Redundancy vs. Protection vs. False Targets for Systems


REDUNDANCY VS. PROTECTION VS. FALSE TARGETS FOR SYSTEMS UNDER ATTACK
Gregory Levitin, Senior Member, IEEE, and Kjell Hausken
IEEE Transactions on Reliability
Vol. 58, No. 1, March 2009
Advisor: Frank Yeong-Sung, Lin
Presented by: Hui-Yu, Chung

Agenda
• Introduction
• The Model
• Determining the Optimal Strategies
• Considering Intervals of the Contest Intensity
• Conclusions

Introduction

Resources of the Defender
◦ Three measures to maintain survivability
 • Deploying redundant genuine elements (GE)
 • Deploying false elements (FE) to attract the attacker
 • Protecting some of the GE

Resources of the Attacker
◦ The attacker’s objective is to maximize damage
 • But the attacker is expected to expend resources on both GE and FEs.

Introduction

Defender’s strategy
◦ How to allocate its resources between GE, FE, and protection of GE

Attacker’s strategy
◦ How many elements to attack

Two-period game with minmax defender strategy
◦ First period: defender; second period: attacker
◦ Minimize the maximum risk

Basic Definitions & Acronyms
Genuine system element (GE)
• Lowest-level part of the system, characterized by performance g and cost x
False element (FE)
• Imitation of a GE that has actual performance 0 and cost y
Element
• Either GE or FE
Vulnerability
• Conditional probability of element destruction given that it is attacked
Protection
• Technical or organizational measure aimed at reducing element vulnerability

Nomenclatures

Assumptions
• The attacker cannot distinguish between GE and FE
• The attacker attacks, and the defender protects, each element with equal resources
• Considering a non-strategic attacker (fixed attack or fixed attack probability)
• Both the attacker and the defender have limited, fixed resources

The Model

All parameters are known by both the defender and the attacker
◦ except that the attacker cannot distinguish GE from FE

The system is built to meet a demand H: Ng ≥ H
• Minimal number of elements required: ⌈H/g⌉
• Total resource cannot exceed r: Nx ≤ r → r ≥ x⌈H/g⌉

The Model

• The attacker attacks Q ≤ N + F elements
• An attacked unprotected GE is destroyed with fixed probability b.
• Using the most conservative defense policy
◦ Assuming a maximum attacker’s budget

Measures and resource needed
Defender side
◦ Increase GE: x
◦ Deploy FE: y
◦ Protect GE: t = (r − Nx − Fy) / K
Attacker side
◦ Attack elements: T = R / Q

Contest Success Function

Attack success probability (vulnerability) for each protected GE

Contest intensity parameter m
◦ Reflects how the survivability of the system depends on the resources expended

Contest Success Function

Contest intensity parameter m:
• m = 0: v = 50%; t and T have equal impact on vulnerability
• 0 < m < 1: disproportional advantage of investing less than the opponent
• m = 1: the investments have proportional impact on vulnerability
• m > 1: disproportional advantage of investing more effort than the opponent (economies of scale)
• m = ∞: winner-takes-all

Problem Formulation

The prob. that the attacker attacks exactly n GE is

For any n, the conditional prob. that exactly k out of n attacked GE are protected is

The prob. that exactly n GE are attacked, and among them k GE are protected is
P(A ∩ B) = P(A) P(B|A)

Problem Formulation

The conditional prob. that exactly s out of k protected attacked GE are destroyed is

The prob. that exactly n GE are attacked, e out of the n − k attacked unprotected elements are destroyed is

Problem Formulation

p_j: the prob. that exactly j elements are destroyed by the attack, which is the sum of the prob. of all possible combinations that produce the same value of j (j = s + e)
• # of protected attacked GE, k, can range from max{0, Q − N + K} to min{n, K}
• # of attacked GE, n, can range from max{0, Q − F} to min{Q, N}
• Destroyed unprotected elements
• Unprotected elements

Problem Formulation

If b = 1 → e = n − k

Algorithm

Obtains the prob. of the different numbers of GE destroyed by an attack on Q elements

Measures of risk

In terms of expected damage:
Damage exists when j > N − ⌈H/g⌉

In terms of system vulnerability:
◦ (prob. of not meeting the demand)

The Optimal Strategies

The optimal defender strategy can be found as a solution of a minmax game that minimizes the risk, given that for any N, F, K, the attacker chooses Q elements to attack to maximize the risk.

The Optimal Strategies

The risk can be replaced by D or V

Solutions

Solutions for different contest intensities
◦ H = 10, g = 2, y = 1, x = 3, b = 1, R = 10, r = 40
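
The model from the Problem Formulation and Measures of risk slides, evaluated with the parameter set above, as an added Python example that is not code from the presentation or the paper. It assumes the ratio-form contest success function v = T^m / (T^m + t^m), which matches the slide's description of m but whose formula did not survive on this page, takes expected damage D as expected unsupplied demand, and sums k over the hypergeometric support; the function names and the three allocations (N, F, K) are constructed for illustration.

```python
from math import comb, ceil

def vulnerability(t, T, m):
    # Assumed ratio-form contest success function: v = T^m / (T^m + t^m).
    return T**m / (T**m + t**m)

def destroyed_dist(N, F, K, Q, v, b):
    """p[j] = P(exactly j GE destroyed) when Q of the N+F look-alike elements are attacked."""
    p = [0.0] * (N + 1)
    for n in range(max(0, Q - F), min(Q, N) + 1):            # n attacked GE
        pn = comb(N, n) * comb(F, Q - n) / comb(N + F, Q)
        for k in range(max(0, n - (N - K)), min(n, K) + 1):  # k of them protected
            pk = comb(K, k) * comb(N - K, n - k) / comb(N, n)
            for s in range(k + 1):                           # s protected GE destroyed
                ps = comb(k, s) * v**s * (1 - v)**(k - s)
                for e in range(n - k + 1):                   # e unprotected GE destroyed
                    pe = comb(n - k, e) * b**e * (1 - b)**(n - k - e)
                    p[s + e] += pn * pk * ps * pe
    return p

def risk(p, N, H, g):
    """Return (D, V): expected unsupplied demand and probability of not meeting demand H."""
    D = sum(pj * max(0, H - g * (N - j)) for j, pj in enumerate(p))
    V = sum(pj for j, pj in enumerate(p) if j > N - ceil(H / g))
    return D, V

def attacker_best_response(N, F, K, m, H, g, x, y, b, R, r):
    """Attacker's Q in 1..N+F that maximizes expected damage D against allocation (N, F, K)."""
    spare = r - N * x - F * y                  # budget left for protecting K GE
    if spare < 0 or N * g < H:
        raise ValueError("allocation exceeds budget r or cannot meet demand H")
    best_Q, best_D = 0, -1.0
    for Q in range(1, N + F + 1):
        v = vulnerability(spare / K, R / Q, m) if K else 0.0  # v is unused when K == 0
        D, _ = risk(destroyed_dist(N, F, K, Q, v, b), N, H, g)
        if D > best_D + 1e-12:
            best_Q, best_D = Q, D
    return best_Q, best_D

# Parameters from the slide; the allocations (N, F, K) below are constructed for illustration.
PARAMS = dict(H=10, g=2, x=3, y=1, b=1, R=10, r=40)
if __name__ == "__main__":
    for alloc in [(5, 3, 0), (5, 5, 5), (8, 6, 4)]:
        for m in (0.5, 1, 3):
            print(alloc, m, attacker_best_response(*alloc, m, **PARAMS))
```

With b = 1 and no protection (K = 0), the attacker's best response is to attack every element and D equals H whatever F is. False elements reduce damage only alongside protection, where a larger Q dilutes T = R / Q.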
Solutions

The solutions for the two measures of risk (expected damage and system vulnerability) are similar.
• With small m → increase system redundancy with minimal protection; FE is less important.
• Increasing m → FE becomes more important
• Larger m → since the attacker only attacks a subset of the elements, FE slightly decreases.

Intervals of the Contest Intensity
• In many practical situations, the values of the contest intensities cannot be exactly determined.
• Most conservative defense strategy → consider the most favorable m for the attacker

The defender’s strategy is to choose N*, F*, K* that minimize the risk under the attacker’s optimal strategy Q = Q*(N, K, F, m) in the range m_min ≤ m ≤ m_max

Intervals of the Contest Intensity

Algorithm
In this case, Δm = 0.04(m_max − m_min)

Optimal defender’s minmax strategies as a function of r

H = 10, g = 2, y = 1, b = 1, R = 10, x = 3

Optimal defender’s minmax strategies as a function of x

H = 10, g = 2, y = 1, b = 1, R = 10, r = 50

Optimal defender’s minmax strategies

The influence of increasing the defender’s resource is similar to the influence of decreasing the GE cost.

• Small m → need large N → more sensitive to N
• Intermediate m → prefer large F → less sensitive to N
• Large m → need to protect GE → N decreases

Optimal defender’s minmax strategies as a function of R

H = 10, g = 2, x = 3, y = 1, b = 1, r = 30

Optimal defender’s minmax strategies as a function of R

With the growth of R, the defender must decrease the number of GE and K/N, to allocate more resources to protecting some of the GE.

Low attacker resource
◦ The defender benefits from high contest intensity

High attacker resource
◦ The defender benefits from small contest intensity
◦ The attacker benefits from intermediate contest intensity

Optimal defender’s minmax strategies as a function of b

H = 10, g = 2, x = 3, y = 1, r = 30, R = 10

Optimal defender’s minmax strategies as a function of b

With the growth of b, the importance of protecting GE increases

The defender protects more GE
→ Limits the # of GE that can be deployed
→ Deploys more FE to compensate

K < N
→ The expected damage increases

K = N
→ No unprotected GE
→ b has no effect on expected damage

Considering Optimal FE

The number of FE, F, is most sensitive to variation of the game parameters m, x, r, and R.
◦ The cost of FE is lower than GE
◦ Balance?

Considering Optimal FE

F = 10, g = 2, y = 1, x = 3, b = 1, R = 10, 1 < m < 5

Considering Optimal FE
• Consider a fixed and optimal number of FE
• When r grows, the difference between D corresponding to different fixed values of F decreases.
◦ If the defender has enough resources, non-optimal F can be compensated by other defensive measures.

Conclusions
• Using a two-period minmax game to analyze the defender’s strategy.
• Considering the system redundancy, # of FEs, and protection resource
◦ Small m: high system redundancy with minimum protection, low FE
◦ Intermediate m: redundancy decreased, FE increased, invest more in protection
◦ High m: FE decreases (since the attacker attacks only part of the elements)

Conclusions

Considering contest intensities that cannot be determined exactly, the influence of increasing the defender’s resource is similar to the influence of decreasing the GE cost.

Low GE cost / high defender’s resource:
◦ The defender benefits from extremely low m

High GE cost / low defender’s resource:
◦ The attacker benefits from intermediate m

Conclusions
• When the attacker’s resource is high, the defender needs to lower the ratio of protected GE to deployed GE in order to put more effort into protecting them.

Low attacker resource:
◦ Defender benefits from large m

High attacker resource:
◦ The defender benefits from low m
◦ The attacker benefits from intermediate m

Conclusions

The balance between deploying more FE and spending more resources on protection of the GE depends on the agents’ resources, the contest intensity, and the relative cost of deploying FE and GE.
◦ While the optimal # of FE provides the lowest possible expected damage, the expected damage for some other # of FE may differ from the lowest possible one.

Future work can address cost and budget issues

THANKS FOR YOUR LISTENING~!!!