
Resource Allocation Strategies under Attack-Defense Dual-Role and Collaborative Attacks


Academic year: 2022



Graduate Institute of Information Management, College of Management

National Taiwan University Master Thesis

Resource Allocation Strategies under Attack-Defense Dual-Role and Collaborative Attacks

Ying-Ju Chen

Advisor: Frank Yeong-Sung Lin, Ph.D.

July, 2012


Acknowledgments

Looking back on two years of master's study, having completed a work that is uniquely my own and passed the final "Goblet of Fire" trial, I am sincerely grateful for the help of many people. First, my dear parents, Mr. 陳茂章 and Ms. 林蘭香: thank you for your support throughout my master's career; your endless care and understanding gave me the strength to persevere whenever my thesis hit a bottleneck. My dear grandmother, Ms. 林春妹, your expectations have always been my sweetest burden; I am grateful that at this moment I can make you proud, and I will keep working hard. My dear elder brother, Mr. 陳憲修, who always found ways to relieve the occasional gloom of my master's life: thank you for those stress-relieving moments of taking your little sister to exhibitions and cycling together. It is wonderful to have a big brother.

During these two years of study, I am sincerely grateful for the guidance of Professor 林永松 (Frank Yeong-Sung Lin). He never looked down on my slowness, always patiently answered the difficulties I encountered, and gave many valuable suggestions when my research hit a bottleneck; this help always led me back to the right path whenever I lost direction. What I learned most from him over these two years is the spirit of tireless research: facing a problem, beyond finding the most suitable method to solve it elegantly, one must in the process gradually cultivate keen observation and analyze the real meaning behind experimental results; by repeatedly redesigning experiments, running them, analyzing the results, and comparing, inferring and verifying again and again, one can finally offer a reasonable, scientifically valuable and contributing conclusion. This process tests not only professional knowledge but, more importantly, the student's endurance. The professor once told me, "A journey of a hundred miles is half done at ninety." I have kept this saying in my heart; I think it applies not only to research but is a lifelong reminder to keep moving forward. Professor Lin, thank you from the bottom of my heart!

I thank the members of my oral examination committee: Professor 呂俊賢 of the Department of Computer Science and Information Engineering, Fu Jen Catholic University; Professor 傅新彬 of the Department of Marketing and Distribution Management, National Kaohsiung First University of Science and Technology; Professor 莊東穎 of the Department of Computer Science and Information Engineering, National Taipei University; and Professor 鍾順平 of the Department of Electrical Engineering, National Taiwan University of Science and Technology. I am very grateful for the professional insights and valuable suggestions each of you gave on the day of the defense, which allowed me to make more substantial extensions and revisions to the experimental design and the writing of the thesis afterward. I benefited greatly. Thank you to all the committee members!


Most of all, I am grateful to my senior 霈語! All along the way she was at my side giving timely help; whenever I hit a bottleneck she always set aside ample time to discuss with me, and when I did not know how to solve a problem she would be the one whose single remark wakes the dreamer and makes everything clear. The further we went, the more I felt that she and I shared one fate: from the initial construction of the research problem scenario, the shaping of the model, the discussion of the mathematical formulas, the writing of the thesis draft, the experiment design and the analysis of the results, even to the rehearsal she ran with 怡如 and me before the oral defense so that our anxious hearts could settle. Without you, this journey could not have reached its end so smoothly. Thank you so much!

To my senior 猷順, thank you for always giving us pointers on so many matters so that our master's life could be worry-free, and for the pertinent advice and professional guidance you often gave when I was still exploring a research direction in my first year, which laid the foundation for the later in-depth development of my thesis research. I also thank my senior 明宗 for the care and help he gave to us younger members of the lab.

怡如, my best comrade-in-arms, thank you for discussing with me all along the way; through our mutual brainstorming, many problems encountered during the research were readily solved. 蕙宇, 育溥 and 棨翔, thank you for keeping each other company; the further we went, the deeper that bond grew. Thank you all for the warmth and laughter you gave me during these two years of the master's program; knowing you is one of the greatest rewards of my master's life, and every one of you is truly wonderful. I like you all! To my juniors 佳玲, 聿軒 and 端駿, thank you for joining the lab and for your everyday cuteness and thoughtfulness!

Finally, I sincerely thank and praise the One in my heart, who gave me strength in low moments, made me fearless, and made me believe that persistence would see this through; the gifts You gave me I receive with a grateful heart. What awaits me next is a new journey; I am grateful for everything in life, and the beautiful blueprint continues to be drawn and, one by one, realized!

Ying-Ju Chen, August 2012, Graduate Institute of Information Management, National Taiwan University


Abstract

Thesis title: Resource Allocation Strategies under Attack-Defense Dual-Role and Collaborative Attacks

Author: Ying-Ju Chen

Advisor: Frank Yeong-Sung Lin, Ph.D.

Past discussions of information security have mostly taken individuals or enterprises as the subject; however, the issue of information warfare between nations is now receiving growing attention, and the scope of information security extends to national defense. When a nation is the subject of a resource allocation strategy, besides fully deploying defense resources, resources also need to be allocated to attack. In traditional wars between nations there is the so-called preventive strike strategy and the opponent's corresponding retaliatory attack; moreover, when a nation launches information warfare its information experts can be called together, each performing their own role, unlike an ordinary cyber attack in which there is usually only one attacker. Therefore, bringing the above concepts into the research scenario, this study takes a nation as the subject, considers that a nation has the dual role of attack and defense and adopts a collaborative attack mode with multiple attackers, and aims to achieve national defense security by effectively allocating resources to defense and attack.

How to evaluate network survivability effectively is an important issue worth exploring. In this thesis we adopt the Average Degree of Disconnectivity (Average DOD) as the metric of network survivability. The Average DOD metric combines the concept of probability with the DOD metric to evaluate the degree of network damage; the larger its value, the higher the degree of damage to the network. In our scenario we consider two players, both having the dual-role ability of attack and defense; at the start neither knows its own network vulnerability information, and only after being attacked by the opponent does it update its vulnerability information and patch the vulnerabilities.


We simulate a multi-round network attack-defense scenario, build a mathematical model of optimal resource allocation, and evaluate each player's network survivability under the attack-defense scenario with the Average DOD metric. In each round, after updating information about the opponent's network, both players can allocate attack resources to nodes in the opponent's network to carry out collaborative attacks, and at the same time deploy defense resources through active and passive defense strategies; in every round they can also reallocate defense resources and repair nodes that have been compromised. In the solution process, the "gradient method" and "mathematical analysis" techniques are used to search for the optimal resource allocation decisions of both sides.

Keywords: Attack-Defense Dual-Role, Collaborative Attacks, Vulnerability Information Update, Average Degree of Disconnectivity, Network Survivability, Preventive Strike, Preventive-Strike Effect, Active Defense, Passive Defense, Gradient Method, Resource Allocation, Node Repair


THESIS ABSTRACT

THESIS TITLE: Resource Allocation Strategies under Attack-Defense Dual-Role and Collaborative Attacks

NAME: Ying-Ju Chen

ADVISOR: Yeong-Sung Lin, Ph.D.

In the past, individuals and enterprises were usually the main subjects in the area of information security. Now the issue of information warfare between nation-states is receiving much attention. When discussing resource allocation with a nation-state as the subject, in addition to the allocation of defense resources, the resources allocated to attack should also be considered. Historically, a preventive strike and the corresponding retaliation by the other nation-state have been common in wars between two nation-states.

In addition, there may be various information experts launching an attack together on behalf of a nation-state; this is called a collaborative attack, which differs from the situation of a single attacker in an ordinary cyber attack. Therefore, we consider two players that can attack and defend simultaneously and adopt the concept of collaborative attacks in our research model.

How to efficiently evaluate network survivability is an important issue worthy of discussion. In this thesis, the Average Degree of Disconnectivity (Average DOD) metric is adopted to measure network survivability. The Average DOD combines the concept of probability with the DOD metric to evaluate the damage degree of the network. The larger the Average DOD value, the higher the damage degree of the network. In our scenario, there are two players who have dual roles as an attacker and a defender; furthermore, neither of them knows the vulnerability information about its own network, although the counterpart knows some of it. Therefore, after being attacked, they update their vulnerability information and patch the vulnerabilities.

We develop a multi-round network attack-defense scenario and establish a mathematical model to optimize resource allocation, then predict each player's network survivability by the Average DOD. In each round, the players can allocate their attack resources to the nodes of their own network and of the other player's network after updating related information about the other player's network. Furthermore, they can reallocate existing defense resources and repair compromised nodes. To solve the problem, the "gradient method" and "game theory" are adopted to find the optimal resource allocation strategies for both players.

Keywords: Attack-Defense Dual-Role, Collaborative Attacks, Update Unknown Vulnerabilities Information, Average DOD, Network Survivability, Preventive Strike, After-Strike Effect, Active Defense, Passive Defense, Gradient Method, Resource Allocation, Repair Nodes


Contents

論文摘要 ... III

THESIS ABSTRACT ... V

List of Figures ... XIII

List of Tables ... XVII

Chapter1 Introduction ... 1

1.1 Background ... 1

1.2 Motivation... 9

1.3 Literature Survey ... 14

1.3.1 Defender’s and Attacker’s Behaviors ... 15

1.3.1.1 Proactive Defense and Reactive Defense ... 15

1.3.1.2 Preventive Strike ... 17

1.3.1.3 Collaborative Attacks ... 19

1.3.1.4 Summary ... 23

1.3.2 Network Survivability ... 23

1.4 Thesis Organization ... 28

Chapter2 Problem Description... 29

2.1 Degree of Disconnectivity ... 29

2.2 Contest Success Function ... 30

2.3 Average Degree of Disconnectivity ... 33

2.3.1 Illustration... 33

2.3.2 The Calculation Procedure of the Average DOD ... 38

2.4 Problem Description ... 39

2.4.1 Dual Role as a Defender ... 41

2.4.1.1 Defense Strategies ... 41

2.4.1.2 Resource Reallocation and Node Repairing ... 42

2.4.1.3 Updating Information: Unknown Vulnerabilities ... 43

2.4.2 Dual Role as an Attacker ... 44

2.4.2.1 Collaborative Attacks ... 44


2.4.2.2 Attack Strategies ... 47

2.4.2.3 Rewards ... 48

2.4.2.4 Updating Information: Unknown Vulnerabilities and Defender’s Private Information ... 48

2.4.3 Summary ... 50

2.5 Problem Assumption ... 52

2.6 Mathematical Formulation ... 55

Chapter3 Solution Approach ... 67

3.1 The Solution Procedure ... 68

3.2 The Calculation Method of Average DOD Value ... 69

3.2.1 Gradient Method ... 69

3.2.2 Using the Gradient Method to Find the Optimal Resource Allocation Strategy ... 71

3.2.3 Accelerating Calculation of the Average DOD Value ... 76

3.2.4 The Calculation of Average DOD Value in Multi-Round ... 78

3.3 Using Game Theory to Find the Optimal Solution ... 80

3.4 Time Complexity Analysis... 85

Chapter4 Computational Experiments... 91

4.1 Experiment Environment ... 91

4.2 Balanced Bipolarity ... 98

4.2.1 Complete and Incomplete Information ... 98

4.2.1.1 Complete Information ... 98

4.2.1.2 Incomplete Information ... 102

4.2.1.3 Conclusion ... 108

4.2.2 The Effect of PS Strategy ... 109

4.2.2.1 One Player takes PS Strategy ... 109

4.2.2.2 Two Players take PS Strategy ... 115

4.2.2.3 Conclusion ... 121

4.3 Unbalanced Bipolarity ... 122

4.3.1 Resource Allocation of Attack and Defense ... 122

4.3.1.1 Resource Allocation Ratio under Attack to Defense is 0.3: 0.7 ... 122

4.3.1.2 Resource Allocation Ratio under Attack to Defense is 0.5: 0.5 and 0.7: 0.3 ... 128

4.3.1.3 Conclusion ... 133


4.3.2 Insufficient Resource Allocation under Different Objectives ... 133

4.3.2.1 Experiment ... 134

4.3.2.2 Conclusion ... 139

4.4 Balanced Bipolarity vs. Unbalanced Bipolarity ... 140

4.4.1 Experiment ... 140

Chapter5 Conclusions and Future Work ... 153

5.1 Conclusions ... 153

5.2 Future Work ... 157

References ... 163

Appendix ... 171

Experiment 1: Adjusted PS Strategy ... 173

Experiment 2: Insufficient Resource Allocation ... 185

Experiment 3: Different Proportions of Attack to Defense Resource ... 187


List of Figures

Figure 1-1: Vulnerability Disclosures Growth by Year 1996-2011 H1 ... 2

Figure 1-2: Types of Attacks Experienced by Percent of Respondents ... 4

Figure 1-3: Costs of Cyber Attacks ... 6

Figure 1-4: Attacker Types and Techniques 2011 H1 ... 7

Figure 2-1: An Example of the Intact Network ... 34

Figure 2-2: The Allocated Resources on Each Node ... 34

Figure 2-3: The Attack Success Probability of Each Node ... 35

Figure 2-4: Two Players and Their Own Network Topologies ... 39

Figure 2-5: The Information Update of the Defender and the Attacker ... 50

Figure 3-1: The Solution Procedure of this Problem ... 68

Figure 3-2: The Solution Procedure to Find the Optimal Resource Allocation on Each Node ... 75

Figure 3-3: Calculating the Final Average DOD Value in Multi-Round ... 79

Figure 4-1: Grid Network ... 93

Figure 4-2: Random Network A ... 93

Figure 4-3: Random Network B ... 93

Figure 4-4: Scale-Free Network A ... 93

Figure 4-5: Scale-Free Network B ... 93

Figure 4-6: Comparing Results of Taking PS or Not in Network A (0.3, 0.7) ... 110

Figure 4-7: Comparing Results of Taking PS or Not in Network A (0.5, 0.5) ... 111

Figure 4-8: Comparing Results of Taking PS or Not in Network A (0.7, 0.3) ... 111

Figure 4-9: Comparing Results of Taking PS or Not in Network B (0.3, 0.7) ... 113


Figure 4-10: Comparing Results of Taking PS or Not in Network B (0.5, 0.5) ... 113

Figure 4-11: Comparing Results of Taking PS or Not in Network B (0.7, 0.3) ... 114

Figure 4-12: Comparing Results of Both Players not Taking PS Strategy with Both Players Respectively Taking PS Strategy in Network A (0.3, 0.7) ... 116

Figure 4-13: Comparing Results of Both Players not Taking PS Strategy with Both Players Respectively Taking PS Strategy in Network A (0.5, 0.5) ... 117

Figure 4-14: Comparing Results of Both Players not Taking PS Strategy with Both Players Respectively Taking PS Strategy in Network A (0.7, 0.3) ... 117

Figure 4-15: Comparing Results of Both Players not Taking PS Strategy with Both Players Respectively Taking PS Strategy in Network B (0.3, 0.7) ... 119

Figure 4-16: Comparing Results of Both Players not Taking PS Strategy with Both Players Respectively Taking PS Strategy in Network B (0.5, 0.5) ... 119

Figure 4-17: Comparing Results of Both Players not Taking PS Strategy with Both Players Respectively Taking PS Strategy in Network B (0.7, 0.3) ... 120

Figure 4-18: Experiment Results of Grid Network Topology (0.5, 0.5) ... 129

Figure 4-19: Experiment Results of Random Network Topology (0.5, 0.5) ... 130

Figure 4-20: Experiment Results of Scale-Free Network Topology (0.5, 0.5) ... 130

Figure 4-21: Experiment Results of Grid Network Topology (0.7, 0.3) ... 131

Figure 4-22: Experiment Results of Random Network Topology (0.7, 0.3) ... 132

Figure 4-23: Experiment Results of Scale-Free Network Topology (0.7, 0.3) ... 132

Figure 4-24: Comparing Results of Network A under Different Proportions of Attack to Defense Resource ... 135

Figure 4-25: Comparing Results of Network B under Different Proportions of Attack to Defense Resource ... 136

Figure 4-26: Comparing Results of Player B’s Achievement of Objective under Different Proportions of Attack to Defense Resource ... 138


Figure 4-27: Comparing Results of ADOD Values under Balanced Bipolarity and Unbalanced Bipolarity in Network A (0.3, 0.7) ... 141

Figure 4-28: Comparing Results of ADOD Values under Balanced Bipolarity and Unbalanced Bipolarity in Network A (0.5, 0.5) ... 141

Figure 4-29: Comparing Results of ADOD Values under Balanced Bipolarity and Unbalanced Bipolarity in Network A (0.7, 0.3) ... 142

Figure 4-30: Comparing Results of ADOD Values under Balanced Bipolarity and Unbalanced Bipolarity in Network B (0.3, 0.7) ... 142

Figure 4-31: Comparing Results of ADOD Values under Balanced Bipolarity and Unbalanced Bipolarity in Network B (0.5, 0.5) ... 143

Figure 4-32: Comparing Results of ADOD Values under Balanced Bipolarity and Unbalanced Bipolarity in Network B (0.7, 0.3) ... 143

Figure 4-33: Comparing Results of Player A’s Achievement of Objective under Balanced Bipolarity and Unbalanced Bipolarity (0.3, 0.7) ... 145

Figure 4-34: Comparing Results of Player A’s Achievement of Objective under Balanced Bipolarity and Unbalanced Bipolarity (0.5, 0.5) ... 146

Figure 4-35: Comparing Results of Player A’s Achievement of Objective under Balanced Bipolarity and Unbalanced Bipolarity (0.7, 0.3) ... 146

Figure 4-36: Comparing Results of Player B’s Achievement of Objective under Balanced Bipolarity and Unbalanced Bipolarity (0.3, 0.7) ... 147

Figure 4-37: Comparing Results of Player B’s Achievement of Objective under Balanced Bipolarity and Unbalanced Bipolarity (0.5, 0.5) ... 147

Figure 4-38: Comparing Results of Player B’s Achievement of Objective under Balanced Bipolarity and Unbalanced Bipolarity (0.7, 0.3) ... 148

Figure 4-39: Comparing Results of ADOD Values of Network A in Three Different Kinds of Network Topology under Balanced Bipolarity ... 150

Figure 4-40: Comparing Results of ADOD Values of Network A in Three Different Kinds of Network Topology under Unbalanced Bipolarity ... 150


Figure 4-41: Comparing Results of ADOD Values of Network B in Three Different Kinds of Network Topology under Balanced Bipolarity ... 151

Figure 4-42: Comparing Results of ADOD Values of Network B in Three Different kinds of Network Topology under Unbalanced Bipolarity ... 151

Figure A-1: Random Network A ... 171

Figure A-2: Random Network B ... 171

Figure A-3: Scale-Free Network A ... 172

Figure A-4: Scale-Free Network B ... 172

Figure A-5: Results of Taking Adjusted PS Strategy or Not in Network A (0.3, 0.7) ... 174

Figure A-6: Results of Taking Adjusted PS Strategy or Not in Network A (0.5, 0.5) ... 174

Figure A-7: Results of Taking Adjusted PS or Not in Network A (0.7, 0.3) ... 175

Figure A-8: Comparison between Previous PS and Adjusted PS of Network A (GD) ... 177

Figure A-9: Comparison between Previous PS and Adjusted PS of Network A (RD) ... 178

Figure A-10: Comparison between Previous PS and Adjusted PS of Network A (SF) ... 178

Figure A-11: Results of Taking Adjusted PS Strategy or Not in Network B (0.3, 0.7) ... 180

Figure A-12: Results of Taking Adjusted PS Strategy or Not in Network B (0.5, 0.5) ... 180

Figure A-13: Results of Taking Adjusted PS Strategy or Not in Network B (0.7, 0.3) ... 181

Figure A-14: Adjusted PS Strategy (GD) ... 183

Figure A-15: Adjusted PS Strategy (RD) ... 183

Figure A-16: Adjusted PS Strategy (SF) ... 184

Figure A-17: Results of the Achievement Ratio under Different Proportions of Attack to Defense Resource ... 186


List of Tables

Table 1-1: Types of Attacks Experienced by Percent of Respondents ... 5

Table 1-2: The Summary of the behaviors of the Attack-Defense Dual-Role ... 23

Table 1-3: The Summary of Survivability Definition ... 25

Table 2-1: The Definition of Contest Success Function ... 31

Table 2-2: The Impact Degree of Different Contest Intensities ... 32

Table 2-3: An Example about Calculating the Average DOD Value ... 37

Table 2-4: Problem Description ... 50

Table 2-5: Problem Assumption ... 52

Table 2-6: Given Parameters ... 56

Table 2-7: Decision Variables ... 59

Table 3-1: The Algorithm of the Gradient Method ... 70

Table 3-2: An Example of the Game Theory ... 82

Table 3-3: An Example of the Game Theory 2 ... 85

Table 4-1: Experiment Parameters Settings ... 97

Table 4-2: Optimal Strategies under the Proportion of Attack to Defense Resource is (0.3, 0.7) ... 99

Table 4-3: Optimal Strategies under the Proportion of Attack to Defense Resource is (0.5, 0.5) ... 100

Table 4-4: Optimal Strategies under the Proportion of Attack to Defense Resource is (0.7, 0.3) ... 100

Table 4-5: Optimal Strategies under the Proportion of Attack to Defense Resource is (0.3, 0.7) ... 103

Table 4-6: Optimal Strategies under the Proportion of Attack to Defense Resource is (0.5, 0.5) ... 103

Table 4-7: Optimal Strategies under the Proportion of Attack to Defense Resource is (0.7, 0.3) ... 104

Table 4-8: Optimal Strategies in Network A (0.7, 0.3) ... 106


Table 4-9: Optimal Strategies in Network B (0.7, 0.3) ... 107

Table 4-10: Optimal Strategies for Both Players in Network A (0.3, 0.7) ... 123

Table 4-11: Optimal Strategies for Both Players in Network B (0.3, 0.7) ... 127

Table 4-12: Optimal Strategies for Both Players in Network B (0.5, 0.5) ... 129

Table 4-13: Optimal Strategies for Both Players in Network B (0.7, 0.3) ... 131

Table A-1: Experiment Parameters Settings ... 172

Table A-2: Optimal Strategies for Both Players on Network A ... 187

Table A-3: Optimal Strategies for Both Players on Network B ... 188

Table A-4: Optimal Strategies for Both Players to Achieve their Objectives ... 189


Chapter 1 Introduction

1.1 Background

With the rise and flourishing of information technology, the Internet now plays an important role as a channel for communication and data exchange among individuals, organizations, and governments. It provides diverse and vivid applications such as e-mail, instant messaging, video conferencing, blogs, online shopping, etc. Nevertheless, behind the convenience it brings, emerging spam mail, viruses, malicious code, malware, etc. also have a great impact on and pose high risks to people's digital lives. Clearly, the importance of the Internet implies the significance of Internet security, especially with respect to security vulnerabilities.

The Integrated Network Vulnerability Scanning and Penetration Testing report by SAINT in 2009 [1] shows that there are several types of vulnerabilities, including buffer overflows, missing format strings, web application vulnerabilities, malicious content vulnerabilities, etc.


Network technology advances so rapidly that quality control of different computer systems and programs can hardly keep up with demand. The period between vulnerability disclosure and patch release therefore determines the window during which an attacker can target the security vulnerability. The IBM X-Force Mid-year Trend and Risk Report in 2011 [2] (Figure 1-1) indicates that about 58 percent of the vulnerabilities disclosed during the first half of 2011 had a remedy available on the same day they were publicly disclosed. On the other hand, about 37 percent had no remedy available, which however is a significant improvement from previous years: the number of unpatched vulnerabilities had not dropped below 44 percent of the total in over 5 years. The remaining 5 percent represent cases where a patch was made available some time after public disclosure of the vulnerability.

Figure 1-1: Vulnerability Disclosures Growth by Year 1996-2011 H1


According to the CSI Computer Crime and Security Survey presented in 2010 and 2011 [3], there are three major types of attacks: malware infection (67.1%), laptop/mobile device theft (33.5%), and phishing in which the respondent was represented as the sender (38.9%). We can also see in Figure 1-2 and Table 1-1 that the first two categories remain "winners" this year, but only malware is on the rise.


Figure 1-2: Types of Attacks Experienced by Percent of Respondents


Table 1-1: Types of Attacks Experienced by Percent of Respondents


However, since cyber attackers have accumulated experience, technologies, know-how, and resources over many years, the types of cyber attacks have changed a lot. As reported in the State of Security Survey conducted in April and May of 2011 by Symantec [4] (Figure 1-3), in Latin America, 20 percent of businesses incurred at least $181,220 in expenses from attacks within the last year. Based on the statistics, the three top costs of cyber attacks to business are: lost productivity (36%), lost revenue (22%), and costs to comply with regulations after an attack (18%). We can infer that the problem of cyber attacks is getting even worse today and should be of high concern.

Figure 1-3: Costs of Cyber Attacks

[Figure 1-3 is a bar chart of the percentage of respondents reporting each cost category, including lost productivity, lost revenue, costs to comply with regulations after an attack, loss of customer trust, regulatory fines, damaged brand reputation, loss of organization, customer or employee data, direct financial cost, reduced stock price, litigation costs, and "we don't know what was taken or impacted".]

As observed in the IBM X-Force Mid-year Trend and Risk Report in 2011 [2], we might notice that various attacker types and techniques have been thriving through these years (Figure 1-4). Some network attackers break into as many computer systems as possible regardless of where they are, while others target specific victim networks that attract their interest. Some botnet operators lack sophisticated technical skills and mostly know how to use a tool chest of exploit and malware kits they have purchased, while others work in well-organized, state-sponsored teams that discover new vulnerabilities and develop totally unprecedented attack techniques. Overall, external threats can be classified by the targets of their attacks as well as by how sophisticated their attacks are.

Figure 1-4: Attacker Types and Techniques 2011 H1

Among these attacker types, "cyberwar" is now a notable one; it is an Internet-based conflict involving politically motivated attacks on information and information systems. There are several reasons to mount a cyberwar: one is stealing secrets of military affairs, politics, diplomacy, technology, or business; another is pure destruction or terrorist attacks. The goal of the latter might be destroying political and military information systems or other essential national infrastructures, like electrical power grids, oil refineries, petroleum pipelines, traffic control systems, or financial security systems, in order to paralyze the opposing side's politics, military affairs, economics, or business operations and finally induce social fear and anxiety. As a matter of fact, information security issues have now been raised from the personal and organizational levels to the national level.

From the discussions and statistics above, we may gradually realize that with the increase in complexity, scale, and speed of networks, network performance under attacks, random failures, or accidents has become a great concern in the network security. The degree to which a system or a network is able to provide critical services under the pressure of various kinds of natural and artificial disasters is broadly defined as survivability. How to evaluate the survivability of a huge network can be viewed as an important issue. Therefore, this research is going to introduce the definitions and measures of network survivability in the following sections.


1.2 Motivation

At present, network survivability is becoming an important issue in network security technology. Numerous studies have been devoted to defining the meaning of network survivability and estimating the impact of external and internal factors on it [12][13]. When evaluating the survivability of a network, mathematical programming approaches such as game theory [14][15] and the Lagrangean Relaxation method [16][17] are the most significant tools; they allow a precise description and formal analysis of the dynamic behavior of a network system through the attack-defense scenario.

When it comes to network optimization under attack-defense problems, we usually consider a cyber attacker and a network defender interacting with each other. On one hand, the goal of the cyber attacker is to minimize the maximum network survivability of the defender; on the other hand, the network defender expects to maximize the minimum network survivability of his own network. As a result, the attack-defense problem becomes a min-max or max-min problem.

In addition, previous related works often consider only one round of the attack-defense problem [14][15][16][17]. However, due to the tremendous amount of uncertainty about the attacker's behaviors, e.g., motivations, preferences, actions, and types of attacks, attack prediction is a very challenging task and should be observed over a long time. Moreover, defense strategies against intentional attacks can influence the adaptive strategy of the attacker, and vice versa. In order to achieve the goal of maximizing or minimizing network survivability, both the cyber attacker and the network defender must consider carefully how to allocate or even reallocate their limited resources, which in reality should be expected to take several rounds of interaction. As a result, it is necessary to develop the concept of multi-round attack-defense scenario analysis in our work.

How to evaluate network survivability is a critical issue in the attack-defense model. Traditionally, the Degree of Disconnectivity (DOD) metric proposed in [17] is used to measure the damage degree of a network. However, the DOD metric assumes that an attack is either fully successful or fully unsuccessful, ignoring that an attack may succeed only with some probability. Therefore, a novel metric called the Average Degree of Disconnectivity (Average DOD, abbreviated "ADOD"), proposed in [18], is adopted in our model.

Average DOD consists of the concept of attack success probability calculated by the contest success function [19] and the concept of the DOD metric. The larger the Average DOD value, the smaller the network survivability.
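To make the Average DOD idea concrete, here is an added Python illustration; it is not code from the thesis. It assumes the ratio-form contest success function and a simplified DOD (the share of origin-destination node pairs that can no longer communicate), both labelled in the code; the thesis's own definitions of the contest success function and DOD are given in its Chapter 2, which is not on this page.

```python
"""Average Degree of Disconnectivity (Average DOD) on a small network.

Added illustration, not the thesis's code.  Labelled assumptions:
- the attack success probability of a node follows the ratio-form contest
  success function p = a^m / (a^m + d^m), with a = attack resource on the node,
  d = defense resource on it and m = contest intensity;
- the DOD of one attack outcome is simplified to the fraction of
  origin-destination (O-D) node pairs that are disconnected once the
  compromised nodes are removed.  This stands in for the thesis's exact DOD.
"""
from itertools import combinations, product
from typing import Dict, FrozenSet, List, Set, Tuple

Graph = Dict[int, List[int]]  # adjacency list of an undirected network


def attack_success_probability(attack: float, defense: float, m: float = 1.0) -> float:
    """Ratio-form contest success function (assumed form, see module docstring)."""
    if attack <= 0:
        return 0.0  # no attack resource on the node: it cannot be compromised
    return attack ** m / (attack ** m + defense ** m)


def _reachable(graph: Graph, start: int, compromised: FrozenSet[int]) -> Set[int]:
    """Nodes reachable from `start` through intact (non-compromised) nodes only."""
    seen = {start}
    stack = [start]
    while stack:
        u = stack.pop()
        for v in graph[u]:
            if v not in compromised and v not in seen:
                seen.add(v)
                stack.append(v)
    return seen


def degree_of_disconnectivity(graph: Graph, compromised: FrozenSet[int]) -> float:
    """Simplified DOD of one outcome: share of O-D pairs that cannot communicate."""
    pairs = list(combinations(sorted(graph), 2))
    if not pairs:
        return 0.0
    disconnected = 0
    for u, v in pairs:
        if u in compromised or v in compromised:
            disconnected += 1  # an endpoint itself is down
        elif v not in _reachable(graph, u, compromised):
            disconnected += 1  # every path between them crosses a compromised node
    return disconnected / len(pairs)


def average_dod(graph: Graph, attack: Dict[int, float],
                defense: Dict[int, float], m: float = 1.0) -> float:
    """Expected DOD over every combination of compromised nodes.

    Nodes fall independently with their contest-success probabilities, so an
    outcome's probability is the product of p_i over compromised nodes and
    (1 - p_i) over intact ones.  Enumeration is exponential in the node count,
    which is why the thesis treats acceleration separately (its Chapter 3).
    """
    nodes = sorted(graph)
    p = {i: attack_success_probability(attack.get(i, 0.0), defense.get(i, 0.0), m)
         for i in nodes}
    expected = 0.0
    for outcome in product((False, True), repeat=len(nodes)):
        prob = 1.0
        for i, fell in zip(nodes, outcome):
            prob *= p[i] if fell else 1.0 - p[i]
        if prob == 0.0:
            continue
        compromised = frozenset(i for i, fell in zip(nodes, outcome) if fell)
        expected += prob * degree_of_disconnectivity(graph, compromised)
    return expected


# Constructed sample network: a three-node path 0 - 1 - 2 (node 1 is the only transit node).
PATH3: Graph = {0: [1], 1: [0, 2], 2: [1]}


def demo() -> Tuple[float, float]:
    """Same attack on every node; uniform defense vs. defense shifted to the transit node."""
    attack = {0: 1.0, 1: 1.0, 2: 1.0}
    uniform = average_dod(PATH3, attack, {0: 1.0, 1: 1.0, 2: 1.0})
    shifted = average_dod(PATH3, attack, {0: 0.5, 1: 2.0, 2: 0.5})
    return uniform, shifted


if __name__ == "__main__":
    u, s = demo()
    print(f"Average DOD with uniform defense: {u:.4f}; shifted to node 1: {s:.4f}")
```

On this sample, moving defense from the leaf nodes to the transit node raises the Average DOD (the leaves become easy to compromise), which is the kind of trade-off the thesis's gradient search over allocations has to resolve rather than intuition.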

In the past, we usually considered network security within the scope of an enterprise or a personal computer. However, due to political reasons, we often hear news about information warfare between two conflicting nation-states. The former U.S. government security expert Richard A. Clarke, in his book Cyber War (May 2010), defines "cyberwarfare" as "actions by a nation-state to penetrate another nation's computers or networks for the purposes of causing damage or disruption" [5]. In addition, in May 2009, U.S. President Obama assigned White House-level security officials to help every government department set up its network security policies and establish response mechanisms to serious network attacks. Moreover, he also devoted effort to raising awareness among all Americans of online threats in order to protect national critical infrastructures, and announced a plan called "Cybersecurity". Unavoidably, the scope of network security should be extended to the national level.

In 2009, a worm named Stuxnet targeting "high-valued" Iranian assets was first discovered. It is the first purpose-built worm designed to attack programmable logic controllers (PLCs), the industrial control systems that help run critical infrastructure environments [6]. Stuxnet was designed purely to attack PLCs and cause damage to the infrastructure they operate and, ultimately, to the people and organizations that depend on that infrastructure.

Stuxnet is clearly an example of a stealthy worm developed by an adversary that spent a great deal of time and money on research and development. Ever since the discovery of the worm, there has been incessant speculation that Stuxnet is a nation-state attack against Iranian nuclear plants. According to BBC News on September 23, 2010 [7], Symantec security researcher Liam O Murchu suggested that whoever had created the worm had put a "huge effort" into it. "It is a very big project, it is very well planned, it is very well funded," he said. "It has an incredible amount of code just to infect those machines." His analysis is backed up by other research done by security firms and computer experts. "With the forensics we now have it is evident and provable that Stuxnet is a directed sabotage attack involving heavy insider knowledge," said Ralph Langner, an industrial computer expert, in an analysis he published on the web. "This is not some hacker sitting in the basement of his parents' house. To me, it seems that the resources needed to stage this attack point to a nation-state," he wrote.

The suspect was finally confirmed in June this year: unnamed U.S. government officials told a New York Times reporter that the Stuxnet worm was created secretly by the U.S. and Israeli intelligence agencies [8]. It is expected that a retaliatory strike might be launched against the U.S. by the Iranian cyber army [9]. Without a doubt, the cyberwar between the U.S. and Iran has formally begun.

From the news mentioned above, nation-state cyberwar is becoming more and more sobering and unavoidable, and should be of high concern nowadays. In addition, the term that best describes this kind of attack is Advanced Persistent Threat (APT). APT is now frequently used as a replacement term to describe cyberwarfare between nation-states [10]. It can be viewed as a type of collaborative attack in which various well-resourced and specialized attackers work together to mount an attack.

As a result, from the point of view of a nation, military resources could be allocated not only to passive defense but also to active defense which means “attack”.

Traditionally, in the previous attack-defense problem, we usually consider a cyber attacker who can only attack and a network defender who can only defend. However, given that both attack and defense abilities exist in the nature of a nation, it is essential to transform the traditional scenario of a cyber attacker and a network defender into one of two players. Both players can not only defend but also attack at the same time [27]. Hence, we consider a dual role of each player as an attacker and a defender.

Motivated by the reasons and previous works mentioned above, the scenario of this attack-defense model considers each of the two players to have the abilities of attack and defense at the same time; furthermore, attack behavior in this model is launched as a collaborative attack. Moreover, under the framework of a multi-round model, resource allocation, resource reallocation, and information updates of both players in each round are also considered in this thesis. More details are discussed in Chapter 2.

1.3 Literature Survey

In this section, the related works on the behaviors of each player's dual role as defender and attacker and on collaborative attacks are discussed respectively in the first part, which ends with a short summary. Then the concept of network survivability is introduced in the last part.


1.3.1 Defender’s and Attacker’s Behaviors

In this section, the related works about the behavior of the dual-role as a defender would be discussed in section 1.3.1.1 and section 1.3.1.2; furthermore, the behavior of the dual-role as an attacker would be introduced in section 1.3.1.3. In the end of this section, we would summarize the behaviors of the dual-role as an attacker and a defender in each player.

1.3.1.1 Proactive Defense and Reactive Defense

Many researchers have devoted themselves to proactive defense in recent years, but few works are related to reactive defense.

Traditionally, proactive defense is regarded as a “forward-looking” approach to mitigating security risk by examining the enterprise for vulnerabilities that might be exploited in the future [20][21]. However, in [22], Barth, Rubinstein et al. give a novel comparison of proactive defense and reactive defense. They consider that proactive defense hinges on the defender’s model of the attacker’s incentives. For instance, without advance knowledge of the attacker’s incentives, the defense budget under proactive defense would be allocated equally to each edge because the edges are indistinguishable. On the other hand, reactive defense is defined as “gradually reinforcing attacked edges by shifting budget from unattacked edges learns the attacker’s incentives and constructs an effective defense.”

A reactive strategy is less wasteful than a proactive strategy because the defender does not expend budget on attacks that do not actually occur. Therefore, under the assumption that the defender does not know all the vulnerabilities in the system or the attacker’s intentions, reactive defense becomes an efficient strategy. Both kinds of defense strategies are adopted in our model.

In general, defense strategies can be conceptually categorized into active defense and passive defense. Nevertheless, different researchers have diverse opinions on the concepts of active defense and passive defense. According to [23], active defense involves protecting the victim end before the attacks start, actively finding possible attacks, and tracing back the real attacker. On the other hand, passive defense is taken when the attacks have been launched and the target host or network is harmed before the attack sources can be found and controlled.

Furthermore, a distinction between active defense and passive defense is provided in [24]. Some measures, such as protective shields, provide defense by their nature. Other measures, especially those equipped with manpower, can generate active defense, which means exerting effort when certain conditions are encountered. The former belong to passive defense while the latter belong to active defense. Clearly, from the point of view of this paper, the major difference between active defense and passive defense is whether an action is actively exerted to prevent being harmed.

Hence, in this paper, we classify both proactive defense and reactive defense as passive defense based on the perspective of [24]. Moreover, the action measure of active defense is further discussed in the next section.

1.3.1.2 Preventive Strike

According to [25], a preventive strike can be viewed as an effective measure of active defense aimed at destroying the potential attacker and therefore preventing the defended object from destruction. In [28], Kroening makes a distinction between preventive war and preemptive war. He defines a preventive war as one “initiated inevitable, and that to delay would involve greater risk”, while preemption is stated as “an attack initiated on the basis of incontrovertible evidence that an enemy attack is imminent.” In [29], Tom also defines the difference. He said that “preemptive strikes are attacks to prevent an attack that seems imminent. Preventive strikes are attacks that are in principle less urgent, in the sense that they aim, for instance, to destroy weapons programs before they reach the production stage.”

Looking back at the Israeli air strike on the Osiraq reactor in Iraq, that mission was not preemptive but preventive according to Kroening’s definitions. Israeli policymakers attempted diplomatic coercion to delay Iraq’s nuclear development before the preventive strike; meanwhile, Israeli planners also developed a plan to destroy Osiraq. Finally, Israeli leaders bore the international storm after the strike. Peter S. Ford [30] thus draws two conclusions. First, preventive strikes are valuable primarily for two purposes: buying time and gaining international attention. Second, the strike provided a one-time benefit for Israel; subsequent strikes will be less effective due to dispersed or hardened nuclear targets and limited intelligence. As a result, it is essential for a nation to decide whether to take this form of active defense for national security purposes.

Furthermore, Levitin, Hausken et al. regard the preventive strike as an active defense strategy in [24] and [26]. They consider how a defender balances between protecting an object passively and striking preventively against an attacker, equipped with one or multiple attack facilities, who seeks to destroy the object. In correspondence with the previous works mentioned, in [27] they provide an interesting work that directly considers a game involving two actors who fight offensively and defensively against each other over k rounds or until one target is destroyed.

Aside from the advantages that might be brought by a preventive strike strategy, it could also induce a retaliation attack, which causes additional expenditure of the defender’s resources on passive defense [25]. Hence, the optimal balance between passive defense and active defense would remarkably improve network survivability under attack.

1.3.1.3 Collaborative Attacks

Traditionally, most attacks in cyberspace are launched by individual attackers independently, even though an attack may involve many compromised computers. However, more and more researchers in recent years believe that the next generation of cyber attacks would be collaborative attacks.

Collaborative attacks are launched by some malicious adversaries to accomplish disruption, deception, usurpation or disclosure against the targeted networks [31]. In another paper, collaborative attacks are defined as two or more types of attacks, such as blackhole attacks and wormhole attacks, which can attack a mobile ad hoc network in a collaborative way [32].

In [33], Xiaohu and Shouhuai model coordinated internal and external attacks against networked systems. In their model, an external attacker can compromise legitimate system components or participants, which then become internal attackers. The internal attackers can then report to the external attacker information such as “which other components have recently been compromised.” In fully sophisticated scenarios, the internal attackers may receive from the external attacker orders such as “which components should be attacked next.” In other words, the external attacker may be fully coordinating the attacks, and the internal attackers may exchange information with each other.

Furthermore, [34] is the first step towards realizing and instantiating a framework of collaborative attacks from the relevant perspectives. From the author’s point of view, collaborative attacks in general involve multiple human attackers or criminal organizations that have their respective adversarial expertise but may not fully trust each other. Intuitively, collaborative attacks are more powerful than the sum of the underlying individual attacks that can be launched by the individual attackers independently, which means collaborative attacks can exhibit the “1+1>2” phenomenon.

In 2006, the U.S. Air Force coined the term “Advanced Persistent Threat” (APT) [35]. According to [36], an APT in industry terminology is a sophisticated, targeted attack against a computing system containing a high-value asset or controlling a physical system. An APT often requires formidable resources, expertise, and operational orchestration. Nation states are the most aggressive perpetrators.

Moreover, in other literature, Mandiant [37] regards an APT as a cyber attack launched by a group of sophisticated, determined and coordinated attackers that have been systematically compromising a specific target’s machines or an entity’s networks for a prolonged period [10]. The famous Stuxnet worm mentioned earlier is considered a typical APT attack from the perspective of several information security professionals [6][38].

Besides, based on [39], the U.S. National Institute of Standards and Technology (NIST) defines APT as “an adversary that possesses sophisticated levels of expertise and significant resources which allow it to create opportunities to achieve its objectives by using multiple attack vectors (e.g., cyber, physical, and deception). These objectives typically include establishing and extending footholds within the information technology infrastructure of the targeted organizations for purposes of exfiltrating information, undermining or impeding critical aspects of a mission, program, or organization; or positioning itself to carry out these objectives in the future. The advanced persistent threat: (i) pursues its objectives repeatedly over an extended period of time; (ii) adapts to defenders' efforts to resist it; and (iii) is determined to maintain the level of interaction needed to execute its objectives.”

In our research, we consider the attack-defense scenario between two nation-states. From the attack aspect of a nation-state, there exist all kinds of talented experts specializing in information and network security who can be formed into a group that dedicates its effort to protecting the nation-state. According to the literature we surveyed, APT would be suitable to describe this kind of scenario; however, an APT can actually be viewed as a specific type of collaborative attack, whereas the range of collaborative attacks to consider is much broader. Therefore, in order to make our model more generic, we adopt the concept of collaborative attacks in our model.


1.3.1.4 Summary

In our research, one of the significant contributions is that we consider the dual-role of each player as a defender and an attacker. Hence, we are going to summarize the behaviors aforementioned of the attack-defense dual-role. The details are listed in Table 1-2.

Table 1-2: The Summary of the behaviors of the Attack-Defense Dual-Role

Defender’s behavior        Attacker’s behavior
- Proactive Defense        - Preventive Strike
- Reactive Defense         - Collaborative Attack

1.3.2 Network Survivability

The definition of network survivability has been discussed for many years. To the best of our knowledge, the first formal definition of survivability was proposed by the Consultative Committee for International Telegraph and Telephone (CCITT) in 1984 [11]. Survivability is defined as the “ability of an item to perform a required function at a given instant in time after a specified subset of components of the item to become unavailable.”

In 2004, Westmark [12] tried to provide a template for defining survivability, to facilitate subsequent research into computational quality attributes by using standard definitions. According to Westmark, survivability is “the ability of a given system with a given intended usage to provide a pre-specified minimum level of service in the event of one or more pre-specified threats.”

In fact, the concept of network survivability has been applied to evaluate the degree of network security for many years. However, when surveying the related works on network security, we find that there is still no precise and uniform definition of network survivability.

Among these various definitions of network survivability, one of the most cited is the one provided by Ellison [13]. The researcher defines survivability as the “capability of a system to fulfill its mission, in a timely manner, in the presence of attacks, failures, or accidents”.

In addition to the definitions of network survivability mentioned above, there are still various definitions proposed by other authors. These other definitions are summarized and listed in Table 1-3.


Table 1-3: The Summary of Survivability Definition

No. | Definition | Author | Year | Origin
1 | Survivability is the degree to which essential functions are still available even though some part of the system is down. | M.S. Deutsch and R.R. Willis | 1988 | [40]
2 | Survivability is a property of a system, subsystem, equipment, process, or procedure that provides a defined degree of assurance that the named entity will continue to function during and after a natural or man-made disturbance. | U.S. Department of Commerce | 1996 | [41]
3 | Survivability is the ability of a system to satisfy and to continue to satisfy critical requirements in the face of adverse conditions. | P.G. Neumann | 2000 | [42]
4 | A system is survivable if it complies with its survivability specification. | J. Knight and K. Sullivan | 2000 | [43]
5 | Survivability is the degree to which a system has been able to withstand an attack or attacks, and is still able to function at a certain level in its new state after the attack. | S.D. Moitra and S.L. Konda | 2000 | [44]
6 | Survivability is the ability of a system to continue operation despite the presence of abnormal events such as failures and intrusions. | S. Jha and J.M. Wing | 2001 | [45]
7 | Network survivability is the capability to maintain network performance against the failure of equipment. | Kerivin and Mahjoub | 2005 | [46]
8 | Survivability means preserving essential network services, even when a part of the network is compromised or has failed. | B. Bassiri and S.S. Heydari | 2009 | [47]
9 | Survivability is the system’s ability to continuously deliver services in compliance with the given requirements in the presence of failures and other undesired events. | P.E. Heegaard and K.S. Trivedi | 2009 | [48]
10 | Network survivability is the ability of a network to stay connected under failures and attacks. | F. Xing and W. Wang | 2010 | [49]

While these definitions of network survivability provide a good description of the concept of survivability, they do not have the mathematical precision to lead to a quantitative characterization.

In [50], the authors propose a quantitative approach to evaluate network survivability, perceiving network survivability as a composite measure consisting of both network failure duration and failure impact on the network. In [51], a paradigm that can simultaneously unify qualitative and quantitative analysis into formal modeling is proposed; the authors formally model and analyze the survivability of network systems.

Moreover, [17] presents a mathematical programming problem which adopts a novel metric called Degree of Disconnectivity (DOD) to evaluate the damage level and survivability of a network. Furthermore, a new survivability metric is provided in [18]. This metric, called Average DOD, combines the probability calculated by the contest success function with the DOD metric. The combination of the two concepts provides an efficient and powerful evaluation for the quantitative analysis of network survivability. Therefore, the Average DOD metric is adopted in our model, and the concept of Average DOD is further explained and illustrated in Chapter 2.

1.4 Thesis Organization

The rest of the paper is organized as follows. In Chapter 2 we explain and illustrate the concept of the Average DOD; in addition, the two players’ network attack-defense scenario and the formulation of this problem are introduced. In Chapter 3, the solution approach using the gradient method and game theory is discussed, and in Chapter 4 the computational experiment results are presented. Finally, we conclude the paper and discuss future work in Chapter 5.

Chapter 2 Problem Description

In this chapter, the concepts and calculation methods of the Degree of Disconnectivity (DOD), the contest success function (CSF), and the Average Degree of Disconnectivity (Average DOD) are introduced in the following parts. Then, the problem description and the related problem assumptions are described in detail in section 2.4 and section 2.5 respectively. Finally, we propose our mathematical formulation.

2.1 Degree of Disconnectivity

In [17], the author proposed a novel metric of network survivability called Degree of Disconnectivity (DOD) to evaluate the damage level and survivability of a network.

The DOD metric is defined as follows:

$$\text{DOD} = \frac{\sum_{\text{O-D pairs}} \left(\text{No. of broken nodes on the shortest path of the O-D pair}\right)}{\text{No. of all O-D pairs of the network}} .$$

The DOD value can be interpreted as the average number of broken nodes on the shortest path of each O-D (Origin-Destination) pair of a network. The larger the DOD value, the smaller the network survivability.

However, the DOD metric assumes that the cyber attacker’s attack on a node is either successful or unsuccessful. This assumption cannot capture the situation in which the attack result is neither 100% successful nor 100% unsuccessful.

Hence, the extended and revised concept of Average DOD proposed in [18] would be further introduced in section 2.3.

2.2 Contest Success Function

A contest is a game in which the players compete for a prize by exerting effort, money or other resources to increase their winning probability [19]. Diverse topics about contests, including rent-seeking, tournaments, conflict, and political campaigns, have been studied. A critical component of a contest is the Contest Success Function (CSF), which provides each player’s probability of winning as a function of all players’ efforts.

In our research, we consider the attack-defense problem between two players, each of whom plays the dual role of attacker and defender. Similarly, this problem can be viewed as a kind of contest between the two players. Therefore, we can use the contest success function to predict the winning probabilities of the two players.

Since there are a variety of definitions of the contest success function, we choose the most common form, which is proposed in [19]. The definition of the contest success function is shown in Table 2-1.

Table 2-1: The Definition of Contest Success Function

Definition:

$$s_i(a_i, b_i) = \frac{a_i^{m}}{a_i^{m} + b_i^{m}} = \frac{1}{1 + \left(\dfrac{b_i}{a_i}\right)^{m}}, \quad \text{where } a_i \ge 0,\ b_i \ge 0,\ \text{and } m \ge 0$$

Notation:

$s_i(a_i, b_i)$: the success probability of the attacker compromising node i
$a_i$: the attacker’s resource allocated on node i
$b_i$: the defender’s resource allocated on node i
m: contest intensity

According to Table 2-1, the vulnerability of a node is expressed as a contest success function modeled with a common ratio form. The more attack resources allocated on node i, the higher the attack success probability of compromising node i; likewise, the more defense resources allocated on node i, the lower the attack success probability of the cyber attacker compromising node i. In addition, the contest intensity factor also influences the result of the contest success function. In [19], the author analyzed the impact of different contest intensities. When m=0, no matter how much effort both parties exert, the attack success probability is invariably 50%. When 0<m<1, there is a disproportional advantage to investing less than the opponent. When m=1, the investments have a proportional impact on the attack success probability. When m>1, there is a disproportional advantage to investing more effort than the opponent. When m→∞, the result is a step function where the “winner takes all”, meaning that once one player invests more than the other, he is the winner. The impact of different contest intensities is summarized in Table 2-2.

Table 2-2: The Impact Degree of Different Contest Intensities

Contest Intensity | Result
m=0 | The success probability is invariably 50%.
0<m<1 | There is a disproportional advantage to investing fewer efforts than the opponent.
m=1 | The investments have a proportional impact on the success probability.
m>1 | There is a disproportional advantage to investing more efforts than the opponent.
m→∞ | The contest is winner-takes-all.
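The ratio-form CSF of Table 2-1 and the intensity regimes of Table 2-2, as an added Python example (not code from the thesis or from [19]). The function names csf, intensity_profile and advantage_vs_proportional, the sample allocation (one attack unit against three defense units) and the treatment of a_i = b_i = 0 as a 50/50 draw are assumptions of this example; the thesis does not define that corner case.

```python
"""Contest success function (CSF) of Table 2-1 and the contest-intensity
regimes of Table 2-2. Added illustration, not code from the thesis."""
import math
from typing import List, Tuple


def csf(a: float, b: float, m: float) -> float:
    """s_i(a_i, b_i) = a_i^m / (a_i^m + b_i^m) = 1 / (1 + (b_i/a_i)^m).

    a: attacker's resource on node i, b: defender's resource on node i,
    m: contest intensity; all three are non-negative as in Table 2-1.
    The ratio form is evaluated in log space so that a huge m (the
    winner-takes-all limit) does not overflow a float.
    """
    if a < 0 or b < 0 or m < 0:
        raise ValueError("a, b and m must be non-negative")
    if m == 0 or (a == 0 and b == 0):
        # m = 0: a^0 = b^0 = 1, so s = 1/2 whatever the investments.
        # a = b = 0 is 0/0 in the formula; treated here as a 50/50 draw
        # (an assumption, the thesis does not define this case).
        return 0.5
    if a == 0:
        return 0.0          # attacker invested nothing, defender did
    if b == 0:
        return 1.0          # defender invested nothing, attacker did
    log_ratio = m * (math.log(b) - math.log(a))   # log((b/a)^m)
    if log_ratio > 700:     # (b/a)^m far beyond float range: s -> 0
        return 0.0
    return 1.0 / (1.0 + math.exp(log_ratio))


def intensity_profile(a: float, b: float,
                      ms: List[float]) -> List[Tuple[float, float]]:
    """Attack success probability of one node for several intensities m."""
    return [(m, csf(a, b, m)) for m in ms]


def advantage_vs_proportional(a: float, b: float, m: float) -> float:
    """Gain of the smaller investor relative to the proportional case m = 1.

    Positive in the 0 < m < 1 regime (investing less is punished less than
    proportionally), negative for m > 1 (the larger investor gains a
    disproportional advantage), zero at m = 1 or when a == b.
    """
    proportional = csf(a, b, 1.0)             # a / (a + b)
    if a < b:                                 # attacker is the smaller investor
        return csf(a, b, m) - proportional
    # defender is the smaller investor (or equal); its success is 1 - s
    return proportional - csf(a, b, m)


if __name__ == "__main__":
    # Constructed sample: the attacker spends 1 unit and the defender 3 units
    # on the same node, evaluated across the regimes of Table 2-2.
    for m, s in intensity_profile(1.0, 3.0, [0, 0.5, 1, 2, 1e6]):
        print(f"m = {m:<8g} attack success probability = {s:.3f}")
```

Evaluating in log space keeps the m→∞ row of Table 2-2 computable: for a=3, b=1 the function returns exactly 1.0 and for a=1, b=3 exactly 0.0, while at m=1 it returns the proportional a/(a+b)=0.25 and at m=0 the flat 0.5.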

2.3 Average Degree of Disconnectivity

Average DOD is a new metric proposed in [18] that extends from the concept of DOD metric. The new metric combines the concept of the probability being calculated by contest success function with the concept of DOD metric. Further details about the concept of Average DOD are described in the following section.

2.3.1 Illustration

In this section, the concept and method for calculating the Average DOD value are introduced and some examples are illustrated as well. Figure 2-1 shows an intact network. Every two network nodes form an O-D pair; therefore, the total number of O-D pairs is $C^{n}_{2}$ (where n is the number of network nodes).


Figure 2-1: An Example of the Intact Network

In order to compromise and protect the network, the cyber attacker and the network defender allocate their attack and defense resources respectively on each node based on their strategies. Figure 2-2 represents the attack and defense resources allocated on each node: five nodes are separately allocated attack resources by the cyber attacker and defense resources by the network defender. In Figure 2-2, a triangle represents the defense resources allocated to a node, while the attack resources allocated to a node are represented by a square.

Figure 2-2: The Allocated Resources on Each Node


Based on the resources that the cyber attacker and the network defender allocate on each node, the contest success function is adopted to calculate the attack success probability of each node. The resulting attack success probability of each node is shown in Figure 2-3, where $S_i$ represents the attack success probability of node i.

After one round of attack-defense interaction, each node of the network can be in only one of two states: still functional or dysfunctional. The total number of possible network configurations is therefore $2^{n}$ (where n is the total number of network nodes). For example, in Figure 2-3, the total number of possible network outcomes is 32 ($2^{5} = 32$, where n equals 5).

Figure 2-3: The Attack Success Probability of Each Node


Furthermore, each possible network configuration would have a probability which is determined by the attack success probability or attack failure probability of each node. The method to calculate the probability of each possible network configuration would be to multiply the attack success or failure probability of each node respectively.

As a result, for example, in Figure 2-3, if all the nodes of the network are compromised by the attacker, the probability of this network configuration is $\prod_{i=1}^{5} S_i$ (where $S_i$ represents the attack success probability of node i). On the other hand, if all the nodes of the network are still functional, the probability of this network configuration is $\prod_{i=1}^{5} (1 - S_i)$.

Moreover, each kind of network configuration would lead to different damage degree of network. The Degree of Disconnectivity (DOD) having been introduced in the preceding part could be adopted to measure the damage degree of network. For example, in Figure 2-3, if all the nodes of network are still functional, the DOD value would be 0.

The probability and DOD value of each kind of network configuration enter the definition of the Average DOD. The Average DOD is an expectation value, that is, the predicted mean value of the outcome of a statistical experiment, used to evaluate the damage degree of a network. The larger the Average DOD value, the larger the damage degree of the network. Since the Average DOD value is affected by the attack success probabilities, which are calculated from the attack and defense resource allocations, the Average DOD value can be adopted to find the optimal resource allocation on each node for both the cyber attacker and the network defender. Table 2-3 gives an example of how to calculate the Average DOD value.

Table 2-3: An Example about Calculating the Average DOD Value

No. | Network configuration (compromised nodes) | Probability | DOD value | Probability * DOD value
1 | none of nodes 1,2,3,4,5 compromised | $\prod_{i=1}^{5}(1 - S_i)$ | 0 | 0
2 | node 1 compromised | $S_1 \prod_{i=2}^{5}(1 - S_i)$ | 0.5 | $0.5 \times S_1 \prod_{i=2}^{5}(1 - S_i)$
3 | node 2 compromised | $(1 - S_1)\, S_2 \prod_{i=3}^{5}(1 - S_i)$ | 0.5 | $0.5 \times (1 - S_1)\, S_2 \prod_{i=3}^{5}(1 - S_i)$
32 | nodes 1,2,3,4,5 all compromised | $\prod_{i=1}^{5} S_i$ | 2.5 | $2.5 \times \prod_{i=1}^{5} S_i$

The expectation value is obtained by summing all the values of the last column (Probability * DOD value), and this expectation value is called the Average DOD.

2.3.2 The Calculation Procedure of the Average DOD

In the previous part, the concept and method to calculate the Average DOD value has been introduced. Here, the calculation procedure of the Average DOD value is summarized as below:

Step 1. Find all the possible network configurations. The total number of possible network configurations is 2 to the power of the total number of network nodes.

Step 2. Calculate the probability of each possible network configuration. Because the probability of each network configuration is determined by the attack success or failure probability of each node, the attack success or failure probabilities of the nodes are multiplied to obtain the probability of each network configuration.

Step 3. Use the DOD metric to evaluate the damage degree of the network under each possible network configuration.

Step 4. Use the concept of expectation value, combining the probability with the DOD value of each possible network configuration, to evaluate the damage degree of the whole network. The calculated expectation value is called the Average DOD here.

2.4 Problem Description

In our attack-defense problem, there are two players, respectively called player A and player B in Figure 2-4, to be taken into consideration. The two players simultaneously play the dual role of a cyber attacker and a network defender, which means they can fight offensively or defensively at the same time according to their strategies. In addition, when playing the role of an attacker, both players adopt a collaborative attack strategy to attack each other.

Figure 2-4: Two Players and Their Own Network Topologies

In every round, both players make defense and attack strategies through the game to attain their goals. From the perspective of player A, there are two goals to achieve. One is to minimize the damage degree of his own network topology; the other is to maximize the damage degree of player B’s network topology. On the other
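The four-step procedure of section 2.3.2, applied to the per-node CSF of section 2.2 and the DOD metric of section 2.1, as an added Python example (not code from the thesis). It assumes a constructed 5-node ring topology, since the topology of Figure 2-3 is not given in the text, and reads “shortest path” as a hop-count shortest path of the intact topology on which compromised nodes, endpoints included, are counted (taking the path with the fewest compromised nodes when several shortest paths tie); the function names, the sample allocations and the treatment of a_i = b_i = 0 as a draw are likewise assumptions. Under that reading the ring gives the DOD values 0, 0.5, 0.5 and 2.5 for the four configurations listed in Table 2-3.

```python
"""Average DOD (section 2.3) of a small network whose per-node attack success
probabilities come from the contest success function of section 2.2.
Added illustration, not code from the thesis."""
import itertools
import math
from collections import deque
from typing import Dict, List, Set, Tuple

Graph = Dict[int, List[int]]   # node -> neighbours (undirected, connected)

# Constructed topology: a 5-node ring 1-2-3-4-5-1. The thesis's Figure 2-3
# topology is not given in the text, so this one is an assumption.
RING5: Graph = {1: [2, 5], 2: [1, 3], 3: [2, 4], 4: [3, 5], 5: [4, 1]}


def csf(a: float, b: float, m: float) -> float:
    """Table 2-1 ratio form s = a^m / (a^m + b^m), evaluated in log space."""
    if m == 0 or (a == 0 and b == 0):
        return 0.5               # a = b = 0 treated as a draw (assumption)
    if a == 0:
        return 0.0
    if b == 0:
        return 1.0
    log_ratio = m * (math.log(b) - math.log(a))
    return 0.0 if log_ratio > 700 else 1.0 / (1.0 + math.exp(log_ratio))


def hop_distances(graph: Graph, src: int) -> Dict[int, int]:
    """BFS hop counts from src in the intact topology."""
    dist = {src: 0}
    queue = deque([src])
    while queue:
        u = queue.popleft()
        for v in graph[u]:
            if v not in dist:
                dist[v] = dist[u] + 1
                queue.append(v)
    return dist


def broken_on_shortest_path(graph: Graph, src: int, dst: int,
                            broken: Set[int]) -> int:
    """Fewest compromised nodes, endpoints included, on any hop-count
    shortest path src -> dst of the intact topology (this reading of
    'shortest path' in the DOD definition is an assumption)."""
    dist = hop_distances(graph, src)
    if dst not in dist:
        raise ValueError("topology must be connected")
    cost = {src: int(src in broken)}
    # Nodes in increasing distance: every predecessor on a shortest path
    # is one hop closer, hence already costed (shortest-path DAG order).
    for v in sorted(dist, key=dist.get):
        if v == src:
            continue
        preds = [u for u in graph[v] if dist[u] == dist[v] - 1]
        cost[v] = min(cost[u] for u in preds) + int(v in broken)
    return cost[dst]


def dod(graph: Graph, broken: Set[int]) -> float:
    """Section 2.1: broken nodes on the shortest path, averaged over the
    C(n, 2) O-D pairs."""
    pairs = list(itertools.combinations(sorted(graph), 2))
    total = sum(broken_on_shortest_path(graph, o, d, broken) for o, d in pairs)
    return total / len(pairs)


def average_dod(graph: Graph, attack: Dict[int, float],
                defense: Dict[int, float], m: float
                ) -> Tuple[float, List[Tuple[Set[int], float, float]]]:
    """Steps 1-4 of section 2.3.2. Returns the Average DOD and the rows of
    Table 2-3 as (compromised nodes, probability, DOD value)."""
    nodes = sorted(graph)
    s = {i: csf(attack[i], defense[i], m) for i in nodes}   # S_i per node
    rows, expectation = [], 0.0
    for outcome in itertools.product([False, True], repeat=len(nodes)):  # Step 1
        broken = {i for i, hit in zip(nodes, outcome) if hit}
        prob = 1.0
        for i in nodes:                                                  # Step 2
            prob *= s[i] if i in broken else 1.0 - s[i]
        value = dod(graph, broken)                                       # Step 3
        rows.append((broken, prob, value))
        expectation += prob * value                                      # Step 4
    return expectation, rows


if __name__ == "__main__":
    # Constructed allocations: one unit of attack on every node; the defender
    # puts three units on node 1 and one unit elsewhere (m = 1).
    att = {i: 1.0 for i in RING5}
    dfn = {i: (3.0 if i == 1 else 1.0) for i in RING5}
    avg, rows = average_dod(RING5, att, dfn, m=1.0)
    for broken, prob, value in rows:
        label = str(sorted(broken)) if broken else "none"
        print(f"compromised={label:<18} P={prob:.4f} DOD={value:.2f}")
    print(f"Average DOD = {avg:.4f}")
```

With one unit of attack on every node and equal defense, every $S_i$ is 0.5 and the Average DOD comes to 1.25; moving the defender’s budget to three units on node 1 lowers $S_1$ to 0.25 and the Average DOD to 1.125, which is the quantity against which the two players’ allocation decisions are evaluated.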
