考量惡意攻擊情況下最大化網路存活度之網路防護與修復策略

Abstract

由於近年來電腦軟、硬體以及通訊技術的發達，使得企業以及個人能夠使用輕巧、便宜且高效能的設備，因此加速了網際網路的發展，各式各樣的網路應用服務也如雨後春筍般相繼推出。然而，人們對於網際網路的依賴，也同時令連接至網路的電腦以及伺服器更容易受到攻擊，這些攻擊會讓個人以及企業遭受極大的損失。此外，新的威脅持續增加，惡意攻擊者的攻擊手法也不斷翻新，加上零時差攻擊的出現，使得我們幾乎無法確保網路或是系統隨時處在安全的狀態當中。因此網路在惡意攻擊下的存活度便成為一個極為重要的議題。 在這篇論文當中，採用了一個新的指標-網路分隔度（Degree of Separation，DOS）來評估網路的損壞程度以及存活度。我們將一個網路攻防情境轉換成多回合的數學規劃問題，其中每一回合包含了三個階段。第一階段描述一個網路營運者要如何部署有限的防禦資源在網路的節點上，藉此提高攻擊者的攻擊成本。而在第二階段當中，惡意攻擊者利用有限的攻擊預算，對網路中的節點發動攻擊，目標是最大化網路的損壞程度。而在最後的階段，網路營運者希望能有效配置其有限的修復預算，修復被攻擊者破壞的節點，以最小化網路的損壞程度。在求解的過程中，使用拉格蘭日鬆弛法來幫助我們求得最佳解。

Because of the rapid advancement of computer and telecommunication technologies in recent years, smaller, less expensive and high performance devices are available for companies and individuals, which accelerate the growth of the Internet and make available to users a variety of new network applications/services. However, our dependency on the Internet has made the PCs and servers connected to the network more vulnerable to attacks, causing great losses to enterprises and individuals. Moreover, an increasing number of new threats, evolution of attack tactics and the emergence of zero-day attacks make it almost impossible for a system or network to keep “safe” at any moment. Therefore, survivability of a network under malicious attacks has become an extremely important issue. In this thesis, we adopted a novel metric called Degree of Separation (DOS) to evaluate the damage level and survivability of a network. A network attack-defense scenario is converted to a multi-round mathematical programming problem. Each round contains three stages, in the first stage, the defender deploys his limited defense resources on the nodes in the network, in order to increase the attacker’s attack cost. In the second stage, the attacker uses his limited budget to launch attacks, trying to maximize the damage of the network. Finally, the defender tries to minimize network damage by repairing nodes compromised by the attacker, subject to his finite repair budget. The Lagrangean relaxation method is proposed here to obtain solutions for the problem.