Research Direction Introduction


Reference paper: R. Peng, G. Levitin, M. Xie, S.H. Ng, "Defending simple series and parallel systems with imperfect false targets".

Advisor: Yeong-Sung Lin
Presented by: I-Ju Shih

Date: 2011/10/25

Agenda
- Introduction
- Network Survivability
- Problem Description

Introduction

Game theory
Game theory is a way to analyze the interaction among a group of rational agents who behave strategically. Game theory has been successfully applied in many areas, such as competition, biology, economics, political science, computer science and military strategy.

Finitely repeated game
In recent years, game theory has been applied to many network security problems. In the real world, attackers and defenders interact repeatedly over time, so the interaction between attacker and defender can be viewed as an N-period game.

Non-cooperative game
Games are classified into two major classes: cooperative games and non-cooperative games. In the context of information security, a cyber attacker would not cooperate with the network defender.

Incomplete information
In traditional non-cooperative games it is assumed that:
1. The players are rational.
2. There are no enforceable agreements between players.
3. The players know all the data of the game.
However, real game situations may involve other types of uncertainty: the players may lack complete information about the other players, or even about themselves.

Sequential game
Most past literature has focused on sequential games in which the defender moves first, since the network defender is then able to deter the cyber attacker or shift the attack to an unimportant target.

High availability
Users want their systems, for example hospitals, airplanes or computers, to be ready to serve them at all times. High availability (HA) is a system design approach and associated service implementation that ensures a prearranged level of operational performance will be met during a contractual measurement period.

High availability (HA) clusters operate by harnessing redundant computers in groups or clusters that provide continued service when system components fail. HA clusters can sometimes be categorized into one of the following models:
- Active/active
- Active/passive
HA cluster implementations attempt to build redundancy into a cluster to eliminate single points of failure.

Network Survivability
- ADOD (Average Degree of Disconnectivity)
- DOD (Degree of Disconnectivity)
- Contest success function

DOD
The DOD (Degree of Disconnectivity) metric can be used to measure the degree of damage to a network.
Definition

DOD example
Network with nodes 1, 2, 3, 4 (figure). OD pairs = the six OD pairs shown in the figure, with the following routes (alternative route of equal length in parentheses):

Route
1, 2
1, 3
1, 2, 4 (1, 3, 4)
2, 4, 3 (2, 1, 3)
2, 4
3, 4

DOD = 3/6
Route                  Number of broken nodes
1, 2                   1
1, 3                   1
1, 2, 4 (1, 3, 4)      1
2, 4, 3 (2, 1, 3)      0
2, 4                   0
3, 4                   0

DOD = 6/6
Route                  Number of broken nodes
1, 2                   2
1, 3                   1
1, 2, 4 (1, 3, 4)      1
2, 4, 3 (2, 1, 3)      1
2, 4                   1
3, 4                   0

DOD = 10/6
Route                  Number of broken nodes
1, 2                   2
1, 3                   2
1, 2, 4 (1, 3, 4)      2
2, 4, 3 (2, 1, 3)      2
2, 4                   1
3, 4                   1

DOD = 14/6
Route                  Number of broken nodes
1, 2                   2
1, 3                   2
1, 2, 4 (1, 3, 4)      3
2, 4, 3 (2, 1, 3)      3
2, 4                   2
3, 4                   2

The larger the DOD value, the greater the degree of damage to the network.

Contest success function (CSF)
Skaperdas, S., 1996. Contest success functions. Economic Theory 7, 283-290.
Definition
T: the attacker's budget
t: the defender's budget
m: contest intensity
S: attack success probability

ADOD example
Node state                  Attack success probability (S)   DOD    S * DOD
no node compromised         (1-S1)(1-S2)(1-S3)(1-S4)         0      0
node 1 compromised          S1(1-S2)(1-S3)(1-S4)             3/6    3/6 * S1(1-S2)(1-S3)(1-S4)
all four nodes compromised  S1 S2 S3 S4                      14/6   14/6 * S1 S2 S3 S4

ADOD (Average Degree of Disconnectivity)
The larger the Average DOD value, the greater the degree of damage to the network.

Problem Description

Defender versus Attacker: information
1. Common knowledge: the information is known to both.
2. Defender's private information (e.g. node valuation, node type, network topology): the defender knows all of it; the attacker knows part of it.
3. The defender's other information (e.g. system vulnerabilities): the defender does not know it before the game starts; the attacker knows part of it.

Defender versus Attacker: budget
1. Based on the importance of a node: defender - defense; attacker - attack.
2. On each node: defender - releasing a message; attacker - updating information.
3. Reallocated or recycled: defender - yes, but at extra cost; attacker - no.
4. Reward: defender - no; attacker - yes: if the attacker compromises a node, the node's resources can be controlled by the attacker until the defender has repaired it.
5. Repairing a node: defender - yes; attacker - no.
6. Resource accumulation: yes, but the accumulated resource is discounted.

Defender versus Attacker: other characteristics
- Immune benefit: defender - yes, the defender can update her information about system vulnerabilities after attacks; attacker - no.
- Rationality: defender - full or bounded rationality; attacker - full or bounded rationality.

Objective
Network survivability is measured by ADOD. The game has two players: an attacker (he, A) and a defender (she, D).
Defender:
- Objective: minimize the damage to the network (ADOD).
- Budget constraint: deploying the defense budget on nodes, repairing compromised nodes, and releasing messages on nodes.
Attacker:
- Objective: maximize the damage to the network (ADOD).
- Budget constraint: deploying the attack budget on nodes and updating information.
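The DOD tables, the ADOD expectation and the defender-first objective above, worked through as an added Python example (this code is not from the slides or from the cited paper). It assumes a 4-node ring topology with edges 1-2, 1-3, 2-4 and 3-4, inferred from the routes listed in the DOD tables; reads the DOD rule off those tables (for each OD pair, take the shortest route with the fewest broken nodes, endpoints included, and divide the sum of the counts by the number of OD pairs); and assumes the common ratio form S = T^m / (T^m + t^m) for the contest success function, since the slide gives only the variable names. The integer budgets in the one-round game are constructed values.

```python
"""DOD, ADOD, contest success function and a defender-first game.
Added example; topology, budgets and the CSF form are assumptions."""
from collections import deque
from itertools import combinations, product

# Constructed 4-node ring inferred from the routes in the DOD tables:
# edges 1-2, 1-3, 2-4, 3-4.
EDGES = [(1, 2), (1, 3), (2, 4), (3, 4)]

def adjacency(edges):
    adj = {}
    for a, b in edges:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj

def shortest_paths(adj, src, dst):
    """All hop-minimal simple paths src -> dst (BFS layering, then DFS)."""
    dist = {src: 0}
    queue = deque([src])
    while queue:
        u = queue.popleft()
        for v in adj[u]:
            if v not in dist:
                dist[v] = dist[u] + 1
                queue.append(v)
    paths = []
    def walk(u, path):
        if u == dst:
            paths.append(path)
            return
        for v in adj[u]:
            if dist.get(v) == dist[u] + 1:
                walk(v, path + [v])
    if dst in dist:
        walk(src, [src])
    return paths

def dod(adj, broken):
    """DOD as the slide tables compute it: per OD pair, the shortest route
    with the fewest broken nodes (endpoints included); counts are summed
    and divided by the number of OD pairs."""
    pairs = list(combinations(sorted(adj), 2))
    total = 0
    for o, d in pairs:
        routes = shortest_paths(adj, o, d)
        if not routes:
            raise ValueError("topology must be connected")
        total += min(sum(1 for n in r if n in broken) for r in routes)
    return total / len(pairs)

def csf(T, t, m):
    """Attack success probability S. Assumed ratio form T^m / (T^m + t^m);
    no attack effort gives S = 0 (assumption that also covers T = t = 0)."""
    if T <= 0:
        return 0.0
    return T ** m / (T ** m + t ** m)

def adod(adj, success):
    """Average DOD: DOD weighted over all 2^n node states; a state has
    probability prod(S_i, compromised i) * prod(1 - S_i, intact i)."""
    nodes = sorted(adj)
    expected = 0.0
    for state in product((False, True), repeat=len(nodes)):
        prob, broken = 1.0, set()
        for n, compromised in zip(nodes, state):
            prob *= success[n] if compromised else 1.0 - success[n]
            if compromised:
                broken.add(n)
        expected += prob * dod(adj, broken)
    return expected

def allocations(total, n):
    """Every split of `total` integer budget units over n nodes."""
    if n == 1:
        yield (total,)
        return
    for first in range(total + 1):
        for rest in allocations(total - first, n - 1):
            yield (first,) + rest

def defender_first_game(adj, defense_budget, attack_budget, m):
    """One round of the sequential game: the defender allocates first to
    minimise ADOD, the attacker observes it and allocates to maximise ADOD.
    Returns (ADOD, defender allocation, attacker best response)."""
    nodes = sorted(adj)
    best = None
    for d in allocations(defense_budget, len(nodes)):
        worst = None
        for a in allocations(attack_budget, len(nodes)):
            S = {n: csf(a[i], d[i], m) for i, n in enumerate(nodes)}
            value = adod(adj, S)
            if worst is None or value > worst[0]:
                worst = (value, a)
        if best is None or worst[0] < best[0]:
            best = (worst[0], d, worst[1])
    return best

ADJ = adjacency(EDGES)

if __name__ == "__main__":
    for broken in ({1}, {1, 2}, {1, 2, 3}, {1, 2, 3, 4}):
        print(sorted(broken), "DOD =", round(dod(ADJ, broken), 3))
    print(defender_first_game(ADJ, defense_budget=3, attack_budget=3, m=1))
```

Running the file reproduces the four DOD values from the tables (3/6, 6/6, 10/6, 14/6) and then prints the minimax outcome of a small one-round game. The defender-first search is a brute-force enumeration of integer allocations, which is enough to show the objective on the slide but not meant for realistic budget sizes.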

Defender's characteristics - private information (defender's view)
The defender has private information, including each node's valuation, each node's type and the network topology (figure).

Defender's characteristics - private information (attacker's view)
The defender has private information, including each node's valuation, each node's type and the network topology (figure, showing which parts the attacker knows).

Defender's characteristics
- Effective resources: t^m.
- Resource reallocation, recycling and accumulation.
- Each node's type.
- Bounded rationality.
- High availability system.

Attacker's characteristics
- Attacker's private information: the attacker's budget and information the defender does not know.
- Effective resources: T^m.
- Resource growth: the attacker can increase his resources when he compromises network nodes.
- Resource accumulation.
- Bounded rationality.

Defender's action
In each round, the defender moves first, determines her strategy, and chooses a message for each node, which may be truth, deception or secrecy.

Message releasing
Message releasing can be classified into two types:
- Type 1: a node's information is divided into parts, and the defender releases a message about a part.
- Type 2: the defender releases a node's defensive state as a message to the attacker.

Message releasing - type 1
The defender chooses a part of a node's information and, according to her strategy, releases a truthful message, a deceptive message, or keeps it secret.

Message releasing - type 1 example
The defender chooses:
1. A truthful message if and only if message = actual information;
2. Secrecy if and only if the message is kept secret;
3. A deceptive message if and only if message ≠ actual information.

Defender's actual information about the node: OS: Linux; FTP: Filezilla server; DB: MySQL.
Cost: Deceptive message > Secrecy > Truthful message.
First message (truthful): OS: Linux; FTP: Filezilla server; DB: MySQL.
Second message (OS deceptive, DB kept secret): OS: Win 7; FTP: Filezilla server; DB: unknown.

Message releasing - type 1 scenario (defender's view in each round; figure, shown for two rounds)
Legend:
- The defender chose the part of information on which to release a truthful message.
- The defender chose the part of information on which to use deception.
- Keep the node's part of information secret.

Message releasing - type 2
The defender releases a different message, which may be truth, deception or secrecy, on each node as a mixed strategy.

Message releasing - type 2 scenario (figure; defender's view in each round, shown for four rounds, then the attacker's view in each round)
Legend:
- The defender's actual strategy: defense resource on node i.
- The defender's message: defense resource on node i.
- Keep the defender's actual strategy secret.

The effect of deception/secrecy
The effect of deception or secrecy is discounted if the attacker knows part of the defender's private information.
The effect of deception or secrecy is zero if the attacker knows something that the defender does not know.

Immune benefit
Although the attacker may know something that the defender does not know, the defender can update her information after observing the result of each round's contest. Once the defender has updated her information she gains an immune benefit, meaning that the attacker is no longer able to use the identical attack.

Defender's resources
From the defender's view, the budget can be reallocated or recycled, but a discount factor applies. The defender can accumulate resources to decrease the attack success probability when defending network nodes in the next round.

Defender's resources example - type 2 scenario (figure)
Legend:
- The defender's actual strategy: defense resource on node i.
- The defender's message: defense resource on node i.
- Keep the defender's actual strategy secret.
- Defender resources marked as recycled, reallocated, reallocated.

Attacker's information
The attacker knows only part of the network topology. The attacker can update his information after observing the result of each round's contest and the defender's messages.

Attacker's resources
The attacker can accumulate experience to increase the attack success probability when compromising network nodes in the next round. The attacker can also increase his resources when he compromises network nodes.

Attacker's resources example - type 2 scenario (figure)
In the first round, the attacker puts 3 units of attack budget into collecting information about node i. In the second round, the attacker puts 6 units of attack budget into attacking node i. Total attack resource = 3 * discount rate + 6.

Legend (as on the type 2 scenario figures):
- The defender's actual strategy: defense resource on node i.
- The defender's message: defense resource on node i.
- Keep the defender's actual strategy secret.

Network topology
Consider a complex system with n nodes in series-parallel. A node consists of M components, which may be different or identical (M ≥ 1).

A node's composition can be classified into two types:
- A node with a backup component.
- A k-out-of-m node.

The relationship between nodes can be classified into three types:
- Independent: a node can function on its own.
- Dependent: when a node is destroyed, the node that depends on the destroyed node is also destroyed.
- Interdependent: when a node is destroyed, the node interdependent with the destroyed node is also destroyed, and vice versa.
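The node composition and relation types just listed, as an added Python example that is not part of the slides: a k-out-of-m rule for a node's own components (a node with one backup component is the case k = 1, m = 2), and failure propagation through dependent and interdependent relations computed as a fixpoint over the destroyed set. The component states and relations used are constructed; the representation of the relations as a dictionary and a pair list is this example's own choice.

```python
"""Node composition (k-out-of-m) and failure propagation between nodes.
Added example; the node data and relations below are constructed."""

def node_functions(k, components):
    """A k-out-of-m node works when at least k of its m components are up.
    A node with a single backup component is the case k = 1, m = 2."""
    return sum(1 for up in components if up) >= k

def propagate(destroyed, dependent_on, interdependent):
    """Close a destroyed-node set under the two relation types.
    dependent_on[x] = y: x is destroyed whenever y is (one direction).
    interdependent: (x, y) pairs that are destroyed together, either way.
    Independent nodes appear in neither structure and are never pulled down."""
    fallen = set(destroyed)
    changed = True
    while changed:                       # iterate to a fixpoint
        changed = False
        for x, y in dependent_on.items():
            if y in fallen and x not in fallen:
                fallen.add(x)
                changed = True
        for x, y in interdependent:
            if (x in fallen) != (y in fallen):
                fallen.update((x, y))
                changed = True
    return fallen

def destroyed_nodes(node_components, dependent_on, interdependent):
    """Nodes whose own components fail the k-out-of-m rule, plus every node
    brought down through dependence or interdependence.
    node_components maps node -> (k, [component up/down flags])."""
    direct = {n for n, (k, comps) in node_components.items()
              if not node_functions(k, comps)}
    return propagate(direct, dependent_on, interdependent)

# Constructed scenario: node 1 has a backup (1-out-of-2) with one component
# down, nodes 2 and 3 are 2-out-of-3, node 4 is a single component, node 5
# is independent of everything else.
SAMPLE_NODES = {
    1: (1, [False, True]),
    2: (2, [True, False, True]),
    3: (2, [False, False, True]),
    4: (1, [True]),
    5: (1, [True]),
}
SAMPLE_DEPENDENT = {2: 3}          # node 2 depends on node 3
SAMPLE_INTERDEPENDENT = [(1, 2)]   # nodes 1 and 2 fail together

if __name__ == "__main__":
    print(sorted(destroyed_nodes(SAMPLE_NODES, SAMPLE_DEPENDENT,
                                 SAMPLE_INTERDEPENDENT)))
```

In the constructed scenario only node 3 fails on its own components, but the dependent relation takes node 2 down with it and the interdependent pair then takes node 1, while nodes 4 and 5 survive; the destroyed set is the input a DOD computation would take as its broken nodes.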


Thank you for listening.

Figure legend for the defender's information diagram (defender's characteristics, private information slides):
- Defender's private information: the attacker does not know the information / the attacker knows part of the defender's private information.
- Information unknown to the defender: the attacker knows part of the information / the attacker does not know the information.
- Common knowledge.
