redundancy vs. protection vs. false targets for systems under attack gregory levitin, senior member,...

1

REDUNDANCY VS. PROTECTION VS. FALSE TARGETS FOR SYSTEMS UNDER ATTACKGregory Levitin, Senior Member, IEEE, and Kjell Hausken

IEEE Transactions on ReliabilityVol. 58, No.1, March 2009

Advisor: Frank Yeong-Sung, LinPresented by : Hui-Yu, Chung

2

AgendaIntroductionThe ModelDetermining the Optimal StrategiesConsidering Intervals of the Contest

IntensityConclusions

3

IntroductionResources of The Defender◦Three measures to remain survivability

Deploying redundant genuine elements (GE) Deploy false elements (FE) to attract the attacker Protecting some of the GE

Resources of The Attacker◦The Attacker’s object is to maximize damage

But the Attacker is expected to expend resources on both GE and FEs.

4

IntroductionDefender’s strategy◦How to allocate its resource between GE, FE,

and protect GEAttacker’s strategy◦How many elements to attack

Two period game with minmax defender strategy◦First period: defender, second period: attacker◦Minimize the maximum risk

5

Basic Aefinition & Acronym• Lowest-level part of the system characterized by performance g,

and cost x

Genuine system element (GE)

• Imitation of GE that has actual performance 0, and cost y

False Elements (FE)

• Either GE, or FE

Element

• Conditional probability of element destruction even it is attacked

Vulnerability

• Technical or organizational measure aimed at reduction of element vulnerability

Protection

6

Nomenclatures

7

AssumptionsThe attacker cannot distinguish between

GE and FEBoth the attacker/defender

attacks/protects each element with equal resources

Considering a non-strategic attacker (fixed attack or fixed attack probability)

Both the attacker and the defender have limited, fixed resources

8



9

The ModelAll parameters are known by both the

defender and the attacker◦except the attacker cannot distinguish GE and

FEThe system is built to meet a demand H:

Minimal elements required:Total resource cannot exceed r: Nx r

/H g

→ /r x H g

Ng H

10

The Model

The attacker attacks elementsThe attacked unprotected GE can be destroyed with

fixed probability b.Using the most conservative defense policy◦ Assuming a maximum attacker’s budget

Defender Side Attacker Side

Measures Increase GE Deploy FE Protect GE Attack elements

Resource Needed x y ( ) /t r Nx Fy K /T R Q

Q N F

11

Contest Success FunctionAttack success probability (vulnerability)

for each protected GE

Contest Intensity Parameter m◦Reflect how the survivability of the system

depends on the resources expanded

12

Contest Success FunctionContest intensity parameter m:

m = 0 v = 50%t and T have equal impact on vulnerability

0 < m < 1 Disproportional advantage of investing less than the opponent

m = 1 The investments have proportional impact on vulnerability

m > 1 Disproportional advantage of investing more effort than opponent (economics of scare)

m = Winner-takes-all

13

Problem Formulation The prob. that attacker attacks exactly n GE is

For any n, the conditional prob. That exactly k out of n attacked GE are protected is

The prob. That exactly n GE are attacked, and among them k GE are protected is

( ) ( ) ( | )P A B P A P B A

14

Problem FormulationThe conditional prob. That exactly s out

of k protected attacked GE are destroyed is

The prob. That exactly n GE are attacked, e out of the n - k attacked unprotected elements are destroyed is

15

Problem Formulation :The prob. That exactly j elements are

destroyed by the attack, which is the sum of prob. Of all possible combinations that produce the same value of j. ( j = s + e)

jp

Unprotected elements

Destroyed unprotected elements

# of attacked GE, n,can range from max{0,Q - F}to min{Q, N}

# of protected attacked GE, k, can range from max{0,Q – N + K} to min{n, K}

16

Problem FormulationIf b = 1 → e = n - k

17

Algorithm Which obtains the prob. of different number of GE destroyed by attack Q

elements

18

Measures of risk In terns of expected damage:

Damage exists whenIn terns of system vulnerability:◦(prob. Of not meeting the demand)

/j N H g

19



20

The Optimal StrategiesThe optimal defender can be a solution of

a minmax game that minimize the risk given that for any N, F, K, the attacker chooses Q elements to attack to maximize the risk .

21

The Optimal StrategiesThe risk can be replaced by D or V

22

SolutionsSolutions for different contest intensities◦H = 10, g = 2, y = 1, x = 3, b = 1, R = 10, r = 40

23

SolutionsThe solution of the two measures of risk (considering

expected damage and system vulnerability) are similar

With small m → Increase system redundancy with minimal protection, and FE is less important.

Increasing m → FE becomes more important

Larger m → Since attacker only attacks a subset of the elements, FE slightly decreases.

24



25

Intervals of the Contest Intensity

In many practical situations, the values of the contest intensities cannot be exactly determined.

Most conservative defense strategy→ Consider most favorable m for the attacker

The defender’s strategy is to choose N*, F*, K* that minimize the risk under attacker’s optimal strategy Q = Q*(N, K, F, m) in the range min maxm m m

26

Intervals of the Contest Intensity

Algorithm

max min0.04( )m m mIn this case,

27

Optimal defender’s minmax strategies as a function of rH = 10, g = 2, y = 1, b = 1, R = 10, x = 3

28

Optimal defender’s minmax strategies as a function of xH = 10, g = 2, y = 1, b = 1, R = 10, r = 50

29

Optimal defender’s minmax strategies

The influence when increasing the defender’s resource is similar to the influence when decreasing the GE cost.

Small m→Need large N → more sensitive to N

Intermediate m→Prefer large F → less sensitive to N

Large m→Need to protect GE → N decreases

30

Optimal defender’s minmax strategies as a function of RH = 10, g = 2, x= 3, y = 1, b = 1, r = 30

31

Optimal defender’s minmax strategies as a function of R

With the growth of R, the defender must decrease the number of GE and K/N, to allocate more resource to protect some of the GE.

Low attacker resource◦The defender benefits from high contest intensity

High attacker resource◦The defender benefits form small contest intensity◦The attacker benefits from intermediate contest

intensity

32

Optimal defender’s minmax strategies as a function of bH = 10, g = 2, x= 3, y = 1, r = 30, R = 10

33

Optimal defender’s minmax strategies as a function of bWith the growth of b, the importance of

protecting GE increasesDefender protect more GE

→ Limits the # of GE that can be deployed→ Deploy more FE to compensate

K < N→ The expected damage increases

K = N → No unprotected GE→ b has no effect on expected damage

34

Considering Optimal FEThe number of FE, F, is most sensitive to

variation of the game parameter m, x, r, and R.◦The cost of FE is lower than GE◦Balance?

Deploy more FE?

Protecting more on

GE?

35

Considering Optimal FE F = 10, g = 2, y = 1, x = 3, b = 1, R = 10, 1 < m < 5

36

Considering Optimal FEConsider a fixed and optimal number of

FEWhen r grows, the difference between D

corresponding to different fixed values of F decreases.◦ If the defender has enough resources, non-

optimal F can be compensated by other defensive measures.

37



38

ConclusionsUsing a two-period minmax game to

analyze the defender’s strategy.Considering the system redundancy, # of

FEs, and protection resource◦Small m : high system redundancy with

minimum protection, low FE◦Intermediate m: redundancy decreased, FE

increased, invest more on protection◦High m: FE decreases (since attacker attacks

only part of the elements)

39

ConclusionsConsidering non-certain determined

contest intensities, the influence on defender’s increase of resource is similar to the influence on decrease of the GE cost.

Low GE cost/ High defender’s resource:◦The defender benefits from extremely low m

High GE cost/ Low defender’s resource:◦The attacker benefits from intermediate m

40

ConclusionsWhen the attacker’s resource is high, the

defender need to lower the ration of protected GE and deployed GE to make more effort on protecting them.

Low attacker resource:◦Defender benefits from large m

High attacker resource:◦The defender benefits from low m◦The attacker benefits from intermediate m

41

ConclusionsThe balance between deploying more FE,

spending more resources toward protection of the GE, depends on the agents’ resources, the contest intensity, and the relative cost of deploying FE an GE.◦While the optimal # of FE provides lowest

possible expected damage, some other # of FE may differ from the possible lowest one.

Future works can concern on cost and budget issues

42

THANKS FOR YOUR LISTENING~!!!

redundancy vs. protection vs. false targets for systems under attack gregory levitin, senior member,...

Documents

attacked ge

unprotected ge

j elements

minimal elements

assumptionsthe attacker

fixed resources

fixed attack probabilityboth

attack redundancy