  • Thesis

Using Optimization Techniques to Determine Defense Resource Allocation Strategies in Multi-Stage Network Attack-Defense Scenarios to Optimize System Survivability (title translated from the Chinese)

Maximization of Network Survivability via Defense Resource Allocation under Multi-Stage Attack-Defense Scenarios by Using Optimization Techniques

Advisor: Yeong-Sung Lin (林永松)

Abstract


With the development of technology and the Internet, the malicious attack techniques used by hackers keep evolving; cloud computing, widely discussed in recent years, is also being exploited by attackers. For a nation or an enterprise, a malicious attack not only damages reputation; the leakage of private data can cripple the organization, so information security has received a great deal of attention. Network survivability is one of its important research areas. This study designs a way of measuring a survivability metric and proposes improvements to the accuracy of that metric. Beyond basic network connectivity, this study extends the concept of that metric and proposes a more refined survivability metric, the Average Degree of Disconnectivity (Average DOD). The traditional Degree of Disconnectivity metric assumes that an attack either succeeds or fails outright, a binary, discrete notion that does not match reality well. This study therefore introduces probability: a Contest Success Function is used to compute the probability that the attacker compromises each node, every possible scenario is weighted by its probability, and the resulting new network survivability metric is the Average DOD. To protect the network under its control, the defender invests a limited budget (for example money, time, manpower) and allocates it appropriately. On the other hand, the attacker's resources are also limited, so the attacker cannot attack a network whose required cost exceeds what it can afford. To achieve its goals, the attacker adjusts its attack strategies in response to the resource allocation strategies adopted by the network operator, making full use of its limited resources. Because the problem under consideration must be converted into a mathematical model using mathematical programming techniques, and because it is highly complex and difficult, optimization techniques are adopted as the basic approach so that optimal decisions can be obtained in a timely manner and with high quality. Since the attacker and the defender each have different goals and interests, in a multi-stage attack-defense scenario each side must consider the opponent's possible courses of action and try to choose the plan that is most favourable or most reasonable for itself; this study therefore uses mathematical analysis to determine whether a most reasonable behavioural solution exists for the problem, and to find an efficient method for locating that solution. By combining optimization techniques from mathematical programming with simulation of predicted attack-defense scenarios, this study provides defenders in nations or enterprises with guidelines and a reference basis for allocating defense resources.

Abstract (English)


The Internet has become a worldwide, publicly accessible network of interconnected computer networks. It has also become a tool that terrorists can use to attack nations and their economies or enterprises. How to efficiently evaluate network survivability is therefore an important and critical issue for any network operator in a nation or an enterprise. We intend to propose an effective and accurate network survivability metric that provides engineering guidelines for improving network security. In this research, an innovative metric called Average Degree of Disconnectivity (Average DOD) is proposed. It combines the probability calculated by a contest success function with the DOD metric to evaluate the damage degree of a network: the larger the Average DOD, the greater the damage to the network. A multi-stage network attack-defense scenario, formulated as a mathematical model, is used to help network operators predict all the likely strategies that both the cyber attacker and the network defender would take, and the Average DOD is used to evaluate the resulting damage degree of the network. In each stage, the attacker can use attack resources to launch attacks on the nodes of the target network. On the other hand, the network defender can reallocate existing defense resources to recover compromised nodes and allocate defense resources to protect the surviving nodes of the network. In the problem-solving process, optimization techniques are adopted to find the optimal resource allocation strategies for both the cyber attacker and the network defender.
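As an added illustration (not code from the thesis), the Average DOD computation described in both abstracts above, worked in Python on a constructed four-node topology: a Tullock-style contest success function (assumed form attack^m / (attack^m + defense^m)) gives each node's compromise probability, a simplified DOD (assumed here to be the fraction of origin-destination pairs left disconnected) scores each outcome, and the metric is the probability-weighted average over all 2^n compromise outcomes. The topology, the resource allocations, the CSF form and the DOD definition are all assumptions, not the thesis's own.

```python
import itertools
from typing import Dict, List, Set, Tuple

def contest_success_probability(attack: float, defense: float, m: float = 1.0) -> float:
    """Assumed Tullock-style contest success function: P(attacker takes the node)."""
    if attack <= 0:          # no attack effort on this node: it cannot be compromised
        return 0.0
    return attack ** m / (attack ** m + defense ** m)

def connected(u: str, v: str, edges: List[Tuple[str, str]], compromised: Set[str]) -> bool:
    """Depth-first search over surviving nodes only: a compromised node cannot relay."""
    if u in compromised or v in compromised:
        return False
    seen, stack = {u}, [u]
    while stack:
        x = stack.pop()
        if x == v:
            return True
        for a, b in edges:
            for src, dst in ((a, b), (b, a)):
                if src == x and dst not in seen and dst not in compromised:
                    seen.add(dst)
                    stack.append(dst)
    return False

def degree_of_disconnectivity(nodes: List[str], edges, compromised: Set[str]) -> float:
    """Assumed simplified DOD: fraction of origin-destination pairs left disconnected."""
    pairs = list(itertools.combinations(nodes, 2))
    return sum(not connected(u, v, edges, compromised) for u, v in pairs) / len(pairs)

def average_dod(nodes: List[str], edges, attack: Dict[str, float],
                defense: Dict[str, float], m: float = 1.0) -> float:
    """Average DOD: DOD weighted over every compromise outcome, each node falling
    independently with its contest-success probability (all 2^n outcomes enumerated)."""
    p = {n: contest_success_probability(attack.get(n, 0.0), defense.get(n, 0.0), m) for n in nodes}
    total = 0.0
    for outcome in itertools.product((False, True), repeat=len(nodes)):
        compromised = {n for n, hit in zip(nodes, outcome) if hit}
        prob = 1.0
        for n, hit in zip(nodes, outcome):
            prob *= p[n] if hit else 1.0 - p[n]
        total += prob * degree_of_disconnectivity(nodes, edges, compromised)
    return total
# Constructed sample topology and resource allocations (not taken from the thesis).
NODES = ["a", "b", "c", "d"]
EDGES = [("a", "b"), ("b", "c"), ("c", "d"), ("b", "d")]
ATTACK = {"a": 1.0, "b": 2.0, "c": 0.0, "d": 1.0}
DEFENSE = {"a": 1.0, "b": 2.0, "c": 1.0, "d": 3.0}
if __name__ == "__main__":
    print(f"Average DOD = {average_dod(NODES, EDGES, ATTACK, DEFENSE):.4f}")  # 0.6146
```

Raising the defense on node b (the cut vertex that isolates a) lowers the Average DOD, which is the kind of comparison a defender makes when reallocating a fixed budget between nodes.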

