【Master Thesis】 Oral Examination
A Near-Optimal Redundancy Allocation Policy to Minimize System Vulnerability against Hazardous Events and Malicious Attacks
考量危害事件與惡意攻擊下系統脆弱度最小化之近似最佳化冗餘配置策略
‧ Advisor: Dr. 林永松
‧ Graduate student: 江坤道
National Taiwan University ‧ Graduate Institute of Information Management, Master's Thesis Oral Examination
Outline
‧ Introduction
‧ Problem Description & Formulation
‧ Solution Approach
‧ Computational Experiments
‧ Conclusion & Future Work
Outline
‧ Introduction
  ‧ Background
  ‧ Motivation
Background
‧ We are in an environment where hazardous events occur frequently and malicious attacks emerge in an endless stream.
‧ Hazardous events
  ‧ Natural disasters
  ‧ Man-made
‧ Modern organizations have become increasingly reliant on information technology.
CSI/FBI 2006 Computer Crime and Security Survey
‧ 2006: 313 respondents
‧ Source: Computer Security Institute
‧ Total losses for 2006 = $52,494,290
Motivation
‧ How to develop a solid redundancy allocation policy which supports continuous services.
‧ Related research that considers hazardous events and targeted malicious attacks at the same time is scant.
Outline
‧ Problem
  ‧ Description
  ‧ Formulation
    ‧ RAPMA Model (Redundancy Allocation Problem considering Malicious Attacks)
    ‧ ARS Model (Attacking Redundancy Strategy)
Description
[Figure: example network under attack. Legend: Uncompromised Node (Primary); Attacked Node (Primary); Compromised Node (Primary); Secondary Component; Attacked Secondary Component; Non-attacked Secondary Component; Unreachable Link; Reachable Link; Link upon the Attack Tree]
Objective: maximize the vulnerability of the network when hazardous events occur.
Description
Two scenarios in the real world
‧ Software
  ‧ Malicious attacks: manipulation of configuration files
  ‧ Hazardous events: power cut incurred by natural disasters
‧ Hardware
  ‧ Malicious attacks: malicious program making CPU overheated
  ‧ Hazardous events: breakdown of air conditioner in the server room
Description
Two antithetical metrics
‧ Vulnerability of the network
  ‧ Total node vulnerability: v_network, taken over all nodes, of v_node
  ‧ Node vulnerability = Total component vulnerability: v_node, taken over the selected components, of v_component
  ‧ The network is compromised if no component is functional.
‧ Survivability of the network
  ‧ (1 - Vulnerability of the network)
Description
Assumptions
1. The attacker's objective is to maximize the total vulnerability of the network against hazardous events.
2. The defender's objective is to minimize the total vulnerability by redundancy allocation.
3. Both attacker and defender have complete information about the network topology.
4. Both attacker and defender have resource budget limitations.
5. Only node attack is considered.
6. Only malicious attacks are considered.
7. Only AS-level networks are considered.
8. A node is only subject to attack if a path exists from the attacker's position to that node, and all the intermediate nodes on the path have been compromised.
9. "A node is compromised" if and only if the primary component deployed to it is compromised by allocating more attack power than the minimum level.
10. Failures of individual components are independent.
11. All redundant components are in a hot-standby state.
12. All redundant components which are compromised by the attacker are never repaired or detected.
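Added example, not part of the original slides: Assumptions 8 and 9 and the attack-budget limit, evaluated for one attack-power allocation so that a defender can see which nodes fall and which become exposed next. The function name, the 6-node topology and all power values are constructed for illustration; "stranded power" is this example's own term for power placed on nodes the attacker cannot reach.

```python
from collections import deque

def evaluate_attack(adj, s, power, min_level, budget_a):
    """Apply Assumptions 8 and 9 to one attack-power allocation.

    adj        node -> list of neighbours (undirected topology)
    s          attacker's position, connected to the target network
    power      node -> attack power put on that node's primary component
    min_level  node -> minimum attack power level of the primary component
    budget_a   attack resource budget A
    Returns (compromised, exposed, stranded_power).
    """
    if sum(power.values()) > budget_a:
        raise ValueError("total attack cost exceeds budget A")

    compromised, reached = set(), set()
    queue = deque([s])
    while queue:
        u = queue.popleft()            # u is s or an already compromised node
        for v in adj[u]:
            if v == s or v in compromised:
                continue
            reached.add(v)             # Assumption 8: a compromised path leads here
            # Assumption 9: strictly more power than the minimum level
            if power.get(v, 0) > min_level[v]:
                compromised.add(v)
                queue.append(v)

    exposed = reached - compromised    # attackable, but still holding
    # Power placed on nodes the attacker can never reach has no effect.
    stranded = sum(p for n, p in power.items() if n not in reached)
    return compromised, exposed, stranded

# Constructed 6-node topology; "s" is the attacker's position.
ADJ = {"s": [1], 1: ["s", 2, 3], 2: [1, 4], 3: [1, 5],
       4: [2, 6], 5: [3, 6], 6: [4, 5]}
MIN_LEVEL = {n: 2 for n in range(1, 7)}
POWER = {1: 3, 2: 3, 3: 2, 4: 1, 6: 5}   # node 6 is funded but cut off

if __name__ == "__main__":
    done, frontier, stranded = evaluate_attack(ADJ, "s", POWER, MIN_LEVEL, 15)
    print("compromised:", sorted(done))
    print("exposed, uncompromised:", sorted(frontier))
    print("stranded attack power:", stranded)
```

Node 3 receives exactly the minimum level and therefore holds, which is the strict inequality in Assumption 9.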
Description
Given
1. Defense resource budget B.
2. Attack resource budget A.
3. The minimum attack power required to compromise a component.
4. Attacker's position s, which is connected to the target network.
5. The network topology and the network size.
6. The estimated probability of hazardous event d occurring.
7. All available redundant components for node i to support operating function and provide failure tolerance.
Description
Objective
‧ For attacker, to maximize the vulnerability against hazardous events.
‧ For defender, to minimize the maximized vulnerability against hazardous events.
Subject to
‧ The total defense cost must be no more than B.
‧ The total attack cost must be no more than A.
‧ The node to be attacked must be connected to the existing attack tree.
To determine
‧ Defender: redundancy allocation policy.
‧ Attacker: which nodes to attack, and attack power.
Formulation
Decision Variables
im 1 if redundant component m for node i is selected as primary to support
operating function; 0 otherwise, where irmNi ,
im 1 if redundant component m for node i is selected as secondary one to provide
failure tolerance; 0 otherwise, where irmNi ,
gim Attack power applied to redundant component m for node i, where irN,mi
yi 1 if node i is compromised, that is, the attack power allocated to the primary
component is greater than the threshold, imim ca ; 0 otherwise, where Ni
xp 1 if path p is selected as attack path; 0 otherwise, where WwPp w ,
fimd(gim) The vulnerability of redundant component m for node i against events d, where
10 ,gfD,d,rmN,i imimdi
Formulation (RAPMA)
Objective function
Dd Ni rmimimdd
gi
imim
imimim
gfp
11maxmin
, (IP 1)
Subject to
iWw Pp
pip yNxw
1
Ni (IP 1.1)
iPp
p yxw
iswNi ,, (IP 1.2)
1 wPp
px Ww (IP 1.3)
irm imim
imim ycg
g
i
ˆ
Ni (IP 1.4)
“A node is compromised” if and only if the primary component deployed to it is compromised by allocating more attack power than the minimum level.
Formulation (RAPMA)
10 or xp WwPp w , (IP 1.5)
10 or yi Ni (IP 1.6)
10 or im irmNi , (IP 1.7)
10 or βim irmNi , (IP 1.8)
Formulation (RAPMA)
1 imim irmNi , (IP 1.9)
1 irm
im Ni (IP 1.10)
irm
im leveli
Ni (IP 1.11)
Bcirm
imimim
0 Ni (IP 1.12)
BcNi rm
imimim
i
(IP 1.13)
i
imi N m r
g A
(IP 1.14)
ˆ0 im im img g c irN, mi (IP 1.15)
Formulation (ARS)
Objective function
Dd Ni rmimimdd
g
Dd Ni rmimimdd
gIP
i
imim
im
i
imim
im
gfp
gfpZ
11min
11max2
(IP 2)
Subject to
iWw Pp
pip yNxw
1
Ni (IP 2.1)
iPp
p yxw
iswNi ,, (IP 2.2)
1 wPp
px Ww (IP 2.3)
irm imim
imim ycg
g
i
ˆ
Ni (IP 2.4)
Formulation (ARS)
10 or xp WwPp w , (IP 2.5)
10 or yi Ni (IP 2.6)
AgNi rm
im
i
(IP 2.7)
Ag im 0 irN, mi (IP 2.8)
Outline
‧ Solution
  ‧ Solution Approach
  ‧ Lagrangean Relaxation
  ‧ Approach to ARS Model
  ‧ Approach to RAPMA Model
Solution Approach
‧ Lagrangean relaxation is applied to the ARS model.
  ‧ Attacking strategy
    ‧ Attack power
    ‧ Target components
‧ Defender adjusts redundancy allocation according to the attacking strategy to satisfy the RAPMA model.
  ‧ Redundancy allocation policy
    ‧ Components
Lagrangean Relaxation
[Figure: Lagrangean relaxation procedure. Boxes: Primal Problem; Lagrangean Relaxation Problem; Subproblem ... Subproblem; Lagrangean Dual Problem; Upper Bound; Lower Bound; Adjust Lagrangean Multipliers. Number line: LB, Optimal Objective Function Value, UB]
Approach to ARS Model
Subproblem 1
‧ Related to x_p (Attack Tree)
‧ Time Complexity: O(|N|^2), where N is the number of nodes.
Subproblem 2
‧ Related to y_i (Target)
‧ Time Complexity: O(|N|), where N is the number of nodes.
Subproblem 3
‧ Related to g_im (Attack Power)
‧ Time Complexity: O(A|C|^2), where C is the number of components, A is total attack power.
Approach to ARS Model
Getting Primal Feasible Solution
Step 1: Utilize the attack policy derived from Subproblem 1 as the initial solution.
Step 2: If the attack tree is available, go to Step 4; otherwise, go to Step 3.
Step 3: "Recycle" the wasted attack power, which is allocated to the leaf node, and re-allocate the recycled power to the uncompromised nodes according to the associated weight. Go to Step 2.
Step 4: Allocate residual power to reachable components according to their side effect.
w
p pii N w W p P
x
[Figure: example network with node weights W=5, W=2, W=1, W=1, W=1]
Approach to RAPMA Model
Redundancy Allocation Policy
Step 1: Sort the nodes according to the associated weight in descending order.
Step 2: If the node survives, degrade and recycle the allocated defense resources; otherwise, upgrade its protection level.
Step 3: Allocate residual resources to secondary components according to their side effect.
Step 4: A practical redundancy allocation policy is found.
[Figure: example network with node weights W=5, W=2, W=1, W=1, W=1, W=0, W=0]
w
p pii N w W p P
x
Outline
‧ Experiments
  ‧ Environment
  ‧ Simple Algorithm
  ‧ Result
Environment (Scalability of ARS)
Parameters           Value
Test Topology        ‧ Grid network
                     ‧ Random network
                     ‧ Cellular network
Scale                Number of nodes    Number of components
                     16 (Small)         16 * 5 = 80
                     64 (Medium)        64 * 5 = 320
                     196 (Large)        196 * 5 = 980
Simple Algorithms    ‧ Minimum cost spanning tree (SA1)
                     ‧ Greedy-based algorithm (SA2)
Environment (Applicability of ARS)
Parameters           Value
Test Topology        ‧ Grid network
                     ‧ Random network
                     ‧ Tree network
                     ‧ Ring network
                     ‧ Star network
                     ‧ Cellular network
Scale                Number of nodes    Number of components
                     49                 49 * 5 = 245
Simple Algorithms    ‧ Minimum cost spanning tree (SA1)
                     ‧ Greedy-based algorithm (SA2)
Environment (Scalability of RAPMA)
Parameters              Value
Test Topology           ‧ Grid network
                        ‧ Random network
                        ‧ Cellular network
Scale                   Number of nodes    Number of components
                        16 (Small)         16 * 5 = 80
                        64 (Medium)        64 * 5 = 320
                        196 (Large)        196 * 5 = 980
Budgets Reallocation    ‧ Uniform Budget Allocation (B1)
                        ‧ Damage-based Budget Allocation (B2)
Environment (Applicability of RAPMA)
Parameters              Value
Test Topology           ‧ Grid network
                        ‧ Random network
                        ‧ Tree network
                        ‧ Ring network
                        ‧ Star network
                        ‧ Cellular network
Scale                   Number of nodes    Number of components
                        49                 49 * 5 = 245
Budgets Reallocation    ‧ Uniform Budget Allocation (B1)
                        ‧ Damage-based Budget Allocation (B2)
Simple Algorithm
‧ Minimum cost spanning tree (SA1)
  ‧ Applying Prim's algorithm to construct the attack tree
  ‧ Edge weight: 1 / min(number of hops from attacker)
  ‧ Similar to DFS algorithm
[Figure: example network with edge weights 1, 1, 1/2, 1/2, 1/3, 1/4, 1/4, 1/2, 1/3, 1/2]
Simple Algorithm
‧ Greedy-based algorithm (SA2)
  ‧ Hill climbing
  ‧ Using only local information to obtain local optimal solution
Result (Scalability of ARS)
Test Topology: Grid Network
Scale     ARS Vulnerability    ARS GAP    SA1 MPI    SA2 MPI
Small     0.15157984           0.82%      1.26%      12.86%
Medium    0.16621758           1.71%      8.17%      15.45%
Large     0.17754317           4.58%      4.12%      17.67%
Test Topology: Cellular Network
Scale     ARS Vulnerability    ARS GAP    SA1 MPI    SA2 MPI
Small     0.21771277           0.74%      2.56%      18.94%
Medium    0.19572636           1.97%      9.34%      19.25%
Large     0.18656719           5.27%      8.1%       18.11%
%1001
SA
SAARS
V
VVMPI %100
,min
LBUB
LBUBGAP
Result (Scalability of ARS)
Test Topology: Random Network
Scale     ARS Vulnerability    ARS GAP    SA1 MPI    SA2 MPI
Small     0.26587439           1.12%      5.24%      15.62%
Medium    0.28546145           2.36%      12.63%     25.29%
Large     0.28886455           9.62%      14.28%     26.45%
Result (Scalability of ARS)
[Figure: bar chart of Vulnerability (axis 0 to 0.35) for ARS, SA1 and SA2 on the Grid (G), Cellular (C) and Random (R) topologies at Small, Medium and Large scale]
Result (Applicability of ARS)
[Figure: bar chart of Vulnerability (axis 0 to 0.7) for ARS, SA1 and SA2 by Network Topology: Grid, Cellular, Tree, Ring, Star, Random]
Result (Scalability of RAPMA)
Test Topology: Grid Network
Scale     RAPMA Survivability    B1 MPI    B2 MPI
Small     0.87213465             63.22%    35.18%
Medium    0.86542113             63.34%    23.11%
Large     0.86352289             64.56%    6.02%
Test Topology: Cellular Network
Scale     RAPMA Survivability    B1 MPI    B2 MPI
Small     0.85228767             60.62%    28.69%
Medium    0.85344421             58.15%    26.60%
Large     0.83328114             61.38%    11.63%
Result (Scalability of RAPMA)
Test Topology: Random Network
Scale     RAPMA Survivability    B1 MPI    B2 MPI
Small     0.85228767             60.62%    28.69%
Medium    0.85344421             58.15%    26.60%
Large     0.83328114             61.38%    11.63%
Result (Scalability of RAPMA)
[Figure: bar chart of Survivability (axis 0 to 1) for RAPMA, B1 and B2 on the Grid (G), Cellular (C) and Random (R) topologies at Small, Medium and Large scale]
Result (Applicability of RAPMA)
[Figure: bar chart of Survivability (axis 0 to 1) for RAPMA, B1 and B2 by Network Topology: Grid, Cellular, Tree, Ring, Star, Random]
Outline
‧ Conclusion
  ‧ Conclusion
  ‧ Contribution
  ‧ Future Work
Conclusion
‧ A practical approach is proposed to effectively solve RAP; therefore, continuous service can be realized.
‧ As a whole, a network with higher average degree is more robust.
‧ Defense-in-depth might be the best strategy in designing a robust network.
Contribution
‧ We propose a more robust framework which assists organizations in providing continuous service via redundancy allocation.
‧ From our survey of the literature, we might be the pioneers in considering malicious attacks and hazardous events at the same time.
‧ Besides, RAP is extended to the realm of network management.
Future Work
‧ Hazardous events occur round by round.
  ‧ The sequential hazardous events can be extended to multiple rounds.
‧ Hazardous events occur prior to targeted malicious attacks.
  ‧ Issue: how to determine which nodes will survive after the occurrence of hazardous events, such as fire, flood, and blizzard.
Thank you for listening