Research Direction Introduction Advisor: Frank, Yeong-Sung Lin Presented by Hui-Yu, Chung.

Post on 30-Mar-2015


Research Direction Introduction

Advisor: Frank, Yeong-Sung Lin
Presented by Hui-Yu, Chung

Agenda

• Paper review
  – Contest success function
  – Worm characteristics
  – Worm propagation

• Problem descriptions
  – Defender attributes
  – Attacker attributes
  – Attack-defense scenarios

Contest success function (CSF)

• The idea of the CSF came from the problem of "rent-seeking" in economics
  – Rent-seeking refers to efforts to capture special monopoly privileges

• The phenomenon of rent-seeking in connection with monopolies was first formally identified in 1967 by Gordon Tullock
  – The CSF identifies the probability that a certain party wins the privilege

Tullock, Gordon (1967). "The Welfare Costs of Tariffs, Monopolies, and Theft". Western Economic Journal 5 (3): 224–232

Contest success function (CSF)

• For 2 players in Tullock's basic model
• Original form (ratio form):

• Since p1 + p2 = 1, the original form can be rewritten as:

• In our scenario, the CSF is transformed as follows:

About contest intensity

• Contest intensity m
  – m = 0: the efforts have equal impact on the vulnerability regardless of their size
    → Random
  – 0 < m < 1: disproportional advantage of investing less than one's opponent
    → Fighting to win or die
  – m = 1: the investment has a proportional impact on the vulnerability
    → Normal case

About contest intensity

• Contest intensity m
  – m > 1: disproportional advantage of investing more than one's opponent
    → God is on the side of the larger battalions
  – m = ∞: a step function where the "winner takes all"
    → Like an auction
  – The most popular versions of the Tullock CSF are the lottery (m = 1) and the all-pay auction (m = ∞)

Jack Hirshleifer, "Conflict and rent-seeking success functions: Ratio vs. difference models of relative success," Public Choice 63, 1989, pp. 101-112
Jack Hirshleifer, "The Paradox of Power," Economics and Politics, Volume 3, November 1993, pp. 177-200

About contest intensity

• The result comes from "Lanchester's laws"
  – Used to calculate the relative strengths of a predator/prey pair; formulated by Frederick Lanchester in 1916, during the height of World War I

• Lanchester's Linear Law: for ancient combat, in which one man could only ever fight exactly one other man at a time
• Lanchester's Square Law: for modern combat with long-range weapons such as firearms

About contest intensity

[Figure: contest success function plotted against the resource ratio, with the inflection point marked]

Worm characteristics

• Information collection
  ◦ Collect information about the local or target network.
• Probing
  ◦ Scans and detects the vulnerabilities of the specified host, and determines which approach should be taken to attack and penetrate.
• Communication
  ◦ Communicate between worm and hacker, or among worms.
• Attack
  ◦ Makes use of the holes found by the scanning techniques to create a propagation path.
• Self-propagating
  ◦ Uses various copies of the worm and transfers these copies among different hosts.

Worm propagation model

• Classical epidemic model
  – Does not consider any countermeasures
  – Used to analyze complicated scenarios

$$\frac{dI(t)}{dt} = \beta\, I(t)\,[N - I(t)]$$

(I(t): number of infectious hosts, N: total number of hosts, β: infection rate)

Su Fei, Lin Zhaowen, Ma Yan, "A survey of internet worm propagation models," Proc. IC-BNMT 2009, pp. 453-457
Stefan Misslinger, "Internet worm propagation," Department of Computer Science, Technische Universität München

Worm propagation model

• Kermack-McKendrick model (SIR model)
  – Takes the removal process into consideration
    • susceptible → infectious → removed
  – But doesn't take network congestion into account

$$\frac{dI(t)}{dt} = \beta\, I(t)\,[N - I(t)], \qquad \frac{dR(t)}{dt} = \gamma\, I(t), \qquad J(t) = I(t) + R(t) = N - S(t)$$

(J(t): number of infectious hosts including removed hosts; R(t): removed hosts; S(t): susceptible hosts; γ: removal rate)

Worm propagation model

• Two-factor model
  – Takes human countermeasures and network countermeasures into account
    • Increasing removal rate
    • Decreasing infection rate
  – More accurate model

$$\frac{dS(t)}{dt} = -\beta(t)\, S(t)\, I(t) - \frac{dQ(t)}{dt}, \qquad \frac{dR(t)}{dt} = \gamma\, I(t), \qquad \frac{dQ(t)}{dt} = \mu\, S(t)\, J(t)$$

$$\beta(t) = \beta_0\,[1 - I(t)/N]^{\eta}, \qquad N = S(t) + I(t) + R(t) + Q(t)$$

  – Q(t): # of removed hosts from susceptible hosts
  – R(t): # of removed hosts from infectious hosts
  – The dQ(t)/dt term models people's awareness of the worm (removal of susceptible hosts grows with J(t) = I(t) + R(t))

Worm propagation time

• Two-factor fit (Code Red worm, July 2001)
  – Takes both I → R and S → R into account
  – Decreased infection rate
  – About 120,000 hosts were infected in 8 hours

Cliff Changchun Zou, Weibo Gong, Don Towsley, "Code Red Worm Propagation Modeling and Analysis"
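The three models above, integrated numerically so the effect of the countermeasures is visible. This is an added example, not code from the presentation or the cited papers; all parameter values (N, β0, γ, μ, η, step size) are constructed.

```python
"""Euler integration of the worm propagation models on the slides: the
classical epidemic model (no countermeasures) and the two-factor model
(removal of infectious hosts, removal of susceptible hosts by people's
awareness, and an infection rate that decays with congestion).  Added
example, not from the presentation; all parameter values are constructed."""

def classical(N: float, I0: float, beta: float, steps: int, dt: float) -> float:
    """dI/dt = beta * I * (N - I): returns I after steps*dt time units."""
    I = I0
    for _ in range(steps):
        I += dt * beta * I * (N - I)
    return I

def two_factor(N, I0, beta0, gamma, mu, eta, steps, dt):
    """dS/dt = -beta(t) S I - dQ/dt,  dR/dt = gamma I,  dQ/dt = mu S J,
    beta(t) = beta0 (1 - I/N)^eta,  J = I + R,  N = S + I + R + Q.
    Returns (S, I, R, Q, peak_I) after steps*dt time units."""
    S, I, R, Q = N - I0, I0, 0.0, 0.0
    peak = I0
    for _ in range(steps):
        J = I + R
        beta = beta0 * (1 - I / N) ** eta      # congestion lowers the infection rate
        dQ = mu * S * J                        # awareness: susceptible hosts patched
        dS = -beta * S * I - dQ
        dR = gamma * I                         # infectious hosts cleaned up
        dI = beta * S * I - gamma * I          # keeps S + I + R + Q = N
        S, I, R, Q = S + dt * dS, I + dt * dI, R + dt * dR, Q + dt * dQ
        peak = max(peak, I)
    return S, I, R, Q, peak

if __name__ == "__main__":
    N, I0, dt, steps = 1000.0, 1.0, 0.01, 3000
    print("classical  I =", round(classical(N, I0, 1e-3, steps, dt)))
    S, I, R, Q, peak = two_factor(N, I0, 1e-3, 0.2, 1e-5, 1.0, steps, dt)
    print(f"two-factor I = {I:.0f} (peak {peak:.0f}), removed R = {R:.0f}, Q = {Q:.0f}")
```

With the same β0, the classical model ends with essentially every host infected, while the two-factor run peaks well below N and then declines as R and Q grow.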

Node compromise time

• Use the state-space predator model as the attack model and estimate the MTTC (Mean Time-to-Compromise) of the system

• Three levels of attacker capability
  – Beginner
  – Intermediate attacker
  – Expert attacker

David John Leversage, Eric James, "Estimating a System's Mean Time-to-Compromise," IEEE Security & Privacy, Volume 6, Number 1, pp. 52-60, January/February 2008

Node compromise time

• Divide the attacker's actions into three statistical processes
  – Process 1: the attacker has identified one or more known vulnerabilities and has one or more exploits on hand
  – Process 2: the attacker has identified one or more known vulnerabilities but doesn't have an exploit on hand
  – Process 3: no known vulnerabilities or exploits are available

• Mean time-to-compromise

Node compromise time

• Time-to-compromise
  – t1, t2, t3: expected mean time of processes 1, 2, 3
  – P1: prob. of finding a vulnerability
  – u: failure probability to find an exploit
  – t1 is hypothesized to be 1 working day (8 hrs)
  – t2 is hypothesized to be 5.8 * (expected tries) working days
  – t3 = ((1/s) - 0.5) * 30.42 + 5.8 days, where s = AM/V

Node compromise time

• Estimated number of tries, ET
  – AM: avg # of vulnerabilities for which an exploit can be found or created by an attacker of the given skill level
  – V: avg # of vulnerabilities per node within a zone
  – NM: the # of vulnerabilities an attacker with the given skill won't be able to use
    • NM = V - AM

• Expected avg time needed in process 2:
  – ET * 5.8 working days

Node compromise time

• Skill indicator s = AM/V
• Prob. that the attacker is in process 1:
  – M: # of exploits readily available to the attacker
  – K: total # of non-duplicate vulnerabilities

• Prob. that process 2 is unsuccessful (u)

Node compromise time

• Results
  – [Table of MTTC results per attacker skill level, measured in working days]
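An added example (not from the presentation or the cited paper) that computes a node's MTTC from the three processes above. Only t1, t2 = 5.8 * ET, t3 and s = AM/V are taken from the slides; the form of ET (expected draws without replacement until a usable vulnerability is found), P1 = 1 - exp(-V*M/K), u = (1 - AM/V)^V and the weighting of the three process times are assumptions that the slides do not show.

```python
"""Mean time-to-compromise (MTTC) of one node from the three attacker
processes on the slides.  Added example, not from the presentation.  The
forms of P1, u and the weighting of t1, t2, t3 are assumptions: the slides
only give t1, t2 = 5.8 * ET, t3 and s = AM/V."""
import math

def expected_tries(V: int, AM: int) -> float:
    """ET: expected number of tries until a usable vulnerability is drawn
    without replacement from V vulnerabilities, AM of which the attacker can
    exploit (the NM = V - AM others cannot be used).  Assumed form of ET."""
    if AM <= 0:
        raise ValueError("attacker must be able to use at least one vulnerability")
    NM = V - AM
    et, p_all_previous_unusable = 0.0, 1.0
    for i in range(1, NM + 2):              # at most NM failures before a hit
        p_hit_on_try_i = p_all_previous_unusable * AM / (V - i + 1)
        et += i * p_hit_on_try_i
        p_all_previous_unusable *= 1 - AM / (V - i + 1)
    return et

def process_times(V: int, AM: int, ET: float) -> tuple:
    """Hypotheses stated on the slides, in working days: t1 = 1 day (8 hrs),
    t2 = 5.8 * ET, t3 = ((1/s) - 0.5) * 30.42 + 5.8 with skill indicator s = AM/V."""
    s = AM / V
    return 1.0, 5.8 * ET, ((1 / s) - 0.5) * 30.42 + 5.8

def mttc(V: int, AM: int, M: int, K: int) -> float:
    """Assumed combination (not on the page): P1 = 1 - exp(-V*M/K) is the
    probability the attacker already holds an exploit for one of the node's
    V vulnerabilities (M exploits at hand out of K known non-duplicate
    vulnerabilities); u = (1 - AM/V)**V is the probability process 2 fails."""
    P1 = 1 - math.exp(-V * M / K)
    u = (1 - AM / V) ** V
    t1, t2, t3 = process_times(V, AM, expected_tries(V, AM))
    return P1 * t1 + (1 - P1) * (1 - u) * t2 + (1 - P1) * u * t3

if __name__ == "__main__":
    # Constructed node: V = 5 vulnerabilities, K = 100 known, M = 1 exploit at hand.
    for label, AM in (("beginner", 1), ("intermediate", 2), ("expert", 5)):
        print(f"{label:13s} AM={AM} MTTC={mttc(5, AM, 1, 100):.1f} working days")
```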

Agenda

• Paper review
  – Contest success function
  – Worm characteristics
  – Worm propagation

• Problem descriptions
  – Defender attributes
  – Attacker attributes
  – Attack-defense scenarios

Attack-defense scenario

• Collaborative attack
  – One commander who has a group of attackers
  – Different attackers have different attributes
    • Budget, capability
  – The commander has to decide his attack strategy at every round
    • e.g. # of attackers, resources used

• Once the strategy is given, all the attackers will exercise the attack simultaneously

Defender attributes

• Objective
  – Protect the provided services

• Budget
  – General defense resources (e.g. firewall, IDS)
  – Worm profile distribution mechanisms
  – Worm source identification methods

Defender attributes

• General defense mechanisms
  – Defense resource on each node
  – Dynamic topology reconfiguration
    • If the QoS is not satisfied, the disconnected link must be reconnected

• Worm defense mechanisms
  – Decentralized information sharing system
    • Unknown worm detection & profile distribution
  – Worm origin identification
  – Rate limiting
    • To slow down worm propagation
  – Firewall reconfiguration
    • May decrease QoS at the same time

Defender attributes

• Fixed defense resources
  – General defense resource on each node
  – Detection system on specific nodes

• Dynamic defense resources
  – Generating worm signatures

• Without expending budget
  – Worm origin identification
  – Rate limiting
  – Firewall reconfiguration
  – Dynamic topology reconfiguration

Attacker attributes

• Objective
  – To decrease the QoS of the defender
  – To steal information (by attacking some specific nodes)

• Budget
  – Preparing phase: worm injection
  – Attacking phase: node compromising

Attacker attributes

• Attack mechanisms
  – Compromising nodes
    • The goal is to finally compromise the core nodes, which reduces the QoS of those core nodes to below a certain level or steals sensitive information
  – Worm injection
    • The purpose is to get further topology information
    • After a node is compromised, the commander will decide whether to inject worms

Attacker attributes

• Process
  – Using the aggressiveness of risk avoidance, compromise several nodes, and find the nodes with large-traffic links to inject worms
  – After getting the topology information of the defender from the worms, try to find the shortest path to the core node and compromise the nodes along the path
  – If the attacker finds that the defender uses dynamic topology reconfiguration and cuts the link along the shortest path, then he can use the pretend-to-attack strategy to make the link be connected back

Compromising nodes

• How to select the attackers?
  – The commander has to select the attackers who have enough attack resource
    • The resource required is computed via the contest success function

• During the decision phase, all the commander has to do is find the interval of defense resource values that lie near the defense resource on that node
  – After every round the table will be updated with the new resource owned by the selected attacker

How to select the attackers?

• A corresponding defense resource table is created right after the defender has constructed his network topology
  – The value of an attacker resource T is computed from the budget and attack time of that attacker
    • Attack power
    • Aggressiveness
  – The value of the defense resource t is the defense resource on a node in the network
  – The table is sorted in ascending order of t

$$\text{Attack Power} = f(\text{budget}, \text{time}(\text{capability}))$$

How to select the attackers?

Table sorted in ascending order of defense resource t:

Defense Rsc   Attacker Rsc   Aggressiveness
102           29             0.3
195           200            0.5
…             …              …
598           929            0.9
601           487            0.4
602           808            0.7
609           953            0.8
…             …              …
1036
1139          805            0.2

Rows near a given defense resource, listed by aggressiveness:

Aggressiveness   Df Rsc   At Rsc
0.4              601      487
0.7              602      808
0.8              609      953
0.9              598      929
…                …        …

The budget, capability, and aggressiveness of the attackers are predetermined. The value of the contest intensity m is given.

$$\frac{T^m}{T^m + t^m}$$

(T: attacker resource, t: defense resource on the node, m: contest intensity)

Aggressiveness

• High aggressiveness (risk avoidance)
  – Often used to compromise nodes
  – Before worm injection
  – Higher when approaching core nodes

• Low aggressiveness (risk tolerance)
  – Used to pretend to attack
  – e.g. to lower the risk level of a certain core node
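The CSF of the slides, T^m / (T^m + t^m), with its inverse (the attacker resource needed for a target win probability, which is how "the resource required is computed via the contest success function") and the lookup into the defense-resource table sorted by t. This is an added example, not the presenter's code; the interval width around the node's defense value and the win-probability threshold are assumptions, and the table rows are constructed in the slides' layout.

```python
"""Contest success function (CSF) of the slides, p = T^m / (T^m + t^m), for
attacker resource T against defense resource t at contest intensity m, plus
the inverse (resource an attacker needs for a target win probability) and the
lookup into the defense-resource table.  Added example, not the presenter's
code; the interval width and the win-probability threshold are assumptions."""
import bisect
import math

def csf(T: float, t: float, m: float) -> float:
    """Attacker win probability.  m = 0: 1/2 whatever the sizes (random);
    m = 1: proportional (lottery); m = inf: winner takes all (step function)."""
    if math.isinf(m):
        return 1.0 if T > t else 0.0 if T < t else 0.5
    Tm, tm = T ** m, t ** m
    return 0.5 if Tm + tm == 0 else Tm / (Tm + tm)

def required_resource(t: float, m: float, target_p: float) -> float:
    """Invert the CSF: attacker resource T that reaches win probability
    target_p against defense resource t (needs m > 0 and 0 < target_p < 1)."""
    return t * (target_p / (1 - target_p)) ** (1 / m)

# Constructed table in the slides' layout: (defense resource t, attacker
# resource T, aggressiveness), kept sorted in ascending order of t.
TABLE = sorted([(102, 29, 0.3), (195, 200, 0.5), (598, 929, 0.9), (601, 487, 0.4),
                (602, 808, 0.7), (609, 953, 0.8), (1139, 805, 0.2)])

def candidates_near(node_defense: float, table=TABLE, width: int = 1) -> list:
    """Rows whose t lies in the interval around the node's defense resource:
    bisect into the sorted t column and take `width` rows on either side."""
    ts = [row[0] for row in table]
    i = bisect.bisect_left(ts, node_defense)
    return table[max(0, i - width): i + width + 1]

def select_attackers(node_defense: float, m: float, min_win_prob: float,
                     table=TABLE) -> list:
    """Attackers near the node whose CSF win probability meets the commander's
    threshold, best first, as (win probability, t, T, aggressiveness)."""
    scored = [(csf(T, node_defense, m), t, T, a)
              for t, T, a in candidates_near(node_defense, table)]
    return sorted((row for row in scored if row[0] >= min_win_prob), reverse=True)

if __name__ == "__main__":
    for m in (0, 0.5, 1, 2, float("inf")):
        print(f"m={m}: p(T=808 vs t=602) = {csf(808, 602, m):.3f}")
    print("need T =", round(required_resource(601, 1, 0.6)), "for p=0.6 at m=1")
    print("selected:", select_attackers(600, 1, 0.5))
```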

Worm injection

• Used to get more topology information behind nodes before compromising them
  – After compromising one node, the attacker can decide whether to inject a worm into it
  – Often chooses a node with a high link degree to inject worms

• Worm immunity
  – Once a worm is detected by the defender, the defender may take some defense mechanism to become immune to it
  – In that case, the attacker has to inject another type of worm to get new information
    • Different types of worms
      – Scanning method, propagation rate, capability

Terminate conditions

• The QoS decreases to a certain level
• The attacker has got the sensitive information
• The attacker runs out of his budget

Scenarios

[Figure series: network topology of AS nodes A to T, with core AS nodes, firewalls and a decentralized information sharing system marked; the attacker/commander and defender moves are shown slide by slide]

• Initial topology: AS nodes, core AS nodes, firewalls, decentralized information sharing system
• One attacker to compromise node A → compromised
• Two attackers to compromise nodes C & D → compromised
• Inject Type I worm into node C
• Self-propagation of the worm
• Two attackers to compromise nodes I & F → compromised
• Detection alarm: the defender detects the Type I worm
• Two attackers to compromise nodes N & J → compromised
• Inject Type II worm into nodes N and J
• Defender response: dynamic topology reconfiguration, firewall reconfiguration, worm origin identification, rate limiting
• Two attackers to compromise nodes Q & P (firewall reconfiguration and rate limiting in effect)
• Dynamic topology reconfiguration: reconnect to satisfy QoS
• One attacker to compromise node O
• Two attackers to compromise core nodes R & S

~THANKS FOR YOUR ATTENTION~