DESCRIPTION
Modeling and Security Analysis of Enterprise Network Using Attack-defense Stochastic Game Petri Nets. Presenter: Jen-Hua Chi. Advisor: Frank, Yeong-Sung Lin. Agenda: Part I Introduction (Game Theory, Petri Net); Part II Model; Part III Enterprise Network; Part IV Analysis and Conclusion. (PowerPoint presentation)
TRANSCRIPT
Modeling and Security Analysis of Enterprise Network
Using Attack-defense Stochastic Game
Petri Nets
Presenter: Jen-Hua Chi
Advisor: Frank, Yeong-Sung Lin
Agenda
Part I Introduction (Game Theory, Petri Net)
Part II Model
Part III Enterprise Network
Part IV Analysis and Conclusion
Introduction
Journal: Security and Communication Networks (Security Comm. Networks, 2013; Impact Factor: 0.414)
Author: Yuanzhuo Wang (王卓元)
Introduction
Enterprise network defenses: firewall, VPN, IDS/IPS, antivirus software, content monitoring.
Goal: prevent or counteract attacks more effectively.
Introduction - ADSGN
ADSGN (Attack-Defense Stochastic Game Net) builds on two ingredients: the Stochastic Game Net and the Stochastic Petri Net.
Introduction - SGN
Game Theory :Nash Equilibrium(NE)
Limitations:1. do not have enough modeling abilities to
describe interaction relations 2. existing modeling methods are nearly
impossible to model the dynamic behaviors because of the complexity of state transitions
3. the full state space can be extremely large
7
Introduction - SGN
Stochastic Game Nets:
- use the NE as part of the transition probabilities in SGN models
- build one model per player, then combine the player models
- solve backwards: attack and defense actions are interrelated with one another
Introduction - Stochastic Petri Net
Mathematical modeling language: a directed bipartite graph.
Nodes: transitions and places. Transitions: events that may occur. Places: conditions.
The directed arcs describe which places are pre- and/or post-conditions for which transitions.
Introduction - Stochastic Petri Net
P is a set of states, called places: P = {P1, P2, P3, P4}
T is a set of transitions: T = {T1, T2}
M represents the number of tokens in each place; the initial marking is m0 = {1, 0, 2, 1}
Each transition has a firing rate.
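The Petri net semantics behind this slide (enabling, firing, the marking graph, and the race between exponentially timed transitions), as an added example that is not part of the slides or the paper. The place and transition counts and the initial marking m0 = (1, 0, 2, 1) follow the slide; the arcs, the firing rates and the security reading of each place (P1 attacker outside, P2 attacker inside, P3 unpatched vulnerabilities, P4 administrator available) are assumptions made for the example.

```python
"""Stochastic Petri net: places, transitions, marking, firing rates.
Added example; arcs, rates and place meanings are assumed (see comments)."""
import random
from dataclasses import dataclass
from typing import Dict, List, Tuple

Marking = Tuple[int, ...]          # tokens in (P1, P2, P3, P4)


@dataclass
class Transition:
    name: str
    pre: Dict[int, int]             # input arcs: place index -> tokens consumed
    post: Dict[int, int]            # output arcs: place index -> tokens produced
    rate: float                     # exponential firing rate


# Assumed net: P1 attacker outside, P2 attacker inside,
# P3 unpatched vulnerabilities, P4 administrator available.
NET: List[Transition] = [
    # T1: attacker exploits one vulnerability and gets inside (P1 + P3 -> P2)
    Transition("T1", pre={0: 1, 2: 1}, post={1: 1}, rate=2.0),
    # T2: administrator patches one vulnerability (P3 + P4 -> P4)
    Transition("T2", pre={2: 1, 3: 1}, post={3: 1}, rate=1.0),
]
M0: Marking = (1, 0, 2, 1)          # initial marking from the slide


def enabled(m: Marking, t: Transition) -> bool:
    """A transition is enabled when every input place holds enough tokens."""
    return all(m[p] >= w for p, w in t.pre.items())


def fire(m: Marking, t: Transition) -> Marking:
    """Firing removes the input tokens and adds the output tokens."""
    if not enabled(m, t):
        raise ValueError(f"{t.name} is not enabled in {m}")
    new = list(m)
    for p, w in t.pre.items():
        new[p] -= w
    for p, w in t.post.items():
        new[p] += w
    return tuple(new)


def enabled_transitions(m: Marking, net: List[Transition]) -> List[Transition]:
    return [t for t in net if enabled(m, t)]


def firing_probabilities(m: Marking, net: List[Transition]) -> Dict[str, float]:
    """Race semantics: the enabled transition with the smallest exponential
    delay fires, i.e. T fires with probability rate_T / sum of enabled rates."""
    en = enabled_transitions(m, net)
    total = sum(t.rate for t in en)
    return {t.name: t.rate / total for t in en}


def reachability_graph(m0: Marking, net: List[Transition]) -> Dict[Marking, List[Tuple[str, float, Marking]]]:
    """Every marking reachable from m0 with its outgoing (transition, rate, marking)
    edges; this graph is the continuous-time Markov chain underlying the SPN."""
    graph: Dict[Marking, List[Tuple[str, float, Marking]]] = {}
    stack = [m0]
    while stack:
        m = stack.pop()
        if m in graph:
            continue
        graph[m] = []
        for t in enabled_transitions(m, net):
            m2 = fire(m, t)
            graph[m].append((t.name, t.rate, m2))
            if m2 not in graph:
                stack.append(m2)
    return graph


def simulate(m0: Marking, net: List[Transition], rng: random.Random) -> Tuple[Marking, float]:
    """One Gillespie-style run until no transition is enabled (a dead marking).
    Returns the final marking and the elapsed model time."""
    m, clock = m0, 0.0
    while True:
        en = enabled_transitions(m, net)
        if not en:
            return m, clock
        total = sum(t.rate for t in en)
        clock += rng.expovariate(total)                    # sojourn time in m
        chosen = rng.choices(en, weights=[t.rate for t in en])[0]
        m = fire(m, chosen)


def breach_fraction(runs: int, seed: int = 1) -> float:
    """Fraction of runs that end with the attacker inside (a token in P2).
    Analytically 2/3 + 1/3 * 2/3 = 8/9 for the assumed net."""
    rng = random.Random(seed)
    hits = sum(1 for _ in range(runs) if simulate(M0, NET, rng)[0][1] > 0)
    return hits / runs
```

With the assumed arcs every firing consumes one P3 token, so each run ends after at most two firings in one of two dead markings: (0, 1, 0, 1) (attacker inside) or (1, 0, 0, 1) (both vulnerabilities patched first). At m0 both transitions race, and T1 wins with probability 2/(2+1).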
Introduction - ADSGN
ADSGN is defined according to the characteristics of network attack and defense actions, and is suitable for investigating the complex and dynamic game-related issues in network attack and defense.
Part I Introduction
Part II Model
Part III Enterprise Network
Part IV Analysis and Conclusion
Agenda
Definition 1 - Stochastic Game Nets
An SGN is defined as a nine-tuple vector; among its components is the action set of player k.
Definition - Stochastic Game Nets
Each token s is assigned a reward vector h(s) = (h1(s), h2(s), ..., hn(s)), where hk(s) is the reward of player k in token s.
Transition firing consists of removing tokens from a subset of places and adding them to another subset; each transition has a firing rate.
Definition - Stochastic Game Nets
A strategy for player k is described as a vector (p denotes the initial state of player k).

Definition 2 - Stochastic Game Nets
For an n-player game, player k's utility is defined in terms of the players' strategy vectors.
Definition 3 - Stochastic Game Nets
An NE is a strategy vector such that no player can increase its own utility by unilaterally changing its strategy while the other players keep theirs.
Definition 3 - ADSGN
Players: n = 2 (administrator, attacker).
Each player has only one best strategy, and that strategy lowers the other player's utility.
There exist some transitions ti such that ti is "no action" (the empty action).
Theorem 1 - ADSGN
For an ADSGN, if the two sets P (places, which describe the states of the system) and T (transitions) are finite, then there exists an NE under mixed strategies.
Modeling and analysis
Reward values R represent the reward gained by a player when an action is completed.
Construction
First build an SGN model per player, then combine the models by merging the places p that denote the same meaning in the SGN models of different players. Two combination cases:

Construction - case 1: inhibition type

Construction - case 2: termination type
Utilities of players
Each player's objective is to maximize its expected return, where k = 1, 2 indexes the players, the strategy starts from an initial place, and each place has a discount index.
Player k chooses an action at a place using a probability distribution over its action set at that place.
In order to determine the optimal defense strategy, we must find the NE.
Calculation of the Nash Equilibrium - Continuous ACO (CACO)
For each place pi, the behavior is modeled as a matrix game Gi between the action set of the attacker and the action set of the administrator at pi.
If an attack action chosen in place pi is successful and undetected, the system may transfer to another place pj, where the game continues.
Calculation of the Nash equilibrium
U(pi) denotes the expected utility at place pi.
Objective function: the NE is obtained by optimizing the objective function over the players' strategies (solved with CACO).
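A worked version of the per-place matrix game and the backward computation of U(pi), as an added example that is not the paper's or the slides' code. It assumes a zero-sum game (the administrator's loss is the attacker's gain), so each place's NE is the minimax solution of its 2x2 matrix game and no CACO search is needed; the paper's general-sum formulation and its objective function are not reproduced. Further assumptions: at every place the attacker has one attack action plus the empty action a7, the administrator has one defense action plus the empty action d6, a detected attack or an idle attacker ends the game, and the payoff numbers, discount indices and the chain p1 -> p2 -> p3 -> p4 -> p5 -> p6 are constructed (the action identifiers follow the slides).

```python
"""Backward induction over the places of an attack-defense stochastic game.
Added example; zero-sum assumption, payoffs and place chain are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

Matrix = List[List[float]]


def solve_zero_sum_2x2(g: Matrix) -> Tuple[float, float, float]:
    """Value and equilibrium mixed strategies of a 2x2 zero-sum matrix game.
    g[i][j] is the row player's (attacker's) payoff; the column player
    (administrator) minimises it. Returns (value, P(row 0), P(col 0)).
    A saddle point (pure NE) is checked first; otherwise the closed form
    for a 2x2 game without a saddle point is used."""
    (a, b), (c, d) = g
    maximin = max(min(a, b), min(c, d))
    minimax = min(max(a, c), max(b, d))
    if maximin == minimax:                       # pure strategies suffice
        row = 0 if min(a, b) >= min(c, d) else 1
        col = 0 if max(a, c) <= max(b, d) else 1
        return maximin, float(row == 0), float(col == 0)
    denom = a + d - b - c                        # non-zero when no saddle point exists
    p = (d - c) / denom                          # attacker's weight on row 0
    q = (d - b) / denom                          # administrator's weight on col 0
    return (a * d - b * c) / denom, p, q


@dataclass(frozen=True)
class PlaceGame:
    name: str
    attack: str      # attack action offered here (slide identifier)
    defend: str      # defense action offered here (slide identifier)
    gain: float      # attacker's reward when the attack succeeds undetected
    penalty: float   # attacker's loss when the attack is detected (game ends)
    cost: float      # administrator's cost of defending when nothing happens
    discount: float  # discount index of the place
    nxt: str         # place reached by a successful, undetected attack


# Constructed chain; identifiers as on the slides (a1 scan vulnerability / d1 IDS scan,
# a2 crack password / d2 cheat attacker, a3 attack database / d3 get evidence,
# a5 install sniffer / d4 blockade IP, a6 / d5 remove sniffer).
PLACES: List[PlaceGame] = [
    PlaceGame("p1", "a1", "d1", gain=2, penalty=2, cost=2, discount=0.5, nxt="p2"),
    PlaceGame("p2", "a2", "d2", gain=2, penalty=2, cost=2, discount=0.5, nxt="p3"),
    PlaceGame("p3", "a3", "d3", gain=4, penalty=2, cost=2, discount=0.5, nxt="p4"),
    PlaceGame("p4", "a5", "d4", gain=4, penalty=2, cost=2, discount=0.5, nxt="p5"),
    PlaceGame("p5", "a6", "d5", gain=8, penalty=2, cost=2, discount=0.5, nxt="p6"),
]
TERMINAL = "p6"      # information stolen: the game is over, continuation value 0


def matrix_game(pl: PlaceGame, u: Dict[str, float]) -> Matrix:
    """G_i for place p_i: rows {attack, a7 empty}, columns {defend, d6 empty}.
    The continuation value of the next place is discounted by the place's index."""
    success = pl.gain + pl.discount * u[pl.nxt]
    return [[-pl.penalty, success],     # attack: detected / undetected
            [pl.cost, 0.0]]             # empty: wasted defense / nothing happens


def backward_induction(places: List[PlaceGame], terminal: str) -> Dict[str, dict]:
    """Solve the matrix game at every place starting from the one nearest the
    terminal place, so U(p_j) is known before G_i needs it."""
    u: Dict[str, float] = {terminal: 0.0}
    result: Dict[str, dict] = {terminal: {"U": 0.0}}
    for pl in reversed(places):
        if pl.nxt not in u:
            raise ValueError(f"{pl.name}: successor {pl.nxt} not solved yet; "
                             "order the places so each successor comes later")
        value, p_attack, q_defend = solve_zero_sum_2x2(matrix_game(pl, u))
        u[pl.name] = value
        result[pl.name] = {
            "U": value,
            "attacker": {pl.attack: p_attack, "a7": 1 - p_attack},
            "administrator": {pl.defend: q_defend, "d6": 1 - q_defend},
        }
    return result
```

For the matrix [[-penalty, success], [cost, 0]] with all three numbers positive there is never a saddle point, so both players mix: the attacker attacks with probability cost/(penalty + success + cost) and the administrator defends with probability success/(penalty + success + cost), giving U(pi) = success * cost/(penalty + success + cost). At p5 that is U = 4/3; feeding it back with discount 0.5 gives U(p4) = 14/13.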
Evaluation and analysis
The place set is divided into four parts.
MTFSB: mean time to first security breach
MTTSB: mean time to security breach
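How a mean-time-to-breach measure is evaluated on the six-place model, as an added example that is not the paper's code. The slide expands MTFSB as the mean time to first security breach; the example computes it as the expected time to first reach p6 (information stolen) in a continuous-time Markov chain over the places p1..p6, obtained by solving the linear hitting-time equations. The chain and its rates are constructed: an attack step advances one place at rate lam, detection sends the attacker back to p1 at rate mu from p2..p5, and p6 is absorbing. Whether this is exactly how the paper evaluates MTFSB is an assumption.

```python
"""Mean time to first security breach (MTFSB) as a CTMC hitting time.
Added example; the rate table is constructed, the place names follow the slide."""
from typing import Dict, List

Rates = Dict[str, Dict[str, float]]     # rates[src][dst] = transition rate

PLACES = ["p1", "p2", "p3", "p4", "p5", "p6"]
BREACH = "p6"                            # information stolen: absorbing state


def enterprise_rates(lam: float = 1.0, mu: float = 1.0) -> Rates:
    """Constructed chain: p_i -> p_{i+1} at rate lam (attack progresses),
    p_i -> p1 at rate mu for i = 2..5 (attack detected and blocked)."""
    r: Rates = {p: {} for p in PLACES}
    for i in range(5):
        r[PLACES[i]][PLACES[i + 1]] = lam
    for p in PLACES[1:5]:
        r[p]["p1"] = mu
    return r


def solve_linear(a: List[List[float]], b: List[float]) -> List[float]:
    """Gauss-Jordan elimination with partial pivoting for small dense systems."""
    n = len(b)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(m[r][col]))
        if abs(m[piv][col]) < 1e-12:
            raise ValueError("singular system: some state cannot reach the breach state")
        m[col], m[piv] = m[piv], m[col]
        for r in range(n):
            if r != col:
                f = m[r][col] / m[col][col]
                for k in range(col, n + 1):
                    m[r][k] -= f * m[col][k]
    return [m[i][n] / m[i][i] for i in range(n)]


def time_to_breach(rates: Rates, breach: str) -> Dict[str, float]:
    """Expected time tau_i to first reach `breach` from every state.
    For each transient state i with total outflow q_i:
        q_i * tau_i - sum_j rate_ij * tau_j = 1,   tau_breach = 0
    (first-step analysis: mean sojourn 1/q_i, then continue from the next state)."""
    transient = [s for s in rates if s != breach]
    idx = {s: k for k, s in enumerate(transient)}
    n = len(transient)
    a = [[0.0] * n for _ in range(n)]
    b = [1.0] * n
    for s in transient:
        q = sum(rates[s].values())
        if q == 0.0:
            raise ValueError(f"{s} has no outgoing transition; breach unreachable from it")
        a[idx[s]][idx[s]] = q
        for dst, rate in rates[s].items():
            if dst != breach:
                a[idx[s]][idx[dst]] -= rate
    tau = solve_linear(a, b)
    out = {s: tau[idx[s]] for s in transient}
    out[breach] = 0.0
    return out


def mtfsb(rates: Rates, start: str = "p1", breach: str = BREACH) -> float:
    """Mean time to first security breach from the initial place."""
    return time_to_breach(rates, breach)[start]
```

With lam = mu = 1 the equations give tau = (31, 30, 28, 24, 16, 0) for p1..p6: detection that resets the attacker to p1 at every stage raises the MTFSB from 5 (no detection, the sum of five unit sojourns) to 31. The same vector answers the question "how long until the breach from the state the attacker is already in", which is what a defender wants once an intrusion has been partially observed.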
Part I Introduction
Part II Model
Part III Enterprise Network
Part IV Analysis and Conclusion
Agenda
Enterprise network - security process control structure
(1) Scan the weak ports (attacker)
(2) IDS detects the attack (administrator)
(3) The administrator server orders the firewall and the trap node (administrator)
(4) The attacker enters the trap node (attacker)
(5) The trap node returns false information to the attacker (administrator)
(6) Obtain the evidence of the attacker (administrator)
(7) Crack a common user's user name and password (attacker)
(8) The attacker gains root privileges by manipulating the database (attacker)
(9) The attacker installs the sniffer (attacker)
(10) The administrator server orders the firewall and the antivirus server to blockade the IP of the attacker and remove the sniffer (administrator)

So we have two action sets: the attacker's actions and the administrator's actions.

The ADSGN model is based on the following three assumptions:
(1) the administrator does not know whether there is an attacker or not;
(2) the attacker may have several objectives and strategies that the defender does not know;
(3) not all of the attacker's actions can be observed by the defender.
ADSGN Model of Enterprise Network
There are six places in this model:
{p(normal), p(web server with vulnerability), p(get general permission), p(get root permission), p(sniffer installing), p(information stolen)} = {p1, p2, p3, p4, p5, p6}

Actions available at the places:
p2: web server with vulnerability; p3: get general permission
  attacker: a1: Scan vulnerability; a2: Crack password; a3: Attack database; a7: empty
  administrator: d1: IDS scan; d2: Cheat attacker; d3: Get evidence; d6: empty
p4: get root permission; p5: sniffer installing
  attacker: a4: Enhance permission; a5: Install sniffer; a7: empty
  administrator: d1: IDS scan; d4: Blockade IP; d5: Remove sniffer; d6: empty
p6: information stolen
  attacker: a6: Install sniffer; a7: empty
  administrator: d1: IDS scan; d4: Blockade IP; d5: Remove sniffer; d6: empty
Model - attacker (figure)
Model - administrator (figure)
Model - combine (figure)
Agenda
Part I Introduction
Part II Model
Part III Enterprise Network
Part IV Analysis and Conclusion (MTTSB, MTFSB, attack rate)
Experimental Security Analysis (result figures)
Conclusion
ADSGN inherits the advantages of Petri nets and SGN. It is used to investigate the key factors of the attack and defense models, trying to find their inherent rules and patterns.

Thanks for your attention