Adviser : Frank , Yeong - Sung Lin Present by Jason Chang

Optimal Resource Allocation for Protecting System Availability against Random Cyber

AttackInternational Conference Computer Research and Development(ICCRD) , 2011

3rd

Li Wang

Adviser: Frank , Yeong - Sung LinPresent by Jason Chang

1

AgendaIntroductionRelated WorkSystem Model and AssumptionsProblem FormulationDetermine the Optimal SolutionExperimentationConclusion

2


3

IntroductionMany distributed system provide service with

different level of criticalities , loss of core service often results in catastrophic consequences.

The time duration in which the system is operating is also the time duration in which attacks make their effort to breach the system.

Under limited resources , how to ensure the availability of system core service within that time duration is a challenging issue.

4

IntroductionFor an attacker , the time to compromise a

system component depends on the component’s vulnerabilities and the attacker skill level.

Therefore , in order to increase system availability , it is advisable to ：extend the time needed by the attacker to

compromise the componentdecrease the probability that critical core

components are attacked

5

IntroductionIn general , there are three commonly used

approached to improve system availability ：component protection enhancement

prevent the attacker from exploiting component’s vulnerabilities and detect external attacks in early stage

creation of redundant componentsthe total time needed to compromise the system is prolonged

introducing camouflage of componentsdecrease the probability that genuine components being attacked

6

IntroductionOur current work is based on the assumption that some

type of technology , such as the one proposed by Wang et. al.[28] , is used and attackers only execute random attack strategy.

In particular , we consider a situation where the defender is allowed to apply the three approaches mentioned before to protect a distributed system but with only limited resources.

We formulate this attacker-defender problem as a defender’s optimization problem and present an algorithm to optimally distribute resources so as to obtain maximum system availability.

7


8

Related WorkDiffers from other referenced papers in two

aspects ：attacker’s model

given a fixed amount of time to compromise the system

defender’s modelconsider a combination of protection approaches that require system configuration change and that do not require system configuration change

9

Related WorkDiffers from Levitin’s work from three aspects ：

The system models are different

The attacker has no idea about the defender’s resource

The probability to compromise a component depends on the

attack-time units and component protection status

10


11

System Model and Assumptions

We assume that ： The criticality of system services varies , and the components

which are to provide critical services are called core components.

Service will not be maintained if its components fails.

Failure of any core service results in system failure.

Only one defensive approach can be applied to a component.

Components are independent of each other.

Attacker uses random attack strategy and can only attack one component at each time unit.

12


D the time units that the system required to provide all the core services

R the total amount of resources that can be used to enhance the system availability

cpthe cost for applying protection approach

crthe cost for applying replication approach

cfthe cost of creation one camouflaged component

13


n the total number of components

m the number of core components

npthe number of protected components

nfthe number of camouflaged components

nrthe number of redundant components

r the creation of redundant component for each nr

14


t1protected components required more than t1 time units to be compromised

t0unprotected components required more than t0 time units to be compromised

15


16

Problem FormulationThe distributed system is originally composed of

n components which are denoted as 。Defender’s resource R is distributed among

camouflaged components(nf) , protected components(np) , and the creation of r redundant components for each redundant components(nr).

The total number of components on which the redundancy approach or protection approach are applied should be no more than the total number of core components.

(1 i n)iX

17

Problem FormulationWe can formulate the attacker - defender problem

using the balls-and-bins model.The number of balls in a specific bin follows the

Poisson Distribution.The probability that a component will be attacked

k time units is ：

where Yi refers to the attack-time unit on a specific component Xi , and /D N * np r fN n r n

18

Problem FormulationAs component failures are assumed to be

independent of each other , the system availability can be represented as ：

where represents the probability that components Xi is operational

( )P Xi

19

Problem FormulationAs protected components require more than t1

attack-time units to be compromised , the probability that the protected component is operational is ：

When a redundancy approach is applied to the component , there will be components in total . Therefore , the probability that the composite component is operational is ：

1r

20

Problem FormulationIn addition , when the component is neither

protected nor replicated , its probability of being operational is ：

21

Problem FormulationThere are np components under protection and

nr components have redundant components. Thus , no defensive approach is applied on

core components.Therefore , the availability of system is ：

p rm n n

22

Problem FormulationAccording to the Poisson Distribution ：

Therefore , we have ：

where and /D N * np r fN n r n

23

Problem FormulationThe defender’s total resources are R , and

. Moreover , np , nr , and nf must be a non-negative integer.

Thus , the attacker-defender problem is a nonlinear integer programming problem in essence , and it can be expressed as ：

p rn n m

24


25

Determine the Optimal Solution

The optimal defensive strategy is to choose np , nr , and nf that maximizes the system availability.

Moreover , based on Equation 9 , we know that the system availability function is nonlinear , nonseparable , and nonconvex.

In [4] , Chern proved that the reliability redundancy optimization problem , even in a series system with two constraints , are NP-hard.

26


Existing methods for solving nonlinear integer programming problems are mainly separated into three categories ：heuristic

greatly decrease the computational complexityapproximations

performance depends on the system structureglobal optimization methods

guarantee the optimal solution , but the complexity is relatively high

27


Global optimization methods ：Dynamic programming

not applicable to nonseparable problem nor suitable for problem with more than two constraints

Branch-and-boundare used to solve problems with a large search space , but the effectiveness of a branch-and-bound procedure relies on the sharpness of the bound

Implicit enumerationvery suitable for problems of small scale and with few variants

28


Ex ：R=600 , D=100 , cf=20 , cr=50 ,

cp=30 , t1=5 , t0=3 , n=30 , m=10

r=1Result ：Maximum system availability is 0.77 where nf=15 , nr=0 , np=10

29


30

ExperimentationExperiment 1 ： the available resources are not

fixed

31

Experimentation Available resource is low.

Available resource increase.

Available resource reaches 1000

32

Experimentation Experiment 2 ： the total attack time units are not fixed

Total attack time is under 60.

Total attack time is over 70.

33

Experimentation Experiment 3 ： the amount of core components begin with 1 and

increase by 2 in the next round.

Core components is less than 13.

Core components is between 15 and 19.

Core components exceeds 21.

34


35

ConclusionThree sets of experiments are performed to

investigate the relationship between ：available resources and system availability ,

resources and resources allocations strategies

attack time and resources allocation strategies

resource allocation strategies and the number of core components

36

ConclusionIn this paper , we did not consider the cost the

attacker accrues when attacking different components in the next time unit.

If take into consideration , the optimal problem may be view from two different perspectives ：attacker’s perspective

how frequently to switch to another componentdefender’s perspective

analyze the attacker’s strategy , and take countermeasures to minimize the system damage

37

Thanks for your listening

38

Documents

Adviser : Frank , Yeong - Sung Lin Present by Jason Chang