Research Direction Introduction

Research Direction Introduction. Advisor: Yeong-Sung Lin. Presented by I-Ju Shih. Agenda: Problem Description, Problem Assumption, Problem Formulation.


Defending simple series and parallel systems with imperfect false targets R. Peng, G. Levitin, M. Xie, S.H. Ng

Advisor: Yeong-Sung Lin
Presented by I-Ju Shih

2011/11/29

Agenda

Problem Description
Problem Assumption
Problem Formulation


Problem Description

Defender versus Attacker: defender's information

1. Common knowledge. The information was known to both.
2. Defender's private information (e.g. each node's type and the network topology). Defender: knew all of it. Attacker: knew a part of it.
3. The defender's other information (e.g. system vulnerabilities). Defender: did not know it before the game started. Attacker: knew a part of it.

Defender versus Attacker: budget

1. Based on the importance of node. Defender: defense. Attacker: attack.
2. On each node. Defender: releasing message. Attacker: updating information.
3. Reallocated or recycled. Defender: yes, but with extra cost. Attacker: no.
4. Reward. Defender: no. Attacker: yes. If the attacker compromised a node, the node's resource could be controlled by the attacker before the defender had repaired it.
5. Repaired node. Defender: yes. Attacker: no.
6. Resource accumulation. Yes, but the resource needed to be discounted.

Defender versus Attacker

Immune benefit. Defender: yes. The defender could update information about system vulnerabilities after attacks. Attacker: no.
Rationality. Defender: full or bounded rationality. Attacker: full or bounded rationality.

Objective

The network survivability is measured by ADOD. The game has two players: an attacker (he, A) and a defender (she, D).

Defender
Objective: minimize the damage of the network (ADOD).
Budget constraint: deploying the defense budget in nodes; repairing the compromised node; releasing message in nodes.

Attacker
Objective: maximize the damage of the network (ADOD).
Budget constraint: deploying the attack budget in nodes; updating information.

Defender's information

The defender had private information, including each node's type and the network topology. There were two types (lower or higher valuation) of nodes, and each node's prior belief in the first round was common knowledge.

The attack success probability of node i
= (the probability that node i belonged to type 1) * (the attack success probability of node i if it belonged to type 1)
+ (the probability that node i belonged to type 2) * (the attack success probability of node i if it belonged to type 2)

Defender's action

In each round, the defender moves first, determines her strategy, and chooses a message for each node, which may be truth, deception or secrecy.

Message releasing

Message releasing could be classified into two types:
1. A node's information could be divided into different parts for the defender to release as messages.
2. The defender could release a node's defensive state as a message to the attacker.

Message releasing - type 1

The defender could choose a part of a node's information, according to her strategy, and release it as a truthful message, a deceptive message or secrecy.

Message releasing - type 2

The defender released a node's defensive state as a message, which was truth, deception or secrecy, to each node as a mixed strategy.

The defender chooses:
1. Truthful message if and only if message = actual information/defense.
2. Secrecy if and only if message is secret.
3. Deceptive message if and only if message ≠ actual information/defense.

Cost: Deceptive message > Secrecy > Truthful message

The effect of deception/secrecy

The effect of deception or secrecy would be discounted if the attacker knew part of the defender's private information.

The effect of deception or secrecy would be zero if the attacker knew something that the defender did not know.

Immune benefit

Although the attacker knew something that the defender did not know, the defender could update information after observing the result of each round's contest. After the defender updated information, she had an immune benefit, which meant that the attacker was unable to use an identical attack.

Defender's resources

From the view of the defender, the budget could be reallocated or recycled, but the discount factor was also considered. The defender could accumulate resources to decrease the attack success probability when defending network nodes the next time.

[Figure: defense resource on node i, recycled or reallocated by the defender]

Attacker's information

The attacker knew only partial network topology. The attacker could update information after observing the result of each round's contest and the defender's messages.

Attacker's resources

The attacker could accumulate experience to increase the attack success probability when compromising network nodes the next time. The attacker could increase resources when he compromised network nodes, before the defender had repaired them.

Network topology

We considered a complex system with n nodes in series-parallel. A node consisted of M components, which might be different components or the same. (M 1)

A node's composition could be classified into two types:
A node with a backup component
A k-out-of-m node

The relationship between nodes could be classified into three types:
Independence: a node could function solely.
Dependence: when a node was destroyed, the nodes dependent on the destroyed node would not operate normally.
Interdependence: when a node was destroyed, the node interdependent on the destroyed node would not operate normally, and vice versa.


Problem Assumption

1. The problem involved both a cyber attacker and a network defender. The objective of the attacker was to maximize the value of the Average DOD. On the other hand, the defender's goal was to minimize the value of the Average DOD.
2. Both the attacker and the defender took actions based on the importance of each node.

3. The cyber attacker had incomplete information about:
   Network topology: The attacker could only attack nodes of the network which had been known to the attacker, and kept collecting information.
   Defender's private information: The defender did not know the attacker knew it.
   Defender's system vulnerabilities: The defender did not know it.
4. The attacker had private information, which included the attacker's budget and the defender's system vulnerabilities.
5. The defender had private information, which included each node's type and the network topology.
6. Both attacker and defender were limited by the total budget.
7. Both attacker and defender might be rational or boundedly rational.

8. Both attacker and defender knew that there were two types (lower or higher valuation) of nodes.
9. Both attacker and defender knew each node's prior belief in the first round.
10. Both attacker and defender could update information by Bayes' theorem after observing the result of each round's contest. The attacker could also update his information by Bayes' theorem after observing the defender's messages.

11. There were no enforceable agreements between attacker and defender, which meant that the attacker and the defender could not cooperate.
12. In each round, the defender moves first, determines her strategy, and chooses a message for each node, which may be truth, deception or secrecy.
13. The cost of releasing a truthful message was lower than the costs of releasing secrecy and deception, respectively. Also, the cost of releasing secrecy was lower than the cost of releasing deception. The cost of releasing a message would not be accumulated or recycled.

14. The defender using deceptive messages could lower the attack success probability.
15. The defender's message releasing could be classified into two types:
   A node's information could be divided into different parts for the defender to release as messages.
   The defender could release a node's defensive state as a message to the attacker.
16. Only node attack was considered. (We did not consider the link attack.)
17. Only malicious attack was considered. (We did not consider random errors.)
18. The cyber attacker could accumulate experience to increase the attack success probability when compromising network nodes the next time.
19. The network defender could accumulate resources to decrease the attack success probability when defending network nodes the next time.
20. The attacker could increase his budget when he compromised network nodes, which meant that the compromised network nodes were controlled by the attacker.
21. From the view of the defender, the budget could be reallocated or recycled, but the discount factor was also considered.

22. From the view of the defender, the compromised nodes could be repaired.
23. Only a static network was considered. (We did not consider the growth of the network.)
24. The defender used redundant components in the system design to achieve high availability.
25. The network survivability was measured by the Average DOD value.
26. Any two nodes of the network could form an O-D pair.
27. The attack success probability was calculated by a contest success function, considering the resource allocation on each node of both parties.
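The type-weighted attack success probability from the "Defender's information" slide, the Bayes update in assumption 10 and the contest success function in assumption 27 fit together as in the sketch below. It is an added example, not taken from the slides: the ratio form of the contest success function, the idea that the two node types differ in defense resources, the function names and all numbers are assumptions.

```python
# Added illustration. The slides do not give the contest success function;
# the ratio form used here and every numeric value are assumptions.

def contest_success(attack, defense, m=1.0):
    """Assumed ratio-form contest success function: T^m / (T^m + t^m)."""
    if attack <= 0:
        return 0.0          # no attack effort, no success
    if defense <= 0:
        return 1.0          # undefended node always falls
    return attack ** m / (attack ** m + defense ** m)

def attack_success_probability(prior_type1, p_succ_type1, p_succ_type2):
    """Slide formula: P(type 1) * P(success | type 1) + P(type 2) * P(success | type 2)."""
    return prior_type1 * p_succ_type1 + (1.0 - prior_type1) * p_succ_type2

def update_belief(prior_type1, p_succ_type1, p_succ_type2, attack_succeeded):
    """Bayes' theorem: posterior P(type 1) after observing one contest result."""
    like1 = p_succ_type1 if attack_succeeded else 1.0 - p_succ_type1
    like2 = p_succ_type2 if attack_succeeded else 1.0 - p_succ_type2
    evidence = prior_type1 * like1 + (1.0 - prior_type1) * like2
    if evidence == 0.0:
        return prior_type1  # outcome impossible under both types: keep the prior
    return prior_type1 * like1 / evidence

def play_rounds(prior_type1, attack, defense_by_type, outcomes):
    """Track the belief in 'type 1' and the expected success probability per round."""
    p1 = contest_success(attack, defense_by_type[1])
    p2 = contest_success(attack, defense_by_type[2])
    belief, history = prior_type1, []
    for succeeded in outcomes:
        history.append((belief, attack_success_probability(belief, p1, p2)))
        belief = update_belief(belief, p1, p2, succeeded)
    return belief, history

if __name__ == "__main__":
    # Constructed scenario: type 1 nodes get 2 units of defense, type 2 nodes get 6;
    # the attack spends 2 units per round and fails first, then succeeds.
    final, rounds = play_rounds(0.5, 2.0, {1: 2.0, 2: 6.0}, [False, True])
    for number, (belief, p_succ) in enumerate(rounds, start=1):
        print(f"round {number}: P(type 1)={belief:.3f}  P(success)={p_succ:.3f}")
    print(f"belief after both rounds: {final:.3f}")
```
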


Problem Formulation

Given

The total budget of the network defender.
The total budget of the cyber attacker.
Both the defender and the attacker have incomplete information about each other.

Objective

Minimize the maximum damage degree of network (ADOD).

Subject to

The total budget constraint of the network defender.
The total budget constraint of the cyber attacker.

To determine

The attacker
How to allocate the attack budget to each node in each round.

The defender
How to allocate the defense budget and which message to use for each node in each round.
Whether to repair the compromised node in each round.
Whether to reallocate or recycle a node's resource in each round.

[Slides: Given parameter; Decision variable; Objective function; Subject to]

Thanks for your listening.

Defender's information

Defender's private information

Attacker does not know the information

Attacker knows defender's partial private information

The information is unknown to defender

Attacker knows the partial information

Attacker does not know the information

Common knowledge
