Advisor: Yeong -Sung Lin Presented by Chi-Hsiang Chan

1

EVALUATING THE DAMAGE ASSOCIATED WITH INTENTIONAL NETWORK

DISINTEGRATIONG LEVITIN, I GERTSBAKH, Y SHPUNGIN

Advisor: Yeong-Sung LinPresented by Chi-Hsiang Chan

2011/3/28

2

AGENDA

+ Introduction+ Problem formulation+ Multi-dimensional D-spectrum+ F>3 clusters in the network+ Illustrative example: attack and defense of a network+ Conclusion

2011/3/28

3

AGENDA


2011/3/28

4

INTRODUCTION

+ Defense against external impacts, and especially against intentional external impacts, becomes increasingly important due to the increasing threats of malicious attacks.

+ The defender’s objective for a system is that it survives and functions reliably under all circumstances.

+ In order to evaluate the efficiency of defensive measures the defender should evaluate the effect of these measures on the expected damage that can be caused by attacks.

2011/3/28

5

INTRODUCTION

+ Research in network reliability and risk analysis must help understand how to prevent or mitigate the damage caused by intentional attacks on the networks.

+ Usually assumed:– An interdictor is interested in reducing the flow through the

network by interdicting network elements, usually the links.– The interdictor has limited resources to interdict network

elements and as suck it faces a resource allocation problem, where the objective is to maximize the damage inflicted to the network.

2011/3/28

6

INTRODUCTION

+ In the case when the network provides connection among different terminal nodes corresponding to users or critical facilities, the damage caused by an attack can be different depending on the amount of terminals that become isolated from any other terminal because of link interdiction.

+ It is important to find a way that evaluates the probability of network disintegration into disconnected sub-networks and estimates the associated damage in order to compare different options of network defense.

2011/3/28

7

INTRODUCTION

+ This work considers the expected damage caused by the network disintegration into separated clusters (with at least one terminal node) and presents a novel multi-dimensional spectra technique for evaluating this damage.

+ We assume that the damage caused by disintegration is proportional to the number of clusters and does not depend on their size.

+ The assumption is relevant for information networks, where the information can freely flow within each cluster and the damage is proportional to the effort needed to restore the inter-cluster connectivity.

2011/3/28

8

INTRODUCTION

+ A network has a node set N, edge (link) set E and a subset of special nodes called terminals.

+ All nodes are absolutely reliable while the edges are subject to failure.

+ Edge(link) failure means its elimination from the network.

+ The attacker strikes the network links trying to cause damage by disintegrating the network into clusters.

2011/3/28

9

INTRODUCTION

+ Both the attacker and the defender have limited and fixed resources.

+ The attacker does not know the network structure and arracks a randomly chosen subset of links distributing its attack resources evenly among these links.

+ The defender has no information about the subset of links chosen for the attack. All links are equally protected.

2011/3/28

10

INTRODUCTION

+ The model presented in this paper is based on a multi-dimensional destruction spectra approach that allows evaluating the probability of network disintegration into a given number of clusters when a fixed number of randomly chosen links is eliminated.

+ It uses the contest success function that evaluates vulnerability of individual links as a function of per-link attack and defense efforts.

2011/3/28

11

AGENDA


2011/3/28

12

NOMENCLATUREL Number of links in the network f number of disconnected clusters

F Number of terminals in the network d(f) damage associated with network disintegration into f disconnected clusters

k Number of attacked links D(k) expected damage caused by an attack on k randomly chosen links

R Entire attacker’s resource Δ expected damage for uniformly distributed number of attacked links

y Attacker’s impact effort per attacked link

m contest intensity

z Defender’s protection effort per link p(j,f) the probability that the network falls apart into f clusters if j links re destroyed

v(y,z) link vulnerability as a function of attacker’s and defender’s efforts

P(x) probability of event x

probability that exactly j links are destroyed after attack on k links

( )jq k2011/3/28

13

PROBLEM FORMULATION

+ A network with a given topology contains L protected links. Each link is protected with effort z.

+ The attacker strikes k randomly chosen links evenly with resource R. The per-link attack effort is y=R/k.

+ The vulnerability of attacked link is determined by a contest between the defender and the attacker, form as

(1)

m

m m

yvy z

2011/3/28

14

CONTEST SUCCESS FUNCTION

+ Skaperdas offered three axioms for contest success functions:– 1≥v≥0 and the contest success for the defender and the

attacker sum to one.– ∂v/ ∂y>0 and ∂v/ ∂z<0.– Each agent’s contest success depends on its effort and not

on the identity of agent or opponent.

2011/3/28

15

CONTEST INTENSITY M

+ m ≥0 is a parameter that expresses the intensity of the contest.

+ A benchmark intermediate value is m=1, where the investment have proportional impact on the vulnerability. 0 < m < 1gives a disproportional advantage of investing less than one’s opponent. m>1 gives a disproportional advantage of investing more effort than one’s opponent.

+ m=0 , vulnerability = 50%+ m=∞ gives a step function where “ winner-takes-all”.+ The parameter m is a characteristic of the contest which

can be illustrated by the history of warfare.

2011/3/28

16

PROBLEM FORMULATION

+ In the case when the attacker distributes its resource R among k links the link vulnerability takes the form

(2)

+ If the attacker attacks k links, it succeeds to destroy exactly j links with probability

(3)

1( )1 ( / )

m

m m m

yv ky z zk R

( ) ( ) (1 ( ))j k jj

kq k v k v k

j

2011/3/28

17

PROBLEM FORMULATION

+ The probability that the network falls apart into f disconnected clusters as a result of destruction of j randomly chosen links be p(j,f), and the damage associated with the network falling apart into f disconnected clusters be d(f).

+ The expected damage D(k) in the case of attack against k randomly chosen links is

(4)

where F is the maximal number of clusters, which is equal to the number of terminals.

0 2

( ) ( ) ( , ) ( )k F

jj f

D k q k p j f d f

2011/3/28

18

PROBLEM FORMULATION

+ If the defender knows the distribution of k, ε(i)=P(k=i), It can evaluate the total expected damage as

(5)

+ When the defender has no information about the distribution of k, it assumes that the attacker acts completely at random and can choose k from 1 to L with equal probability. The expected damage is

(6)

1 1 0 2

( ) ( ) ( ) ( ) ( , ) ( )L L i F

ji i j f

i D i i q i p j f d f

1

1 ( )L

i

D iL

2011/3/28

19

AGENDA


2011/3/28

20

MULTI-DIMENSIONAL D-SPECTRUM

+ By network N=(V,E,T) we denote an undirected graph with a node-set V, |V|=n, an edge-set E,|E|=L, and a set of special nodes called terminals, |T|=F.

+ If all nodes of the network are connected to each other directly or indirectly, the network N is called connected.

V

2011/3/28

21


+ For example, N has 4 nodes V=(a,b,s,t), two terminals t=(s,t), 2 edges E={(a,s),(b,t)}. Obviously, N is not connected, it has two components, and each of them is a cluster.

s

a

b

t

2011/3/28

22


+ The network can be only in two states UP and DOWN, where the UP state takes place if and only if all terminals of the network are connected to each other by the elements which are in the UP state. Otherwise, the network is DOWN.

+ In this paper we split the DOWN state into several sub-states according to the number of disconnected clusters in the network. When F=|T|=3.– UP => number of cluster=1– DOWN2 => number of cluster=2– DOWN3 => number of cluster=3

2011/3/28

23


+ Definition 1. Let be a permutation of network links. Suppose initially that they all are UP. Start turning them from UP to DOWN by moving π from left to right.

+ Fixed the first element when the network state become DOWN 2 => ,called the second anchor.

+ Fixed the first element when the network state become DOWN 3 => ,called the third anchor.

+ Define the probability the probability of the event A(i,j) = {r2

=i, r3=j} as

(7)

1 2( , ,....., )

Li i ie e e

rie

2 ( )ri

r e

gie

3( )gi

r e

2 3,

# ( )( ( , ))

!i jof permutations with r i and r j

w P A i jL

2011/3/28

24


+ Definition 2. The two-dimensional discrete density function d ={wi,j}, i,j = 1,2,….,L , is called network two-dimensional destruction spectrum(D-spectrum).

+ Definition 3. The marginal distribution of the first component of the D-spectrum is called the second spectrum, and is called the third spectrum.

+ and for k=1,…,L are called the second and the third cumulative spectra of the network.

+ U2(L) = U3(L) = 1

1 2{ , ,..., }Lu u u u

1 2{ , ,..., }Lg g g g

21

( )k

ii

U k u

31

( )k

ij

U k g

2011/3/28

25


+ The total number of permutations of L=4 links is 4!=24.

+ u1=0,u2=5/6,u3=1/6,u4=0 + g1=0,g2=0,g3=3/6,g4=3/6+ U2(1)=0,U2(2)=5/6, U2(3)=U2(4)=1+ U3(1)=U3(2)=0, U3(3)=1/2,U3(4)=1

(3,4) 4 permutations (2,4) 8 permutations (2,3) 12 permutations

1,4,2,3 1,2,4,3 1,2,3,4

w3,4 = 1/6 w2,4 = 2/6 w2,3 = 3/6

2011/3/28

26


+ Remark 1. The standard reliability theory deals mostly with binary systems consisting of binary components. The system has only one DOWN state, its D-spectrum becomes a one-dimensional distribution.

+ Gertsbakh and Shpungin and Samaniego considered the case of i.i.d. continuous component lifetimes Xi, i=1,…,k and defined the r-th element of the signature as the probability that system failure coincides with the r-th order statistic in a sample of X1,X2,…,Xk.

+ The considered two-dimensional signature is an extension of the one-dimensional situation.

2011/3/28

27


+ Denote by p(j,f) the probability that elimination of exactly j links causes network disintegration into f clusters. The principal probabilities which we need in the context of the present paper take the following form:

(8)2 3( , 2) ( ,3) ( ); ( ,3) ( )p j p j U j p j U j

2011/3/28

28


+ Remark 2. Suppose that all network links have i.i.d. continuous lifetime τ with cumulative distribution function (CDF) Q(t). Let τnet be the random network lifetime, Denote by Qnet(t) its CDF. The probability that a link is UP at time t0. We can get:

(9)

where Q(j)(t0) is the CDF of the j-th order statistic from the random sample of link lifetimes τ1, τ2,…, τL.

0 ( ) 01

( ) ( )L

net j jj

Q t u Q t

2011/3/28

29


+ Substituting into(9) the well-known expression for Q(j)(t0) and rearranging the terms in the sum, can get:

(10)

where

(11)

+ From (10) it follows that C(j) is the number of network failure sets with exactly j links being down. Therefore, (11) implies that the ratio of the number of all j-link failures sets to the total number of randomly chosen sets of j links out of L, equals U3(j).

( )0

1

( ) ( )(1 )L

j L jnet

j

P t C j p p

2( ) ( )L

C j U jk

2011/3/28

30

AGENDA


2011/3/28

31

F>3 CLUSTERS IN THE NETWORK

+ When F>3, the system has states UP and DOWN J, J=2,3,…,F, where DOWN J is the state with J clusters, having J-th anchor rJ(π).

+ We can get the J-th cumulative spectrum of the network

+ It is easy to derive that

(12)

( , ) ( , 1) ... ( , ) ( ), 2,...,Jp x J p x J p x F U x J F

1( , ) ( ) ( ), 2,...,J Jp x J U x U x J F

2011/3/28

32

F>3 CLUSTERS IN THE NETWORK

+ The calculation of he spectrum is an NP-hard combinatorial problem. We suggest using a Mont Carlo procedure for its numerical estimation.

+ The most time consuming step of the procedure is checking the number of clusters in the network after a link is being erased. To do it efficiently, the so-called disjoint set structure is used.

2011/3/28

33

+ Using DSS takes O(L*logL)on each step, so the algorithm complexity as O(M*L*logL).

2011/3/28

34

AGENDA


2011/3/28

35

ILLUSTRATIVE EXAMPLE: ATTACK AND DEFENSE OF A NETWORK

+ 17nodes, 3terminals, 34links+ Two and three clusters caused

defender damage d(2)=1000, d(3)=3000.

+ Defender can add four additional links to enhance the network connectivity.

2011/3/28

36


2011/3/28

37


z/R=0.01

2011/3/28

38


+ Assume that the defender can spend the same budget that is needed for adding four links on enhancing protection of all the links.

+ The cost of the protection effort unit is c and the defense budget B can be use d for increasing the protection effort. The defender’s per-link protection effort z increases from z0 to z0+B/c, which causes the increase of effort ratio from z0/R to z0/R+B/cr=z0/r+1/c*, where c*=cr/B is the normalized cost of protection effort unit.

2011/3/28

39


+ With increase of the contest intensity the influence of the protection on the link vulnerability and damage increase, which makes the link protection option more beneficial for greater values of the

protection cost.

+ Bold lines- protection enhancement+ Thin lines- addition of four links.

2011/3/28

40


+ To evaluate the effectiveness of a mixed defense strategy with both links addition and protection enhancement, considering the case when the defender splits its budget evenly between the two types.

+ F (3,11) (7,10)+ G (3,11) (2,15)+ H (5,8) (7,10)

2011/3/28

41


+ The protection effort increases from z0 to z0+B/(2c).

2011/3/28

42

AGENDA


2011/3/28

43

CONCLUSION

+ The paper suggests a computationally effective algorithm for evaluating the damage inflicted to interconnected networks by intentional attack on randomly chosen links.

+ The suggested algorithm is based on a multi-dimensional spectra approach.

+ The presented method allows analysts to evaluate and compare different options.

+ The presented example of a network with three terminals illustrates the practical methodology of choosing the most effective defense strategy.

2011/3/28

44

THANKS FOR LISTENING

2011/3/28

Documents

Advisor: Yeong -Sung Lin Presented by Chi-Hsiang Chan