‧ 指導教授：林永松博士

‧指導教授：林永松博士

【 Master Thesis 】 Oral Examination

A Near-Optimal Redundancy Allocation Policy to Minimize System Vulnerability against Hazardous Events and Malicious Attacks

考量危害事件與惡意攻擊下系統脆弱度最小化之近似最佳化冗餘配置策略

‧研究生：江坤道

國立台灣大學‧資訊管理研究所碩士論文口試審查

2

Outline

Introduction Problem Description & Formulation Solution Approach Computational Experiments Conclusion & Future Work

3

Outline

Introduction Background Motivation

Introduction Problem Solution Experiments Conclusion

4

Background

We are in an environment where hazardous events occur frequently and malicious attacks emerge in an endless stream. Hazardous events

Natural disasters Man-made

Modern organizations have become increasingly reliant on information technology.


5

CSI/FBI 2006 Computer Crime and Security Survey 2006: 313 respondentsSource: Computer Security Institute

Total losses for 2006 = $52,494,290

6

Motivation

How to develop a solid redundancy allocation policy which supports continuous services.

Related researches considering hazardous events and targeted malicious attacks at the same time are scant.


7

Outline

Problem Description Formulation

RAPMA Model ARS Model


Redundancy Allocation Problem considering Malicious AttacksAttacking Redundancy Strategy

8

Description


Uncompromised Node (Primary)

Attacked Node (Primary)

Compromised Node (Primary)

Secondary Component

Attacked Secondary Component

Non-attacked Secondary Component

Unreachable Link

Reachable Link

Link upon the Attack Tree

Objective: maximize the vulnerability of the network when hazardous events occurring.

9

Description

Two scenarios in the real world Software

Malicious attacks: manipulation of configuration files Hazardous events: power cut incurred by natural disasters

Hardware Malicious attacks: malicious program making CPU overheated Hazardous events: breakdown of air conditioner in the server room


10

Description

Two antithesis metrics Vulnerability of the network

Total node vulnerability Node vulnerability = Total

component vulnerability

The network is compromised if

no component is functional. Survivability of the network

(1 - Vulnerability of the network)


network node

all nodes

v v

node componentselected components

v v

11

Description

Assumptions1. The attacker’s objective is to maximize the total

vulnerability of the network against hazardous events.

2. The defender’s objective is to minimize the total vulnerability by redundancy allocation.

3. Both attacker and defender have complete information about the network topology.

4. Both attacker and defender have resource budget limitations.

5. Only node attack is considered.

6. Only malicious attacks are considered.


12

Description

7. Only AS-level networks are considered.8. A node is only subject to attack if a path exists from

attacker’s position to that node, and all the intermediate nodes on the path have been compromised.

9. “A node is compromised” if and only if the primary component deployed to it is compromised by allocating more attack power than the minimum level.

10. Failures of individual components are independent.11. All redundant components are in a hot-standby state.12. All redundant components which are compromised by

attacker are never repaired or detected.


13

Description

Given1. Defense resource budget B.2. Attack resource budge A.3. The minimum attack power required to compromise a

component.4. Attacker’s position s, which is connected to the target

network5. The network topology and the network size6. The estimated probability of hazardous event d occurring7. All available redundant components for node i to support

operating function and provide failure tolerance.


14

Description

Objective For attacker, to maximize the vulnerability against hazardous events. For defender, to minimize the maximized vulnerability against

hazardous events.

Subject to The total defense cost must be no more than B. The total attack cost most be no more than A. The node to be attacked must be connected to the existing attack tree.

To determine Defender: redundancy allocation policy. Attacker: which nodes to attack, and attack power.


15

Formulation


Decision Variables

im 1 if redundant component m for node i is selected as primary to support

operating function; 0 otherwise, where irmNi ,

im 1 if redundant component m for node i is selected as secondary one to provide

failure tolerance; 0 otherwise, where irmNi ,

gim Attack power applied to redundant component m for node i, where irN,mi

yi 1 if node i is compromised, that is, the attack power allocated to the primary

component is greater than the threshold, imim ca ; 0 otherwise, where Ni

xp 1 if path p is selected as attack path; 0 otherwise, where WwPp w ,

fimd(gim) The vulnerability of redundant component m for node i against events d, where

10 ,gfD,d,rmN,i imimdi

16

Formulation (RAPMA)


Objective function

Dd Ni rmimimdd

gi

imim

imimim

gfp

11maxmin

, (IP 1)

Subject to

iWw Pp

pip yNxw

1

Ni (IP 1.1)

iPp

p yxw

iswNi ,, (IP 1.2)

1 wPp

px Ww (IP 1.3)

irm imim

imim ycg

g

i

ˆ

Ni (IP 1.4)

“A node is compromised” if and only if the primary component deployed to it is compromised by allocating more attack power than the minimum level.

17

Formulation (RAPMA)


10 or xp WwPp w , (IP 1.5)

10 or yi Ni (IP 1.6)

10 or im irmNi , (IP 1.7)

10 or βim irmNi , (IP 1.8)

18

Formulation (RAPMA)


1 imim irmNi , (IP 1.9)

1 irm

im Ni (IP 1.10)

irm

im leveli

Ni (IP 1.11)

Bcirm

imimim

0 Ni (IP 1.12)

BcNi rm

imimim

i

(IP 1.13)

i

imi N m r

g A

(IP 1.14)

ˆ0 im im img g c irN, mi (IP 1.15)

19

Formulation (ARS)


Objective function

Dd Ni rmimimdd

g

Dd Ni rmimimdd

gIP

i

imim

im

i

imim

im

gfp

gfpZ

11min

11max2

(IP 2)

Subject to

iWw Pp

pip yNxw

1

Ni (IP 2.1)

iPp

p yxw

iswNi ,, (IP 2.2)

1 wPp

px Ww (IP 2.3)

irm imim

imim ycg

g

i

ˆ

Ni (IP 2.4)

20

Formulation (ARS)


10 or xp WwPp w , (IP 2.5)

10 or yi Ni (IP 2.6)

AgNi rm

im

i

(IP 2.7)

Ag im 0 irN, mi (IP 2.8)

21

Outline

Solution Solution Approach Lagrangean Relaxation Approach to ARS Model Approach to RAPMA Model


22

Solution Approach

Lagrangean relaxation is applied to the ARS model. Attacking strategy

Attack power Target components

Defender adjusts redundancy allocation according to the attacking strategy to satisfy RAPMA model. Redundancy allocation policy

Components

23

Lagrangean Relaxation

Primal Problem

Lagrangean Relaxation Problem

Subproblem Subproblem

LagrangeanDual Problem

Upper Bound

Lower Bound

Adjust Lagrangean Multipliers

‧‧‧‧‧‧‧

LB Optimal Objective Function Value UB


24

Approach to ARS Model


‧ Related to Xp (Attack Tree) ‧ Time Complexity: O(|N|2), where N is the number of nodes.

Subproblem 1

‧ Related to yi (Target) ‧ Time Complexity: O(|N|), where N is the number of nodes.

Subproblem 2

‧ Related to gim (Attack Power) ‧ Time Complexity: O(A|C|2), where C is the number of components, A is total attack power.

Subproblem 3

25

Approach to ARS Model


Step 1: Utilize the attack policy derived from Sub- problem 1 as the initial solution. Step 2: If the attack tree is available, go to Step 4, otherwise, go to Step 3.Step 3: “Recycle” the wasted attack power, which is allocated to the leaf node, and re-allocate the recycled power to the uncompromised nodes according to the associated weight, . . Go to Step 2.

Step 4: Allocate residual power to reachable components according to its side effect.

Getting Primal Feasible Solution

w

p pii N w W p P

x

W=5

W=2

W=1

W=1

W=1

26

Approach to RAPMA Model


Step 1: Sort the nodes according to the associated weight, , in descending order. Step 2: If the node is survival, degrade and recycle allocated defense resources; otherwise, upgrade its protection level.Step 3: Allocate residual resources to secondary components according to its side effect.Step 4: A practical redundancy allocation policy is found.

Redundancy Allocation Policy

W=5

W=2

W=1

W=1

W=1w

p pii N w W p P

x

W=0

W=0

27

Outline

Experiments Environment Simple Algorithm Result


28

Environment (Scalability of ARS)


Parameters Value

Test Topology

‧ Grid network

‧ Random network

‧ Cellular Network

Scale

Number of nodes Number of components

16 (Small) 16 * 5 = 80

64 (Medium) 64 * 5 = 320

196 (Large) 196 * 5 = 980

Simple Algorithms ‧ Minimum cost spanning tree (SA1)

‧ Greedy-based algorithm (SA2)

29

Environment (Applicability of ARS)


Parameters Value

Test Topology

‧ Grid network

‧ Random network

‧ Tree network

‧ Ring network

‧ Star network


ScaleNumber of nodes Number of components

49 49 * 5 = 245

Simple Algorithms ‧ Minimum cost spanning tree (SA1)

‧ Greedy-based algorithm (SA2)

30

Environment (Scalability of RAPMA)


Parameters Value

Test Topology

‧ Grid network

‧ Random network


Scale

Number of nodes Number of components

16 (Small) 16 * 5 = 80

64 (Medium) 64 * 5 = 320

196 (Large) 196 * 5 = 980

Budgets Reallocation ‧ Uniform Budget Allocation (B1)

‧ Damage-based Budge Allocation (B2)

31

Environment (Applicability of RAPMA)


Parameters Value

Test Topology

‧ Grid network

‧ Random network

‧ Tree network

‧ Ring network

‧ Star network


ScaleNumber of nodes Number of components

49 49 * 5 = 245

Budgets Reallocation ‧ Uniform Budget Allocation (B1)

‧ Damage-based Budge Allocation (B2)

32

Simple Algorithm

Minimum cost spanning tree (SA1) Applying prim’s algorithm to construct the attack tree Edge weight: Similar to DFS algorithm


1

min(number of hops from attacker)

1

1

1/2

1/2 1/3

1/4

1/4

1/2

1/3

1/2

33

Simple Algorithm

Greedy-based algorithm (SA2) Hill climbing Using only local information to obtain local optimal

solution


34

Result (Scalability of ARS)


Test Topology: Grid Network

ScaleARS SA1 SA2

Vulnerability GAP MPI MPI

Small 0.15157984 0.82% 1.26% 12.86%

Medium 0.16621758 1.71% 8.17% 15.45%

Large 0.17754317 4.58% 4.12% 17.67%

Test Topology: Cellular Network

ScaleARS SA1 SA2


Small 0.21771277 0.74% 2.56% 18.94%

Medium 0.19572636 1.97% 9.34% 19.25%

Large 0.18656719 5.27% 8.1% 18.11%

%1001

SA

SAARS

V

VVMPI %100

,min

LBUB

LBUBGAP

35



Test Topology: Random Network

ScaleARS SA1 SA2


Small 0.26587439 1.12% 5.24% 15. 62%

Medium 0.28546145 2.36% 12.63% 25.29%

Large 0.28886455 9.62% 14.28% 26.45%

36



00.05

0.10.150.2

0.25

0.30.35

G C R G C R G C R

Small Medium Large

Vul

nera

bilit

y

ARS

SA1

SA2

37

Result (Applicability of ARS)


00.1

0.20.30.40.5

0.60.7

Grid Cellular Tree Ring Star Random

Network Topology

Vul

nera

bilit

y

ARS

SA1

SA2

38

Result (Scalability of RAPMA)


Test Topology: Grid Network

ScaleRAPMA B1 B2

Survivability MPI MPI

Small 0.87213465 63.22% 35.18%

Medium 0.86542113 63.34% 23.11%

Large 0.86352289 64.56% 6.02%

Test Topology: Cellular Network

ScaleRAPMA B1 B2


Small 0.85228767 60.62% 28.69%

Medium 0.85344421 58.15% 26.60%

Large 0.83328114 61.38% 11.63%

39



Test Topology: Random Network

ScaleRAPMA B1 B2


Small 0.85228767 60.62% 28.69%

Medium 0.85344421 58.15% 26.60%

Large 0.83328114 61.38% 11.63%

40


0

0.2

0.4

0.6

0.8

1

G C R G C R G C R

Small Medium Large

Surv

ivab

ility

RAPMA

B1

B2

41

Result (Applicability of RAPMA)

0

0.2

0.4

0.6

0.8

1

Grid Cellular Tree Ring Star Random

Network Topology

Surv

ivab

ility

RAPMA

B1

B2

42

Outline

Conclusion Conclusion Contribution Future Work


43

Conclusion

A practical approach is proposed to effectively solve RAP; therefore, continuous service can be realized.

As a whole, a network with higher average degree is more robust.

Defense-in-depths might be the best strategy in designing a robust network.


44

Contribution

We propose a more robust framework which assists organization in providing continuous service via redundant allocation.

From our survey of literature, we might be the pioneer to consider malicious attacks and hazardous events at the same time.

Besides, RAP is extended to the realm of network management.


45

Future Work

Hazardous events occurred round by round. The sequential hazardous events can be extended to

multiple rounds. Hazardous events occurred prior to targeted

malicious attacks. Issue: how to determine which nodes will survive after the

occurrence of hazardous events, such as fire, flood, and blizzard.


46

Thanks for your listening

‧ 指導教授：林永松 博士

Documents

‧ 指導教授：林永松博士