S

Research Direction IntroductionAdvisor: Professor Frank, Y.S. Lin

Presented by Yu Pu Wu

Agenda

Introduction

Problem description

Scenario

Definition of Survivability

We define survivability as the capability of a system to fulfill its mission, in a timely manner, in the presence of attacks, failures, or accidents. We use the term system in the broadest possible sense, including networks and large-scale systems of systems. [1]

[1] R. J. Ellison, D. A. Fisher, R. C. Linger, H. F. Lipson, T. Longstaff, and N. R. Mead, “Survivable Network Systems: An Emerging Discipline,” Technical Report CMU/SEI-97-TR-013, November 1997.(Revised: May 1999 ）

Defense strategies Honeypot

Existing Classifications Lure Defend (deception& intimidation ) Study

[2] H. Debar, F. Pouget, and M. Dacier, “White Paper: “Honeypot, Honeynet, Honeytoken: Terminological issues”,” Institut Eurécom Research Report RR-03-081, 2003

Defense strategies Honeypot

Level of interaction classification Low-Interaction Mid-Interaction High-Interaction

[3] H. Debar, F. Pouget, and M. Dacier, “White Paper: “Honeypot, Honeynet, Honeytoken: Terminological issues”,” Institut Eurécom Research Report RR-03-081, 2003

Defense strategies Honeypot

The objective of a false target is to distract or conceal something that someone else may search for (to gain access to, control, destroy, etc.)

[4] G. Levitin, and K. Hausken, “False targets efficiency in defense strategy,” European Journal of Operational Research, Vol. 194, Issue 1, Pages 155-162, 1 April

Defense strategies Rotation

[5] Y. Huang, D. Arsenault, and A. Sood, “Closing Cluster Attack Windows Through Server Redundancy and Rotations”, Proc. IEEE CGRIDW'06.

Defense strategies Rotation

Outrunning Component Failures, which replicates key application components and intelligently places new replicas on suitable hosts upon noticing failures.

Attack Containment, which isolates host intrusions and network based distributed denial of service attacks and stops their propagation.

Continuous Unpredictable Changes, which tries to put strict time constraints on the usefulness of obtained attack information by constantly changing unpredictably.

[6] M. Atighetchi, P. Pal, F. Webber, and C. Jones, “Adaptive Use of Network-Centric Mechanisms in Cyber-Defense”, BBN Technologies LLC.

Agenda

Introduction

Problem description

Scenario

Collaborative Attacks

Attack Strategies

Compromise Pretend to Attack

Test Reaction Take Opportunity

[8] S. Braynov and M. Jadliwala, “Representation and Analysis of Coordinated Attacks”,” FMSE'03, 2003,

Risk Avoidance & Risk Tolerance

Risk Avoidance Compromise

Risk Tolerance Pretend to Attack

Period, P

N ： The total numbers of nodes in the Defense Networks.

F ： The total numbers of node which is compromised in the Defense Networks.

If N is 100 and F is 10, the Period will be 90%.

Success Rate, SR

Success Rate (SR) = Risk Avoidance Compromised / Risk Avoidance Attacks

Risk Avoidance - Compromise Nodes ： 10 Risk Tolerance - Pretend to Attack ： 5 Compromised Successfully ： 6

( 3 Compromise Nodes ： 3 Pretend to Attack) Success Rate = 30%

Stage & Risk Attackers

N = 100Risk Avoidance(P, N - F / N)

Risk Tolerance(1-P, F / N)

Early StageF = 5 Most (95%) Rare (5%)

Late StageF = 40 Part (60%) Part (40%)

Early Stage

Early StageCriteria

High Defense Resource

Low Defense Resource

High TrafficLow Traffic

Late Stage

Late Stage

Selection Criteria

High Traffic & Low Defense Resource

No. of Attackers

Number of Attackers

M ： Number of selected candidates M = 4, Period = 99%, Success Rate = 100%

Risk Avoidance ： 6 Risk Tolerance ： 0 M = 25, Period = 80%, Success Rate = 0%

Risk Avoidance ： 6 Risk Tolerance ： 0

Choose Ideal Attackers

Attack Energy Budget & Capability

Corresponding Defense Resource for Each Attacker Aggressiveness Attack Energy

m

m m

TT t

Choose Ideal Attackers

Example Choose Ideal Attacker 100 Defense Resource

90 ~ 110 Corresponding Defense Resource Appropriate Aggressiveness Lower Bound (50%, 0%)

If Success Rate (SR) is low, raise the Lower Bound. If Success Rate (SR) is high, reduce the Lower

Bound.

Fake Traffic

Fake Traffic

Fake Traffic

Fake Traffic

Dynamic Topology Reconfiguration

Dynamic Topology Reconfiguration

Dynamic Topology Reconfiguration

Dynamic Topology Reconfiguration

Virtual Machine

Virtual Machine Virtual Machine Monitor Local Defense Effect

Core Node could be one of the Virtual Machines. If VMM was compromised, all of its VM would be

compromised, too.

Agenda

Introduction

Problem description

Scenario

Scenario

7

Core Node Compromised False Target Next Hop

Defense Resource Fake Traffic False Target & Fake Traffic Insider

7

9

9

45

5

8

3

A

B

C

D

E

F

G

H

I

J

K

L

M

N

O

7

9

9

45

5

8

3

A

B

C

D

E

F

G

H

I

J

K

L

M

N

O

7

9

9

45

5

8

D

A

B

C

D

E

F

G

H

I

J

K

L

M

N

O

7

9

9

C5

5

8

D

A

B

C

D

E

F

G

H

I

J

K

L

M

N

O+2

+2

C

7

9

9

5

5

8

D

A

B

C

D

E

F

G

H

I

J

K

L

M

N

O+2

+2

7

9

9

B5

5

8

D

A

B

C

D

E

F

G

H

I

J

K

L

M

N

O+2

+2

7

9

9

B5

A

8

D

A

B

C

D

E

F

G

H

I

J

K

L

M

N

O+2

+2

7

9

9

B5

A

8

D

A

B

C

D

E

F

G

H

I

J

K

L

M

N

O+2

+2

9

9

7

B5

A

8

D

A

B

C

E

D

F

G

H

I

J

K

L

M

N

O+2

+2

9

9

7

B5

A

5

D

A

B

C

E

D

F

G

H

I

J

K

L

M

N

O+2

+2

9

9

7

B5

A

8

D

A

B

C

E

D

F

G

H

I

J

K

L

M

N

O+2

+2

S

9

7

BB

A

8

D

A

B

C

E

D

F

G

H

I

J

K

L

M

N

O+2

+2

S

9

7

BB

A

8

D

A

B

C

E

D

F

G

H

I

J

K

L

M

N

O+2

+2

S

9

7

BB

A

8

D

A

B

C

E

D

F

G

H

I

J

K

L

M

N

O+2

+2

Thanks for your attention.