
Research Direction Introduction


Advisor: Professor Frank, Y.S. Lin
Presented by Chi-Hsiang Chan
2011/11/29

Slide 2: Agenda
- Problem Description
- Mathematical Formulation

Slide 4: Problem Description
- Network survivability
- Collaborative attack
- Various defense mechanisms

Slide 5: Defender View
Special Defense Resource (SDR)
- Cost budget: VM IDS signature; Cloud security service
- Costless (impacts QoS): VMM local defense; Dynamic topology reconfiguration

Slide 6: Attacker View
- Attack network: Commander and attackers (an attack group led by a commander)
- Budget
- Initial location (Insider, Outsider)
- Capability (How well the attacker uses attack tools)
- Goal: Steal confidential information (Specific core node); Service disruption

Slide 7: Per Hop Decision (Attack Event)
- Period decision: Early stage; Late stage
- Strategy decision by criteria: Compromise -> risk avoidance; Pretend to attack -> risk tolerance
- No. of attackers: Choose ideal attackers (number of selected attack candidates)
- Aggressiveness: Attack energy; Budget; Capability (speaker notes mention a contest success function for the success rate)

Slide 8: Time Issue
- Attacker: Compromise time; Recovery time
- Defender: Signature generation; Reconfiguration impact on QoS

Slide 9: Synergy (1+1 > 2)
- Pros: Decrease the budget cost of each attacker, e.g. A (budget: 100, capability: 10), B (budget: 200, capability: 5); Less recovery time; Less compromise time
- Cons: Probability of being detected

Slide 11: Mathematical Formulation
- Objective: To minimize the maximized service compromised probability
- Given: Attackers' and defender's total budget; Cost of constructing the topology and defending resources; QoS requirement
- To be determined: Attack and defense configuration; Budget spent on each defending mechanism

Slide 12: Assumptions
1. There are multiple core nodes and services in the network.
2. Each core node can provide only one specific service.
3. Each service has a different weight, which is determined by the defender.
4. There is an SOC (security operating center) with full control of the network.
5. The defender has complete information about the network and can allocate resources or adopt defense solutions through the SOC.
6. Commanders have only incomplete information about the network (speaker notes: one hop away).
7. Only nodes with VMM-IPS have the local defense function.
8. Only nodes with VMM-IPS have the signature request function.
9. Only nodes with a cloud security agent have the cloud security function.

Slide 13: Given Parameters - Index Set
N: The index set of all nodes
C: The index set of all core nodes
L: The index set of all links
M: The index set of all levels of virtual machine monitors (VMMs)
H: The index set of all levels of cloud security services
S: The index set of all kinds of services
Q: The index set of all candidate nodes equipped with a cloud security agent

Slide 14: Given Parameters - Cost
B: The defender's total budget
w: The cost of constructing one intermediate node
o: The cost of constructing one core node
p: The cost of each virtual machine (VM)
c: The cost of setting a cloud security agent on one node

Slide 15: Given Parameters - Attacker
F_i: The number of commanders targeting the ith service, where i ∈ S
u_ij: The number of attacker subordinates in the attack group launching the jth attack on service i, where i ∈ S, 1 ≤ j ≤ F_i
v_ij: The degree of collaboration of the attack group launching the jth attack on service i, which affects the effectiveness of synergy, where i ∈ S, 1 ≤ j ≤ F_i
Figure (residue): Service 1, Service 2, Service 3; Attack groups A to E; F_1 = 3, F_2 = 5, F_3 = 2; attacker lists 1,5,8 / 2,6,7,11,17 / 4,9,12,16. Speaker notes: attack groups A, C and E target service 1, so F_1 = 3; for i = 1, j = 2 the group is C, with u_12 = 5 attackers.

Slide 16: Time / Degree of Collaboration
- Time aspect: v_ij affects the compromise time and the recovery time (speaker notes: modelled with a normal distribution)
- Cost aspect

Slide 17: Given Parameters
k_p: The maximum number of virtual machines on VMM level p, where p ∈ M
(symbol lost): The weight of the ith service, where i ∈ S
d: The ratio of defense strengthening on VMs and the VMM when local defense is activated
r_q: The ratio of defense strengthening when using cloud security service level q, where q ∈ H
E: All possible defense configurations, including defense resource allocations and defending strategies
Z: All possible attacker categories, including attacker attributes, corresponding strategies and transition rules

Slide 18: Decision Variables
(symbol lost): A defense configuration, including defense resource allocation and defending strategies on the ith service, where i ∈ S
(symbol lost): An instance of attack configuration, including attacker attributes, commander strategies and transition rules, of the commander launching the jth attack on the ith service, where i ∈ S, 1 ≤ j ≤ F_i
(symbol lost): 1 if the commander achieves his goal successfully, and 0 otherwise, where i ∈ S, 1 ≤ j ≤ F_i

Slide 19: Decision Variables
n_k: The non-deception based defense resource allocated to node k, where k ∈ N
e: The total number of intermediate nodes
q_kl: The capacity of the direct link between nodes k and l, where k, l ∈ N
g(q_kl): The cost of constructing a link from node k to node l with capacity q_kl, where k, l ∈ N
l_p: The number of VMs equipped on a level p VMM, where p ∈ M
v(l_p): The cost of a VMM of level p with l_p VMs, where p ∈ M
x_k: 1 if node k is equipped with a cloud security agent, and 0 otherwise, where k ∈ N

Slide 20: Decision Variables - Budget
B_nodelink: The budget spent on constructing nodes and links
B_general: The budget spent on allocating general defense resource (GDR)
B_special: The budget spent on deploying special defense resource (SDR)
B_virtualization: The budget spent on virtualization
B_cloudagent: The budget spent on deploying cloud agents
B_defending: The budget applied for the defending stage

Slide 21: Verbal Notation - QoS
Y: The total attack events
(symbol lost): Loading of each core node k, where k ∈ C
(symbol lost): Link utilization of each link m, where m ∈ L
K_effect: Negative effect caused by applying fallacious signatures
I_effect: Negative effect caused by applying dynamic topology reconfiguration
J_effect: Negative effect caused by false positives while applying local defense
P_effect: Negative effect caused by fallacious diagnosis of the cloud security service
O_tocore: The number of hops legitimate users experience from one boundary node to the core nodes
(symbol lost): The value of QoS, determined by the core node loading, the link utilization, K_effect, I_effect, J_effect and O_tocore, where k ∈ C, m ∈ L
W_threshold: The predefined threshold on QoS
W_final: The QoS level at the end of the attack

Slide 22: Verbal Notation - Risk Level
(symbol lost): The defense resource of the shortest path from detected attacked nodes to core node k divided by the total defense resource, where k ∈ C
(symbol lost): The minimum number of hops from detected attacked nodes to core node k divided by the maximum number of hops from the attackers' starting positions to core node k, where k ∈ C
(symbol lost): The link degree of core node k divided by the maximum link degree among all nodes in the topology, where k ∈ C
(symbol lost): The priority of service i provided by core node k divided by the maximum service priority among core nodes in the topology, where i ∈ S, k ∈ C
(symbol lost): The risk status of core node k, which is the aggregation of the four ratios above, where i ∈ S, k ∈ C
(symbol lost): The risk threshold of core node k, where k ∈ C
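As an added worked example (not from the slides), the four ratios of the risk level notation on slide 22 computed over a small constructed topology; the aggregation into a risk status and its weights are assumptions, since the slide only says the status aggregates the four ratios:

```python
from collections import deque

# Constructed example topology (not from the slides): undirected adjacency, general
# defense resource n_k per node, and the priority of the service each core node provides.
ADJ = {
    "b1": ["m1", "m2"], "b2": ["m2"],
    "m1": ["b1", "c1", "m3"], "m2": ["b1", "b2", "m3"],
    "m3": ["m1", "m2", "c1", "c2"], "c1": ["m1", "m3"], "c2": ["m3"],
}
DEFENSE = {"b1": 1, "b2": 1, "m1": 3, "m2": 2, "m3": 4, "c1": 6, "c2": 5}
CORE_PRIORITY = {"c1": 3, "c2": 5}  # service weight set by the defender

def shortest_path(src, dst):
    """Hop-shortest path src..dst found by BFS, as a list of nodes (None if unreachable)."""
    prev, queue = {src: None}, deque([src])
    while queue:
        u = queue.popleft()
        if u == dst:
            path = []
            while u is not None:
                path.append(u)
                u = prev[u]
            return path[::-1]
        for v in ADJ[u]:
            if v not in prev:
                prev[v] = u
                queue.append(v)
    return None

def risk_ratios(attacked, starts, core):
    """The four ratios of the risk level notation for core node `core`, each in [0, 1]."""
    best = min((shortest_path(a, core) for a in attacked), key=len)
    # 1. defense resource on the shortest detected-attacked-node -> core path / total resource
    res = sum(DEFENSE[n] for n in best) / sum(DEFENSE.values())
    # 2. min hops from detected attacked nodes / max hops from the attackers' starting positions
    hops = (len(best) - 1) / max(len(shortest_path(s, core)) - 1 for s in starts)
    # 3. link degree of the core node / maximum link degree in the topology
    deg = len(ADJ[core]) / max(len(nbrs) for nbrs in ADJ.values())
    # 4. priority of the core node's service / maximum priority among core nodes
    pri = CORE_PRIORITY[core] / max(CORE_PRIORITY.values())
    return res, hops, deg, pri

def risk_status(attacked, starts, core, weights=(0.25, 0.25, 0.25, 0.25)):
    """Aggregate into the core node's risk status. The slide leaves the aggregation open;
    here (an assumption) a weighted sum is used, with the resource and hop ratios inverted
    so that less remaining protection yields a higher risk value."""
    res, hops, deg, pri = risk_ratios(attacked, starts, core)
    w1, w2, w3, w4 = weights
    return w1 * (1 - res) + w2 * (1 - hops) + w3 * deg + w4 * pri
```

Comparing risk_status against the core node's risk threshold gives the check behind the verbal constraint that defense strategies are adopted only while the risk level stays below the threshold.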

Slide 23: Objective Function (IP 1)
(formula lost in extraction; speaker notes: the objective is taken over the attack configuration vector A and the defense configuration vector D, per commander and service)

Slide 24: Math Constraints - Budget
- B_nodelink ≥ 0
- B_general ≥ 0
- B_special ≥ 0
- B_defending ≥ 0
(this slide carries labels IP 1.1 to IP 1.6; not all formulas survived extraction)

Slide 25: Math Constraints - Topology construction
- q_kl ≥ 0
- g(q_kl) ≥ 0
- w · e ≥ 0
- Speaker notes: intermediate node total cost + core node total cost + link total cost ≤ budget for nodes and links
(labels IP 1.7 to IP 1.10)

Slide 26: Math Constraints - General defense resource and cloud security agent
- n_k ≥ 0
- x_k = 0 or 1
- Speaker notes: total GDR cost ≤ budget for GDR; total cloud agent cost ≤ its budget
(labels IP 1.11 to IP 1.14)

Slide 27: Math Constraints - Virtualization
- v(l_p) ≥ 0
- 0 < l_p < k_p
- Speaker notes: VMM cost + VM cost ≤ budget for virtualization
- B_virtualization + B_cloudagent ≤ B_special (SDR budget)
- B_nodelink + B_general + B_special + B_defending ≤ B (defender's total budget)
(labels IP 1.15 to IP 1.19)

Slide 28: Verbal Constraints
- The performance reduction caused by compromised core nodes, or by activating dynamic topology reconfiguration, local defense or cloud security, or by applying a fallacious signature, should not make legitimate users' QoS satisfaction violate IP 1.20.
- At the end of an attack, W_final ≥ W_threshold.
- All the defense strategies are adopted only if the risk levels are lower than a predefined threshold.
(labels IP 1.20 to IP 1.22)

Slide 29: QoS Constraint (IP 1.23)
Figure (residue): QoS versus attack event

Slide 30: Thanks For Your Attention

Backup slides

Slide 31: Period
N: The total number of nodes in the defense network
F: The total number of nodes which are compromised in the defense network

Slide 32: Selecting Criteria

Slide 33: No. of Attackers
M: Number of selected candidates
Success Rate (SR) = Risk Avoidance Compromised / Risk Avoidance Attacks