Presenter: Jen-Hua Chi Advisor: Frank, Yeong-Sung Lin

Modeling and Security Analysis of Enterprise Network Using Attack-defense Stochastic Game Petri Nets Presenter: Jen-Hua Chi Advisor: Frank, Yeong-Sung Lin

Upload: eve

Post on 22-Feb-2016



TRANSCRIPT

Page 1:

Modeling and Security Analysis of Enterprise Network Using Attack-defense Stochastic Game Petri Nets

Presenter: Jen-Hua Chi

Advisor: Frank, Yeong-Sung Lin

Page 2:

Agenda

Part I Introduction (Game Theory, Petri Net)

Part II Model

Part III Enterprise Network

Part IV Analysis and Conclusion

Page 3:

Introduction

Journal: Security and Communication Networks (Security Comm. Networks)

2013 Impact Factor: 0.414

Author: Yuanzhuo Wang (王卓元)

Page 4:

Introduction

Enterprise network: firewall, VPN, IDS/IPS, antivirus software, content monitoring

Prevent or counteract attacks more effectively

Page 5:

Introduction - ADSGN

Stochastic Game Net

Stochastic Petri Net

ADSGN

Page 6:

Introduction - SGN

Game Theory: Nash Equilibrium (NE)

Limitations:

1. do not have enough modeling abilities to describe interaction relations

2. existing modeling methods are nearly impossible to model the dynamic behaviors because of the complexity of state transitions

3. the full state space can be extremely large

Page 7:

Introduction - SGN

Stochastic Game Nets:

 - use of the NE as part of the transition probabilities in SGN models

 - build player models => combine

 - backwards: attack and defense actions that are interrelated with one another

Page 8:

Introduction - Stochastic Petri Net

Mathematical modeling languages

Directed bipartite graph

Nodes: transitions and places

Transitions: events that may occur

Places: conditions

The directed arcs describe which places are pre- and/or postconditions for which transitions.

Page 9:

Introduction - Stochastic Petri Net

P is a set of states, called places. P = {P1, P2, P3, P4}

T is a set of transitions. T = {T1, T2}

M represents the number of tokens. m0 = {1, 0, 2, 1}

Transition firing rates
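
The token game behind these definitions, as an added Python example (not from the slides or the paper). It uses the slide's P, T and m0; the arcs and firing rates are assumptions, because the slide's figure did not survive in this transcript.

```python
import random

PLACES = ("P1", "P2", "P3", "P4")
M0 = {"P1": 1, "P2": 0, "P3": 2, "P4": 1}   # m0 = {1,0,2,1} from the slide

# ASSUMED arcs and rates: the slide's figure is missing, so these are illustrative.
# pre = input arcs (place -> weight), post = output arcs, rate = exponential firing rate.
TRANSITIONS = {
    "T1": {"pre": {"P1": 1}, "post": {"P2": 1, "P3": 1}, "rate": 2.0},
    "T2": {"pre": {"P2": 1, "P3": 2}, "post": {"P1": 1, "P4": 1}, "rate": 1.0},
}

def enabled(marking):
    """A transition is enabled when every input place holds enough tokens."""
    return [t for t, d in TRANSITIONS.items()
            if all(marking[p] >= w for p, w in d["pre"].items())]

def fire(marking, t):
    """Remove tokens from the input places, add tokens to the output places."""
    if t not in enabled(marking):
        raise ValueError(f"{t} is not enabled in {marking}")
    new = dict(marking)
    for p, w in TRANSITIONS[t]["pre"].items():
        new[p] -= w
    for p, w in TRANSITIONS[t]["post"].items():
        new[p] += w
    return new

def simulate(marking, max_steps, rng):
    """Race semantics: every enabled transition samples an exponential delay
    from its rate and the smallest delay fires. Stops early on a dead marking."""
    clock, trace = 0.0, []
    for _ in range(max_steps):
        delays = {t: rng.expovariate(TRANSITIONS[t]["rate"]) for t in enabled(marking)}
        if not delays:
            break
        t = min(delays, key=delays.get)
        clock += delays[t]
        marking = fire(marking, t)
        trace.append((clock, t, tuple(marking[p] for p in PLACES)))
    return trace

if __name__ == "__main__":
    for when, t, m in simulate(M0, 10, random.Random(1)):
        print(f"t={when:.3f}  fired {t}  marking={m}")
```

With these assumed arcs the net reaches a dead marking after five firings, which is the kind of absorbing state a time-to-breach analysis looks for.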

Page 10:

Introduction - ADSGN

According to the characteristics of the network attack and defense actions

suitable to investigate the complex and dynamic game-related issues in network attack

Page 11:

Agenda

Part I Introduction

Part II Model

Part III Enterprise Network

Part IV Analysis and Conclusion

Page 12:

Definition - Stochastic Game Nets

Nine-tuple vector SGN:

is the action set of player k

Page 13:

Definition1 - Stochastic Game Nets

Nine-tuple vector SGN:

Page 14:

Definition - Stochastic Game Nets

Nine-tuple vector SGN:

Page 15:

Definition - Stochastic Game Nets

Each token s is assigned a reward vector h(s) = (h1(s), h2(s), ..., hn(s)), where hk(s) is the reward of player k in token s

Transition firing rates: consists of removing tokens from a subset of places and adding them to another subset

Page 16:

Definition - Stochastic Game Nets

A strategy for player k is described as a vector

Page 17:

Definition2 - Stochastic Game Nets

An n-player game

Player k's utility is defined as:

(p denotes the initial state of player k)

Page 18:

Definition3 - Stochastic Game Nets

NE is a vector

such that

Page 19:

Definition3 - ADSGN

Players: n => 2 (administrator, attacker)

Each player has only one optimal strategy, and this strategy yields lower utility for the other player

There exist some transitions ti such that ti is no action

Page 20:

Theorem 1 - ADSGN

For an ADSGN, if the two sets P and T contain finite elements, then there exists an NE under the setting of mixed strategies.

P: places describe the states of the system

Page 21:

Modeling and analysis

Reward values R represent the reward gained by the player when an action is completed

Page 22:

Construction

First: player models => combine the models

combining the places p that denote the same meanings in SGN models of different players:

 - case1

 - case2

Page 23:

Construction – case1

Inhibition type

Page 24:

Construction – case2

Termination type

Page 25:

Utilities of players

Each player's objective is to maximize the expected return

k = 1, 2

is the initial place of strategy

is the discount index of place

Page 26:

Utilities of players

Player k chooses an action using the probability distribution at place

In order to determine the optimal defense strategy, we must find the NE

Page 27:

Calculation of the Nash Equilibrium

Continuous ACO (CACO)

For each place pi, the behavior is modeled as a matrix game Gi

action sets of the attacker

action sets of the administrator

If an attack action is chosen in place pi and the intrusion is successful and undetected, the system may transfer to another place pj, where the game can continue

Page 28:

Calculation of the Nash equilibrium

U(pi) denotes the expected utility at place pi

Page 29:

Calculation of the Nash equilibrium

Page 30:

Calculation of the Nash equilibrium

objective function

Page 31:

Evaluation and analysis

divide the place set into four parts, namely

MTFSB: mean time to first security breach

MTTSB: mean time to security breach

Page 32:

Agenda

Part I Introduction

Part II Model

Part III Enterprise Network

Part IV Analysis and Conclusion

Page 33:

Enterprise network

security process control structure

Page 34:

security process control structure

(1) Scan the weak ports (attacker)

(2) IDS detects the attack (administrator)

(3) Administrator server orders the firewall and trap node (administrator)

(4) The attacker enters the trap node (attacker)

(5) The trap node returns the false information to the attacker (administrator)

(6) obtain the evidence of the attacker (administrator)

Page 35:

security process control structure

(7) cracks a common user’s user name and password (attacker)

(8) The attacker gets the competence of root by handling the database (attacker)

(9) The attacker installs the sniffer (attacker)

(10) The administrator server orders the firewall and antivirus server to blockade the IP of the attacker and remove the sniffer (administrator)

Page 36:

security process control structure

we have two action sets

Page 37:

security process control structure

ADSGN model is based on the following three assumptions:

(1) the administrator does not know whether there is an attacker or not

(2) the attacker may have several objectives and strategies that the defender does not know

(3) not all of the attacker’s actions can be observed by the defender

Page 38:

ADSGN Model of Enterprise Network

This model has six places

{p(normal), p(web server with vulnerability), p(get general permission), p(get root permission), p(sniffer installing), p(information stolen)} = {p1, p2, p3, p4, p5, p6}

Page 39:

ADSGN Model of Enterprise Network

p2: web server with vulnerability

p3: get general permission

a1: Scan vulnerability ; a2: Crack password

a3: Attack database ; a7: empty

d1: IDS scan ; d2: Cheat attacker ; d3: Get evidence

d6: empty

Page 40:

ADSGN Model of Enterprise Network

p4: get root permission

p5: sniffer installing

a4: Enhance permission ; a5: Install sniffer

a7: empty

d1: IDS scan ; d4: Blockade IP

d5: Remove sniffer ; d6: empty

Page 41:

ADSGN Model of Enterprise Network

p6: information stolen

a6: Install sniffer ; a7: empty

d1: IDS scan ; d4: Blockade IP

d5: Remove sniffer ; d6: empty

Page 42:

Model - attacker

Page 43:

Model - administrator

Page 44:

Model - combine

Page 45:

Agenda

Part I Introduction

Part II Model

Part III Enterprise Network

Part IV Analysis and Conclusion (MTTSB, MTTFB, attack rate)

Page 46:

Experimental Security Analysis

Page 47:

Experimental Security Analysis

Page 48:

Experimental Security Analysis

Page 49:

Experimental Security Analysis

Page 50:

Experimental Security Analysis

Page 51:

Conclusion

Inherit the advantages of Petri nets and SGN

investigate key factors of the attack and defense models, trying to find the inherent rules and patterns

Page 52:

Thanks for your attention