Upload
gwenda-charles
View
224
Download
1
Embed Size (px)
Citation preview
Redundancy and Defense Resource Allocation Algorithms to Assure Service Continuityagainst Natural Disasters and Intelligent Attackers
Advisor: Professor Frank Y.S. LinRay J.P. Lo 駱睿斌
考量自然災害與智慧型攻擊下確保服務持續性之冗餘及防禦資源配置演算法
112/04/21 NTU IM OPLab 2
Agenda
Introduction Problem Formulation Lagrangean Relaxation
Decomposition Heuristics for Getting Primal Feasible
Solutions
Problems
112/04/21 NTU IM OPLab 3
Agenda
Introduction Problem Formulation Lagrangean Relaxation
Decomposition Heuristics for Getting Primal Feasible
Solutions
Problems
112/04/21 NTU IM OPLab 5
Scenario
Considering a network consisted of AS-level nodes: Just one kind of specified function is
provided by each node. The plan about which node providing what
kind of function is predefined and consistent.
Multiple core nodes
112/04/21 NTU IM OPLab 6
Defender
The defender hopes to enhance the survivability of whole network by exploiting unified purchase to implement redundancy allocation. There is a product list that is known by
both the defender and the attacker.
112/04/21 NTU IM OPLab 7
Defender (cont’d)Redundant Component Choice Sets of Different Functions
Defense Mechanism Choice Sets of
Different Redundant Components
112/04/21 NTU IM OPLab 8
Attacker The attacker also has the perfect
knowledge about this target network. The topology of the network The allocation of redundant components and
defense mechanisms in each node
Extreme experience accumulation The attacker’s final goal is minimizing the
total attack cost of compromising all core nodes by choosing proper nodes to compromise.
112/04/21 NTU IM OPLab 9
Scenario
S
C C
S
C C
112/04/21 NTU IM OPLab 10
S
Scenario
S
CS
CS
S
CS
C
prefer
S
C C
112/04/21 NTU IM OPLab 11
Agenda
Introduction Problem Formulation Lagrangean Relaxation
Decomposition Heuristics for Getting Primal Feasible
Solutions
Problems
112/04/21 NTU IM OPLab 12
Assumption Every node in this network is at AS-level. No attack on links is considered. Both the defender and the attacker have
perfect knowledge about this network. Each node in the network must provide just one
kind of predefined function. The defender has limitation of total defense
budget. The requirement of service availability
threshold, which defines the minimum expected number of redundant components for every node, must be satisfied.
112/04/21 NTU IM OPLab 13
Assumption (cont’d) All kinds of redundant components in a
choice set provide identical main function.
Other than providing the main function, all kinds of redundant components also have little basic defensive ability.
All redundant components are in hot-standby state.
All compromised redundant components are never repaired.
112/04/21 NTU IM OPLab 14
Assumption (cont’d)
There are several extra defense mechanisms available for further protecting each kind of redundant component.
The defender must decide which extra defense mechanisms to deploy for protecting a redundant component when allocating a redundant component in a node.
112/04/21 NTU IM OPLab 15
Assumption (cont’d) A node is subject to attack only if a path exists
from node s to that node, and all the intermediate nodes on the path have been compromised.
The attacker will compromise just one redundant component, the primary one, in non-core nodes for penetrating, and compromise all redundant components in core nodes for whole dysfunction. A non-core node is compromised if one of redundant
components allocated in it has been compromised. A core node is compromised if and only if all
redundant components allocated in it have been compromised.
112/04/21 NTU IM OPLab 16
Assumption (cont’d) While attempting to compromise a non-core
node, the attacker can always arbitrarily choose the redundant component with most advantage for minimizing total attack cost to compromise.
A redundant component is subject to attack only if all extra defense mechanisms allocated to protect it have been compromised.
The probability that a redundant component operates properly is independent of whether extra defense mechanisms are deployed to it.
112/04/21 NTU IM OPLab 17
Assumption (cont’d) If the attacker has compromised the extra defense
mechanism d of redundant component m once, he/she then learned some effective skills or developed some powerful hacker tools to deal with this kind of defensive mechanism d of redundant component m. Hence, the attacker can compromise the same kind of
defensive mechanism d of the same kind of redundant component m without spending any cost afterward.
According to the same reason mentioned above, the attacker can compromise any kind of redundant component which he/she has ever compromised without spending any cost.
112/04/21 NTU IM OPLab 18
Given
The Core nodes The initial position of attacker The topology and size of the network The total defense budget The service availability threshold for
all nodes in the network The predefined function of each node
112/04/21 NTU IM OPLab 19
Given (cont’d) The redundant component choice set of each kind
of function The defense mechanism choice set of each kind of
redundant component The cost of each kind of redundant component The cost of each kind of extra defense mechanism
available for each kind of redundant component The threshold of compromising each kind of
redundant component The threshold of compromising each kind of extra
defense mechanism available for each kind of redundant component
The probability of each kind of redundant component operating properly
112/04/21 NTU IM OPLab 20
Objective To maximize the minimized total attack
cost Subjected to
The total cost spending on allocating redundant components and extra defense mechanisms must be no more than the limitation of total defense budget.
The expected number of redundant components in each node must be no less than the service availability threshold.
The node to be attacked must be connected to the existing attack tree.
112/04/21 NTU IM OPLab 21
To determine
Defender Which redundant components and extra
defense mechanisms in which nodes to allocate
Attacker Which redundant components and extra
defense mechanisms in which nodes to compromise
RAP-EDM Model(Redundancy Allocation Problem with Extra Defense Mechanisms)
112/04/21 NTU IM OPLab 23
Given parameters B The total defensive budgetary limitation
N The index set of all nodes in the network
T The index set of all core nodes in the network
U The index set of all non-core nodes in the network
F The index set of all functions provided by the nodes in the network
Mf
The index set of all redundant components which can be selected to provide the same main function f, where f F
WThe index set of all Origin-Destination (O-D) pairs, where the origin is node s and the destination is the core node t, where t T
112/04/21 NTU IM OPLab 24
Given parameters (cont’d)
PwThe index set of all candidate paths of an O-D pair w, where w W
Dm
The index set of all extra defensive mechanisms available for the kind of redundant component m, where m Mf, f F
α The threshold of service availability assurance that defines the minimum expected number of
redundant components for every node
σifThe indicator function, which is 1 if node i provides function f, and 0 otherwise (where i N, f F)
δpi
The indicator function, which is 1 if node i is on the
path p, and 0 otherwise (where i N, p Pw, w W)
112/04/21 NTU IM OPLab 25
Given parameters (cont’d)
cmThe cost of the kind of redundant component m, where m Mf, f F
m(cm)
The threshold of the attack cost required to compromise the kind of redundant component m, where m Mf, f F
Qm The probability of the kind of redundant component m that operates properly, where m Mf, f F
a
112/04/21 NTU IM OPLab 26
Given parameters (cont’d)
cmd
The cost of the defensive mechanism d of the kind of redundant component m, where d Dm, m Mf, f F
md(cmd)
The threshold of the attack cost required to compromise the defensive mechanism d of the kind of redundant component m, where d Dm, m Mf, f F
a
112/04/21 NTU IM OPLab 27
Decision variables
Rim 1 if the redundant component m is allocated in node i, and 0 otherwise (where m Mf, f F, i N)
Rimd
1 if the defensive mechanism d of redundant component m is allocated in node i, and 0 otherwise (where d Dm, m Mf, f F, i N)
yi 1 if node i is compromised, and 0 otherwise (where i N)
yim 1 if the redundant component m in node i is compromised, and 0 otherwise (where m Mf, f F, i N)
yimd 1 if the defensive mechanism d of redundant component m in node i is compromised, and 0 otherwise (where d Dm, m Mf, f F, i N)
112/04/21 NTU IM OPLab 28
Decision variables (cont’d)
zm
1 if the attacker has compromised the kind of redundant component m so far, and 0 otherwise (where m Mf, f F)
zmd
1 if the attacker has compromised the kind of defensive mechanism d of the kind of redundant component m so far, and 0 otherwise (where d Dm, m Mf, f F)
xp1 if path p is selected as the attack path, and 0 otherwise (where p Pw, w W)
112/04/21 NTU IM OPLab 29
Objective
(IP 1)
, , ,
ˆ ˆ1 1max minim m imd md
f m
if im m m m imd md md mdy z y z i N f F m M d D
y z a c y z a c
Attack cost for compromising all extra defense mechanisms protecting a redundant component
Attack cost for really compromising a redundant component
112/04/21 NTU IM OPLab 30
Subject to
(IP 1.1)
(IP 1.2)
(IP 1.3)
(IP 1.4)
(IP 1.5)
(IP 1.6)
(IP 1.7)
w
p pi ip P
x y
1
w
pp P
x
imd imR R
,i N w W
w W
,wp P w W
i N
, , ,f mi N m M f F d D
, ,fi N m M f F
, , ,f mi N m M f F d D
0 1px or0 1iy or
0 1imR or
0 1imdR or
112/04/21 NTU IM OPLab 31
Subject to (cont’d)
(IP 1.8)
(IP 1.9)
(IP 1.10)
(IP 1.11)
(IP 1.12)
(IP 1.13), , ,f mi N m M f F d D
, ,fi N m M f F
, , ,f mi N m M f F d D
imd imdy R
m m
im imd imdd D d D
y R y
, , ,f mi N m M f F d D
,i U f F
0 1imdy or
0 1imy or
f
i imm M
y y
f f
i im imm M m M
y R y
,i T f F
112/04/21 NTU IM OPLab 32
Subject to (cont’d)
(IP 1.14)
(IP 1.15)
(IP 1.16)
(IP 1.17)
(IP 1.18)
(IP 1.19)
, ,fi N m M f F
, , ,f mi N m M f F d D
1i im my y z
1im imd mdy y z
,fm M f F
, ,f mm M f F d D
0 1mz or
0 1mdz or
m imi N
z y
md imdi N
z y
,fm M f F
, ,f mm M f F d D
112/04/21 NTU IM OPLab 33
Subject to (cont’d)
(IP 1.20)
(IP 1.21)
f
im mm M
R Q
f m
if im m imd mdi N f F m M d D
R c R c B
,i N f F
AEA Model(Attack with Experience Accumulation)
112/04/21 NTU IM OPLab 35
Given parameters B The total defensive budgetary limitation
N The index set of all nodes in the network
T The index set of all core nodes in the network
U The index set of all non-core nodes in the network
F The index set of all functions provided by the nodes in the network
Mf
The index set of all redundant components which can be selected to provide the same main function f, where f F
WThe index set of all Origin-Destination (O-D) pairs, where the origin is node s and the destination is the core node t, where t T
112/04/21 NTU IM OPLab 36
Given parameters (cont’d)
PwThe index set of all candidate paths of an O-D pair w, where w W
Dm
The index set of all extra defensive mechanisms available for the kind of redundant component m, where m Mf, f F
σifThe indicator function, which is 1 if node i provides function f, and 0 otherwise (where i N, f F)
δpi
The indicator function, which is 1 if node i is on the
path p, and 0 otherwise (where i N, p Pw, w W)
112/04/21 NTU IM OPLab 37
Given parameters (cont’d)
cmThe cost of the kind of redundant component m, where m Mf, f F
m(cm)
The threshold of the attack cost required to compromise the kind of redundant component m, where m Mf, f F
cmd
The cost of the defensive mechanism d of the kind of redundant component m, where d Dm, m Mf, f F
md(cmd)
The threshold of the attack cost required to compromise the defensive mechanism d of the kind of redundant component m, where d Dm, m Mf, f F
a
a
112/04/21 NTU IM OPLab 38
Given parameters (cont’d)
Rim 1 if the redundant component m is allocated in node i, and 0 otherwise (where m Mf, f F, i N)
Rimd
1 if the defensive mechanism d of redundant component m is allocated in node i, and 0 otherwise (where d Dm, m Mf, f F, i N)
112/04/21 NTU IM OPLab 39
Decision variables
yi 1 if node i is compromised, and 0 otherwise (where i N)
yim 1 if the redundant component m in node i is compromised, and 0 otherwise (where m Mf, f F, i N)
yimd 1 if the defensive mechanism d of redundant component m in node i is compromised, and 0 otherwise (where d Dm, m Mf, f F, i N)
112/04/21 NTU IM OPLab 40
Decision variables (cont’d)
zm
1 if the attacker has compromised the kind of redundant component m so far, and 0 otherwise (where m Mf, f F)
zmd
1 if the attacker has compromised the kind of defensive mechanism d of the kind of redundant component m so far, and 0 otherwise (where d Dm, m Mf, f F)
xp1 if path p is selected as the attack path, and 0 otherwise (where p Pw, w W)
112/04/21 NTU IM OPLab 41
Objective
(IP 2)
, , ,
ˆ ˆ1 1minim m imd md
f m
if im m m m imd md md mdy z y z i N f F m M d D
y z a c y z a c
112/04/21 NTU IM OPLab 42
Subject to
(IP 2.1)
(IP 2.2)
(IP 2.3)
(IP 2.4)
1w
pp P
x
,i N w W
w W
,wp P w W
i N
0 1px or0 1iy or
w
p pi ip P
x y
112/04/21 NTU IM OPLab 43
Subject to (cont’d)
(IP 2.5)
(IP 2.6)
(IP 2.7)
(IP 2.8)
(IP 2.9)
(IP 2.10), , ,f mi N m M f F d D
, ,fi N m M f F
, , ,f mi N m M f F d D
imd imdy R
m m
im imd imdd D d D
y R y
, , ,f mi N m M f F d D
,i U f F
0 1imdy or
0 1imy or
f
i imm M
y y
f f
i im imm M m M
y R y
,i T f F
112/04/21 NTU IM OPLab 44
Subject to (cont’d)
(IP 2.11)
(IP 2.12)
(IP 2.13)
(IP 2.14)
(IP 2.15)
(IP 2.16)
, ,fi N m M f F
, , ,f mi N m M f F d D
1i im my y z
1im imd mdy y z
,fm M f F
, ,f mm M f F d D
0 1mz or
0 1mdz or
m imi N
z y
md imdi N
z y
,fm M f F
, ,f mm M f F d D
112/04/21 NTU IM OPLab 45
Agenda
Introduction Scenario Problem Formulation Lagrangean Relaxation
Decomposition Heuristics for Getting Primal Feasible
Solutions
Problems
112/04/21 NTU IM OPLab 46
Lagrangean Relaxation
We turn the primal problem (IP 2) into the Lagrangean relaxation problem (LR 1) by relaxing the constraints (IP 2.1), (IP 2.5), (IP 2.6), (IP 2.7), (IP 2.8), (IP 2.11), (IP 2.12), (IP 2.13), and (IP 2.14).
112/04/21 NTU IM OPLab 47
Optimization problem (LR 1)
Only μ3 is non-restricted, and all the other multipliers are non-negative.
1 2 3 4 5 6 7 8 9
, , ,
1 2 3
( , , , , , , , , )
ˆ ˆ1 1minim m imd md
f m
w f m f
D
if im m m m imd md md mdy z y z i N f F m M d D
iw p pi i if ifmd imd imd if if i imi N w W p P i N f F m M d D f F m M
Z
y z a c y z a c
x y y R y y
4 5 6
7 8
1f f f m m f
f f m
i U
if if i im im if ifm im imd imd if ifm i im mi T f F m M m M i N f F m M d D d D i N f F m M
mf m if im if ifmd imm M f F i N i N f F m M d D
y R y y R y y y z
z y y
91f m
imd md mfd md if imdm M f F d D i N
y z z y
112/04/21 NTU IM OPLab 48
Subject to
(LR 1.1)
(LR 1.2)
(LR 1.3)
(LR 1.4)
(LR 1.5)
(LR 1.6)
(LR 1.7)
1w
pp P
x
w W
,wp P w W
i N
, , ,f mi N m M f F d D
, ,fi N m M f F
, ,f mm M f F d D
0 1px or
0 1iy or
0 1imy or
0 1imdy or
0 1mz or
0 1mdz or
,fm M f F
112/04/21 NTU IM OPLab 49
Decomposition
Subproblem 1.1 (related to decision variable xp)
Subproblem 1.2 (related to decision variable yi)
Subproblem 1.3(related to decision variable yim, zm)
Subproblem 1.4 (related to decision variable yimd, zmd)
112/04/21 NTU IM OPLab 50
Subproblem 1.1 (related to decision variable xp)
(Sub 1.1)
Subject to:
11.1 1( ) min
w
Sub iw p pii N w W p P
Z x
(Sub 1.1.1)
(Sub 1.1.2)
1w
pp P
x
0 1px or ,wp P w W
w W
112/04/21 NTU IM OPLab 51
Subproblem 1.2 (related to decision variable yi)
(Sub 1.2)
Subject to
(Sub 1.2.1)0 1iy or i N
1.2 1 3 4 6
1 3
4 6
( , , , )
min
f f
sub
iw i if if ii N w W i U f F
if if i im if ifm ii T f F m M i N f F m M
Z
y y
y R y
112/04/21 NTU IM OPLab 52
Subproblem 1.3(related to decision variable yim, zm)
(Sub 1.3)
Subject to(Sub 1.3.1)
(Sub 1.3.2)
0 1imy or , ,fi N m M f F 0 1mz or ,fm M f F
1.3 3 4 5 6 7 8
3 4
5 6
( , , , , , )
ˆ ˆminf f
f f
f m f
sub
if im m m if im m m mi N f F m M i N f F m M
if if im if if imi U f F m M i T f F m M
if ifm im imd if ifm imi N f F m M d D i N f F m M
if ifmf F
Z
y a c y z a c
y y
y R y
6 7
7 8
f f
f f m
m mf mi N m M m M f F
mf if im if ifmd imm M f F i N i N f F m M d D
z z
y y
112/04/21 NTU IM OPLab 53
Subproblem 1.4 (related to decision variable yimd, zmd)
(Sub 1.4)
Subject to(Sub 1.4.1)
(Sub 1.4.2)
0 1imdy or , , ,f mi N m M f F d D 0 1mdz or , ,f mm M f F d D
1.4 2 5 8 9
2 5
8
( , , , )
ˆ ˆminf m f m
f m f m
f m
sub
if imd md md if imd md md mdi N f F m M d D i N f F m M d D
if ifmd imd if ifm imdi N f F m M d D i N f F m M d D
if ifmd imd if ifmdi N f F m M d D f F
Z
y a c y z a c
y y
y
8
9 9
f m
f m f m
mdi N m M d D
mfd md mfd if imdm M f F d D m M f F d D i N
z
z y
112/04/21 NTU IM OPLab 54
Agenda
Introduction Scenario Problem Formulation Lagrangean Relaxation
Decomposition Heuristics for Getting Primal Feasible
Solutions
Problems
112/04/21 NTU IM OPLab 55
Heuristics for Getting Primal Feasible Solutions
Step 1 The defender initializes a network that
conforms to all the related constraints. Defense Budget (B) Functions of nodes Service continuity requirement (α)
112/04/21 NTU IM OPLab 56
Heuristics for Getting Primal Feasible Solutions (cont’d)
Step 1.1 Build a tree from node s to all core
nodes by using Dijkstra’s algorithm. Step 1.2
Allocate redundant components to the nodes on the tree.
112/04/21 NTU IM OPLab 57
Heuristics for Getting Primal Feasible Solutions (cont’d) Step 1.2
Step 1.2.1 Allocate the combinations of the most expensive
redundant components to different-functioned core nodes.
Step 1.2.2 Allocate the combinations of the redundant components
with the second high level price to 1 hop away non-core nodes from node s.
Step 1.2.3 Allocate the combinations of the redundant components
with the third high level price to 1 hop away non-core nodes from the core nodes.
Step 1.2.4 Allocate the redundant components that were not used
in the above steps to the remained non-core nodes.
112/04/21 NTU IM OPLab 58
Heuristics for Getting Primal Feasible Solutions (cont’d)
Step 1.3 Considering the diversity, allocate the
cheapest combinations of redundant components to the remained non-core nodes that were not on the tree.
112/04/21 NTU IM OPLab 59
Heuristics for Getting Primal Feasible Solutions (cont’d)
Step 1.4 Allocate corresponding defense mechanisms for
protecting redundant components to the nodes. Consider the diversity. Follow the order used in the above steps.
The nodes on the tree The Core nodes The 1 hop away non-core nodes from node s The 1 hop away non-core nodes from the core
nodes The remained non-core nodes
The other nodes
Heuristics for Getting Primal Feasible Solutions (cont’d) Step 2
The attacker decides the initial attack tree according to the results of solving sub 1.1.
Step 3 Compromise all core nodes, i.e., compromise all
redundant components with defense mechanisms within them.
Step 4 According to the results of Step 2 and Step 3,
the attacker decides which redundant components (with defense mechanisms) to compromise in the non-core nodes that belong to the initial attack tree.
112/04/21 NTU IM OPLab 61
Another Heuristics for Getting Primal Feasible Solutions
Step 1 The defender initializes a network just
like we mentioned before.
Step 2 Let all the core nodes be compromised.
112/04/21 NTU IM OPLab 62
Another Heuristics for Getting Primal Feasible Solutions (cont’d)
Step 3 Set a weight for each non-core node,
and the weight includes three parts: μ3 of subproblem 1.2
The expected value of attack cost for each non-core node
Each non-core node’s importance of connection
Each non-core node’s importance of connection
The expected value of attack cost for each non-core node
Another Heuristics for Getting Primal Feasible Solutions (cont’d)
112/04/21 NTU IM OPLab 63
Attack cost = 10Frequency = 5
Attack cost = 3Frequency = 6
Attack cost= 12Frequency = 4
Exp(Attack cost) = 10/5 + 3/6 + 12/4 = 5.5
2
2
2
1
3
Total hops = 2+1+2+3+2 = 9
112/04/21 NTU IM OPLab 64
Another Heuristics for Getting Primal Feasible Solutions (cont’d)
Step 4 From each core node, build up an attack
path to the starting node s. Choose a direct neighbor node with
smallest weight to compromise each time. If there is a compromised node within direct
neighbors, reuse it as a hop site. If a neighbor node includes the kinds of
redundant components or defense mechanisms that have been compromised before, their attack cost are then set to 0.
112/04/21 NTU IM OPLab 65
Agenda
Introduction Scenario Problem Formulation Lagrangean Relaxation
Decomposition Heuristics for Getting Primal Feasible
Solution
Problems
112/04/21 NTU IM OPLab 66
Problems How to properly set those given
parameters? The number of different functions The sizes of
redundant component choice set defense mechanism choice set
The relation between cm, m(cm), and Qm
The relation between cmd and md(cmd)
aa
Thanks for your listening!