Description: Agenda: Introduction, Solution Approach, Evaluation Process, Policy enhancement, Initial parameter configuration, Experiment on M, Summary. 2016/3/11, OP Lab @ IM, NTU
Near Optimal Defense Strategies to Minimize Attackers' Success Probabilities for Networks of Honeypots
Presented by Yu-Shun Wang
Advisor: Frank, Yeong-Sung Lin
Agenda
- Introduction
- Solution Approach
  - Evaluation Process
  - Policy enhancement
- Initial parameter configuration
- Experiment on M
- Summary
112/05/14 OP Lab @ IM, NTU
Introduction
To bring attack and defense behavior closer to the real world, this work adds some new perspectives. For instance, new technology gives defenders different kinds of solutions against malicious attackers. Therefore, this work considers not only general defense resources but also another defensive technology, the honeypot, as a deceptive tool to distract attackers.
Introduction
Defense resources come in two types: honeypot and non-honeypot.
Honeypot
The main objective of this kind of defense resource is to deceive attackers. Once attackers compromise such a system, they have wasted part of their finite budget. A honeypot therefore serves as a false target with two purposes: learning attack tactics and wasting attack resources.
Non-honeypot
This kind of defense resource is allocated to nodes in the network. Its purpose is to increase the defense capability of those nodes.
Introduction
Attackers are also classified. The classifying criteria are:
Budget level: high, medium, and low
Capability: high, medium, and low
Next hop selecting criteria: highest link utilization, lowest link utilization, lowest defense level, random attack
The combinations give 3 x 3 x 4 = 36 attacker types.
Solution Approach: Evaluation Process
Since the scenario and environment are very dynamic, the problem is hard to solve purely by mathematical programming.
Within each attacker category, although all attackers belong to the same type, there is still randomness between them.
This is caused by honeypots: if an attacker compromises a false-target honeypot, there is a probability that he believes the core node has been compromised and terminates the attack.
Therefore, whether an attack succeeds or fails is known only at the end of the evaluation run.
Solution Approach: Evaluation Process (flowchart)
1. Initial state.
2. Run the evaluation with the 36 kinds of attackers M times and record the core node compromise frequency.
3. Divide the frequency by M to obtain the average core node compromise probability.
4. Adjust the defense parameters by policy enhancement.
5. Run another evaluation M times with the adjusted defense parameters and obtain the corresponding probability.
6. Compare the result with the initial one (Yes / No branch).
7. Repeat steps 4-6 N times.
Solution Approach: Evaluation Process
Parameter generation
M (total evaluation frequency for one round): first choose an initial value, for example 10 million. Then group the results in chunks of 10 thousand and draw a diagram of the compromise frequency against the chunk number. If the diagram shows a converging trend, the value of M is treated as adequate.
N (total rounds for policy enhancement): set by a resource-constrained approach.
Solution Approach: Policy enhancement
The main concept of policy enhancement can be summarized in the following parts.
Popularity Based Strategy: this strategy focuses on the nodes that are attacked most frequently. Therefore, the total cost attackers spend on each node is the metric used in policy enhancement.
Derivative: this concept measures the marginal effectiveness of each defense resource allocation.
Solution Approach: Policy enhancement (flowchart)
By the attack cost spent on each node, the three highest and the three lowest nodes are chosen as two groups.
Highest group: Is it a honeypot?
  Yes: calculate the derivative of defense resource and link utilization with one virtual positive unit of resource.
  No: calculate the derivative of defense resource with one virtual positive unit of resource.
Lowest group: Is it a honeypot?
  Yes: calculate the derivative of defense resource and link utilization with one virtual negative unit of resource.
  No: calculate the derivative of defense resource with one virtual negative unit of resource.
Select the highest derivative from each of the two groups and move one unit of resource from the lowest group to the highest group.
Solution Approach: The relationship between evaluation process and policy enhancement
(This slide combines the two flowcharts: the policy-enhancement flowchart is the "adjust defense parameters" step inside the evaluation loop, which runs the 36 attacker kinds M times, compares the new compromise probability with the initial one, and repeats N times.)
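The evaluation loop and the policy-enhancement round, as an added example in Python; this is not the deck's own code. It assumes a small constructed network (attackers enter at node 0, the core is node 7, nodes 3 and 5 are honeypots), an attack cost of one base unit plus the node's defense level, budgets drawn uniformly inside the deck's multiples of the minimum attack cost, the deck's deceived probabilities (high capability 30%, medium 50%, low 70%), and an assumed exchange rate under which one resource unit on a honeypot may instead buy 0.1 of link utilization. The derivative for the lowest group is also taken as p0 - p, so "highest derivative" there means the removal that hurts least; a round's move is kept only when it lowers the compromise probability, which is how the Yes/No compare step is read here. All names below (LINKS, DEFENSE0, UTIL0, evaluate, enhance_round, optimise, ...) are this example's, not the deck's.

```python
"""Monte Carlo evaluation of attacker success against a honeypot network, plus derivative-based policy
enhancement. Added example, not the deck's code; the network, cost model, exchange rate and rules are assumed."""
import itertools
import random
from collections import defaultdict

# Constructed network: directed links; attackers enter at 0, the core node is 7, nodes 3 and 5 are honeypots.
LINKS = {0: [1, 2, 3], 1: [4, 5], 2: [4, 6], 3: [6], 4: [7], 5: [7], 6: [7], 7: []}
ENTRY, CORE, HONEYPOTS, CHUNK = 0, 7, {3, 5}, 100            # CHUNK: attacks per chunk (the deck uses 10,000)
DEFENSE0 = {0: 0, 1: 2, 2: 2, 3: 1, 4: 3, 5: 2, 6: 2, 7: 4}   # constructed initial defense levels
UTIL0 = {0: 0.0, 1: 0.6, 2: 0.4, 3: 0.5, 4: 0.7, 5: 0.5, 6: 0.3, 7: 0.8}  # utilization of the link into each node; honeypots 0.5 as in the deck
# Attacker taxonomy from the deck: 3 budget levels x 3 capabilities x 4 next-hop rules = 36 types.
BUDGET_RANGE = {"low": (1, 3), "medium": (3, 5), "high": (5, 7)}   # multiples of the minimum attack cost
DECEIVED = {"high": 0.3, "medium": 0.5, "low": 0.7}                 # P(attacker quits after taking a honeypot)
CRITERIA = ("max_util", "min_util", "min_def", "random")
ATTACKER_TYPES = list(itertools.product(BUDGET_RANGE, DECEIVED, CRITERIA))
node_cost = lambda defense, v: 1.0 + defense[v]                     # assumed: one base unit plus the defense level

def min_attack_cost(defense):
    """Cheapest entry->core path cost (Dijkstra over node costs): the attacker's budget unit."""
    best, frontier = {ENTRY: 0.0}, [(0.0, ENTRY)]
    while frontier:
        d, u = min(frontier); frontier.remove((d, u))
        if u == CORE: return d
        for v in LINKS[u]:
            if d + node_cost(defense, v) < best.get(v, float("inf")):
                best[v] = d + node_cost(defense, v); frontier.append((best[v], v))
    raise ValueError("core unreachable")

def pick_next(cands, defense, util, rule, rng):            # the deck's four next-hop criteria
    if rule == "max_util": return max(cands, key=util.get)
    if rule == "min_util": return min(cands, key=util.get)
    if rule == "min_def": return min(cands, key=defense.get)
    return rng.choice(cands)

def run_attack(defense, util, budget, deceived, rule, rng):
    """One attack. Returns (core compromised?, attack cost spent on each node)."""
    spent, node, visited = defaultdict(float), ENTRY, {ENTRY}
    while True:
        cands = [v for v in LINKS[node] if v not in visited]
        if not cands: return False, spent                    # dead end
        node = pick_next(cands, defense, util, rule, rng)
        cost = node_cost(defense, node)
        if budget < cost: return False, spent                # budget exhausted
        budget -= cost; spent[node] += cost; visited.add(node)
        if node == CORE: return True, spent
        if node in HONEYPOTS and rng.random() < deceived:
            return False, spent                              # deceived: believes the core has fallen

def evaluate(defense, util, m, seed=1):
    """Run m attacks cycling through the 36 types. Returns (P(core compromised), cost per node, hits per chunk)."""
    rng, unit = random.Random(seed), min_attack_cost(defense)
    total, chunks, hits = defaultdict(float), [], 0
    for i in range(m):
        blevel, clevel, rule = ATTACKER_TYPES[i % len(ATTACKER_TYPES)]
        lo, hi = BUDGET_RANGE[blevel]
        ok, spent = run_attack(defense, util, rng.uniform(lo, hi) * unit, DECEIVED[clevel], rule, rng)
        hits += ok
        for v, c in spent.items(): total[v] += c
        if (i + 1) % CHUNK == 0: chunks.append(hits - sum(chunks))
    return hits / m, dict(total), chunks

def apply_unit(defense, util, v, kind, sign):
    """Copies with one unit added (+1) or removed (-1) at v: a defense level or, on a honeypot, 0.1 of link utilization."""
    d, u = dict(defense), dict(util)
    if kind == "def": d[v] += sign
    else: u[v] = round(u[v] + 0.1 * sign, 1)
    return d, u

def feasible(defense, util, v, kind, sign):
    if kind == "def": return sign > 0 or defense[v] >= 1
    return v in HONEYPOTS and (util[v] <= 0.9 if sign > 0 else util[v] >= 0.1)

def resource_units(defense, util):
    """Total allocated resource under that exchange rate; every round must conserve it."""
    return round(sum(defense.values()) + sum(util[h] * 10 for h in HONEYPOTS))

def enhance_round(defense, util, m, seed=1):
    """Rank nodes by attack cost spent on them. Recipient: the node of the three most attacked whose extra unit
    lowers P most. Donor: the node of the three least attacked whose lost unit raises P least. Both maximise p0 - p."""
    p0, cost, _ = evaluate(defense, util, m, seed)
    ranked = sorted((v for v in LINKS if v != ENTRY), key=lambda v: cost.get(v, 0.0))
    def best(nodes, sign):                  # same seed for every candidate: common random numbers
        opts = [(v, k) for v in nodes for k in ("def", "util") if feasible(defense, util, v, k, sign)]
        return max(opts, key=lambda o: p0 - evaluate(*apply_unit(defense, util, *o, sign), m, seed)[0]) if opts else None
    recipient, donor = best(ranked[-3:], +1), best(ranked[:3], -1)
    if recipient is None or donor is None: return defense, util, p0, p0, None
    d, u = apply_unit(*apply_unit(defense, util, *recipient, +1), *donor, -1)
    return d, u, p0, evaluate(d, u, m, seed)[0], (donor, recipient)

def optimise(defense, util, m, rounds, seed=1):
    """N rounds; a move is kept only when it lowers P (assumed reading of the flowchart's compare step)."""
    history = []
    for _ in range(rounds):
        d, u, p0, p1, move = enhance_round(defense, util, m, seed)
        history.append((p0, p1, move, p1 < p0))
        if p1 < p0: defense, util = d, u
    return defense, util, history
```

`evaluate(DEFENSE0, UTIL0, 36000)` returns the compromise probability, the attack cost accumulated on each node (the popularity metric) and the per-chunk hit counts the deck plots; `optimise(DEFENSE0, UTIL0, 36000, 5)` runs five enhancement rounds. Every candidate allocation is evaluated with the same seed, so all of them face the same attacker sequence; without that, finite-difference derivatives of a Monte Carlo estimate are dominated by sampling noise unless M is very large. `resource_units()` is the invariant to check after every round: a unit moved is never a unit created.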
Initial parameter configuration: Defender
Defense resource allocation: resources are allocated according to two major metrics:
- Hop count to the core node: the larger the hop count, the lower the defense level.
- Number of out links of each node: the more out links, the higher the defense level.
Honeypot link utilization: the initial value is set to 0.5.
Initial parameter configuration: Attacker
Budget level (multiple of the minimum attack cost):
- Low level: 1~3 times the minimum attack cost
- Medium level: 3~5 times the minimum attack cost
- High level: over 5 times
Capability (probability of being deceived by a honeypot):
- High level: 30% deceived probability
- Medium level: 50% deceived probability
- Low level: 70% deceived probability
Experiment on M
Different numbers of chunks were run to find a suitable value for M: 10 chunks, 100 chunks, 1,000 chunks, 10,000 chunks.
Each chunk represents the result of 10 thousand evaluations, i.e., attacks.
Experiment on M: Result of 10 chunks
Chunk No. | Compromise freq.
1  | 3261
2  | 3481
3  | 2832
4  | 3446
5  | 3242
6  | 2855
7  | 3316
8  | 3660
9  | 3309
10 | 3015
Experiment on M: Result of 100 chunks
Chunk No. | Compromise freq.
1  | 2828
2  | 2818
3  | 3539
4  | 3203
5  | 3360
6  | 3393
7  | 3189
8  | 3083
9  | 3182
10 | 2799
11 | 3125
12 | 3090
13 | 2568
14 | 3494
15 | 3059
...
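A check a practitioner would run on the chunk tables above, added here and not part of the deck; the counts are transcribed from the 10-chunk table and the first 15 rows of the 100-chunk table, and the function names are this example's own. Whatever the mix of the 36 attacker types, if the 10,000 attacks in a chunk are independent the chunk count has variance at most 10000 * p * (1 - p), so its standard deviation cannot exceed about 47 for p close to 0.32. The tables show a chunk-to-chunk spread several times larger, which means something in the simulation couples the attacks within a chunk or changes between chunks, and a running mean that visibly flattens is not by itself evidence that M is adequate. The block also reports the standard error of the overall estimate, which is the number that actually says how converged it is.

```python
"""Dispersion check on the deck's per-chunk compromise counts. Added example, not the deck's code;
the counts below are transcribed from the 10-chunk table and the first 15 rows of the 100-chunk table."""
import math
from statistics import mean, stdev

CHUNK_SIZE = 10_000
TEN_CHUNKS = [3261, 3481, 2832, 3446, 3242, 2855, 3316, 3660, 3309, 3015]
FIRST_15_OF_100 = [2828, 2818, 3539, 3203, 3360, 3393, 3189, 3083, 3182, 2799, 3125, 3090, 2568, 3494, 3059]

def chunk_stats(counts, n=CHUNK_SIZE):
    """Estimated p, the observed chunk-to-chunk standard deviation, the largest standard deviation
    n independent attacks with mean success probability p could produce, and their ratio."""
    p = mean(counts) / n
    observed = stdev(counts)
    independent_max = math.sqrt(n * p * (1 - p))     # Poisson-binomial variance is at most n*p*(1-p)
    return {"p": p, "observed_sd": observed, "independent_sd": independent_max,
            "dispersion": observed / independent_max}

def running_mean(counts, n=CHUNK_SIZE):
    """The converging curve the deck plots: cumulative estimate of p after each chunk."""
    out, total = [], 0
    for k, c in enumerate(counts, 1):
        total += c
        out.append(total / (k * n))
    return out

def standard_error(counts, n=CHUNK_SIZE):
    """Standard error of the overall estimate from the chunk spread: how converged the estimate really is."""
    return stdev(counts) / (n * math.sqrt(len(counts)))
```

For the 10-chunk table the estimate is p = 0.324 with an observed chunk standard deviation near 269 against an independence bound near 47 (dispersion ratio above 5); the 15 transcribed rows of the 100-chunk table give the same picture. The standard error after 100,000 attacks is about 0.0085, which is the figure to quote alongside the compromise probability.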
Experiment on M: Result of 1,000 chunks (chart only)
Experiment on M: Result of 10,000 chunks (chart only)
Summary
According to the experiment results, the core node compromise frequency in 10 thousand attacks (one chunk) is only 3~4 thousand.
Many attackers with a high budget level are deceived by honeypots.
Experiment data
Information of attacker 3: budget level 415.092896; capability 0.500000; next hop selecting criteria 4; round time 14; compromising path: 10 7 4 2 5 8 6 0 0 0
Information of attacker 30: budget level 364.396271; capability 0.500000; next hop selecting criteria 3; round time 58; compromising path: 10 9 6 0 0 0 0 0 0 0
Information of attacker 6: budget level 316.021667; capability 0.700000 (High level); next hop selecting criteria 3; round time 7; compromising path: 10 9 6 0 0 0 0 0 0 0
Information of attacker 18: budget level 286.996918; capability 0.300000 (Low level); next hop selecting criteria 3; round time 8; compromising path: 10 9 6 8 5 7 4 2 3 1
Total defense budget is set to 100.