advisor: yeong-sung lin presented by i-ju shih


Upload: idalia

Post on 22-Feb-2016


DESCRIPTION

Defender Message Strategies to Maximize Network Survivability for Multi-Stage Defense Resource Allocation under Incomplete Information. Advisor: Yeong-Sung Lin. Presented by I-Ju Shih. Agenda: Problem Description; Problem Formulation.

TRANSCRIPT

Defending simple series and parallel systems with imperfect false targets (R. Peng, G. Levitin, M. Xie, S.H. Ng)

Advisor: Yeong-Sung Lin. Presented by I-Ju Shih.

2011/11/29

Defender Message Strategies to Maximize Network Survivability for Multi-Stage Defense Resource Allocation under Incomplete Information

Agenda: Problem Description; Problem Formulation

Problem Description

Defender versus Attacker: defender's information

1. Common knowledge: the information was known to both.
2. Defender's private information (e.g. node type and network topology): the defender knew all of it; the attacker knew a part of it.
3. The defender's other information (e.g. system vulnerabilities): the defender did not know it before the game started; the attacker knew a part of it.

Defender versus Attacker: budget

1. Based on the importance of a node. Defender: defense. Attacker: attack.
2. On each node. Defender: releasing a message. Attacker: updating information.
3. Reallocated or recycled. Defender: yes, but at extra cost. Attacker: no.
4. Reward. Defender: no. Attacker: yes; if the attacker compromised a node, the node's resources could be controlled by the attacker until the defender repaired it.
5. Repaired node. Defender: yes. Attacker: no.
6. Resource accumulation. Defender: yes, but the accumulated resource was discounted.

Defender versus Attacker: immune benefit and rationality

Immune benefit. Defender: yes; the defender could update information about system vulnerabilities after attacks, or do penetration tests to patch system vulnerabilities. Attacker: no.
Rationality. Defender: full or bounded rationality. Attacker: full or bounded rationality.

Objective

The network survivability is measured by ADOD. The game has two players: an attacker (he, A) and a defender (she, D).
Defender. Objective: minimize the damage to the network (ADOD). Budget constraint: deploying the defense budget on nodes, repairing compromised nodes, releasing messages on nodes, patching system vulnerabilities.
Attacker. Objective: maximize the damage to the network (ADOD). Budget constraint: deploying the attack budget on nodes, updating information.

Defender's information

The defender had private information, including each node's type and the network topology. There were two types of nodes (lower or higher valuation), and each node's prior belief in the first round was common knowledge.

The attack success probability of node i = (the probability that node i belongs to type 1) × (the attack success probability of node i given type 1) + (the probability that node i belongs to type 2) × (the attack success probability of node i given type 2).

Defender's action

In each round the defender moves first, determines her strategy and chooses a message for each node, which may be truth, secrecy, deception, or doing nothing at all.

Message releasing

Message releasing could be classified into two situations. First, a node's information could be divided into different parts, and the defender could release a message about each part. Second, the defender could release a node's defensive state as a message to the attacker.

Message releasing, type 1

The defender could choose a part of a node's information, according to her strategy, and release it as a truthful message, a deceptive message or secrecy, or do nothing at all.

Message releasing, type 2

The defender released a node's defensive state as a message, which was truth, deception, secrecy or doing nothing at all, to each node as a mixed strategy.

Message releasing

The defender chooses among four messages, whose cost is ordered: deceptive message > secrecy > truthful message > doing nothing at all.

1. Doing nothing at all if and only if she does not publicize the information/defense.
2. Truthful message if and only if the public message = the actual information/defense.
3. Secrecy if and only if the message is secret.
4. Deceptive message if and only if the public message differs from the actual information/defense.

The effect of deception/secrecy

The effect of deception or secrecy would be discounted if the attacker knew part of the defender's private information.

The effect of deception/secrecy

The effect of deception or secrecy would be zero if the attacker knew something that the defender did not know.

Immune benefit

Although the attacker knew something that the defender did not know, the defender could update her information after observing the result of each round's contest, or spend resources on penetration testing to patch system vulnerabilities. After the defender updated her information she had an immune benefit, meaning the attacker was unable to reuse an identical attack.

Defender's resources

From the defender's point of view, the budget could be reallocated or recycled, but a discount factor was also applied. Besides, compromised nodes could be repaired. The defender could accumulate resources to decrease the attack success probability and defend network nodes in the next round.

[Figure: defense resource on node i; the defender's resource can be recycled or reallocated.]

Attacker's information

The attacker knew only part of the network topology. The attacker could update information after observing the result of each round's contest.

Attacker's resources

The attacker could accumulate experience to increase the attack success probability and compromise network nodes in the next round. The attacker could also gain resources from compromised network nodes until the defender repaired them.

Network topology

We considered a complex system with n nodes in series-parallel. A node consisted of M components, which might be different or the same (M ≥ 1).

Network topology

A node's composition could be classified into two types: a node with a backup component, and a k-out-of-m node.

Network topology

The relationship between nodes could be classified into three types. Independence: a node could function on its own. Dependence: when a node was destroyed, the nodes dependent on it would not operate normally. Interdependence: when a node was destroyed, the node interdependent with it would not operate normally, and vice versa.
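As an added example (not code from the presentation), the following ties the slide's type-weighted attack success probability to the series-parallel, k-out-of-m topology just described: it computes a node's expected attack success probability from the attacker's prior belief over the two node types, the survival of a backup (1-out-of-2) or k-out-of-m node, and the survival of a nested series-parallel system. All function names, the sample node values and the assumption that components fail independently (no dependence or interdependence between nodes) are constructed here.

```python
from math import comb, prod


def attack_success_prob(p_type1: float, succ_type1: float, succ_type2: float) -> float:
    """Expected attack success probability of node i when the attacker only
    holds a prior belief p_type1 that the node is of type 1: the slide's
    weighted sum over the two node types."""
    return p_type1 * succ_type1 + (1.0 - p_type1) * succ_type2


def k_out_of_m_survival(k: int, m: int, p_attack_success: float) -> float:
    """Probability that a k-out-of-m node keeps working when each of its m
    components is attacked independently with success probability
    p_attack_success. A node with one backup component is the 1-out-of-2 case.
    Assumption (constructed): component outcomes are independent."""
    q = 1.0 - p_attack_success  # probability that a single component survives
    return sum(comb(m, j) * q ** j * (1.0 - q) ** (m - j) for j in range(k, m + 1))


def system_survival(structure, node_survival: dict) -> float:
    """Survival probability of a series-parallel structure.
    structure is a node name, or ('series', [...]) / ('parallel', [...]),
    nested arbitrarily; node_survival maps node name -> survival probability."""
    if isinstance(structure, str):
        return node_survival[structure]
    kind, parts = structure
    probs = [system_survival(part, node_survival) for part in parts]
    if kind == "series":  # every part must survive
        return prod(probs)
    if kind == "parallel":  # at least one part must survive
        return 1.0 - prod(1.0 - p for p in probs)
    raise ValueError(f"unknown structure kind {kind!r}")


def example_network() -> float:
    """Constructed sample: node A has a backup component (1-out-of-2) and an
    uncertain type; nodes B and C are 2-out-of-3 nodes; A is in series with the
    parallel pair (B, C). Returns the system survival probability."""
    p_a = attack_success_prob(0.3, 0.8, 0.2)  # prior 0.3 for type 1 -> 0.38
    surv = {
        "A": k_out_of_m_survival(1, 2, p_a),
        "B": k_out_of_m_survival(2, 3, 0.5),
        "C": k_out_of_m_survival(2, 3, 0.5),
    }
    return system_survival(("series", ["A", ("parallel", ["B", "C"])]), surv)


if __name__ == "__main__":
    print(f"system survival: {example_network():.4f}")
```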


Problem Formulation

Given

The total budget of the network defender. The total budget of the cyber attacker. Both the defender and the attacker have incomplete information about each other.

Objective

Minimize the maximum damage degree of the network (ADOD).

Subject to

The total budget constraint of the network defender. The total budget constraint of the cyber attacker.

To determine

The attacker: how to allocate the attack budget to each node, and whether to use the system vulnerabilities of node i to attack node i in each round.
The defender: how to allocate the defense budget and which message strategy to use for each node in each round; whether to repair a compromised node in each round; whether to patch, or use penetration testing to patch, the system vulnerabilities of each node in each round; whether to reallocate or recycle a node's resources in each round.

Given parameter

Decision variable

Objective function

Subject to

[The parameter tables, decision variables, objective function and constraint formulas on these slides were not captured in the transcript.]

Thanks for your listening.

[Figure: defender's information. Defender's private information: the attacker does not know the information, or the attacker knows part of the defender's private information. Information unknown to the defender: the attacker knows part of the information, or the attacker does not know the information. Common knowledge.]