Graduate Institute of Information Management
College of Management
National Taiwan University
Master Thesis
Maximization of Network Survival Time upon Intelligent
and Malicious Attacks
陳俊維
Franson, Chun-Wei Chen
Advisor: Frank, Yeong-Sung Lin, Ph.D.
July, 2007
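Acknowledgements
Graduate school life has flown by. I still remember how lost and uncertain I was when I
had just graduated from university; after two years of study and training, I have grown
stronger in spirit and in mind. If the purpose of university is to learn how to learn,
then graduate school is where one cultivates the attitude of scholarship, and these two
years have been the stage of my student life in which I put in the most effort and gained
the most.
First, I would like to thank my advisor, Dr. Yeong-Sung Lin, who gave me the most help and
encouragement during this time. Besides giving me immense support in supervising this
thesis, more importantly you set an example as a scholar, and under your cultivation I
came to understand and build the spirit of research. Beyond academic research, you also
helped me a great deal in how to deal with people, so that I could further improve my
attitude and conduct in getting along with others. In addition, I am grateful to Director
孫雅麗, Professor 呂俊賢, Professor 祝國忠 and Professor 顏宏旭 for the many comments and
suggestions they offered during the oral defense, which made this thesis more complete.
I thank the senior doctoral students 佩玲, 國維, 演福, 政達, 柏皓, 俊甫, 明宗 and 建璋 for
the encouragement they gave me over these two years. I especially thank 柏皓: our advisor
and you together led me into the field of information security, and your experience and
sharing made me all the more absorbed in it. Whenever I most needed help, no matter how
busy you were or how much pressure you were under, you never hesitated to lend a hand. I
thank 中蓮, who graduated last year, for giving me a great deal of guidance when I had just
entered graduate school, so that I could quickly get up to speed; I thank my seniors 義倫,
弘翕, 文政, 勇誠, 孝穎 and 建宏 for their help and advice on the thesis and in life. I thank
the companions who worked alongside me, 岦毅, 承賓, 坤道, 翊恆, 雅芳 and 怡孜. I will always
remember staying up all night in the lab with 岦毅 and 承賓 and going to McDonald's in the
morning, the big shopping trips to Costco with 岦毅, 承賓's main program framework, 坤道's
help with programming and algorithms, 翊恆's guidance on English, the gossip from 雅芳 that
made our lives more fun, and the afternoon-tea cakes from 怡孜. I thank the first-year
students 奐庭, 志浩, 志元, 政佑 and 孜謙 for your help, which allowed me to complete the oral
defense smoothly.
In addition, I thank 方毓 for continually giving me support and encouragement over these
two years, bringing me laughter when I was nervous or in a bad mood, reminding me when I
was slack, and comforting me when I was sad, so that I could get through barrier after
barrier and low point after low point, and for accompanying me through this special time.
I thank 小豆干 for bringing me joy in the final stretch, and I also thank everyone who cares
about 豆干 for their tolerance of me and for providing much help.
Most importantly, I thank my parents, Mr. 陳文標 and Ms. 張淑美. Your endless love and
tolerance have let me go through life without worries. Even though I have disappointed you
at times, your support and encouragement gave me the courage to stand up again and climb
higher. Thank you for your love, support and understanding.
Finally, I thank all the family, teachers, classmates and friends who have cared for,
encouraged, supported and helped me along the way. Thank you.
陳俊維
Graduate Institute of Information Management, National Taiwan University
July 2007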
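Thesis Abstract (translated from the Chinese)
Thesis title: Maximization of Network Survival Time upon Intelligent and Malicious Attacks
Author: 陳俊維, July 2007
Advisor: Dr. Yeong-Sung Lin
No information system is completely secure. An experienced attacker can choose the most
suitable of many attack methods, including exploiting staff abuse, system vulnerabilities,
dictionary attacks, or even brute force attacks, to intrude into and damage a system.
Network administrators therefore need to devise effective defense strategies so that
important systems or hosts in the network survive longer under attack, giving the
administrators more time to respond to malicious network attacks.
In this thesis, we consider the problem of maximizing the survival time of the target node
under intelligent and malicious attacks, where the time the attacker needs to compromise a
node in the network is a function of the defense resources allocated to that node. The
problem can be formulated as a min-max bi-level integer programming problem. The inner
maximization problem represents the attacker, under a fixed time and a fixed defense
resource allocation policy, determining the best attack path to the target node so as to
achieve the maximum success probability; the outer minimization problem represents the
network administrator adjusting the defense resource allocation policy so as to minimize
the attacker's success probability. We also extend the problem to consider the effect of
the experience the attacker accumulates in the course of the attack. We assume that each
compromised node yields a discount factor, and that this factor affects the subsequent
function relating the time for the attacker to compromise nodes in the network to the
defense resources. This thesis uses Lagrangean relaxation and the subgradient method as
the two basic approaches to develop the algorithm, and uses computational experiments to
evaluate the efficiency and effectiveness of the algorithm.
Keywords: Defense Resource Allocation Strategy, Information Security, Network Attack and
Defense, Survival Time, Lagrangean Relaxation Method, Optimization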
Thesis Abstract
GRADUATE INSTITUTE OF INFORMATION MANAGEMENT
NATIONAL TAIWAN UNIVERSITY
NAME: FRANSON, CHUN-WEI CHEN MONTH/YEAR: JULY/2007
ADVISOR: FRANK, YEONG-SUNG LIN, Ph.D.
Maximization of Network Survival Time upon Intelligent and
Malicious Attacks
No information system in a network is absolutely secure. Sophisticated attackers
may adopt various types of hacking techniques, such as staff abuses, system
vulnerabilities, dictionary attacks, or brute force attacks, to penetrate and damage the
system. Therefore, it is essential that effective defense strategies be devised by network
administrators to maximize the survival time of critical/core components in networks
upon attacks so as to achieve the longest response time.
In this thesis, the problem of maximization of the core node survival time upon
intelligent and malicious attacks is considered. The time for an attacker to compromise a
node in the network is considered as a random variable, of which the associated CDF is
assumed to be a function of the allocated defense resource. The problem is formulated
as a mini-max integer programming problem, where the inner (maximization) problem
is for the attacker to determine an optimal attack path to the core node so as to
maximize his/her success probability under a given time constraint and a given defense
resource allocation policy, while the outer (minimization) problem is for the network
administrator to adjust his/her defense resource allocation policies so as to minimize the
success probability of the attacker. The basic approach to the algorithm development is
Lagrangean relaxation and the subgradient method. The efficiency and effectiveness of
the proposed algorithms will be evaluated by computational experiments.
Key Words: Defense Resource Allocation Strategy, Information Security, Network
Attack and Defense, Survival Time, Lagrangean Relaxation Method, Optimization.
Table of Contents
Acknowledgements
Thesis Abstract (Chinese)
Table of Contents
List of Figures
Chapter 1 Introduction
1.1 Background
1.2 Motivation
1.3 Literature Survey
1.3.1 Survival Time
1.3.2 Offense and Defense Strategies
1.4 Proposed Approach
1.5 Thesis Organization
Chapter 2 Problem Formulation
2.1 Problem Description and Assumption
2.2 Notations
2.3 Problem Formulation
2.4 Problem Reformulation
Chapter 3 Solution Approach
3.1 Lagrangean Relaxation Method
3.2 Solution Approach
3.3 Lagrangean Relaxation
3.4 The Dual Problem and the Subgradient Method
3.5 Getting Primal Feasible Solution
Chapter 4 Computational Experiments
4.1 Simple Algorithms
4.2 Experiment Environment
4.3 Experiment Results
4.4 Discussion of Results
Chapter 5 Conclusion and Future Work
5.1 Conclusion
5.2 Future Work
Reference
List of Tables
Table 2 - 1 Problem Assumptions and Description
Table 2 - 2 P-function
Table 3 - 1 Heuristic for the Model
Table 4 - 1 Experiment Parameter Settings
Table 4 - 2 Experiment Results of Grid Network ( |N| = 9 )
Table 4 - 3 Experiment Results of Random Network ( |N| = 9 )
Table 4 - 4 Experiment Results with 30 unit Budget ( |N| = 25 )
List of Figures
Figure 1 - 1 Type of Attackers or Misuse Detected in the Last 12 Months
Figure 1 - 2 Percentage of Targeted Attack by E-mail
Figure 1 - 3 Monthly Survival Time
Figure 2 - 1 The pdf of Compromise probability
Figure 2 - 2 The cpf of Compromise probability
Figure 2 - 3 Initial State
Figure 2 - 4 Different Probability Distribution
Figure 2 - 5 Choosing a Target
Figure 2 - 6 Continued Selecting
Figure 2 - 7 Post-choosing Network State
Figure 2 - 8 Selected Nodes and Links
Figure 2 - 9 Attack Path
Figure 2 - 10 Detection Rate for Different Security Softwares
Figure 2 - 11 μ-function
Figure 2 - 12 σ²-function
Figure 3 - 1 Concepts of the Lagrangean Relaxation Method
Figure 3 - 2 The Lagrangean Relaxation Procedure
Figure 4 - 1 Compromise Probability of the Grid Network with 20 Budget (|N|=9)
Figure 4 - 2 Compromise Probability of the Grid Network with 25 Budget (|N|=9)
Figure 4 - 3 Compromise Probability of the Grid Network with 30 Budget (|N|=9)
Figure 4 - 4 Compromise Probability of the Grid Network with Different Budget (|N|=9)
Figure 4 - 5 Compromise Probability of the Grid Network with Different Topology Size (30 Budget)
Figure 4 - 6 Compromise Probability of the Random Network with 5 Budget (|N|=9)
Figure 4 - 7 Compromise Probability of the Random Network with 10 Budget (|N|=9)
Figure 4 - 8 Compromise Probability of the Random Network with 15 Budget (|N|=9)
Figure 4 - 9 Compromise Probability of the Random Network with 20 Budget (|N|=9)
Figure 4 - 10 Compromise Probability of the Random Network with Different Budget (|N|=9)
Figure 4 - 11 Compromise Probability of the Random Network with Different Topology Size (30 Budget)
Figure 4 - 12 Compromise Probability of with Different Budget and Topologies (|N|=9)
Figure 5 - 1 The Survival Time of UNIX and Windows system
Chapter 1 Introduction
1.1 Background
The internet has become part of our lives. As computers and networks become more and
more important, they also bring us various threats such as viruses, worms, Trojan horses,
and spyware. Many kinds of information security equipment, such as anti-virus
applications, firewall systems, Intrusion Detection Systems (IDS), Intrusion Prevention
Systems (IPS), and Unified Threat Management (UTM) systems, have been developed.
However, none of them is secure enough. Attackers can use a variety of skills and
exploit vulnerabilities in this equipment to penetrate it, so that the computers behind
it are compromised. All the attackers need is to spend enough resources against
the equipment.
The Trend of Attack and Misuse
In the past, most attackers used tools to scan equipment on the network widely,
discovered vulnerabilities and aimed at those weaknesses, or launched
Denial-of-Service (DoS) attacks by sheer force. As information security techniques have
improved, many kinds of security software and hardware (e.g. anti-virus applications,
firewall systems, IDSs) have become better and better. At the same time, content
inspection and destination address filtering mechanisms have decreased the number of
security incidents, including insider abuse of network access permission and
unauthorized access to information.
According to the CSI/FBI Computer Crime and Security Survey (2006) [1], the
success probability of traditional attacks has dropped sharply, as shown in Figure 1-1
[1]. For viruses, the probability was up to 90% in 2001, but it dropped year by year
and was only about 65% by 2006. Insider abuse of network access causing serious
damage fell steeply from 97% in 1999 to 42% in 2006. For unauthorized access to
information, the success rate was only 32% in 2006, down from 71% in 2000. DoS attacks
were up to 42% in 2003 and declined to 25% in 2006. The defense mechanisms
mentioned above reduced these probabilities and forced attackers to change the way
they attack.
Figure 1 - 1 Type of Attackers or Misuse Detected in the Last 12 Months
New Kind of Attack
Most security threats today are aimed at financial reward, and this kind of
malicious attack always focuses on particular enterprises and their staff, or on special
groups of users. For example, an attacker might pretend to be the boss of a well-known
company and send an e-mail carrying malicious software (malware) to the secretary,
who would open it without suspicion, and then the attacker could access
everything he/she wants. Unlike past attacks, which were launched randomly and widely,
today’s attacks combine several kinds of malware, such as Trojan horses, backdoors,
spyware, and rootkits, and send an e-mail or some malicious applets to the target.
Furthermore, they lure targets who do not have enough awareness into the trap.
Many security experts referred to “targeted attacks” at the Virus Bulletin 2006
Conference, and Alex Shipp, MessageLabs Imagineer, gave a speech about targeted
Trojan attacks and industrial espionage [2]. He said typical targeted attacks include one
to ten similar e-mails focusing on one to three enterprises, and on average seven of
them belong to targeted Trojan attacks every day. That is less than 0.001% of the malware
spread by e-mail, but the attackers’ intent to inject spyware into the company is the
most troubling thing (Fig 1-2 [2]).
Figure 1 - 2 Percentage of Targeted Attack by E-mail
The Core Node
Because many attackers focus on financial rewards, the most important assets
of organizations are their know-how or the mission-critical systems that keep the
business going. This sensitive and valuable segment in the network domain, which
attackers desire to take over, is called the “core node” [3]. However, we only have a
few ways, such as buying defense products, obtaining advice from security experts, and
education and training, to increase our network survivability under limited budgets.
1.2 Motivation
In the past, the main attack types were massive scanning and exploitation of discovered
vulnerabilities, or launching DoS attacks; however, attackers today tend to adopt
targeted attacks instead. The attackers focus on computers holding sensitive information
of enterprises or organizations, and draw up an attack blueprint for the target. Although
information security experts try their best to stop this new attack type, one hundred
percent security cannot be achieved by network protection alone.
Many attackers do not have sufficient technical skills, patience, preparation,
or time for attacking; they just use common hacking tools available on the internet.
When the tools are not suitable for a specific situation, these attackers do not have
the ability to amend them. Therefore, we can add variety and complexity along the
attack path, so that the attackers have to spend more time to reach the target, or even
turn to an easier target. In many cases, the more time the attackers spend, the more
easily intrusions are detected. Although stopping attackers from penetrating systems
altogether is improbable, intrusions are more likely to be detected if security budgets
are invested properly in defense mechanisms that delay the attack [4].
In some cases, we would like to know how long the core node will survive under
malicious targeted attacks, or what the probability is that the core node is compromised
within a time constraint. Because of the core node’s sensitivity, attackers will try their
best to compromise it, and defenders, in turn, will defend it as hard as possible.
Defense resources for building up the related mechanisms are limited; therefore, how to
allocate those resources precisely to obtain an optimal defense strategy is an
important issue. This research discusses how to arrange defense budgets properly
to reduce the compromise probability of the core node under different considerations of
time slot.
1.3 Literature Survey
1.3.1 Survival Time
Attackers who compromise computers or networks might steal critical information
and cause them to stop providing service. The time from start to downtime is their
survival time, and the definition by SANS-ISC (SysAdmin, Audit, Network, Security
Institute - Internet Storm Center) is shown below.
Definition of survival time:
The survival time is calculated as the average time between reports for an
average target IP address [5].
The SANS-ISC also points out how to increase the survival time. Applying the
security patches a system needs is the first thing to do. According to
researchers at the ISC, the survival time rose from 20 minutes in 2003 to 40 minutes in
2004 because of the adoption of Windows Service Pack 2 [6] [7]. Second, blocking ports
that are commonly used by worms is another important way to avoid malicious
attacks. Finally, malware frequently aims at high-speed networks, such as university
networks, where the survival time will be much smaller. Therefore we should take more
care when connecting to that kind of network [5].
Figure 1 - 3 Monthly Survival Time
(2006/12/25 12:00PM)
In Figure 1-3 [5], the red line from Jul 2005 to Nov 2006 indicates the trend of
the average survival time; the thick red line for each month shows the range of the
standard deviation; the peak and the lowest point represent the maximum and the minimum
survival time for the month. From this figure, we can imagine that the
distribution of survival time is a normal distribution. The survival time reflects the
compromise probability, so it can be assumed to follow a normal distribution.
1.3.2 Offense and Defense Strategies
In practice, attackers and defenders both change their offense and defense
strategies frequently. As defenders adjust their network security frameworks and
equipment, opponents will try to find new system vulnerabilities and network
weaknesses to keep obtaining benefits. Defenders will then rearrange their defense
strategies again, and so will attackers. The strategies of both sides are thus mutually
adjusted again and again.
F. Cohen indicated that the main strategies of attackers in practice include the
types shown below [8].
• Speed: Some attackers choose to do only the fastest attacks available. This gives
them the advantage that they can win before the defender can detect or react to
their presence.
• Stealth: Some attackers choose to conceal themselves to avoid detection.
• Overwhelming force: Some attackers try to generate enough force - typically in
the form of physical assault or sheer volume of resources - to overwhelm the
defender.
• Indirection (Reflexive control): Some attackers use deceptive techniques to
cause the defender to spend resources on the wrong defenses or to cause the
defender to act in ways that provide openings to attack.
• Random: Some attackers just try whatever they happen to come across as an
idea on any given day.
• Least Resistance: Some attackers try to do things they think are least likely to
be defended against and which are easiest for them to do.
• Easiest to find: Some attackers just get software from the Internet and try it
against many systems.
Furthermore, defenders can essentially select different strategies from among the
following elements [8].
• Dissuasion: Many defenders try to convince possible attackers to go elsewhere.
• Deception: Many defenders create fictions intended to prevent attackers from
attacking or to cause them to attack elements of less value.
• Prevention: Defenders often choose to build defenses intended to keep attackers
from succeeding in their attempted activities.
• Detection and Reaction: With the belief that no prevention can be perfect,
detection and reaction are commonly used as a part of the mix.
• Repair: After detection - or when there is a belief that vulnerabilities exist,
repair is often undertaken to mitigate risk.
• Exploitation: In some cases, it is determined that an attacker can be exploited in
some way to the advantage of the defender. If the defender is so inclined, this
strategy may be undertaken.
• Capture and Punishment: In many cases, defenders try to capture and
prosecute attackers in order to recoup losses and dissuade others from attacking.
• Cover Up: It is often considered desirable to cover up an attack so that nobody
else knows about it.
• Constant Change: Some people take the strategy of changing the way they
operate at a pace that is so fast that long-term attacks are destined to failure
because the nature of the systems under attack has changed by the time a
long-term attack can succeed.
Attackers can gain rewards, such as thrills for self-satisfaction, confidential data, or
large amounts of money, through attacking networks; on the other hand, defenders suffer
damages including leakage of confidential data, unauthorized alteration of important
information, or system downtime [9]. Offense strategies try to maximize the attacker's
own benefits and defense strategies, conversely, try to minimize damages, and hence each
side has its own strategies.
1.4 Proposed Approach
In this paper, we describe a resource allocation problem, which is a mixed
nonlinear integer programming optimization problem. It can be solved by using the
Lagrangean relaxation method in conjunction with heuristic algorithms. The defense of
networks is not all-or-nothing; rather, there is a spectrum. Therefore, we use
probability to measure the survivability of networks.
This is a min-max mathematical model: the inner problem is to maximize the compromise
probability of the core node from the attacker’s perspective, and the outer problem is
to minimize it from the defender’s perspective. The compromise probability of each node
is affected by the budget allocated to it, and the compromise probability of the core
node is determined by the nodes on the attack path. Therefore, the lower this
probability is, the longer the survival time of the core node.
1.5 Thesis Organization
This thesis is organized as follows. In Chapter 2, the formulation of the budget
allocation problem is proposed. In Chapter 3, the solution approach of the problem is
presented. The computational results of the problem are shown in Chapter 4. Finally, we
present our conclusions and indicate possible directions of future research.
Chapter 2 Problem Formulation
2.1 Problem Description and Assumption
We assume that the network is at the Autonomous System (AS) level, and therefore
attackers must attack toward the core node step by step instead of attacking it directly.
There is surely more than one attacker in the network, but we can model a group of
attackers in different locations as one omnipresent attacker, and likewise for
defenders [3]. Although it is improbable for attackers to know everything about the
network in the real world, the worst case has to be considered. Therefore, we assume
that attackers have complete information about the network.
According to the article mentioned before, the probability that each node is
compromised by attackers follows a normal distribution (Fig 2-1, Fig 2-2). Compromising
a node is not easy, so most attackers need about the average time. From the defenders'
perspective, allocating more budget to a node increases the mean
and the variance of its distribution, and thus the compromise probability decreases.
Figure 2 - 1 The pdf of Compromise probability (axes: Time, Compromised Probability)
Figure 2 - 2 The cpf of Compromise probability (axes: Time, Compromised Probability)
The following figures describe the attack scenario. The attacker occupies an
initial node, s, at the beginning, and the target is the core node, t (Fig 2-3). Because
different budgets are allocated to each node, the compromise probabilities differ from
node to node (Fig 2-4). Next, the attacker chooses the node connected to s with the
highest compromise probability (Fig 2-5). The attacker continues selecting the node with
the highest probability among those that neighbor s or are reached through the node just
chosen, until reaching t (Fig 2-6, Fig 2-7). Ignoring the links and nodes not used or
chosen, the attacker considers only the chosen ones (Fig 2-8); tracking back
from t to s then constructs an attack path, called the Origin-Destination pair (O-D
pair), and yields the new compromise probability distribution as the convolution of the
distributions of the nodes on the path (Fig 2-9).
Even if the defender does not assign any effort to a node, the node still has some
ability to resist the attacker: the attacker has a higher probability of compromising
it, but it still costs him some time to find vulnerabilities and penetrate them. As
investment amounts are discrete, we assume that the choices for each node’s
budget are limited. The total budget of the defender is also limited; therefore,
how to arrange those resources effectively is the main subject of this research. The
assumptions and description of this model are given in Table 2-1.
Figure 2 - 3 Initial State
Initially, the attacker is on node s, and the target is on node t.
Figure 2 - 4 Different Probability Distribution
Each node has its own probability distribution because different budgets are allocated.
Figure 2 - 5 Choosing a Target
The attacker chooses the node with the highest compromise probability at the time from
among the neighbors.
Figure 2 - 6 Continued Selecting
The attacker repeatedly chooses a node directly connected to the initial node s or
reached through the node just chosen.
Figure 2 - 7 Post-choosing Network State
Choosing continues until the core node t is chosen.
Figure 2 - 8 Selected Nodes and Links
Only the chosen links and nodes are considered.
Figure 2 - 9 Attack Path
Tracking back from t to s constructs the attack path, and the new pdf is obtained by
convolving the distributions of the nodes on the path.
Legend: Candidate node; Unchosen node; Attacker’s initial position s; Chosen node;
Unreachable link; Reachable link; Link to the chosen node
Table 2 - 1 Problem Assumptions and Description
Assumption:
• The attacker is on node s.
• Only one node (node t, the core node) is the target of attack.
• A node i is subject to attack only if a path exists from node s to node i where all
the intermediate nodes on the path have been compromised (they can be viewed
as the hop sites for attacking the target).
• The defense budget allocated to a node affects its compromise
probability distribution.
• The compromise probability distribution of the node t depends on all the
intermediate nodes on the path.
• Both the attacker and the defender have complete information about the network.
• The attacker will always find the best strategy to reach the objective.
• The defender is subject to the total budget constraint, and the budget choice of
each node is limited.
• No link attacks are considered.
• No random failures are considered.
Given:
• The network topology
• The total budget for the defender
• The mean and the variance of a node are functions of the node’s budget
allocation.
• The tail distribution of a normal distribution with mean μ and variance σ² at the
time t.
Objective:
• To minimize the maximized compromise probability of the core node at the
constant time
Subject to:
• Budget constraint of the defender
To determine:
• The budget allocated to each node by the defender
• Which node will be attacked by the attacker
• Which routing path will be chosen to reach the core node
2.2 Notations
Given Parameters
Notation | Description
$N$ | The index set of all nodes in the network
$w$ | The O-D pair (s, t)
$P_w$ | The index set of all candidate paths for O-D pair w
$\delta_{ip}$ | The indicator function, which is 1 if node i is on path p, and 0 otherwise (where i∈N, p∈Pw).
$\delta_{ip^*}$ | The indicator function which is 1 if node i is on the shortest path p* (where the cost associated with node i is μi(min{Bi})), and 0 otherwise (where i∈N).
$\sigma_{iq^*}$ | The indicator function which is 1 if node i is on the shortest path q* (where the cost associated with node i is μi(max{Bi})), and 0 otherwise (where i∈N).
$B$ | The total budget
$B_i$ | All kinds of bi on the node i, where i∈N
$T$ | The time the attacker used
$M$ | All kinds of μ on the attack path.
$\Sigma^2$ | All kinds of σ² on the attack path.
$M_p$ | All kinds of mp on the path p, where p∈Pw
$S_p^2$ | All kinds of sp² on the path p, where p∈Pw
$P(t, \mu, \sigma^2)$ | This is a polynomial approximation tail distribution of a normal distribution with mean μ and variance σ² at the time t.
The indicator function $\delta_{ip}$ indicates whether node i is on path p or not, while
$\delta_{ip^*}$ and $\sigma_{iq^*}$ single out the special routes p* and q*, which are
two extreme cases. Because we use the normal distribution as the probability function,
we consulted mathematical references and obtained the P function, which is a polynomial
approximation of the tail distribution of a normal distribution (Table 2-2) [10].
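Table 2 - 2 P-function
[Plot: Compromised Probability against Time, with t and μ marked on the Time axis]
$$P(t,\mu,\sigma^2) = \frac{1}{\sqrt{2\pi}}\, e^{-\frac{z^2}{2}} \left[ d_1 x + d_2 x^2 + d_3 x^3 + d_4 x^4 + d_5 x^5 \right] + \varepsilon(z),$$
where $\varepsilon(z) < 7.5 \times 10^{-8}$, $z = \frac{t-\mu}{\sigma}$, $x = \frac{1}{1+pz}$, $p = 0.2316419$,
$d_1 = 0.3193815$, $d_2 = -0.3565638$, $d_3 = 1.7814779$,
$d_4 = -1.8212560$, $d_5 = 1.3302744$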
Decision Variables
Notation | Description
$b_i$ | Budget allocated to protect node i, where i∈N.
$\mu$ | The mean of the normal distribution that is the convolution by the probability density functions of all nodes on the attack path.
$\sigma^2$ | The variance of the normal distribution that is the convolution by the probability density functions of all nodes on the attack path.
$m_p$ | The mean of the normal distribution that is the convolution by the probability density functions of all nodes on the path p, where p∈Pw.
$s_p^2$ | The variance of the normal distribution that is the convolution by the probability density functions of all nodes on the path p, where p∈Pw.
$\mu_i(b_i)$ | The mean of the normal distribution, which is the probability density function of the node i, is the function of budget, where i∈N
$\sigma_i(b_i)^2$ | The variance of the normal distribution, which is the probability density function of the node i, is the function of budget, where i∈N
$y_i$ | 1 if the node i is chosen, and 0 otherwise (where i∈N).
$y_t$ | 1 if the core node t is chosen, and 0 otherwise.
$x_p$ | 1 if the path p is selected as the attack path, and 0 otherwise (where p∈Pw).
Nodes that receive no resources still possess some defense ability, so the mean and variance at zero budget also have initial values $\mu_0$ and $\sigma_0^2$. Malware-Test Lab is an institute that tests the quality of information security software, and it published an antivirus comparison report on June 28th, 2007. In this report, the term malware includes viruses, Trojan horses, worms, backdoors, spyware, adware, dialers, key loggers, hack tools and so on. The samples we use are collected daily from honey pots; the total malware count is 267,287, and the total file size is about 34,156 MB [11]. By analyzing this report we can see the trend across different security software (Fig 2-10); therefore, as budgets increase, the marginal effect causes $\mu_0$ and $\sigma_0^2$ to tend towards stability (Fig 2-11, Fig 2-12).
[Bar chart: Detection Rate (2007/06/28 Malware-Test Lab), 0.00% to 100.00%, one bar per security product]
Figure 2 - 10 Detection Rate for Different Security Softwares
$\mu_i(b_i) = \mu_0 + \lambda_A \ln(\lambda_B b_i + 1)$
[Plot: Mean against Budget]
Figure 2 - 11 μ-function
$\sigma_i(b_i)^2 = \sigma_0^2 + \lambda_C \ln(\lambda_D b_i + 1)$
[Plot: Variance against Budget]
Figure 2 - 12 σ2-function
2.3 Problem Formulation
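Objective function:
$\min_{b_i} \max_{y_i} \; 1 - P(T, \mu, \sigma^2)$ (IP 1)
Subject to:
$\mu = \sum_{i \in N} \mu_i(b_i)\, y_i$ (IP 1.1)
$\sigma^2 = \sum_{i \in N} \sigma_i(b_i)^2\, y_i$ (IP 1.2)
$\sum_{i \in N} \mu_i(\min\{B_i\})\, \delta_{ip^*} \le \mu \le \sum_{i \in N} \mu_i(\max\{B_i\})\, \sigma_{iq^*}$ (IP 1.3)
$\sum_{i \in N} \sigma_i(\min\{B_i\})^2\, \delta_{ip^*} \le \sigma^2 \le \sum_{i \in N} \sigma_i(\max\{B_i\})^2\, \sigma_{iq^*}$ (IP 1.4)
$\mu \in M$ (IP 1.5)
$\sigma^2 \in \Sigma^2$ (IP 1.6)
$\sum_{p \in P_w} x_p\, \delta_{ip} = y_i \quad \forall i \in N$ (IP 1.7)
$\sum_{p \in P_w} x_p = 1$ (IP 1.8)
$x_p = 0 \text{ or } 1 \quad \forall p \in P_w$ (IP 1.9)
$y_i = 0 \text{ or } 1 \quad \forall i \in N - \{t\}$ (IP 1.10)
$y_t = 1$ (IP 1.11)
$\min\{B_i\} \le b_i \le \max\{B_i\} \quad \forall i \in N$ (IP 1.12)
$\sum_{i \in N} b_i \le B$ (IP 1.13)
$b_i \in B_i \quad \forall i \in N$. (IP 1.14)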
Explanation of the mathematical formulation:
Objective function: The objective is to minimize the maximized compromise probability of the core node, $1 - P(T, \mu, \sigma^2)$. In the inner problem, an attacker tries to maximize the probability of compromising the core node by selecting which nodes to attack, i.e. $y_i$. In the outer problem, the defender intends to minimize the compromise probability of the target node, t, by allocating defense budget, $b_i$, to each node. As the P function is the tail distribution of the probability from T to infinity and we want the cumulative probability from zero to T, we use one minus the P function as the objective function.
Constraints (IP 1.1) and (IP 1.2) give the mean and variance of the probability distribution obtained by convolving the distributions of the nodes that are chosen for compromise, i.e., $y_i = 1$; the attacker must find an attack path between the initial position, s, and the targeted node, t. A convolution is defined as a product of functions, and the convolution of two functions f and g over an infinite range is given by $f * g = \int_{-\infty}^{\infty} f(\tau)\, g(t - \tau)\, d\tau = \int_{-\infty}^{\infty} g(\tau)\, f(t - \tau)\, d\tau$. Therefore, the convolution of two normal distributions is another normal distribution whose mean and variance are the sums of both means and both variances [12].
Constraints (IP 1.3) and (IP 1.4) bound the mean and variance. They lie between the values on the shortest path, p*, when all nodes have minimum budget, and the values on the shortest path, q*, when all nodes have maximum budget.
Constraints (IP 1.5) and (IP 1.6) mean that the mean and the variance of the probability distribution on the attack path are selected from the choice sets $M$ and $\Sigma^2$. They are affected by the resources allocated to each node, which are discrete values; therefore $\mu$ and $\sigma^2$ are discrete values.
Constraint (IP 1.7) enforces that if the path p is chosen by the attacker, the nodes on it must also be chosen.
Constraint (IP 1.8) indicates that only one path from the source node, s, to the targeted node, t, can be chosen by the attacker.
Constraints (IP 1.9) and (IP 1.10) restrict $x_p$ and $y_i$ to 1 or 0, which indicates whether the path or the node is selected or not.
Constraint (IP 1.11) is a redundant constraint stating that the targeted node, t, has to be chosen.
Constraints (IP 1.12) and (IP 1.13) restrict the range of the defense resources allocated to each node, $b_i$, and require that the total allocated budget, $\sum_{i \in N} b_i$, does not exceed the defense budget, B.
Constraint (IP 1.14) means that the budget allocated to each node is selected from the choice set of node i, $B_i$.
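The model (IP 1) can be evaluated directly on a very small network. The Python code below is an added example, not the thesis's C++ implementation: it codes the P-function of Table 2-2, sums node means and variances along a path as in (IP 1.1) and (IP 1.2), and solves the min-max by exhaustive search. Assumptions: the five-node network, the choice set {0, 1, 2, 3}, B = 6 and T = 5 are constructed; the μ and σ2 coefficients are the experiment settings of Table 4-1; the symmetry branch for z < 0 is added here because the polynomial is only valid for z ≥ 0.

```python
import itertools
import math

# Constants of the polynomial tail approximation (Table 2-2).
P_CONST = 0.2316419
D = (0.3193815, -0.3565638, 1.7814779, -1.8212560, 1.3302744)


def p_tail(t, mu, var):
    """P(t, mu, sigma^2): approximate Pr[X > t] for X ~ N(mu, var)."""
    z = (t - mu) / math.sqrt(var)
    a = abs(z)  # polynomial holds for z >= 0; z < 0 uses symmetry (added here)
    x = 1.0 / (1.0 + P_CONST * a)
    poly = sum(d * x ** (k + 1) for k, d in enumerate(D))
    tail = math.exp(-a * a / 2.0) / math.sqrt(2.0 * math.pi) * poly
    return tail if z >= 0 else 1.0 - tail


def mu_i(b):
    """Mean compromise time of one node with budget b (Table 4-1 settings)."""
    return 1.3 * math.log(1.3 * b + 1.0) + 0.11


def var_i(b):
    """Variance of the compromise time of one node with budget b (Table 4-1)."""
    return 1.3 * math.log(1.3 * b + 1.0) + 0.01


def compromise_prob(path, alloc, T):
    """1 - P(T, mu, sigma^2), with mu and sigma^2 summed over the path nodes."""
    mu = sum(mu_i(alloc[i]) for i in path)
    var = sum(var_i(alloc[i]) for i in path)
    return 1.0 - p_tail(T, mu, var)


def simple_paths(adj, s, t):
    """All loop-free node sequences from s to t; s itself is not defended."""
    stack = [(s, [])]
    while stack:
        node, seen = stack.pop()
        for nxt in adj.get(node, ()):
            if nxt in seen or nxt == s:
                continue
            if nxt == t:
                yield seen + [nxt]
            else:
                stack.append((nxt, seen + [nxt]))


def attacker_best(paths, alloc, T):
    """Inner problem: the path with the largest compromise probability."""
    return max(((compromise_prob(p, alloc, T), p) for p in paths),
               key=lambda r: r[0])


def defender_best(nodes, paths, choices, total, T):
    """Outer problem: exhaustive search over b_i in B_i with sum(b_i) <= B."""
    best = None
    for combo in itertools.product(choices, repeat=len(nodes)):
        if sum(combo) > total:
            continue
        alloc = dict(zip(nodes, combo))
        prob, path = attacker_best(paths, alloc, T)
        if best is None or prob < best[0]:
            best = (prob, alloc, path)
    return best


# Constructed network: the attacker starts at "s", the core node t is 5.
ADJ = {"s": [1, 2], 1: [3], 2: [3, 4], 3: [5], 4: [5]}
NODES = [1, 2, 3, 4, 5]
PATHS = list(simple_paths(ADJ, "s", 5))

if __name__ == "__main__":
    prob, alloc, path = defender_best(NODES, PATHS, (0, 1, 2, 3), 6, 5.0)
    print("allocation", alloc, "attack path", path, "probability", round(prob, 6))
```

Exhaustive search is only workable at this size; it is the reference against which a bound or heuristic can be checked.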
2.4 Problem Reformulation
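We replace the inner problem with a constraint, and reformulate the original objective function, $Z_{IP1}$. Furthermore, the constant value of the objective function, $Z_{IP1}$, is ignored, and the reconstructed problem is shown below.
Objective function:
$Z_{IP2} = \min_{b_i, y_i} \; -P(T, \mu, \sigma^2)$ (IP 2)
Subject to:
$P(T, \mu, \sigma^2) \le P(T, m_p, s_p^2) \quad \forall p \in P_w$ (IP 2.1)
$\mu = \sum_{i \in N} \mu_i(b_i)\, y_i$ (IP 2.2)
$\sigma^2 = \sum_{i \in N} \sigma_i(b_i)^2\, y_i$ (IP 2.3)
$\sum_{i \in N} \mu_i(\min\{B_i\})\, \delta_{ip^*} \le \mu \le \sum_{i \in N} \mu_i(\max\{B_i\})\, \sigma_{iq^*}$ (IP 2.4)
$\sum_{i \in N} \sigma_i(\min\{B_i\})^2\, \delta_{ip^*} \le \sigma^2 \le \sum_{i \in N} \sigma_i(\max\{B_i\})^2\, \sigma_{iq^*}$ (IP 2.5)
$\mu \in M$ (IP 2.6)
$\sigma^2 \in \Sigma^2$ (IP 2.7)
$m_p = \sum_{i \in N} \mu_i(b_i)\, \delta_{ip} \quad \forall p \in P_w$ (IP 2.8)
$s_p^2 = \sum_{i \in N} \sigma_i(b_i)^2\, \delta_{ip} \quad \forall p \in P_w$ (IP 2.9)
$\sum_{i \in N} \mu_i(\min\{B_i\})\, \delta_{ip} \le m_p \le \sum_{i \in N} \mu_i(\max\{B_i\})\, \delta_{ip} \quad \forall p \in P_w$ (IP 2.10)
$\sum_{i \in N} \sigma_i(\min\{B_i\})^2\, \delta_{ip} \le s_p^2 \le \sum_{i \in N} \sigma_i(\max\{B_i\})^2\, \delta_{ip} \quad \forall p \in P_w$ (IP 2.11)
$m_p \in M_p \quad \forall p \in P_w$ (IP 2.12)
$s_p^2 \in S_p^2 \quad \forall p \in P_w$ (IP 2.13)
$\sum_{p \in P_w} x_p\, \delta_{ip} \le y_i \quad \forall i \in N$ (IP 2.14)
$\sum_{p \in P_w} x_p = 1$ (IP 2.15)
$x_p = 0 \text{ or } 1 \quad \forall p \in P_w$ (IP 2.16)
$y_i = 0 \text{ or } 1 \quad \forall i \in N - \{t\}$ (IP 2.17)
$y_t = 1$ (IP 2.18)
$\min\{B_i\} \le b_i \le \max\{B_i\} \quad \forall i \in N$ (IP 2.19)
$\sum_{i \in N} b_i \le B$ (IP 2.20)
$b_i \in B_i \quad \forall i \in N$. (IP 2.21)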
Explanation of the mathematical formulation:
Objective function: after the inner problem has been replaced by a constraint, the defender wants to minimize the compromise probability of the core node by adjusting the budget allocation.
Constraint (IP 2.1) keeps the original inner problem satisfied by keeping the probability for the core node along the attack path always less than or equal to the probability along the other paths.
Constraints (IP 2.8) ~ (IP 2.9) define the mean and variance of the probability distribution obtained by convolving the distributions of the nodes on any path, p, between the initial position, s, and the targeted node, t.
Constraints (IP 2.10) and (IP 2.11) bound the mean and variance of the candidate path, p. They lie between the values for the nodes on p with minimum budget and the values for those nodes with maximum budget.
Constraints (IP 2.12) and (IP 2.13) mean that the mean and the variance of the probability distribution on any path are selected from the choice sets $M_p$ and $S_p^2$. They are affected by the resources allocated to each node, which are discrete values; therefore $m_p$ and $s_p^2$ are discrete values.
Constraint (IP 2.14) replaces "equal to" with "less than or equal to", because (IP 2.1) tends to make $y_i$ smaller.
Constraints (IP 2.2) ~ (IP 2.7) and (IP 2.15) ~ (IP 2.21) are the same as in the original problem, $Z_{IP1}$.
Chapter 3 Solution Approach
3.1 Lagrangean Relaxation Method
In the 1970s, many approaches were published for solving complex mathematical problems with decomposition techniques, which separate a problem that is hard to solve into several easy subproblems by means of a set of side constraints [14] [15]. Besides its flexibility, the Lagrangean relaxation method permits us to develop bounds on the optimal objective value and helps us design effective heuristic algorithms. Therefore, it has become one of the most popular tools for solving optimization problems. Its scope includes linear programming, integer programming, combinatorial optimization, and nonlinear programming problems [13].
The essence of the Lagrangean relaxation method is that we move some complicating constraints into the objective function of the primal problem (P) with associated multipliers (u); the new optimization problem with fewer constraints is called the Lagrangean relaxation problem (LRu). Figure 3-1 illustrates the major concepts of the Lagrangean relaxation method. Depending on (LRu), we decompose the relaxation problem into several stand-alone subproblems, each of which can be solved optimally by any known methodology or algorithm [13].
For minimization problems, the optimal value of (LRu), obtained after solving the subproblems and substituting the results into (LRu), is a lower bound (LB) of the original problem. This does not mean that it is a feasible solution of the original problem, but it tells us what the LB is. To get a tighter LB that is closer to the optimal value, we keep tuning the multipliers, and this procedure is named the "Lagrangean dual problem." While solving the Lagrangean relaxation and dual problems, we obtain values of the decision variables and multipliers. They serve as hints for developing proper heuristics that tune an infeasible solution into a feasible one, and this step is called "getting primal feasible solution." Every feasible solution we find is an upper bound (UB) of the original problem, and thus the optimal value lies between UB and LB [15].
For tuning the multipliers, the subgradient method is the most popular technique because of the scalar that modulates the step size of the multiplier adjustment in an iteration. At the beginning, the scalar is fairly large, so the multipliers oscillate more. It is reduced in later periods, and the variation range of the multipliers then narrows with time. At last, it tends to be stable and converges to one value, and that is the time to stop the Lagrangean relaxation method [14]. More details of the method are presented in Figure 3-2.
The Lagrangean relaxation method has four significant advantages. First, there are many possible ways to decompose a model by this method, and therefore it is a general problem solving strategy and solution framework rather than any single solution technique. Second, after decomposing into several subproblems, we can choose any known algorithm for solving each of them. Third, it helps us derive bounds on the objective function and evaluate the solution quality of a primal feasible solution. Last, we can design effective heuristic methods for solving complicated and large-scale optimization problems [13]. Therefore, we apply the Lagrangean relaxation method as the solution approach in this research.
Figure 3 - 1 Concepts of the Lagrangean Relaxation Method
[Diagram boxes: Primal Problem; Lagrangean Relaxation Problem (LRu); Subproblem ‧‧‧‧ Subproblem, each with an Optimal Solution; Lagrangean Dual Problem; Adjust Lagrangean Multipliers (u); Lower Bound (LB); Upper Bound (UB); LB ≤ Optimal Objective Function Value ≤ UB]
Initialization
‧ $Z^*$: best known feasible solution value of primal problem = initial feasible solution
‧ $u^0$: initial multiplier value = 0
‧ k: iteration count = 0
‧ i: improvement count = 0
‧ LB: lower bound of primal problem = $-\infty$
‧ $\lambda^0$: initial step size coefficient = 2
Solve Lagrangean Relaxation Problem
1. Solve each subproblem of $(LR_{u^k})$ optimally
2. Get decision variables $x^k$ and optimal value $Z_D(u^k)$
Get Primal Feasible Problem
‧ if $x^k$ is feasible in primal problem, the result is a UB of primal problem.
‧ if $x^k$ is not feasible in primal problem, tune it with specific heuristic.
Update Bounds
1. $Z^* = \min(Z^*, UB)$, $LB = \max(LB, Z_D(u^k))$
2. i = i+1 if LB does not change
Check Termination
if $(Z^* - LB)/\min(LB, Z^*) < \varepsilon$ or k reaches Iteration Count Limit or $LB \ge Z^*$? Yes: STOP. No: continue with Adjustment of multipliers.
Adjustment of multipliers
1. If i reaches the Improvement Counter Limit, $\lambda = \lambda/2$, i = 0
2. $t^k = \dfrac{\lambda\,(Z^* - Z_D(u^k))}{\lVert Ax^k + b \rVert^2}$
3. $u^{k+1} = \max(0,\; u^k + t^k (Ax^k + b))$
4. k = k+1
Figure 3 - 2 The Lagrangean Relaxation Procedure
3.2 Solution Approach
Applying the Lagrangean relaxation method, we transform the reformulated problem (IP 2) into the following Lagrangean relaxation problem (LR 1) by relaxing Constraints (IP 2.1), (IP 2.2), (IP 2.3), (IP 2.8), (IP 2.9), (IP 2.14) and (IP 2.20) with a vector of Lagrangean multipliers.
3.3 Lagrangean Relaxation
Optimization Problem:
$$\begin{aligned}
Z_D(u^1, u^2, u^3, u^4, u^5, u^6, u^7) = \min\; & -P(T, \mu, \sigma^2) + \sum_{p \in P_w} u_p^1 \left( P(T, \mu, \sigma^2) - P(T, m_p, s_p^2) \right) \\
& + u^2 \Big( \mu - \sum_{i \in N} \mu_i(b_i)\, y_i \Big) + u^3 \Big( \sigma^2 - \sum_{i \in N} \sigma_i(b_i)^2\, y_i \Big) + \sum_{p \in P_w} u_p^4 \Big( m_p - \sum_{i \in N} \mu_i(b_i)\, \delta_{pi} \Big) \\
& + \sum_{p \in P_w} u_p^5 \Big( s_p^2 - \sum_{i \in N} \sigma_i(b_i)^2\, \delta_{pi} \Big) + \sum_{i \in N} u_i^6 \Big( \sum_{p \in P_w} x_p\, \delta_{pi} - y_i \Big) + u^7 \Big( \sum_{i \in N} b_i - B \Big)
\end{aligned}$$ (LR 1)
Subject to:
$\sum_{i \in N} \mu_i(\min\{B_i\})\, \delta_{ip^*} \le \mu \le \sum_{i \in N} \mu_i(\max\{B_i\})\, \sigma_{iq^*}$ (LR 1.1)
$\sum_{i \in N} \sigma_i(\min\{B_i\})^2\, \delta_{ip^*} \le \sigma^2 \le \sum_{i \in N} \sigma_i(\max\{B_i\})^2\, \sigma_{iq^*}$ (LR 1.2)
$\mu \in M$ (LR 1.3)
$\sigma^2 \in \Sigma^2$ (LR 1.4)
$\sum_{i \in N} \mu_i(\min\{B_i\})\, \delta_{ip} \le m_p \le \sum_{i \in N} \mu_i(\max\{B_i\})\, \delta_{ip} \quad \forall p \in P_w$ (LR 1.5)
$\sum_{i \in N} \sigma_i(\min\{B_i\})^2\, \delta_{ip} \le s_p^2 \le \sum_{i \in N} \sigma_i(\max\{B_i\})^2\, \delta_{ip} \quad \forall p \in P_w$ (LR 1.6)
$m_p \in M_p \quad \forall p \in P_w$ (LR 1.7)
$s_p^2 \in S_p^2 \quad \forall p \in P_w$ (LR 1.8)
$\sum_{p \in P_w} x_p = 1$ (LR 1.9)
$x_p = 0 \text{ or } 1 \quad \forall p \in P_w$ (LR 1.10)
$y_i = 0 \text{ or } 1 \quad \forall i \in N - \{t\}$ (LR 1.11)
$y_t = 1$ (LR 1.12)
$\min\{B_i\} \le b_i \le \max\{B_i\} \quad \forall i \in N$ (LR 1.13)
$b_i \in B_i \quad \forall i \in N$. (LR 1.14)
The Lagrangean multipliers $u^1, u^2, u^3, u^4, u^5, u^6$ and $u^7$ are the vectors of $\{u_p^1\}$, $\{u^2\}$, $\{u^3\}$, $\{u_p^4\}$, $\{u_p^5\}$, $\{u_i^6\}$ and $\{u^7\}$, in which $u^1$, $u^6$ and $u^7$ are non-negative and $u^2$, $u^3$, $u^4$ and $u^5$ are unrestricted. To solve (LR 1), we decompose it into four independent subproblems as shown below.
Subproblem 1 (related to decision variable $x_p$)
$z_{sub1}(u^6) = \min_{x_p} \sum_{i \in N} \sum_{p \in P_w} u_i^6\, x_p\, \delta_{pi}$ (SUB 1)
Subject to:
$\sum_{p \in P_w} x_p = 1$ (LR 1.9)
$x_p = 0 \text{ or } 1 \quad \forall p \in P_w$. (LR 1.10)
(SUB 1) can be treated as a shortest path problem with node cost $u_i^6$. Because the costs are non-negative, we use Dijkstra's minimum cost algorithm to solve this subproblem optimally. That algorithm, however, requires link costs, so we use the "node splitting" technique to separate each node, i, into two nodes, i and i', that are connected by an artificial link with the weight $u_i^6$. This transfers the node cost to a link weight, after which the algorithm solves this subproblem optimally.
The time complexity of (SUB 1) is $O(|N|^2)$.
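Node splitting as described for (SUB 1), as an added Python example that is not the thesis's code: each node i becomes an entry vertex and an exit vertex i' joined by an arc of weight u_i^6, the original links get weight zero, and Dijkstra's algorithm runs on the split graph. The six-node graph and the multiplier values are constructed, and a binary heap is used here instead of the O(|N|2) array scan.

```python
import heapq
import math


def min_node_cost_path(adj, node_cost, s, t):
    """Cheapest s-t path when costs sit on nodes (the u_i^6 of SUB 1).

    Vertex (i, 0) is node i, vertex (i, 1) is its split copy i'.
    Returns (list of nodes on the path, total node cost), or (None, inf).
    """
    if any(c < 0 for c in node_cost.values()):
        raise ValueError("Dijkstra needs non-negative multipliers u_i^6")

    def arcs(v):
        i, side = v
        if side == 0:
            yield (i, 1), node_cost[i]   # artificial link i -> i' carries u_i^6
        else:
            for j in adj[i]:
                yield (j, 0), 0.0        # original link, no cost of its own

    start, goal = (s, 0), (t, 1)
    dist, prev, done = {start: 0.0}, {}, set()
    heap = [(0.0, start)]
    while heap:
        d, v = heapq.heappop(heap)
        if v in done:
            continue
        done.add(v)
        if v == goal:
            break
        for w, c in arcs(v):
            nd = d + c
            if nd < dist.get(w, math.inf):
                dist[w], prev[w] = nd, v
                heapq.heappush(heap, (nd, w))
    if goal not in done:
        return None, math.inf

    path, v = [], goal
    while True:
        if v[1] == 1:                    # record each original node once
            path.append(v[0])
        if v == start:
            break
        v = prev[v]
    path.reverse()
    return path, dist[goal]


# Constructed example: undirected links, node 0 = source s, node 5 = core t.
ADJ = {0: [1, 2], 1: [0, 5], 2: [0, 3, 4], 3: [2, 5], 4: [2, 5], 5: [1, 3, 4]}
U6 = {0: 0.0, 1: 4.0, 2: 1.0, 3: 1.0, 4: 5.0, 5: 0.0}   # constructed multipliers

if __name__ == "__main__":
    print(min_node_cost_path(ADJ, U6, 0, 5))
```

The returned path is the one with x_p = 1 in (SUB 1), and the returned cost is the value of z_sub1 for these multipliers.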
Subproblem 2 (related to decision variables $y_i$, $b_i$)
$$\begin{aligned}
z_{sub2}(u^2, u^3, u^4, u^5, u^6, u^7) = \min_{b_i, y_i} -\Big( & \sum_{i \in N} u^2 \mu_i(b_i)\, y_i + \sum_{i \in N} u^3 \sigma_i(b_i)^2\, y_i + \sum_{p \in P_w} \sum_{i \in N} u_p^4\, \mu_i(b_i)\, \delta_{pi} \\
& + \sum_{p \in P_w} \sum_{i \in N} u_p^5\, \sigma_i(b_i)^2\, \delta_{pi} + \sum_{i \in N} u_i^6\, y_i - \sum_{i \in N} u^7 b_i + u^7 B \Big)
\end{aligned}$$ (SUB 2)
Subject to:
$y_i = 0 \text{ or } 1 \quad \forall i \in N$ (LR 1.11)
$y_t = 1$ (LR 1.12)
$\min\{B_i\} \le b_i \le \max\{B_i\} \quad \forall i \in N$ (LR 1.13)
$b_i \in B_i \quad \forall i \in N$. (LR 1.14)
We substitute $\mu_0 + \lambda_A \ln(\lambda_B b_i + 1)$ for $\mu_i(b_i)$ and $\sigma_0^2 + \lambda_C \ln(\lambda_D b_i + 1)$ for $\sigma_i(b_i)^2$ in (SUB 2). Ignoring the constant value $u^7 B$, the problem can be decomposed into a series of |N| subproblems. For each node i,
$$\begin{aligned}
z_{sub2'} &= \min_{b_i} -\Big( u^2 \mu_i(b_i)\, y_i + u^3 \sigma_i(b_i)^2\, y_i + \sum_{p \in P_w} u_p^4\, \mu_i(b_i)\, \delta_{pi} + \sum_{p \in P_w} u_p^5\, \sigma_i(b_i)^2\, \delta_{pi} + u_i^6\, y_i - u^7 b_i \Big) \\
&= \min_{b_i} -\Big\{ u^2 \left[ \mu_0 + \lambda_A \ln(\lambda_B b_i + 1) \right] y_i + u^3 \left[ \sigma_0^2 + \lambda_C \ln(\lambda_D b_i + 1) \right] y_i \\
&\qquad + \sum_{p \in P_w} u_p^4 \left[ \mu_0 + \lambda_A \ln(\lambda_B b_i + 1) \right] \delta_{pi} + \sum_{p \in P_w} u_p^5 \left[ \sigma_0^2 + \lambda_C \ln(\lambda_D b_i + 1) \right] \delta_{pi} + u_i^6\, y_i - u^7 b_i \Big\} \\
&= \min_{b_i} -\Big\{ \left[ u^2 \mu_0 + u^3 \sigma_0^2 + u_i^6 + u^2 \lambda_A \ln(\lambda_B b_i + 1) + u^3 \lambda_C \ln(\lambda_D b_i + 1) \right] y_i \\
&\qquad + \Big[ \sum_{p \in P_w} u_p^4\, \lambda_A \ln(\lambda_B b_i + 1)\, \delta_{pi} + \sum_{p \in P_w} u_p^5\, \lambda_C \ln(\lambda_D b_i + 1)\, \delta_{pi} \Big] - u^7 b_i + \sum_{p \in P_w} \left( u_p^4 \mu_0 + u_p^5 \sigma_0^2 \right) \delta_{pi} \Big\}
\end{aligned}$$ (SUB 2')
Subject to:
$y_i = 0 \text{ or } 1$ (LR 1.11)
$y_t = 1$ (LR 1.12')
$\min\{B_i\} \le b_i \le \max\{B_i\}$ (LR 1.13')
$b_i \in B_i$. (LR 1.14')
However, $y_i$ has only two choices, 0 or 1, so we can substitute each value in turn.
If $y_i = 0$:
$$z_{sub2'} = \min_{b_i} -\Big\{ \Big[ \sum_{p \in P_w} u_p^4\, \lambda_A \ln(\lambda_B b_i + 1)\, \delta_{pi} + \sum_{p \in P_w} u_p^5\, \lambda_C \ln(\lambda_D b_i + 1)\, \delta_{pi} \Big] - u^7 b_i + \sum_{p \in P_w} \left( u_p^4 \mu_0 + u_p^5 \sigma_0^2 \right) \delta_{pi} \Big\}$$
If $y_i = 1$:
$$\begin{aligned}
z_{sub2'} = \min_{b_i} -\Big\{ & \Big( u^2 + \sum_{p \in P_w} u_p^4\, \delta_{pi} \Big) \lambda_A \ln(\lambda_B b_i + 1) + \Big( u^3 + \sum_{p \in P_w} u_p^5\, \delta_{pi} \Big) \lambda_C \ln(\lambda_D b_i + 1) - u^7 b_i \\
& + \Big[ u^2 \mu_0 + u^3 \sigma_0^2 + u_i^6 + \sum_{p \in P_w} \left( u_p^4 \mu_0 + u_p^5 \sigma_0^2 \right) \delta_{pi} \Big] \Big\}
\end{aligned}$$
This problem can be solved by exhaustive search at each node. We find the optimal value of $b_i$ for the case $y_i = 0$ and again for the case $y_i = 1$, and compare the two optimal values of $z_{sub2'}$. The smaller one is the optimal solution of this node's subproblem.
The time complexity of (SUB 2) is $O(|N|\,|B_i|)$.
Subproblem 3 (related to decision variables $\mu$, $\sigma^2$)
$z_{sub3}(u^1, u^2, u^3) = \min_{\mu, \sigma^2} \Big( \sum_{p \in P_w} u_p^1 - 1 \Big) P(T, \mu, \sigma^2) + u^2 \mu + u^3 \sigma^2$ (SUB 3)
Subject to:
$\sum_{i \in N} \mu_i(\min\{B_i\})\, \delta_{ip^*} \le \mu \le \sum_{i \in N} \mu_i(\max\{B_i\})\, \sigma_{iq^*}$ (LR 1.1)
$\sum_{i \in N} \sigma_i(\min\{B_i\})^2\, \delta_{ip^*} \le \sigma^2 \le \sum_{i \in N} \sigma_i(\max\{B_i\})^2\, \sigma_{iq^*}$ (LR 1.2)
$\mu \in M$ (LR 1.3)
$\sigma^2 \in \Sigma^2$. (LR 1.4)
The mean and variance, $\mu$ and $\sigma^2$, are discrete, and each lies in a limited range. Therefore, this subproblem can again be solved optimally by exhaustive search. We substitute each possible value of $\mu$ and $\sigma^2$ into (SUB 3) and select the best one, which is the optimal solution of this subproblem.
The time complexity of (SUB 3) is $O(|M|\,|\Sigma^2|)$.
Subproblem 4 (related to decision variables $m_p$, $s_p^2$)
$z_{sub4}(u^1, u^4, u^5) = \min_{m_p, s_p^2} -\sum_{p \in P_w} u_p^1\, P(T, m_p, s_p^2) + \sum_{p \in P_w} u_p^4\, m_p + \sum_{p \in P_w} u_p^5\, s_p^2$ (SUB 4)
Subject to:
$\sum_{i \in N} \mu_i(\min\{B_i\})\, \delta_{ip} \le m_p \le \sum_{i \in N} \mu_i(\max\{B_i\})\, \delta_{ip} \quad \forall p \in P_w$ (LR 1.5)
$\sum_{i \in N} \sigma_i(\min\{B_i\})^2\, \delta_{ip} \le s_p^2 \le \sum_{i \in N} \sigma_i(\max\{B_i\})^2\, \delta_{ip} \quad \forall p \in P_w$ (LR 1.6)
$m_p \in M_p \quad \forall p \in P_w$ (LR 1.7)
$s_p^2 \in S_p^2 \quad \forall p \in P_w$. (LR 1.8)
Unlike the subproblems above, (SUB 4) must consider all the paths from s to t, and that is an enormous number for a network. Therefore, we should find some way to decrease its complexity and save computational power.
There is no need to list all paths at the computing stage, as the paths we are concerned with are those for which at least one of the multipliers $u_p^1$, $u_p^4$ or $u_p^5$ is non-zero. When all of them are zero, the optimization problem $z_{sub4}$ is forced to zero; when one of them is non-zero, we consider the path a possible active path and mark it on the list. After all possible paths have been marked, the next step of solving this subproblem only goes through the paths on the list.
The time complexity of (SUB 4) is $O(|P_w|\,|M_p|\,|S_p^2|)$.
3.4 The Dual Problem and the Subgradient Method
According to the weak duality theorem of the Lagrangean relaxation method, for any multipliers the objective value $Z_D$ of the Lagrangean relaxation problem is never larger than the optimal objective function value of the problem (IP 2) [13]. Therefore, we construct the dual problem (D 1) in order to obtain the tightest lower bound by the subgradient method [14][15].
Dual Problem:
$Z_{D1} = \max Z_{D1}(u^1, u^2, u^3, u^4, u^5, u^6, u^7)$ (D 1)
Subject to: $u^1, u^6, u^7 \ge 0$.
Let a vector f be a subgradient of $Z_{D1}(u^1, u^2, u^3, u^4, u^5, u^6, u^7)$. Then, in iteration k of the subgradient optimization procedure, the multiplier vector $u^k = (u^{1k}, u^{2k}, u^{3k}, u^{4k}, u^{5k}, u^{6k}, u^{7k})$ is updated by $u^{k+1} = u^k + \alpha^k f^k$, where
$$\begin{aligned}
f^k(u^{1k}, u^{2k}, u^{3k}, u^{4k}, u^{5k}, u^{6k}, u^{7k}) = \Big( & P(T, \mu, \sigma^2) - P(T, m_p, s_p^2),\; \mu - \sum_{i \in N} \mu_i(b_i)\, y_i, \\
& \sigma^2 - \sum_{i \in N} \sigma_i(b_i)^2\, y_i,\; m_p - \sum_{i \in N} \mu_i(b_i)\, \delta_{pi},\; s_p^2 - \sum_{i \in N} \sigma_i(b_i)^2\, \delta_{pi},\; \sum_{p \in P_w} x_p\, \delta_{pi} - y_i,\; \sum_{i \in N} b_i - B \Big);
\end{aligned}$$
and the step size, $\alpha^k$, is determined by
$$\alpha^k = \rho\, \frac{Z_{IP2}^* - Z_{D1}(u^k)}{\lVert f^k \rVert^2},$$
where $Z_{IP2}^*$, the best primal objective function value found by iteration k, is the upper bound (UB) of (IP 2), and $\rho$ is a constant where $0 \le \rho \le 2$.
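The loop of Figure 3-2 with the step-size rule of Section 3.4, as an added Python example that is not the thesis's implementation. It is narrowed to one relaxed constraint: only the budget constraint (sum of b_i at most B) is relaxed with a single multiplier u ≥ 0, and the objective is assumed to be minus the sum of the node means μ_i(b_i) over four identical nodes instead of the P-function objective of (IP 2). The trimming heuristic, the counter limits and the instance are constructed, and the choice set is assumed to be the integers 0..3.

```python
import itertools
import math


def mu_i(b):
    """Mean compromise time of a node with budget b (Table 4-1 settings)."""
    return 1.3 * math.log(1.3 * b + 1.0) + 0.11


def primal_value(alloc):
    """Simplified primal objective (assumption): minimise -sum_i mu_i(b_i)."""
    return -sum(mu_i(b) for b in alloc)


def solve_relaxed(n, choices, total, u):
    """min sum_i(-mu_i(b_i) + u*b_i) - u*B: one exhaustive search per node."""
    alloc = [min(choices, key=lambda b: -mu_i(b) + u * b) for _ in range(n)]
    return alloc, sum(-mu_i(b) + u * b for b in alloc) - u * total


def make_feasible(alloc, total, b_max):
    """Primal heuristic: trim one unit at a time while over budget, then spend
    whatever is left where it adds the most mean time."""
    alloc = list(alloc)
    while sum(alloc) > total:
        k = min((i for i, b in enumerate(alloc) if b > 0),
                key=lambda i: mu_i(alloc[i]) - mu_i(alloc[i] - 1))
        alloc[k] -= 1
    while sum(alloc) < total and min(alloc) < b_max:
        k = max((i for i, b in enumerate(alloc) if b < b_max),
                key=lambda i: mu_i(alloc[i] + 1) - mu_i(alloc[i]))
        alloc[k] += 1
    return alloc


def lagrangean_relaxation(n, choices, total, iter_limit=200, improve_limit=10,
                          eps=1e-6):
    """Returns (LB, best primal value Z*, best allocation)."""
    b_max = max(choices)
    u, lam, stall, lb = 0.0, 2.0, 0, -math.inf
    best = make_feasible([min(choices)] * n, total, b_max)  # initial feasible
    z_star = primal_value(best)
    for _ in range(iter_limit):
        alloc, z_d = solve_relaxed(n, choices, total, u)
        cand = make_feasible(alloc, total, b_max)   # get primal feasible solution
        if primal_value(cand) < z_star:
            best, z_star = cand, primal_value(cand)
        if z_d > lb:                                # update bounds
            lb, stall = z_d, 0
        else:
            stall += 1
        if (z_star - lb) / min(abs(lb), abs(z_star)) < eps:  # check termination
            break
        if stall >= improve_limit:                  # halve the step scalar
            lam, stall = lam / 2.0, 0
        g = sum(alloc) - total                      # subgradient of the constraint
        if g == 0:
            break
        u = max(0.0, u + lam * (z_star - z_d) / (g * g) * g)  # next multiplier
    return lb, z_star, best


def brute_force(n, choices, total):
    """Reference optimum by enumeration, workable only for tiny instances."""
    return min(primal_value(c) for c in itertools.product(choices, repeat=n)
               if sum(c) <= total)


if __name__ == "__main__":
    print(lagrangean_relaxation(4, (0, 1, 2, 3), 6), brute_force(4, (0, 1, 2, 3), 6))
```

Every value the relaxed problem returns stays at or below the enumerated optimum, and every repaired allocation stays at or above it, which is the LB ≤ optimum ≤ UB relation of Figure 3-1.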
3.5 Getting Primal Feasible Solution
From the solutions to (LR 1) and the multipliers obtained from (D 1), we get some hints for designing and implementing a heuristic that improves the solution quality of (IP 2). The concept of the proposed heuristic is described below.
The algorithm we devise is derived from the solutions for $b_i$, $x_p$ and $u_i^6$ in the dual problem. The $b_i$ we obtain from (SUB 2) serves as the initial budget allocation strategy for the defender. We observe that the multiplier $u_i^6$ represents the importance of each node: the more important the node i is, the bigger its multiplier $u_i^6$. Hence, if the budget the defender has allocated exceeds the total budget, we remove budget from the node i that has the minimum $u_i^6$. Conversely, if the budget allocated to the network is less than the total budget, we add budget to the node i that has the maximum $u_i^6$ and has not yet reached its budget limit.
The $x_p$ we derive from (SUB 1) as the attack path the attacker chooses is the critical path of the network. We take budget $a_i = \left[ \dfrac{\max(u_i^6) - u_i^6}{\sum_{i \in N} u_i^6} \times B \right]$ from a node that is not on the critical path and allocate it to a node that is on that path and has not reached its budget limit. Through this process the critical path of the network becomes stronger than before, and the compromise probability from the source node to the core node decreases.
Table 3 - 1 Heuristic for the Model
Step 1. Allocating budget $b_i$ to each node, where $b_i$ is derived by (SUB 2), i∈N
Step 2. Checking the budget allocated on the network to meet the constraint.
Step 3. Choosing the path $x_p$ derived by (SUB 1) as the attack path
Step 4. Moving budget $a_i = \left[ \dfrac{\max(u_i^6) - u_i^6}{\sum_{i \in N} u_i^6} \times B \right]$ from a node which is not on the attack path to a node which is on it, i∈N, if node i was allocated budget $b_i$ and $b_i > 0$ at step 1
Chapter 4 Computational Experiments
4.1 Simple Algorithms
We implement two simple algorithms, the popularity-based and the greedy-based budget allocation strategies, to demonstrate that the heuristic we proposed is effective.
Like the heuristic we describe in Chapter 3, the popularity-based budget allocation strategy dispenses budget according to the accumulated compromised frequency of each node that appears on the candidate paths. Generally, the more times a node is compromised, the more important it is, hence we assign more budget to it. The budget we allocate to node i, $b_i$, is $\max\left( \dfrac{f_i'}{f_{total}'} \times B,\ \max\{B_i\} \right)$, where $f_i'$ is the accumulated compromised frequency of node i in this simple algorithm 1, denoted as SA1, and $f_{total}'$ is the sum of the accumulated compromised frequencies of all nodes in SA1. If some budget is still left, we randomly allocate the remainder to the nodes that do not have any defense resource, so that they can construct defense mechanisms.
Simple algorithm 2, denoted as SA2, which is also compared with our heuristic, is a greedy-based budget allocation strategy whereby the node with the smallest compromise probability from the source node to the core node is allocated budget first. Because the budget we can dispense to each node is limited, the maximum budget of node i is $\max\{B_i\}$. This algorithm finishes when all of the defender's total budget is allocated.
4.2 Experiment Environment
The algorithm we proposed is written in C++ with Dev-C++, and it runs on a PC with an Intel™ Pentium-4 2.40 GHz CPU and 512 MB RAM. The Iteration Counter Limit and the Improvement Counter Limit are set to 10000 and 250. The step size scalar, λ, is initialized to 2 and is halved when the number of iterations in which the objective function value, $Z_D$, does not improve reaches the Improvement Counter Limit.
We choose two popular kinds of network topology that accord with real networks as attack targets. The first one is a grid network, which has p nodes along one side and p × p nodes in total [16]. The other kind of topology is a random network, in which the probability that two nodes are connected is random and uniform [17].
Because of the marginal effect, the mean function, $\mu_i(b_i)$, and the variance function, $\sigma_i(b_i)^2$, are defined as concave functions. In the real world, a network with many nodes but no allocated budget would not have more defense power than one with fewer nodes but some budget. To incorporate this characteristic, the initial values of the two functions, $\mu_0$ and $\sigma_0^2$, must not be so large that they violate it.
More details of the experimental parameters are shown in Table 4-1.
Table 4 - 1 Experiment Parameter Settings
Parameter of LR
Parameter | Value
Iteration Counter Limit | 5000
Improvement Counter Limit | 200
Initial Upper Bound | 0
Initial Multiplier Value | u1 = u2 = u3 = u4 = u5 = u6 = u7 = 0
Initial Scalar of Step Size λ | 2
Test Platform
CPU: Intel™ Pentium-4 2.40 GHz
RAM: 512 MB
OS: Microsoft Windows XP SP2
Parameter of the Model
Parameter | Value
Number of Nodes, |N| | 9, 25
Network Topology | Grid networks, Random networks
Time, T | 2.5 ~ 20
Budget, B | Grid: 20, 25, 30; Random: 5, 10, 15, 20, 25, 30
Mean function, µi(bi) | µi(bi) = 1.3 ln(1.3 bi + 1) + 0.11, where bi is the budget allocated to node i, ∀i∈N
Variance function, σi(bi)2 | σi(bi)2 = 1.3 ln(1.3 bi + 1) + 0.01, where bi is the budget allocated to node i, ∀i∈N
4.3 Experiment Results
LR represents the compromise probability obtained by the heuristic we proposed, and LB indicates a lower bound obtained from (LR 1). The gap between LR and LB, which evaluates the quality of LR, is calculated by $\frac{LB - LR}{LR} \times 100\%$; and the improvement ratio of LR to SA1 and SA2 is calculated by $\frac{LR - SA_1}{SA_1} \times 100\%$ and $\frac{LR - SA_2}{SA_2} \times 100\%$.
Table 4 - 2 Experiment Results of Grid Network ( |N| = 9 )
Columns: Time | LR | LB | Gap (%) | SA1 | Imp. R. to SA1 (%) | SA2 | Imp. R. to SA2 (%) (rows grouped by Budget)
Budget = 20:
2.5 0.000000 0.000000 0.00 0.000000 0.00 0.000000 0.00
5 0.051500 0.026859 47.85 0.051500 0.00 0.158745 67.56
7.5 0.233279 0.192291 17.57 0.233279 0.00 0.475315 50.92
10 0.525892 0.394229 25.04 0.538458 2.33 0.808397 34.95
12.5 0.811826 0.608574 25.04 0.821334 1.16 0.964535 15.83
15 0.955841 0.809985 15.26 0.959453 0.38 0.996927 4.12
17.5 0.994199 0.943722 5.08 0.994890 0.07 0.999880 0.57
20 0.999587 0.988902 1.07 0.999653 0.01 0.999998 0.04
Budget = 25:
2.5 0.000000 0.000000 0.00 0.000000 0.00 0.000000 0.00
5 0.013924 0.000303 97.82 0.037238 62.61 0.066146 78.95
7.5 0.149934 0.129941 13.33 0.199660 24.91 0.268791 44.22
10 0.399889 0.334734 16.29 0.486124 17.74 0.589064 32.11
12.5 0.700140 0.573440 18.10 0.779870 10.22 0.856881 18.29
15 0.903751 0.796167 11.90 0.942751 4.14 0.971784 7.00
17.5 0.981313 0.941364 4.07 0.991457 1.02 0.997011 1.57
20 0.997882 0.987729 1.02 0.999292 0.14 0.999835 0.20
Budget = 30:
2.5 0.000000 0.000000 0.00 0.000000 0.00 0.000000 0.00
5 0.000000 0.000000 0.00 0.004016 100.00 0.004016 100.00
7.5 0.101712 0.093571 8.00 0.131732 22.79 0.131732 22.79
10 0.296311 0.283188 4.43 0.365481 18.93 0.365481 18.93
12.5 0.594121 0.537707 9.50 0.663970 10.52 0.663970 10.52
15 0.837708 0.792037 5.45 0.883065 5.14 0.883065 5.14
17.5 0.958363 0.937134 2.22 0.974860 1.69 0.974860 1.69
20 0.993411 0.987262 0.62 0.996782 0.34 0.996782 0.34
Table 4 - 3 Experiment Results of Random Network ( |N| = 9 )
Columns: Time | LR | LB | Gap (%) | SA1 | Imp. R. to SA1 (%) | SA2 | Imp. R. to SA2 (%) (rows grouped by Budget)
Budget = 5:
2.5 0.142353 0.114240 19.75 0.275634 48.35 0.142353 0.00
5 0.548481 0.436925 20.34 0.783825 30.03 0.548481 0.00
7.5 0.904537 0.687764 23.97 0.984841 8.15 0.904537 0.00
10 0.993682 0.893309 10.10 0.999805 0.61 0.993682 0.00
12.5 0.999883 0.981595 1.83 1.000000 0.01 0.999883 0.00
15 0.999999 0.998519 0.15 1.000000 0.00 0.999999 0.00
17.5 1.000000 0.999947 0.01 1.000000 0.00 1.000000 0.00
20 1.000000 0.999999 0.00 1.000000 0.00 1.000000 0.00
Budget = 10:
2.5 0.030389 0.011736 61.38 0.100796 69.85 0.030389 0.00
5 0.236336 0.208038 11.97 0.442252 46.56 0.236336 0.00
7.5 0.602791 0.526778 12.61 0.833956 27.72 0.602791 0.00
10 0.892255 0.833036 6.64 0.981470 9.09 0.892255 0.00
12.5 0.986676 0.971136 1.57 0.999313 1.26 0.986676 0.00
15 0.999300 0.997650 0.17 0.999992 0.07 0.999300 0.00
17.5 0.999985 0.999915 0.01 1.000000 0.00 0.999985 0.00
20 1.000000 0.999999 0.00 1.000000 0.00 1.000000 0.00
Budget = 15:
2.5 0.008146 0.002483 69.52 0.042162 80.68 0.008146 0.00
5 0.179497 0.174524 2.77 0.270065 33.54 0.179497 0.00
7.5 0.508097 0.508092 0.00 0.651539 22.02 0.508097 0.00
10 0.830343 0.830342 0.00 0.917924 9.54 0.830343 0.00
12.5 0.970671 0.970671 0.00 0.991645 2.12 0.970671 0.00
15 0.997643 0.997643 0.00 0.999657 0.20 0.997643 0.00
17.5 0.999915 0.999915 0.00 0.999994 0.01 0.999915 0.00
20 0.999999 0.999999 0.00 1.000000 0.00 0.999999 0.00
Budget = 20:
2.5 0.008146 0.002483 69.52 0.008146 0.00 0.008146 0.00
5 0.179497 0.174524 2.77 0.179497 0.00 0.179497 0.00
7.5 0.508097 0.508092 0.00 0.508097 0.00 0.508097 0.00
10 0.830343 0.830342 0.00 0.830343 0.00 0.830343 0.00
12.5 0.970671 0.970671 0.00 0.970671 0.00 0.970671 0.00
15 0.997643 0.997643 0.00 0.997643 0.00 0.997643 0.00
17.5 0.999915 0.999915 0.00 0.999915 0.00 0.999915 0.00
20 0.999999 0.999999 0.00 0.999999 0.00 0.999999 0.00
Budget = 25:
2.5 0.008146 0.002483 69.52 0.008146 0.00 0.008146 0.00
5 0.179497 0.174524 2.77 0.179497 0.00 0.179497 0.00
7.5 0.508097 0.508092 0.00 0.508097 0.00 0.508097 0.00
10 0.830343 0.830342 0.00 0.830343 0.00 0.830343 0.00
12.5 0.970671 0.970671 0.00 0.970671 0.00 0.970671 0.00
15 0.997643 0.997643 0.00 0.997643 0.00 0.997643 0.00
17.5 0.999915 0.999915 0.00 0.999915 0.00 0.999915 0.00
20 0.999999 0.999999 0.00 0.999999 0.00 0.999999 0.00
Budget = 30:
2.5 0.008146 0.002483 69.52 0.008146 0.00 0.008146 0.00
5 0.179497 0.174524 2.77 0.179497 0.00 0.179497 0.00
7.5 0.508097 0.508092 0.00 0.508097 0.00 0.508097 0.00
10 0.830343 0.830342 0.00 0.830343 0.00 0.830343 0.00
12.5 0.970671 0.970671 0.00 0.970671 0.00 0.970671 0.00
15 0.997643 0.997643 0.00 0.997643 0.00 0.997643 0.00
17.5 0.999915 0.999915 0.00 0.999915 0.00 0.999915 0.00
20 0.999999 0.999999 0.00 0.999999 0.00 0.999999 0.00
Table 4 - 4 Experiment Results with 30 Budget ( |N| = 25 )
Columns: Time | LR | LB | Gap (%) | SA1 | Imp. R. to SA1 (%) | SA2 | Imp. R. to SA2 (%) (rows grouped by Network Topology)
Grid:
2.5 0 0 0.00 0 0.00 0 0.00
5 0 0 0.00 0.008578 100.00 0.019746 100.00
7.5 0.046776 0 0.00 0.144887 67.72 0.167204 72.02
10 0.193235 0 0.00 0.397629 51.40 0.438668 55.95
12.5 0.438692 0.027709 1483.21 0.703465 37.64 0.743273 40.98
15 0.716562 0.04491 1495.55 0.907954 21.08 0.928031 22.79
17.5 0.901672 0.145253 520.76 0.983086 8.28 0.988369 8.77
20 0.977764 0.305606 219.94 0.998227 2.05 0.998954 2.12
Random:
2.5 0.000000 0.000000 0.00 0.000000 0.00 0.000000 0.00
5 0.044755 0.044755 0.00 0.117928 62.05 0.044755 0.00
7.5 0.215477 0.215477 0.00 0.387539 44.40 0.215477 0.00
10 0.509349 0.509349 0.00 0.726932 29.93 0.509349 0.00
12.5 0.797681 0.797681 0.00 0.932260 14.44 0.797681 0.00
15 0.949839 0.949839 0.00 0.991393 4.19 0.949839 0.00
17.5 0.992921 0.992921 0.00 0.999465 0.65 0.992921 0.00
20 0.999449 0.999449 0.00 0.999984 0.05 0.999449 0.00
Figure 4 - 1 Compromise Probability of the Grid Network with 20 Budget (|N|=9)
[Plot: Compromise Probability (0.0 to 1.0) versus Time (2.5 to 20); series: LR, LB, SA1, SA2]
Figure 4 - 2 Compromise Probability of the Grid Network with 25 Budget (|N|=9)
[Plot: Compromise Probability (0.0 to 1.0) versus Time (2.5 to 20); series: LR, LB, SA1, SA2]
Figure 4 - 3 Compromise Probability of the Grid Network with 30 Budget (|N|=9)
[Plot: Compromise Probability (0.0 to 1.0) versus Time (2.5 to 20); series: LR, LB, SA1, SA2]
Figure 4 - 4 Compromise Probability of the Grid Network with Different Budget (|N|=9)
[Plot: Compromise Probability (0.0 to 1.0) versus Time (2.5 to 20); series: Budget 20, Budget 25, Budget 30]
Figure 4 - 5 Compromise Probability of the Grid Network with Different Topology Size (30 Budget)
[Plot: Compromise Probability (0.00 to 1.00) versus Time (2.5 to 20); series: Grid 9, Grid 25]
Figure 4 - 6 Compromise Probability of the Random Network with 5 Budget (|N|=9)
[Plot: Compromise Probability (0.0 to 1.0) versus Time (2.5 to 20); series: LR, LB, SA1, SA2]
Figure 4 - 7 Compromise Probability of the Random Network with 10 Budget (|N|=9)
[Plot: Compromise Probability (0.0 to 1.0) versus Time (2.5 to 20); series: LR, LB, SA1, SA2]
Figure 4 - 8 Compromise Probability of the Random Network with 15 Budget (|N|=9)
[Plot: Compromise Probability (0.0 to 1.0) versus Time (2.5 to 20); series: LR, LB, SA1, SA2]
Figure 4 - 9 Compromise Probability of the Random Network with 20 Budget (|N|=9)
[Plot: Compromise Probability (0.0 to 1.0) versus Time (2.5 to 20); series: LR, LB, SA1, SA2]
Figure 4 - 10 Compromise Probability of the Random Network with Different Budget (|N|=9)
[Plot: Compromise Probability (0.0 to 1.0) versus Time (2.5 to 20); series: Budget 5, Budget 10, Budget 15, Budget 20, Budget 25, Budget 30]
Figure 4 - 11 Compromise Probability of the Random Network with Different Topology Size (30 Budget)
[Plot: Compromise Probability (0.00 to 1.00) versus Time (2.5 to 20); series: Random 9, Random 25]
Figure 4 - 12 Compromise Probability with Different Budget and Topologies (|N|=9)
[Plot: Compromise Probability (0 to 1) versus Time (2.5 to 20); series: Grid 20, Grid 25, Grid 30, Random 20, Random 25, Random 30]
4.4 Discussion of Results
Figures 4-1 to 4-4 show the compromise probability of the grid network under different total defender budgets. We make three observations on these figures. First, the compromise probability from the source node to the destination node increases continually over time, and the core node is eventually penetrated. Second, the heuristic we propose yields results closer to the LB, which is obtained from (LR1), than SA1 and SA2 do, and it has a smaller gap to the optimal objective function value. Third, Figure 4-4 shows that the more budget we allocate to this network, the lower the attacker's compromise probability.
Figures 4-6 to 4-9 show the compromise probability of the random network under different total budgets. As in the grid network, the compromise probability of this network rises continually and the core node is eventually intruded. The major distinction from the grid network is that the compromise probability cannot be improved once the budget the defender can allocate exceeds 15 units. The reason for this special situation is that this network has a shortest path from the source node to the core node. When every node on this critical path has been allocated its maximum per-node budget and the attacker still chooses it as the attack path, the compromise probability of this kind of network reaches a limit. Therefore, the remainder of the total budget should be allocated to other uses.
Figure 4-12 compares the grid network with the random network under different total budgets, and we observe that the compromise probability of the grid network is smaller than that of the random network. This is because the grid network has a larger diameter than the random network: an attacker trying to penetrate the grid network needs to pass through more hops than in the random network. This shows the advantage of defense-in-depth, and the same effect appears in Figures 4-5 and 4-11.
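The budget saturation and defense-in-depth effects discussed above can be reproduced on a toy instance. This is an added example, not code or data from the thesis: the normal compromise-time model, the constants BASE, GAIN, SIGMA and CAP, the three topologies, and the brute-force search (standing in for the thesis's solution method) are all assumptions.

```python
import itertools
import math

# Assumed toy model (not the thesis's parameters): a node holding b budget units takes a
# normally distributed time to compromise, mean BASE + GAIN*b, std SIGMA; at most CAP per node.
BASE, GAIN, SIGMA, CAP = 1.0, 0.5, 1.0, 5

def path_prob(path, alloc, T):
    """P(all nodes on path fall within time T): a sum of independent normals is normal."""
    mu = sum(BASE + GAIN * alloc[n] for n in path)
    sd = SIGMA * math.sqrt(len(path))
    return 0.5 * (1.0 + math.erf((T - mu) / (sd * math.sqrt(2.0))))

def attacker_best(paths, alloc, T):
    """Inner problem: the attacker takes the path with the highest success probability."""
    return max(path_prob(p, alloc, T) for p in paths)

def defender_best(paths, budget, T):
    """Outer problem: exhaustive search over integer allocations (small graphs only)."""
    nodes = sorted({n for p in paths for n in p})
    best_prob, best_alloc = 2.0, None
    for combo in itertools.product(range(CAP + 1), repeat=len(nodes)):
        if sum(combo) > budget:
            continue
        alloc = dict(zip(nodes, combo))
        prob = attacker_best(paths, alloc, T)
        if prob < best_prob:
            best_prob, best_alloc = prob, alloc
    return best_prob, best_alloc

# Constructed topologies; each path lists the nodes to compromise, ending at the core.
SHORTCUT = [["a", "core"], ["b", "c", "d", "core"]]  # short critical path plus a detour
SHALLOW = [["n1", "core"]]                           # depth 2
DEEP = [["n1", "n2", "n3", "core"]]                  # depth 4

if __name__ == "__main__":
    T = 6.0
    for budget in (4, 8, 12, 16, 20):
        prob, alloc = defender_best(SHORTCUT, budget, T)
        print(f"budget={budget:2d}  compromise probability={prob:.4f}  {alloc}")
    print("shallow, budget 8:", round(defender_best(SHALLOW, 8, T)[0], 4))
    print("deep, budget 8:   ", round(defender_best(DEEP, 8, T)[0], 4))
```

In this instance the probability stops falling once both nodes on the short path hold CAP units and the detour is no longer the attacker's better option; with the same budget, the depth-4 chain ends with a lower compromise probability than the depth-2 chain.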
Chapter 5 Conclusion and Future Work
5.1 Conclusion
Although it is improbable that attackers can be prevented from penetrating networks, defenders can establish defense mechanisms for their networks through a defense resource allocation strategy. With a well-planned budget allocation, we can decrease the compromise probability of the core node; in other words, the survival probability of the targeted node increases. Hence, we have more chance to detect, alert on, and respond to attacks.
In this thesis we use attack-defense behavior to describe the targeted attack. While an attacker intends to maximize the compromise probability from the source node to the core node by choosing an attack path, a defender tries to minimize it by allocating resources well.
Providing more resources does not always decrease the compromise probability for some networks; that is, the compromise probability of this kind of network has a limit. Therefore, it is acceptable for the defender to provide only enough budget for the network, and the remainder should be allocated to other uses or used to support other networks.
Although raising the total resources of a network is a good way to defend against intrusions, another way to reduce the compromise probability is to increase the depth of the network. The more steps an attacker needs to pass, the more time he must spend, and the more likely he is to be detected. Hence, adding an extra defense device on the critical path of a network is another choice for increasing the survival time of the core node.
The main contribution of this research is that it combines a single core node, probability, and survival time, and we propose a mathematical model to formulate this complex problem. Although some papers have already discussed the single core node problem and measured network survivability by probability, we approach it from a new dimension, “time”. This research provides the defender with a budget allocation strategy that reduces the compromise probability of the core node under different time slots, so that defenders can know the probability of the core node being compromised within a time constraint upon intelligent and malicious attacks.
5.2 Future Work
Several issues and topics could be extended for further discussion; we describe them as follows.
Different kinds of operating system
According to the report gathered by SANS-ISC, the survival time of UNIX systems is much longer than that of Windows systems [5]. Nevertheless, UNIX systems are not as friendly for users as Windows systems. These two characteristics are a trade-off for defenders to adjust. Hence, we could replace only some Windows system nodes with UNIX systems to increase the survival time.
Figure 5 - 1 The Survival Time of UNIX and Windows systems
Attacker experience
Through attacking networks, attackers learn things such as attacking techniques, social engineering skills, etc. This kind of experience lets attackers penetrate the next node more easily than before, and it should be reflected in the compromise probability distribution of each node. Therefore, we could add an attacker parameter that raises the compromise probability of each node on the attack path. We consider the effect of experience accumulated by the attacker along the attack process. More precisely, it is assumed that a discount factor is gained for each compromised node, and this discount factor affects the aforementioned CDF function (in the direction opposite to that of the allocated defense resource) of each subsequently attacked node.
Reference
[1] Lawrence A. Gordon, Martin P. Loeb, William Lucyshyn, and Robert Richardson, “CSI/FBI Computer Crime and Security Survey,” 2006
[2] Alex Shipp, “Targeted Trojan Attacks and Industrial Espionage,” Virus Bulletin Conference, 2006
[3] Yi-Luen Lin, “Near Optimal Protection Strategies against Targeted Attacks on the Core Node of a Network”
[4] Partha Pal, Franklin Webber, and Richard Schaniz, “Survival by Defense-Enable,” OASIS, 2003
[5] SANS-ISC (SysAdmin, Audit, Network, Security Institute - Internet Storm Center), http://isc.sans.org/survivalhistory.php
[6] Matt Loney and Robert Lemos, “Study: Unpatched PCs compromised in 20 minutes,” CNET News.com, Aug. 2004
[7] Zeid Nasser, “‘Survival Time’ must be increased!” http://zeidnasser.blogspot.com, Jun. 2005
[8] Fred Cohen, “Managing Network Security - Attack and Defense Strategies,” Network Security, Jul. 1999
[9] Kong-wei Lye and Jeannette M. Wing, “Game strategies in network security,” International Journal of Information Security, Vol. 4, No. 1-2, pp. 71-86, Feb. 2005
[10] Milton Abramowitz and Irene A. Stegun, “Normal or Gaussian Probability Function,” Handbook of Mathematical Functions with Formulas, Graphs, and Mathematical Tables, p. 931, 1964
[11] Malware-Test Lab, http://www.malware-test.com/
[12] R. Bracewell, “Convolution” and “Two-Dimensional Convolution,” The Fourier Transform and Its Applications, 3rd Ed., pp. 25-50 and 243-244, New York: McGraw-Hill, 1999
[13] Ravindra K. Ahuja, Thomas L. Magnanti, and James B. Orlin, “Lagrangian Relaxation and Network Optimization,” Network Flows: Theory, Algorithm, and Application, pp. 598-639, Prentice Hall, Inc., Jan. 1993
[14] Marshall L. Fisher, “The Lagrangian Relaxation Method for Solving Integer Programming Problems,” Management Science, Vol. 27, No. 1, pp. 1-18, Jan. 1981
[15] Marshall L. Fisher, “An Application Oriented Guide to Lagrangian Relaxation,” Interfaces, Vol. 15, No. 2, pp. 10-21, Apr. 1985
[16] Wasel Chemij, “Parallel Computer Taxonomy,” MPhil, Aberystwyth University, 1994
[17] Albert-Laszlo Barabasi and Reka Albert, “Emergence of Scaling in Random Networks,” Science, Vol. 286, pp. 509-512, Oct. 1999
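Curriculum Vitae
Name: Chun-Wei Chen (陳俊維)
Place of birth: Manila, Philippines
Date of birth: March 29, 1980 (ROC year 69)
Education: September 2002 to June 2005 (ROC years 91 to 94)
Department of Information Management, National Central University
Department of Electrical Engineering
September 2005 to July 2007 (ROC years 94 to 96)
Graduate Institute of Information Management, National Taiwan University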