
Presented by Yu-Shun Wang Advisor: Frank, Yeong-Sung Lin

Near Optimal Defense Strategies to Minimize Attackers’ Success Probabilities for networks of Honeypots. Presented by Yu-Shun Wang Advisor: Frank, Yeong-Sung Lin. Agenda. Introduction Solution Approach Evaluation Process Policy enhancement Initial parameter configuration Experiment on M


Presentation Transcript


  1. Near Optimal Defense Strategies to Minimize Attackers’ Success Probabilities for networks of Honeypots Presented by Yu-Shun Wang Advisor: Frank, Yeong-Sung Lin

  2. Agenda • Introduction • Solution Approach • Evaluation Process • Policy enhancement • Initial parameter configuration • Experiment on M • Summary OP Lab @ IM, NTU

  3. Agenda • Introduction • Solution Approach • Evaluation Process • Policy enhancement • Initial parameter configuration • Experiment on M • Summary

  4. Introduction • To make attack and defense behavior closer to the real world, we add some new perspectives in this work. • For instance, with the advent of new technology, defenders have different kinds of solutions for dealing with malicious attackers. • Therefore, in this work we consider not only general defense resources but also another kind of defensive technology, the honeypot, as a deceptive tool to distract attackers.

  5. Introduction • We have two different types of defense resource: honeypot and non-honeypot. • Honeypot • The main objective of this kind of defense resource is to deceive attackers. Once attackers compromise these systems, they waste their finite budget. • Learning attack tactics and wasting attack resources • False target • Non-honeypot • This kind of defense resource is allocated to nodes in the network. Its purpose is to increase the defense capability of nodes.

  6. Introduction • We also classify attackers. The classification criteria are: • Budget level • High, medium, and low • Capability • High, medium, and low • Next hop selecting criteria • Highest link utilization • Lowest link utilization • Lowest defense level • Random attack

  7. Agenda • Introduction • Solution Approach • Evaluation Process • Policy enhancement • Initial parameter configuration • Experiment on M • Summary

  8. Solution Approach • Evaluation Process • Since our scenario and environment are very dynamic, it is hard to solve the problem purely by mathematical programming. • Within each attacker category, although the attackers belong to the same type, there is still some randomness among them. • This is caused by honeypots: if an attacker compromises a false target honeypot, there is a probability that he will believe the core node is compromised and terminate the attack. • Therefore, we cannot know whether an attack succeeds or fails until the end of the evaluation.

  9. Solution Approach • Evaluation Process (flowchart) • Initial state • Run the evaluation with the 36 different kinds of attackers M times and get the core node compromise frequency. Divide the frequency by M to obtain the average core node compromised probability. • Adjust defense parameters by policy enhancement • Run another evaluation M times using the adjusted defense parameters and get the corresponding probability • Compare the result with the initial one • Decision: N times? (Yes / No)

  10. Solution Approach • Evaluation Process • Parameter generation • M (Total evaluation frequency for one round) • First, we set an initial value, for example, 10 million. Then, we treat every 10 thousand evaluations as a chunk to summarize the results and draw a diagram depicting the relationship between compromised frequency and number of chunks. • If the diagram shows a converging trend, it implies the value of M is an ideal one. • N (Total rounds for policy enhancement) • We set this value by a resource-constrained approach.
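The evaluation loop and the chunk-based check on M from slides 9 and 10, as an added example (not code from the presentation). The topology, defense levels, link utilizations, uniform sampling over the 36 attacker kinds and the cap of 7 on the high budget level are constructed assumptions.

```python
import random
from itertools import product

# Constructed topology (assumption): node 0 is the entry point, node 5 the core.
LINKS = {0: [1, 2], 1: [3, 4], 2: [4], 3: [5], 4: [5]}
DEFENSE = {0: 1, 1: 3, 2: 2, 3: 4, 4: 2, 5: 6}    # cost to compromise a node
UTIL = {1: 0.7, 2: 0.4, 3: 0.2, 4: 0.5, 5: 0.6}   # utilization of the link into a node
HONEYPOTS = {4}                                   # false-target honeypot
CORE, MIN_COST = 5, 11                            # 11 = cheapest path 0-2-4-5

BUDGETS = {"low": (1, 3), "medium": (3, 5), "high": (5, 7)}  # x MIN_COST; 7 is an assumed cap
DECEIVED = (0.3, 0.5, 0.7)                        # deceived probabilities from slide 17
CRITERIA = ("highest_util", "lowest_util", "lowest_defense", "random")
ATTACKERS = list(product(BUDGETS, DECEIVED, CRITERIA))       # 3 * 3 * 4 = 36 kinds

def attack(rng, budget, deceived_p, criterion):
    """Simulate one attack; return True if the core node is compromised."""
    node, budget = 0, budget - DEFENSE[0]
    while node != CORE:
        hops = LINKS[node]
        if criterion == "random":
            node = rng.choice(hops)
        elif criterion == "lowest_defense":
            node = min(hops, key=DEFENSE.get)
        else:
            pick = max if criterion == "highest_util" else min
            node = pick(hops, key=UTIL.get)
        budget -= DEFENSE[node]
        if budget < 0:
            return False                          # budget exhausted
        if node in HONEYPOTS and rng.random() < deceived_p:
            return False                          # believes the core fell and stops
    return True

def evaluate(chunks, chunk_size=10_000, seed=1):
    """Return the running core-compromise probability after each chunk."""
    rng, hits, running = random.Random(seed), 0, []
    for k in range(1, chunks + 1):
        for _ in range(chunk_size):
            level, p, crit = rng.choice(ATTACKERS)
            budget = MIN_COST * rng.uniform(*BUDGETS[level])
            hits += attack(rng, budget, p, crit)
        running.append(hits / (k * chunk_size))
    return running

def converged(running, window=5, tol=0.005):
    """M is large enough once the last `window` running estimates agree within tol."""
    tail = running[-window:]
    return len(tail) == window and max(tail) - min(tail) < tol

if __name__ == "__main__":
    est = evaluate(chunks=20)
    print(est[-1], converged(est))
```

Plotting the list returned by `evaluate` against the chunk index gives the convergence diagram the slide describes.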

  11. Agenda • Introduction • Solution Approach • Evaluation Process • Policy enhancement • Initial parameter configuration • Experiment on M • Summary

  12. Solution Approach • Policy enhancement • The main concept of policy enhancement can be summarized in the following parts. • Popularity Based Strategy • This strategy focuses on the nodes that are frequently attacked. Therefore, we use the total cost attackers spent on each node as the metric in policy enhancement. • Derivative • This concept is used to measure the marginal effectiveness of each defense resource allocation.

  13. Solution Approach • Policy enhancement (flowchart) • By the attack cost spent on each node, we choose the top three highest (and lowest) nodes as two groups. • Highest group: is it a honeypot? • Yes: calculate the derivative of defense resource and link utilization with one virtual positive unit of resource. • No: calculate the derivative of defense resource with one virtual positive unit of resource. • Lowest group: is it a honeypot? • Yes: calculate the derivative of defense resource and link utilization with one virtual negative unit of resource. • No: calculate the derivative of defense resource with one virtual negative unit of resource. • Select the highest derivative from each of the two groups and move one unit of resource from the lowest group to the highest group.

  14. Solution Approach • The relationship between evaluation process and policy enhancement (combined flowchart) • Evaluation process: • Initial state • Run the evaluation with the 36 different kinds of attackers M times and get the core node compromise frequency. Divide the frequency by M to obtain the average core node compromised probability. • Adjust defense parameters by improving procedure • Run another evaluation M times using the adjusted defense parameters and get the corresponding probability • Compare the result with the initial one • Decision: N times? (Yes / No) • Policy enhancement: • By the attack cost spent on each node, we choose the top three highest (and lowest) nodes as two groups. • Highest group: is it a honeypot? • Yes: calculate the derivative of defense resource and link utilization with one virtual positive unit of resource. • No: calculate the derivative of defense resource with one virtual positive unit of resource. • Lowest group: is it a honeypot? • Yes: calculate the derivative of defense resource and link utilization with one virtual negative unit of resource. • No: calculate the derivative of defense resource with one virtual negative unit of resource. • Select the highest derivative from each of the two groups and move one unit of resource from the lowest group to the highest group.
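One policy-enhancement step for the non-honeypot branch, as an added example (not code from the presentation). The closed-form `compromise_prob` stands in for the Monte Carlo evaluation, and the paths, allocation and attack-cost figures are constructed; the derivative is read here as the defender's gain from one virtual unit, so "highest" in the lowest group means the smallest loss, which is an assumption about the slide's wording.

```python
# Constructed stand-in for the Monte Carlo evaluation (assumption): attackers
# take each path with a fixed share and beat a node holding d units of defense
# resource with probability A / (A + d). Node 6 is the core node.
PATHS = {(1, 3, 6): 0.5, (2, 4, 6): 0.3, (2, 5, 6): 0.2}
A = 2.0
DEFENSE = {1: 4, 2: 2, 3: 3, 4: 2, 5: 3, 6: 6}             # constructed allocation
ATTACK_COST = {1: 50, 2: 30, 3: 45, 4: 12, 5: 8, 6: 90}    # constructed attacker spend

def compromise_prob(defense):
    """Core-node compromise probability under the stand-in model."""
    total = 0.0
    for path, share in PATHS.items():
        p = share
        for node in path:
            p *= A / (A + defense[node])
        total += p
    return total

def enhance_once(defense, attack_cost, evaluate=compromise_prob, group=3):
    """Move one unit of resource from the lowest group to the highest group."""
    ranked = sorted(attack_cost, key=attack_cost.get, reverse=True)
    highest, lowest = ranked[:group], ranked[-group:]
    base = evaluate(defense)

    def derivative(node, unit):
        # Defender's gain (drop in compromise probability) from one virtual unit.
        trial = dict(defense)
        trial[node] += unit
        return base - evaluate(trial)

    receiver = max(highest, key=lambda n: derivative(n, +1))
    donors = [n for n in lowest if defense[n] > 0 and n != receiver]
    if not donors:
        return dict(defense), base, base          # nothing can be moved
    donor = max(donors, key=lambda n: derivative(n, -1))
    moved = dict(defense)
    moved[receiver] += 1
    moved[donor] -= 1
    return moved, base, evaluate(moved)           # compare with the initial result

if __name__ == "__main__":
    print(enhance_once(DEFENSE, ATTACK_COST))
```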

  15. Agenda • Introduction • Solution Approach • Evaluation Process • Policy enhancement • Initial parameter configuration • Experiment on M • Summary

  16. Initial parameter configuration • Defender • Defense resource allocation • We allocate resources according to two major metrics: • Hop count to the core node • The larger the hop count, the lower the defense level. • Number of out links of each node • The higher the number of out links, the higher the defense level. • Honeypot link utilization • The initial value is set to 0.5.

  17. Initial parameter configuration • Attacker • Budget level • Multiple of Minimum attack cost • Low level: 1~3 times of minimum attack cost • Medium level: 3~5 times of minimum attack cost • High level: over 5 times • Capability • High level: 30% deceived probability • Medium level: 50% deceived probability • High level: 70% deceived probability

  18. Agenda • Introduction • Solution Approach • Evaluation Process • Policy enhancement • Initial parameter configuration • Experiment on M • Summary

  19. Experiment on M • We run different numbers of chunks to discover which one is an ideal value for M. • 10 chunks • 100 chunks • 1,000 chunks • 10,000 chunks • Each chunk represents the result of 10 thousand evaluations, i.e., attacks.

  20. Experiment on M • Result of 10 chunks

  21. Experiment on M • Result of 100 chunks

  22. Experiment on M • Result of 1,000 chunks

  23. Experiment on M • Result of 10,000 chunks

  24. Agenda • Introduction • Solution Approach • Evaluation Process • Policy enhancement • Initial parameter configuration • Experiment on M • Summary

  25. Summary • According to the experiment results, the core node compromise frequency in 10 thousand attacks (one chunk) is only 3~4 thousand. • Many attackers with a high budget level are deceived by honeypots.

  26. Thanks for Your Listening

  27. Experiment data Total defense budget is set to be 100
      • Information of attacker 3 is as follows: • Budget level is: 415.092896 • Capability is 0.500000 • Next hop selecting criteria is 4 • Round time is: 14 • compromising path is: • Path: 10 7 4 2 5 8 6 0 0 0
      • Information of attacker 30 is as follows: • Budget level is: 364.396271 • Capability is 0.500000 • Next hop selecting criteria is 3 • Round time is: 58 • compromising path is: • Path: 10 9 6 0 0 0 0 0 0 0
      • Information of attacker 6 is as follows: • Budget level is: 316.021667 • Capability is 0.700000(High level) • Next hop selecting criteria is 3 • Round time is: 7 • compromising path is: • Path: 10 9 6 0 0 0 0 0 0 0
      • Information of attacker 18 is as follows: • Budget level is: 286.996918 • Capability is 0.300000(Low level) • Next hop selecting criteria is 3 • Round time is: 8 • compromising path is: • Path: 10 9 6 8 5 7 4 2 3 1
