Post on 12-Jan-2016

Optimal Network Protection Against Diverse Interdictor Strategies

Jose E. Ramirez-Marquez, Claudio M. Rocco, Gregory Levitin

Advisor : Professor Frank Y.S. Lin

Presented by Yu-Pu Wu


About

Authors: Jose E. Ramirez-Marquez, Claudio M. Rocco, Gregory Levitin

Title: Optimal Network Protection Against Diverse Interdictor Strategies

Provenance: Reliability Engineering and System Safety 96 (2011), 374-382


Agenda

Introduction

Network Protection Background

Optimal Network Protection

Experimental Results

Conclusions


Introduction (1/6)

Based on common network models, current research has concentrated on determining the most critical parts of the networks and finding optimal distribution of security investments among these different elements of infrastructures.

Network interdiction (NI) problems assume that some consumer product or service is delivered through a network with a known and fixed configuration.

Under this setting, an interdictor is interested in reducing the flow of goods through the network by interdicting network elements.


Introduction (2/6)

Current NI research is valuable as a means to identify the most important set of components in a network.

Generally, NI models consider a fixed setting in the sense that they are focused on understanding how the network is damaged without any regard to potential defender and interdictor strategies.

These research efforts relate actual interdictor strategies to the defender’s intent of improving the safety and security of systems by adequately building protection, within the system, against natural disasters and/or intentional attacks.


Introduction (3/6)

Ramirez-Marquez et al. [25] have proposed an approach that provides an optimal protection plan to maximize the survivability of a network for a specific network flow when resources are equally distributed to protect network links and under a single pre-specified attacker strategy which considers that the interdictor distributes resources evenly among all network components.

However, the decision in [25] is of binary nature, considering the defense budget is equally distributed among the protected links. Therefore, it has been recognized that the general, and more realistic, problem the defender faces is of a continuous nature and thus, of an infinite solution space.

25 : Ramirez-Marquez JE, Rocco C, Levitin G. Optimal protection of general source-sink networks via evolutionary techniques. Reliability Engineering and System Safety 2009;94(10):1676–84.


Introduction (4/6)

There are two contributions. (1/2)

Based on the assumption that link vulnerability is determined by the ratio form of the attacker–defender contest success function as described in [19], a transformed stochastic NI approach [18] is used to maximize the survivability of the network for a given demand while satisfying a defense budget constraint for a set of potential interdictor strategies.

19 : Levitin G, Hausken K. Redundancy versus protection versus false targets for systems under attack. IEEE Transactions on Reliability 2009;58(1):58–68.

18 : Ramirez-Marquez JE, Rocco C. Stochastic network interdiction optimization via capacitated network reliability modeling and probabilistic solution discovery. Reliability Engineering and System Safety 2009;94(5):913–21.


Introduction (5/6)

There are two contributions. (2/2)

The solution approach developed to solve the new optimization model is based on an evolutionary algorithm that allows considering continuous variables. The proposed algorithm is a newly developed continuous version of PSDA [27] that in a probabilistic manner iteratively explores regions of an optimization problem solution space with the intent of identifying an optimal solution.

27 : Concho A, Ramirez-Marquez JE. An evolutionary algorithm for port-of-entry security optimization considering sensor thresholds. Reliability Engineering and System Safety 2010;95(3):255–66.


Introduction (6/6)

This research is interested in understanding the optimal defender’s response against a set of visible or potential attacks.


Network Protection Background (1/1)

The Network Protection Background has three parts:

Network Representation

Link Vulnerability

Network Vulnerability


Network Representation (1/1)

G(N,A) : capacitated network

Known source node s

Known sink node t

N : the set of nodes

A : the set of links

A1 := {(s,i), (j,t) | 1 < i, j < n}

A2 := {(i,j) | 1 < i, j < n}

kijg : element of kij, the capacity vector of link (i,j), g = 0, 1

a : state vector describing the current capacity of each link in the network, (as1, as2, ... , ant)


Link Vulnerability (1/3)

vij(w) : the vulnerability of link (i,j) under a given interdictor strategy w, described using the ratio form of the attacker–defender contest success function.


Link Vulnerability (2/3)

& describe the attacker’s and defender’s resource allocation for attacking/defending the link between nodes i and j.

m : the contest intensity.

m=0

0<m<1 (entrenchment + machine gun)

1<m<∞ (airplanes + tanks)

m=1

32 : Hirshleifer J. Anarchy and its breakdown. Journal of Political Economy 1995;103(1):26–52.


Link Vulnerability (3/3)

t(w) : defense strategy vector t(w) = (ts1(w), ... , tnt(w))

tij(w) : a non-negative continuous variable representing the amount of resources allocated to defend link (i,j) under attack strategy w.


Network Vulnerability (1/1)

The function maps a state vector into a network flow between s and t, meaning the network s–t flow under a.

The survivability of the network under defense strategy vector t’(w) for a given s–t flow d and under attack strategy w can be defined as


Optimal Network Protection (1/2)

12

objective function


Optimal Network Protection (2/2)

The PSDA was originally developed to provide high quality solutions for integer and/or binary variable decision optimization problems.

For tij(w), the proposed version of PSDA initially defines a range of values for the defense of each arc as dictated by and then, based on the fitness of the solutions generated, iteratively reduces the length of the initial range until its value equals zero or a stopping rule is enforced.

The pseudo-code has three main steps.


Step 1 : Defense Strategy Development

Generate a specified number (called SAMPLE) of potential network defense strategies via Monte Carlo simulation.

. h means one of SAMPLE, one kind of strategy.

. the is vector of initial range of values for the defense of each arc.

.


Step 1 : Defense Strategy Development

The algorithm will stop whenever vector can no longer be updated or when a user-specified number of cycles, u, has been reached.


Step 2 : Strategy analysis

Analyzes the defense resources allocated to each element of and then estimates the survivability 1 . MC simulation along with the Ford–Fulkerson procedure.

Once the survivability for each potential defense strategy has been obtained, each strategy needs to be analyzed for its fitness.

Immediately afterwards, the solutions are ranked from highest to lowest with respect to the penalized survivability.
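
An added example (not from the slides or the paper's own code) of the Step 2 survivability estimate: link failure probabilities come from the ratio-form contest success function, and Monte Carlo sampling with Ford–Fulkerson max flow estimates the probability that the s–t flow stays at or above d. The ratio form v = T^m / (T^m + t^m) is assumed from the contest-success literature the slides cite; the four-link network, the budgets and all function names are constructed for illustration.

```python
import random
from collections import deque

def link_vulnerability(attack, defense, m):
    """Ratio-form contest success function: P(link destroyed) = T^m / (T^m + t^m).
    Assumed standard form; T = attack effort, t = defense effort on the link."""
    if attack <= 0:
        return 0.0                      # link not attacked
    if defense <= 0:
        return 1.0                      # attacked and undefended
    return attack ** m / (attack ** m + defense ** m)

def max_flow(cap, s, t):
    """Ford-Fulkerson with BFS augmenting paths; cap is {(u, v): capacity}."""
    res = dict(cap)
    for u, v in cap:
        res.setdefault((v, u), 0)       # reverse residual arcs
    adj = {}
    for u, v in res:
        adj.setdefault(u, []).append(v)
    flow = 0
    while True:
        parent, queue = {s: None}, deque([s])
        while queue and t not in parent:
            u = queue.popleft()
            for v in adj.get(u, []):
                if v not in parent and res[(u, v)] > 0:
                    parent[v] = u
                    queue.append(v)
        if t not in parent:
            return flow
        path, v = [], t
        while parent[v] is not None:
            path.append((parent[v], v))
            v = parent[v]
        push = min(res[e] for e in path)
        for u, v in path:
            res[(u, v)] -= push
            res[(v, u)] += push
        flow += push

def survivability(cap, attack, defense, m, d, s="s", t="t", nsimul=2000, seed=1):
    """Monte Carlo estimate of P(s-t max flow >= d) after the attack."""
    rng = random.Random(seed)
    v = {e: link_vulnerability(attack.get(e, 0), defense.get(e, 0), m) for e in cap}
    hits = 0
    for _ in range(nsimul):
        # binary link state: full capacity, or 0 if the attack on it succeeds
        state = {e: 0 if rng.random() < v[e] else c for e, c in cap.items()}
        hits += max_flow(state, s, t) >= d
    return hits / nsimul

# Constructed 4-link network: two disjoint s-t paths, each able to carry d = 10.
CAP = {("s", "a"): 10, ("a", "t"): 10, ("s", "b"): 10, ("b", "t"): 10}
ATTACK = {e: 10 for e in CAP}                        # B = 40 spread evenly (scenario 1)
EVEN = {e: 10 for e in CAP}                          # b = 40 spread evenly
ONE_PATH = {("s", "a"): 20, ("a", "t"): 20}          # b = 40 on a single path

if __name__ == "__main__":
    for m in (0.3, 1, 3):
        even = survivability(CAP, ATTACK, EVEN, m, d=10)
        path = survivability(CAP, ATTACK, ONE_PATH, m, d=10)
        print(f"m={m}: even={even:.3f}  one-path={path:.3f}")
```

On this constructed network, concentrating the defense budget on one path beats even spreading for m = 3 and loses to it for m = 0.3, consistent with the slides' remark that resource superiority is highly related to the contest intensity m.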


Step 2 : Strategy analysis

1


Step 3 : Solution discovery

In the third and final step of PSDA, a subset of size S of the set of ordered defense strategies (a set of size SAMPLE) is used to update the range of values for the defense of each arc.

This new vector is sent to Step 1 to check for termination or to guide the evolutionary search into potentially higher quality solutions.

The best feasible solution obtained in the cycle is stored in set K.


Step 3 : Solution discovery

1


Discussion of PSDA parameters (1/3)

The continuous version of PSDA requires four user input parameters, namely U, S, SAMPLE, and NSIMUL.

While smaller values of the parameter SAMPLE can lead to a faster convergence of the final defense strategy, the bigger its size the more likely a diverse number of solutions will be generated and usually the better the solution quality.


Discussion of PSDA parameters (2/3)

S effectively drives the solution space.

Previous experimentation has found that good solutions can be obtained when it is within 20% of the parameter SAMPLE.

U defines the total number of runs for the PSDA.

NSIMUL defines the total number of runs for the reliability estimation routine.


Discussion of PSDA parameters (3/3)

When there is certainty about a single attack strategy, such a model suffices.

Whenever intelligence provides more than one potential attack strategy, the defender faces a decision on which of the optimal defense strategies developed for each attack strategies to select.


Defense Strategy Selection (1/2)

In this paper, the rationale regarding attack strategies is that, while they are visible, there is no knowledge about the underlying likelihood of each attack strategy.

If the probabilities of occurrence for each attack strategy can be obtained, then the survivability of the network can be computed equivalently as a weighted average.

Let R be defined as a payoff matrix where each element represents the survivability of the network for a given flow d when under defense strategy t*(w’) and attack strategy w.


Defense Strategy Selection (2/2)

Based on matrix R then the best defense strategy is given by


Experimental Results (1/1)

Two examples

The first example is a simple network to provide in-depth discussion about Model Vulnerability and the continuous version of PSDA.

The second example is a larger two-terminal network originally presented in [34] (the Dai & Poh network).

34 : Dai Y, Poh K. Solving the network interdiction problem with genetic algorithms. In: Proceedings of the fourth Asia-Pacific conference on industrial engineering and management system, Taipei, December 18–20, 2002.


Illustrative network (1/13)


Illustrative network (2/13)

Each of the links between the nodes has been assigned two values: capacity and index number. The link between nodes 1 and 2 has a capacity of 20 units and is indexed as link 1.

In the case of no link failures, the network can handle a maximum flow of 45 units between the source node (node 1) and the sink node (node 8).


Illustrative network (3/13)

To illustrate the optimization model and its solution as described in Section 3, the following have been considered:

two required flows (d = 20, 10)

two attack budgets (B = 520 and 260)

three defense budgets (b = 130, 650, and 1300)

three contest intensities (m = 0.3, 1, and 3)

three different attack scenarios

The three attack scenarios are as follows.


Illustrative network (4/13)

Scenario 1

Attack resources have been equally allocated among the links in the network.

The attacker has no information about the network structure and importance of particular links and tries to destroy every link.

The attacker has no ability to direct the attack against specific links.

The system needs to be protected against natural destructive forces that hit the entire area of the system.


Illustrative network (5/13)

Scenario 2

Attack resources have been equally allocated among the network links connected to the source node.

This attack scenario assumes that the attacker has obtained “some” insight about the configuration of the network and decides to allocate resources in an effort to interdict the network flow.

Scenario 3

It assumes that the attacker will target the network links connected to the sink node.


Illustrative network (6/13)

The following parameters were used for PSDA: U = 250, S = 140, SAMPLE = 1000, NSIMUL = 2000.

Average CPU time per run is 150 sec on an AMD Athlon @ 1.5 Ghz, 1 Gb RAM.

The network reliability simulation is the most time-consuming element.


Illustrative network (9/13)

“Def. Tot.” : the total defense strategy cost

“Net. Surv.” : the network survivability, i.e. the probability that after the attack the network is able to provide a flow from source to sink of not less than d

These results provide a good understanding of the defender strategy for maximizing the network survivability.


Illustrative network (10/13)

For both demands considered, the network configuration is highly redundant allowing for multiple source-sink paths to satisfy the requirement.

Because of this redundancy, the defender can concentrate his effort on protecting only part of the links and achieve resource superiority for the protected links.

The resource superiority is highly related to contest intensity m.


Illustrative network (11/13)

When defense resources are scarce (b = 130), the links defended should be those that can guarantee the flow in a single source-sink path.

As defense resources increase (b = 650, 1300) redundant components or paths should also be defended.


Illustrative network (12/13)

The expectation was that even resource distribution among the defended links would yield lower network survivability than the unrestricted distribution considered in this manuscript.

However, the results presented indicate that uneven resource distribution does not improve the system survivability considerably.

However, it does yield a more cost effective resource distribution.

If the problem were to minimize the defense cost when considering a survivability requirement, the uneven resource distribution yields better results.


Illustrative network (13/13)

From Table 2.

When intelligence about the links to be attacked is available, in the case of scarce defense resources the defender should allocate all resources to a subset of links to be attacked in order to achieve the resource superiority over the attacker.

When the defense resources increase, the defender can afford to defend more links and protect all links that are to be attacked.


Dai & Poh Network (1/4)


Dai & Poh Network (2/4)

Single Scenario (scenario 1 of Section 4.1)

Three contest intensities (m = 0.2, 1, and 5)

Three network flows (d = 44, 29, and 11)

Three defense budgets (b = 1000, 3000, and 9000)

Two attack budgets (B = 210 and 600)

The following parameters were used for PSDA: U = 250, S = 140, SAMPLE = 1000, and NSIMUL = 2000.

Average CPU time per run is 315 sec on an AMD Athlon @ 1.5 Ghz, 1 Gb RAM.


Dai & Poh Network (4/4)

The total amount of defense resources used when considering continuous allocation of resources is lower than when distributing evenly among the defended links.

An advantage of this approach is that it provides a defense strategy that achieves the desired network survivability at minimal cost.


Conclusions (1/3)

There is a new network defense model in which a defender allocates protection resources to network links, so as to maximize the probability that a desired network flow can be delivered from source to sink (the survivability of the network).

The optimization model is based on the attacker–defender contest success function that determines the vulnerability of each network link.


Conclusions (2/3)

Allowing the defender to distribute resources unevenly does not provide a significant increase in network survivability in the case of different attack scenarios. However, it does yield a more cost effective allocation.

If the problem is to minimize the defense cost when considering a survivability requirement, the results obtained in this manuscript illustrate that an uneven allocation of resources would yield the better defense resource allocation.


Conclusions (3/3)

The uneven allocation of resources becomes important when the vulnerability of the network links is not determined by the same function.

Allocation of the same attack and defense resources in two different links does not yield the same vulnerability.

It may be caused by different link accessibility, or by different technical or environmental conditions.


Thanks for your attention