Internet Cyber Attack Model

Dr. Norman Schneidewind
IEEE Congressional Fellow, US Senate, 2005
Fellow of the IEEE, Naval Postgraduate School

Keywords: Internet Protocols, Internet Routing, Predicting Cyber Attack on Internet Routers


    Internet protocols (Internet Protocol (IP) and Transmission Control Protocol (TCP)) are
evaluated from the standpoint of vulnerability to cyber attacks. Internet routing characteristics
that lead to vulnerabilities are also examined. Models are developed that focus on IP and
TCP queue characteristics that serve as indicators of an attack and of Internet vulnerabilities.
Flow characteristics that can be used to detect and mitigate cyber attacks are analyzed. A risk
analysis shows how key Internet security control variables can be used to identify the threshold
values for containing a cyber attack. Lastly, a linear program model is used to identify routes in
an Internet router network that could be susceptible to malicious activity.

Internet Characteristics that are Related to Cyber Security

    IP routing protocols are dynamic. Dynamic routing calls for routes to be calculated
automatically at regular intervals by software in routing devices. This contrasts with static
routing, where routes are established by the network administrator and do not change until the
network administrator changes them. [CIS05]

    IP routing specifies that IP datagrams travel through internetworks one hop at a time. The
entire route is not known at the onset of the journey, however. Instead, at each stop, the next
destination is calculated by matching the destination address within the datagram with an entry in
the current node's routing table. [CIS05]

    These dynamic properties of Internet data flow, varying with location and time of network
activity, lead us to increase the nominal traffic flow rate as a function of these variables and
Internet data (see Table 1) in order to correctly analyze the properties of the Internet router
queues. The idea is to capture, in the model, the dynamic changes in the routing discipline at
startup, which eventually decrease to a steady state value as the network traffic stabilizes.

Other Security Modeling Approaches

    According to [MAD], systems should be architected for security and be able to recover from
an intrusion. Such systems are known as intrusion tolerant systems. An attack graph models the
ways in which an attacker can compromise the system. The graph enumerates the paths that can
lead to failed states. Our approach has some similarities, but we focus on the ability of an Internet
Service Provider (ISP) to select safe routes for communicating customer data in the Internet.
Whereas [MAD], as part of its model, recommends processes for recovering from an attack, we
propose preventive medicine via proactive analysis of potential routes prior to committing to a

Internet Cyber Attack Model

    In order that the Internet Service Provider (ISP) can anticipate and respond to cyber attacks,
such as a Denial of Service (DoS) attack, predictions of vulnerability count Vi in time period i
are made using a non-linear regression function Vi = b e^(c i), obtained in other research [SCH05],
where b = 150.14 and c = .3952. Figure 1 shows the vulnerability count, which increases steeply
as the time period of attack increases. In addition, it is important to predict the attack count Ai in
time period i. This is obtained by assuming that the difference di between the vulnerability count
and the attack count is proportional to the rate of change of the vulnerability count. With some
mathematical manipulation, we compute Ai = Vi * (1 + c). The attack count is shown in Figure 1,
where it is greater than the vulnerability count for all time periods, along with the difference
between the two counts. This difference plus three standard deviations (150,000 count) provides
a threshold for delineating the high risk region that occurs in the 16 – 17 month time period. The
policy implication for the ISP of this result is to be on high alert for an attack during this period
and to attempt mitigation of the risk by reducing vulnerabilities. This could take the form of
detecting and controlling excessive router buffer traffic that may be the result of DoS flooding.

    Table 1 summarizes the attack and vulnerability count data and computations.

                 Table 1. Internet Cyber Attack and Vulnerability Data

   i       Vi       Ai   (1+c) c Vi   di = c Vi   mean di + 3 stdev
   0      150      209          83          59              150232
   1      223      311         123          88              150232
   2      331      462         182         131              150232
   3      491      686         271         194              150232
   4      730     1018         402         288              150232
   5     1083     1511         597         428              150232
   6     1608     2244         887         635              150232
   7     2387     3331        1316         944              150232
   8     3545     4945        1954        1401              150232
   9     5263     7342        2902        2080              150232
  10     7813    10901        4308        3088              150232
  11    11600    16184        6396        4584              150232
  12    17222    24029        9496        6806              150232
  13    25570    35675       14099       10105              150232
  14    37963    52966       20932       15003              150232
  15    56363    78638       31078       22275              150232
  16    83681   116752       46140       33071              150232
  17   124240   173339       68504       49100              150232
  18   184456   257354      101706       72897              150232
  19   273859   382088      151001      108229              150232
  20   406593   567279      224189      160686              150232

                                     mean di      23433
                                    stdev di      42266
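The prediction model above reduces to a handful of formulas, so the following Python block reproduces Table 1 from them. It is an added example, not code from the paper or from [SCH05]; the only inputs it takes from the paper are b = 150.14, c = .3952 and the relations Vi = b e^(c i), Ai = Vi (1 + c), di = Ai − Vi = c Vi and the threshold mean di + 3 stdev over i = 0..20. It also reports the first period in which the attack count and the difference cross that threshold, which is the check an ISP analyst would automate.

```python
"""Vulnerability/attack-count prediction (added example, not the paper's code).

Implements Vi = b*exp(c*i), Ai = Vi*(1+c), di = Ai - Vi = c*Vi and the control
threshold mean(di) + 3*stdev(di) from the paper; b and c are the paper's values.
"""
import math
import statistics
from typing import List, Optional, Tuple

B = 150.14   # regression coefficient, from the paper ([SCH05])
C = 0.3952   # regression exponent, from the paper ([SCH05])


def vulnerability_count(i: int, b: float = B, c: float = C) -> float:
    """Predicted vulnerability count Vi = b * e^(c*i) for time period i (months)."""
    return b * math.exp(c * i)


def attack_count(i: int, b: float = B, c: float = C) -> float:
    """Predicted attack count Ai = Vi * (1 + c)."""
    return vulnerability_count(i, b, c) * (1 + c)


def difference(i: int, b: float = B, c: float = C) -> float:
    """di = Ai - Vi, which equals c * Vi."""
    return attack_count(i, b, c) - vulnerability_count(i, b, c)


def threshold(periods: range, b: float = B, c: float = C) -> float:
    """Control limit: mean(di) + 3 * sample stdev(di) over the periods (Table 1 uses i = 0..20)."""
    ds = [difference(i, b, c) for i in periods]
    return statistics.mean(ds) + 3 * statistics.stdev(ds)


def high_risk_periods(periods: range, b: float = B, c: float = C
                      ) -> Tuple[float, Optional[int], Optional[int]]:
    """(threshold, first i where Ai exceeds it, first i where di exceeds it); None if never."""
    t = threshold(periods, b, c)
    first_attack = next((i for i in periods if attack_count(i, b, c) > t), None)
    first_diff = next((i for i in periods if difference(i, b, c) > t), None)
    return t, first_attack, first_diff


def table(periods: range, b: float = B, c: float = C) -> List[Tuple[int, int, int, int, int]]:
    """Rows (i, Vi, Ai, (1+c)*c*Vi, di) rounded to integers as in Table 1."""
    rows = []
    for i in periods:
        v = vulnerability_count(i, b, c)
        rows.append((i, round(v), round(attack_count(i, b, c)),
                     round((1 + c) * c * v), round(c * v)))
    return rows


if __name__ == "__main__":
    t, first_a, first_d = high_risk_periods(range(0, 21))
    print(f"threshold = {t:,.0f}; Ai exceeds it from period {first_a}; di from period {first_d}")
    for row in table(range(0, 21)):
        print("{:>3} {:>8} {:>8} {:>8} {:>8}".format(*row))
```

Because the threshold is fitted to the same exponential series it is meant to bound, it is dominated by the last few periods; the attack count crosses it at period 17 and the difference di only at period 20, which is worth keeping in mind when reading the "16 – 17 month" high risk region off Figure 1.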

Figure 1. Vulnerability Count Vi, Attack Count Ai, (Ai − Vi) Limit di, vs. Time Period i
[Plot not reproduced in this text: curves for vulnerability count, attack count, and the rate of
change of the attack count (attack count − vulnerability count) on a count axis from 0 to 450,000
against Time Period i (month) from 0 to 25; the di + 3 * stdev threshold line at 150,000 marks
the high risk region.]

Data Flow Model for Internet

    This model characterizes the Internet threat in terms of anomalous flow rates that may be
indicative of a data flooding attack. The model assumes that Internet flow into a device, such as
a router, is governed by exponential service times and Poisson arrivals, based on the facts that
the distribution of service times is skewed -- exponential (i.e., higher probability of short service
times and lower probability of long service times) and that packet arrivals are random and
independent of packet arrival history (i.e., Poisson). Using these assumptions, we define the
following quantities:

λ: data flow rate into Internet Protocol router queue (packets per second)

i: time period of data flow (months)

μ: service rate of Internet Protocol router queue (packets per second)

ρ: utilization of Internet Protocol router queue = .5 (arbitrarily selected)

nwI: mean number of packets waiting in Internet Protocol router queue

twI: mean wait time in Internet Protocol router queue (seconds per packet)
Figure 2. Mean Number of Packets Waiting in the Internet Protocol queue, nwI, vs. Data Flow
Rate, lambda
[Plot not reproduced in this text: nwI (packets) against lambda (packets per second) from 0 to
2.2; the line threshold = mean nw + 3 * stdev separates the safe area from the high risk area.]

    Having defined the key data flow quantities, we use queuing formulas that can be found in
various texts, such as [HIL01]. The service rate μ of the Internet Protocol (IP) queue is computed
from μ = λ / ρ. Once μ is available, the mean number of packets waiting in the Internet router
queue, nwI = λ² / (μ (μ – λ)), can be obtained and plotted in Figures 2 and 3.

    Figure 2 shows the delineation of the high risk area in contrast to the safe area, where the
demarcation is based on the mean queue size plus three standard deviations. Of course, we
realize that a large queue size might only represent a high load in the Internet. However, using a
data flow monitor, we would sound an "alarm" under this condition to try to determine whether
this is just a normal high load or a denial of service attack attempting to flood the router.

    In Figure 3, we show the mean number of packets waiting, nwI and nwT, in the Internet
Protocol (IP) and Transmission Control Protocol (TCP) queues, respectively, as a function of the
time of input to the queue i. In addition, the diagram shows the control line, representing three
standard deviations above the mean for the IP queue. The purpose of the control is to allow the
cyber security decision maker to ascertain the risk of attack based on suspicious Internet router
activity incurred by overload at the input queues of the router.
Figure 3. Mean Number of Packets Waiting, nwI, in Internet Queue and in TCP Queue, nwT, vs.
Time Period, i
[Plot not reproduced in this text: Mean Number of Packets Waiting against i (month) from 0 to
16; the nwT curve lies in the high risk region above the control limit, the nwI curve in the safe
region below it.]

Figure 4. Mean Time Waiting in Internet Protocol Queue twI vs. Time Period i
[Plot not reproduced in this text: twI (seconds per packet, axis up to 0.160) against i (month)
from 0 to 18; the maximum value is marked as the high risk point.]

    In addition to the number of packets waiting for service at an Internet router queue, it is
important to investigate the cyber attack risk represented by queue service times that may be
indicative of a cyber attack. Figure 4 shows how waiting time in an Internet router queue varies
with time i. The maximum value identifies the high risk situation for the cyber security analyst.
The queue service time is obtained from the expression for the mean time a packet waits in the
Internet Protocol router queue, twI = λ / (μ (μ – λ)).

Analysis of Transmission Control Protocol (TCP) Host Input Queue

    In this section we analyze the IP router and TCP host queue characteristics in order to
identify queue behavior that is abnormal and may be suggestive of Internet attacks.

    Because TCP incurs more overhead than the Internet Protocol (IP), the input rate λ of the IP
queue will need to be augmented by the factor (1 + f), where f is the overhead factor, and μ, the
IP router service rate, will be reduced by the factor (1 – f) for the TCP queue. Thus, the mean
number of segments waiting in the TCP host queue is given below, where λT = λ (1 + f) is the
input rate and μT = μ (1 – f) is the service rate of the TCP host queue, nwI is the original
equation shown previously and nwT is the modified equation. An overhead factor of f = .20 is
arbitrarily assigned.

    nwI = λ² / (μ (μ – λ))

    nwT = (λ (1 + f))² / (μ (1 – f) (μ (1 – f) – λ (1 + f)))

    Similarly, the TCP queue service time twT (labelled twC in Figure 4.1) is obtained from the
expression for the mean time a packet waits in the Internet Protocol router queue,
twI = λ / (μ (μ – λ)). Again, the substitution λ (1 + f) is made for λ and μ (1 – f) for μ. Thus,
the following transformation is used:

    twI = λ / (μ (μ – λ))

    twT = λ (1 + f) / (μ (1 – f) (μ (1 – f) – λ (1 + f)))

    The time spent in the TCP queue servicing arriving packets is shown in Figure 4.1, where the
values are much larger than was the case in Figure 4 for the IP queue, reflecting the fact that TCP
incurs overhead in relation to IP. Again, the high risk area is delineated from the safe area. In this
case, the mean value of twC is used to show this demarcation; the standard deviation is not used
for this purpose because its high value would not provide a suitable control line. The values
above the control line identify the high risk situation that could be caused by flooding of the TCP
queue by virtue of a cyber attack.
Figure 4.1. Time in TCP Queue twC (seconds per packet) vs. Time Period i
[Plot not reproduced in this text: twC against i (months) from 0 to 12; the control line (the
mean of twC) separates the safe area from the values above it.]


    The TCP host queue characteristics, presented quantitatively above, are shown pictorially in
Figure 0. This figure fleshes out the abstraction of the equations to show a real system: an IP
router queue feeding the TCP input queue. In addition, the figure shows a data congestion
countermeasure and recovery in the form of the congestion monitor and feedback recovery loop
designed to automatically check the router input for excessive data flow. The use of a monitor
for data overflow detection and recovery was reported in [SUL05].
Figure 0. Analysis of Transmission Control Protocol (TCP) Host Input Queue
[Block diagram not reproduced in this text: the Internet Protocol (IP) Router Output Queue feeds
the TCP Host Queue, whose monitor for congestion (nwT, twT) drives a feedback loop (λT, μT) to
correct for congestion; output passes to the higher level. Legend:
  λI: IP input rate
  λT: TCP input rate
  μ: IP service rate
  μT: TCP service rate
  nwI: IP number of packets waiting
  nwT: TCP number of packets waiting
  twI: IP waiting time
  twT: TCP waiting time]

Internet – Local Network Packet Rate Evaluation

    Now, we take a look at how Internet traffic varies when the Internet is connected to a local
area network (LAN): increases in the quantity and variation of traffic on the LAN, due to a high
data rate on the Internet router side, suggest possible cyber attacks, as shown in Figure 5.

    The quantity Ri, the ratio between the Internet and LAN packet rate functions, is assumed to
have the following form, for the purpose of illustrating the concept:

    Ri = 10 LN(Ii) / e^(Li), where

    Ii is the Internet packet rate (megabits per second) at time i

    Li is the LAN packet rate (megabits per second) at time i

    In order to investigate for a possible maximum of Ri with respect to i that might yield a value
that could suggest a high risk of cyber attack, based on a disproportionate traffic relationship
between the Internet and LAN, the rate of change of Ri is derived and the condition of its
maximum determined as follows:

    dRi/di = 10 (1/Ii – LN(Ii)) / e^(Li)

    Setting this to 0, we obtain:

    Ii LN(Ii) = 1, as the condition of maximum Ri.

    This occurs at i = 5 and Ri ≈ 10, as shown in Figure 6, indicating the maximum risk from
Internet traffic relative to that of the LAN, suggesting traffic overload due, for example, to
Internet router flooding.
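The ratio and its stationarity condition can be checked numerically. The Python block below is an added example, not the paper's code: it evaluates Ri = 10 LN(Ii) / e^(Li) and the derivative exactly as written above (which implicitly treats Ii and Li as advancing one unit per period i), finds the root of Ii LN(Ii) = 1 by bisection, and scans a constructed series of Internet and LAN rates for the period of maximum ratio. The rate series is constructed sample data, not the paper's Figure 6 data, so its maximum does not fall at i = 5.

```python
"""Internet/LAN traffic ratio Ri = 10 * ln(Ii) / e^Li and its maximum condition
(added example, not the paper's code). dRi/di = 10 (1/Ii - ln Ii) / e^Li is the
paper's derivative; its zero satisfies Ii * ln(Ii) = 1. The rate series is constructed.
"""
import math
from typing import List, Tuple


def ratio(internet_rate: float, lan_rate: float) -> float:
    """Ri = 10 * ln(Ii) / e^(Li); Ii, Li in megabits per second."""
    if internet_rate <= 0:
        raise ValueError("Internet rate must be positive for ln(Ii)")
    return 10 * math.log(internet_rate) / math.exp(lan_rate)


def ratio_derivative(internet_rate: float, lan_rate: float) -> float:
    """dRi/di = 10 (1/Ii - ln Ii) / e^Li, the paper's expression (dIi/di = dLi/di = 1 assumed)."""
    return 10 * (1 / internet_rate - math.log(internet_rate)) / math.exp(lan_rate)


def solve_stationary_rate(lo: float = 1.0, hi: float = 3.0, tol: float = 1e-9) -> float:
    """Bisection for the Ii with Ii * ln(Ii) = 1, the paper's condition for maximum Ri.
    g(x) = x ln x - 1 is increasing for x > 1/e, so the bracket [1, 3] holds one root."""
    def g(x: float) -> float:
        return x * math.log(x) - 1

    if g(lo) * g(hi) > 0:
        raise ValueError("root not bracketed")
    while hi - lo > tol:
        mid = (lo + hi) / 2
        if g(lo) * g(mid) <= 0:
            hi = mid
        else:
            lo = mid
    return (lo + hi) / 2


def max_ratio_period(internet_rates: List[float], lan_rates: List[float]) -> Tuple[int, float]:
    """(i, Ri) at the largest observed ratio: the period the analyst would flag as maximum risk."""
    if len(internet_rates) != len(lan_rates) or not internet_rates:
        raise ValueError("need equal-length, non-empty rate series")
    ratios = [ratio(ii, li) for ii, li in zip(internet_rates, lan_rates)]
    best = max(range(len(ratios)), key=ratios.__getitem__)
    return best, ratios[best]


# Constructed sample series (megabits per second), one entry per period i.
SAMPLE_INTERNET = [1.2, 1.4, 1.6, 1.75, 1.8, 1.7, 1.5]
SAMPLE_LAN = [0.10, 0.12, 0.11, 0.10, 0.13, 0.12, 0.15]

if __name__ == "__main__":
    root = solve_stationary_rate()
    print(f"Ii ln(Ii) = 1 at Ii = {root:.4f}; derivative there = {ratio_derivative(root, 0.5):.2e}")
    i, r = max_ratio_period(SAMPLE_INTERNET, SAMPLE_LAN)
    print(f"maximum Ri = {r:.3f} at period i = {i}")
```

The stationary point sits at Ii ≈ 1.763 regardless of Li, so in practice the LAN term only scales the ratio; the scan over observed periods is what an operator would actually run, with the analytic condition serving as a sanity check on the curve's shape.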

Risk Analysis for Cyber Security Attacks

    The primary risk variables for a cyber security decision maker to use in deciding whether to
mitigate vulnerabilities and, hence, risk are based on predicted key cyber security variable values
that exceed control limits. For example, if the perceived threat is a Denial of Service attack
(DoS), the decision maker may decide to install a filter to identify excessive flow rate di and
queue size nw and discard illegitimate packets, as shown in Figure 5.

Figure 5. Internet Cyber Attack Environment
[Block diagram not reproduced in this text: a Data Source (Internet router output queue, subject
to a DOS attack) sends excessive flow to a Data Sink (local area network input); a control element
checks data flow and queue against
  upper limit on flow rate = di (mean) + 3 SD
  upper limit on queue size (nw) = nw (mean) + 3 SD
and uses Access Control Lists (ACLs) to filter packets and check for excessive flow rate and
queue size: discard if packets deemed]

Figure 6. Internet / Local Network Traffic Ratio Ri vs. Time of Traffic i
[Plot not reproduced in this text: Ri against i (month) from 0 to 18; the maximum Ri at i = 5 is
marked as the maximum risk.]
Internet Cyber Attack Routing Process

    Denial of Service attacks have raised the level of concern that the next generation of attacks
could make previous attacks look puny. Should someone exploit a Border Gateway Protocol-
enabled router, network monitors, such as the one shown in Figure 0, seek out and discard the
tidal wave of false messages.

   Let us see some of the ways that Internet routing can be compromised by malicious attacks.

    1. When there are a number of unusual routing requests to the network nodes.
    2. When a Denial of Service (DOS) is generating false control and data packets, causing
       significant traffic on proposed, but erroneous routes, as shown in Figure 7.
    3. The source does not receive replies in the expected time because the attacker has flooded
       the network, as would occur if the proposed routes in Figure 7 are utilized.

    The operators of Internet Service Provider (ISP) facilities need to know which routers and
routes under their control are safe from cyber attacks, such as router flooding. To do this, the
operators can develop and implement a linear program model. Upon solving the model for the
best route, the ISP uses that route to satisfy the customer computing demands, as shown in
Figure 7.

    In the example solution, with pi = .1, there are four potential routes, as shown in the
definitions below and in Figure 7. However, the solution to the linear program formulation
indicates that the model chose a single route, and that route was not one of the four potential
routes! This route, then, is implemented by the ISP, as shown in Figure 7. Thus, the ISP has at its
disposal a tool for avoiding cyber attacks, based on judicious route selection.

    In order to understand the model, the following definitions are needed:

node i: Internet router

di: data flow in node i (megabits per second)

ti: time duration of data flow in node i (seconds)

t1: 1, t2: 2, t3: 3, t4: 4, t5: 5, t6: 6, t7: 7, t8: 8, t9: 9, t10: 10

pi: probability of attack on Internet routers (.1, .2, .3, .4)

1 – pi: probability of no attack on Internet nodes

ai : time duration of data flow in node i not attributed to cyber attack (seconds)

rj: data flow requirement for potential route j (megabits)
r1: 2, r2: 3, r3: 2, r4: 2

    Once terms have been defined, we can set up the model format:

ai = ti (1 – pi)

For pi = .1:

a1= .9 x 1 = .9

a2= .9 x 2 = 1.8

a3= .9 x 3 = 2.7

a4= .9 x 4 = 3.6

a5= .9 x 5 = 4.5

a6= .9 x 6 = 5.4

a7= .9 x 7 = 6.3

a8= .9 x 8 = 7.2

a9= .9 x 9 = 8.1

a10= .9 x 10 = 9

Objective Function:

Maximize Σ di (1 – pi) ai

Subject to:

d1t1 + d4t4 + d6t6 + d8t8 + d10t10 ≤ r1

d2t2 + d4t4 + d7t7 + d9t9 + d10t10 ≤ r2

d3t3 + d5t5 + d7t7 + d6t6 + d10t10 ≤ r3

d2t2 + d7t7 + d10t10 ≤ r4

d1 > 0, d10 > 0 (there must be positive data flow at node 1 (start node) and node 10 (end node,
the customer node) of the routes)

    The following is the solution obtained using the Lindo linear program software:

d1 = 1.000 megabits per second
d2 = 0
d3 = .333 megabits per second
d4 = 0
d5 = 0
d6 = 0
d7 = 0
d8 = 0
d9 = .222 megabits per second
d10 = .100 megabits per second

    The properties of the solution are summarized in Figure 7, where the potential routes are
shown, but these routes are overridden, based on the model solution, which selects an entirely
different route, not subject to cyber attack!
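The route model is easy to encode and worth checking independently of the solver, since an ISP would want to verify a proposed flow assignment against the route capacity constraints before implementing it. The Python block below is an added example, not the paper's code or its Lindo model file: it encodes ti, pi, ai = ti (1 – pi), the four potential routes with their requirements rj, the objective Σ di (1 – pi) ai and the constraints exactly as listed above, then checks the published Lindo solution for feasibility and reproduces the per-node attack-free quantities di ai annotated in Figure 7. It does not solve the linear program; it only evaluates candidate solutions.

```python
"""Feasibility and objective checker for the paper's route-selection linear program
(added example, not the paper's code or Lindo model). Encodes ti, pi, ai = ti (1 - pi),
the four potential routes with requirements rj, the constraints
sum(di * ti over nodes on route j) <= rj and d1, d10 > 0, and the objective
sum(di * (1 - pi) * ai). No LP solver is included: candidate flows are only checked.
"""
from typing import Dict, List, Tuple

NODES = range(1, 11)
T = {i: float(i) for i in NODES}          # ti: flow duration at node i (s); t1 = 1 ... t10 = 10
ROUTES: Dict[int, Tuple[List[int], float]] = {  # potential route j -> (nodes, rj in megabits)
    1: ([1, 4, 6, 8, 10], 2.0),
    2: ([2, 4, 7, 9, 10], 3.0),
    3: ([3, 5, 7, 6, 10], 2.0),
    4: ([2, 7, 10], 2.0),
}
# The paper's Lindo solution for pi = .1 (megabits per second per node)
LINDO_SOLUTION = {1: 1.0, 2: 0.0, 3: 0.333, 4: 0.0, 5: 0.0, 6: 0.0, 7: 0.0, 8: 0.0, 9: 0.222, 10: 0.100}


def flow_vector(positive: Dict[int, float]) -> Dict[int, float]:
    """Full d vector over nodes 1..10 from the nodes that carry flow."""
    return {i: float(positive.get(i, 0.0)) for i in NODES}


def attack_free_duration(p: float) -> Dict[int, float]:
    """ai = ti (1 - pi) for every node, with a common attack probability p."""
    return {i: T[i] * (1 - p) for i in NODES}


def objective(d: Dict[int, float], p: float) -> float:
    """sum(di * (1 - pi) * ai): the quantity the model maximizes."""
    a = attack_free_duration(p)
    return sum(d[i] * (1 - p) * a[i] for i in NODES)


def route_loads(d: Dict[int, float]) -> Dict[int, float]:
    """sum(di * ti) over the nodes of each potential route j (megabits)."""
    return {j: sum(d[i] * T[i] for i in nodes) for j, (nodes, _) in ROUTES.items()}


def violations(d: Dict[int, float], tol: float = 1e-9) -> List[str]:
    """Constraints not met by flow vector d; an empty list means d is feasible."""
    problems = []
    loads = route_loads(d)
    for j, (_, r_j) in ROUTES.items():
        if loads[j] > r_j + tol:
            problems.append(f"route {j}: load {loads[j]:.3f} exceeds r{j} = {r_j}")
    for endpoint in (1, 10):
        if d[endpoint] <= 0:
            problems.append(f"d{endpoint} must be positive (start / customer node)")
    if any(v < 0 for v in d.values()):
        problems.append("negative flow at some node")
    return problems


def selected_route(d: Dict[int, float]) -> List[int]:
    """Nodes carrying positive flow, in node order: the route the ISP implements."""
    return [i for i in NODES if d[i] > 0]


def attack_free_quantities(d: Dict[int, float], p: float) -> Dict[int, float]:
    """di * ai (megabits) for each node on the selected route, as annotated in Figure 7."""
    a = attack_free_duration(p)
    return {i: d[i] * a[i] for i in selected_route(d)}


if __name__ == "__main__":
    d = flow_vector(LINDO_SOLUTION)
    print("violations:", violations(d) or "none")
    print("route:", selected_route(d), "objective:", round(objective(d, 0.1), 5))
    print("di * ai:", {i: round(q, 3) for i, q in attack_free_quantities(d, 0.1).items()})
```

Running the check confirms the solution route 1, 3, 9, 10 with di ai of .90, .90, 1.8 and .90 megabits, and that routes 1 and 3 are used to capacity (loads of exactly 2 megabits); a flow vector that simply fills potential route 1 fails the same check, which is the kind of negative test an operator should keep alongside the model.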
Figure 7. Internet Cyber Attack Routing Process
[Network diagram not reproduced in this text: nodes 1–10 between the Internet Service Provider
and the customer host (Ethernet); the solution route 1, 3, 9, 10 carries data flow not subject to
cyber attack, annotated as
  d1 x a1 = 1.00 x .9 = .90 megabits
  d3 x a3 = .333 x 2.7 = .90 megabits
  d9 x a9 = .222 x 8.1 = 1.8 megabits
  d10 x a10 = .100 x 9 = .90 megabits
Potential routes (rj: route j data requirement):
  potential route 1: 1, 4, 6, 8, 10: r1 = 2 megabits
  potential route 2: 2, 4, 7, 9, 10: r2 = 3 megabits
  potential route 3: 3, 5, 7, 6, 10: r3 = 2 megabits
  potential route 4: 2, 7, 10: r4 = 2 megabits
  total data quantity = 2 + 3 + 2 + 2 = 9 megabits
  solution route: 1, 3, 9, 10
ai: time duration of data flow in node i not attributed to cyber attack (seconds)]

[CIS05] Cisco Web Site, 2005.

[HIL01] Frederick S. Hillier and Gerald J. Lieberman, Introduction to Operations Research,
Seventh Edition, McGraw Hill, 2001.

[MAD] B. B. Madan and K. S. Trivedi, Security Modeling and Quantification of Intrusion
Tolerant Systems Using Attack-Response Graph, Department of Electrical and Computer
Engineering, Duke University, Durham, North Carolina.

[MIS04] Amitabh Mishra, et al., "Intrusion Detection in Wireless Ad Hoc Networks",
Virginia Tech, IEEE Wireless Communications, February 2004, pp. 48-60.

[SCH05] Norman F. Schneidewind, "Cyber Security Prediction Models", The R & M
Engineering Journal, American Society for Quality, December 2005.

[SUL05] Florin Sultan, Aniruddha Bohra, Stephen Smaldone, and Yufei Pan (Rutgers University),
Pascal Gallard (IRISA/INRIA), Iulian Neamtiu (University of Maryland, College Park), and Liviu
Iftode (Rutgers University), "Recovering Internet Service Sessions from Operating System Failures".
