i∈H.
εi: The interactive capability of false target honeypot i, where i∈P.
θi: The maximum throughput of fake traffic that fake traffic generator honeypot i can achieve, where i∈Q.
v(li): The cost of VMM level i with li VMMs, where i∈M.
h(δi, εi): The cost of constructing a false target honeypot with the given number of simulated services and interactive capability, where i∈P.
f(δi, θi): The cost of constructing a fake traffic generator honeypot with the given number of simulated services and maximum achievable throughput of fake traffic, where i∈Q.
t(δi, εi, θi): The cost of constructing a honeypot equipped with both false target and fake traffic generating functions, with the given number of simulated services, interactive capability and maximum achievable throughput of fake traffic, where i∈R.
xi: 1 if node i is equipped with the false target function, and 0 otherwise, where i∈N.
yi: 1 if node i is equipped with the fake traffic generating function, and 0 otherwise, where i∈N.
zi: 1 if node i is equipped with the reconfiguration function, and 0 otherwise, where i∈N.

Verbal Notations
Gcore_i: The loading of core node i, where i∈C.
Ulink_i: The link utilization of link i, where i∈L.
Keffect: The negative effect caused by applying fake traffic adjustment.
Ieffect: The negative effect caused by applying dynamic topology reconfiguration.
Jeffect: The negative effect caused by applying local defense.
Otocore: The number of hops legitimate users experience from a boundary node to their destination.
Y: The total number of compromise events.
Wthreshold: The predefined threshold on quality of service.
Wfinal: The level of quality of service at the end of an attack.
W(): The value of quality of service, determined by several factors.
ρdefense: The defense resource of the shortest path from the detected compromised nodes to core node i, divided by the total defense resource, where i∈C.
τhops: The minimum number of hops from the detected compromised nodes to core node i, divided by the maximum number of hops from the attacker’s starting position to a core node, where i∈C.
ωdegree: The link degree of core node i, divided by the maximum link degree among all nodes in the topology, where i∈C.
Spriority_i: The priority of service j provided by core node i, divided by the maximum service priority among core nodes in the topology, where i∈C and j∈S.
βthreshold: The risk threshold of core nodes.
β(): The risk status of each core node, which is the aggregation of defense resource, number of hops, link degree and service priority.

Objective Function
(IP 1)

Mathematical Constraints
• (IP 1.1)
• (IP 1.2)
• Direct Link Capacity Constraints:
  • qij ≥ 0 (IP 1.3)
• Honeypot Types Constraints:
  • xi + yi ≥ 1 (IP 1.4)
• Budget Constraints:
  • Bnodelink ≥ 0 (IP 1.5)
  • Bgeneral ≥ 0 (IP 1.6)
  • Bspecial ≥ 0 (IP 1.7)
• Constructing Topology Constraints:
  • ni ≥ 0 (IP 1.8)
  • w×e ≥ 0 (IP 1.9)
  • g(qij) ≥ 0 (IP 1.10)
• Budget Constraints:
  • Bnodelink ≥ 0 (IP 1.11)
  • Bspecial ≥ 0 (IP 1.12)
  • (IP 1.13)
  • (IP 1.14)
  • (IP 1.15)
  • (IP 1.16)
  • (IP 1.17)
• Special defense resource cost constraints:
  • (IP 1.18)
  • (IP 1.19)
  • (IP 1.20)
  • (IP 1.21)
  • (IP 1.22)
  • (IP 1.23)
  • (IP 1.24)

Verbal Constraints
• QoS constraints (IP 1.25 to IP 1.33):
  • The performance reduction caused by compromised core nodes should not violate IP 1.25.
  • The performance reduction caused by link utilization should not violate IP 1.25.
  • The performance reduction caused by fake traffic should not violate IP 1.25.
  • The performance reduction caused by dynamic topology reconfiguration should not violate IP 1.25.
  • The performance reduction caused by local defense should not violate IP 1.25.
  • Legitimate users’ QoS satisfaction, given the maximum number of hops from the attack’s initial point to a core node, should not violate IP 1.25.
  • Wfinal should not be lower than Wthreshold at the end of the attack.
  • The defender has to guarantee that at least one core node is not compromised at any time.

QoS Constraints
[Chart: QoS (y-axis, 0 to 40) against Attack Event (x-axis, 1 to 10).]

Verbal Constraints
• Reconfiguration constraints (IP 1.34 to IP 1.40):
  • The reconfiguration initial point and the reconfigured node must be equipped with the reconfiguration function.
  • The reconfiguration initial point must be a neighbor of the core node detected as risky.
  • The defense resource of the reconfiguration initial point should be the minimum among all neighbors of the core node detected as risky.
  • The reconfigured node must be a neighbor of the reconfiguration initial point.
  • The reconfigured node must not be a neighbor of the core node detected as risky.
  • The defense resource of the reconfigured node should be the maximum among all neighbors of the reconfiguration initial point.

Verbal Constraints
• Traffic adjustment constraints (IP 1.41 to IP 1.43):
  • The honeypot must be equipped with the fake traffic generating function.
  • The throughput of fake traffic delivered by one fake traffic generating honeypot should not be greater than its maximum achievable throughput.

Verbal Constraints
• Local defense constraints (IP 1.44 to IP 1.46):
  • For each core node, the mechanism is activated once an attack event has been detected.
  • Only virtualized nodes and virtual machine monitors (VMMs) can activate this mechanism.
  • The capacity of all links connecting the VMs with their VMM will decrease by a certain ratio.
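The following is an added worked example, not code from the presentation, showing how the risk status β() built from ρdefense, τhops, ωdegree and Spriority (Verbal Notations above) and the reconfiguration constraints (IP 1.34 to IP 1.40) can be evaluated on a small constructed topology. The slides do not fix the aggregation inside β() or how the "defense resource of the shortest path" is summed, so both are assumptions here: β() is the equal-weighted mean of the four normalised factors (low path defense, few hops, high degree and high priority all raise risk), and the path defense is the sum of ni over the nodes of the hop-shortest path, excluding the already compromised start node. Node names, defense values, priorities and links are constructed sample data.

```python
"""Core-node risk status and dynamic-topology-reconfiguration node selection.

Added example (not code from the presentation).  Assumptions: beta() is an
equal-weighted mean of the four normalised factors, and the "defense resource
of the shortest path" is the sum of n_i over the hop-shortest path excluding
the compromised start node.  All node and link data below is constructed.
"""
from collections import deque

# Constructed sample data: node -> general defense resource n_i, service
# priority (core nodes only) and reconfiguration function flag z_i.
NODES = {
    "b1": {"defense": 2, "priority": 0, "reconf": False},  # boundary node, attacker start
    "m1": {"defense": 3, "priority": 0, "reconf": True},
    "m2": {"defense": 5, "priority": 0, "reconf": True},
    "m3": {"defense": 8, "priority": 0, "reconf": False},
    "m4": {"defense": 4, "priority": 0, "reconf": True},
    "m5": {"defense": 9, "priority": 0, "reconf": True},
    "c1": {"defense": 6, "priority": 3, "reconf": False},  # core node
    "c2": {"defense": 7, "priority": 1, "reconf": False},  # core node
}
CORE = {"c1", "c2"}
LINKS = [("b1", "m1"), ("m1", "m2"), ("m1", "c1"), ("m2", "c1"),
         ("m2", "m3"), ("m3", "c2"), ("m1", "m4"), ("m1", "m5")]


def adjacency(links):
    """Undirected adjacency lists, neighbours kept in link-list order."""
    adj = {n: [] for n in NODES}
    for a, b in links:
        adj[a].append(b)
        adj[b].append(a)
    return adj


def shortest_paths(adj, start):
    """BFS: node -> hop-shortest path from start (list of nodes, start first)."""
    paths = {start: [start]}
    queue = deque([start])
    while queue:
        u = queue.popleft()
        for v in adj[u]:
            if v not in paths:
                paths[v] = paths[u] + [v]
                queue.append(v)
    return paths


def risk_status(core, compromised, attack_start, adj):
    """beta(): aggregate rho_defense, tau_hops, omega_degree, S_priority for one core node."""
    total_defense = sum(n["defense"] for n in NODES.values())
    max_degree = max(len(v) for v in adj.values())
    max_priority = max(NODES[c]["priority"] for c in CORE)

    # Hop-shortest path from the nearest detected compromised node to the core.
    best = None
    for src in compromised:
        p = shortest_paths(adj, src).get(core)
        if p is not None and (best is None or len(p) < len(best)):
            best = p
    if best is None:
        raise ValueError(f"{core} is unreachable from the compromised nodes")
    path_defense = sum(NODES[n]["defense"] for n in best[1:])
    hops = len(best) - 1
    # Denominator of tau_hops: longest shortest-path distance from the
    # attacker's starting position to any core node.
    start_paths = shortest_paths(adj, attack_start)
    max_hops = max(len(start_paths[c]) - 1 for c in CORE if c in start_paths)

    rho = path_defense / total_defense          # rho_defense
    tau = hops / max_hops                       # tau_hops
    omega = len(adj[core]) / max_degree         # omega_degree
    s_pri = NODES[core]["priority"] / max_priority  # S_priority
    # Assumed aggregation: weak path defense and few hops raise risk,
    # high link degree and high service priority raise risk.
    return ((1 - rho) + (1 - tau) + omega + s_pri) / 4


def select_reconfiguration(core, compromised, adj):
    """Apply IP 1.34 to IP 1.40 for a core node detected as risky.

    Returns (initial_point, reconfigured_node) or None when no pair of nodes
    satisfies every constraint.
    """
    core_neighbors = set(adj[core])
    # Initial point: a neighbour of the risky core that carries the
    # reconfiguration function, with the minimum defense resource.
    starts = [n for n in core_neighbors if NODES[n]["reconf"] and n not in compromised]
    if not starts:
        return None
    initial = min(starts, key=lambda n: (NODES[n]["defense"], n))
    # Reconfigured node: a neighbour of the initial point that carries the
    # function, is not a neighbour of the risky core (and is not a core or
    # compromised node), with the maximum defense resource.
    candidates = [n for n in adj[initial]
                  if NODES[n]["reconf"] and n not in core_neighbors
                  and n not in CORE and n not in compromised]
    if not candidates:
        return None
    target = max(candidates, key=lambda n: (NODES[n]["defense"], n))
    return initial, target


if __name__ == "__main__":
    adj = adjacency(LINKS)
    compromised = {"b1"}          # detected compromised nodes
    beta_threshold = 0.5          # constructed beta_threshold
    for core in sorted(CORE):
        beta = risk_status(core, compromised, "b1", adj)
        print(f"{core}: beta = {beta:.3f}")
        if beta >= beta_threshold:
            print("  risky, reconfiguration pair:", select_reconfiguration(core, compromised, adj))
```

With the constructed data, c1 sits two hops from the compromised boundary node behind little defense and hosts the highest-priority service, so it exceeds the threshold while c2 does not; the selection then picks the weakest reconfiguration-capable neighbour of c1 (m1) and the strongest eligible node one hop beyond it (m5). Ties on defense resource are broken by node name so the result is deterministic.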
THANKS FOR YOUR ATTENTION