
Redundancy and Defense Resource Allocation Algorithms to Assure Service Continuity against Natural Disasters and Intelligent Attackers

Advisor: Professor Frank Y.S. Lin
Ray J.P. Lo 駱睿斌


112/04/21 NTU IM OPLab 2

Agenda

- Introduction
- Problem Formulation
- Lagrangean Relaxation
- Decomposition
- Heuristics for Getting Primal Feasible Solutions
- Problems

Scenario

Considering a network consisting of AS-level nodes:
- Just one kind of specified function is provided by each node.
- The plan of which node provides which kind of function is predefined and consistent.
- Multiple core nodes

Defender

The defender hopes to enhance the survivability of the whole network by exploiting unified purchase to implement redundancy allocation.
- There is a product list that is known by both the defender and the attacker.

Defender (cont’d)

- Redundant Component Choice Sets of Different Functions
- Defense Mechanism Choice Sets of Different Redundant Components

Attacker

The attacker also has perfect knowledge about this target network:
- The topology of the network
- The allocation of redundant components and defense mechanisms in each node

Extreme experience accumulation

The attacker’s final goal is to minimize the total attack cost of compromising all core nodes by choosing proper nodes to compromise.

Scenario

[Figure: network diagrams with nodes labeled S, C and CS; one configuration is marked "prefer"]

Assumption

- Every node in this network is at AS-level.
- No attack on links is considered.
- Both the defender and the attacker have perfect knowledge about this network.
- Each node in the network must provide just one kind of predefined function.
- The defender has a limited total defense budget.
- The requirement of the service availability threshold, which defines the minimum expected number of redundant components for every node, must be satisfied.

Assumption (cont’d)

- All kinds of redundant components in a choice set provide an identical main function.
- Other than providing the main function, all kinds of redundant components also have a little basic defensive ability.
- All redundant components are in hot-standby state.
- All compromised redundant components are never repaired.

Assumption (cont’d)

- There are several extra defense mechanisms available for further protecting each kind of redundant component.
- The defender must decide which extra defense mechanisms to deploy for protecting a redundant component when allocating a redundant component in a node.

Assumption (cont’d)

- A node is subject to attack only if a path exists from node s to that node, and all the intermediate nodes on the path have been compromised.
- The attacker will compromise just one redundant component, the primary one, in non-core nodes for penetrating, and compromise all redundant components in core nodes for whole dysfunction.
  - A non-core node is compromised if one of the redundant components allocated in it has been compromised.
  - A core node is compromised if and only if all redundant components allocated in it have been compromised.

Assumption (cont’d)

- While attempting to compromise a non-core node, the attacker can always arbitrarily choose to compromise the redundant component that is most advantageous for minimizing the total attack cost.
- A redundant component is subject to attack only if all extra defense mechanisms allocated to protect it have been compromised.
- The probability that a redundant component operates properly is independent of whether extra defense mechanisms are deployed to it.

Assumption (cont’d)

- If the attacker has compromised the extra defense mechanism d of redundant component m once, he/she has then learned some effective skills or developed some powerful hacker tools to deal with this kind of defensive mechanism d of redundant component m.
  - Hence, the attacker can compromise the same kind of defensive mechanism d of the same kind of redundant component m without spending any cost afterward.
- For the same reason, the attacker can compromise any kind of redundant component which he/she has ever compromised without spending any cost.
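The cost model stated in these assumptions, as an added example (not code from the slides): it brute-forces the modelled attacker's cheapest plan on a small network so a defender can compare allocations. The graph, thresholds and allocations are constructed sample data, node s is assumed to cost nothing, and the budget and availability constraints are not modelled.

```python
from itertools import product

# Constructed sample thresholds (not from the slides).
A_M = {"m1": 10, "m2": 3, "m3": 12}                          # attack cost per component kind
A_MD = {("m1", "d1"): 4, ("m2", "d1"): 2, ("m3", "d1"): 5}   # attack cost per mechanism kind

# Constructed topology: s is the attacker's start, t1 and t2 are core nodes.
GRAPH = {"s": ["a", "b"], "a": ["s", "b", "t1"], "b": ["s", "a", "t1", "t2"],
         "t1": ["a", "b"], "t2": ["b"]}
CORE = {"t1", "t2"}

# Allocations: node -> list of (component kind, [extra defense mechanisms]).
ALLOC_UNIFORM = {n: [("m1", ["d1"])] for n in ("a", "b", "t1", "t2")}
ALLOC_DIVERSE = {"t1": [("m1", ["d1"])], "t2": [("m1", ["d1"])],
                 "a": [("m2", ["d1"]), ("m3", ["d1"])], "b": [("m3", ["d1"])]}
ALLOC_REUSED = dict(ALLOC_DIVERSE, b=[("m3", ["d1"]), ("m1", ["d1"])])


def simple_paths(graph, src, dst, seen=()):
    """Yield every loop-free path from src to dst as a tuple of nodes."""
    seen = seen + (src,)
    if src == dst:
        yield seen
        return
    for nxt in graph[src]:
        if nxt not in seen:
            yield from simple_paths(graph, nxt, dst, seen)


def kinds_used(component):
    """Experience items needed for one component: every extra defense
    mechanism deployed on it must fall before the component itself."""
    kind, mechs = component
    return frozenset([("m", kind)] + [("md", kind, d) for d in mechs])


def experience_cost(items):
    """Experience accumulation: each kind is paid for once, reuse is free."""
    return sum(A_M[i[1]] if i[0] == "m" else A_MD[(i[1], i[2])] for i in items)


def node_set_cost(nodes, alloc, core):
    """Cheapest way to compromise `nodes`: every component in a core node,
    one component per non-core node, chosen jointly across nodes."""
    must = set()
    for n in nodes & core:
        for comp in alloc[n]:
            must |= kinds_used(comp)
    options = [[kinds_used(c) for c in alloc[n]] for n in sorted(nodes - core)]
    return min(experience_cost(must.union(*choice)) for choice in product(*options))


def min_attack_cost(graph, alloc, core, s):
    """Inner minimisation: pick one path per core node, pay for the union
    of nodes on the chosen paths. Returns None if a core node is unreachable."""
    per_core = [list(simple_paths(graph, s, t)) for t in sorted(core)]
    best = None
    for combo in product(*per_core):
        nodes = set().union(*combo) - {s}   # assumption: s itself is free
        cost = node_set_cost(nodes, alloc, core)
        best = cost if best is None else min(best, cost)
    return best


if __name__ == "__main__":
    for name, alloc in [("uniform", ALLOC_UNIFORM), ("diverse", ALLOC_DIVERSE),
                        ("reused", ALLOC_REUSED)]:
        print(name, min_attack_cost(GRAPH, alloc, CORE, "s"))
```

Placing a copy of the core nodes' component kind in non-core node b (ALLOC_REUSED) drops the attacker's minimum cost back to that of the uniform allocation, because that kind is already paid for at the core nodes.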

Given

- The core nodes
- The initial position of the attacker
- The topology and size of the network
- The total defense budget
- The service availability threshold for all nodes in the network
- The predefined function of each node

Given (cont’d)

- The redundant component choice set of each kind of function
- The defense mechanism choice set of each kind of redundant component
- The cost of each kind of redundant component
- The cost of each kind of extra defense mechanism available for each kind of redundant component
- The threshold of compromising each kind of redundant component
- The threshold of compromising each kind of extra defense mechanism available for each kind of redundant component
- The probability of each kind of redundant component operating properly

Objective

To maximize the minimized total attack cost

Subject to
- The total cost spent on allocating redundant components and extra defense mechanisms must be no more than the total defense budget.
- The expected number of redundant components in each node must be no less than the service availability threshold.
- The node to be attacked must be connected to the existing attack tree.

To determine

Defender
- Which redundant components and extra defense mechanisms in which nodes to allocate

Attacker
- Which redundant components and extra defense mechanisms in which nodes to compromise

RAP-EDM Model (Redundancy Allocation Problem with Extra Defense Mechanisms)

Given parameters

B: The total defensive budgetary limitation
N: The index set of all nodes in the network
T: The index set of all core nodes in the network
U: The index set of all non-core nodes in the network
F: The index set of all functions provided by the nodes in the network
M_f: The index set of all redundant components which can be selected to provide the same main function f, where f ∈ F
W: The index set of all Origin-Destination (O-D) pairs, where the origin is node s and the destination is the core node t, where t ∈ T

Given parameters (cont’d)

P_w: The index set of all candidate paths of an O-D pair w, where w ∈ W
D_m: The index set of all extra defensive mechanisms available for the kind of redundant component m, where m ∈ M_f, f ∈ F
α: The threshold of service availability assurance that defines the minimum expected number of redundant components for every node
σ_if: The indicator function, which is 1 if node i provides function f, and 0 otherwise (where i ∈ N, f ∈ F)
δ_pi: The indicator function, which is 1 if node i is on the path p, and 0 otherwise (where i ∈ N, p ∈ P_w, w ∈ W)

Given parameters (cont’d)

c_m: The cost of the kind of redundant component m, where m ∈ M_f, f ∈ F
â_m(c_m): The threshold of the attack cost required to compromise the kind of redundant component m, where m ∈ M_f, f ∈ F
Q_m: The probability that the kind of redundant component m operates properly, where m ∈ M_f, f ∈ F

Given parameters (cont’d)

c_md: The cost of the defensive mechanism d of the kind of redundant component m, where d ∈ D_m, m ∈ M_f, f ∈ F
â_md(c_md): The threshold of the attack cost required to compromise the defensive mechanism d of the kind of redundant component m, where d ∈ D_m, m ∈ M_f, f ∈ F

Decision variables

R_im: 1 if the redundant component m is allocated in node i, and 0 otherwise (where m ∈ M_f, f ∈ F, i ∈ N)
R_imd: 1 if the defensive mechanism d of redundant component m is allocated in node i, and 0 otherwise (where d ∈ D_m, m ∈ M_f, f ∈ F, i ∈ N)
y_i: 1 if node i is compromised, and 0 otherwise (where i ∈ N)
y_im: 1 if the redundant component m in node i is compromised, and 0 otherwise (where m ∈ M_f, f ∈ F, i ∈ N)
y_imd: 1 if the defensive mechanism d of redundant component m in node i is compromised, and 0 otherwise (where d ∈ D_m, m ∈ M_f, f ∈ F, i ∈ N)

Decision variables (cont’d)

z_m: 1 if the attacker has compromised the kind of redundant component m so far, and 0 otherwise (where m ∈ M_f, f ∈ F)
z_md: 1 if the attacker has compromised the kind of defensive mechanism d of the kind of redundant component m so far, and 0 otherwise (where d ∈ D_m, m ∈ M_f, f ∈ F)
x_p: 1 if path p is selected as the attack path, and 0 otherwise (where p ∈ P_w, w ∈ W)


Objective

(IP 1)

, , ,

ˆ ˆ1 1max minim m imd md

f m

if im m m m imd md md mdy z y z i N f F m M d D

y z a c y z a c

Attack cost for compromising all extra defense mechanisms protecting a redundant component

Attack cost for really compromising a redundant component


Subject to

(IP 1.1)

(IP 1.2)

(IP 1.3)

(IP 1.4)

(IP 1.5)

(IP 1.6)

(IP 1.7)

w

p pi ip P

x y

1

w

pp P

x

imd imR R

,i N w W

w W

,wp P w W

i N

, , ,f mi N m M f F d D

, ,fi N m M f F

, , ,f mi N m M f F d D

0 1px or0 1iy or

0 1imR or

0 1imdR or


Subject to (cont’d)

(IP 1.8)

(IP 1.9)

(IP 1.10)

(IP 1.11)

(IP 1.12)

(IP 1.13), , ,f mi N m M f F d D

, ,fi N m M f F

, , ,f mi N m M f F d D

imd imdy R

m m

im imd imdd D d D

y R y

, , ,f mi N m M f F d D

,i U f F

0 1imdy or

0 1imy or

f

i imm M

y y

f f

i im imm M m M

y R y

,i T f F


Subject to (cont’d)

(IP 1.14)

(IP 1.15)

(IP 1.16)

(IP 1.17)

(IP 1.18)

(IP 1.19)

, ,fi N m M f F

, , ,f mi N m M f F d D

1i im my y z

1im imd mdy y z

,fm M f F

, ,f mm M f F d D

0 1mz or

0 1mdz or

m imi N

z y

md imdi N

z y

,fm M f F

, ,f mm M f F d D


Subject to (cont’d)

(IP 1.20)

(IP 1.21)

f

im mm M

R Q

f m

if im m imd mdi N f F m M d D

R c R c B

,i N f F

AEA Model (Attack with Experience Accumulation)

Given parameters

B: The total defensive budgetary limitation
N: The index set of all nodes in the network
T: The index set of all core nodes in the network
U: The index set of all non-core nodes in the network
F: The index set of all functions provided by the nodes in the network
M_f: The index set of all redundant components which can be selected to provide the same main function f, where f ∈ F
W: The index set of all Origin-Destination (O-D) pairs, where the origin is node s and the destination is the core node t, where t ∈ T

Given parameters (cont’d)

P_w: The index set of all candidate paths of an O-D pair w, where w ∈ W
D_m: The index set of all extra defensive mechanisms available for the kind of redundant component m, where m ∈ M_f, f ∈ F
σ_if: The indicator function, which is 1 if node i provides function f, and 0 otherwise (where i ∈ N, f ∈ F)
δ_pi: The indicator function, which is 1 if node i is on the path p, and 0 otherwise (where i ∈ N, p ∈ P_w, w ∈ W)

Given parameters (cont’d)

c_m: The cost of the kind of redundant component m, where m ∈ M_f, f ∈ F
â_m(c_m): The threshold of the attack cost required to compromise the kind of redundant component m, where m ∈ M_f, f ∈ F
c_md: The cost of the defensive mechanism d of the kind of redundant component m, where d ∈ D_m, m ∈ M_f, f ∈ F
â_md(c_md): The threshold of the attack cost required to compromise the defensive mechanism d of the kind of redundant component m, where d ∈ D_m, m ∈ M_f, f ∈ F

Given parameters (cont’d)

R_im: 1 if the redundant component m is allocated in node i, and 0 otherwise (where m ∈ M_f, f ∈ F, i ∈ N)
R_imd: 1 if the defensive mechanism d of redundant component m is allocated in node i, and 0 otherwise (where d ∈ D_m, m ∈ M_f, f ∈ F, i ∈ N)

Decision variables

y_i: 1 if node i is compromised, and 0 otherwise (where i ∈ N)
y_im: 1 if the redundant component m in node i is compromised, and 0 otherwise (where m ∈ M_f, f ∈ F, i ∈ N)
y_imd: 1 if the defensive mechanism d of redundant component m in node i is compromised, and 0 otherwise (where d ∈ D_m, m ∈ M_f, f ∈ F, i ∈ N)

Decision variables (cont’d)

z_m: 1 if the attacker has compromised the kind of redundant component m so far, and 0 otherwise (where m ∈ M_f, f ∈ F)
z_md: 1 if the attacker has compromised the kind of defensive mechanism d of the kind of redundant component m so far, and 0 otherwise (where d ∈ D_m, m ∈ M_f, f ∈ F)
x_p: 1 if path p is selected as the attack path, and 0 otherwise (where p ∈ P_w, w ∈ W)


Objective

(IP 2)

, , ,

ˆ ˆ1 1minim m imd md

f m

if im m m m imd md md mdy z y z i N f F m M d D

y z a c y z a c


Subject to

(IP 2.1)

(IP 2.2)

(IP 2.3)

(IP 2.4)

1w

pp P

x

,i N w W

w W

,wp P w W

i N

0 1px or0 1iy or

w

p pi ip P

x y


Subject to (cont’d)

(IP 2.5)

(IP 2.6)

(IP 2.7)

(IP 2.8)

(IP 2.9)

(IP 2.10), , ,f mi N m M f F d D

, ,fi N m M f F

, , ,f mi N m M f F d D

imd imdy R

m m

im imd imdd D d D

y R y

, , ,f mi N m M f F d D

,i U f F

0 1imdy or

0 1imy or

f

i imm M

y y

f f

i im imm M m M

y R y

,i T f F


Subject to (cont’d)

(IP 2.11)

(IP 2.12)

(IP 2.13)

(IP 2.14)

(IP 2.15)

(IP 2.16)

, ,fi N m M f F

, , ,f mi N m M f F d D

1i im my y z

1im imd mdy y z

,fm M f F

, ,f mm M f F d D

0 1mz or

0 1mdz or

m imi N

z y

md imdi N

z y

,fm M f F

, ,f mm M f F d D


Lagrangean Relaxation

We turn the primal problem (IP 2) into the Lagrangean relaxation problem (LR 1) by relaxing the constraints (IP 2.1), (IP 2.5), (IP 2.6), (IP 2.7), (IP 2.8), (IP 2.11), (IP 2.12), (IP 2.13), and (IP 2.14).


Optimization problem (LR 1)

Only μ3 is non-restricted, and all the other multipliers are non-negative.

1 2 3 4 5 6 7 8 9

, , ,

1 2 3

( , , , , , , , , )

ˆ ˆ1 1minim m imd md

f m

w f m f

D

if im m m m imd md md mdy z y z i N f F m M d D

iw p pi i if ifmd imd imd if if i imi N w W p P i N f F m M d D f F m M

Z

y z a c y z a c

x y y R y y

4 5 6

7 8

1f f f m m f

f f m

i U

if if i im im if ifm im imd imd if ifm i im mi T f F m M m M i N f F m M d D d D i N f F m M

mf m if im if ifmd imm M f F i N i N f F m M d D

y R y y R y y y z

z y y

91f m

imd md mfd md if imdm M f F d D i N

y z z y


Subject to

(LR 1.1)

(LR 1.2)

(LR 1.3)

(LR 1.4)

(LR 1.5)

(LR 1.6)

(LR 1.7)

1w

pp P

x

w W

,wp P w W

i N

, , ,f mi N m M f F d D

, ,fi N m M f F

, ,f mm M f F d D

0 1px or

0 1iy or

0 1imy or

0 1imdy or

0 1mz or

0 1mdz or

,fm M f F

Decomposition

- Subproblem 1.1 (related to decision variable x_p)
- Subproblem 1.2 (related to decision variable y_i)
- Subproblem 1.3 (related to decision variables y_im, z_m)
- Subproblem 1.4 (related to decision variables y_imd, z_md)

Subproblem 1.1 (related to decision variable x_p)

(Sub 1.1)

Subject to:

11.1 1( ) min

w

Sub iw p pii N w W p P

Z x

(Sub 1.1.1)

(Sub 1.1.2)

1w

pp P

x

0 1px or ,wp P w W

w W

Subproblem 1.2 (related to decision variable y_i)

(Sub 1.2)

Subject to

(Sub 1.2.1)0 1iy or i N

1.2 1 3 4 6

1 3

4 6

( , , , )

min

f f

sub

iw i if if ii N w W i U f F

if if i im if ifm ii T f F m M i N f F m M

Z

y y

y R y

Subproblem 1.3 (related to decision variables y_im, z_m)

(Sub 1.3)

Subject to(Sub 1.3.1)

(Sub 1.3.2)

0 1imy or , ,fi N m M f F 0 1mz or ,fm M f F

1.3 3 4 5 6 7 8

3 4

5 6

( , , , , , )

ˆ ˆminf f

f f

f m f

sub

if im m m if im m m mi N f F m M i N f F m M

if if im if if imi U f F m M i T f F m M

if ifm im imd if ifm imi N f F m M d D i N f F m M

if ifmf F

Z

y a c y z a c

y y

y R y

6 7

7 8

f f

f f m

m mf mi N m M m M f F

mf if im if ifmd imm M f F i N i N f F m M d D

z z

y y

Subproblem 1.4 (related to decision variables y_imd, z_md)

(Sub 1.4)

Subject to(Sub 1.4.1)

(Sub 1.4.2)

0 1imdy or , , ,f mi N m M f F d D 0 1mdz or , ,f mm M f F d D

1.4 2 5 8 9

2 5

8

( , , , )

ˆ ˆminf m f m

f m f m

f m

sub

if imd md md if imd md md mdi N f F m M d D i N f F m M d D

if ifmd imd if ifm imdi N f F m M d D i N f F m M d D

if ifmd imd if ifmdi N f F m M d D f F

Z

y a c y z a c

y y

y

8

9 9

f m

f m f m

mdi N m M d D

mfd md mfd if imdm M f F d D m M f F d D i N

z

z y

Heuristics for Getting Primal Feasible Solutions

Step 1
The defender initializes a network that conforms to all the related constraints.
- Defense Budget (B)
- Functions of nodes
- Service continuity requirement (α)

Heuristics for Getting Primal Feasible Solutions (cont’d)

Step 1.1
Build a tree from node s to all core nodes by using Dijkstra’s algorithm.

Step 1.2
Allocate redundant components to the nodes on the tree.

Heuristics for Getting Primal Feasible Solutions (cont’d)

Step 1.2
- Step 1.2.1: Allocate the combinations of the most expensive redundant components to core nodes with different functions.
- Step 1.2.2: Allocate the combinations of the redundant components with the second-highest price level to the non-core nodes 1 hop away from node s.
- Step 1.2.3: Allocate the combinations of the redundant components with the third-highest price level to the non-core nodes 1 hop away from the core nodes.
- Step 1.2.4: Allocate the redundant components that were not used in the above steps to the remaining non-core nodes.

Heuristics for Getting Primal Feasible Solutions (cont’d)

Step 1.3
Considering the diversity, allocate the cheapest combinations of redundant components to the remaining non-core nodes that are not on the tree.

Heuristics for Getting Primal Feasible Solutions (cont’d)

Step 1.4
Allocate corresponding defense mechanisms for protecting redundant components to the nodes.
- Consider the diversity.
- Follow the order used in the above steps.
  - The nodes on the tree
    - The core nodes
    - The non-core nodes 1 hop away from node s
    - The non-core nodes 1 hop away from the core nodes
    - The remaining non-core nodes
  - The other nodes

Heuristics for Getting Primal Feasible Solutions (cont’d)

Step 2
The attacker decides the initial attack tree according to the results of solving Sub 1.1.

Step 3
Compromise all core nodes, i.e., compromise all redundant components with defense mechanisms within them.

Step 4
According to the results of Step 2 and Step 3, the attacker decides which redundant components (with defense mechanisms) to compromise in the non-core nodes that belong to the initial attack tree.

Another Heuristic for Getting Primal Feasible Solutions

Step 1
The defender initializes a network just as mentioned before.

Step 2
Let all the core nodes be compromised.

Another Heuristic for Getting Primal Feasible Solutions (cont’d)

Step 3
Set a weight for each non-core node. The weight includes three parts:
- μ3 of subproblem 1.2
- The expected value of attack cost for each non-core node
- Each non-core node’s importance of connection

Another Heuristic for Getting Primal Feasible Solutions (cont’d)

The expected value of attack cost for each non-core node
[Figure: three items labeled Attack cost = 10, Frequency = 5; Attack cost = 3, Frequency = 6; Attack cost = 12, Frequency = 4]
Exp(Attack cost) = 10/5 + 3/6 + 12/4 = 5.5

Each non-core node’s importance of connection
[Figure: hop counts labeled 2, 2, 2, 1, 3]
Total hops = 2+1+2+3+2 = 9

Another Heuristic for Getting Primal Feasible Solutions (cont’d)

Step 4
From each core node, build up an attack path to the starting node s.
- Choose a direct neighbor node with the smallest weight to compromise each time.
- If there is a compromised node among the direct neighbors, reuse it as a hop site.
- If a neighbor node includes the kinds of redundant components or defense mechanisms that have been compromised before, their attack costs are then set to 0.

Problems

How to properly set those given parameters?
- The number of different functions
- The sizes of
  - redundant component choice set
  - defense mechanism choice set
- The relation between c_m, â_m(c_m), and Q_m
- The relation between c_md and â_md(c_md)

Thanks for listening!