  • Degree thesis

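Algorithms for Multi-Stage Defensive Resource Allocation and Defensive Messaging Strategy Selection under Incomplete Information to Maximize Network Survivability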

Maximization of Multi-Round Network Survivability under Considerations of Defensive Messaging Strategies and Incomplete Information for Both the Attacker and the Defender

Advisor: 林永松

Abstract


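With the rapid development of the Internet, we can go online anytime and anywhere. The Internet has brought many business opportunities, but it also confronts enterprises with many challenges. To serve customers 24 hours a day, an enterprise must keep its system services running without interruption. However, as network attack toolkits become ever easier to obtain, network attacks are no longer the preserve of hackers, and enterprises face many information security problems. How to allocate defensive resources so as to effectively reduce the damage caused by attackers, and how to evaluate system survivability to help enterprises stay in operation, have therefore become important issues. In our attack-defense scenario, we consider that neither the attacker nor the defender fully knows the information held by the other, that is, we consider incomplete information, and we build a mathematical model whose objective is optimal resource allocation. We use a network survivability metric, the Average Degree of Disconnectivity, to measure network survivability in the multi-stage attack-defense scenario, so that network operators can predict the resource allocation strategies the two sides are likely to adopt. In each stage of this scenario, the defender must allocate resources to different nodes, make better use of defensive resources by reallocating or recycling them, use defensive resources to repair compromised nodes, and patch vulnerabilities directly or through penetration testing. The defender can also choose whether to release a message, which may be truthful, deceptive, or secret, to confuse the attacker and thereby achieve better defensive efficiency. The attacker, in turn, uses resources to attack nodes in the network. In solving the problem, we use the "gradient method" and "game theory" techniques to help find the optimal resource allocation strategies for both sides.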

Parallel Abstract


With the Internet expanding rapidly, we can connect to it anytime and anywhere. The Internet brings enterprises many business opportunities, but it also confronts them with many challenges. To serve their customers around the clock, enterprises must keep operating continuously. As attack toolkits become easy to obtain, cyber attacks are no longer the preserve of hackers, so enterprises face many cyber security challenges. Therefore, how to efficiently allocate defensive resources to reduce the damage caused by cyber attackers, and how to evaluate system survivability to help enterprises keep operating, have become important issues. In this multi-round attack-defense model, neither the cyber attacker nor the network defender completely understands the information held by the other. In other words, the model considers incomplete information, and we construct a mathematical model for this problem. In addition, we use Average DOD to evaluate the degree of damage to the network, to help network operators predict all possible strategies that both the cyber attacker and the network defender would take. In each round, the network defender can allocate resources to each node and reallocate or recycle resources for better use. The network defender can also repair compromised nodes, and patch system vulnerabilities directly or by using penetration tests. Moreover, the network defender can release a message, which might be doing nothing at all, truth, secrecy or deception, to confuse the cyber attacker and achieve better defense efficiency. In each round, the cyber attacker allocates resources to attack nodes of the network. In the process of problem solving, the "gradient method" and "game theory" are used to obtain the optimal resource allocation strategies for both the cyber attacker and the network defender.
