research article effective proactive and reactive defense...
TRANSCRIPT
Hindawi Publishing CorporationJournal of Applied MathematicsVolume 2013 Article ID 518213 11 pageshttpdxdoiorg1011552013518213
Research ArticleEffective Proactive and Reactive Defense Strategies againstMalicious Attacks in a Virtualized Honeynet
Frank Yeong-Sung Lin Yu-Shun Wang and Ming-Yang Huang
Department of Information Management National Taiwan University Taipei Taiwan
Correspondence should be addressed to Yu-Shun Wang yushunwangtwgmailcom
Received 11 April 2013 Accepted 22 July 2013
Academic Editor Anyi Chen
Copyright copy 2013 Frank Yeong-Sung Lin et al This is an open access article distributed under the Creative Commons AttributionLicense which permits unrestricted use distribution and reproduction in any medium provided the original work is properlycited
Virtualization plays an important role in the recent trend of cloud computing It allows the administrator to manage and allocatehardware resources flexibly However it also causes some security issues This is a critical problem for service providers whosimultaneously strive to defend against malicious attackers while providing legitimate users with high quality service In this paperthe attack-defense scenario is formulated as a mathematical model where the defender applies both proactive and reactive defensemechanisms against attackers with different attack strategies In order to simulate real-world conditions the attackers are assumedto have incomplete information and imperfect knowledge of the target network This raises the difficulty of solving the modelgreatly by turning the problem nondeterministic After examining the experiment results effective proactive and reactive defensestrategies are proposed This paper finds that a proactive defense strategy is suitable for dealing with aggressive attackers underldquowinner takes allrdquo circumstances while a reactive defense strategy works better in defending against less aggressive attackers underldquofight to win or dierdquo circumstances
1 Introduction
The vision for most service providers is to provide high-quality service and improve customer satisfaction thusmaximizing profit From an infrastructure perspective theevolution of computing architecture has shifted from main-frame cluster computing distributed computing and gridcomputing to cloud computing As a recent and increasinglynoteworthy trend in information technology (IT) cloudcomputing describes a new service model based on theInternet From a managerial perspective one of the keysuccess factors of cloud computing is its ability to promiseand achieve high quality and availability of service
Applying virtualization technology makes the job ofproviding enterprise security more difficult As observed inthe IBMX-ForceMid Year Trend and Risk Report conductedin August 2010 [1] attackers continue to take advantage ofsecurity flaws The rate of vulnerability disclosures in 2010is higher than any point from 2000 to 2009 The numberof virtualization vulnerability disclosures from 1999 throughthe end of 2009 ascended rapidly peaking in 2008 at 100
While this number fell by 12 percent to 88 in 2009 thisdrop indicates that virtualization vendors have recognizedthe threat these flaws pose and have increased their attentionto security Although the ratio of virtualization vulnerabilitydisclosures increased by only 1 percent from 2007 through2009 these vulnerabilities still represent a notable securitythreat Therefore it is increasingly important to understandthe security implications of virtualization technology
In addition to external malicious attackers another weakcomponent of networks is insidersThey insensibly assist peo-ple with bad intentions in their legal use of computer systemsor networks Such insider-assisted malicious attacks adoptsocial engineering as a method to exploit common humanbehavior These attacks require a lower degree of technicalability than standard malicious attacks but can cause higherdegrees of damage As a result organizations emphasize theimportance of policy enforcement and increase employeeeducation to mitigate the risks posed by social engineering
In response to these problems this paper considers bothproactive defense resources such as firewalls IDS IPS andreactive defense techniques All types of resources considered
2 Journal of Applied Mathematics
Table 1 Given parameters
Notation Description119873 The index set of all nodes119862 The index set of all core nodes119871 The index set of all links
119872The index set of all levels of virtual machine monitors(VMMs)
119867 The index set of all types of honeypots
119875The index set of candidate nodes equipped with falsetarget function
119876The index set of candidate nodes equipped with faketraffic generating function
119877The index set of candidate nodes equipped with falsetarget and fake traffic generating function
119878 The index set of all kinds of services119861 The defenderrsquos total budget119908 The cost of constructing one intermediate node119900 The cost of constructing one core node119875 The cost of each virtual machine (VM)
119896119894
Themaximum number of virtual machines on VMMlevel 119894 where 119894 isin 119872
120572119894 The weight of 119894th service where 119894 isin 119878
119864All possible defense configurations including resourcesallocation and defending strategies
119885All possible attack configurations including attackerattributes strategies and transition rules
997888997888119860119894119895
An attack configuration including the attributesstrategies and transition rules of the attacker launches119895th attack on 119894th service where 119894 isin 119878 1 le 119895 le 119865
119894
119865119894
The total attacking times on 119894th service for all attackerswhere 119894 isin 119878
120574The cost of constructing a reconfiguration function toone node
120582Theminimum number of hops from core nodeattackers can start to compromise
119888119894
The number of hops from core node category i attackersstarts to compromise where 119894 isin 119885
in this work one is quantified not only by monetary but alsoby time labor and other possible factors As defenders seekout an appropriate defense resource allocation within budgetlimitations and observe the Quality of Service (QoS) require-ment it becomes increasingly important to best determinehow to find a defense mechanism that can detect risky attackbehavior early and mislead attackers to routes distant fromthe server before attackers are at the gates
In this paper we assume that organizations mayencounter a great diversity of threats Whether these threatsare external or internal they can bring about vast loss tofinances and reputation However budgets for securityand training are often inadequate Hence it is much moreimportant for a system or network to enhance robustness inorder to satisfy QoS requirements for service users than toprevent all categories of malicious attacks This symbioticconcept to security is called survivability which is widelydefined and applied in previous works [2ndash6]
Table 2 Decision variables
Notation Description
997888119863119894
A defense configuration including resourceallocation and defending strategies on 119894th servicewhere 119894 isin 119878
119879119894119895(997888119863119894997888997888119860119894119895)
1 if the attacker achieves his goal successfully and0 otherwise where 119894 isin 119878 1 le 119895 le 119865
119894
119899119894
The proactive defense resource allocated to node 119894where 119894 isin 119873
119897119894
The number of VMM level 119894 purchased where119894 isin 119872
120575119894
The number of services that honeypot 119894 cansimulate where 119894 isin 119867
120576119894
The interactive capability of false target honeypot119894 where 119894 isin 119875
120579119894
Themaximum throughput of fake traffic ofhoneypot 119894 where 119894 isin 119876
119881(119897119894)
The cost of VMM level 119894 with 119897119894VMMs where
119894 isin 119872
ℎ(120575119894 120576119894)
The cost of constructing a false target honeypotwhere 119894 isin 119875
119891(120575119894 120579119894)
The cost of constructing a fake traffic generatorhoneypot where 119894 isin 119876
119905(120575119894 120576119894 120579119894)
The cost of constructing a honeypot equippedwith false target and fake traffic functions where119894 isin 119877
119861NL The budget of constructing nodes and links119861proactive The budget of proactive defense resource119861special The budget of reactive defense resource119861virtualized The budget of virtualization119861honeypot The budget of honeypots119861reconfig The budget of reconfiguration functions119890 The total number of intermediate nodes
119902119894119895
The capacity of direct link between nodes 119894 and 119895where 119894 isin 119873 119895 isin 119873
119892(119902119894119895)
The cost of constructing a link from node 119894 tonode 119895 with capacity 119902
119894119895 where 119894 isin 119873 119895 isin 119873
119909119894
1 if node 119894 is equipped with false target functionand 0 otherwise where 119894 isin 119873
119910119894
1 if node 119894 is equipped with fake traffic generatingfunction and 0 otherwise where 119894 isin 119873
119911119894
1 if node 119894 is equipped with reconfigurationfunction and 0 otherwise where 119894 isin 119873
Survivability is a typical metric that measures networkperformance under intentional attacks or other failures Tra-ditionally network security status is divided into two discretetypes compromised and safe Typically when providingservices the evaluation criterion is the quality of servicebut applying this dichotomy of compromise and safetyignores the intermediate status For instance while underan attack the performance level of each service continuallydeclines Therefore network status should be represented ina continuous form [2] Hence in this paper survivability ischosen as themetric for describing network status Accordingto [2] survivability is defined as ldquoThe capability of a systemto fulfill its mission in a timely manner in the presence of
Journal of Applied Mathematics 3
Table 3 Verbal notations
Notation Description119866core119894 Loading of each residual core node 119894 where 119894 isin 119862
119880link119894 Link utilization of each link 119894 where 119894 isin 119871
119870effectNegative effect caused by applying fake trafficadjustment
119868effectNegative effect caused by applying dynamictopology reconfiguration
119869effect Negative effect caused by applying local defense
119874tocoreThe number of hops legitimate users experiencedfrom one boundary node to core nodes
119884 The total compromise events119882threshold The predefined threshold about QoS119882final The QoS level at the end of attack
119882(sdot)The value of QoS determined by 119866core119894 119880link119895 119870effect 119868effect 119869effect and 119874tocore where 119894 isin 119862 119895 isin 119871
120588defense119894
The total defense resource of the shortest pathfrom compromised nodes detected to core node 119894
divided by total defense resource where 119894 isin 119862
120591hops119894
The number of hops from compromised nodesdetected to core node 119894 divided by the number ofhops from attackerrsquos starting point where 119894 isin 119862
120596degree119894
The linking number of core node 119894 divided by themaximum number in the topology where 119894 isin 119862
119904119894
priority119895
The priority of service 119895 provided by core node 119894
divided by the maximum service priority in thetopology where 119894 isin 119878 119895 isin 119862
120573threshold The risk threshold of core nodes
120573(sdot)
The risk status of each core node which is theaggregation of defense resource number of hopslink degree and service priority
Table 4 Environment Parameters
Testing platformProgramming language CCompiler GNU GCC 462Total evaluation times 60000Distributions applied to describe attackersrsquoattributes Normal distribution
attacks failure or accidents including networks and large-scale systems of systemsrdquo
Along with the concept of survivability the vulnerabilityof each node is determined by the Contest Success Function(CSF) which is also applied in [7ndash10] CSF originates fromthe economic rent seeking problem found in EconomicTheory This method also applies a continuous approach tothe problem The form of the CSF is success probability =
119879119898
(119879119898
+ 119905119898
) when applied to attack and defense scenarioswhere 119879 represents the resources invested by the attacker and119905 stands for resources deployed by the defender Further 119898
is known as contest intensity which illustrates the nature ofthe battle while success probability is the probability of anode being compromised When the value 119898 is between 0and 1 it represents ldquofight to win or dierdquo circumstance [11]
Table 5 Parameters for defender
Parameters ValueTopology type Scale-free networkNumber of nodes 49Number of core nodes (each service) 6 (1 2 3)Number of terminal nodes 5Number of services 3Weight of each service 1 2 3Number of users 30Defender total budget 1700000Topology construction budget 700000Proactive defense budget 400000Reactive defense budget 600000
Table 6 Parameters for attacker
Parameters Value
Total attack budget A normal distribution with lower bound300000 and upper bound 1500000
Capability A normal distribution with lower bound120576 and upper bound 1
Aggressiveness A normal distribution with lower bound01 and upper bound 09
Attackerrsquos objective Service disruption or steal confidentialinformation
which means the effectiveness of resources is insignificantFor 119898 ge 1 the effectiveness of resources invested by bothsides is exponentially increasing If 119898 closes to infin it standsfor a ldquowinner takes allrdquo circumstance significant advantage isgranted to the stronger side even if that side is stronger byonly one invested resource [12]
There are many popular methodologies applied for solv-ing survivability problems In recent years game theory is awidely used one Nevertheless in [3] the authors point outthat this solution approach is limited for deterministic sce-narios Even the emerging branch of game theory stochasticgame is still confined with this assumption that all valuesof probabilistic variables have to be determined before theattack and defense starts This feature has a negative effecton creating cyber attack and defense scenario since in realworld decisions made during attack and defense dependon current status Given all values of variables makes thescenario far from reality
For example when choosing a victim from candidatenodes an attacker should apply information like the loadingof each node traffic amount on each link andor number ofusers on each node to evaluate the importance of all candi-dates Then choosing the most appropriate one as the targetyet the restriction of game theory enforces the choosingprobability which should be determined at the beginning ofthe cyber warfare In other words those variations happenedduring attack and defense like traffic reroute link statusnode conditions are ignored Consequently in this workMonte Carlo simulation is applied to consider hopefully andcover every angle in the attack and defense scenario
4 Journal of Applied Mathematics
2 Problem Formulation
21 Problem Description In order to improve system sur-vivability the defender deploys both proactive and reactivedefense resources to confront different attacks Proactivedefense resources are deployed before an attack is launchedIn this paper proactive resources include a firewall systemantivirus software detection techniques such as IntrusionDetection System (IDS) and Intrusion Protection System(IPS)
Alternatively reactive defense resources are activatedduring an attack as an immediate action for the defenderThe mechanisms considered in this paper can strengthendefenses provide deception and provide resource concentra-tion
For strengthening defenses since the scenario consideredin this paper is constructed in a virtualized environment anumber of Virtual Machines (VMs) are governed by a Vir-tual Machine Monitor (VMM) that controls all informationdetails for all VMs When an attack event is detected localdefense functions for each VMM are activated automaticallyto raise the defense capability of the virtualized nodes belong-ing to the same VMM However this mechanism does notalways create positive effects Once an attacker determinesthat the target network is a virtualized environment anddiscovers the existence of a VMM he can compromise theVMM through vulnerabilities in APIs [13] If the VMMis compromised all VMs belonging to this VMM are alsocompromised
Deceptionmechanisms are widely applied in defense andin this paper honeypots are considered to distract attackersAccording to [14ndash17] honeypots not only serve as a passivedecoy fooling attackers into believing they have achievedtheir goal and preemptively terminating the attack but alsoas an active lure that acts as a service-providing node toattract attackers The former is known as a false target andthe latter can be implemented by a fake core node thatspreads service-like traffic to attract attackers When facingdifferent attackers the deceiving probability of each honeypotis differentThis probability is jointly determined by attackersrsquocapability and the interaction level of a honeypot
As for resource concentration by modifying the con-cept of ldquorotationrdquo discussed in [18ndash20] and adapting it toour scenario the defender can adopt dynamic responsivestrategies to improve system survivability Hence whileunder an attack the defender can apply dynamic topologyreconfiguration to exchange the neighbor of one core nodewhich has the strongest defensive resources with a node thatis close to the attackerrsquos current location
However since dynamic topology reconfigurationrequires node rotation it negatively impacts QoS Thereforeunless the risk level of a core node exceeds a predefinedthreshold the defender will not activate this mechanismFurthermore false positive and false negative situations forevery defense mechanism are considered
In addition to the defense mechanisms described abovethe following attributes are also considered for creating arealistic attack-defense scenario
211 Goal Generally attackers target a network to eitherdisrupt services or to compromise servers and steal sensitiveinformation Therefore in this paper an attackerrsquos goal maybe service disruption or the theft of confidential informationService disruption is achieved by ensuring that the minimallevel of service quality is not fulfilled In the case of infor-mation theft attackers usually establish their target beforelaunching an attack and once core nodes with the desiredinformation are compromised the defenders lose
212 Budget Budget stands for the primary resources for anattack including money manpower computing effort timeand other important factors Without sacrificing generalityan attackersrsquo budget follows a general distribution Whendetermining the result of a compromising event for exampleone attacker invests a certain amount of attack resources oncompromising the target node and the CSF is applied todecide the compromised probability In contrast with [21] and[22] if an attacker invests more resources than the defenderon a given target node it is not guaranteed that the attackerwins it only raises the compromised probability
213 Capability This criterion depicts an attackersrsquo profi-ciency and is also described by a general distribution Forhighly proficient attackers there is a high probability thatthey will see through reactive defense mechanisms such ashoneypots
214 Attack Type In general a malicious attacker launchesan attack from one of the boundary nodes which is com-monly considered an external attack In contrast otherattacks can be launched by malicious insiders and causemore severe consequences [13] Malicious insiders are ableto choose an internal node as their starting position forcompromising the network
In the real world external attackers may apply socialengineering to escalate their access privileges This mecha-nism allows the attacker to bypass some proactive defensefacilitates like a firewall As a result attackers have an edgeon compromising the network
In order to best mimic real-world conditions all attacktypes discussed above are considered in this paper
215 Aggressiveness This metric describes the preferredcompromised probability of an attacker when attacking atarget node This attribute is highly dependent on budgetsince the compromised probability is the left-hand side of theCSF In other words the attack resources required for com-promising a target node are calculated by the given defenseresources contest intensity (119898) and attackerrsquos aggressivenessHighly aggressive attackers prefer a high success probabilityand like to spend a larger amount of resources to compromisethe target node than less aggressive attackers An attackerrsquosaggressiveness is determined by a general distribution
216 NextHop SelectionCriterion In this paper the attackersare assumed to have incomplete information and imperfectknowledge Since they can only gather local information
Journal of Applied Mathematics 5
(1) Attackers only have incomplete information(2) The defender only has incomplete information regarding the network since there are unaware vulnerabilities(3) A service is provided by multiple core nodes(4) Each service has different weights(5) One virtual machine only provides one service(6) Only malicious nodal attacks are considered(7) The compromise probability of a target node is determined by the Contest Success Function (CSF)
Box 1 Problem assumptions
such as the defense level of one hop neighbors link trafficor link utilization attackers must use available informationwisely to choose a proper strategy to select the next victimInspired by the seminal work of [23] possible attack strategiesmay be developed based on the quantity of proactive defenseresources link utilization or a portion of the target servicetraffic of each candidate node Additionally this paper alsoconsiders a more irrational strategy of a blind attack
By applying general distributions to describe attacker-related attributes the total number of attacker categories isnearly infinite This feature increases the generalizability ofour model The detailed assumptions are described in Box 1
To describe the attack procedures in more detail wedevelop the following idea to explain the interaction betweenthe defender and attackers The following figures are drawnfrom the attackerrsquos view for clarity In other words all figuresare a logical topology that has been already virtualizedsince one physical machine may represent many VMs Theexplanations of components are listed in Figure 1
First the defender deploys proactive defense resource oneach node and the attacker starts to compromise the networkfrom the edge nodes (119878) Before launching an attack theattacker probes all the candidate nodes to gather sufficientinformation and determine the next hop selection criterionfor this compromise event By applying the next hop selectioncriterion the victim is chosen The result of this compromiseevent is determined by the CSF If the target is compromisedit becomes a spring board for attackers to assault otheruncompromised neighbors Corresponding information isshown in Figure 2 The topology demonstrated in Figures 2and 3 for presentation purposes the topology structureimplemented in the simulations is a scale-free network
The risk level of each core node is evaluated by minimumdefense resources the number of hops the link degree andservice priority Minimum defense resource stands for theshortest path from compromised nodes to one core nodedivided by total defense resources The number of hops isdetermined by the minimum number of hops from com-promised nodes to one core node divided by the maximumnumber of hops from the attackersrsquo starting point to one corenode Link degree is the linking number of each core nodedivided by the maximum linking number in the topologyService priority is the weight of the service that is providedby the target core node divided by the highest weight ofservice in the topology If any of the core nodes is in dangerthe defender can activate defense mechanisms such as afake traffic generator and a dynamic topology reconfigurationunder QoS limitations
S
Reconfiguration
Reconfiguration
Reconfiguration
VM
Reconfiguration
VM
Figure 1 Explanations of Components
Reconfiguration
VMReconfiguration iiiiiiionnoooooooooonnnooooonnn
S
Reconfiguration
Reconfiguration
VM
Figure 2 Sample network and resource allocation scheme
When the defender activates a dynamic topology recon-figuration only nodes implemented with the reconfigurationfunction are considered First the defender chooses theleast proactively defended neighbor with the reconfigurationfunction of a risky core node The defender then selectsanother node that is both not a neighbor of the core nodeand the most proactively defended nearby the node selectedfrom the previous step If there is a fake traffic generatinghoneypot the defender is also able to activate the mechanismfor influencing an attackerrsquos next hop selecting criterion
In the event that attackers attack the virtualized nodesand this malicious event is detected by the defender the local
6 Journal of Applied Mathematics
Given(1) all possible defense configurations set including defense resource allocation and defending strategies(2) all possible attack configurations set including attacker attributes strategies and selection criterion(3) the total attack times on each serviceObjectiveto minimize the service compromised probability of the target networkSubject to(1) budget constrain for both the defender and attackers(2) the minimum QoS requirement for legitimate usersTo determinethe effective defense strategies to allocate resources
Box 2 Problem description
078
079
08
081
082
083
084
1000 2000 3000 4000 5000 6000 7000 8000 9000 10000
Serv
ice c
ompr
omise
d pr
obab
ility
Evaluation times
m = 01
m = 03
m = 05
m contest intensity
Figure 3 A possible result of an attack and defense scenario
defense mechanism is activated automatically Consequentlythe defense level increases for the attacked node the VMMand the rest of this virtualized group If attackers see that thenode is under a virtualized environment they may continueto compromise the VMM
When a core node is compromised the defender mustevaluate whether the performance level still fulfills theminimum QoS requirement and update the degree of riskregarding each core node If an attacker targets multipleservices once they compromise a false target honeypot andare deceived by it they will change their target to the nextservice Finally if attackers exhaust their budget the attackis terminated and the defender wins the battle One possibleresult is shown in Figure 3 A structural description of theproblem is presented in Box 2
22 Mathematical Formulation The scenario discussed pre-viously is modeled as a minimization problem given theparameters and decision variables shown in Tables 1 and2 respectively Furthermore since the high amount ofrandomness involved renders the nature of this problemnondeterministic it is quite difficult to formulate this prob-lem purely through mathematics To explain the nondeter-ministic nature the following example is used considering
two adversaries with the same attack strategy since theproblem is nondeterministic the consequences can be totallydifferent One may be distracted by a honeypot and the othermay successfully achieve the goal This feature dramaticallyexpands the width in survivability studies Further the sce-nario considered in this work gives the defender the averagesurvivability analysis of a network
There are three major reasons that an average surviv-ability analysis is more meaningful for the defender Firstin the real world there are only few adversaries holdingldquocompleterdquo information regarding the target network Thiskind of ldquoworst caserdquo rarely happen Secondly analyzing theworst case though gives a defender the lower bound of net-work survivability Nevertheless it overestimates the budgetrequired for defending a network An average survivabilityanalysis makes conclusions closer to reality Last but not theleast in average case analysis if the defenderwants to evaluatethe survivability when facing a stronger adversary it canbe achieved by simply tuning the parameter Average caseanalysis is flexible and adjustable according to the demandof a defender
Thus to well describe the problem some verbal notationsand constraints are included which are shown in Table 3
Objective function
min997888119863119894
sum119894isin119878
[120572119894times sum119865119894
119895=1119879119894119895
(997888119863119894997888997888119860119894119895)]
sum119894isin119878
(120572119894times 119865119894)
(IP 1)
subject tomathematical constraints
997888119863119894isin 119864 forall119894 isin 119878 (IP 11)
997888997888119860119894119895
isin 119885 forall119894 isin 119878 1 le 119895 le 119865119894 (IP 12)
119902119894119895
ge 0 forall119894 119895 isin 119873 (IP 13)
119909119894+ 119910119895
ge 1 forall119894 119895 isin 119867 (IP 14)
119888119894ge 120582 forall119894 isin 119885 (IP 15)
119861NL + 119861proactive + 119861reactive le 119861 (IP 16)
119861virtualized + 119861honeypot + 119861reconfig le 119861reactive (IP 17)
Journal of Applied Mathematics 7
119908 times 119890 + 119900 times 119862 +
sum119894isin119873
sum119895isin119873
119892 (119902119894119895)
2le 119861NL (IP 18)
sum
119894isin119873
119899119894le 119861proactive (IP 19)
sum
119894isin119872
V (119897119894) + 119901 times sum
119894isin119872
119897119894times 119896119894le 119861virtualized (IP 110)
sum
119894isin119875
119909119894times ℎ (120575
119894 120576119894) + sum
119895isin119876
119910119895
times 119891 (120575119895 120579119895)
+ sum
119894isin119873
sum
119895isin119873
119909119894times 119910119895
times 119905 (120575119894 120576119894 120579119895) le 119861honeypot
(IP 111)
sum
119894isin119873
119911119894times 119903 le 119861reconfig (IP 112)
119908 times 119890 ge 0 (IP 113)
119892 (119902119894119895) ge 0 forall119894 119895 isin 119873 (IP 114)
119899119894ge 0 forall119894 isin 119873 (IP 115)
V (119897119894) ge 0 forall119894 isin 119872 (IP 116)
ℎ (120575119894 120576119894) ge 0 forall119894 isin 119875 (IP 117)
119891 (120575119895 120579119895) ge 0 forall119895 isin 119876 (IP 118)
119905 (120575119894 120576119894 120579119895) ge 0 forall119894 isin 119873 (IP 119)
119909119894= 0 or 1 forall119894 isin 119873 (IP 120)
119910119894= 0 or 1 forall119894 isin 119873 (IP 121)
119911119894= 0 or 1 forall119894 isin 119873 (IP 122)
verbal constraints
int119884
119910=1[119882 (119866core119894 119880link119895 119870effect 119868effect 119869effect 119874tocore)] 119889119910
119884
ge 119882threshold where 119894 isin 119862 119895 isin 119871
(IP 123)
119882final ge 119882threshold (IP 124)
For each core node when
120573 (120588defense 120591hops 120596degree 119904priority119894
) ge 120573threshold
where 119894 isin 119878
(IP 125)
the defender can activate the reactive defense mechanismsThe goal of the objective function is to minimize the
compromised service probability which is modeled as theweighted total of successful attacks divided by the totalweighted number of attacks The result of an attack is deter-mined by 119879
119894119895(997888119863119894997888997888119860119894119895) For each service the defender con-
structs a defense configuration including defense resource
allocation anddefending strategies to oppose attackers target-ing the service with different attack configurations includingattacker attributes strategies and transition rules Not onlymalicious attacks but also QoS issues are taken into consider-ation
Equation (IP 11) stands for the feasibility of the defenseconfiguration of each service For the attacking side (IP 12)
denotes that the attack configuration should be feasibleEquation (IP 16) denotes that the summation of defenseresources spent should not exceed total budget 119861 Equations(IP 17)sim(IP 119) jointly restrain the budget of each type ofdefense resource individually Equations (IP 120)sim(IP 122)
impose binary restrictions on decision variables Finally(IP 123)sim(IP 125) jointly represent that the performancereduction caused by either malicious attacks or activatingreactive defense mechanisms should not violate the QoSrequirement
3 Numerical Analysis
In this paper a scale-free network is constructed for evalua-tion since this structure is similar to real-world forms suchas the Internet The implementation algorithm is referencedfrom [24]
31 Simulation Environment Table 4 presents the systemexperiment parameters Defender-related parameters areillustrated in Table 5 The unit of budget is dollar Forattackers the parameters are shown in Table 6
The value of each attackerrsquos budget capability and aggres-siveness is governed by a normal distribution with differentlower and upper bounds
32 Numerical Result As mentioned previously the ContestSuccess Function is applied for quantifying vulnerabilityThevalue of contest intensity is classified into two groups scoresgreater than 1 and scores smaller than 1
321 Convergence The first issue to address before con-structing meaningful simulations is convergence In thispaper the convergence of data is considered as numericalstability While the magnitude of data vibrations is withinthe acceptable interval for example 02 the correspondingnumber of simulation times (119872) is set as the number ofevaluations for each attack and defense scenario
For rigorousness in convergence experiments the effectof contest intensity is jointly consideredThree different mag-nitudes are simulated on a 49 node scale-free network Forthe following experiments in this subsection the horizontalaxis represents the evaluation of the number of attacks andthe vertical axis stands for the network system compromisedprobability which is the objective function of the proposedmathematical model
Figures 4 and 5 show the result of 10000 simulations withdifferent contest intensity Here it is clear that the value ofservice compromised probability is unstable In Figures 6 and7 the vibration becomes alleviative but is still not convergentWhen the number of simulations is raised to 100000 as
8 Journal of Applied Mathematics
078
079
08
081
082
083
084
1000 2000 3000 4000 5000 6000 7000 8000 9000 10000
Evaluation times
Serv
ice c
ompr
omise
d pr
obab
ility
m = 15
m = 17
m = 19
m contest intensity
Figure 4 Convergence test on 119898 lt 1 group for 10000 simulations
075076077078079
08081082083084
1000
4000
7000
1000
013
000
1600
019
000
2200
025
000
2800
031
000
3400
037
000
4000
043
000
4600
049
000
Evaluation times
Serv
ice c
ompr
omise
d pr
obab
ility
m = 01
m = 03
m = 05
m contest intensity
Figure 5 Convergence test on 119898 gt 1 group for 10000 simulations
shown in Figures 8 and 9 there is a stable trend after 60000among all different values of contest intensity
From Figures 4 to 9 it is clear that the 60000 simulationsare a large enough number to give converging results amongall values of contest intensityTherefore 119872 is set to be 60000
322 Analysis of Key Factors Influencing Service CompromisedProbability Contest intensity has great influence on thenature of network attack and defense However as shown inFigure 10 there is no consistent tendency between contestintensity and service compromised probability The sameconclusions also appear in [8ndash10]
If the effects of contest intensity and attackerrsquos aggressive-ness are jointly considered there are some meaningful andexplainable results
In Figure 11 three value intervals of aggressivenessincluding 01 to 09 (average) 01 to 05 (less aggressive) and05 to 09 (aggressive) are simulated among different values ofcontest intensity It is clear that when both the effect of contestintensity and an attackrsquos aggressiveness are considered thereare consistent trends For aggressive attackers it is more
078
079
08
081
082
083
084
1000
4000
7000
1000
013
000
1600
019
000
2200
025
000
2800
031
000
3400
037
000
4000
043
000
4600
049
000
Evaluation times
Serv
ice c
ompr
omise
d pr
obab
ility
m = 15
m = 17
m = 19
m contest intensity
Figure 6 Convergence test on 119898 lt 1 group for 50000 simulations
075076077078079
08081082
1000
6000
1100
016
000
2100
026
000
3100
036
000
4100
046
000
5100
056
000
6100
066
000
7100
076
000
8100
086
000
9100
096
000
Evaluation times
Serv
ice c
ompr
omise
d pr
obab
ility
m = 01
m = 03
m = 05
m contest intensity
Figure 7 Convergence test on 119898 gt 1 group for 50000 simulations
advantageous to have higher values of contest intensityAlternatively less aggressive attackers have leverage whenthe value of contest intensity is small However for averageattacks there is no clear tendency
The value of contest intensity is separated into high-valueand low-value groups Here Figure 12 illustrates the variationof service compromised probability in low-level contestintensity groups when facing less aggressive attackers Whilein Figure 12 the objective function value presents a lineardecreasing form Figure 13 demonstrates an exponentiallydecreasing from
Figures 14 and 15 also present a similar phenomenonwhen facing aggressive attackers the variation of servicecompromised probability shows an exponentially increasingtrend for contest intensity belonging to the low-level groupFor the high-level group the tendency is more linear
According to the previous results the key factors influ-encing service compromised probability include contestintensity and attack aggressivenessThese results are summa-rized in Figure 16
Journal of Applied Mathematics 9
075076077078079
08081082083
1000
6000
1100
016
000
2100
026
000
3100
036
000
4100
046
000
5100
056
000
6100
066
000
7100
076
000
8100
086
000
9100
096
000
Evaluation times
Serv
ice c
ompr
omise
d pr
obab
ility
m = 15
m = 17
m = 19
m contest intensity
Figure 8 Convergence test on119898 lt 1 group for 100000 simulations
076
077
078
079
08
081
082
Serv
ice c
ompr
omise
d pr
obab
ility
m = 15
m = 17
m = 19
m = 01
m = 03
m = 05
Aggressiveness = 01sim09
m contest intensity
Figure 9 Convergence test on 119898 gt 1 group for 100000 simula-tions
4 Discussion of Results
Based on the simulation results some interesting and mean-ingful arguments are presented in this section
41 The Effectiveness of Resources Invested by the Defenderand Attackers Is Highly Dependent on the Nature of BattleThe objective function value shown in Figure 12 presents alinear decreasing form when the contest intensity belongsto a low-level group and the defender is dealing with lessaggressive attackers The reason is that the effectiveness ofresources invested by both players is insignificant Thus theservice compromised probability is less sensitive with contestintensity under ldquofight to win or dierdquo circumstances
Furthermore less aggressive attackers only invest fewresources into compromising a target With the same totalbudget they are capable of launching more attacks thanaggressive attackers Therefore the service compromisedprobability of less aggressive attackers is much higher thanmore aggressive attackers
00102030405
06
07
0809
1
Contest intensity m
Serv
ice c
ompr
omise
d pr
obab
ility
m = 15 m = 17 m = 19m = 01 m = 03 m = 05
Aggressiveness = 01sim09Aggressiveness = 05sim09Aggressiveness = 01sim05
Figure 10 Service compromised probability under different contestintensity
075076077078079
08081082083084085086087
m = 01
m = 03
m = 05
Aggressiveness = 01sim05
Serv
ice c
ompr
omise
d pr
obab
ility
m contest intensity
Figure 11 Effect of Aggressiveness among Different Contest Inten-sity
In the case of ldquowinner takes allrdquo Figure 13 illustrates anexponentially decreasing trend among service compromisedprobability this is because the effectiveness of resourcesinvested is significant to the result of a battle With a largervalue of contest intensity the vantage of a defender againstless aggressive attackers is more obvious
On the contrary for aggressive attackers there is anexponentially increasing tendency under ldquofight to win ordierdquo circumstances Since the contest intensity serves asthe exponent of the Contest Success Function when thevalue increases the effectiveness of resources invested growsexponentially This is further shown in Figure 14
Nevertheless the exponential tendency does not appearthrough all values of contest intensity For the ldquowinner takesallrdquo circumstance in Figure 15 the increasing rate of service
10 Journal of Applied Mathematics
063064065066067068069
07071072073074075
m = 15
m = 17
m = 19
Aggressiveness = 01sim05
Serv
ice c
ompr
omise
d pr
obab
ility
m contest intensity
Figure 12 Service compromised probability of less aggressive at-tacker under 119898 lt 1 circumstance
0
01
02
03
04
05
06
07
m = 01
m = 03
m = 05
Aggressiveness = 05sim09
Serv
ice c
ompr
omise
d pr
obab
ility
m contest intensity
Figure 13 Service compromised probability of less aggressive at-tacker under 119898 gt 1 circumstance
085
086
087
088
089
09
m = 15
m = 17
m = 19
Aggressiveness = 05sim09
Serv
ice c
ompr
omise
d pr
obab
ility
m contest intensity
Figure 14 Service compromised probability of aggressive attackerunder 119898 lt 1 circumstance
0
02
04
06
08
1
Prob
abili
ty
Contest intensity mm = 15 m = 17 m = 19
m = 01 m = 03 m = 05
Aggressiveness = 01sim05Aggressiveness = 05sim09
Figure 15 Service compromised probability of aggressive attackerunder 119898 gt 1 circumstance
0
02
04
06
08
1
Prob
abili
ty
Contest intensity mm = 15 m = 17 m = 19
m = 01 m = 03 m = 05
Aggressiveness = 01sim05Aggressiveness = 05sim09
Figure 16 Comparison of service compromised probability underdiverse contest intensity and aggressiveness
compromised probability slows down when contest intensitybecomes higherThis is because although aggressive attackersprefer to gain an edge by spending more attack resourcesto compromise a target each compromise costs significantresources Thus aggressive attackers run out of budget veryquickly and the increasing trend is not exponential
42 Proactive Defense Is Advantageous under ldquoWinner TakesAllrdquo Circumstance According to previous discussions theeffectiveness of resources invested is significant under ldquowin-ner takes allrdquo circumstances For less aggressive attackers theperformance is poor since they only invest few resources onan attack Aggressive attackers tend to spend a larger quantityto compromise a target If a defender raises the quantity ofdefense resources on important nodes it effectively weakensattackers
Consequently regardless of whether defenders face eitheraggressive or less aggressive attackers a proactive defenseperforms better in deterring attackers
43 Reactive Defense Is Advantageous under ldquoFight to Winor Dierdquo Circumstance Similarly under the ldquofight to win
Journal of Applied Mathematics 11
or dierdquo circumstance the effectiveness of defense resourcesis insignificant No matter how many proactive defenseresources are invested there is only limited influence onthe objective function value In other words less aggressiveattackers can compromise a target even by only investingscarce attack resources For aggressive attackers since theyprefer spending a large quantity of resources on compromis-ing a victim they easily run out of resources before a targetservice is compromised
Based on this analysis it is advantageous for the defenderto apply reactive defense mechanisms against maliciousattackers under ldquofight to win or dierdquo circumstance
5 Conclusions
This paper models an attack and defense scenario thatinvolves high amounts of randomness as mathematical for-mulations where attackers are assumed to have incompleteinformation It further considers a virtualization environ-ment for helping relate these results to recent trends in cloudcomputing
According to the simulation results the outcome of acontest is influenced not only by the quantity of defenseresources invested on each node but also by the contestintensity An attackerrsquos aggressiveness is introduced as a newdimension and meaningful results are discovered Effectivedefense strategies are proposed in the discussion of theresults
For future works collaborative attacks should be takeninto consideration since the attack strategy discussed in thispaper is for individual attacks In other words there is onlyone attack targeting a victimrsquos network at a time Thus nosynergy is considered A more complicated collaborativeattack pattern is worth further study
Acknowledgment
This work was supported by the National Science CouncilTaiwan (Grant nos NSC 102-2221-E-002-104 and NSC 101-2218-E-011-009)
References
[1] IBM Internet Security Systems X-Force research and devel-opment team ldquoIBM X-Force 2010 Mid-Year Trend and RiskReportrdquo IBM August 2010
[2] R J Ellison D A Fisher R C Linger H F Lipson T Longstaffand N R Mead ldquoSurvivable network systems an emergingdisciplinerdquo Tech Rep CMUSEI-97-TR-013 1997
[3] S Roy C Ellis S Shiva D Dasgupta V Shandilya and Q WuldquoA survey of game theory as applied to network securityrdquo inProceedings of the 43rd Annual Hawaii International Conferenceon System Sciences (HICSS rsquo10) January 2010
[4] M N Lima A L D Santos and G Pujolle ldquoA survey of sur-vivability in mobile Ad hoc Networksrdquo IEEE CommunicationsSurveys and Tutorials vol 11 no 1 pp 66ndash77 2009
[5] Z Ma ldquoTowards a unified definition for reliability survivabilityand resilience (I) the conceptual framework inspired by thehandicap principle and ecological stabilityrdquo in Proceedings of theIEEE Aerospace Conference pp 1ndash12 March 2010
[6] F Xing and W Wang ldquoOn the survivability of wireless adHOC networks with node misbehaviors and failuresrdquo IEEETransactions on Dependable and Secure Computing vol 7 no3 pp 284ndash299 2010
[7] S Skaperdas ldquoContest success functionsrdquo EconomicTheory vol7 no 2 pp 283ndash290 1996
[8] G Levitin and K Hausken ldquoFalse targets efficiency in defensestrategyrdquo European Journal of Operational Research vol 194 no1 pp 155ndash162 2009
[9] K Hausken and G Levitin ldquoProtection vs false targets in seriessystemsrdquo Reliability Engineering and System Safety vol 94 no5 pp 973ndash981 2009
[10] G Levitin and K Hausken ldquoPreventive strike vs false targetsand protection in defense strategyrdquo Reliability Engineering andSystem Safety vol 96 no 8 pp 912ndash924 2011
[11] J Hirshleifer ldquoConflict and rent-seeking success functions ratiovs difference models of relative successrdquo Public Choice vol 63no 2 pp 101ndash112 1989
[12] J Hirshleifer ldquoThe paradox of powerrdquo Economics and Politicsvol 3 pp 177ndash200 1993
[13] J Archer A Boehme D Cullinane P Kurtz N Puhlmannand J Reavis ldquoTop Threats to Cloud Computing V 10rdquo CloudSecurity Alliance March 2010
[14] H Debar F Pouget and M Dacier ldquoWhite paper lsquoHoney-pot Honeynet Honeytoken Terminological issuesrsquordquo InstitutEurecom Research Report RR-03-081 2003
[15] B Cheswick ldquoAn evening with berferd in which a cracker islured endured and studiedrdquo in Proceedings of the USENIXConference pp 163ndash174 USENIX 1992
[16] C Seifert I Welch and P Komisarczuk ldquoTaxonomy of honey-potsrdquo Tech Rep CS-TR-0612 2006
[17] M H y Lopez and C F L Resendez ldquoHoneypots basicconcepts classification and educational use as resources ininformation security education and coursesrdquo in Proceedings ofthe Informing Science and IT Education Conference 2008
[18] Y Huang D Arsenault and A Sood ldquoClosing cluster attackwindows through server redundancy and rotationsrdquo in Pro-ceedings of the 6th IEEE International Symposium on ClusterComputing and the Grid (CCGRID rsquo06) May 2006
[19] YHuang D Arsenault andA Sood ldquoIncorruptible self-cleans-ing intrusion tolerance and its application to DNS securityrdquoJournal of Networks vol 1 no 5 pp 21ndash30 2006
[20] M Smith C Schridde and B Freisleben ldquoSecuring stateful gridservers through virtual server rotationrdquo in Proceedings of the17th International Symposium on High Performance DistributedComputing (HPDC rsquo08) pp 11ndash22 June 2008
[21] F Y-S Lin Y-S Wang and P-H Tsang ldquoEfficient defensestrategies to minimize attackersrsquo success probabilities in hon-eynetrdquo in Proceedings of the 6th International Conference onInformation Assurance and Security (IAS rsquo10) pp 80ndash85 August2010
[22] F Y-S Lin Y-S Wang P-H Tsang and J-P Lo ldquoRedundancyand defense resource allocation algorithms to assure servicecontinuity against natural disasters and intelligent attacksrdquo inProceedings of the 5th International Conference on BroadbandWireless Computing Communication andApplications (BWCCArsquo10) pp 206ndash213 November 2010
[23] F Cohen ldquoManaging network security attack and defencestrategiesrdquo Network Security vol 1999 no 7 pp 7ndash11 1999
[24] S Nagaraja and R Anderson ldquoDynamic topologies for robustscale-free networksrdquo Bio-Inspired Computing and Communica-tion vol 5151 pp 411ndash426 2008
Submit your manuscripts athttpwwwhindawicom
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Mathematical Problems in Engineering
Hindawi Publishing Corporationhttpwwwhindawicom
Differential EquationsInternational Journal of
Volume 2014
Applied MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Probability and StatisticsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Mathematical PhysicsAdvances in
Complex AnalysisJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
OptimizationJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
CombinatoricsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Operations ResearchAdvances in
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Function Spaces
Abstract and Applied AnalysisHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of Mathematics and Mathematical Sciences
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Algebra
Discrete Dynamics in Nature and Society
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Decision SciencesAdvances in
Discrete MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom
Volume 2014 Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Stochastic AnalysisInternational Journal of
2 Journal of Applied Mathematics
Table 1 Given parameters
Notation Description119873 The index set of all nodes119862 The index set of all core nodes119871 The index set of all links
119872The index set of all levels of virtual machine monitors(VMMs)
119867 The index set of all types of honeypots
119875The index set of candidate nodes equipped with falsetarget function
119876The index set of candidate nodes equipped with faketraffic generating function
119877The index set of candidate nodes equipped with falsetarget and fake traffic generating function
119878 The index set of all kinds of services119861 The defenderrsquos total budget119908 The cost of constructing one intermediate node119900 The cost of constructing one core node119875 The cost of each virtual machine (VM)
119896119894
Themaximum number of virtual machines on VMMlevel 119894 where 119894 isin 119872
120572119894 The weight of 119894th service where 119894 isin 119878
119864All possible defense configurations including resourcesallocation and defending strategies
119885All possible attack configurations including attackerattributes strategies and transition rules
997888997888119860119894119895
An attack configuration including the attributesstrategies and transition rules of the attacker launches119895th attack on 119894th service where 119894 isin 119878 1 le 119895 le 119865
119894
119865119894
The total attacking times on 119894th service for all attackerswhere 119894 isin 119878
120574The cost of constructing a reconfiguration function toone node
120582Theminimum number of hops from core nodeattackers can start to compromise
119888119894
The number of hops from core node category i attackersstarts to compromise where 119894 isin 119885
in this work one is quantified not only by monetary but alsoby time labor and other possible factors As defenders seekout an appropriate defense resource allocation within budgetlimitations and observe the Quality of Service (QoS) require-ment it becomes increasingly important to best determinehow to find a defense mechanism that can detect risky attackbehavior early and mislead attackers to routes distant fromthe server before attackers are at the gates
In this paper we assume that organizations mayencounter a great diversity of threats Whether these threatsare external or internal they can bring about vast loss tofinances and reputation However budgets for securityand training are often inadequate Hence it is much moreimportant for a system or network to enhance robustness inorder to satisfy QoS requirements for service users than toprevent all categories of malicious attacks This symbioticconcept to security is called survivability which is widelydefined and applied in previous works [2ndash6]
Table 2 Decision variables
Notation Description
997888119863119894
A defense configuration including resourceallocation and defending strategies on 119894th servicewhere 119894 isin 119878
119879119894119895(997888119863119894997888997888119860119894119895)
1 if the attacker achieves his goal successfully and0 otherwise where 119894 isin 119878 1 le 119895 le 119865
119894
119899119894
The proactive defense resource allocated to node 119894where 119894 isin 119873
119897119894
The number of VMM level 119894 purchased where119894 isin 119872
120575119894
The number of services that honeypot 119894 cansimulate where 119894 isin 119867
120576119894
The interactive capability of false target honeypot119894 where 119894 isin 119875
120579119894
Themaximum throughput of fake traffic ofhoneypot 119894 where 119894 isin 119876
119881(119897119894)
The cost of VMM level 119894 with 119897119894VMMs where
119894 isin 119872
ℎ(120575119894 120576119894)
The cost of constructing a false target honeypotwhere 119894 isin 119875
119891(120575119894 120579119894)
The cost of constructing a fake traffic generatorhoneypot where 119894 isin 119876
119905(120575119894 120576119894 120579119894)
The cost of constructing a honeypot equippedwith false target and fake traffic functions where119894 isin 119877
119861NL The budget of constructing nodes and links119861proactive The budget of proactive defense resource119861special The budget of reactive defense resource119861virtualized The budget of virtualization119861honeypot The budget of honeypots119861reconfig The budget of reconfiguration functions119890 The total number of intermediate nodes
119902119894119895
The capacity of direct link between nodes 119894 and 119895where 119894 isin 119873 119895 isin 119873
119892(119902119894119895)
The cost of constructing a link from node 119894 tonode 119895 with capacity 119902
119894119895 where 119894 isin 119873 119895 isin 119873
119909119894
1 if node 119894 is equipped with false target functionand 0 otherwise where 119894 isin 119873
119910119894
1 if node 119894 is equipped with fake traffic generatingfunction and 0 otherwise where 119894 isin 119873
119911119894
1 if node 119894 is equipped with reconfigurationfunction and 0 otherwise where 119894 isin 119873
Survivability is a typical metric that measures networkperformance under intentional attacks or other failures Tra-ditionally network security status is divided into two discretetypes compromised and safe Typically when providingservices the evaluation criterion is the quality of servicebut applying this dichotomy of compromise and safetyignores the intermediate status For instance while underan attack the performance level of each service continuallydeclines Therefore network status should be represented ina continuous form [2] Hence in this paper survivability ischosen as themetric for describing network status Accordingto [2] survivability is defined as ldquoThe capability of a systemto fulfill its mission in a timely manner in the presence of
Journal of Applied Mathematics 3
Table 3 Verbal notations
Notation Description119866core119894 Loading of each residual core node 119894 where 119894 isin 119862
119880link119894 Link utilization of each link 119894 where 119894 isin 119871
119870effectNegative effect caused by applying fake trafficadjustment
119868effectNegative effect caused by applying dynamictopology reconfiguration
119869effect Negative effect caused by applying local defense
119874tocoreThe number of hops legitimate users experiencedfrom one boundary node to core nodes
119884 The total compromise events119882threshold The predefined threshold about QoS119882final The QoS level at the end of attack
119882(sdot)The value of QoS determined by 119866core119894 119880link119895 119870effect 119868effect 119869effect and 119874tocore where 119894 isin 119862 119895 isin 119871
120588defense119894
The total defense resource of the shortest pathfrom compromised nodes detected to core node 119894
divided by total defense resource where 119894 isin 119862
120591hops119894
The number of hops from compromised nodesdetected to core node 119894 divided by the number ofhops from attackerrsquos starting point where 119894 isin 119862
120596degree119894
The linking number of core node 119894 divided by themaximum number in the topology where 119894 isin 119862
119904119894
priority119895
The priority of service 119895 provided by core node 119894
divided by the maximum service priority in thetopology where 119894 isin 119878 119895 isin 119862
120573threshold The risk threshold of core nodes
120573(sdot)
The risk status of each core node which is theaggregation of defense resource number of hopslink degree and service priority
Table 4 Environment Parameters
Testing platformProgramming language CCompiler GNU GCC 462Total evaluation times 60000Distributions applied to describe attackersrsquoattributes Normal distribution
attacks failure or accidents including networks and large-scale systems of systemsrdquo
Along with the concept of survivability the vulnerabilityof each node is determined by the Contest Success Function(CSF) which is also applied in [7ndash10] CSF originates fromthe economic rent seeking problem found in EconomicTheory This method also applies a continuous approach tothe problem The form of the CSF is success probability =
119879119898
(119879119898
+ 119905119898
) when applied to attack and defense scenarioswhere 119879 represents the resources invested by the attacker and119905 stands for resources deployed by the defender Further 119898
is known as contest intensity which illustrates the nature ofthe battle while success probability is the probability of anode being compromised When the value 119898 is between 0and 1 it represents ldquofight to win or dierdquo circumstance [11]
Table 5 Parameters for defender
Parameters ValueTopology type Scale-free networkNumber of nodes 49Number of core nodes (each service) 6 (1 2 3)Number of terminal nodes 5Number of services 3Weight of each service 1 2 3Number of users 30Defender total budget 1700000Topology construction budget 700000Proactive defense budget 400000Reactive defense budget 600000
Table 6 Parameters for attacker
Parameters Value
Total attack budget A normal distribution with lower bound300000 and upper bound 1500000
Capability A normal distribution with lower bound120576 and upper bound 1
Aggressiveness A normal distribution with lower bound01 and upper bound 09
Attackerrsquos objective Service disruption or steal confidentialinformation
which means the effectiveness of resources is insignificantFor 119898 ge 1 the effectiveness of resources invested by bothsides is exponentially increasing If 119898 closes to infin it standsfor a ldquowinner takes allrdquo circumstance significant advantage isgranted to the stronger side even if that side is stronger byonly one invested resource [12]
There are many popular methodologies applied for solv-ing survivability problems In recent years game theory is awidely used one Nevertheless in [3] the authors point outthat this solution approach is limited for deterministic sce-narios Even the emerging branch of game theory stochasticgame is still confined with this assumption that all valuesof probabilistic variables have to be determined before theattack and defense starts This feature has a negative effecton creating cyber attack and defense scenario since in realworld decisions made during attack and defense dependon current status Given all values of variables makes thescenario far from reality
For example when choosing a victim from candidatenodes an attacker should apply information like the loadingof each node traffic amount on each link andor number ofusers on each node to evaluate the importance of all candi-dates Then choosing the most appropriate one as the targetyet the restriction of game theory enforces the choosingprobability which should be determined at the beginning ofthe cyber warfare In other words those variations happenedduring attack and defense like traffic reroute link statusnode conditions are ignored Consequently in this workMonte Carlo simulation is applied to consider hopefully andcover every angle in the attack and defense scenario
4 Journal of Applied Mathematics
2 Problem Formulation
21 Problem Description In order to improve system sur-vivability the defender deploys both proactive and reactivedefense resources to confront different attacks Proactivedefense resources are deployed before an attack is launchedIn this paper proactive resources include a firewall systemantivirus software detection techniques such as IntrusionDetection System (IDS) and Intrusion Protection System(IPS)
Alternatively reactive defense resources are activatedduring an attack as an immediate action for the defenderThe mechanisms considered in this paper can strengthendefenses provide deception and provide resource concentra-tion
For strengthening defenses since the scenario consideredin this paper is constructed in a virtualized environment anumber of Virtual Machines (VMs) are governed by a Vir-tual Machine Monitor (VMM) that controls all informationdetails for all VMs When an attack event is detected localdefense functions for each VMM are activated automaticallyto raise the defense capability of the virtualized nodes belong-ing to the same VMM However this mechanism does notalways create positive effects Once an attacker determinesthat the target network is a virtualized environment anddiscovers the existence of a VMM he can compromise theVMM through vulnerabilities in APIs [13] If the VMMis compromised all VMs belonging to this VMM are alsocompromised
Deceptionmechanisms are widely applied in defense andin this paper honeypots are considered to distract attackersAccording to [14ndash17] honeypots not only serve as a passivedecoy fooling attackers into believing they have achievedtheir goal and preemptively terminating the attack but alsoas an active lure that acts as a service-providing node toattract attackers The former is known as a false target andthe latter can be implemented by a fake core node thatspreads service-like traffic to attract attackers When facingdifferent attackers the deceiving probability of each honeypotis differentThis probability is jointly determined by attackersrsquocapability and the interaction level of a honeypot
As for resource concentration by modifying the con-cept of ldquorotationrdquo discussed in [18ndash20] and adapting it toour scenario the defender can adopt dynamic responsivestrategies to improve system survivability Hence whileunder an attack the defender can apply dynamic topologyreconfiguration to exchange the neighbor of one core nodewhich has the strongest defensive resources with a node thatis close to the attackerrsquos current location
However since dynamic topology reconfigurationrequires node rotation it negatively impacts QoS Thereforeunless the risk level of a core node exceeds a predefinedthreshold the defender will not activate this mechanismFurthermore false positive and false negative situations forevery defense mechanism are considered
In addition to the defense mechanisms described abovethe following attributes are also considered for creating arealistic attack-defense scenario
211 Goal Generally attackers target a network to eitherdisrupt services or to compromise servers and steal sensitiveinformation Therefore in this paper an attackerrsquos goal maybe service disruption or the theft of confidential informationService disruption is achieved by ensuring that the minimallevel of service quality is not fulfilled In the case of infor-mation theft attackers usually establish their target beforelaunching an attack and once core nodes with the desiredinformation are compromised the defenders lose
212 Budget Budget stands for the primary resources for anattack including money manpower computing effort timeand other important factors Without sacrificing generalityan attackersrsquo budget follows a general distribution Whendetermining the result of a compromising event for exampleone attacker invests a certain amount of attack resources oncompromising the target node and the CSF is applied todecide the compromised probability In contrast with [21] and[22] if an attacker invests more resources than the defenderon a given target node it is not guaranteed that the attackerwins it only raises the compromised probability
213 Capability This criterion depicts an attackersrsquo profi-ciency and is also described by a general distribution Forhighly proficient attackers there is a high probability thatthey will see through reactive defense mechanisms such ashoneypots
214 Attack Type In general a malicious attacker launchesan attack from one of the boundary nodes which is com-monly considered an external attack In contrast otherattacks can be launched by malicious insiders and causemore severe consequences [13] Malicious insiders are ableto choose an internal node as their starting position forcompromising the network
In the real world external attackers may apply socialengineering to escalate their access privileges This mecha-nism allows the attacker to bypass some proactive defensefacilitates like a firewall As a result attackers have an edgeon compromising the network
In order to best mimic real-world conditions all attacktypes discussed above are considered in this paper
215 Aggressiveness This metric describes the preferredcompromised probability of an attacker when attacking atarget node This attribute is highly dependent on budgetsince the compromised probability is the left-hand side of theCSF In other words the attack resources required for com-promising a target node are calculated by the given defenseresources contest intensity (119898) and attackerrsquos aggressivenessHighly aggressive attackers prefer a high success probabilityand like to spend a larger amount of resources to compromisethe target node than less aggressive attackers An attackerrsquosaggressiveness is determined by a general distribution
216 NextHop SelectionCriterion In this paper the attackersare assumed to have incomplete information and imperfectknowledge Since they can only gather local information
Journal of Applied Mathematics 5
(1) Attackers only have incomplete information(2) The defender only has incomplete information regarding the network since there are unaware vulnerabilities(3) A service is provided by multiple core nodes(4) Each service has different weights(5) One virtual machine only provides one service(6) Only malicious nodal attacks are considered(7) The compromise probability of a target node is determined by the Contest Success Function (CSF)
Box 1 Problem assumptions
such as the defense level of one hop neighbors link trafficor link utilization attackers must use available informationwisely to choose a proper strategy to select the next victimInspired by the seminal work of [23] possible attack strategiesmay be developed based on the quantity of proactive defenseresources link utilization or a portion of the target servicetraffic of each candidate node Additionally this paper alsoconsiders a more irrational strategy of a blind attack
By applying general distributions to describe attacker-related attributes the total number of attacker categories isnearly infinite This feature increases the generalizability ofour model The detailed assumptions are described in Box 1
To describe the attack procedures in more detail wedevelop the following idea to explain the interaction betweenthe defender and attackers The following figures are drawnfrom the attackerrsquos view for clarity In other words all figuresare a logical topology that has been already virtualizedsince one physical machine may represent many VMs Theexplanations of components are listed in Figure 1
First the defender deploys proactive defense resource oneach node and the attacker starts to compromise the networkfrom the edge nodes (119878) Before launching an attack theattacker probes all the candidate nodes to gather sufficientinformation and determine the next hop selection criterionfor this compromise event By applying the next hop selectioncriterion the victim is chosen The result of this compromiseevent is determined by the CSF If the target is compromisedit becomes a spring board for attackers to assault otheruncompromised neighbors Corresponding information isshown in Figure 2 The topology demonstrated in Figures 2and 3 for presentation purposes the topology structureimplemented in the simulations is a scale-free network
The risk level of each core node is evaluated by minimumdefense resources the number of hops the link degree andservice priority Minimum defense resource stands for theshortest path from compromised nodes to one core nodedivided by total defense resources The number of hops isdetermined by the minimum number of hops from com-promised nodes to one core node divided by the maximumnumber of hops from the attackersrsquo starting point to one corenode Link degree is the linking number of each core nodedivided by the maximum linking number in the topologyService priority is the weight of the service that is providedby the target core node divided by the highest weight ofservice in the topology If any of the core nodes is in dangerthe defender can activate defense mechanisms such as afake traffic generator and a dynamic topology reconfigurationunder QoS limitations
S
Reconfiguration
Reconfiguration
Reconfiguration
VM
Reconfiguration
VM
Figure 1 Explanations of Components
Reconfiguration
VMReconfiguration iiiiiiionnoooooooooonnnooooonnn
S
Reconfiguration
Reconfiguration
VM
Figure 2 Sample network and resource allocation scheme
When the defender activates a dynamic topology recon-figuration only nodes implemented with the reconfigurationfunction are considered First the defender chooses theleast proactively defended neighbor with the reconfigurationfunction of a risky core node The defender then selectsanother node that is both not a neighbor of the core nodeand the most proactively defended nearby the node selectedfrom the previous step If there is a fake traffic generatinghoneypot the defender is also able to activate the mechanismfor influencing an attackerrsquos next hop selecting criterion
In the event that attackers attack the virtualized nodesand this malicious event is detected by the defender the local
6 Journal of Applied Mathematics
Given(1) all possible defense configurations set including defense resource allocation and defending strategies(2) all possible attack configurations set including attacker attributes strategies and selection criterion(3) the total attack times on each serviceObjectiveto minimize the service compromised probability of the target networkSubject to(1) budget constrain for both the defender and attackers(2) the minimum QoS requirement for legitimate usersTo determinethe effective defense strategies to allocate resources
Box 2 Problem description
078
079
08
081
082
083
084
1000 2000 3000 4000 5000 6000 7000 8000 9000 10000
Serv
ice c
ompr
omise
d pr
obab
ility
Evaluation times
m = 01
m = 03
m = 05
m contest intensity
Figure 3 A possible result of an attack and defense scenario
defense mechanism is activated automatically Consequentlythe defense level increases for the attacked node the VMMand the rest of this virtualized group If attackers see that thenode is under a virtualized environment they may continueto compromise the VMM
When a core node is compromised the defender mustevaluate whether the performance level still fulfills theminimum QoS requirement and update the degree of riskregarding each core node If an attacker targets multipleservices once they compromise a false target honeypot andare deceived by it they will change their target to the nextservice Finally if attackers exhaust their budget the attackis terminated and the defender wins the battle One possibleresult is shown in Figure 3 A structural description of theproblem is presented in Box 2
22 Mathematical Formulation The scenario discussed pre-viously is modeled as a minimization problem given theparameters and decision variables shown in Tables 1 and2 respectively Furthermore since the high amount ofrandomness involved renders the nature of this problemnondeterministic it is quite difficult to formulate this prob-lem purely through mathematics To explain the nondeter-ministic nature the following example is used considering
two adversaries with the same attack strategy since theproblem is nondeterministic the consequences can be totallydifferent One may be distracted by a honeypot and the othermay successfully achieve the goal This feature dramaticallyexpands the width in survivability studies Further the sce-nario considered in this work gives the defender the averagesurvivability analysis of a network
There are three major reasons that an average surviv-ability analysis is more meaningful for the defender Firstin the real world there are only few adversaries holdingldquocompleterdquo information regarding the target network Thiskind of ldquoworst caserdquo rarely happen Secondly analyzing theworst case though gives a defender the lower bound of net-work survivability Nevertheless it overestimates the budgetrequired for defending a network An average survivabilityanalysis makes conclusions closer to reality Last but not theleast in average case analysis if the defenderwants to evaluatethe survivability when facing a stronger adversary it canbe achieved by simply tuning the parameter Average caseanalysis is flexible and adjustable according to the demandof a defender
Thus to well describe the problem some verbal notationsand constraints are included which are shown in Table 3
Objective function
min997888119863119894
sum119894isin119878
[120572119894times sum119865119894
119895=1119879119894119895
(997888119863119894997888997888119860119894119895)]
sum119894isin119878
(120572119894times 119865119894)
(IP 1)
subject tomathematical constraints
997888119863119894isin 119864 forall119894 isin 119878 (IP 11)
997888997888119860119894119895
isin 119885 forall119894 isin 119878 1 le 119895 le 119865119894 (IP 12)
119902119894119895
ge 0 forall119894 119895 isin 119873 (IP 13)
119909119894+ 119910119895
ge 1 forall119894 119895 isin 119867 (IP 14)
119888119894ge 120582 forall119894 isin 119885 (IP 15)
119861NL + 119861proactive + 119861reactive le 119861 (IP 16)
119861virtualized + 119861honeypot + 119861reconfig le 119861reactive (IP 17)
Journal of Applied Mathematics 7
119908 times 119890 + 119900 times 119862 +
sum119894isin119873
sum119895isin119873
119892 (119902119894119895)
2le 119861NL (IP 18)
sum
119894isin119873
119899119894le 119861proactive (IP 19)
sum
119894isin119872
V (119897119894) + 119901 times sum
119894isin119872
119897119894times 119896119894le 119861virtualized (IP 110)
sum
119894isin119875
119909119894times ℎ (120575
119894 120576119894) + sum
119895isin119876
119910119895
times 119891 (120575119895 120579119895)
+ sum
119894isin119873
sum
119895isin119873
119909119894times 119910119895
times 119905 (120575119894 120576119894 120579119895) le 119861honeypot
(IP 111)
sum
119894isin119873
119911119894times 119903 le 119861reconfig (IP 112)
119908 times 119890 ge 0 (IP 113)
119892 (119902119894119895) ge 0 forall119894 119895 isin 119873 (IP 114)
119899119894ge 0 forall119894 isin 119873 (IP 115)
V (119897119894) ge 0 forall119894 isin 119872 (IP 116)
ℎ (120575119894 120576119894) ge 0 forall119894 isin 119875 (IP 117)
119891 (120575119895 120579119895) ge 0 forall119895 isin 119876 (IP 118)
119905 (120575119894 120576119894 120579119895) ge 0 forall119894 isin 119873 (IP 119)
119909119894= 0 or 1 forall119894 isin 119873 (IP 120)
119910119894= 0 or 1 forall119894 isin 119873 (IP 121)
119911119894= 0 or 1 forall119894 isin 119873 (IP 122)
verbal constraints
int119884
119910=1[119882 (119866core119894 119880link119895 119870effect 119868effect 119869effect 119874tocore)] 119889119910
119884
ge 119882threshold where 119894 isin 119862 119895 isin 119871
(IP 123)
119882final ge 119882threshold (IP 124)
For each core node when
120573 (120588defense 120591hops 120596degree 119904priority119894
) ge 120573threshold
where 119894 isin 119878
(IP 125)
the defender can activate the reactive defense mechanismsThe goal of the objective function is to minimize the
compromised service probability which is modeled as theweighted total of successful attacks divided by the totalweighted number of attacks The result of an attack is deter-mined by 119879
119894119895(997888119863119894997888997888119860119894119895) For each service the defender con-
structs a defense configuration including defense resource
allocation anddefending strategies to oppose attackers target-ing the service with different attack configurations includingattacker attributes strategies and transition rules Not onlymalicious attacks but also QoS issues are taken into consider-ation
Equation (IP 11) stands for the feasibility of the defenseconfiguration of each service For the attacking side (IP 12)
denotes that the attack configuration should be feasibleEquation (IP 16) denotes that the summation of defenseresources spent should not exceed total budget 119861 Equations(IP 17)sim(IP 119) jointly restrain the budget of each type ofdefense resource individually Equations (IP 120)sim(IP 122)
impose binary restrictions on decision variables Finally(IP 123)sim(IP 125) jointly represent that the performancereduction caused by either malicious attacks or activatingreactive defense mechanisms should not violate the QoSrequirement
3 Numerical Analysis
In this paper a scale-free network is constructed for evalua-tion since this structure is similar to real-world forms suchas the Internet The implementation algorithm is referencedfrom [24]
31 Simulation Environment Table 4 presents the systemexperiment parameters Defender-related parameters areillustrated in Table 5 The unit of budget is dollar Forattackers the parameters are shown in Table 6
The value of each attackerrsquos budget capability and aggres-siveness is governed by a normal distribution with differentlower and upper bounds
32 Numerical Result As mentioned previously the ContestSuccess Function is applied for quantifying vulnerabilityThevalue of contest intensity is classified into two groups scoresgreater than 1 and scores smaller than 1
321 Convergence The first issue to address before con-structing meaningful simulations is convergence In thispaper the convergence of data is considered as numericalstability While the magnitude of data vibrations is withinthe acceptable interval for example 02 the correspondingnumber of simulation times (119872) is set as the number ofevaluations for each attack and defense scenario
For rigorousness in convergence experiments the effectof contest intensity is jointly consideredThree different mag-nitudes are simulated on a 49 node scale-free network Forthe following experiments in this subsection the horizontalaxis represents the evaluation of the number of attacks andthe vertical axis stands for the network system compromisedprobability which is the objective function of the proposedmathematical model
Figures 4 and 5 show the result of 10000 simulations withdifferent contest intensity Here it is clear that the value ofservice compromised probability is unstable In Figures 6 and7 the vibration becomes alleviative but is still not convergentWhen the number of simulations is raised to 100000 as
8 Journal of Applied Mathematics
078
079
08
081
082
083
084
1000 2000 3000 4000 5000 6000 7000 8000 9000 10000
Evaluation times
Serv
ice c
ompr
omise
d pr
obab
ility
m = 15
m = 17
m = 19
m contest intensity
Figure 4 Convergence test on 119898 lt 1 group for 10000 simulations
075076077078079
08081082083084
1000
4000
7000
1000
013
000
1600
019
000
2200
025
000
2800
031
000
3400
037
000
4000
043
000
4600
049
000
Evaluation times
Serv
ice c
ompr
omise
d pr
obab
ility
m = 01
m = 03
m = 05
m contest intensity
Figure 5 Convergence test on 119898 gt 1 group for 10000 simulations
shown in Figures 8 and 9 there is a stable trend after 60000among all different values of contest intensity
From Figures 4 to 9 it is clear that the 60000 simulationsare a large enough number to give converging results amongall values of contest intensityTherefore 119872 is set to be 60000
322 Analysis of Key Factors Influencing Service CompromisedProbability Contest intensity has great influence on thenature of network attack and defense However as shown inFigure 10 there is no consistent tendency between contestintensity and service compromised probability The sameconclusions also appear in [8ndash10]
If the effects of contest intensity and attackerrsquos aggressive-ness are jointly considered there are some meaningful andexplainable results
In Figure 11 three value intervals of aggressivenessincluding 01 to 09 (average) 01 to 05 (less aggressive) and05 to 09 (aggressive) are simulated among different values ofcontest intensity It is clear that when both the effect of contestintensity and an attackrsquos aggressiveness are considered thereare consistent trends For aggressive attackers it is more
078
079
08
081
082
083
084
1000
4000
7000
1000
013
000
1600
019
000
2200
025
000
2800
031
000
3400
037
000
4000
043
000
4600
049
000
Evaluation times
Serv
ice c
ompr
omise
d pr
obab
ility
m = 15
m = 17
m = 19
m contest intensity
Figure 6 Convergence test on 119898 lt 1 group for 50000 simulations
075076077078079
08081082
1000
6000
1100
016
000
2100
026
000
3100
036
000
4100
046
000
5100
056
000
6100
066
000
7100
076
000
8100
086
000
9100
096
000
Evaluation times
Serv
ice c
ompr
omise
d pr
obab
ility
m = 01
m = 03
m = 05
m contest intensity
Figure 7 Convergence test on 119898 gt 1 group for 50000 simulations
advantageous to have higher values of contest intensityAlternatively less aggressive attackers have leverage whenthe value of contest intensity is small However for averageattacks there is no clear tendency
The value of contest intensity is separated into high-valueand low-value groups Here Figure 12 illustrates the variationof service compromised probability in low-level contestintensity groups when facing less aggressive attackers Whilein Figure 12 the objective function value presents a lineardecreasing form Figure 13 demonstrates an exponentiallydecreasing from
Figures 14 and 15 also present a similar phenomenonwhen facing aggressive attackers the variation of servicecompromised probability shows an exponentially increasingtrend for contest intensity belonging to the low-level groupFor the high-level group the tendency is more linear
According to the previous results the key factors influ-encing service compromised probability include contestintensity and attack aggressivenessThese results are summa-rized in Figure 16
Journal of Applied Mathematics 9
075076077078079
08081082083
1000
6000
1100
016
000
2100
026
000
3100
036
000
4100
046
000
5100
056
000
6100
066
000
7100
076
000
8100
086
000
9100
096
000
Evaluation times
Serv
ice c
ompr
omise
d pr
obab
ility
m = 15
m = 17
m = 19
m contest intensity
Figure 8 Convergence test on119898 lt 1 group for 100000 simulations
076
077
078
079
08
081
082
Serv
ice c
ompr
omise
d pr
obab
ility
m = 15
m = 17
m = 19
m = 01
m = 03
m = 05
Aggressiveness = 01sim09
m contest intensity
Figure 9 Convergence test on 119898 gt 1 group for 100000 simula-tions
4 Discussion of Results
Based on the simulation results some interesting and mean-ingful arguments are presented in this section
41 The Effectiveness of Resources Invested by the Defenderand Attackers Is Highly Dependent on the Nature of BattleThe objective function value shown in Figure 12 presents alinear decreasing form when the contest intensity belongsto a low-level group and the defender is dealing with lessaggressive attackers The reason is that the effectiveness ofresources invested by both players is insignificant Thus theservice compromised probability is less sensitive with contestintensity under ldquofight to win or dierdquo circumstances
Furthermore less aggressive attackers only invest fewresources into compromising a target With the same totalbudget they are capable of launching more attacks thanaggressive attackers Therefore the service compromisedprobability of less aggressive attackers is much higher thanmore aggressive attackers
00102030405
06
07
0809
1
Contest intensity m
Serv
ice c
ompr
omise
d pr
obab
ility
m = 15 m = 17 m = 19m = 01 m = 03 m = 05
Aggressiveness = 01sim09Aggressiveness = 05sim09Aggressiveness = 01sim05
Figure 10 Service compromised probability under different contestintensity
075076077078079
08081082083084085086087
m = 01
m = 03
m = 05
Aggressiveness = 01sim05
Serv
ice c
ompr
omise
d pr
obab
ility
m contest intensity
Figure 11 Effect of Aggressiveness among Different Contest Inten-sity
In the case of ldquowinner takes allrdquo Figure 13 illustrates anexponentially decreasing trend among service compromisedprobability this is because the effectiveness of resourcesinvested is significant to the result of a battle With a largervalue of contest intensity the vantage of a defender againstless aggressive attackers is more obvious
On the contrary for aggressive attackers there is anexponentially increasing tendency under ldquofight to win ordierdquo circumstances Since the contest intensity serves asthe exponent of the Contest Success Function when thevalue increases the effectiveness of resources invested growsexponentially This is further shown in Figure 14
Nevertheless the exponential tendency does not appearthrough all values of contest intensity For the ldquowinner takesallrdquo circumstance in Figure 15 the increasing rate of service
10 Journal of Applied Mathematics
063064065066067068069
07071072073074075
m = 15
m = 17
m = 19
Aggressiveness = 01sim05
Serv
ice c
ompr
omise
d pr
obab
ility
m contest intensity
Figure 12 Service compromised probability of less aggressive at-tacker under 119898 lt 1 circumstance
0
01
02
03
04
05
06
07
m = 01
m = 03
m = 05
Aggressiveness = 05sim09
Serv
ice c
ompr
omise
d pr
obab
ility
m contest intensity
Figure 13 Service compromised probability of less aggressive at-tacker under 119898 gt 1 circumstance
085
086
087
088
089
09
m = 15
m = 17
m = 19
Aggressiveness = 05sim09
Serv
ice c
ompr
omise
d pr
obab
ility
m contest intensity
Figure 14 Service compromised probability of aggressive attackerunder 119898 lt 1 circumstance
0
02
04
06
08
1
Prob
abili
ty
Contest intensity mm = 15 m = 17 m = 19
m = 01 m = 03 m = 05
Aggressiveness = 01sim05Aggressiveness = 05sim09
Figure 15 Service compromised probability of aggressive attackerunder 119898 gt 1 circumstance
0
02
04
06
08
1
Prob
abili
ty
Contest intensity mm = 15 m = 17 m = 19
m = 01 m = 03 m = 05
Aggressiveness = 01sim05Aggressiveness = 05sim09
Figure 16 Comparison of service compromised probability underdiverse contest intensity and aggressiveness
compromised probability slows down when contest intensitybecomes higherThis is because although aggressive attackersprefer to gain an edge by spending more attack resourcesto compromise a target each compromise costs significantresources Thus aggressive attackers run out of budget veryquickly and the increasing trend is not exponential
42 Proactive Defense Is Advantageous under ldquoWinner TakesAllrdquo Circumstance According to previous discussions theeffectiveness of resources invested is significant under ldquowin-ner takes allrdquo circumstances For less aggressive attackers theperformance is poor since they only invest few resources onan attack Aggressive attackers tend to spend a larger quantityto compromise a target If a defender raises the quantity ofdefense resources on important nodes it effectively weakensattackers
Consequently regardless of whether defenders face eitheraggressive or less aggressive attackers a proactive defenseperforms better in deterring attackers
43 Reactive Defense Is Advantageous under ldquoFight to Winor Dierdquo Circumstance Similarly under the ldquofight to win
Journal of Applied Mathematics 11
or dierdquo circumstance the effectiveness of defense resourcesis insignificant No matter how many proactive defenseresources are invested there is only limited influence onthe objective function value In other words less aggressiveattackers can compromise a target even by only investingscarce attack resources For aggressive attackers since theyprefer spending a large quantity of resources on compromis-ing a victim they easily run out of resources before a targetservice is compromised
Based on this analysis it is advantageous for the defenderto apply reactive defense mechanisms against maliciousattackers under ldquofight to win or dierdquo circumstance
5 Conclusions
This paper models an attack and defense scenario thatinvolves high amounts of randomness as mathematical for-mulations where attackers are assumed to have incompleteinformation It further considers a virtualization environ-ment for helping relate these results to recent trends in cloudcomputing
According to the simulation results the outcome of acontest is influenced not only by the quantity of defenseresources invested on each node but also by the contestintensity An attackerrsquos aggressiveness is introduced as a newdimension and meaningful results are discovered Effectivedefense strategies are proposed in the discussion of theresults
For future works collaborative attacks should be takeninto consideration since the attack strategy discussed in thispaper is for individual attacks In other words there is onlyone attack targeting a victimrsquos network at a time Thus nosynergy is considered A more complicated collaborativeattack pattern is worth further study
Acknowledgment
This work was supported by the National Science CouncilTaiwan (Grant nos NSC 102-2221-E-002-104 and NSC 101-2218-E-011-009)
References
[1] IBM Internet Security Systems X-Force research and devel-opment team ldquoIBM X-Force 2010 Mid-Year Trend and RiskReportrdquo IBM August 2010
[2] R J Ellison D A Fisher R C Linger H F Lipson T Longstaffand N R Mead ldquoSurvivable network systems an emergingdisciplinerdquo Tech Rep CMUSEI-97-TR-013 1997
[3] S Roy C Ellis S Shiva D Dasgupta V Shandilya and Q WuldquoA survey of game theory as applied to network securityrdquo inProceedings of the 43rd Annual Hawaii International Conferenceon System Sciences (HICSS rsquo10) January 2010
[4] M N Lima A L D Santos and G Pujolle ldquoA survey of sur-vivability in mobile Ad hoc Networksrdquo IEEE CommunicationsSurveys and Tutorials vol 11 no 1 pp 66ndash77 2009
[5] Z Ma ldquoTowards a unified definition for reliability survivabilityand resilience (I) the conceptual framework inspired by thehandicap principle and ecological stabilityrdquo in Proceedings of theIEEE Aerospace Conference pp 1ndash12 March 2010
[6] F Xing and W Wang ldquoOn the survivability of wireless adHOC networks with node misbehaviors and failuresrdquo IEEETransactions on Dependable and Secure Computing vol 7 no3 pp 284ndash299 2010
[7] S Skaperdas ldquoContest success functionsrdquo EconomicTheory vol7 no 2 pp 283ndash290 1996
[8] G Levitin and K Hausken ldquoFalse targets efficiency in defensestrategyrdquo European Journal of Operational Research vol 194 no1 pp 155ndash162 2009
[9] K Hausken and G Levitin ldquoProtection vs false targets in seriessystemsrdquo Reliability Engineering and System Safety vol 94 no5 pp 973ndash981 2009
[10] G Levitin and K Hausken ldquoPreventive strike vs false targetsand protection in defense strategyrdquo Reliability Engineering andSystem Safety vol 96 no 8 pp 912ndash924 2011
[11] J Hirshleifer ldquoConflict and rent-seeking success functions ratiovs difference models of relative successrdquo Public Choice vol 63no 2 pp 101ndash112 1989
[12] J Hirshleifer ldquoThe paradox of powerrdquo Economics and Politicsvol 3 pp 177ndash200 1993
[13] J Archer A Boehme D Cullinane P Kurtz N Puhlmannand J Reavis ldquoTop Threats to Cloud Computing V 10rdquo CloudSecurity Alliance March 2010
[14] H Debar F Pouget and M Dacier ldquoWhite paper lsquoHoney-pot Honeynet Honeytoken Terminological issuesrsquordquo InstitutEurecom Research Report RR-03-081 2003
[15] B Cheswick ldquoAn evening with berferd in which a cracker islured endured and studiedrdquo in Proceedings of the USENIXConference pp 163ndash174 USENIX 1992
[16] C Seifert I Welch and P Komisarczuk ldquoTaxonomy of honey-potsrdquo Tech Rep CS-TR-0612 2006
[17] M H y Lopez and C F L Resendez ldquoHoneypots basicconcepts classification and educational use as resources ininformation security education and coursesrdquo in Proceedings ofthe Informing Science and IT Education Conference 2008
[18] Y Huang D Arsenault and A Sood ldquoClosing cluster attackwindows through server redundancy and rotationsrdquo in Pro-ceedings of the 6th IEEE International Symposium on ClusterComputing and the Grid (CCGRID rsquo06) May 2006
[19] YHuang D Arsenault andA Sood ldquoIncorruptible self-cleans-ing intrusion tolerance and its application to DNS securityrdquoJournal of Networks vol 1 no 5 pp 21ndash30 2006
[20] M Smith C Schridde and B Freisleben ldquoSecuring stateful gridservers through virtual server rotationrdquo in Proceedings of the17th International Symposium on High Performance DistributedComputing (HPDC rsquo08) pp 11ndash22 June 2008
[21] F Y-S Lin Y-S Wang and P-H Tsang ldquoEfficient defensestrategies to minimize attackersrsquo success probabilities in hon-eynetrdquo in Proceedings of the 6th International Conference onInformation Assurance and Security (IAS rsquo10) pp 80ndash85 August2010
[22] F Y-S Lin Y-S Wang P-H Tsang and J-P Lo ldquoRedundancyand defense resource allocation algorithms to assure servicecontinuity against natural disasters and intelligent attacksrdquo inProceedings of the 5th International Conference on BroadbandWireless Computing Communication andApplications (BWCCArsquo10) pp 206ndash213 November 2010
[23] F Cohen ldquoManaging network security attack and defencestrategiesrdquo Network Security vol 1999 no 7 pp 7ndash11 1999
[24] S Nagaraja and R Anderson ldquoDynamic topologies for robustscale-free networksrdquo Bio-Inspired Computing and Communica-tion vol 5151 pp 411ndash426 2008
Submit your manuscripts athttpwwwhindawicom
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Mathematical Problems in Engineering
Hindawi Publishing Corporationhttpwwwhindawicom
Differential EquationsInternational Journal of
Volume 2014
Applied MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Probability and StatisticsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Mathematical PhysicsAdvances in
Complex AnalysisJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
OptimizationJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
CombinatoricsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Operations ResearchAdvances in
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Function Spaces
Abstract and Applied AnalysisHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of Mathematics and Mathematical Sciences
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Algebra
Discrete Dynamics in Nature and Society
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Decision SciencesAdvances in
Discrete MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom
Volume 2014 Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Stochastic AnalysisInternational Journal of
Journal of Applied Mathematics 3
Table 3 Verbal notations
Notation Description119866core119894 Loading of each residual core node 119894 where 119894 isin 119862
119880link119894 Link utilization of each link 119894 where 119894 isin 119871
119870effectNegative effect caused by applying fake trafficadjustment
119868effectNegative effect caused by applying dynamictopology reconfiguration
119869effect Negative effect caused by applying local defense
119874tocoreThe number of hops legitimate users experiencedfrom one boundary node to core nodes
119884 The total compromise events119882threshold The predefined threshold about QoS119882final The QoS level at the end of attack
119882(sdot)The value of QoS determined by 119866core119894 119880link119895 119870effect 119868effect 119869effect and 119874tocore where 119894 isin 119862 119895 isin 119871
120588defense119894
The total defense resource of the shortest pathfrom compromised nodes detected to core node 119894
divided by total defense resource where 119894 isin 119862
120591hops119894
The number of hops from compromised nodesdetected to core node 119894 divided by the number ofhops from attackerrsquos starting point where 119894 isin 119862
120596degree119894
The linking number of core node 119894 divided by themaximum number in the topology where 119894 isin 119862
119904119894
priority119895
The priority of service 119895 provided by core node 119894
divided by the maximum service priority in thetopology where 119894 isin 119878 119895 isin 119862
120573threshold The risk threshold of core nodes
120573(sdot)
The risk status of each core node which is theaggregation of defense resource number of hopslink degree and service priority
Table 4 Environment Parameters
Testing platformProgramming language CCompiler GNU GCC 462Total evaluation times 60000Distributions applied to describe attackersrsquoattributes Normal distribution
attacks failure or accidents including networks and large-scale systems of systemsrdquo
Along with the concept of survivability the vulnerabilityof each node is determined by the Contest Success Function(CSF) which is also applied in [7ndash10] CSF originates fromthe economic rent seeking problem found in EconomicTheory This method also applies a continuous approach tothe problem The form of the CSF is success probability =
119879119898
(119879119898
+ 119905119898
) when applied to attack and defense scenarioswhere 119879 represents the resources invested by the attacker and119905 stands for resources deployed by the defender Further 119898
is known as contest intensity which illustrates the nature ofthe battle while success probability is the probability of anode being compromised When the value 119898 is between 0and 1 it represents ldquofight to win or dierdquo circumstance [11]
Table 5 Parameters for defender
Parameters ValueTopology type Scale-free networkNumber of nodes 49Number of core nodes (each service) 6 (1 2 3)Number of terminal nodes 5Number of services 3Weight of each service 1 2 3Number of users 30Defender total budget 1700000Topology construction budget 700000Proactive defense budget 400000Reactive defense budget 600000
Table 6 Parameters for attacker
Parameters Value
Total attack budget A normal distribution with lower bound300000 and upper bound 1500000
Capability A normal distribution with lower bound120576 and upper bound 1
Aggressiveness A normal distribution with lower bound01 and upper bound 09
Attackerrsquos objective Service disruption or steal confidentialinformation
which means the effectiveness of resources is insignificantFor 119898 ge 1 the effectiveness of resources invested by bothsides is exponentially increasing If 119898 closes to infin it standsfor a ldquowinner takes allrdquo circumstance significant advantage isgranted to the stronger side even if that side is stronger byonly one invested resource [12]
There are many popular methodologies applied for solv-ing survivability problems In recent years game theory is awidely used one Nevertheless in [3] the authors point outthat this solution approach is limited for deterministic sce-narios Even the emerging branch of game theory stochasticgame is still confined with this assumption that all valuesof probabilistic variables have to be determined before theattack and defense starts This feature has a negative effecton creating cyber attack and defense scenario since in realworld decisions made during attack and defense dependon current status Given all values of variables makes thescenario far from reality
For example when choosing a victim from candidatenodes an attacker should apply information like the loadingof each node traffic amount on each link andor number ofusers on each node to evaluate the importance of all candi-dates Then choosing the most appropriate one as the targetyet the restriction of game theory enforces the choosingprobability which should be determined at the beginning ofthe cyber warfare In other words those variations happenedduring attack and defense like traffic reroute link statusnode conditions are ignored Consequently in this workMonte Carlo simulation is applied to consider hopefully andcover every angle in the attack and defense scenario
4 Journal of Applied Mathematics
2 Problem Formulation
21 Problem Description In order to improve system sur-vivability the defender deploys both proactive and reactivedefense resources to confront different attacks Proactivedefense resources are deployed before an attack is launchedIn this paper proactive resources include a firewall systemantivirus software detection techniques such as IntrusionDetection System (IDS) and Intrusion Protection System(IPS)
Alternatively reactive defense resources are activatedduring an attack as an immediate action for the defenderThe mechanisms considered in this paper can strengthendefenses provide deception and provide resource concentra-tion
For strengthening defenses since the scenario consideredin this paper is constructed in a virtualized environment anumber of Virtual Machines (VMs) are governed by a Vir-tual Machine Monitor (VMM) that controls all informationdetails for all VMs When an attack event is detected localdefense functions for each VMM are activated automaticallyto raise the defense capability of the virtualized nodes belong-ing to the same VMM However this mechanism does notalways create positive effects Once an attacker determinesthat the target network is a virtualized environment anddiscovers the existence of a VMM he can compromise theVMM through vulnerabilities in APIs [13] If the VMMis compromised all VMs belonging to this VMM are alsocompromised
Deceptionmechanisms are widely applied in defense andin this paper honeypots are considered to distract attackersAccording to [14ndash17] honeypots not only serve as a passivedecoy fooling attackers into believing they have achievedtheir goal and preemptively terminating the attack but alsoas an active lure that acts as a service-providing node toattract attackers The former is known as a false target andthe latter can be implemented by a fake core node thatspreads service-like traffic to attract attackers When facingdifferent attackers the deceiving probability of each honeypotis differentThis probability is jointly determined by attackersrsquocapability and the interaction level of a honeypot
As for resource concentration by modifying the con-cept of ldquorotationrdquo discussed in [18ndash20] and adapting it toour scenario the defender can adopt dynamic responsivestrategies to improve system survivability Hence whileunder an attack the defender can apply dynamic topologyreconfiguration to exchange the neighbor of one core nodewhich has the strongest defensive resources with a node thatis close to the attackerrsquos current location
However since dynamic topology reconfigurationrequires node rotation it negatively impacts QoS Thereforeunless the risk level of a core node exceeds a predefinedthreshold the defender will not activate this mechanismFurthermore false positive and false negative situations forevery defense mechanism are considered
In addition to the defense mechanisms described abovethe following attributes are also considered for creating arealistic attack-defense scenario
211 Goal Generally attackers target a network to eitherdisrupt services or to compromise servers and steal sensitiveinformation Therefore in this paper an attackerrsquos goal maybe service disruption or the theft of confidential informationService disruption is achieved by ensuring that the minimallevel of service quality is not fulfilled In the case of infor-mation theft attackers usually establish their target beforelaunching an attack and once core nodes with the desiredinformation are compromised the defenders lose
212 Budget Budget stands for the primary resources for anattack including money manpower computing effort timeand other important factors Without sacrificing generalityan attackersrsquo budget follows a general distribution Whendetermining the result of a compromising event for exampleone attacker invests a certain amount of attack resources oncompromising the target node and the CSF is applied todecide the compromised probability In contrast with [21] and[22] if an attacker invests more resources than the defenderon a given target node it is not guaranteed that the attackerwins it only raises the compromised probability
213 Capability This criterion depicts an attackersrsquo profi-ciency and is also described by a general distribution Forhighly proficient attackers there is a high probability thatthey will see through reactive defense mechanisms such ashoneypots
214 Attack Type In general a malicious attacker launchesan attack from one of the boundary nodes which is com-monly considered an external attack In contrast otherattacks can be launched by malicious insiders and causemore severe consequences [13] Malicious insiders are ableto choose an internal node as their starting position forcompromising the network
In the real world external attackers may apply socialengineering to escalate their access privileges This mecha-nism allows the attacker to bypass some proactive defensefacilitates like a firewall As a result attackers have an edgeon compromising the network
In order to best mimic real-world conditions all attacktypes discussed above are considered in this paper
215 Aggressiveness This metric describes the preferredcompromised probability of an attacker when attacking atarget node This attribute is highly dependent on budgetsince the compromised probability is the left-hand side of theCSF In other words the attack resources required for com-promising a target node are calculated by the given defenseresources contest intensity (119898) and attackerrsquos aggressivenessHighly aggressive attackers prefer a high success probabilityand like to spend a larger amount of resources to compromisethe target node than less aggressive attackers An attackerrsquosaggressiveness is determined by a general distribution
216 NextHop SelectionCriterion In this paper the attackersare assumed to have incomplete information and imperfectknowledge Since they can only gather local information
Journal of Applied Mathematics 5
(1) Attackers only have incomplete information(2) The defender only has incomplete information regarding the network since there are unaware vulnerabilities(3) A service is provided by multiple core nodes(4) Each service has different weights(5) One virtual machine only provides one service(6) Only malicious nodal attacks are considered(7) The compromise probability of a target node is determined by the Contest Success Function (CSF)
Box 1 Problem assumptions
such as the defense level of one hop neighbors link trafficor link utilization attackers must use available informationwisely to choose a proper strategy to select the next victimInspired by the seminal work of [23] possible attack strategiesmay be developed based on the quantity of proactive defenseresources link utilization or a portion of the target servicetraffic of each candidate node Additionally this paper alsoconsiders a more irrational strategy of a blind attack
By applying general distributions to describe attacker-related attributes the total number of attacker categories isnearly infinite This feature increases the generalizability ofour model The detailed assumptions are described in Box 1
To describe the attack procedures in more detail wedevelop the following idea to explain the interaction betweenthe defender and attackers The following figures are drawnfrom the attackerrsquos view for clarity In other words all figuresare a logical topology that has been already virtualizedsince one physical machine may represent many VMs Theexplanations of components are listed in Figure 1
First the defender deploys proactive defense resource oneach node and the attacker starts to compromise the networkfrom the edge nodes (119878) Before launching an attack theattacker probes all the candidate nodes to gather sufficientinformation and determine the next hop selection criterionfor this compromise event By applying the next hop selectioncriterion the victim is chosen The result of this compromiseevent is determined by the CSF If the target is compromisedit becomes a spring board for attackers to assault otheruncompromised neighbors Corresponding information isshown in Figure 2 The topology demonstrated in Figures 2and 3 for presentation purposes the topology structureimplemented in the simulations is a scale-free network
The risk level of each core node is evaluated by minimumdefense resources the number of hops the link degree andservice priority Minimum defense resource stands for theshortest path from compromised nodes to one core nodedivided by total defense resources The number of hops isdetermined by the minimum number of hops from com-promised nodes to one core node divided by the maximumnumber of hops from the attackersrsquo starting point to one corenode Link degree is the linking number of each core nodedivided by the maximum linking number in the topologyService priority is the weight of the service that is providedby the target core node divided by the highest weight ofservice in the topology If any of the core nodes is in dangerthe defender can activate defense mechanisms such as afake traffic generator and a dynamic topology reconfigurationunder QoS limitations
S
Reconfiguration
Reconfiguration
Reconfiguration
VM
Reconfiguration
VM
Figure 1 Explanations of Components
Reconfiguration
VMReconfiguration iiiiiiionnoooooooooonnnooooonnn
S
Reconfiguration
Reconfiguration
VM
Figure 2 Sample network and resource allocation scheme
When the defender activates a dynamic topology recon-figuration only nodes implemented with the reconfigurationfunction are considered First the defender chooses theleast proactively defended neighbor with the reconfigurationfunction of a risky core node The defender then selectsanother node that is both not a neighbor of the core nodeand the most proactively defended nearby the node selectedfrom the previous step If there is a fake traffic generatinghoneypot the defender is also able to activate the mechanismfor influencing an attackerrsquos next hop selecting criterion
In the event that attackers attack the virtualized nodesand this malicious event is detected by the defender the local
6 Journal of Applied Mathematics
Given(1) all possible defense configurations set including defense resource allocation and defending strategies(2) all possible attack configurations set including attacker attributes strategies and selection criterion(3) the total attack times on each serviceObjectiveto minimize the service compromised probability of the target networkSubject to(1) budget constrain for both the defender and attackers(2) the minimum QoS requirement for legitimate usersTo determinethe effective defense strategies to allocate resources
Box 2 Problem description
078
079
08
081
082
083
084
1000 2000 3000 4000 5000 6000 7000 8000 9000 10000
Serv
ice c
ompr
omise
d pr
obab
ility
Evaluation times
m = 01
m = 03
m = 05
m contest intensity
Figure 3 A possible result of an attack and defense scenario
defense mechanism is activated automatically Consequentlythe defense level increases for the attacked node the VMMand the rest of this virtualized group If attackers see that thenode is under a virtualized environment they may continueto compromise the VMM
When a core node is compromised the defender mustevaluate whether the performance level still fulfills theminimum QoS requirement and update the degree of riskregarding each core node If an attacker targets multipleservices once they compromise a false target honeypot andare deceived by it they will change their target to the nextservice Finally if attackers exhaust their budget the attackis terminated and the defender wins the battle One possibleresult is shown in Figure 3 A structural description of theproblem is presented in Box 2
22 Mathematical Formulation The scenario discussed pre-viously is modeled as a minimization problem given theparameters and decision variables shown in Tables 1 and2 respectively Furthermore since the high amount ofrandomness involved renders the nature of this problemnondeterministic it is quite difficult to formulate this prob-lem purely through mathematics To explain the nondeter-ministic nature the following example is used considering
two adversaries with the same attack strategy since theproblem is nondeterministic the consequences can be totallydifferent One may be distracted by a honeypot and the othermay successfully achieve the goal This feature dramaticallyexpands the width in survivability studies Further the sce-nario considered in this work gives the defender the averagesurvivability analysis of a network
There are three major reasons that an average surviv-ability analysis is more meaningful for the defender Firstin the real world there are only few adversaries holdingldquocompleterdquo information regarding the target network Thiskind of ldquoworst caserdquo rarely happen Secondly analyzing theworst case though gives a defender the lower bound of net-work survivability Nevertheless it overestimates the budgetrequired for defending a network An average survivabilityanalysis makes conclusions closer to reality Last but not theleast in average case analysis if the defenderwants to evaluatethe survivability when facing a stronger adversary it canbe achieved by simply tuning the parameter Average caseanalysis is flexible and adjustable according to the demandof a defender
Thus to well describe the problem some verbal notationsand constraints are included which are shown in Table 3
Objective function
min997888119863119894
sum119894isin119878
[120572119894times sum119865119894
119895=1119879119894119895
(997888119863119894997888997888119860119894119895)]
sum119894isin119878
(120572119894times 119865119894)
(IP 1)
subject tomathematical constraints
997888119863119894isin 119864 forall119894 isin 119878 (IP 11)
997888997888119860119894119895
isin 119885 forall119894 isin 119878 1 le 119895 le 119865119894 (IP 12)
119902119894119895
ge 0 forall119894 119895 isin 119873 (IP 13)
119909119894+ 119910119895
ge 1 forall119894 119895 isin 119867 (IP 14)
119888119894ge 120582 forall119894 isin 119885 (IP 15)
119861NL + 119861proactive + 119861reactive le 119861 (IP 16)
119861virtualized + 119861honeypot + 119861reconfig le 119861reactive (IP 17)
Journal of Applied Mathematics 7
119908 times 119890 + 119900 times 119862 +
sum119894isin119873
sum119895isin119873
119892 (119902119894119895)
2le 119861NL (IP 18)
sum
119894isin119873
119899119894le 119861proactive (IP 19)
sum
119894isin119872
V (119897119894) + 119901 times sum
119894isin119872
119897119894times 119896119894le 119861virtualized (IP 110)
sum
119894isin119875
119909119894times ℎ (120575
119894 120576119894) + sum
119895isin119876
119910119895
times 119891 (120575119895 120579119895)
+ sum
119894isin119873
sum
119895isin119873
119909119894times 119910119895
times 119905 (120575119894 120576119894 120579119895) le 119861honeypot
(IP 111)
sum
119894isin119873
119911119894times 119903 le 119861reconfig (IP 112)
119908 times 119890 ge 0 (IP 113)
119892 (119902119894119895) ge 0 forall119894 119895 isin 119873 (IP 114)
119899119894ge 0 forall119894 isin 119873 (IP 115)
V (119897119894) ge 0 forall119894 isin 119872 (IP 116)
ℎ (120575119894 120576119894) ge 0 forall119894 isin 119875 (IP 117)
119891 (120575119895 120579119895) ge 0 forall119895 isin 119876 (IP 118)
119905 (120575119894 120576119894 120579119895) ge 0 forall119894 isin 119873 (IP 119)
119909119894= 0 or 1 forall119894 isin 119873 (IP 120)
119910119894= 0 or 1 forall119894 isin 119873 (IP 121)
119911119894= 0 or 1 forall119894 isin 119873 (IP 122)
verbal constraints
int119884
119910=1[119882 (119866core119894 119880link119895 119870effect 119868effect 119869effect 119874tocore)] 119889119910
119884
ge 119882threshold where 119894 isin 119862 119895 isin 119871
(IP 123)
119882final ge 119882threshold (IP 124)
For each core node when
120573 (120588defense 120591hops 120596degree 119904priority119894
) ge 120573threshold
where 119894 isin 119878
(IP 125)
the defender can activate the reactive defense mechanismsThe goal of the objective function is to minimize the
compromised service probability which is modeled as theweighted total of successful attacks divided by the totalweighted number of attacks The result of an attack is deter-mined by 119879
119894119895(997888119863119894997888997888119860119894119895) For each service the defender con-
structs a defense configuration including defense resource
allocation anddefending strategies to oppose attackers target-ing the service with different attack configurations includingattacker attributes strategies and transition rules Not onlymalicious attacks but also QoS issues are taken into consider-ation
Equation (IP 11) stands for the feasibility of the defenseconfiguration of each service For the attacking side (IP 12)
denotes that the attack configuration should be feasibleEquation (IP 16) denotes that the summation of defenseresources spent should not exceed total budget 119861 Equations(IP 17)sim(IP 119) jointly restrain the budget of each type ofdefense resource individually Equations (IP 120)sim(IP 122)
impose binary restrictions on decision variables Finally(IP 123)sim(IP 125) jointly represent that the performancereduction caused by either malicious attacks or activatingreactive defense mechanisms should not violate the QoSrequirement
3 Numerical Analysis
In this paper a scale-free network is constructed for evalua-tion since this structure is similar to real-world forms suchas the Internet The implementation algorithm is referencedfrom [24]
31 Simulation Environment Table 4 presents the systemexperiment parameters Defender-related parameters areillustrated in Table 5 The unit of budget is dollar Forattackers the parameters are shown in Table 6
The value of each attackerrsquos budget capability and aggres-siveness is governed by a normal distribution with differentlower and upper bounds
32 Numerical Result As mentioned previously the ContestSuccess Function is applied for quantifying vulnerabilityThevalue of contest intensity is classified into two groups scoresgreater than 1 and scores smaller than 1
321 Convergence The first issue to address before con-structing meaningful simulations is convergence In thispaper the convergence of data is considered as numericalstability While the magnitude of data vibrations is withinthe acceptable interval for example 02 the correspondingnumber of simulation times (119872) is set as the number ofevaluations for each attack and defense scenario
For rigorousness in convergence experiments the effectof contest intensity is jointly consideredThree different mag-nitudes are simulated on a 49 node scale-free network Forthe following experiments in this subsection the horizontalaxis represents the evaluation of the number of attacks andthe vertical axis stands for the network system compromisedprobability which is the objective function of the proposedmathematical model
Figures 4 and 5 show the result of 10000 simulations withdifferent contest intensity Here it is clear that the value ofservice compromised probability is unstable In Figures 6 and7 the vibration becomes alleviative but is still not convergentWhen the number of simulations is raised to 100000 as
8 Journal of Applied Mathematics
078
079
08
081
082
083
084
1000 2000 3000 4000 5000 6000 7000 8000 9000 10000
Evaluation times
Serv
ice c
ompr
omise
d pr
obab
ility
m = 15
m = 17
m = 19
m contest intensity
Figure 4 Convergence test on 119898 lt 1 group for 10000 simulations
075076077078079
08081082083084
1000
4000
7000
1000
013
000
1600
019
000
2200
025
000
2800
031
000
3400
037
000
4000
043
000
4600
049
000
Evaluation times
Serv
ice c
ompr
omise
d pr
obab
ility
m = 01
m = 03
m = 05
m contest intensity
Figure 5 Convergence test on 119898 gt 1 group for 10000 simulations
shown in Figures 8 and 9 there is a stable trend after 60000among all different values of contest intensity
From Figures 4 to 9 it is clear that the 60000 simulationsare a large enough number to give converging results amongall values of contest intensityTherefore 119872 is set to be 60000
322 Analysis of Key Factors Influencing Service CompromisedProbability Contest intensity has great influence on thenature of network attack and defense However as shown inFigure 10 there is no consistent tendency between contestintensity and service compromised probability The sameconclusions also appear in [8ndash10]
If the effects of contest intensity and attackerrsquos aggressive-ness are jointly considered there are some meaningful andexplainable results
In Figure 11 three value intervals of aggressivenessincluding 01 to 09 (average) 01 to 05 (less aggressive) and05 to 09 (aggressive) are simulated among different values ofcontest intensity It is clear that when both the effect of contestintensity and an attackrsquos aggressiveness are considered thereare consistent trends For aggressive attackers it is more
078
079
08
081
082
083
084
1000
4000
7000
1000
013
000
1600
019
000
2200
025
000
2800
031
000
3400
037
000
4000
043
000
4600
049
000
Evaluation times
Serv
ice c
ompr
omise
d pr
obab
ility
m = 15
m = 17
m = 19
m contest intensity
Figure 6 Convergence test on 119898 lt 1 group for 50000 simulations
075076077078079
08081082
1000
6000
1100
016
000
2100
026
000
3100
036
000
4100
046
000
5100
056
000
6100
066
000
7100
076
000
8100
086
000
9100
096
000
Evaluation times
Serv
ice c
ompr
omise
d pr
obab
ility
m = 01
m = 03
m = 05
m contest intensity
Figure 7 Convergence test on 119898 gt 1 group for 50000 simulations
advantageous to have higher values of contest intensityAlternatively less aggressive attackers have leverage whenthe value of contest intensity is small However for averageattacks there is no clear tendency
The value of contest intensity is separated into high-valueand low-value groups Here Figure 12 illustrates the variationof service compromised probability in low-level contestintensity groups when facing less aggressive attackers Whilein Figure 12 the objective function value presents a lineardecreasing form Figure 13 demonstrates an exponentiallydecreasing from
Figures 14 and 15 also present a similar phenomenonwhen facing aggressive attackers the variation of servicecompromised probability shows an exponentially increasingtrend for contest intensity belonging to the low-level groupFor the high-level group the tendency is more linear
According to the previous results the key factors influ-encing service compromised probability include contestintensity and attack aggressivenessThese results are summa-rized in Figure 16
Journal of Applied Mathematics 9
075076077078079
08081082083
1000
6000
1100
016
000
2100
026
000
3100
036
000
4100
046
000
5100
056
000
6100
066
000
7100
076
000
8100
086
000
9100
096
000
Evaluation times
Serv
ice c
ompr
omise
d pr
obab
ility
m = 15
m = 17
m = 19
m contest intensity
Figure 8 Convergence test on119898 lt 1 group for 100000 simulations
076
077
078
079
08
081
082
Serv
ice c
ompr
omise
d pr
obab
ility
m = 15
m = 17
m = 19
m = 01
m = 03
m = 05
Aggressiveness = 01sim09
m contest intensity
Figure 9 Convergence test on 119898 gt 1 group for 100000 simula-tions
4 Discussion of Results
Based on the simulation results some interesting and mean-ingful arguments are presented in this section
41 The Effectiveness of Resources Invested by the Defenderand Attackers Is Highly Dependent on the Nature of BattleThe objective function value shown in Figure 12 presents alinear decreasing form when the contest intensity belongsto a low-level group and the defender is dealing with lessaggressive attackers The reason is that the effectiveness ofresources invested by both players is insignificant Thus theservice compromised probability is less sensitive with contestintensity under ldquofight to win or dierdquo circumstances
Furthermore less aggressive attackers only invest fewresources into compromising a target With the same totalbudget they are capable of launching more attacks thanaggressive attackers Therefore the service compromisedprobability of less aggressive attackers is much higher thanmore aggressive attackers
00102030405
06
07
0809
1
Contest intensity m
Serv
ice c
ompr
omise
d pr
obab
ility
m = 15 m = 17 m = 19m = 01 m = 03 m = 05
Aggressiveness = 01sim09Aggressiveness = 05sim09Aggressiveness = 01sim05
Figure 10 Service compromised probability under different contestintensity
075076077078079
08081082083084085086087
m = 01
m = 03
m = 05
Aggressiveness = 01sim05
Serv
ice c
ompr
omise
d pr
obab
ility
m contest intensity
Figure 11 Effect of Aggressiveness among Different Contest Inten-sity
In the case of ldquowinner takes allrdquo Figure 13 illustrates anexponentially decreasing trend among service compromisedprobability this is because the effectiveness of resourcesinvested is significant to the result of a battle With a largervalue of contest intensity the vantage of a defender againstless aggressive attackers is more obvious
On the contrary for aggressive attackers there is anexponentially increasing tendency under ldquofight to win ordierdquo circumstances Since the contest intensity serves asthe exponent of the Contest Success Function when thevalue increases the effectiveness of resources invested growsexponentially This is further shown in Figure 14
Nevertheless the exponential tendency does not appearthrough all values of contest intensity For the ldquowinner takesallrdquo circumstance in Figure 15 the increasing rate of service
10 Journal of Applied Mathematics
063064065066067068069
07071072073074075
m = 15
m = 17
m = 19
Aggressiveness = 01sim05
Serv
ice c
ompr
omise
d pr
obab
ility
m contest intensity
Figure 12 Service compromised probability of less aggressive at-tacker under 119898 lt 1 circumstance
0
01
02
03
04
05
06
07
m = 01
m = 03
m = 05
Aggressiveness = 05sim09
Serv
ice c
ompr
omise
d pr
obab
ility
m contest intensity
Figure 13 Service compromised probability of less aggressive at-tacker under 119898 gt 1 circumstance
085
086
087
088
089
09
m = 15
m = 17
m = 19
Aggressiveness = 05sim09
Serv
ice c
ompr
omise
d pr
obab
ility
m contest intensity
Figure 14 Service compromised probability of aggressive attackerunder 119898 lt 1 circumstance
0
02
04
06
08
1
Prob
abili
ty
Contest intensity mm = 15 m = 17 m = 19
m = 01 m = 03 m = 05
Aggressiveness = 01sim05Aggressiveness = 05sim09
Figure 15 Service compromised probability of aggressive attackerunder 119898 gt 1 circumstance
0
02
04
06
08
1
Prob
abili
ty
Contest intensity mm = 15 m = 17 m = 19
m = 01 m = 03 m = 05
Aggressiveness = 01sim05Aggressiveness = 05sim09
Figure 16 Comparison of service compromised probability underdiverse contest intensity and aggressiveness
compromised probability slows down when contest intensitybecomes higherThis is because although aggressive attackersprefer to gain an edge by spending more attack resourcesto compromise a target each compromise costs significantresources Thus aggressive attackers run out of budget veryquickly and the increasing trend is not exponential
42 Proactive Defense Is Advantageous under ldquoWinner TakesAllrdquo Circumstance According to previous discussions theeffectiveness of resources invested is significant under ldquowin-ner takes allrdquo circumstances For less aggressive attackers theperformance is poor since they only invest few resources onan attack Aggressive attackers tend to spend a larger quantityto compromise a target If a defender raises the quantity ofdefense resources on important nodes it effectively weakensattackers
Consequently regardless of whether defenders face eitheraggressive or less aggressive attackers a proactive defenseperforms better in deterring attackers
43 Reactive Defense Is Advantageous under ldquoFight to Winor Dierdquo Circumstance Similarly under the ldquofight to win
Journal of Applied Mathematics 11
or dierdquo circumstance the effectiveness of defense resourcesis insignificant No matter how many proactive defenseresources are invested there is only limited influence onthe objective function value In other words less aggressiveattackers can compromise a target even by only investingscarce attack resources For aggressive attackers since theyprefer spending a large quantity of resources on compromis-ing a victim they easily run out of resources before a targetservice is compromised
Based on this analysis it is advantageous for the defenderto apply reactive defense mechanisms against maliciousattackers under ldquofight to win or dierdquo circumstance
5 Conclusions
This paper models an attack and defense scenario thatinvolves high amounts of randomness as mathematical for-mulations where attackers are assumed to have incompleteinformation It further considers a virtualization environ-ment for helping relate these results to recent trends in cloudcomputing
According to the simulation results the outcome of acontest is influenced not only by the quantity of defenseresources invested on each node but also by the contestintensity An attackerrsquos aggressiveness is introduced as a newdimension and meaningful results are discovered Effectivedefense strategies are proposed in the discussion of theresults
For future works collaborative attacks should be takeninto consideration since the attack strategy discussed in thispaper is for individual attacks In other words there is onlyone attack targeting a victimrsquos network at a time Thus nosynergy is considered A more complicated collaborativeattack pattern is worth further study
Acknowledgment
This work was supported by the National Science CouncilTaiwan (Grant nos NSC 102-2221-E-002-104 and NSC 101-2218-E-011-009)
References
[1] IBM Internet Security Systems X-Force research and devel-opment team ldquoIBM X-Force 2010 Mid-Year Trend and RiskReportrdquo IBM August 2010
[2] R J Ellison D A Fisher R C Linger H F Lipson T Longstaffand N R Mead ldquoSurvivable network systems an emergingdisciplinerdquo Tech Rep CMUSEI-97-TR-013 1997
[3] S Roy C Ellis S Shiva D Dasgupta V Shandilya and Q WuldquoA survey of game theory as applied to network securityrdquo inProceedings of the 43rd Annual Hawaii International Conferenceon System Sciences (HICSS rsquo10) January 2010
[4] M N Lima A L D Santos and G Pujolle ldquoA survey of sur-vivability in mobile Ad hoc Networksrdquo IEEE CommunicationsSurveys and Tutorials vol 11 no 1 pp 66ndash77 2009
[5] Z Ma ldquoTowards a unified definition for reliability survivabilityand resilience (I) the conceptual framework inspired by thehandicap principle and ecological stabilityrdquo in Proceedings of theIEEE Aerospace Conference pp 1ndash12 March 2010
[6] F Xing and W Wang ldquoOn the survivability of wireless adHOC networks with node misbehaviors and failuresrdquo IEEETransactions on Dependable and Secure Computing vol 7 no3 pp 284ndash299 2010
[7] S Skaperdas ldquoContest success functionsrdquo EconomicTheory vol7 no 2 pp 283ndash290 1996
[8] G Levitin and K Hausken ldquoFalse targets efficiency in defensestrategyrdquo European Journal of Operational Research vol 194 no1 pp 155ndash162 2009
[9] K Hausken and G Levitin ldquoProtection vs false targets in seriessystemsrdquo Reliability Engineering and System Safety vol 94 no5 pp 973ndash981 2009
[10] G Levitin and K Hausken ldquoPreventive strike vs false targetsand protection in defense strategyrdquo Reliability Engineering andSystem Safety vol 96 no 8 pp 912ndash924 2011
[11] J Hirshleifer ldquoConflict and rent-seeking success functions ratiovs difference models of relative successrdquo Public Choice vol 63no 2 pp 101ndash112 1989
[12] J Hirshleifer ldquoThe paradox of powerrdquo Economics and Politicsvol 3 pp 177ndash200 1993
[13] J Archer A Boehme D Cullinane P Kurtz N Puhlmannand J Reavis ldquoTop Threats to Cloud Computing V 10rdquo CloudSecurity Alliance March 2010
[14] H Debar F Pouget and M Dacier ldquoWhite paper lsquoHoney-pot Honeynet Honeytoken Terminological issuesrsquordquo InstitutEurecom Research Report RR-03-081 2003
[15] B Cheswick ldquoAn evening with berferd in which a cracker islured endured and studiedrdquo in Proceedings of the USENIXConference pp 163ndash174 USENIX 1992
[16] C Seifert I Welch and P Komisarczuk ldquoTaxonomy of honey-potsrdquo Tech Rep CS-TR-0612 2006
[17] M H y Lopez and C F L Resendez ldquoHoneypots basicconcepts classification and educational use as resources ininformation security education and coursesrdquo in Proceedings ofthe Informing Science and IT Education Conference 2008
[18] Y Huang D Arsenault and A Sood ldquoClosing cluster attackwindows through server redundancy and rotationsrdquo in Pro-ceedings of the 6th IEEE International Symposium on ClusterComputing and the Grid (CCGRID rsquo06) May 2006
[19] YHuang D Arsenault andA Sood ldquoIncorruptible self-cleans-ing intrusion tolerance and its application to DNS securityrdquoJournal of Networks vol 1 no 5 pp 21ndash30 2006
[20] M Smith C Schridde and B Freisleben ldquoSecuring stateful gridservers through virtual server rotationrdquo in Proceedings of the17th International Symposium on High Performance DistributedComputing (HPDC rsquo08) pp 11ndash22 June 2008
[21] F Y-S Lin Y-S Wang and P-H Tsang ldquoEfficient defensestrategies to minimize attackersrsquo success probabilities in hon-eynetrdquo in Proceedings of the 6th International Conference onInformation Assurance and Security (IAS rsquo10) pp 80ndash85 August2010
[22] F Y-S Lin Y-S Wang P-H Tsang and J-P Lo ldquoRedundancyand defense resource allocation algorithms to assure servicecontinuity against natural disasters and intelligent attacksrdquo inProceedings of the 5th International Conference on BroadbandWireless Computing Communication andApplications (BWCCArsquo10) pp 206ndash213 November 2010
[23] F Cohen ldquoManaging network security attack and defencestrategiesrdquo Network Security vol 1999 no 7 pp 7ndash11 1999
[24] S Nagaraja and R Anderson ldquoDynamic topologies for robustscale-free networksrdquo Bio-Inspired Computing and Communica-tion vol 5151 pp 411ndash426 2008
Submit your manuscripts athttpwwwhindawicom
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Mathematical Problems in Engineering
Hindawi Publishing Corporationhttpwwwhindawicom
Differential EquationsInternational Journal of
Volume 2014
Applied MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Probability and StatisticsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Mathematical PhysicsAdvances in
Complex AnalysisJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
OptimizationJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
CombinatoricsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Operations ResearchAdvances in
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Function Spaces
Abstract and Applied AnalysisHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of Mathematics and Mathematical Sciences
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Algebra
Discrete Dynamics in Nature and Society
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Decision SciencesAdvances in
Discrete MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom
Volume 2014 Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Stochastic AnalysisInternational Journal of
4 Journal of Applied Mathematics
2 Problem Formulation
21 Problem Description In order to improve system sur-vivability the defender deploys both proactive and reactivedefense resources to confront different attacks Proactivedefense resources are deployed before an attack is launchedIn this paper proactive resources include a firewall systemantivirus software detection techniques such as IntrusionDetection System (IDS) and Intrusion Protection System(IPS)
Alternatively reactive defense resources are activatedduring an attack as an immediate action for the defenderThe mechanisms considered in this paper can strengthendefenses provide deception and provide resource concentra-tion
For strengthening defenses since the scenario consideredin this paper is constructed in a virtualized environment anumber of Virtual Machines (VMs) are governed by a Vir-tual Machine Monitor (VMM) that controls all informationdetails for all VMs When an attack event is detected localdefense functions for each VMM are activated automaticallyto raise the defense capability of the virtualized nodes belong-ing to the same VMM However this mechanism does notalways create positive effects Once an attacker determinesthat the target network is a virtualized environment anddiscovers the existence of a VMM he can compromise theVMM through vulnerabilities in APIs [13] If the VMMis compromised all VMs belonging to this VMM are alsocompromised
Deceptionmechanisms are widely applied in defense andin this paper honeypots are considered to distract attackersAccording to [14ndash17] honeypots not only serve as a passivedecoy fooling attackers into believing they have achievedtheir goal and preemptively terminating the attack but alsoas an active lure that acts as a service-providing node toattract attackers The former is known as a false target andthe latter can be implemented by a fake core node thatspreads service-like traffic to attract attackers When facingdifferent attackers the deceiving probability of each honeypotis differentThis probability is jointly determined by attackersrsquocapability and the interaction level of a honeypot
As for resource concentration by modifying the con-cept of ldquorotationrdquo discussed in [18ndash20] and adapting it toour scenario the defender can adopt dynamic responsivestrategies to improve system survivability Hence whileunder an attack the defender can apply dynamic topologyreconfiguration to exchange the neighbor of one core nodewhich has the strongest defensive resources with a node thatis close to the attackerrsquos current location
However since dynamic topology reconfigurationrequires node rotation it negatively impacts QoS Thereforeunless the risk level of a core node exceeds a predefinedthreshold the defender will not activate this mechanismFurthermore false positive and false negative situations forevery defense mechanism are considered
In addition to the defense mechanisms described abovethe following attributes are also considered for creating arealistic attack-defense scenario
211 Goal Generally attackers target a network to eitherdisrupt services or to compromise servers and steal sensitiveinformation Therefore in this paper an attackerrsquos goal maybe service disruption or the theft of confidential informationService disruption is achieved by ensuring that the minimallevel of service quality is not fulfilled In the case of infor-mation theft attackers usually establish their target beforelaunching an attack and once core nodes with the desiredinformation are compromised the defenders lose
212 Budget Budget stands for the primary resources for anattack including money manpower computing effort timeand other important factors Without sacrificing generalityan attackersrsquo budget follows a general distribution Whendetermining the result of a compromising event for exampleone attacker invests a certain amount of attack resources oncompromising the target node and the CSF is applied todecide the compromised probability In contrast with [21] and[22] if an attacker invests more resources than the defenderon a given target node it is not guaranteed that the attackerwins it only raises the compromised probability
213 Capability This criterion depicts an attackersrsquo profi-ciency and is also described by a general distribution Forhighly proficient attackers there is a high probability thatthey will see through reactive defense mechanisms such ashoneypots
214 Attack Type In general a malicious attacker launchesan attack from one of the boundary nodes which is com-monly considered an external attack In contrast otherattacks can be launched by malicious insiders and causemore severe consequences [13] Malicious insiders are ableto choose an internal node as their starting position forcompromising the network
In the real world external attackers may apply socialengineering to escalate their access privileges This mecha-nism allows the attacker to bypass some proactive defensefacilitates like a firewall As a result attackers have an edgeon compromising the network
In order to best mimic real-world conditions all attacktypes discussed above are considered in this paper
215 Aggressiveness This metric describes the preferredcompromised probability of an attacker when attacking atarget node This attribute is highly dependent on budgetsince the compromised probability is the left-hand side of theCSF In other words the attack resources required for com-promising a target node are calculated by the given defenseresources contest intensity (119898) and attackerrsquos aggressivenessHighly aggressive attackers prefer a high success probabilityand like to spend a larger amount of resources to compromisethe target node than less aggressive attackers An attackerrsquosaggressiveness is determined by a general distribution
216 NextHop SelectionCriterion In this paper the attackersare assumed to have incomplete information and imperfectknowledge Since they can only gather local information
Journal of Applied Mathematics 5
(1) Attackers only have incomplete information(2) The defender only has incomplete information regarding the network since there are unaware vulnerabilities(3) A service is provided by multiple core nodes(4) Each service has different weights(5) One virtual machine only provides one service(6) Only malicious nodal attacks are considered(7) The compromise probability of a target node is determined by the Contest Success Function (CSF)
Box 1 Problem assumptions
such as the defense level of one hop neighbors link trafficor link utilization attackers must use available informationwisely to choose a proper strategy to select the next victimInspired by the seminal work of [23] possible attack strategiesmay be developed based on the quantity of proactive defenseresources link utilization or a portion of the target servicetraffic of each candidate node Additionally this paper alsoconsiders a more irrational strategy of a blind attack
By applying general distributions to describe attacker-related attributes the total number of attacker categories isnearly infinite This feature increases the generalizability ofour model The detailed assumptions are described in Box 1
To describe the attack procedures in more detail wedevelop the following idea to explain the interaction betweenthe defender and attackers The following figures are drawnfrom the attackerrsquos view for clarity In other words all figuresare a logical topology that has been already virtualizedsince one physical machine may represent many VMs Theexplanations of components are listed in Figure 1
First the defender deploys proactive defense resource oneach node and the attacker starts to compromise the networkfrom the edge nodes (119878) Before launching an attack theattacker probes all the candidate nodes to gather sufficientinformation and determine the next hop selection criterionfor this compromise event By applying the next hop selectioncriterion the victim is chosen The result of this compromiseevent is determined by the CSF If the target is compromisedit becomes a spring board for attackers to assault otheruncompromised neighbors Corresponding information isshown in Figure 2 The topology demonstrated in Figures 2and 3 for presentation purposes the topology structureimplemented in the simulations is a scale-free network
The risk level of each core node is evaluated by minimumdefense resources the number of hops the link degree andservice priority Minimum defense resource stands for theshortest path from compromised nodes to one core nodedivided by total defense resources The number of hops isdetermined by the minimum number of hops from com-promised nodes to one core node divided by the maximumnumber of hops from the attackersrsquo starting point to one corenode Link degree is the linking number of each core nodedivided by the maximum linking number in the topologyService priority is the weight of the service that is providedby the target core node divided by the highest weight ofservice in the topology If any of the core nodes is in dangerthe defender can activate defense mechanisms such as afake traffic generator and a dynamic topology reconfigurationunder QoS limitations
S
Reconfiguration
Reconfiguration
Reconfiguration
VM
Reconfiguration
VM
Figure 1 Explanations of Components
Reconfiguration
VMReconfiguration iiiiiiionnoooooooooonnnooooonnn
S
Reconfiguration
Reconfiguration
VM
Figure 2 Sample network and resource allocation scheme
When the defender activates a dynamic topology recon-figuration only nodes implemented with the reconfigurationfunction are considered First the defender chooses theleast proactively defended neighbor with the reconfigurationfunction of a risky core node The defender then selectsanother node that is both not a neighbor of the core nodeand the most proactively defended nearby the node selectedfrom the previous step If there is a fake traffic generatinghoneypot the defender is also able to activate the mechanismfor influencing an attackerrsquos next hop selecting criterion
In the event that attackers attack the virtualized nodesand this malicious event is detected by the defender the local
6 Journal of Applied Mathematics
Given(1) all possible defense configurations set including defense resource allocation and defending strategies(2) all possible attack configurations set including attacker attributes strategies and selection criterion(3) the total attack times on each serviceObjectiveto minimize the service compromised probability of the target networkSubject to(1) budget constrain for both the defender and attackers(2) the minimum QoS requirement for legitimate usersTo determinethe effective defense strategies to allocate resources
Box 2 Problem description
078
079
08
081
082
083
084
1000 2000 3000 4000 5000 6000 7000 8000 9000 10000
Serv
ice c
ompr
omise
d pr
obab
ility
Evaluation times
m = 01
m = 03
m = 05
m contest intensity
Figure 3 A possible result of an attack and defense scenario
defense mechanism is activated automatically Consequentlythe defense level increases for the attacked node the VMMand the rest of this virtualized group If attackers see that thenode is under a virtualized environment they may continueto compromise the VMM
When a core node is compromised the defender mustevaluate whether the performance level still fulfills theminimum QoS requirement and update the degree of riskregarding each core node If an attacker targets multipleservices once they compromise a false target honeypot andare deceived by it they will change their target to the nextservice Finally if attackers exhaust their budget the attackis terminated and the defender wins the battle One possibleresult is shown in Figure 3 A structural description of theproblem is presented in Box 2
22 Mathematical Formulation The scenario discussed pre-viously is modeled as a minimization problem given theparameters and decision variables shown in Tables 1 and2 respectively Furthermore since the high amount ofrandomness involved renders the nature of this problemnondeterministic it is quite difficult to formulate this prob-lem purely through mathematics To explain the nondeter-ministic nature the following example is used considering
two adversaries with the same attack strategy since theproblem is nondeterministic the consequences can be totallydifferent One may be distracted by a honeypot and the othermay successfully achieve the goal This feature dramaticallyexpands the width in survivability studies Further the sce-nario considered in this work gives the defender the averagesurvivability analysis of a network
There are three major reasons that an average surviv-ability analysis is more meaningful for the defender Firstin the real world there are only few adversaries holdingldquocompleterdquo information regarding the target network Thiskind of ldquoworst caserdquo rarely happen Secondly analyzing theworst case though gives a defender the lower bound of net-work survivability Nevertheless it overestimates the budgetrequired for defending a network An average survivabilityanalysis makes conclusions closer to reality Last but not theleast in average case analysis if the defenderwants to evaluatethe survivability when facing a stronger adversary it canbe achieved by simply tuning the parameter Average caseanalysis is flexible and adjustable according to the demandof a defender
Thus to well describe the problem some verbal notationsand constraints are included which are shown in Table 3
Objective function
min997888119863119894
sum119894isin119878
[120572119894times sum119865119894
119895=1119879119894119895
(997888119863119894997888997888119860119894119895)]
sum119894isin119878
(120572119894times 119865119894)
(IP 1)
subject tomathematical constraints
997888119863119894isin 119864 forall119894 isin 119878 (IP 11)
997888997888119860119894119895
isin 119885 forall119894 isin 119878 1 le 119895 le 119865119894 (IP 12)
119902119894119895
ge 0 forall119894 119895 isin 119873 (IP 13)
119909119894+ 119910119895
ge 1 forall119894 119895 isin 119867 (IP 14)
119888119894ge 120582 forall119894 isin 119885 (IP 15)
119861NL + 119861proactive + 119861reactive le 119861 (IP 16)
119861virtualized + 119861honeypot + 119861reconfig le 119861reactive (IP 17)
Journal of Applied Mathematics 7
119908 times 119890 + 119900 times 119862 +
sum119894isin119873
sum119895isin119873
119892 (119902119894119895)
2le 119861NL (IP 18)
sum
119894isin119873
119899119894le 119861proactive (IP 19)
sum
119894isin119872
V (119897119894) + 119901 times sum
119894isin119872
119897119894times 119896119894le 119861virtualized (IP 110)
sum
119894isin119875
119909119894times ℎ (120575
119894 120576119894) + sum
119895isin119876
119910119895
times 119891 (120575119895 120579119895)
+ sum
119894isin119873
sum
119895isin119873
119909119894times 119910119895
times 119905 (120575119894 120576119894 120579119895) le 119861honeypot
(IP 111)
sum
119894isin119873
119911119894times 119903 le 119861reconfig (IP 112)
119908 times 119890 ge 0 (IP 113)
119892 (119902119894119895) ge 0 forall119894 119895 isin 119873 (IP 114)
119899119894ge 0 forall119894 isin 119873 (IP 115)
V (119897119894) ge 0 forall119894 isin 119872 (IP 116)
ℎ (120575119894 120576119894) ge 0 forall119894 isin 119875 (IP 117)
119891 (120575119895 120579119895) ge 0 forall119895 isin 119876 (IP 118)
119905 (120575119894 120576119894 120579119895) ge 0 forall119894 isin 119873 (IP 119)
119909119894= 0 or 1 forall119894 isin 119873 (IP 120)
119910119894= 0 or 1 forall119894 isin 119873 (IP 121)
119911119894= 0 or 1 forall119894 isin 119873 (IP 122)
verbal constraints
int119884
119910=1[119882 (119866core119894 119880link119895 119870effect 119868effect 119869effect 119874tocore)] 119889119910
119884
ge 119882threshold where 119894 isin 119862 119895 isin 119871
(IP 123)
119882final ge 119882threshold (IP 124)
For each core node when
120573 (120588defense 120591hops 120596degree 119904priority119894
) ge 120573threshold
where 119894 isin 119878
(IP 125)
the defender can activate the reactive defense mechanismsThe goal of the objective function is to minimize the
compromised service probability which is modeled as theweighted total of successful attacks divided by the totalweighted number of attacks The result of an attack is deter-mined by 119879
119894119895(997888119863119894997888997888119860119894119895) For each service the defender con-
structs a defense configuration including defense resource
allocation anddefending strategies to oppose attackers target-ing the service with different attack configurations includingattacker attributes strategies and transition rules Not onlymalicious attacks but also QoS issues are taken into consider-ation
Equation (IP 11) stands for the feasibility of the defenseconfiguration of each service For the attacking side (IP 12)
denotes that the attack configuration should be feasibleEquation (IP 16) denotes that the summation of defenseresources spent should not exceed total budget 119861 Equations(IP 17)sim(IP 119) jointly restrain the budget of each type ofdefense resource individually Equations (IP 120)sim(IP 122)
impose binary restrictions on decision variables Finally(IP 123)sim(IP 125) jointly represent that the performancereduction caused by either malicious attacks or activatingreactive defense mechanisms should not violate the QoSrequirement
3 Numerical Analysis
In this paper a scale-free network is constructed for evalua-tion since this structure is similar to real-world forms suchas the Internet The implementation algorithm is referencedfrom [24]
31 Simulation Environment Table 4 presents the systemexperiment parameters Defender-related parameters areillustrated in Table 5 The unit of budget is dollar Forattackers the parameters are shown in Table 6
The value of each attackerrsquos budget capability and aggres-siveness is governed by a normal distribution with differentlower and upper bounds
32 Numerical Result As mentioned previously the ContestSuccess Function is applied for quantifying vulnerabilityThevalue of contest intensity is classified into two groups scoresgreater than 1 and scores smaller than 1
321 Convergence The first issue to address before con-structing meaningful simulations is convergence In thispaper the convergence of data is considered as numericalstability While the magnitude of data vibrations is withinthe acceptable interval for example 02 the correspondingnumber of simulation times (119872) is set as the number ofevaluations for each attack and defense scenario
For rigorousness in convergence experiments the effectof contest intensity is jointly consideredThree different mag-nitudes are simulated on a 49 node scale-free network Forthe following experiments in this subsection the horizontalaxis represents the evaluation of the number of attacks andthe vertical axis stands for the network system compromisedprobability which is the objective function of the proposedmathematical model
Figures 4 and 5 show the result of 10000 simulations withdifferent contest intensity Here it is clear that the value ofservice compromised probability is unstable In Figures 6 and7 the vibration becomes alleviative but is still not convergentWhen the number of simulations is raised to 100000 as
8 Journal of Applied Mathematics
078
079
08
081
082
083
084
1000 2000 3000 4000 5000 6000 7000 8000 9000 10000
Evaluation times
Serv
ice c
ompr
omise
d pr
obab
ility
m = 15
m = 17
m = 19
m contest intensity
Figure 4 Convergence test on 119898 lt 1 group for 10000 simulations
075076077078079
08081082083084
1000
4000
7000
1000
013
000
1600
019
000
2200
025
000
2800
031
000
3400
037
000
4000
043
000
4600
049
000
Evaluation times
Serv
ice c
ompr
omise
d pr
obab
ility
m = 01
m = 03
m = 05
m contest intensity
Figure 5 Convergence test on 119898 gt 1 group for 10000 simulations
shown in Figures 8 and 9 there is a stable trend after 60000among all different values of contest intensity
From Figures 4 to 9 it is clear that the 60000 simulationsare a large enough number to give converging results amongall values of contest intensityTherefore 119872 is set to be 60000
322 Analysis of Key Factors Influencing Service CompromisedProbability Contest intensity has great influence on thenature of network attack and defense However as shown inFigure 10 there is no consistent tendency between contestintensity and service compromised probability The sameconclusions also appear in [8ndash10]
If the effects of contest intensity and attackerrsquos aggressive-ness are jointly considered there are some meaningful andexplainable results
In Figure 11 three value intervals of aggressivenessincluding 01 to 09 (average) 01 to 05 (less aggressive) and05 to 09 (aggressive) are simulated among different values ofcontest intensity It is clear that when both the effect of contestintensity and an attackrsquos aggressiveness are considered thereare consistent trends For aggressive attackers it is more
078
079
08
081
082
083
084
1000
4000
7000
1000
013
000
1600
019
000
2200
025
000
2800
031
000
3400
037
000
4000
043
000
4600
049
000
Evaluation times
Serv
ice c
ompr
omise
d pr
obab
ility
m = 15
m = 17
m = 19
m contest intensity
Figure 6 Convergence test on 119898 lt 1 group for 50000 simulations
075076077078079
08081082
1000
6000
1100
016
000
2100
026
000
3100
036
000
4100
046
000
5100
056
000
6100
066
000
7100
076
000
8100
086
000
9100
096
000
Evaluation times
Serv
ice c
ompr
omise
d pr
obab
ility
m = 01
m = 03
m = 05
m contest intensity
Figure 7 Convergence test on 119898 gt 1 group for 50000 simulations
advantageous to have higher values of contest intensityAlternatively less aggressive attackers have leverage whenthe value of contest intensity is small However for averageattacks there is no clear tendency
The value of contest intensity is separated into high-valueand low-value groups Here Figure 12 illustrates the variationof service compromised probability in low-level contestintensity groups when facing less aggressive attackers Whilein Figure 12 the objective function value presents a lineardecreasing form Figure 13 demonstrates an exponentiallydecreasing from
Figures 14 and 15 also present a similar phenomenonwhen facing aggressive attackers the variation of servicecompromised probability shows an exponentially increasingtrend for contest intensity belonging to the low-level groupFor the high-level group the tendency is more linear
According to the previous results the key factors influ-encing service compromised probability include contestintensity and attack aggressivenessThese results are summa-rized in Figure 16
Journal of Applied Mathematics 9
075076077078079
08081082083
1000
6000
1100
016
000
2100
026
000
3100
036
000
4100
046
000
5100
056
000
6100
066
000
7100
076
000
8100
086
000
9100
096
000
Evaluation times
Serv
ice c
ompr
omise
d pr
obab
ility
m = 15
m = 17
m = 19
m contest intensity
Figure 8 Convergence test on119898 lt 1 group for 100000 simulations
076
077
078
079
08
081
082
Serv
ice c
ompr
omise
d pr
obab
ility
m = 15
m = 17
m = 19
m = 01
m = 03
m = 05
Aggressiveness = 01sim09
m contest intensity
Figure 9 Convergence test on 119898 gt 1 group for 100000 simula-tions
4 Discussion of Results
Based on the simulation results some interesting and mean-ingful arguments are presented in this section
41 The Effectiveness of Resources Invested by the Defenderand Attackers Is Highly Dependent on the Nature of BattleThe objective function value shown in Figure 12 presents alinear decreasing form when the contest intensity belongsto a low-level group and the defender is dealing with lessaggressive attackers The reason is that the effectiveness ofresources invested by both players is insignificant Thus theservice compromised probability is less sensitive with contestintensity under ldquofight to win or dierdquo circumstances
Furthermore less aggressive attackers only invest fewresources into compromising a target With the same totalbudget they are capable of launching more attacks thanaggressive attackers Therefore the service compromisedprobability of less aggressive attackers is much higher thanmore aggressive attackers
00102030405
06
07
0809
1
Contest intensity m
Serv
ice c
ompr
omise
d pr
obab
ility
m = 15 m = 17 m = 19m = 01 m = 03 m = 05
Aggressiveness = 01sim09Aggressiveness = 05sim09Aggressiveness = 01sim05
Figure 10 Service compromised probability under different contestintensity
075076077078079
08081082083084085086087
m = 01
m = 03
m = 05
Aggressiveness = 01sim05
Serv
ice c
ompr
omise
d pr
obab
ility
m contest intensity
Figure 11 Effect of Aggressiveness among Different Contest Inten-sity
In the case of ldquowinner takes allrdquo Figure 13 illustrates anexponentially decreasing trend among service compromisedprobability this is because the effectiveness of resourcesinvested is significant to the result of a battle With a largervalue of contest intensity the vantage of a defender againstless aggressive attackers is more obvious
On the contrary for aggressive attackers there is anexponentially increasing tendency under ldquofight to win ordierdquo circumstances Since the contest intensity serves asthe exponent of the Contest Success Function when thevalue increases the effectiveness of resources invested growsexponentially This is further shown in Figure 14
Nevertheless the exponential tendency does not appearthrough all values of contest intensity For the ldquowinner takesallrdquo circumstance in Figure 15 the increasing rate of service
10 Journal of Applied Mathematics
063064065066067068069
07071072073074075
m = 15
m = 17
m = 19
Aggressiveness = 01sim05
Serv
ice c
ompr
omise
d pr
obab
ility
m contest intensity
Figure 12 Service compromised probability of less aggressive at-tacker under 119898 lt 1 circumstance
0
01
02
03
04
05
06
07
m = 01
m = 03
m = 05
Aggressiveness = 05sim09
Serv
ice c
ompr
omise
d pr
obab
ility
m contest intensity
Figure 13 Service compromised probability of less aggressive at-tacker under 119898 gt 1 circumstance
085
086
087
088
089
09
m = 15
m = 17
m = 19
Aggressiveness = 05sim09
Serv
ice c
ompr
omise
d pr
obab
ility
m contest intensity
Figure 14 Service compromised probability of aggressive attackerunder 119898 lt 1 circumstance
0
02
04
06
08
1
Prob
abili
ty
Contest intensity mm = 15 m = 17 m = 19
m = 01 m = 03 m = 05
Aggressiveness = 01sim05Aggressiveness = 05sim09
Figure 15 Service compromised probability of aggressive attackerunder 119898 gt 1 circumstance
0
02
04
06
08
1
Prob
abili
ty
Contest intensity mm = 15 m = 17 m = 19
m = 01 m = 03 m = 05
Aggressiveness = 01sim05Aggressiveness = 05sim09
Figure 16 Comparison of service compromised probability underdiverse contest intensity and aggressiveness
compromised probability slows down when contest intensitybecomes higherThis is because although aggressive attackersprefer to gain an edge by spending more attack resourcesto compromise a target each compromise costs significantresources Thus aggressive attackers run out of budget veryquickly and the increasing trend is not exponential
42 Proactive Defense Is Advantageous under ldquoWinner TakesAllrdquo Circumstance According to previous discussions theeffectiveness of resources invested is significant under ldquowin-ner takes allrdquo circumstances For less aggressive attackers theperformance is poor since they only invest few resources onan attack Aggressive attackers tend to spend a larger quantityto compromise a target If a defender raises the quantity ofdefense resources on important nodes it effectively weakensattackers
Consequently regardless of whether defenders face eitheraggressive or less aggressive attackers a proactive defenseperforms better in deterring attackers
43 Reactive Defense Is Advantageous under ldquoFight to Winor Dierdquo Circumstance Similarly under the ldquofight to win
Journal of Applied Mathematics 11
or dierdquo circumstance the effectiveness of defense resourcesis insignificant No matter how many proactive defenseresources are invested there is only limited influence onthe objective function value In other words less aggressiveattackers can compromise a target even by only investingscarce attack resources For aggressive attackers since theyprefer spending a large quantity of resources on compromis-ing a victim they easily run out of resources before a targetservice is compromised
Based on this analysis it is advantageous for the defenderto apply reactive defense mechanisms against maliciousattackers under ldquofight to win or dierdquo circumstance
5 Conclusions
This paper models an attack and defense scenario thatinvolves high amounts of randomness as mathematical for-mulations where attackers are assumed to have incompleteinformation It further considers a virtualization environ-ment for helping relate these results to recent trends in cloudcomputing
According to the simulation results the outcome of acontest is influenced not only by the quantity of defenseresources invested on each node but also by the contestintensity An attackerrsquos aggressiveness is introduced as a newdimension and meaningful results are discovered Effectivedefense strategies are proposed in the discussion of theresults
For future works collaborative attacks should be takeninto consideration since the attack strategy discussed in thispaper is for individual attacks In other words there is onlyone attack targeting a victimrsquos network at a time Thus nosynergy is considered A more complicated collaborativeattack pattern is worth further study
Acknowledgment
This work was supported by the National Science CouncilTaiwan (Grant nos NSC 102-2221-E-002-104 and NSC 101-2218-E-011-009)
References
[1] IBM Internet Security Systems X-Force research and devel-opment team ldquoIBM X-Force 2010 Mid-Year Trend and RiskReportrdquo IBM August 2010
[2] R J Ellison D A Fisher R C Linger H F Lipson T Longstaffand N R Mead ldquoSurvivable network systems an emergingdisciplinerdquo Tech Rep CMUSEI-97-TR-013 1997
[3] S Roy C Ellis S Shiva D Dasgupta V Shandilya and Q WuldquoA survey of game theory as applied to network securityrdquo inProceedings of the 43rd Annual Hawaii International Conferenceon System Sciences (HICSS rsquo10) January 2010
[4] M N Lima A L D Santos and G Pujolle ldquoA survey of sur-vivability in mobile Ad hoc Networksrdquo IEEE CommunicationsSurveys and Tutorials vol 11 no 1 pp 66ndash77 2009
[5] Z Ma ldquoTowards a unified definition for reliability survivabilityand resilience (I) the conceptual framework inspired by thehandicap principle and ecological stabilityrdquo in Proceedings of theIEEE Aerospace Conference pp 1ndash12 March 2010
[6] F Xing and W Wang ldquoOn the survivability of wireless adHOC networks with node misbehaviors and failuresrdquo IEEETransactions on Dependable and Secure Computing vol 7 no3 pp 284ndash299 2010
[7] S Skaperdas ldquoContest success functionsrdquo EconomicTheory vol7 no 2 pp 283ndash290 1996
[8] G Levitin and K Hausken ldquoFalse targets efficiency in defensestrategyrdquo European Journal of Operational Research vol 194 no1 pp 155ndash162 2009
[9] K Hausken and G Levitin ldquoProtection vs false targets in seriessystemsrdquo Reliability Engineering and System Safety vol 94 no5 pp 973ndash981 2009
[10] G Levitin and K Hausken ldquoPreventive strike vs false targetsand protection in defense strategyrdquo Reliability Engineering andSystem Safety vol 96 no 8 pp 912ndash924 2011
[11] J Hirshleifer ldquoConflict and rent-seeking success functions ratiovs difference models of relative successrdquo Public Choice vol 63no 2 pp 101ndash112 1989
[12] J Hirshleifer ldquoThe paradox of powerrdquo Economics and Politicsvol 3 pp 177ndash200 1993
[13] J Archer A Boehme D Cullinane P Kurtz N Puhlmannand J Reavis ldquoTop Threats to Cloud Computing V 10rdquo CloudSecurity Alliance March 2010
[14] H Debar F Pouget and M Dacier ldquoWhite paper lsquoHoney-pot Honeynet Honeytoken Terminological issuesrsquordquo InstitutEurecom Research Report RR-03-081 2003
[15] B Cheswick ldquoAn evening with berferd in which a cracker islured endured and studiedrdquo in Proceedings of the USENIXConference pp 163ndash174 USENIX 1992
[16] C Seifert I Welch and P Komisarczuk ldquoTaxonomy of honey-potsrdquo Tech Rep CS-TR-0612 2006
[17] M H y Lopez and C F L Resendez ldquoHoneypots basicconcepts classification and educational use as resources ininformation security education and coursesrdquo in Proceedings ofthe Informing Science and IT Education Conference 2008
[18] Y Huang D Arsenault and A Sood ldquoClosing cluster attackwindows through server redundancy and rotationsrdquo in Pro-ceedings of the 6th IEEE International Symposium on ClusterComputing and the Grid (CCGRID rsquo06) May 2006
[19] YHuang D Arsenault andA Sood ldquoIncorruptible self-cleans-ing intrusion tolerance and its application to DNS securityrdquoJournal of Networks vol 1 no 5 pp 21ndash30 2006
[20] M Smith C Schridde and B Freisleben ldquoSecuring stateful gridservers through virtual server rotationrdquo in Proceedings of the17th International Symposium on High Performance DistributedComputing (HPDC rsquo08) pp 11ndash22 June 2008
[21] F Y-S Lin Y-S Wang and P-H Tsang ldquoEfficient defensestrategies to minimize attackersrsquo success probabilities in hon-eynetrdquo in Proceedings of the 6th International Conference onInformation Assurance and Security (IAS rsquo10) pp 80ndash85 August2010
[22] F Y-S Lin Y-S Wang P-H Tsang and J-P Lo ldquoRedundancyand defense resource allocation algorithms to assure servicecontinuity against natural disasters and intelligent attacksrdquo inProceedings of the 5th International Conference on BroadbandWireless Computing Communication andApplications (BWCCArsquo10) pp 206ndash213 November 2010
[23] F Cohen ldquoManaging network security attack and defencestrategiesrdquo Network Security vol 1999 no 7 pp 7ndash11 1999
[24] S Nagaraja and R Anderson ldquoDynamic topologies for robustscale-free networksrdquo Bio-Inspired Computing and Communica-tion vol 5151 pp 411ndash426 2008
Submit your manuscripts athttpwwwhindawicom
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Mathematical Problems in Engineering
Hindawi Publishing Corporationhttpwwwhindawicom
Differential EquationsInternational Journal of
Volume 2014
Applied MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Probability and StatisticsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Mathematical PhysicsAdvances in
Complex AnalysisJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
OptimizationJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
CombinatoricsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Operations ResearchAdvances in
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Function Spaces
Abstract and Applied AnalysisHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of Mathematics and Mathematical Sciences
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Algebra
Discrete Dynamics in Nature and Society
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Decision SciencesAdvances in
Discrete MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom
Volume 2014 Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Stochastic AnalysisInternational Journal of
Journal of Applied Mathematics 5
(1) Attackers only have incomplete information(2) The defender only has incomplete information regarding the network since there are unaware vulnerabilities(3) A service is provided by multiple core nodes(4) Each service has different weights(5) One virtual machine only provides one service(6) Only malicious nodal attacks are considered(7) The compromise probability of a target node is determined by the Contest Success Function (CSF)
Box 1 Problem assumptions
such as the defense level of one hop neighbors link trafficor link utilization attackers must use available informationwisely to choose a proper strategy to select the next victimInspired by the seminal work of [23] possible attack strategiesmay be developed based on the quantity of proactive defenseresources link utilization or a portion of the target servicetraffic of each candidate node Additionally this paper alsoconsiders a more irrational strategy of a blind attack
By applying general distributions to describe attacker-related attributes the total number of attacker categories isnearly infinite This feature increases the generalizability ofour model The detailed assumptions are described in Box 1
To describe the attack procedures in more detail wedevelop the following idea to explain the interaction betweenthe defender and attackers The following figures are drawnfrom the attackerrsquos view for clarity In other words all figuresare a logical topology that has been already virtualizedsince one physical machine may represent many VMs Theexplanations of components are listed in Figure 1
First the defender deploys proactive defense resource oneach node and the attacker starts to compromise the networkfrom the edge nodes (119878) Before launching an attack theattacker probes all the candidate nodes to gather sufficientinformation and determine the next hop selection criterionfor this compromise event By applying the next hop selectioncriterion the victim is chosen The result of this compromiseevent is determined by the CSF If the target is compromisedit becomes a spring board for attackers to assault otheruncompromised neighbors Corresponding information isshown in Figure 2 The topology demonstrated in Figures 2and 3 for presentation purposes the topology structureimplemented in the simulations is a scale-free network
The risk level of each core node is evaluated by minimumdefense resources the number of hops the link degree andservice priority Minimum defense resource stands for theshortest path from compromised nodes to one core nodedivided by total defense resources The number of hops isdetermined by the minimum number of hops from com-promised nodes to one core node divided by the maximumnumber of hops from the attackersrsquo starting point to one corenode Link degree is the linking number of each core nodedivided by the maximum linking number in the topologyService priority is the weight of the service that is providedby the target core node divided by the highest weight ofservice in the topology If any of the core nodes is in dangerthe defender can activate defense mechanisms such as afake traffic generator and a dynamic topology reconfigurationunder QoS limitations
S
Reconfiguration
Reconfiguration
Reconfiguration
VM
Reconfiguration
VM
Figure 1 Explanations of Components
Reconfiguration
VMReconfiguration iiiiiiionnoooooooooonnnooooonnn
S
Reconfiguration
Reconfiguration
VM
Figure 2 Sample network and resource allocation scheme
When the defender activates a dynamic topology recon-figuration only nodes implemented with the reconfigurationfunction are considered First the defender chooses theleast proactively defended neighbor with the reconfigurationfunction of a risky core node The defender then selectsanother node that is both not a neighbor of the core nodeand the most proactively defended nearby the node selectedfrom the previous step If there is a fake traffic generatinghoneypot the defender is also able to activate the mechanismfor influencing an attackerrsquos next hop selecting criterion
In the event that attackers attack the virtualized nodesand this malicious event is detected by the defender the local
6 Journal of Applied Mathematics
Given(1) all possible defense configurations set including defense resource allocation and defending strategies(2) all possible attack configurations set including attacker attributes strategies and selection criterion(3) the total attack times on each serviceObjectiveto minimize the service compromised probability of the target networkSubject to(1) budget constrain for both the defender and attackers(2) the minimum QoS requirement for legitimate usersTo determinethe effective defense strategies to allocate resources
Box 2 Problem description
078
079
08
081
082
083
084
1000 2000 3000 4000 5000 6000 7000 8000 9000 10000
Serv
ice c
ompr
omise
d pr
obab
ility
Evaluation times
m = 01
m = 03
m = 05
m contest intensity
Figure 3 A possible result of an attack and defense scenario
defense mechanism is activated automatically Consequentlythe defense level increases for the attacked node the VMMand the rest of this virtualized group If attackers see that thenode is under a virtualized environment they may continueto compromise the VMM
When a core node is compromised the defender mustevaluate whether the performance level still fulfills theminimum QoS requirement and update the degree of riskregarding each core node If an attacker targets multipleservices once they compromise a false target honeypot andare deceived by it they will change their target to the nextservice Finally if attackers exhaust their budget the attackis terminated and the defender wins the battle One possibleresult is shown in Figure 3 A structural description of theproblem is presented in Box 2
22 Mathematical Formulation The scenario discussed pre-viously is modeled as a minimization problem given theparameters and decision variables shown in Tables 1 and2 respectively Furthermore since the high amount ofrandomness involved renders the nature of this problemnondeterministic it is quite difficult to formulate this prob-lem purely through mathematics To explain the nondeter-ministic nature the following example is used considering
two adversaries with the same attack strategy since theproblem is nondeterministic the consequences can be totallydifferent One may be distracted by a honeypot and the othermay successfully achieve the goal This feature dramaticallyexpands the width in survivability studies Further the sce-nario considered in this work gives the defender the averagesurvivability analysis of a network
There are three major reasons that an average surviv-ability analysis is more meaningful for the defender Firstin the real world there are only few adversaries holdingldquocompleterdquo information regarding the target network Thiskind of ldquoworst caserdquo rarely happen Secondly analyzing theworst case though gives a defender the lower bound of net-work survivability Nevertheless it overestimates the budgetrequired for defending a network An average survivabilityanalysis makes conclusions closer to reality Last but not theleast in average case analysis if the defenderwants to evaluatethe survivability when facing a stronger adversary it canbe achieved by simply tuning the parameter Average caseanalysis is flexible and adjustable according to the demandof a defender
Thus to well describe the problem some verbal notationsand constraints are included which are shown in Table 3
Objective function
min997888119863119894
sum119894isin119878
[120572119894times sum119865119894
119895=1119879119894119895
(997888119863119894997888997888119860119894119895)]
sum119894isin119878
(120572119894times 119865119894)
(IP 1)
subject tomathematical constraints
997888119863119894isin 119864 forall119894 isin 119878 (IP 11)
997888997888119860119894119895
isin 119885 forall119894 isin 119878 1 le 119895 le 119865119894 (IP 12)
119902119894119895
ge 0 forall119894 119895 isin 119873 (IP 13)
119909119894+ 119910119895
ge 1 forall119894 119895 isin 119867 (IP 14)
119888119894ge 120582 forall119894 isin 119885 (IP 15)
119861NL + 119861proactive + 119861reactive le 119861 (IP 16)
119861virtualized + 119861honeypot + 119861reconfig le 119861reactive (IP 17)
Journal of Applied Mathematics 7
119908 times 119890 + 119900 times 119862 +
sum119894isin119873
sum119895isin119873
119892 (119902119894119895)
2le 119861NL (IP 18)
sum
119894isin119873
119899119894le 119861proactive (IP 19)
sum
119894isin119872
V (119897119894) + 119901 times sum
119894isin119872
119897119894times 119896119894le 119861virtualized (IP 110)
sum
119894isin119875
119909119894times ℎ (120575
119894 120576119894) + sum
119895isin119876
119910119895
times 119891 (120575119895 120579119895)
+ sum
119894isin119873
sum
119895isin119873
119909119894times 119910119895
times 119905 (120575119894 120576119894 120579119895) le 119861honeypot
(IP 111)
sum
119894isin119873
119911119894times 119903 le 119861reconfig (IP 112)
119908 times 119890 ge 0 (IP 113)
119892 (119902119894119895) ge 0 forall119894 119895 isin 119873 (IP 114)
119899119894ge 0 forall119894 isin 119873 (IP 115)
V (119897119894) ge 0 forall119894 isin 119872 (IP 116)
ℎ (120575119894 120576119894) ge 0 forall119894 isin 119875 (IP 117)
119891 (120575119895 120579119895) ge 0 forall119895 isin 119876 (IP 118)
119905 (120575119894 120576119894 120579119895) ge 0 forall119894 isin 119873 (IP 119)
119909119894= 0 or 1 forall119894 isin 119873 (IP 120)
119910119894= 0 or 1 forall119894 isin 119873 (IP 121)
119911119894= 0 or 1 forall119894 isin 119873 (IP 122)
verbal constraints
int119884
119910=1[119882 (119866core119894 119880link119895 119870effect 119868effect 119869effect 119874tocore)] 119889119910
119884
ge 119882threshold where 119894 isin 119862 119895 isin 119871
(IP 123)
119882final ge 119882threshold (IP 124)
For each core node when
120573 (120588defense 120591hops 120596degree 119904priority119894
) ge 120573threshold
where 119894 isin 119878
(IP 125)
the defender can activate the reactive defense mechanismsThe goal of the objective function is to minimize the
compromised service probability which is modeled as theweighted total of successful attacks divided by the totalweighted number of attacks The result of an attack is deter-mined by 119879
119894119895(997888119863119894997888997888119860119894119895) For each service the defender con-
structs a defense configuration including defense resource
allocation anddefending strategies to oppose attackers target-ing the service with different attack configurations includingattacker attributes strategies and transition rules Not onlymalicious attacks but also QoS issues are taken into consider-ation
Equation (IP 11) stands for the feasibility of the defenseconfiguration of each service For the attacking side (IP 12)
denotes that the attack configuration should be feasibleEquation (IP 16) denotes that the summation of defenseresources spent should not exceed total budget 119861 Equations(IP 17)sim(IP 119) jointly restrain the budget of each type ofdefense resource individually Equations (IP 120)sim(IP 122)
impose binary restrictions on decision variables Finally(IP 123)sim(IP 125) jointly represent that the performancereduction caused by either malicious attacks or activatingreactive defense mechanisms should not violate the QoSrequirement
3 Numerical Analysis
In this paper a scale-free network is constructed for evalua-tion since this structure is similar to real-world forms suchas the Internet The implementation algorithm is referencedfrom [24]
31 Simulation Environment Table 4 presents the systemexperiment parameters Defender-related parameters areillustrated in Table 5 The unit of budget is dollar Forattackers the parameters are shown in Table 6
The value of each attackerrsquos budget capability and aggres-siveness is governed by a normal distribution with differentlower and upper bounds
32 Numerical Result As mentioned previously the ContestSuccess Function is applied for quantifying vulnerabilityThevalue of contest intensity is classified into two groups scoresgreater than 1 and scores smaller than 1
321 Convergence The first issue to address before con-structing meaningful simulations is convergence In thispaper the convergence of data is considered as numericalstability While the magnitude of data vibrations is withinthe acceptable interval for example 02 the correspondingnumber of simulation times (119872) is set as the number ofevaluations for each attack and defense scenario
For rigorousness in convergence experiments the effectof contest intensity is jointly consideredThree different mag-nitudes are simulated on a 49 node scale-free network Forthe following experiments in this subsection the horizontalaxis represents the evaluation of the number of attacks andthe vertical axis stands for the network system compromisedprobability which is the objective function of the proposedmathematical model
Figures 4 and 5 show the result of 10000 simulations withdifferent contest intensity Here it is clear that the value ofservice compromised probability is unstable In Figures 6 and7 the vibration becomes alleviative but is still not convergentWhen the number of simulations is raised to 100000 as
8 Journal of Applied Mathematics
078
079
08
081
082
083
084
1000 2000 3000 4000 5000 6000 7000 8000 9000 10000
Evaluation times
Serv
ice c
ompr
omise
d pr
obab
ility
m = 15
m = 17
m = 19
m contest intensity
Figure 4 Convergence test on 119898 lt 1 group for 10000 simulations
075076077078079
08081082083084
1000
4000
7000
1000
013
000
1600
019
000
2200
025
000
2800
031
000
3400
037
000
4000
043
000
4600
049
000
Evaluation times
Serv
ice c
ompr
omise
d pr
obab
ility
m = 01
m = 03
m = 05
m contest intensity
Figure 5 Convergence test on 119898 gt 1 group for 10000 simulations
shown in Figures 8 and 9 there is a stable trend after 60000among all different values of contest intensity
From Figures 4 to 9 it is clear that the 60000 simulationsare a large enough number to give converging results amongall values of contest intensityTherefore 119872 is set to be 60000
322 Analysis of Key Factors Influencing Service CompromisedProbability Contest intensity has great influence on thenature of network attack and defense However as shown inFigure 10 there is no consistent tendency between contestintensity and service compromised probability The sameconclusions also appear in [8ndash10]
If the effects of contest intensity and attackerrsquos aggressive-ness are jointly considered there are some meaningful andexplainable results
In Figure 11 three value intervals of aggressivenessincluding 01 to 09 (average) 01 to 05 (less aggressive) and05 to 09 (aggressive) are simulated among different values ofcontest intensity It is clear that when both the effect of contestintensity and an attackrsquos aggressiveness are considered thereare consistent trends For aggressive attackers it is more
078
079
08
081
082
083
084
1000
4000
7000
1000
013
000
1600
019
000
2200
025
000
2800
031
000
3400
037
000
4000
043
000
4600
049
000
Evaluation times
Serv
ice c
ompr
omise
d pr
obab
ility
m = 15
m = 17
m = 19
m contest intensity
Figure 6 Convergence test on 119898 lt 1 group for 50000 simulations
075076077078079
08081082
1000
6000
1100
016
000
2100
026
000
3100
036
000
4100
046
000
5100
056
000
6100
066
000
7100
076
000
8100
086
000
9100
096
000
Evaluation times
Serv
ice c
ompr
omise
d pr
obab
ility
m = 01
m = 03
m = 05
m contest intensity
Figure 7 Convergence test on 119898 gt 1 group for 50000 simulations
advantageous to have higher values of contest intensityAlternatively less aggressive attackers have leverage whenthe value of contest intensity is small However for averageattacks there is no clear tendency
The value of contest intensity is separated into high-valueand low-value groups Here Figure 12 illustrates the variationof service compromised probability in low-level contestintensity groups when facing less aggressive attackers Whilein Figure 12 the objective function value presents a lineardecreasing form Figure 13 demonstrates an exponentiallydecreasing from
Figures 14 and 15 also present a similar phenomenonwhen facing aggressive attackers the variation of servicecompromised probability shows an exponentially increasingtrend for contest intensity belonging to the low-level groupFor the high-level group the tendency is more linear
According to the previous results the key factors influ-encing service compromised probability include contestintensity and attack aggressivenessThese results are summa-rized in Figure 16
Journal of Applied Mathematics 9
075076077078079
08081082083
1000
6000
1100
016
000
2100
026
000
3100
036
000
4100
046
000
5100
056
000
6100
066
000
7100
076
000
8100
086
000
9100
096
000
Evaluation times
Serv
ice c
ompr
omise
d pr
obab
ility
m = 15
m = 17
m = 19
m contest intensity
Figure 8 Convergence test on119898 lt 1 group for 100000 simulations
076
077
078
079
08
081
082
Serv
ice c
ompr
omise
d pr
obab
ility
m = 15
m = 17
m = 19
m = 01
m = 03
m = 05
Aggressiveness = 01sim09
m contest intensity
Figure 9 Convergence test on 119898 gt 1 group for 100000 simula-tions
4 Discussion of Results
Based on the simulation results some interesting and mean-ingful arguments are presented in this section
41 The Effectiveness of Resources Invested by the Defenderand Attackers Is Highly Dependent on the Nature of BattleThe objective function value shown in Figure 12 presents alinear decreasing form when the contest intensity belongsto a low-level group and the defender is dealing with lessaggressive attackers The reason is that the effectiveness ofresources invested by both players is insignificant Thus theservice compromised probability is less sensitive with contestintensity under ldquofight to win or dierdquo circumstances
Furthermore less aggressive attackers only invest fewresources into compromising a target With the same totalbudget they are capable of launching more attacks thanaggressive attackers Therefore the service compromisedprobability of less aggressive attackers is much higher thanmore aggressive attackers
00102030405
06
07
0809
1
Contest intensity m
Serv
ice c
ompr
omise
d pr
obab
ility
m = 15 m = 17 m = 19m = 01 m = 03 m = 05
Aggressiveness = 01sim09Aggressiveness = 05sim09Aggressiveness = 01sim05
Figure 10 Service compromised probability under different contestintensity
075076077078079
08081082083084085086087
m = 01
m = 03
m = 05
Aggressiveness = 01sim05
Serv
ice c
ompr
omise
d pr
obab
ility
m contest intensity
Figure 11 Effect of Aggressiveness among Different Contest Inten-sity
In the case of ldquowinner takes allrdquo Figure 13 illustrates anexponentially decreasing trend among service compromisedprobability this is because the effectiveness of resourcesinvested is significant to the result of a battle With a largervalue of contest intensity the vantage of a defender againstless aggressive attackers is more obvious
On the contrary for aggressive attackers there is anexponentially increasing tendency under ldquofight to win ordierdquo circumstances Since the contest intensity serves asthe exponent of the Contest Success Function when thevalue increases the effectiveness of resources invested growsexponentially This is further shown in Figure 14
Nevertheless the exponential tendency does not appearthrough all values of contest intensity For the ldquowinner takesallrdquo circumstance in Figure 15 the increasing rate of service
10 Journal of Applied Mathematics
063064065066067068069
07071072073074075
m = 15
m = 17
m = 19
Aggressiveness = 01sim05
Serv
ice c
ompr
omise
d pr
obab
ility
m contest intensity
Figure 12 Service compromised probability of less aggressive at-tacker under 119898 lt 1 circumstance
0
01
02
03
04
05
06
07
m = 01
m = 03
m = 05
Aggressiveness = 05sim09
Serv
ice c
ompr
omise
d pr
obab
ility
m contest intensity
Figure 13 Service compromised probability of less aggressive at-tacker under 119898 gt 1 circumstance
085
086
087
088
089
09
m = 15
m = 17
m = 19
Aggressiveness = 05sim09
Serv
ice c
ompr
omise
d pr
obab
ility
m contest intensity
Figure 14 Service compromised probability of aggressive attackerunder 119898 lt 1 circumstance
0
02
04
06
08
1
Prob
abili
ty
Contest intensity mm = 15 m = 17 m = 19
m = 01 m = 03 m = 05
Aggressiveness = 01sim05Aggressiveness = 05sim09
Figure 15 Service compromised probability of aggressive attackerunder 119898 gt 1 circumstance
0
02
04
06
08
1
Prob
abili
ty
Contest intensity mm = 15 m = 17 m = 19
m = 01 m = 03 m = 05
Aggressiveness = 01sim05Aggressiveness = 05sim09
Figure 16 Comparison of service compromised probability underdiverse contest intensity and aggressiveness
compromised probability slows down when contest intensitybecomes higherThis is because although aggressive attackersprefer to gain an edge by spending more attack resourcesto compromise a target each compromise costs significantresources Thus aggressive attackers run out of budget veryquickly and the increasing trend is not exponential
42 Proactive Defense Is Advantageous under ldquoWinner TakesAllrdquo Circumstance According to previous discussions theeffectiveness of resources invested is significant under ldquowin-ner takes allrdquo circumstances For less aggressive attackers theperformance is poor since they only invest few resources onan attack Aggressive attackers tend to spend a larger quantityto compromise a target If a defender raises the quantity ofdefense resources on important nodes it effectively weakensattackers
Consequently regardless of whether defenders face eitheraggressive or less aggressive attackers a proactive defenseperforms better in deterring attackers
43 Reactive Defense Is Advantageous under ldquoFight to Winor Dierdquo Circumstance Similarly under the ldquofight to win
Journal of Applied Mathematics 11
or dierdquo circumstance the effectiveness of defense resourcesis insignificant No matter how many proactive defenseresources are invested there is only limited influence onthe objective function value In other words less aggressiveattackers can compromise a target even by only investingscarce attack resources For aggressive attackers since theyprefer spending a large quantity of resources on compromis-ing a victim they easily run out of resources before a targetservice is compromised
Based on this analysis it is advantageous for the defenderto apply reactive defense mechanisms against maliciousattackers under ldquofight to win or dierdquo circumstance
5 Conclusions
This paper models an attack and defense scenario thatinvolves high amounts of randomness as mathematical for-mulations where attackers are assumed to have incompleteinformation It further considers a virtualization environ-ment for helping relate these results to recent trends in cloudcomputing
According to the simulation results the outcome of acontest is influenced not only by the quantity of defenseresources invested on each node but also by the contestintensity An attackerrsquos aggressiveness is introduced as a newdimension and meaningful results are discovered Effectivedefense strategies are proposed in the discussion of theresults
For future works collaborative attacks should be takeninto consideration since the attack strategy discussed in thispaper is for individual attacks In other words there is onlyone attack targeting a victimrsquos network at a time Thus nosynergy is considered A more complicated collaborativeattack pattern is worth further study
Acknowledgment
This work was supported by the National Science CouncilTaiwan (Grant nos NSC 102-2221-E-002-104 and NSC 101-2218-E-011-009)
References
[1] IBM Internet Security Systems X-Force research and devel-opment team ldquoIBM X-Force 2010 Mid-Year Trend and RiskReportrdquo IBM August 2010
[2] R J Ellison D A Fisher R C Linger H F Lipson T Longstaffand N R Mead ldquoSurvivable network systems an emergingdisciplinerdquo Tech Rep CMUSEI-97-TR-013 1997
[3] S Roy C Ellis S Shiva D Dasgupta V Shandilya and Q WuldquoA survey of game theory as applied to network securityrdquo inProceedings of the 43rd Annual Hawaii International Conferenceon System Sciences (HICSS rsquo10) January 2010
[4] M N Lima A L D Santos and G Pujolle ldquoA survey of sur-vivability in mobile Ad hoc Networksrdquo IEEE CommunicationsSurveys and Tutorials vol 11 no 1 pp 66ndash77 2009
[5] Z Ma ldquoTowards a unified definition for reliability survivabilityand resilience (I) the conceptual framework inspired by thehandicap principle and ecological stabilityrdquo in Proceedings of theIEEE Aerospace Conference pp 1ndash12 March 2010
[6] F Xing and W Wang ldquoOn the survivability of wireless adHOC networks with node misbehaviors and failuresrdquo IEEETransactions on Dependable and Secure Computing vol 7 no3 pp 284ndash299 2010
[7] S Skaperdas ldquoContest success functionsrdquo EconomicTheory vol7 no 2 pp 283ndash290 1996
[8] G Levitin and K Hausken ldquoFalse targets efficiency in defensestrategyrdquo European Journal of Operational Research vol 194 no1 pp 155ndash162 2009
[9] K Hausken and G Levitin ldquoProtection vs false targets in seriessystemsrdquo Reliability Engineering and System Safety vol 94 no5 pp 973ndash981 2009
[10] G Levitin and K Hausken ldquoPreventive strike vs false targetsand protection in defense strategyrdquo Reliability Engineering andSystem Safety vol 96 no 8 pp 912ndash924 2011
[11] J Hirshleifer ldquoConflict and rent-seeking success functions ratiovs difference models of relative successrdquo Public Choice vol 63no 2 pp 101ndash112 1989
[12] J Hirshleifer ldquoThe paradox of powerrdquo Economics and Politicsvol 3 pp 177ndash200 1993
[13] J Archer A Boehme D Cullinane P Kurtz N Puhlmannand J Reavis ldquoTop Threats to Cloud Computing V 10rdquo CloudSecurity Alliance March 2010
[14] H Debar F Pouget and M Dacier ldquoWhite paper lsquoHoney-pot Honeynet Honeytoken Terminological issuesrsquordquo InstitutEurecom Research Report RR-03-081 2003
[15] B Cheswick ldquoAn evening with berferd in which a cracker islured endured and studiedrdquo in Proceedings of the USENIXConference pp 163ndash174 USENIX 1992
[16] C Seifert I Welch and P Komisarczuk ldquoTaxonomy of honey-potsrdquo Tech Rep CS-TR-0612 2006
[17] M H y Lopez and C F L Resendez ldquoHoneypots basicconcepts classification and educational use as resources ininformation security education and coursesrdquo in Proceedings ofthe Informing Science and IT Education Conference 2008
[18] Y Huang D Arsenault and A Sood ldquoClosing cluster attackwindows through server redundancy and rotationsrdquo in Pro-ceedings of the 6th IEEE International Symposium on ClusterComputing and the Grid (CCGRID rsquo06) May 2006
[19] YHuang D Arsenault andA Sood ldquoIncorruptible self-cleans-ing intrusion tolerance and its application to DNS securityrdquoJournal of Networks vol 1 no 5 pp 21ndash30 2006
[20] M Smith C Schridde and B Freisleben ldquoSecuring stateful gridservers through virtual server rotationrdquo in Proceedings of the17th International Symposium on High Performance DistributedComputing (HPDC rsquo08) pp 11ndash22 June 2008
[21] F Y-S Lin Y-S Wang and P-H Tsang ldquoEfficient defensestrategies to minimize attackersrsquo success probabilities in hon-eynetrdquo in Proceedings of the 6th International Conference onInformation Assurance and Security (IAS rsquo10) pp 80ndash85 August2010
[22] F Y-S Lin Y-S Wang P-H Tsang and J-P Lo ldquoRedundancyand defense resource allocation algorithms to assure servicecontinuity against natural disasters and intelligent attacksrdquo inProceedings of the 5th International Conference on BroadbandWireless Computing Communication andApplications (BWCCArsquo10) pp 206ndash213 November 2010
[23] F Cohen ldquoManaging network security attack and defencestrategiesrdquo Network Security vol 1999 no 7 pp 7ndash11 1999
[24] S Nagaraja and R Anderson ldquoDynamic topologies for robustscale-free networksrdquo Bio-Inspired Computing and Communica-tion vol 5151 pp 411ndash426 2008
Submit your manuscripts athttpwwwhindawicom
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Mathematical Problems in Engineering
Hindawi Publishing Corporationhttpwwwhindawicom
Differential EquationsInternational Journal of
Volume 2014
Applied MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Probability and StatisticsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Mathematical PhysicsAdvances in
Complex AnalysisJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
OptimizationJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
CombinatoricsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Operations ResearchAdvances in
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Function Spaces
Abstract and Applied AnalysisHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of Mathematics and Mathematical Sciences
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Algebra
Discrete Dynamics in Nature and Society
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Decision SciencesAdvances in
Discrete MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom
Volume 2014 Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Stochastic AnalysisInternational Journal of
6 Journal of Applied Mathematics
Given(1) all possible defense configurations set including defense resource allocation and defending strategies(2) all possible attack configurations set including attacker attributes strategies and selection criterion(3) the total attack times on each serviceObjectiveto minimize the service compromised probability of the target networkSubject to(1) budget constrain for both the defender and attackers(2) the minimum QoS requirement for legitimate usersTo determinethe effective defense strategies to allocate resources
Box 2 Problem description
078
079
08
081
082
083
084
1000 2000 3000 4000 5000 6000 7000 8000 9000 10000
Serv
ice c
ompr
omise
d pr
obab
ility
Evaluation times
m = 01
m = 03
m = 05
m contest intensity
Figure 3 A possible result of an attack and defense scenario
defense mechanism is activated automatically Consequentlythe defense level increases for the attacked node the VMMand the rest of this virtualized group If attackers see that thenode is under a virtualized environment they may continueto compromise the VMM
When a core node is compromised the defender mustevaluate whether the performance level still fulfills theminimum QoS requirement and update the degree of riskregarding each core node If an attacker targets multipleservices once they compromise a false target honeypot andare deceived by it they will change their target to the nextservice Finally if attackers exhaust their budget the attackis terminated and the defender wins the battle One possibleresult is shown in Figure 3 A structural description of theproblem is presented in Box 2
22 Mathematical Formulation The scenario discussed pre-viously is modeled as a minimization problem given theparameters and decision variables shown in Tables 1 and2 respectively Furthermore since the high amount ofrandomness involved renders the nature of this problemnondeterministic it is quite difficult to formulate this prob-lem purely through mathematics To explain the nondeter-ministic nature the following example is used considering
two adversaries with the same attack strategy since theproblem is nondeterministic the consequences can be totallydifferent One may be distracted by a honeypot and the othermay successfully achieve the goal This feature dramaticallyexpands the width in survivability studies Further the sce-nario considered in this work gives the defender the averagesurvivability analysis of a network
There are three major reasons that an average surviv-ability analysis is more meaningful for the defender Firstin the real world there are only few adversaries holdingldquocompleterdquo information regarding the target network Thiskind of ldquoworst caserdquo rarely happen Secondly analyzing theworst case though gives a defender the lower bound of net-work survivability Nevertheless it overestimates the budgetrequired for defending a network An average survivabilityanalysis makes conclusions closer to reality Last but not theleast in average case analysis if the defenderwants to evaluatethe survivability when facing a stronger adversary it canbe achieved by simply tuning the parameter Average caseanalysis is flexible and adjustable according to the demandof a defender
Thus to well describe the problem some verbal notationsand constraints are included which are shown in Table 3
Objective function
min997888119863119894
sum119894isin119878
[120572119894times sum119865119894
119895=1119879119894119895
(997888119863119894997888997888119860119894119895)]
sum119894isin119878
(120572119894times 119865119894)
(IP 1)
subject tomathematical constraints
997888119863119894isin 119864 forall119894 isin 119878 (IP 11)
997888997888119860119894119895
isin 119885 forall119894 isin 119878 1 le 119895 le 119865119894 (IP 12)
119902119894119895
ge 0 forall119894 119895 isin 119873 (IP 13)
119909119894+ 119910119895
ge 1 forall119894 119895 isin 119867 (IP 14)
119888119894ge 120582 forall119894 isin 119885 (IP 15)
119861NL + 119861proactive + 119861reactive le 119861 (IP 16)
119861virtualized + 119861honeypot + 119861reconfig le 119861reactive (IP 17)
Journal of Applied Mathematics 7
119908 times 119890 + 119900 times 119862 +
sum119894isin119873
sum119895isin119873
119892 (119902119894119895)
2le 119861NL (IP 18)
sum
119894isin119873
119899119894le 119861proactive (IP 19)
sum
119894isin119872
V (119897119894) + 119901 times sum
119894isin119872
119897119894times 119896119894le 119861virtualized (IP 110)
sum
119894isin119875
119909119894times ℎ (120575
119894 120576119894) + sum
119895isin119876
119910119895
times 119891 (120575119895 120579119895)
+ sum
119894isin119873
sum
119895isin119873
119909119894times 119910119895
times 119905 (120575119894 120576119894 120579119895) le 119861honeypot
(IP 111)
sum
119894isin119873
119911119894times 119903 le 119861reconfig (IP 112)
119908 times 119890 ge 0 (IP 113)
119892 (119902119894119895) ge 0 forall119894 119895 isin 119873 (IP 114)
119899119894ge 0 forall119894 isin 119873 (IP 115)
V (119897119894) ge 0 forall119894 isin 119872 (IP 116)
ℎ (120575119894 120576119894) ge 0 forall119894 isin 119875 (IP 117)
119891 (120575119895 120579119895) ge 0 forall119895 isin 119876 (IP 118)
119905 (120575119894 120576119894 120579119895) ge 0 forall119894 isin 119873 (IP 119)
119909119894= 0 or 1 forall119894 isin 119873 (IP 120)
119910119894= 0 or 1 forall119894 isin 119873 (IP 121)
119911119894= 0 or 1 forall119894 isin 119873 (IP 122)
verbal constraints
int119884
119910=1[119882 (119866core119894 119880link119895 119870effect 119868effect 119869effect 119874tocore)] 119889119910
119884
ge 119882threshold where 119894 isin 119862 119895 isin 119871
(IP 123)
119882final ge 119882threshold (IP 124)
For each core node when
120573 (120588defense 120591hops 120596degree 119904priority119894
) ge 120573threshold
where 119894 isin 119878
(IP 125)
the defender can activate the reactive defense mechanismsThe goal of the objective function is to minimize the
compromised service probability which is modeled as theweighted total of successful attacks divided by the totalweighted number of attacks The result of an attack is deter-mined by 119879
119894119895(997888119863119894997888997888119860119894119895) For each service the defender con-
structs a defense configuration including defense resource
allocation anddefending strategies to oppose attackers target-ing the service with different attack configurations includingattacker attributes strategies and transition rules Not onlymalicious attacks but also QoS issues are taken into consider-ation
Equation (IP 11) stands for the feasibility of the defenseconfiguration of each service For the attacking side (IP 12)
denotes that the attack configuration should be feasibleEquation (IP 16) denotes that the summation of defenseresources spent should not exceed total budget 119861 Equations(IP 17)sim(IP 119) jointly restrain the budget of each type ofdefense resource individually Equations (IP 120)sim(IP 122)
impose binary restrictions on decision variables Finally(IP 123)sim(IP 125) jointly represent that the performancereduction caused by either malicious attacks or activatingreactive defense mechanisms should not violate the QoSrequirement
3 Numerical Analysis
In this paper a scale-free network is constructed for evalua-tion since this structure is similar to real-world forms suchas the Internet The implementation algorithm is referencedfrom [24]
31 Simulation Environment Table 4 presents the systemexperiment parameters Defender-related parameters areillustrated in Table 5 The unit of budget is dollar Forattackers the parameters are shown in Table 6
The value of each attackerrsquos budget capability and aggres-siveness is governed by a normal distribution with differentlower and upper bounds
32 Numerical Result As mentioned previously the ContestSuccess Function is applied for quantifying vulnerabilityThevalue of contest intensity is classified into two groups scoresgreater than 1 and scores smaller than 1
321 Convergence The first issue to address before con-structing meaningful simulations is convergence In thispaper the convergence of data is considered as numericalstability While the magnitude of data vibrations is withinthe acceptable interval for example 02 the correspondingnumber of simulation times (119872) is set as the number ofevaluations for each attack and defense scenario
For rigorousness in convergence experiments the effectof contest intensity is jointly consideredThree different mag-nitudes are simulated on a 49 node scale-free network Forthe following experiments in this subsection the horizontalaxis represents the evaluation of the number of attacks andthe vertical axis stands for the network system compromisedprobability which is the objective function of the proposedmathematical model
Figures 4 and 5 show the result of 10000 simulations withdifferent contest intensity Here it is clear that the value ofservice compromised probability is unstable In Figures 6 and7 the vibration becomes alleviative but is still not convergentWhen the number of simulations is raised to 100000 as
8 Journal of Applied Mathematics
078
079
08
081
082
083
084
1000 2000 3000 4000 5000 6000 7000 8000 9000 10000
Evaluation times
Serv
ice c
ompr
omise
d pr
obab
ility
m = 15
m = 17
m = 19
m contest intensity
Figure 4 Convergence test on 119898 lt 1 group for 10000 simulations
075076077078079
08081082083084
1000
4000
7000
1000
013
000
1600
019
000
2200
025
000
2800
031
000
3400
037
000
4000
043
000
4600
049
000
Evaluation times
Serv
ice c
ompr
omise
d pr
obab
ility
m = 01
m = 03
m = 05
m contest intensity
Figure 5 Convergence test on 119898 gt 1 group for 10000 simulations
shown in Figures 8 and 9 there is a stable trend after 60000among all different values of contest intensity
From Figures 4 to 9 it is clear that the 60000 simulationsare a large enough number to give converging results amongall values of contest intensityTherefore 119872 is set to be 60000
322 Analysis of Key Factors Influencing Service CompromisedProbability Contest intensity has great influence on thenature of network attack and defense However as shown inFigure 10 there is no consistent tendency between contestintensity and service compromised probability The sameconclusions also appear in [8ndash10]
If the effects of contest intensity and attackerrsquos aggressive-ness are jointly considered there are some meaningful andexplainable results
In Figure 11 three value intervals of aggressivenessincluding 01 to 09 (average) 01 to 05 (less aggressive) and05 to 09 (aggressive) are simulated among different values ofcontest intensity It is clear that when both the effect of contestintensity and an attackrsquos aggressiveness are considered thereare consistent trends For aggressive attackers it is more
078
079
08
081
082
083
084
1000
4000
7000
1000
013
000
1600
019
000
2200
025
000
2800
031
000
3400
037
000
4000
043
000
4600
049
000
Evaluation times
Serv
ice c
ompr
omise
d pr
obab
ility
m = 15
m = 17
m = 19
m contest intensity
Figure 6 Convergence test on 119898 lt 1 group for 50000 simulations
075076077078079
08081082
1000
6000
1100
016
000
2100
026
000
3100
036
000
4100
046
000
5100
056
000
6100
066
000
7100
076
000
8100
086
000
9100
096
000
Evaluation times
Serv
ice c
ompr
omise
d pr
obab
ility
m = 01
m = 03
m = 05
m contest intensity
Figure 7 Convergence test on 119898 gt 1 group for 50000 simulations
advantageous to have higher values of contest intensityAlternatively less aggressive attackers have leverage whenthe value of contest intensity is small However for averageattacks there is no clear tendency
The value of contest intensity is separated into high-valueand low-value groups Here Figure 12 illustrates the variationof service compromised probability in low-level contestintensity groups when facing less aggressive attackers Whilein Figure 12 the objective function value presents a lineardecreasing form Figure 13 demonstrates an exponentiallydecreasing from
Figures 14 and 15 also present a similar phenomenonwhen facing aggressive attackers the variation of servicecompromised probability shows an exponentially increasingtrend for contest intensity belonging to the low-level groupFor the high-level group the tendency is more linear
According to the previous results the key factors influ-encing service compromised probability include contestintensity and attack aggressivenessThese results are summa-rized in Figure 16
Journal of Applied Mathematics 9
075076077078079
08081082083
1000
6000
1100
016
000
2100
026
000
3100
036
000
4100
046
000
5100
056
000
6100
066
000
7100
076
000
8100
086
000
9100
096
000
Evaluation times
Serv
ice c
ompr
omise
d pr
obab
ility
m = 15
m = 17
m = 19
m contest intensity
Figure 8 Convergence test on119898 lt 1 group for 100000 simulations
076
077
078
079
08
081
082
Serv
ice c
ompr
omise
d pr
obab
ility
m = 15
m = 17
m = 19
m = 01
m = 03
m = 05
Aggressiveness = 01sim09
m contest intensity
Figure 9 Convergence test on 119898 gt 1 group for 100000 simula-tions
4 Discussion of Results
Based on the simulation results some interesting and mean-ingful arguments are presented in this section
41 The Effectiveness of Resources Invested by the Defenderand Attackers Is Highly Dependent on the Nature of BattleThe objective function value shown in Figure 12 presents alinear decreasing form when the contest intensity belongsto a low-level group and the defender is dealing with lessaggressive attackers The reason is that the effectiveness ofresources invested by both players is insignificant Thus theservice compromised probability is less sensitive with contestintensity under ldquofight to win or dierdquo circumstances
Furthermore less aggressive attackers only invest fewresources into compromising a target With the same totalbudget they are capable of launching more attacks thanaggressive attackers Therefore the service compromisedprobability of less aggressive attackers is much higher thanmore aggressive attackers
00102030405
06
07
0809
1
Contest intensity m
Serv
ice c
ompr
omise
d pr
obab
ility
m = 15 m = 17 m = 19m = 01 m = 03 m = 05
Aggressiveness = 01sim09Aggressiveness = 05sim09Aggressiveness = 01sim05
Figure 10 Service compromised probability under different contestintensity
075076077078079
08081082083084085086087
m = 01
m = 03
m = 05
Aggressiveness = 01sim05
Serv
ice c
ompr
omise
d pr
obab
ility
m contest intensity
Figure 11 Effect of Aggressiveness among Different Contest Inten-sity
In the case of ldquowinner takes allrdquo Figure 13 illustrates anexponentially decreasing trend among service compromisedprobability this is because the effectiveness of resourcesinvested is significant to the result of a battle With a largervalue of contest intensity the vantage of a defender againstless aggressive attackers is more obvious
On the contrary for aggressive attackers there is anexponentially increasing tendency under ldquofight to win ordierdquo circumstances Since the contest intensity serves asthe exponent of the Contest Success Function when thevalue increases the effectiveness of resources invested growsexponentially This is further shown in Figure 14
Nevertheless the exponential tendency does not appearthrough all values of contest intensity For the ldquowinner takesallrdquo circumstance in Figure 15 the increasing rate of service
10 Journal of Applied Mathematics
063064065066067068069
07071072073074075
m = 15
m = 17
m = 19
Aggressiveness = 01sim05
Serv
ice c
ompr
omise
d pr
obab
ility
m contest intensity
Figure 12 Service compromised probability of less aggressive at-tacker under 119898 lt 1 circumstance
0
01
02
03
04
05
06
07
m = 01
m = 03
m = 05
Aggressiveness = 05sim09
Serv
ice c
ompr
omise
d pr
obab
ility
m contest intensity
Figure 13 Service compromised probability of less aggressive at-tacker under 119898 gt 1 circumstance
085
086
087
088
089
09
m = 15
m = 17
m = 19
Aggressiveness = 05sim09
Serv
ice c
ompr
omise
d pr
obab
ility
m contest intensity
Figure 14 Service compromised probability of aggressive attackerunder 119898 lt 1 circumstance
0
02
04
06
08
1
Prob
abili
ty
Contest intensity mm = 15 m = 17 m = 19
m = 01 m = 03 m = 05
Aggressiveness = 01sim05Aggressiveness = 05sim09
Figure 15 Service compromised probability of aggressive attackerunder 119898 gt 1 circumstance
0
02
04
06
08
1
Prob
abili
ty
Contest intensity mm = 15 m = 17 m = 19
m = 01 m = 03 m = 05
Aggressiveness = 01sim05Aggressiveness = 05sim09
Figure 16 Comparison of service compromised probability underdiverse contest intensity and aggressiveness
compromised probability slows down when contest intensitybecomes higherThis is because although aggressive attackersprefer to gain an edge by spending more attack resourcesto compromise a target each compromise costs significantresources Thus aggressive attackers run out of budget veryquickly and the increasing trend is not exponential
42 Proactive Defense Is Advantageous under ldquoWinner TakesAllrdquo Circumstance According to previous discussions theeffectiveness of resources invested is significant under ldquowin-ner takes allrdquo circumstances For less aggressive attackers theperformance is poor since they only invest few resources onan attack Aggressive attackers tend to spend a larger quantityto compromise a target If a defender raises the quantity ofdefense resources on important nodes it effectively weakensattackers
Consequently regardless of whether defenders face eitheraggressive or less aggressive attackers a proactive defenseperforms better in deterring attackers
43 Reactive Defense Is Advantageous under ldquoFight to Winor Dierdquo Circumstance Similarly under the ldquofight to win
Journal of Applied Mathematics 11
or dierdquo circumstance the effectiveness of defense resourcesis insignificant No matter how many proactive defenseresources are invested there is only limited influence onthe objective function value In other words less aggressiveattackers can compromise a target even by only investingscarce attack resources For aggressive attackers since theyprefer spending a large quantity of resources on compromis-ing a victim they easily run out of resources before a targetservice is compromised
Based on this analysis it is advantageous for the defenderto apply reactive defense mechanisms against maliciousattackers under ldquofight to win or dierdquo circumstance
5 Conclusions
This paper models an attack and defense scenario thatinvolves high amounts of randomness as mathematical for-mulations where attackers are assumed to have incompleteinformation It further considers a virtualization environ-ment for helping relate these results to recent trends in cloudcomputing
According to the simulation results the outcome of acontest is influenced not only by the quantity of defenseresources invested on each node but also by the contestintensity An attackerrsquos aggressiveness is introduced as a newdimension and meaningful results are discovered Effectivedefense strategies are proposed in the discussion of theresults
For future works collaborative attacks should be takeninto consideration since the attack strategy discussed in thispaper is for individual attacks In other words there is onlyone attack targeting a victimrsquos network at a time Thus nosynergy is considered A more complicated collaborativeattack pattern is worth further study
Acknowledgment
This work was supported by the National Science CouncilTaiwan (Grant nos NSC 102-2221-E-002-104 and NSC 101-2218-E-011-009)
References
[1] IBM Internet Security Systems X-Force research and devel-opment team ldquoIBM X-Force 2010 Mid-Year Trend and RiskReportrdquo IBM August 2010
[2] R J Ellison D A Fisher R C Linger H F Lipson T Longstaffand N R Mead ldquoSurvivable network systems an emergingdisciplinerdquo Tech Rep CMUSEI-97-TR-013 1997
[3] S Roy C Ellis S Shiva D Dasgupta V Shandilya and Q WuldquoA survey of game theory as applied to network securityrdquo inProceedings of the 43rd Annual Hawaii International Conferenceon System Sciences (HICSS rsquo10) January 2010
[4] M N Lima A L D Santos and G Pujolle ldquoA survey of sur-vivability in mobile Ad hoc Networksrdquo IEEE CommunicationsSurveys and Tutorials vol 11 no 1 pp 66ndash77 2009
[5] Z Ma ldquoTowards a unified definition for reliability survivabilityand resilience (I) the conceptual framework inspired by thehandicap principle and ecological stabilityrdquo in Proceedings of theIEEE Aerospace Conference pp 1ndash12 March 2010
[6] F Xing and W Wang ldquoOn the survivability of wireless adHOC networks with node misbehaviors and failuresrdquo IEEETransactions on Dependable and Secure Computing vol 7 no3 pp 284ndash299 2010
[7] S Skaperdas ldquoContest success functionsrdquo EconomicTheory vol7 no 2 pp 283ndash290 1996
[8] G Levitin and K Hausken ldquoFalse targets efficiency in defensestrategyrdquo European Journal of Operational Research vol 194 no1 pp 155ndash162 2009
[9] K Hausken and G Levitin ldquoProtection vs false targets in seriessystemsrdquo Reliability Engineering and System Safety vol 94 no5 pp 973ndash981 2009
[10] G Levitin and K Hausken ldquoPreventive strike vs false targetsand protection in defense strategyrdquo Reliability Engineering andSystem Safety vol 96 no 8 pp 912ndash924 2011
[11] J Hirshleifer ldquoConflict and rent-seeking success functions ratiovs difference models of relative successrdquo Public Choice vol 63no 2 pp 101ndash112 1989
[12] J Hirshleifer ldquoThe paradox of powerrdquo Economics and Politicsvol 3 pp 177ndash200 1993
[13] J Archer A Boehme D Cullinane P Kurtz N Puhlmannand J Reavis ldquoTop Threats to Cloud Computing V 10rdquo CloudSecurity Alliance March 2010
[14] H Debar F Pouget and M Dacier ldquoWhite paper lsquoHoney-pot Honeynet Honeytoken Terminological issuesrsquordquo InstitutEurecom Research Report RR-03-081 2003
[15] B Cheswick ldquoAn evening with berferd in which a cracker islured endured and studiedrdquo in Proceedings of the USENIXConference pp 163ndash174 USENIX 1992
[16] C Seifert I Welch and P Komisarczuk ldquoTaxonomy of honey-potsrdquo Tech Rep CS-TR-0612 2006
[17] M H y Lopez and C F L Resendez ldquoHoneypots basicconcepts classification and educational use as resources ininformation security education and coursesrdquo in Proceedings ofthe Informing Science and IT Education Conference 2008
[18] Y Huang D Arsenault and A Sood ldquoClosing cluster attackwindows through server redundancy and rotationsrdquo in Pro-ceedings of the 6th IEEE International Symposium on ClusterComputing and the Grid (CCGRID rsquo06) May 2006
[19] YHuang D Arsenault andA Sood ldquoIncorruptible self-cleans-ing intrusion tolerance and its application to DNS securityrdquoJournal of Networks vol 1 no 5 pp 21ndash30 2006
[20] M Smith C Schridde and B Freisleben ldquoSecuring stateful gridservers through virtual server rotationrdquo in Proceedings of the17th International Symposium on High Performance DistributedComputing (HPDC rsquo08) pp 11ndash22 June 2008
[21] F Y-S Lin Y-S Wang and P-H Tsang ldquoEfficient defensestrategies to minimize attackersrsquo success probabilities in hon-eynetrdquo in Proceedings of the 6th International Conference onInformation Assurance and Security (IAS rsquo10) pp 80ndash85 August2010
[22] F Y-S Lin Y-S Wang P-H Tsang and J-P Lo ldquoRedundancyand defense resource allocation algorithms to assure servicecontinuity against natural disasters and intelligent attacksrdquo inProceedings of the 5th International Conference on BroadbandWireless Computing Communication andApplications (BWCCArsquo10) pp 206ndash213 November 2010
[23] F Cohen ldquoManaging network security attack and defencestrategiesrdquo Network Security vol 1999 no 7 pp 7ndash11 1999
[24] S Nagaraja and R Anderson ldquoDynamic topologies for robustscale-free networksrdquo Bio-Inspired Computing and Communica-tion vol 5151 pp 411ndash426 2008
Submit your manuscripts athttpwwwhindawicom
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Mathematical Problems in Engineering
Hindawi Publishing Corporationhttpwwwhindawicom
Differential EquationsInternational Journal of
Volume 2014
Applied MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Probability and StatisticsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Mathematical PhysicsAdvances in
Complex AnalysisJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
OptimizationJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
CombinatoricsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Operations ResearchAdvances in
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Function Spaces
Abstract and Applied AnalysisHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of Mathematics and Mathematical Sciences
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Algebra
Discrete Dynamics in Nature and Society
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Decision SciencesAdvances in
Discrete MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom
Volume 2014 Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Stochastic AnalysisInternational Journal of
Journal of Applied Mathematics 7
119908 times 119890 + 119900 times 119862 +
sum119894isin119873
sum119895isin119873
119892 (119902119894119895)
2le 119861NL (IP 18)
sum
119894isin119873
119899119894le 119861proactive (IP 19)
sum
119894isin119872
V (119897119894) + 119901 times sum
119894isin119872
119897119894times 119896119894le 119861virtualized (IP 110)
sum
119894isin119875
119909119894times ℎ (120575
119894 120576119894) + sum
119895isin119876
119910119895
times 119891 (120575119895 120579119895)
+ sum
119894isin119873
sum
119895isin119873
119909119894times 119910119895
times 119905 (120575119894 120576119894 120579119895) le 119861honeypot
(IP 111)
sum
119894isin119873
119911119894times 119903 le 119861reconfig (IP 112)
119908 times 119890 ge 0 (IP 113)
119892 (119902119894119895) ge 0 forall119894 119895 isin 119873 (IP 114)
119899119894ge 0 forall119894 isin 119873 (IP 115)
V (119897119894) ge 0 forall119894 isin 119872 (IP 116)
ℎ (120575119894 120576119894) ge 0 forall119894 isin 119875 (IP 117)
119891 (120575119895 120579119895) ge 0 forall119895 isin 119876 (IP 118)
119905 (120575119894 120576119894 120579119895) ge 0 forall119894 isin 119873 (IP 119)
119909119894= 0 or 1 forall119894 isin 119873 (IP 120)
119910119894= 0 or 1 forall119894 isin 119873 (IP 121)
119911119894= 0 or 1 forall119894 isin 119873 (IP 122)
verbal constraints
int119884
119910=1[119882 (119866core119894 119880link119895 119870effect 119868effect 119869effect 119874tocore)] 119889119910
119884
ge 119882threshold where 119894 isin 119862 119895 isin 119871
(IP 123)
119882final ge 119882threshold (IP 124)
For each core node when
120573 (120588defense 120591hops 120596degree 119904priority119894
) ge 120573threshold
where 119894 isin 119878
(IP 125)
the defender can activate the reactive defense mechanismsThe goal of the objective function is to minimize the
compromised service probability which is modeled as theweighted total of successful attacks divided by the totalweighted number of attacks The result of an attack is deter-mined by 119879
119894119895(997888119863119894997888997888119860119894119895) For each service the defender con-
structs a defense configuration including defense resource
allocation anddefending strategies to oppose attackers target-ing the service with different attack configurations includingattacker attributes strategies and transition rules Not onlymalicious attacks but also QoS issues are taken into consider-ation
Equation (IP 11) stands for the feasibility of the defenseconfiguration of each service For the attacking side (IP 12)
denotes that the attack configuration should be feasibleEquation (IP 16) denotes that the summation of defenseresources spent should not exceed total budget 119861 Equations(IP 17)sim(IP 119) jointly restrain the budget of each type ofdefense resource individually Equations (IP 120)sim(IP 122)
impose binary restrictions on decision variables Finally(IP 123)sim(IP 125) jointly represent that the performancereduction caused by either malicious attacks or activatingreactive defense mechanisms should not violate the QoSrequirement
3 Numerical Analysis
In this paper a scale-free network is constructed for evalua-tion since this structure is similar to real-world forms suchas the Internet The implementation algorithm is referencedfrom [24]
31 Simulation Environment Table 4 presents the systemexperiment parameters Defender-related parameters areillustrated in Table 5 The unit of budget is dollar Forattackers the parameters are shown in Table 6
The value of each attackerrsquos budget capability and aggres-siveness is governed by a normal distribution with differentlower and upper bounds
32 Numerical Result As mentioned previously the ContestSuccess Function is applied for quantifying vulnerabilityThevalue of contest intensity is classified into two groups scoresgreater than 1 and scores smaller than 1
321 Convergence The first issue to address before con-structing meaningful simulations is convergence In thispaper the convergence of data is considered as numericalstability While the magnitude of data vibrations is withinthe acceptable interval for example 02 the correspondingnumber of simulation times (119872) is set as the number ofevaluations for each attack and defense scenario
For rigorousness in convergence experiments the effectof contest intensity is jointly consideredThree different mag-nitudes are simulated on a 49 node scale-free network Forthe following experiments in this subsection the horizontalaxis represents the evaluation of the number of attacks andthe vertical axis stands for the network system compromisedprobability which is the objective function of the proposedmathematical model
Figures 4 and 5 show the result of 10000 simulations withdifferent contest intensity Here it is clear that the value ofservice compromised probability is unstable In Figures 6 and7 the vibration becomes alleviative but is still not convergentWhen the number of simulations is raised to 100000 as
8 Journal of Applied Mathematics
078
079
08
081
082
083
084
1000 2000 3000 4000 5000 6000 7000 8000 9000 10000
Evaluation times
Serv
ice c
ompr
omise
d pr
obab
ility
m = 15
m = 17
m = 19
m contest intensity
Figure 4 Convergence test on 119898 lt 1 group for 10000 simulations
075076077078079
08081082083084
1000
4000
7000
1000
013
000
1600
019
000
2200
025
000
2800
031
000
3400
037
000
4000
043
000
4600
049
000
Evaluation times
Serv
ice c
ompr
omise
d pr
obab
ility
m = 01
m = 03
m = 05
m contest intensity
Figure 5 Convergence test on 119898 gt 1 group for 10000 simulations
shown in Figures 8 and 9 there is a stable trend after 60000among all different values of contest intensity
From Figures 4 to 9 it is clear that the 60000 simulationsare a large enough number to give converging results amongall values of contest intensityTherefore 119872 is set to be 60000
322 Analysis of Key Factors Influencing Service CompromisedProbability Contest intensity has great influence on thenature of network attack and defense However as shown inFigure 10 there is no consistent tendency between contestintensity and service compromised probability The sameconclusions also appear in [8ndash10]
If the effects of contest intensity and attackerrsquos aggressive-ness are jointly considered there are some meaningful andexplainable results
In Figure 11 three value intervals of aggressivenessincluding 01 to 09 (average) 01 to 05 (less aggressive) and05 to 09 (aggressive) are simulated among different values ofcontest intensity It is clear that when both the effect of contestintensity and an attackrsquos aggressiveness are considered thereare consistent trends For aggressive attackers it is more
078
079
08
081
082
083
084
1000
4000
7000
1000
013
000
1600
019
000
2200
025
000
2800
031
000
3400
037
000
4000
043
000
4600
049
000
Evaluation times
Serv
ice c
ompr
omise
d pr
obab
ility
m = 15
m = 17
m = 19
m contest intensity
Figure 6 Convergence test on 119898 lt 1 group for 50000 simulations
075076077078079
08081082
1000
6000
1100
016
000
2100
026
000
3100
036
000
4100
046
000
5100
056
000
6100
066
000
7100
076
000
8100
086
000
9100
096
000
Evaluation times
Serv
ice c
ompr
omise
d pr
obab
ility
m = 01
m = 03
m = 05
m contest intensity
Figure 7 Convergence test on 119898 gt 1 group for 50000 simulations
advantageous to have higher values of contest intensityAlternatively less aggressive attackers have leverage whenthe value of contest intensity is small However for averageattacks there is no clear tendency
The value of contest intensity is separated into high-valueand low-value groups Here Figure 12 illustrates the variationof service compromised probability in low-level contestintensity groups when facing less aggressive attackers Whilein Figure 12 the objective function value presents a lineardecreasing form Figure 13 demonstrates an exponentiallydecreasing from
Figures 14 and 15 also present a similar phenomenonwhen facing aggressive attackers the variation of servicecompromised probability shows an exponentially increasingtrend for contest intensity belonging to the low-level groupFor the high-level group the tendency is more linear
According to the previous results the key factors influ-encing service compromised probability include contestintensity and attack aggressivenessThese results are summa-rized in Figure 16
Journal of Applied Mathematics 9
075076077078079
08081082083
1000
6000
1100
016
000
2100
026
000
3100
036
000
4100
046
000
5100
056
000
6100
066
000
7100
076
000
8100
086
000
9100
096
000
Evaluation times
Serv
ice c
ompr
omise
d pr
obab
ility
m = 15
m = 17
m = 19
m contest intensity
Figure 8 Convergence test on119898 lt 1 group for 100000 simulations
076
077
078
079
08
081
082
Serv
ice c
ompr
omise
d pr
obab
ility
m = 15
m = 17
m = 19
m = 01
m = 03
m = 05
Aggressiveness = 01sim09
m contest intensity
Figure 9 Convergence test on 119898 gt 1 group for 100000 simula-tions
4 Discussion of Results
Based on the simulation results some interesting and mean-ingful arguments are presented in this section
41 The Effectiveness of Resources Invested by the Defenderand Attackers Is Highly Dependent on the Nature of BattleThe objective function value shown in Figure 12 presents alinear decreasing form when the contest intensity belongsto a low-level group and the defender is dealing with lessaggressive attackers The reason is that the effectiveness ofresources invested by both players is insignificant Thus theservice compromised probability is less sensitive with contestintensity under ldquofight to win or dierdquo circumstances
Furthermore less aggressive attackers only invest fewresources into compromising a target With the same totalbudget they are capable of launching more attacks thanaggressive attackers Therefore the service compromisedprobability of less aggressive attackers is much higher thanmore aggressive attackers
00102030405
06
07
0809
1
Contest intensity m
Serv
ice c
ompr
omise
d pr
obab
ility
m = 15 m = 17 m = 19m = 01 m = 03 m = 05
Aggressiveness = 01sim09Aggressiveness = 05sim09Aggressiveness = 01sim05
Figure 10 Service compromised probability under different contestintensity
075076077078079
08081082083084085086087
m = 01
m = 03
m = 05
Aggressiveness = 01sim05
Serv
ice c
ompr
omise
d pr
obab
ility
m contest intensity
Figure 11 Effect of Aggressiveness among Different Contest Inten-sity
In the case of ldquowinner takes allrdquo Figure 13 illustrates anexponentially decreasing trend among service compromisedprobability this is because the effectiveness of resourcesinvested is significant to the result of a battle With a largervalue of contest intensity the vantage of a defender againstless aggressive attackers is more obvious
On the contrary for aggressive attackers there is anexponentially increasing tendency under ldquofight to win ordierdquo circumstances Since the contest intensity serves asthe exponent of the Contest Success Function when thevalue increases the effectiveness of resources invested growsexponentially This is further shown in Figure 14
Nevertheless the exponential tendency does not appearthrough all values of contest intensity For the ldquowinner takesallrdquo circumstance in Figure 15 the increasing rate of service
10 Journal of Applied Mathematics
063064065066067068069
07071072073074075
m = 15
m = 17
m = 19
Aggressiveness = 01sim05
Serv
ice c
ompr
omise
d pr
obab
ility
m contest intensity
Figure 12 Service compromised probability of less aggressive at-tacker under 119898 lt 1 circumstance
0
01
02
03
04
05
06
07
m = 01
m = 03
m = 05
Aggressiveness = 05sim09
Serv
ice c
ompr
omise
d pr
obab
ility
m contest intensity
Figure 13 Service compromised probability of less aggressive at-tacker under 119898 gt 1 circumstance
085
086
087
088
089
09
m = 15
m = 17
m = 19
Aggressiveness = 05sim09
Serv
ice c
ompr
omise
d pr
obab
ility
m contest intensity
Figure 14 Service compromised probability of aggressive attackerunder 119898 lt 1 circumstance
0
02
04
06
08
1
Prob
abili
ty
Contest intensity mm = 15 m = 17 m = 19
m = 01 m = 03 m = 05
Aggressiveness = 01sim05Aggressiveness = 05sim09
Figure 15 Service compromised probability of aggressive attackerunder 119898 gt 1 circumstance
0
02
04
06
08
1
Prob
abili
ty
Contest intensity mm = 15 m = 17 m = 19
m = 01 m = 03 m = 05
Aggressiveness = 01sim05Aggressiveness = 05sim09
Figure 16 Comparison of service compromised probability underdiverse contest intensity and aggressiveness
compromised probability slows down when contest intensitybecomes higherThis is because although aggressive attackersprefer to gain an edge by spending more attack resourcesto compromise a target each compromise costs significantresources Thus aggressive attackers run out of budget veryquickly and the increasing trend is not exponential
42 Proactive Defense Is Advantageous under ldquoWinner TakesAllrdquo Circumstance According to previous discussions theeffectiveness of resources invested is significant under ldquowin-ner takes allrdquo circumstances For less aggressive attackers theperformance is poor since they only invest few resources onan attack Aggressive attackers tend to spend a larger quantityto compromise a target If a defender raises the quantity ofdefense resources on important nodes it effectively weakensattackers
Consequently regardless of whether defenders face eitheraggressive or less aggressive attackers a proactive defenseperforms better in deterring attackers
43 Reactive Defense Is Advantageous under ldquoFight to Winor Dierdquo Circumstance Similarly under the ldquofight to win
Journal of Applied Mathematics 11
or dierdquo circumstance the effectiveness of defense resourcesis insignificant No matter how many proactive defenseresources are invested there is only limited influence onthe objective function value In other words less aggressiveattackers can compromise a target even by only investingscarce attack resources For aggressive attackers since theyprefer spending a large quantity of resources on compromis-ing a victim they easily run out of resources before a targetservice is compromised
Based on this analysis it is advantageous for the defenderto apply reactive defense mechanisms against maliciousattackers under ldquofight to win or dierdquo circumstance
5 Conclusions
This paper models an attack and defense scenario thatinvolves high amounts of randomness as mathematical for-mulations where attackers are assumed to have incompleteinformation It further considers a virtualization environ-ment for helping relate these results to recent trends in cloudcomputing
According to the simulation results the outcome of acontest is influenced not only by the quantity of defenseresources invested on each node but also by the contestintensity An attackerrsquos aggressiveness is introduced as a newdimension and meaningful results are discovered Effectivedefense strategies are proposed in the discussion of theresults
For future works collaborative attacks should be takeninto consideration since the attack strategy discussed in thispaper is for individual attacks In other words there is onlyone attack targeting a victimrsquos network at a time Thus nosynergy is considered A more complicated collaborativeattack pattern is worth further study
Acknowledgment
This work was supported by the National Science CouncilTaiwan (Grant nos NSC 102-2221-E-002-104 and NSC 101-2218-E-011-009)
References
[1] IBM Internet Security Systems X-Force research and devel-opment team ldquoIBM X-Force 2010 Mid-Year Trend and RiskReportrdquo IBM August 2010
[2] R J Ellison D A Fisher R C Linger H F Lipson T Longstaffand N R Mead ldquoSurvivable network systems an emergingdisciplinerdquo Tech Rep CMUSEI-97-TR-013 1997
[3] S Roy C Ellis S Shiva D Dasgupta V Shandilya and Q WuldquoA survey of game theory as applied to network securityrdquo inProceedings of the 43rd Annual Hawaii International Conferenceon System Sciences (HICSS rsquo10) January 2010
[4] M N Lima A L D Santos and G Pujolle ldquoA survey of sur-vivability in mobile Ad hoc Networksrdquo IEEE CommunicationsSurveys and Tutorials vol 11 no 1 pp 66ndash77 2009
[5] Z Ma ldquoTowards a unified definition for reliability survivabilityand resilience (I) the conceptual framework inspired by thehandicap principle and ecological stabilityrdquo in Proceedings of theIEEE Aerospace Conference pp 1ndash12 March 2010
[6] F Xing and W Wang ldquoOn the survivability of wireless adHOC networks with node misbehaviors and failuresrdquo IEEETransactions on Dependable and Secure Computing vol 7 no3 pp 284ndash299 2010
[7] S Skaperdas ldquoContest success functionsrdquo EconomicTheory vol7 no 2 pp 283ndash290 1996
[8] G Levitin and K Hausken ldquoFalse targets efficiency in defensestrategyrdquo European Journal of Operational Research vol 194 no1 pp 155ndash162 2009
[9] K Hausken and G Levitin ldquoProtection vs false targets in seriessystemsrdquo Reliability Engineering and System Safety vol 94 no5 pp 973ndash981 2009
[10] G Levitin and K Hausken ldquoPreventive strike vs false targetsand protection in defense strategyrdquo Reliability Engineering andSystem Safety vol 96 no 8 pp 912ndash924 2011
[11] J Hirshleifer ldquoConflict and rent-seeking success functions ratiovs difference models of relative successrdquo Public Choice vol 63no 2 pp 101ndash112 1989
[12] J Hirshleifer ldquoThe paradox of powerrdquo Economics and Politicsvol 3 pp 177ndash200 1993
[13] J Archer A Boehme D Cullinane P Kurtz N Puhlmannand J Reavis ldquoTop Threats to Cloud Computing V 10rdquo CloudSecurity Alliance March 2010
[14] H Debar F Pouget and M Dacier ldquoWhite paper lsquoHoney-pot Honeynet Honeytoken Terminological issuesrsquordquo InstitutEurecom Research Report RR-03-081 2003
[15] B Cheswick ldquoAn evening with berferd in which a cracker islured endured and studiedrdquo in Proceedings of the USENIXConference pp 163ndash174 USENIX 1992
[16] C Seifert I Welch and P Komisarczuk ldquoTaxonomy of honey-potsrdquo Tech Rep CS-TR-0612 2006
[17] M H y Lopez and C F L Resendez ldquoHoneypots basicconcepts classification and educational use as resources ininformation security education and coursesrdquo in Proceedings ofthe Informing Science and IT Education Conference 2008
[18] Y Huang D Arsenault and A Sood ldquoClosing cluster attackwindows through server redundancy and rotationsrdquo in Pro-ceedings of the 6th IEEE International Symposium on ClusterComputing and the Grid (CCGRID rsquo06) May 2006
[19] YHuang D Arsenault andA Sood ldquoIncorruptible self-cleans-ing intrusion tolerance and its application to DNS securityrdquoJournal of Networks vol 1 no 5 pp 21ndash30 2006
[20] M Smith C Schridde and B Freisleben ldquoSecuring stateful gridservers through virtual server rotationrdquo in Proceedings of the17th International Symposium on High Performance DistributedComputing (HPDC rsquo08) pp 11ndash22 June 2008
[21] F Y-S Lin Y-S Wang and P-H Tsang ldquoEfficient defensestrategies to minimize attackersrsquo success probabilities in hon-eynetrdquo in Proceedings of the 6th International Conference onInformation Assurance and Security (IAS rsquo10) pp 80ndash85 August2010
[22] F Y-S Lin Y-S Wang P-H Tsang and J-P Lo ldquoRedundancyand defense resource allocation algorithms to assure servicecontinuity against natural disasters and intelligent attacksrdquo inProceedings of the 5th International Conference on BroadbandWireless Computing Communication andApplications (BWCCArsquo10) pp 206ndash213 November 2010
[23] F Cohen ldquoManaging network security attack and defencestrategiesrdquo Network Security vol 1999 no 7 pp 7ndash11 1999
[24] S Nagaraja and R Anderson ldquoDynamic topologies for robustscale-free networksrdquo Bio-Inspired Computing and Communica-tion vol 5151 pp 411ndash426 2008
Submit your manuscripts athttpwwwhindawicom
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Mathematical Problems in Engineering
Hindawi Publishing Corporationhttpwwwhindawicom
Differential EquationsInternational Journal of
Volume 2014
Applied MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Probability and StatisticsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Mathematical PhysicsAdvances in
Complex AnalysisJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
OptimizationJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
CombinatoricsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Operations ResearchAdvances in
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Function Spaces
Abstract and Applied AnalysisHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of Mathematics and Mathematical Sciences
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Algebra
Discrete Dynamics in Nature and Society
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Decision SciencesAdvances in
Discrete MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom
Volume 2014 Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Stochastic AnalysisInternational Journal of
8 Journal of Applied Mathematics
078
079
08
081
082
083
084
1000 2000 3000 4000 5000 6000 7000 8000 9000 10000
Evaluation times
Serv
ice c
ompr
omise
d pr
obab
ility
m = 15
m = 17
m = 19
m contest intensity
Figure 4 Convergence test on 119898 lt 1 group for 10000 simulations
075076077078079
08081082083084
1000
4000
7000
1000
013
000
1600
019
000
2200
025
000
2800
031
000
3400
037
000
4000
043
000
4600
049
000
Evaluation times
Serv
ice c
ompr
omise
d pr
obab
ility
m = 01
m = 03
m = 05
m contest intensity
Figure 5 Convergence test on 119898 gt 1 group for 10000 simulations
shown in Figures 8 and 9 there is a stable trend after 60000among all different values of contest intensity
From Figures 4 to 9 it is clear that the 60000 simulationsare a large enough number to give converging results amongall values of contest intensityTherefore 119872 is set to be 60000
322 Analysis of Key Factors Influencing Service CompromisedProbability Contest intensity has great influence on thenature of network attack and defense However as shown inFigure 10 there is no consistent tendency between contestintensity and service compromised probability The sameconclusions also appear in [8ndash10]
If the effects of contest intensity and attackerrsquos aggressive-ness are jointly considered there are some meaningful andexplainable results
In Figure 11 three value intervals of aggressivenessincluding 01 to 09 (average) 01 to 05 (less aggressive) and05 to 09 (aggressive) are simulated among different values ofcontest intensity It is clear that when both the effect of contestintensity and an attackrsquos aggressiveness are considered thereare consistent trends For aggressive attackers it is more
078
079
08
081
082
083
084
1000
4000
7000
1000
013
000
1600
019
000
2200
025
000
2800
031
000
3400
037
000
4000
043
000
4600
049
000
Evaluation times
Serv
ice c
ompr
omise
d pr
obab
ility
m = 15
m = 17
m = 19
m contest intensity
Figure 6 Convergence test on 119898 lt 1 group for 50000 simulations
075076077078079
08081082
1000
6000
1100
016
000
2100
026
000
3100
036
000
4100
046
000
5100
056
000
6100
066
000
7100
076
000
8100
086
000
9100
096
000
Evaluation times
Serv
ice c
ompr
omise
d pr
obab
ility
m = 01
m = 03
m = 05
m contest intensity
Figure 7 Convergence test on 119898 gt 1 group for 50000 simulations
advantageous to have higher values of contest intensityAlternatively less aggressive attackers have leverage whenthe value of contest intensity is small However for averageattacks there is no clear tendency
The value of contest intensity is separated into high-valueand low-value groups Here Figure 12 illustrates the variationof service compromised probability in low-level contestintensity groups when facing less aggressive attackers Whilein Figure 12 the objective function value presents a lineardecreasing form Figure 13 demonstrates an exponentiallydecreasing from
Figures 14 and 15 also present a similar phenomenonwhen facing aggressive attackers the variation of servicecompromised probability shows an exponentially increasingtrend for contest intensity belonging to the low-level groupFor the high-level group the tendency is more linear
According to the previous results the key factors influ-encing service compromised probability include contestintensity and attack aggressivenessThese results are summa-rized in Figure 16
Journal of Applied Mathematics 9
075076077078079
08081082083
1000
6000
1100
016
000
2100
026
000
3100
036
000
4100
046
000
5100
056
000
6100
066
000
7100
076
000
8100
086
000
9100
096
000
Evaluation times
Serv
ice c
ompr
omise
d pr
obab
ility
m = 15
m = 17
m = 19
m contest intensity
Figure 8 Convergence test on119898 lt 1 group for 100000 simulations
076
077
078
079
08
081
082
Serv
ice c
ompr
omise
d pr
obab
ility
m = 15
m = 17
m = 19
m = 01
m = 03
m = 05
Aggressiveness = 01sim09
m contest intensity
Figure 9 Convergence test on 119898 gt 1 group for 100000 simula-tions
4 Discussion of Results
Based on the simulation results some interesting and mean-ingful arguments are presented in this section
41 The Effectiveness of Resources Invested by the Defenderand Attackers Is Highly Dependent on the Nature of BattleThe objective function value shown in Figure 12 presents alinear decreasing form when the contest intensity belongsto a low-level group and the defender is dealing with lessaggressive attackers The reason is that the effectiveness ofresources invested by both players is insignificant Thus theservice compromised probability is less sensitive with contestintensity under ldquofight to win or dierdquo circumstances
Furthermore less aggressive attackers only invest fewresources into compromising a target With the same totalbudget they are capable of launching more attacks thanaggressive attackers Therefore the service compromisedprobability of less aggressive attackers is much higher thanmore aggressive attackers
00102030405
06
07
0809
1
Contest intensity m
Serv
ice c
ompr
omise
d pr
obab
ility
m = 15 m = 17 m = 19m = 01 m = 03 m = 05
Aggressiveness = 01sim09Aggressiveness = 05sim09Aggressiveness = 01sim05
Figure 10 Service compromised probability under different contestintensity
075076077078079
08081082083084085086087
m = 01
m = 03
m = 05
Aggressiveness = 01sim05
Serv
ice c
ompr
omise
d pr
obab
ility
m contest intensity
Figure 11 Effect of Aggressiveness among Different Contest Inten-sity
In the case of ldquowinner takes allrdquo Figure 13 illustrates anexponentially decreasing trend among service compromisedprobability this is because the effectiveness of resourcesinvested is significant to the result of a battle With a largervalue of contest intensity the vantage of a defender againstless aggressive attackers is more obvious
On the contrary for aggressive attackers there is anexponentially increasing tendency under ldquofight to win ordierdquo circumstances Since the contest intensity serves asthe exponent of the Contest Success Function when thevalue increases the effectiveness of resources invested growsexponentially This is further shown in Figure 14
Nevertheless the exponential tendency does not appearthrough all values of contest intensity For the ldquowinner takesallrdquo circumstance in Figure 15 the increasing rate of service
10 Journal of Applied Mathematics
063064065066067068069
07071072073074075
m = 15
m = 17
m = 19
Aggressiveness = 01sim05
Serv
ice c
ompr
omise
d pr
obab
ility
m contest intensity
Figure 12 Service compromised probability of less aggressive at-tacker under 119898 lt 1 circumstance
0
01
02
03
04
05
06
07
m = 01
m = 03
m = 05
Aggressiveness = 05sim09
Serv
ice c
ompr
omise
d pr
obab
ility
m contest intensity
Figure 13 Service compromised probability of less aggressive at-tacker under 119898 gt 1 circumstance
085
086
087
088
089
09
m = 15
m = 17
m = 19
Aggressiveness = 05sim09
Serv
ice c
ompr
omise
d pr
obab
ility
m contest intensity
Figure 14 Service compromised probability of aggressive attackerunder 119898 lt 1 circumstance
0
02
04
06
08
1
Prob
abili
ty
Contest intensity mm = 15 m = 17 m = 19
m = 01 m = 03 m = 05
Aggressiveness = 01sim05Aggressiveness = 05sim09
Figure 15 Service compromised probability of aggressive attackerunder 119898 gt 1 circumstance
0
02
04
06
08
1
Prob
abili
ty
Contest intensity mm = 15 m = 17 m = 19
m = 01 m = 03 m = 05
Aggressiveness = 01sim05Aggressiveness = 05sim09
Figure 16 Comparison of service compromised probability underdiverse contest intensity and aggressiveness
compromised probability slows down when contest intensitybecomes higherThis is because although aggressive attackersprefer to gain an edge by spending more attack resourcesto compromise a target each compromise costs significantresources Thus aggressive attackers run out of budget veryquickly and the increasing trend is not exponential
42 Proactive Defense Is Advantageous under ldquoWinner TakesAllrdquo Circumstance According to previous discussions theeffectiveness of resources invested is significant under ldquowin-ner takes allrdquo circumstances For less aggressive attackers theperformance is poor since they only invest few resources onan attack Aggressive attackers tend to spend a larger quantityto compromise a target If a defender raises the quantity ofdefense resources on important nodes it effectively weakensattackers
Consequently regardless of whether defenders face eitheraggressive or less aggressive attackers a proactive defenseperforms better in deterring attackers
43 Reactive Defense Is Advantageous under ldquoFight to Winor Dierdquo Circumstance Similarly under the ldquofight to win
Journal of Applied Mathematics 11
or dierdquo circumstance the effectiveness of defense resourcesis insignificant No matter how many proactive defenseresources are invested there is only limited influence onthe objective function value In other words less aggressiveattackers can compromise a target even by only investingscarce attack resources For aggressive attackers since theyprefer spending a large quantity of resources on compromis-ing a victim they easily run out of resources before a targetservice is compromised
Based on this analysis it is advantageous for the defenderto apply reactive defense mechanisms against maliciousattackers under ldquofight to win or dierdquo circumstance
5 Conclusions
This paper models an attack and defense scenario thatinvolves high amounts of randomness as mathematical for-mulations where attackers are assumed to have incompleteinformation It further considers a virtualization environ-ment for helping relate these results to recent trends in cloudcomputing
According to the simulation results the outcome of acontest is influenced not only by the quantity of defenseresources invested on each node but also by the contestintensity An attackerrsquos aggressiveness is introduced as a newdimension and meaningful results are discovered Effectivedefense strategies are proposed in the discussion of theresults
For future works collaborative attacks should be takeninto consideration since the attack strategy discussed in thispaper is for individual attacks In other words there is onlyone attack targeting a victimrsquos network at a time Thus nosynergy is considered A more complicated collaborativeattack pattern is worth further study
Acknowledgment
This work was supported by the National Science CouncilTaiwan (Grant nos NSC 102-2221-E-002-104 and NSC 101-2218-E-011-009)
References
[1] IBM Internet Security Systems X-Force research and devel-opment team ldquoIBM X-Force 2010 Mid-Year Trend and RiskReportrdquo IBM August 2010
[2] R J Ellison D A Fisher R C Linger H F Lipson T Longstaffand N R Mead ldquoSurvivable network systems an emergingdisciplinerdquo Tech Rep CMUSEI-97-TR-013 1997
[3] S Roy C Ellis S Shiva D Dasgupta V Shandilya and Q WuldquoA survey of game theory as applied to network securityrdquo inProceedings of the 43rd Annual Hawaii International Conferenceon System Sciences (HICSS rsquo10) January 2010
[4] M N Lima A L D Santos and G Pujolle ldquoA survey of sur-vivability in mobile Ad hoc Networksrdquo IEEE CommunicationsSurveys and Tutorials vol 11 no 1 pp 66ndash77 2009
[5] Z Ma ldquoTowards a unified definition for reliability survivabilityand resilience (I) the conceptual framework inspired by thehandicap principle and ecological stabilityrdquo in Proceedings of theIEEE Aerospace Conference pp 1ndash12 March 2010
[6] F Xing and W Wang ldquoOn the survivability of wireless adHOC networks with node misbehaviors and failuresrdquo IEEETransactions on Dependable and Secure Computing vol 7 no3 pp 284ndash299 2010
[7] S Skaperdas ldquoContest success functionsrdquo EconomicTheory vol7 no 2 pp 283ndash290 1996
[8] G Levitin and K Hausken ldquoFalse targets efficiency in defensestrategyrdquo European Journal of Operational Research vol 194 no1 pp 155ndash162 2009
[9] K Hausken and G Levitin ldquoProtection vs false targets in seriessystemsrdquo Reliability Engineering and System Safety vol 94 no5 pp 973ndash981 2009
[10] G Levitin and K Hausken ldquoPreventive strike vs false targetsand protection in defense strategyrdquo Reliability Engineering andSystem Safety vol 96 no 8 pp 912ndash924 2011
[11] J Hirshleifer ldquoConflict and rent-seeking success functions ratiovs difference models of relative successrdquo Public Choice vol 63no 2 pp 101ndash112 1989
[12] J Hirshleifer ldquoThe paradox of powerrdquo Economics and Politicsvol 3 pp 177ndash200 1993
[13] J Archer A Boehme D Cullinane P Kurtz N Puhlmannand J Reavis ldquoTop Threats to Cloud Computing V 10rdquo CloudSecurity Alliance March 2010
[14] H Debar F Pouget and M Dacier ldquoWhite paper lsquoHoney-pot Honeynet Honeytoken Terminological issuesrsquordquo InstitutEurecom Research Report RR-03-081 2003
[15] B Cheswick ldquoAn evening with berferd in which a cracker islured endured and studiedrdquo in Proceedings of the USENIXConference pp 163ndash174 USENIX 1992
[16] C Seifert I Welch and P Komisarczuk ldquoTaxonomy of honey-potsrdquo Tech Rep CS-TR-0612 2006
[17] M H y Lopez and C F L Resendez ldquoHoneypots basicconcepts classification and educational use as resources ininformation security education and coursesrdquo in Proceedings ofthe Informing Science and IT Education Conference 2008
[18] Y Huang D Arsenault and A Sood ldquoClosing cluster attackwindows through server redundancy and rotationsrdquo in Pro-ceedings of the 6th IEEE International Symposium on ClusterComputing and the Grid (CCGRID rsquo06) May 2006
[19] YHuang D Arsenault andA Sood ldquoIncorruptible self-cleans-ing intrusion tolerance and its application to DNS securityrdquoJournal of Networks vol 1 no 5 pp 21ndash30 2006
[20] M Smith C Schridde and B Freisleben ldquoSecuring stateful gridservers through virtual server rotationrdquo in Proceedings of the17th International Symposium on High Performance DistributedComputing (HPDC rsquo08) pp 11ndash22 June 2008
[21] F Y-S Lin Y-S Wang and P-H Tsang ldquoEfficient defensestrategies to minimize attackersrsquo success probabilities in hon-eynetrdquo in Proceedings of the 6th International Conference onInformation Assurance and Security (IAS rsquo10) pp 80ndash85 August2010
[22] F Y-S Lin Y-S Wang P-H Tsang and J-P Lo ldquoRedundancyand defense resource allocation algorithms to assure servicecontinuity against natural disasters and intelligent attacksrdquo inProceedings of the 5th International Conference on BroadbandWireless Computing Communication andApplications (BWCCArsquo10) pp 206ndash213 November 2010
[23] F Cohen ldquoManaging network security attack and defencestrategiesrdquo Network Security vol 1999 no 7 pp 7ndash11 1999
[24] S Nagaraja and R Anderson ldquoDynamic topologies for robustscale-free networksrdquo Bio-Inspired Computing and Communica-tion vol 5151 pp 411ndash426 2008
Submit your manuscripts athttpwwwhindawicom
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Mathematical Problems in Engineering
Hindawi Publishing Corporationhttpwwwhindawicom
Differential EquationsInternational Journal of
Volume 2014
Applied MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Probability and StatisticsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Mathematical PhysicsAdvances in
Complex AnalysisJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
OptimizationJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
CombinatoricsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Operations ResearchAdvances in
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Function Spaces
Abstract and Applied AnalysisHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of Mathematics and Mathematical Sciences
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Algebra
Discrete Dynamics in Nature and Society
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Decision SciencesAdvances in
Discrete MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom
Volume 2014 Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Stochastic AnalysisInternational Journal of
Journal of Applied Mathematics 9
075076077078079
08081082083
1000
6000
1100
016
000
2100
026
000
3100
036
000
4100
046
000
5100
056
000
6100
066
000
7100
076
000
8100
086
000
9100
096
000
Evaluation times
Serv
ice c
ompr
omise
d pr
obab
ility
m = 15
m = 17
m = 19
m contest intensity
Figure 8 Convergence test on119898 lt 1 group for 100000 simulations
076
077
078
079
08
081
082
Serv
ice c
ompr
omise
d pr
obab
ility
m = 15
m = 17
m = 19
m = 01
m = 03
m = 05
Aggressiveness = 01sim09
m contest intensity
Figure 9 Convergence test on 119898 gt 1 group for 100000 simula-tions
4 Discussion of Results
Based on the simulation results some interesting and mean-ingful arguments are presented in this section
41 The Effectiveness of Resources Invested by the Defenderand Attackers Is Highly Dependent on the Nature of BattleThe objective function value shown in Figure 12 presents alinear decreasing form when the contest intensity belongsto a low-level group and the defender is dealing with lessaggressive attackers The reason is that the effectiveness ofresources invested by both players is insignificant Thus theservice compromised probability is less sensitive with contestintensity under ldquofight to win or dierdquo circumstances
Furthermore less aggressive attackers only invest fewresources into compromising a target With the same totalbudget they are capable of launching more attacks thanaggressive attackers Therefore the service compromisedprobability of less aggressive attackers is much higher thanmore aggressive attackers
00102030405
06
07
0809
1
Contest intensity m
Serv
ice c
ompr
omise
d pr
obab
ility
m = 15 m = 17 m = 19m = 01 m = 03 m = 05
Aggressiveness = 01sim09Aggressiveness = 05sim09Aggressiveness = 01sim05
Figure 10 Service compromised probability under different contestintensity
075076077078079
08081082083084085086087
m = 01
m = 03
m = 05
Aggressiveness = 01sim05
Serv
ice c
ompr
omise
d pr
obab
ility
m contest intensity
Figure 11 Effect of Aggressiveness among Different Contest Inten-sity
In the case of ldquowinner takes allrdquo Figure 13 illustrates anexponentially decreasing trend among service compromisedprobability this is because the effectiveness of resourcesinvested is significant to the result of a battle With a largervalue of contest intensity the vantage of a defender againstless aggressive attackers is more obvious
On the contrary for aggressive attackers there is anexponentially increasing tendency under ldquofight to win ordierdquo circumstances Since the contest intensity serves asthe exponent of the Contest Success Function when thevalue increases the effectiveness of resources invested growsexponentially This is further shown in Figure 14
Nevertheless the exponential tendency does not appearthrough all values of contest intensity For the ldquowinner takesallrdquo circumstance in Figure 15 the increasing rate of service
10 Journal of Applied Mathematics
063064065066067068069
07071072073074075
m = 15
m = 17
m = 19
Aggressiveness = 01sim05
Serv
ice c
ompr
omise
d pr
obab
ility
m contest intensity
Figure 12 Service compromised probability of less aggressive at-tacker under 119898 lt 1 circumstance
0
01
02
03
04
05
06
07
m = 01
m = 03
m = 05
Aggressiveness = 05sim09
Serv
ice c
ompr
omise
d pr
obab
ility
m contest intensity
Figure 13 Service compromised probability of less aggressive at-tacker under 119898 gt 1 circumstance
085
086
087
088
089
09
m = 15
m = 17
m = 19
Aggressiveness = 05sim09
Serv
ice c
ompr
omise
d pr
obab
ility
m contest intensity
Figure 14 Service compromised probability of aggressive attackerunder 119898 lt 1 circumstance
0
02
04
06
08
1
Prob
abili
ty
Contest intensity mm = 15 m = 17 m = 19
m = 01 m = 03 m = 05
Aggressiveness = 01sim05Aggressiveness = 05sim09
Figure 15 Service compromised probability of aggressive attackerunder 119898 gt 1 circumstance
0
02
04
06
08
1
Prob
abili
ty
Contest intensity mm = 15 m = 17 m = 19
m = 01 m = 03 m = 05
Aggressiveness = 01sim05Aggressiveness = 05sim09
Figure 16 Comparison of service compromised probability underdiverse contest intensity and aggressiveness
compromised probability slows down when contest intensitybecomes higherThis is because although aggressive attackersprefer to gain an edge by spending more attack resourcesto compromise a target each compromise costs significantresources Thus aggressive attackers run out of budget veryquickly and the increasing trend is not exponential
42 Proactive Defense Is Advantageous under ldquoWinner TakesAllrdquo Circumstance According to previous discussions theeffectiveness of resources invested is significant under ldquowin-ner takes allrdquo circumstances For less aggressive attackers theperformance is poor since they only invest few resources onan attack Aggressive attackers tend to spend a larger quantityto compromise a target If a defender raises the quantity ofdefense resources on important nodes it effectively weakensattackers
Consequently regardless of whether defenders face eitheraggressive or less aggressive attackers a proactive defenseperforms better in deterring attackers
43 Reactive Defense Is Advantageous under ldquoFight to Winor Dierdquo Circumstance Similarly under the ldquofight to win
Journal of Applied Mathematics 11
or dierdquo circumstance the effectiveness of defense resourcesis insignificant No matter how many proactive defenseresources are invested there is only limited influence onthe objective function value In other words less aggressiveattackers can compromise a target even by only investingscarce attack resources For aggressive attackers since theyprefer spending a large quantity of resources on compromis-ing a victim they easily run out of resources before a targetservice is compromised
Based on this analysis it is advantageous for the defenderto apply reactive defense mechanisms against maliciousattackers under ldquofight to win or dierdquo circumstance
5 Conclusions
This paper models an attack and defense scenario thatinvolves high amounts of randomness as mathematical for-mulations where attackers are assumed to have incompleteinformation It further considers a virtualization environ-ment for helping relate these results to recent trends in cloudcomputing
According to the simulation results the outcome of acontest is influenced not only by the quantity of defenseresources invested on each node but also by the contestintensity An attackerrsquos aggressiveness is introduced as a newdimension and meaningful results are discovered Effectivedefense strategies are proposed in the discussion of theresults
For future works collaborative attacks should be takeninto consideration since the attack strategy discussed in thispaper is for individual attacks In other words there is onlyone attack targeting a victimrsquos network at a time Thus nosynergy is considered A more complicated collaborativeattack pattern is worth further study
Acknowledgment
This work was supported by the National Science CouncilTaiwan (Grant nos NSC 102-2221-E-002-104 and NSC 101-2218-E-011-009)
References
[1] IBM Internet Security Systems X-Force research and devel-opment team ldquoIBM X-Force 2010 Mid-Year Trend and RiskReportrdquo IBM August 2010
[2] R J Ellison D A Fisher R C Linger H F Lipson T Longstaffand N R Mead ldquoSurvivable network systems an emergingdisciplinerdquo Tech Rep CMUSEI-97-TR-013 1997
[3] S Roy C Ellis S Shiva D Dasgupta V Shandilya and Q WuldquoA survey of game theory as applied to network securityrdquo inProceedings of the 43rd Annual Hawaii International Conferenceon System Sciences (HICSS rsquo10) January 2010
[4] M N Lima A L D Santos and G Pujolle ldquoA survey of sur-vivability in mobile Ad hoc Networksrdquo IEEE CommunicationsSurveys and Tutorials vol 11 no 1 pp 66ndash77 2009
[5] Z Ma ldquoTowards a unified definition for reliability survivabilityand resilience (I) the conceptual framework inspired by thehandicap principle and ecological stabilityrdquo in Proceedings of theIEEE Aerospace Conference pp 1ndash12 March 2010
[6] F Xing and W Wang ldquoOn the survivability of wireless adHOC networks with node misbehaviors and failuresrdquo IEEETransactions on Dependable and Secure Computing vol 7 no3 pp 284ndash299 2010
[7] S Skaperdas ldquoContest success functionsrdquo EconomicTheory vol7 no 2 pp 283ndash290 1996
[8] G Levitin and K Hausken ldquoFalse targets efficiency in defensestrategyrdquo European Journal of Operational Research vol 194 no1 pp 155ndash162 2009
[9] K Hausken and G Levitin ldquoProtection vs false targets in seriessystemsrdquo Reliability Engineering and System Safety vol 94 no5 pp 973ndash981 2009
[10] G Levitin and K Hausken ldquoPreventive strike vs false targetsand protection in defense strategyrdquo Reliability Engineering andSystem Safety vol 96 no 8 pp 912ndash924 2011
[11] J Hirshleifer ldquoConflict and rent-seeking success functions ratiovs difference models of relative successrdquo Public Choice vol 63no 2 pp 101ndash112 1989
[12] J Hirshleifer ldquoThe paradox of powerrdquo Economics and Politicsvol 3 pp 177ndash200 1993
[13] J Archer A Boehme D Cullinane P Kurtz N Puhlmannand J Reavis ldquoTop Threats to Cloud Computing V 10rdquo CloudSecurity Alliance March 2010
[14] H Debar F Pouget and M Dacier ldquoWhite paper lsquoHoney-pot Honeynet Honeytoken Terminological issuesrsquordquo InstitutEurecom Research Report RR-03-081 2003
[15] B Cheswick ldquoAn evening with berferd in which a cracker islured endured and studiedrdquo in Proceedings of the USENIXConference pp 163ndash174 USENIX 1992
[16] C Seifert I Welch and P Komisarczuk ldquoTaxonomy of honey-potsrdquo Tech Rep CS-TR-0612 2006
[17] M H y Lopez and C F L Resendez ldquoHoneypots basicconcepts classification and educational use as resources ininformation security education and coursesrdquo in Proceedings ofthe Informing Science and IT Education Conference 2008
[18] Y Huang D Arsenault and A Sood ldquoClosing cluster attackwindows through server redundancy and rotationsrdquo in Pro-ceedings of the 6th IEEE International Symposium on ClusterComputing and the Grid (CCGRID rsquo06) May 2006
[19] YHuang D Arsenault andA Sood ldquoIncorruptible self-cleans-ing intrusion tolerance and its application to DNS securityrdquoJournal of Networks vol 1 no 5 pp 21ndash30 2006
[20] M Smith C Schridde and B Freisleben ldquoSecuring stateful gridservers through virtual server rotationrdquo in Proceedings of the17th International Symposium on High Performance DistributedComputing (HPDC rsquo08) pp 11ndash22 June 2008
[21] F Y-S Lin Y-S Wang and P-H Tsang ldquoEfficient defensestrategies to minimize attackersrsquo success probabilities in hon-eynetrdquo in Proceedings of the 6th International Conference onInformation Assurance and Security (IAS rsquo10) pp 80ndash85 August2010
[22] F Y-S Lin Y-S Wang P-H Tsang and J-P Lo ldquoRedundancyand defense resource allocation algorithms to assure servicecontinuity against natural disasters and intelligent attacksrdquo inProceedings of the 5th International Conference on BroadbandWireless Computing Communication andApplications (BWCCArsquo10) pp 206ndash213 November 2010
[23] F Cohen ldquoManaging network security attack and defencestrategiesrdquo Network Security vol 1999 no 7 pp 7ndash11 1999
[24] S Nagaraja and R Anderson ldquoDynamic topologies for robustscale-free networksrdquo Bio-Inspired Computing and Communica-tion vol 5151 pp 411ndash426 2008
Submit your manuscripts athttpwwwhindawicom
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Mathematical Problems in Engineering
Hindawi Publishing Corporationhttpwwwhindawicom
Differential EquationsInternational Journal of
Volume 2014
Applied MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Probability and StatisticsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Mathematical PhysicsAdvances in
Complex AnalysisJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
OptimizationJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
CombinatoricsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Operations ResearchAdvances in
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Function Spaces
Abstract and Applied AnalysisHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of Mathematics and Mathematical Sciences
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Algebra
Discrete Dynamics in Nature and Society
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Decision SciencesAdvances in
Discrete MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom
Volume 2014 Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Stochastic AnalysisInternational Journal of
10 Journal of Applied Mathematics
063064065066067068069
07071072073074075
m = 15
m = 17
m = 19
Aggressiveness = 01sim05
Serv
ice c
ompr
omise
d pr
obab
ility
m contest intensity
Figure 12 Service compromised probability of less aggressive at-tacker under 119898 lt 1 circumstance
0
01
02
03
04
05
06
07
m = 01
m = 03
m = 05
Aggressiveness = 05sim09
Serv
ice c
ompr
omise
d pr
obab
ility
m contest intensity
Figure 13 Service compromised probability of less aggressive at-tacker under 119898 gt 1 circumstance
085
086
087
088
089
09
m = 15
m = 17
m = 19
Aggressiveness = 05sim09
Serv
ice c
ompr
omise
d pr
obab
ility
m contest intensity
Figure 14 Service compromised probability of aggressive attackerunder 119898 lt 1 circumstance
0
02
04
06
08
1
Prob
abili
ty
Contest intensity mm = 15 m = 17 m = 19
m = 01 m = 03 m = 05
Aggressiveness = 01sim05Aggressiveness = 05sim09
Figure 15 Service compromised probability of aggressive attackerunder 119898 gt 1 circumstance
0
02
04
06
08
1
Prob
abili
ty
Contest intensity mm = 15 m = 17 m = 19
m = 01 m = 03 m = 05
Aggressiveness = 01sim05Aggressiveness = 05sim09
Figure 16 Comparison of service compromised probability underdiverse contest intensity and aggressiveness
compromised probability slows down when contest intensitybecomes higherThis is because although aggressive attackersprefer to gain an edge by spending more attack resourcesto compromise a target each compromise costs significantresources Thus aggressive attackers run out of budget veryquickly and the increasing trend is not exponential
42 Proactive Defense Is Advantageous under ldquoWinner TakesAllrdquo Circumstance According to previous discussions theeffectiveness of resources invested is significant under ldquowin-ner takes allrdquo circumstances For less aggressive attackers theperformance is poor since they only invest few resources onan attack Aggressive attackers tend to spend a larger quantityto compromise a target If a defender raises the quantity ofdefense resources on important nodes it effectively weakensattackers
Consequently regardless of whether defenders face eitheraggressive or less aggressive attackers a proactive defenseperforms better in deterring attackers
43 Reactive Defense Is Advantageous under ldquoFight to Winor Dierdquo Circumstance Similarly under the ldquofight to win
Journal of Applied Mathematics 11
or dierdquo circumstance the effectiveness of defense resourcesis insignificant No matter how many proactive defenseresources are invested there is only limited influence onthe objective function value In other words less aggressiveattackers can compromise a target even by only investingscarce attack resources For aggressive attackers since theyprefer spending a large quantity of resources on compromis-ing a victim they easily run out of resources before a targetservice is compromised
Based on this analysis it is advantageous for the defenderto apply reactive defense mechanisms against maliciousattackers under ldquofight to win or dierdquo circumstance
5 Conclusions
This paper models an attack and defense scenario thatinvolves high amounts of randomness as mathematical for-mulations where attackers are assumed to have incompleteinformation It further considers a virtualization environ-ment for helping relate these results to recent trends in cloudcomputing
According to the simulation results the outcome of acontest is influenced not only by the quantity of defenseresources invested on each node but also by the contestintensity An attackerrsquos aggressiveness is introduced as a newdimension and meaningful results are discovered Effectivedefense strategies are proposed in the discussion of theresults
For future works collaborative attacks should be takeninto consideration since the attack strategy discussed in thispaper is for individual attacks In other words there is onlyone attack targeting a victimrsquos network at a time Thus nosynergy is considered A more complicated collaborativeattack pattern is worth further study
Acknowledgment
This work was supported by the National Science CouncilTaiwan (Grant nos NSC 102-2221-E-002-104 and NSC 101-2218-E-011-009)
References
[1] IBM Internet Security Systems X-Force research and devel-opment team ldquoIBM X-Force 2010 Mid-Year Trend and RiskReportrdquo IBM August 2010
[2] R J Ellison D A Fisher R C Linger H F Lipson T Longstaffand N R Mead ldquoSurvivable network systems an emergingdisciplinerdquo Tech Rep CMUSEI-97-TR-013 1997
[3] S Roy C Ellis S Shiva D Dasgupta V Shandilya and Q WuldquoA survey of game theory as applied to network securityrdquo inProceedings of the 43rd Annual Hawaii International Conferenceon System Sciences (HICSS rsquo10) January 2010
[4] M N Lima A L D Santos and G Pujolle ldquoA survey of sur-vivability in mobile Ad hoc Networksrdquo IEEE CommunicationsSurveys and Tutorials vol 11 no 1 pp 66ndash77 2009
[5] Z Ma ldquoTowards a unified definition for reliability survivabilityand resilience (I) the conceptual framework inspired by thehandicap principle and ecological stabilityrdquo in Proceedings of theIEEE Aerospace Conference pp 1ndash12 March 2010
[6] F Xing and W Wang ldquoOn the survivability of wireless adHOC networks with node misbehaviors and failuresrdquo IEEETransactions on Dependable and Secure Computing vol 7 no3 pp 284ndash299 2010
[7] S Skaperdas ldquoContest success functionsrdquo EconomicTheory vol7 no 2 pp 283ndash290 1996
[8] G Levitin and K Hausken ldquoFalse targets efficiency in defensestrategyrdquo European Journal of Operational Research vol 194 no1 pp 155ndash162 2009
[9] K Hausken and G Levitin ldquoProtection vs false targets in seriessystemsrdquo Reliability Engineering and System Safety vol 94 no5 pp 973ndash981 2009
[10] G Levitin and K Hausken ldquoPreventive strike vs false targetsand protection in defense strategyrdquo Reliability Engineering andSystem Safety vol 96 no 8 pp 912ndash924 2011
[11] J Hirshleifer ldquoConflict and rent-seeking success functions ratiovs difference models of relative successrdquo Public Choice vol 63no 2 pp 101ndash112 1989
[12] J Hirshleifer ldquoThe paradox of powerrdquo Economics and Politicsvol 3 pp 177ndash200 1993
[13] J Archer A Boehme D Cullinane P Kurtz N Puhlmannand J Reavis ldquoTop Threats to Cloud Computing V 10rdquo CloudSecurity Alliance March 2010
[14] H Debar F Pouget and M Dacier ldquoWhite paper lsquoHoney-pot Honeynet Honeytoken Terminological issuesrsquordquo InstitutEurecom Research Report RR-03-081 2003
[15] B Cheswick ldquoAn evening with berferd in which a cracker islured endured and studiedrdquo in Proceedings of the USENIXConference pp 163ndash174 USENIX 1992
[16] C Seifert I Welch and P Komisarczuk ldquoTaxonomy of honey-potsrdquo Tech Rep CS-TR-0612 2006
[17] M H y Lopez and C F L Resendez ldquoHoneypots basicconcepts classification and educational use as resources ininformation security education and coursesrdquo in Proceedings ofthe Informing Science and IT Education Conference 2008
[18] Y Huang D Arsenault and A Sood ldquoClosing cluster attackwindows through server redundancy and rotationsrdquo in Pro-ceedings of the 6th IEEE International Symposium on ClusterComputing and the Grid (CCGRID rsquo06) May 2006
[19] YHuang D Arsenault andA Sood ldquoIncorruptible self-cleans-ing intrusion tolerance and its application to DNS securityrdquoJournal of Networks vol 1 no 5 pp 21ndash30 2006
[20] M Smith C Schridde and B Freisleben ldquoSecuring stateful gridservers through virtual server rotationrdquo in Proceedings of the17th International Symposium on High Performance DistributedComputing (HPDC rsquo08) pp 11ndash22 June 2008
[21] F Y-S Lin Y-S Wang and P-H Tsang ldquoEfficient defensestrategies to minimize attackersrsquo success probabilities in hon-eynetrdquo in Proceedings of the 6th International Conference onInformation Assurance and Security (IAS rsquo10) pp 80ndash85 August2010
[22] F Y-S Lin Y-S Wang P-H Tsang and J-P Lo ldquoRedundancyand defense resource allocation algorithms to assure servicecontinuity against natural disasters and intelligent attacksrdquo inProceedings of the 5th International Conference on BroadbandWireless Computing Communication andApplications (BWCCArsquo10) pp 206ndash213 November 2010
[23] F Cohen ldquoManaging network security attack and defencestrategiesrdquo Network Security vol 1999 no 7 pp 7ndash11 1999
[24] S Nagaraja and R Anderson ldquoDynamic topologies for robustscale-free networksrdquo Bio-Inspired Computing and Communica-tion vol 5151 pp 411ndash426 2008
Submit your manuscripts athttpwwwhindawicom
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Mathematical Problems in Engineering
Hindawi Publishing Corporationhttpwwwhindawicom
Differential EquationsInternational Journal of
Volume 2014
Applied MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Probability and StatisticsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Mathematical PhysicsAdvances in
Complex AnalysisJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
OptimizationJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
CombinatoricsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Operations ResearchAdvances in
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Function Spaces
Abstract and Applied AnalysisHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of Mathematics and Mathematical Sciences
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Algebra
Discrete Dynamics in Nature and Society
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Decision SciencesAdvances in
Discrete MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom
Volume 2014 Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Stochastic AnalysisInternational Journal of
Journal of Applied Mathematics 11
or dierdquo circumstance the effectiveness of defense resourcesis insignificant No matter how many proactive defenseresources are invested there is only limited influence onthe objective function value In other words less aggressiveattackers can compromise a target even by only investingscarce attack resources For aggressive attackers since theyprefer spending a large quantity of resources on compromis-ing a victim they easily run out of resources before a targetservice is compromised
Based on this analysis it is advantageous for the defenderto apply reactive defense mechanisms against maliciousattackers under ldquofight to win or dierdquo circumstance
5 Conclusions
This paper models an attack and defense scenario thatinvolves high amounts of randomness as mathematical for-mulations where attackers are assumed to have incompleteinformation It further considers a virtualization environ-ment for helping relate these results to recent trends in cloudcomputing
According to the simulation results the outcome of acontest is influenced not only by the quantity of defenseresources invested on each node but also by the contestintensity An attackerrsquos aggressiveness is introduced as a newdimension and meaningful results are discovered Effectivedefense strategies are proposed in the discussion of theresults
For future works collaborative attacks should be takeninto consideration since the attack strategy discussed in thispaper is for individual attacks In other words there is onlyone attack targeting a victimrsquos network at a time Thus nosynergy is considered A more complicated collaborativeattack pattern is worth further study
Acknowledgment
This work was supported by the National Science CouncilTaiwan (Grant nos NSC 102-2221-E-002-104 and NSC 101-2218-E-011-009)
References
[1] IBM Internet Security Systems X-Force research and devel-opment team ldquoIBM X-Force 2010 Mid-Year Trend and RiskReportrdquo IBM August 2010
[2] R J Ellison D A Fisher R C Linger H F Lipson T Longstaffand N R Mead ldquoSurvivable network systems an emergingdisciplinerdquo Tech Rep CMUSEI-97-TR-013 1997
[3] S Roy C Ellis S Shiva D Dasgupta V Shandilya and Q WuldquoA survey of game theory as applied to network securityrdquo inProceedings of the 43rd Annual Hawaii International Conferenceon System Sciences (HICSS rsquo10) January 2010
[4] M N Lima A L D Santos and G Pujolle ldquoA survey of sur-vivability in mobile Ad hoc Networksrdquo IEEE CommunicationsSurveys and Tutorials vol 11 no 1 pp 66ndash77 2009
[5] Z Ma ldquoTowards a unified definition for reliability survivabilityand resilience (I) the conceptual framework inspired by thehandicap principle and ecological stabilityrdquo in Proceedings of theIEEE Aerospace Conference pp 1ndash12 March 2010
[6] F Xing and W Wang ldquoOn the survivability of wireless adHOC networks with node misbehaviors and failuresrdquo IEEETransactions on Dependable and Secure Computing vol 7 no3 pp 284ndash299 2010
[7] S Skaperdas ldquoContest success functionsrdquo EconomicTheory vol7 no 2 pp 283ndash290 1996
[8] G Levitin and K Hausken ldquoFalse targets efficiency in defensestrategyrdquo European Journal of Operational Research vol 194 no1 pp 155ndash162 2009
[9] K Hausken and G Levitin ldquoProtection vs false targets in seriessystemsrdquo Reliability Engineering and System Safety vol 94 no5 pp 973ndash981 2009
[10] G Levitin and K Hausken ldquoPreventive strike vs false targetsand protection in defense strategyrdquo Reliability Engineering andSystem Safety vol 96 no 8 pp 912ndash924 2011
[11] J Hirshleifer ldquoConflict and rent-seeking success functions ratiovs difference models of relative successrdquo Public Choice vol 63no 2 pp 101ndash112 1989
[12] J Hirshleifer ldquoThe paradox of powerrdquo Economics and Politicsvol 3 pp 177ndash200 1993
[13] J Archer A Boehme D Cullinane P Kurtz N Puhlmannand J Reavis ldquoTop Threats to Cloud Computing V 10rdquo CloudSecurity Alliance March 2010
[14] H Debar F Pouget and M Dacier ldquoWhite paper lsquoHoney-pot Honeynet Honeytoken Terminological issuesrsquordquo InstitutEurecom Research Report RR-03-081 2003
[15] B Cheswick ldquoAn evening with berferd in which a cracker islured endured and studiedrdquo in Proceedings of the USENIXConference pp 163ndash174 USENIX 1992
[16] C Seifert I Welch and P Komisarczuk ldquoTaxonomy of honey-potsrdquo Tech Rep CS-TR-0612 2006
[17] M H y Lopez and C F L Resendez ldquoHoneypots basicconcepts classification and educational use as resources ininformation security education and coursesrdquo in Proceedings ofthe Informing Science and IT Education Conference 2008
[18] Y Huang D Arsenault and A Sood ldquoClosing cluster attackwindows through server redundancy and rotationsrdquo in Pro-ceedings of the 6th IEEE International Symposium on ClusterComputing and the Grid (CCGRID rsquo06) May 2006
[19] YHuang D Arsenault andA Sood ldquoIncorruptible self-cleans-ing intrusion tolerance and its application to DNS securityrdquoJournal of Networks vol 1 no 5 pp 21ndash30 2006
[20] M Smith C Schridde and B Freisleben ldquoSecuring stateful gridservers through virtual server rotationrdquo in Proceedings of the17th International Symposium on High Performance DistributedComputing (HPDC rsquo08) pp 11ndash22 June 2008
[21] F Y-S Lin Y-S Wang and P-H Tsang ldquoEfficient defensestrategies to minimize attackersrsquo success probabilities in hon-eynetrdquo in Proceedings of the 6th International Conference onInformation Assurance and Security (IAS rsquo10) pp 80ndash85 August2010
[22] F Y-S Lin Y-S Wang P-H Tsang and J-P Lo ldquoRedundancyand defense resource allocation algorithms to assure servicecontinuity against natural disasters and intelligent attacksrdquo inProceedings of the 5th International Conference on BroadbandWireless Computing Communication andApplications (BWCCArsquo10) pp 206ndash213 November 2010
[23] F Cohen ldquoManaging network security attack and defencestrategiesrdquo Network Security vol 1999 no 7 pp 7ndash11 1999
[24] S Nagaraja and R Anderson ldquoDynamic topologies for robustscale-free networksrdquo Bio-Inspired Computing and Communica-tion vol 5151 pp 411ndash426 2008
Submit your manuscripts athttpwwwhindawicom
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Mathematical Problems in Engineering
Hindawi Publishing Corporationhttpwwwhindawicom
Differential EquationsInternational Journal of
Volume 2014
Applied MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Probability and StatisticsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Mathematical PhysicsAdvances in
Complex AnalysisJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
OptimizationJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
CombinatoricsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Operations ResearchAdvances in
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Function Spaces
Abstract and Applied AnalysisHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of Mathematics and Mathematical Sciences
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Algebra
Discrete Dynamics in Nature and Society
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Decision SciencesAdvances in
Discrete MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom
Volume 2014 Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Stochastic AnalysisInternational Journal of
Submit your manuscripts athttpwwwhindawicom
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Mathematical Problems in Engineering
Hindawi Publishing Corporationhttpwwwhindawicom
Differential EquationsInternational Journal of
Volume 2014
Applied MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Probability and StatisticsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Mathematical PhysicsAdvances in
Complex AnalysisJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
OptimizationJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
CombinatoricsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Operations ResearchAdvances in
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Function Spaces
Abstract and Applied AnalysisHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of Mathematics and Mathematical Sciences
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Algebra
Discrete Dynamics in Nature and Society
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Decision SciencesAdvances in
Discrete MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom
Volume 2014 Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Stochastic AnalysisInternational Journal of