Internet Cyber Attack Model

Dr. Norman Schneidewind, IEEE Congressional Fellow, US Senate, 2005; Fellow of the IEEE; Naval Postgraduate School

Keywords: Internet Protocols, Internet Routing, Predicting Cyber Attack on Internet Routers

Abstract

Internet protocols (Internet Protocol (IP) and Transmission Control Protocol (TCP)) are evaluated from the standpoint of vulnerability to cyber attacks. Internet routing characteristics that lead to vulnerabilities are also examined. Models are developed that focus on IP and TCP queue characteristics that serve as indicators of an attack and of Internet vulnerabilities. Flow characteristics that can be used to detect and mitigate cyber attacks are analyzed. A risk analysis shows how key Internet security control variables can be used to identify the threshold values for containing a cyber attack. Lastly, a linear program model is used to identify routes in an Internet router network that could be susceptible to malicious activity.

Internet Characteristics that are Related to Cyber Security

IP routing protocols are dynamic. Dynamic routing calls for routes to be calculated automatically at regular intervals by software in routing devices. This contrasts with static routing, where routes are established by the network administrator and do not change until the network administrator changes them. [CIS05]

IP routing specifies that IP datagrams travel through internetworks one hop at a time. The entire route is not known at the onset of the journey. Instead, at each stop, the next destination is calculated by matching the destination address within the datagram with an entry in the current node's routing table. [CIS05]

These dynamic properties of Internet data flow, varying with location and time of network activity, lead us to increase the nominal traffic flow rate as a function of these variables and of the Internet data (see Table 1) in order to correctly analyze the properties of the Internet router queues.
The idea is to capture, in the model, the property of dynamic changes in the routing discipline at startup, eventually decreasing to a steady-state value as the network traffic stabilizes.

Other Security Modeling Approaches

According to [MAD], systems should be architected for security and be able to recover from an intrusion. Such systems are known as intrusion tolerant systems. An attack graph models the ways in which an attacker can compromise the system; the graph enumerates the paths that can lead to failed states. Our approach has some similarities, but we focus on the ability of an Internet Service Provider (ISP) to select safe routes for communicating customer data in the Internet. Whereas [MAD], as part of its model, recommends processes for recovering from an attack, we propose preventive medicine via proactive analysis of potential routes prior to committing to a route.

Internet Cyber Attack Model

In order that the Internet Service Provider (ISP) can anticipate and respond to cyber attacks, such as a Denial of Service (DoS) attack, predictions of the vulnerability count $V_i$ in time period $i$ (months) are made using the non-linear regression function

$V_i = b\,e^{c i}$, with $b = 150.14$ and $c = 0.3952$,

obtained in other research [SCH05]. Figure 1 shows the vulnerability count, which increases steeply as the time period increases. In addition, it is important to predict the attack count $A_i$ in time period $i$. This is obtained by assuming that the difference $d_i = A_i - V_i$ between the attack count and the vulnerability count is proportional to the rate of change of the vulnerability count, $dV_i/di = c\,V_i$. Taking the constant of proportionality to be 1 gives $d_i = c\,V_i$ (the $cV_i$ column of Table 1), and therefore

$A_i = V_i + d_i = V_i(1 + c)$.

The attack count is shown in Figure 1, where it is greater than the vulnerability count for all time periods, along with the difference between the two counts. The mean of this difference plus three standard deviations (150,232 in Table 1) provides a threshold for delineating the high risk region, which occurs in the 16 to 17 month time period: the predicted attack count crosses the threshold between months 16 and 17 ($A_{16}$ = 116,752 and $A_{17}$ = 173,339 in Table 1).
The policy implication for the ISP of this result is to be on high alert for an attack during this period and to attempt to mitigate the risk by reducing vulnerabilities. This could take the form of detecting and controlling excessive router buffer traffic that may be the result of DoS flooding. Table 1 summarizes the attack and vulnerability count data and computations.

Table 1. Internet Cyber Attack and Vulnerability Data
(i: month; V_i: vulnerability count; A_i: attack count; (1+c)cV_i: rate of change of the attack count; d_i = cV_i = A_i - V_i: attack count minus vulnerability count; last column: the mean d_i + 3*stdev threshold)

  i      V_i      A_i   (1+c)cV_i   d_i = cV_i   mean d_i + 3*stdev
  0      150      209          83           59               150232
  1      223      311         123           88               150232
  2      331      462         182          131               150232
  3      491      686         271          194               150232
  4      730     1018         402          288               150232
  5     1083     1511         597          428               150232
  6     1608     2244         887          635               150232
  7     2387     3331        1316          944               150232
  8     3545     4945        1954         1401               150232
  9     5263     7342        2902         2080               150232
 10     7813    10901        4308         3088               150232
 11    11600    16184        6396         4584               150232
 12    17222    24029        9496         6806               150232
 13    25570    35675       14099        10105               150232
 14    37963    52966       20932        15003               150232
 15    56363    78638       31078        22275               150232
 16    83681   116752       46140        33071               150232
 17   124240   173339       68504        49100               150232
 18   184456   257354      101706        72897               150232
 19   273859   382088      151001       108229               150232
 20   406593   567279      224189       160686               150232

mean d_i = 23433; stdev d_i = 42266; mean d_i + 3*stdev = 150232

[Figure 1. Vulnerability Count V_i, Attack Count A_i, (A_i - V_i) Limit, d_i, vs. Time Period i (month). Plot of counts (0 to 600,000) against i (0 to 25) with curves for the attack count, the vulnerability count and d_i, and a horizontal threshold line at mean d_i + 3*stdev = 150,232 delineating the high risk region above it.]

Data Flow Model for Internet

This model characterizes the Internet threat in terms of anomalous flow rates that may be indicative of a data flooding attack.
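As an added worked example (not code from the paper), the following Python reproduces Table 1 and the high-risk threshold from the model above: $V_i = b\,e^{ci}$, $A_i = V_i(1+c)$, $d_i = cV_i$, and the control limit mean($d_i$) + 3*stdev($d_i$). The sample standard deviation (n - 1) is assumed because that is what reproduces the 42,266 in Table 1; the function names are ours, not the paper's.

```python
"""Vulnerability/attack-count prediction with a mean + 3*stdev control limit.

Added example (not the paper's own code): it evaluates the paper's regression
V_i = b * e^(c*i), the derived attack count A_i = V_i * (1 + c), the difference
d_i = A_i - V_i = c * V_i, and the threshold mean(d_i) + 3 * stdev(d_i) used to
delimit the high-risk region. The sample standard deviation (n - 1) is assumed,
because that is what reproduces Table 1's value of 42,266.
"""
import math
from statistics import mean, stdev

B = 150.14   # regression coefficients from [SCH05]
C = 0.3952


def vulnerability_count(i, b=B, c=C):
    """Predicted vulnerability count in month i: V_i = b * exp(c * i)."""
    return b * math.exp(c * i)


def attack_count(i, b=B, c=C):
    """Predicted attack count in month i.

    The paper assumes d_i = A_i - V_i is proportional to dV_i/di = c * V_i with
    proportionality constant 1, so A_i = V_i + c * V_i = V_i * (1 + c).
    """
    return vulnerability_count(i, b, c) * (1 + c)


def attack_table(periods=21, b=B, c=C):
    """Rows of (i, V_i, A_i, dA_i/di, d_i) for i = 0 .. periods-1, as in Table 1."""
    rows = []
    for i in range(periods):
        v = vulnerability_count(i, b, c)
        a = attack_count(i, b, c)
        rows.append((i, v, a, (1 + c) * c * v, a - v))
    return rows


def control_limit(values, k=3.0):
    """Upper control limit: mean + k * sample standard deviation."""
    return mean(values) + k * stdev(values)


def first_period_over(series, limit):
    """Index of the first period whose value exceeds the limit, or None."""
    for i, value in enumerate(series):
        if value > limit:
            return i
    return None


def high_risk_analysis(periods=21, b=B, c=C):
    """Return (threshold, first month A_i exceeds it, first month d_i exceeds it)."""
    rows = attack_table(periods, b, c)
    d = [row[4] for row in rows]
    a = [row[2] for row in rows]
    threshold = control_limit(d)
    return threshold, first_period_over(a, threshold), first_period_over(d, threshold)


if __name__ == "__main__":
    thr, a_cross, d_cross = high_risk_analysis()
    for i, v, a, rate, d in attack_table():
        print(f"{i:2d} {v:10.0f} {a:10.0f} {rate:10.0f} {d:10.0f}")
    print(f"threshold = {thr:.0f}; A_i first exceeds it in month {a_cross}, "
          f"d_i in month {d_cross}")
```

Running it prints the 21 rows of Table 1 and a threshold of about 150,232. The attack count first exceeds the threshold in month 17, but the difference $d_i$ does not exceed it until month 20; a decision maker who compares $A_i$ against the limit gets the 16 to 17 month warning the text describes, while one who watches $d_i$ alone would not be alerted until three months later.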
This model uses the assumption that Internet flow into a device, such as a router, is governed by exponential service times and Poisson arrivals, based on the facts that the distribution of service times is skewed, i.e. exponential (higher probability of short service times and lower probability of long service times), and that packet arrivals are random and independent of the packet arrival history (i.e., Poisson). Using these assumptions, we define the following quantities:

$\lambda_I$: data flow rate into the Internet Protocol router queue (packets per second)
$i$: time period of data flow (months)
$\mu_I$: service rate of the Internet Protocol router queue (packets per second)
$\rho_I$: utilization of the Internet Protocol router queue = 0.5 (arbitrarily selected)
$nw_I$: mean number of packets waiting in the Internet Protocol router queue
$tw_I$: mean wait time in the Internet Protocol router queue (seconds per packet)

[Figure 2. Mean Number of Packets Waiting in the Internet Protocol queue, $nw_I$ (packets, y-axis 0 to 7), vs. Data Flow Rate $\lambda_I$ (packets per second, 0 to 2.2). A horizontal threshold at mean $nw_I$ + 3*stdev separates the safe area below from the high risk area above.]

Having defined the key data flow quantities, we use queuing formulas that can be found in various texts, such as [HIL01]. The service rate $\mu_I$ of the Internet Protocol (IP) queue is computed from

$\mu_I = \lambda_I / \rho_I$.

Once $\mu_I$ is available, the mean number of packets waiting in the Internet router queue,

$nw_I = \dfrac{\lambda_I^2}{\mu_I(\mu_I - \lambda_I)}$,

can be obtained and plotted in Figures 2 and 3. This is the standard M/M/1 result and is valid only for $\lambda_I < \mu_I$; as the arrival rate approaches the service rate the queue grows without bound, which is precisely the regime into which a flooding attack drives a router. Figure 2 shows the delineation of the high risk area in contrast to the safe area, where the demarcation is based on the mean queue size plus three standard deviations. Of course, we realize that a large queue size might only represent a high load in the Internet.
However, using a data flow monitor, we would sound an "alarm" under this condition to try to determine whether this is just a normal high load or a denial of service attack attempting to flood the router. In Figure 3, we show the mean number of packets waiting, $nw_I$ and $nw_T$, in the Internet Protocol (IP) and Transmission Control Protocol (TCP) queues, respectively, as a function of the time period $i$ of input to the queue. In addition, the diagram shows the control line, representing three standard deviations above the mean for the IP queue. The purpose of the control line is to allow the cyber security decision maker to ascertain the risk of attack based on suspicious Internet router activity incurred by overload at the input queues of the router.

[Figure 3. Mean Number of Packets Waiting in the Internet Queue, $nw_I$, and in the TCP Queue, $nw_T$, vs. Time Period $i$ (month, 0 to 16). Y-axis 0 to 16 packets; the $nw_T$ curve lies above the $nw_I$ curve, and a horizontal control limit separates the safe region below from the high risk region above.]

[Figure 4. Mean Time Waiting in the Internet Protocol Queue, $tw_I$ (seconds per packet, 0 to 0.16), vs. Time Period $i$ (month, 0 to 18); the maximum of the curve is marked as the high risk point.]

In addition to the number of packets waiting for service at an Internet router queue, it is important to investigate the cyber attack risk represented by queue waiting times that may be indicative of a cyber attack. Figure 4 shows how the waiting time in an Internet router queue varies with the time period $i$. The maximum value identifies the high risk situation for the cyber security analyst. The mean time a packet waits in the Internet Protocol router queue is

$tw_I = \dfrac{\lambda_I}{\mu_I(\mu_I - \lambda_I)}$.

Analysis of Transmission Control Protocol (TCP) Host Input Queue

In this section we analyze the IP router and TCP host queue characteristics in order to identify queue behavior that is abnormal and may be suggestive of Internet attacks.
Because TCP incurs more overhead than the Internet Protocol (IP), the input rate $\lambda_I$ of the IP queue is augmented by the factor $1 + f$, where $f$ is the overhead factor, and the IP router service rate $\mu_I$ is reduced by the factor $1 - f$ to obtain the rates of the TCP host queue:

$\lambda_T = \lambda_I(1 + f)$, $\mu_T = \mu_I(1 - f)$,

where $\lambda_T$ is the input rate and $\mu_T$ the service rate of the TCP host queue. An overhead factor of $f = 0.20$ is arbitrarily assigned. Substituting into the IP expression $nw_I$ shown previously gives the mean number of segments waiting in the TCP host queue, $nw_T$:

$nw_I = \dfrac{\lambda_I^2}{\mu_I(\mu_I - \lambda_I)}$

$nw_T = \dfrac{\big(\lambda_I(1 + f)\big)^2}{\mu_I(1 - f)\,\big(\mu_I(1 - f) - \lambda_I(1 + f)\big)}$

Similarly, the TCP queue waiting time $tw_T$ is obtained from the expression for the mean time a packet waits in the Internet Protocol router queue by the same substitution of $\lambda_I(1 + f)$ for $\lambda_I$ and $\mu_I(1 - f)$ for $\mu_I$:

$tw_I = \dfrac{\lambda_I}{\mu_I(\mu_I - \lambda_I)}$

$tw_T = \dfrac{\lambda_I(1 + f)}{\mu_I(1 - f)\,\big(\mu_I(1 - f) - \lambda_I(1 + f)\big)}$

Note that the TCP queue is stable only while $\lambda_T < \mu_T$, i.e. $\rho_I < (1 - f)/(1 + f)$, which for $f = 0.20$ means $\rho_I < 2/3$; the overhead factor therefore narrows the margin before the host queue saturates under a flood.

The time spent in the TCP queue servicing arriving packets is shown in Figure 4.1, where the values are much larger than was the case in Figure 4 for the IP queue, reflecting the fact that TCP incurs overhead in relation to IP. Again, the high risk area is delineated from the safe area. In this case, the mean value of $tw_T$ is used to show this demarcation; the standard deviation is not used for this purpose because its high value would not provide a suitable control line. The values above the control line identify the high risk situation that could be caused by flooding of the TCP queue by virtue of a cyber attack.

[Figure 4.1. Time in TCP Queue, $tw_T$ (seconds per packet, 0 to 60), vs. Time Period $i$ (months, 0 to 12); a horizontal control line at the mean of $tw_T$ separates the safe area below from the high risk area above.]

The TCP host queue characteristics, presented quantitatively above, are shown pictorially in Figure 0.
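The following Python is an added example, not code from the paper, covering both the IP router queue model of the previous section and the TCP host queue transform above. It implements $nw = \lambda^2/(\mu(\mu-\lambda))$, $tw = \lambda/(\mu(\mu-\lambda))$, the substitution $\lambda_T = \lambda_I(1+f)$, $\mu_T = \mu_I(1-f)$, and the mean + 3*stdev control limit. Two things are assumptions of ours rather than statements of the paper: the IP service rate is fixed once from the nominal rate ($\mu_I = \lambda_0/\rho_I$) while $\lambda_i$ grows over the months, and the arrival series is constructed, with a flood injected at month 12.

```python
"""M/M/1 router-queue indicators with a mean + 3*stdev control limit.

Added example, not code from the paper. It implements the paper's queueing
formulas: nw = lambda^2 / (mu (mu - lambda)) packets waiting, tw = lambda /
(mu (mu - lambda)) seconds waiting, the TCP transform lambda_T = lambda_I (1 + f),
mu_T = mu_I (1 - f), and the control limit mean + 3 * stdev. Assumptions not in
the paper: the IP service rate is fixed once from the nominal rate (mu_I =
lambda_0 / rho_I) while lambda_i grows over the months, and the arrival series
below is constructed, with a flood injected at month 12.
"""
from statistics import mean, stdev

RHO_I = 0.5   # utilization of the IP router queue, arbitrary in the paper
F = 0.20      # TCP overhead factor, arbitrary in the paper


def packets_waiting(lam, mu):
    """Mean number waiting in an M/M/1 queue, nw = lam^2 / (mu (mu - lam)).

    Returns None when lam >= mu: the queue is unstable and grows without bound,
    which is the regime a flooding attack pushes a router into.
    """
    if lam >= mu:
        return None
    return lam * lam / (mu * (mu - lam))


def wait_time(lam, mu):
    """Mean wait in an M/M/1 queue, tw = lam / (mu (mu - lam)); None if unstable."""
    if lam >= mu:
        return None
    return lam / (mu * (mu - lam))


def tcp_rates(lam_i, mu_i, f=F):
    """TCP host queue rates: arrivals inflated by (1 + f), service cut by (1 - f)."""
    return lam_i * (1 + f), mu_i * (1 - f)


def tcp_stable_utilization(f=F):
    """Largest IP utilization rho_I for which the TCP queue is still stable.

    lam_T < mu_T  <=>  rho_I (1 + f) < (1 - f)  <=>  rho_I < (1 - f) / (1 + f).
    """
    return (1 - f) / (1 + f)


def control_limit(values, k=3.0):
    """Upper control limit mean + k * sample stdev over the given series."""
    return mean(values) + k * stdev(values)


def flag_high_risk(series, baseline=None, k=3.0):
    """Return (limit, periods whose value exceeds the control limit).

    `baseline` is the series used to set the limit; the paper uses the whole
    observed series, which is the default here. In practice use a window known
    to be clean, otherwise the flood inflates the stdev and masks smaller floods.
    """
    limit = control_limit(baseline if baseline is not None else series, k)
    return limit, [i for i, v in enumerate(series) if v is not None and v > limit]


def constructed_arrivals(months=16, lam0=1.0, step=0.05, flood_month=12, flood=1.9):
    """Constructed IP arrival series (packets/s): slow growth plus one flood."""
    return [flood if i == flood_month else lam0 + step * i for i in range(months)]


def router_queue_report(rho_i=RHO_I, f=F):
    """Per-month nw_I and nw_T, and the months flagged by the nw_I control limit."""
    lams = constructed_arrivals()
    mu_i = lams[0] / rho_i                 # fixed from the nominal rate (assumption)
    nw_i = [packets_waiting(l, mu_i) for l in lams]
    nw_t = [packets_waiting(*tcp_rates(l, mu_i, f)) for l in lams]
    limit, flagged = flag_high_risk(nw_i)
    return {"mu_I": mu_i, "nw_I": nw_i, "nw_T": nw_t, "limit": limit, "flagged": flagged}


if __name__ == "__main__":
    r = router_queue_report()
    for i, (a, b) in enumerate(zip(r["nw_I"], r["nw_T"])):
        print(f"month {i:2d}: nw_I={a}  nw_T={b}")
    print(f"control limit {r['limit']:.2f}; high-risk months {r['flagged']}")
```

If $\rho_I$ were held at 0.5 for every month, $nw_I = \rho_I^2/(1-\rho_I) = 0.5$ would be constant and the control limit degenerate (stdev 0), which is why the example fixes $\mu_I$ from the nominal rate and lets $\lambda_i$ grow. Under that assumption the injected flood at month 12 is the only month above the limit (about 18 packets waiting against a limit near 16, with the steady high-load months topping out near 6), and for that same month the TCP queue has $\lambda_T \ge \mu_T$ and is reported as unstable (None) rather than as a negative "mean".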
This figure fleshes out the abstraction of the equations to show a real system: the IP router queue feeding the TCP input queue. In addition, the figure shows a data congestion countermeasure and recovery in the form of a congestion monitor and feedback recovery loop designed to automatically check the router input for excessive data flow. The use of a monitor for data overflow detection and recovery was reported in [SUL05].

[Figure 0. Analysis of Transmission Control Protocol (TCP) Host Input Queue. Block diagram: the Internet Protocol (IP) router output queue ($\lambda_I$: IP input rate, $\mu_I$: IP service rate, $nw_I$: IP number of packets waiting, $tw_I$: IP waiting time) feeds the TCP host queue ($\lambda_T$: TCP input rate, $\mu_T$: TCP service rate, $nw_T$: TCP number of packets waiting, $tw_T$: TCP waiting time); a monitor for congestion observes $nw_T$ and $tw_T$ and drives a feedback loop to higher level protocols and back to $\lambda_T$, $\mu_T$ to correct for congestion.]

Internet – Local Network Packet Rate Evaluation

Now we take a look at how Internet traffic varies when the Internet is connected to a local area network (LAN): increases in the quantity and variation of traffic on the LAN, due to a high data rate on the Internet router side, suggest possible cyber attacks, as shown in Figure 5. The quantity $R_i$, the ratio between the Internet and LAN packet rate functions, is assumed to have the following form, for the purpose of illustrating the concept:

$R_i = \dfrac{10 \ln(I_i)}{e^{L_i}}$,

where $I_i$ is the Internet packet rate (megabits per second) at time $i$ and $L_i$ is the LAN packet rate (megabits per second) at time $i$.

In order to investigate a possible maximum of $R_i$ with respect to $i$ that might yield a value suggesting a high risk of cyber attack, based on a disproportionate traffic relationship between the Internet and the LAN, the rate of change of $R_i$ is derived and the condition for its maximum determined as follows. By the chain rule,

$\dfrac{dR_i}{di} = 10\,e^{-L_i}\left(\dfrac{1}{I_i}\dfrac{dI_i}{di} - \ln(I_i)\dfrac{dL_i}{di}\right)$,

which, when $I_i$ and $L_i$ change at the same (unit) rate with $i$, reduces to

$\dfrac{dR_i}{di} = 10\left(\dfrac{1}{I_i} - \ln(I_i)\right)e^{-L_i}$.

Setting this to 0, we obtain $I_i \ln(I_i) = 1$ as the condition for the maximum of $R_i$.
This occurs at $i = 5$ and $R_i \approx 10$, as shown in Figure 6, indicating the maximum risk from Internet traffic relative to that of the LAN, suggesting traffic overload due, for example, to Internet router flooding.

Risk Analysis for Cyber Security Attacks

The primary risk variables for a cyber security decision maker to use in deciding whether to mitigate vulnerabilities and, hence, risk are based on predicted key cyber security variable values that exceed control limits. For example, if the perceived threat is a Denial of Service (DoS) attack, the decision maker may decide to install a filter to identify an excessive flow rate $d_i$ and queue size $nw$ and discard illegitimate packets, as shown in Figure 5.

[Figure 5. Internet Cyber Attack Environment. Block diagram: a data source on the local area network sends through the Internet router's input queue to the data sink; a DoS attack produces excessive flow $d_i$ into the queue. The router applies control limits on data flow and queue size: upper limit on flow rate = $d_i$(mean) + 3 SD; upper limit on queue size $nw$ = $nw$(mean) + 3 SD. Access Control Lists (ACLs) are used to filter packets and check for excessive flow rate and queue size, discarding packets deemed illegitimate.]

[Figure 6. Internet / Local Network Traffic Ratio $R_i$ vs. Time of Traffic $i$ (month, 0 to 18); y-axis 0 to 12; the maximum $R_i$ at $i = 5$ is marked as the maximum risk.]

Internet Cyber Attack Routing Process

Denial of Service attacks have raised the level of concern that the next generation of attacks could make previous attacks look puny. Should someone exploit a Border Gateway Protocol (BGP) enabled router, network monitors, such as the one shown in Figure 0, seek out and discard the tidal wave of false messages. Let us see some of the ways that Internet routing can be compromised by malicious attacks [MIS04]:

1. When there are a number of unusual routing requests to the network nodes.
2. When a Denial of Service (DoS) attack is generating false control and data packets, causing significant traffic on proposed but erroneous routes, as shown in Figure 7.
3. The source does not receive replies in the expected time because the attacker has flooded the network, as would occur if the proposed routes in Figure 7 are utilized.

The operators of Internet Service Provider (ISP) facilities need to know which routers and routes under their control are safe from cyber attacks, such as router flooding. To do this, the operators can develop and implement a linear program model. Upon solving the model for the best route, the ISP uses that route to satisfy the customer computing demands, as shown in Figure 7. In the example solution, with $p_i = 0.1$, there are four potential routes, as shown in the definitions below and in Figure 7. However, the solution to the linear program formulation selects a single route, and it is not any of the four potential routes. This route, then, is implemented by the ISP, as shown in Figure 7. Thus, the ISP has at its disposal a tool for avoiding cyber attacks, based on judicious route selection.
In order to understand the model, the following definitions are needed:

node $i$: Internet router
$d_i$: data flow in node $i$ (megabits per second)
$t_i$: time duration of data flow in node $i$ (seconds): $t_1 = 1$, $t_2 = 2$, $t_3 = 3$, $t_4 = 4$, $t_5 = 5$, $t_6 = 6$, $t_7 = 7$, $t_8 = 8$, $t_9 = 9$, $t_{10} = 10$
$p_i$: probability of attack on Internet routers (0.1, 0.2, 0.3, 0.4)
$1 - p_i$: probability of no attack on Internet nodes
$a_i$: time duration of data flow in node $i$ not attributed to cyber attack (seconds)
$r_j$: data flow requirement for potential route $j$ (megabits): $r_1 = 2$, $r_2 = 3$, $r_3 = 2$, $r_4 = 2$

Once terms have been defined, we can set up the model format:

$a_i = t_i(1 - p_i)$

For $p_i = 0.1$:
$a_1 = 0.9 \times 1 = 0.9$
$a_2 = 0.9 \times 2 = 1.8$
$a_3 = 0.9 \times 3 = 2.7$
$a_4 = 0.9 \times 4 = 3.6$
$a_5 = 0.9 \times 5 = 4.5$
$a_6 = 0.9 \times 6 = 5.4$
$a_7 = 0.9 \times 7 = 6.3$
$a_8 = 0.9 \times 8 = 7.2$
$a_9 = 0.9 \times 9 = 8.1$
$a_{10} = 0.9 \times 10 = 9$

Objective Function:

Maximize $\sum_i d_i (1 - p_i)\, a_i$

Subject to:

$d_1 t_1 + d_4 t_4 + d_6 t_6 + d_8 t_8 + d_{10} t_{10} \le r_1$
$d_2 t_2 + d_4 t_4 + d_7 t_7 + d_9 t_9 + d_{10} t_{10} \le r_2$
$d_3 t_3 + d_5 t_5 + d_7 t_7 + d_6 t_6 + d_{10} t_{10} \le r_3$
$d_2 t_2 + d_7 t_7 + d_{10} t_{10} \le r_4$
$d_1 > 0$, $d_{10} > 0$ (there must be positive data flow at node 1, the start node, and at node 10, the end node, which is the customer node of the routes)

The following is the solution obtained using the LINDO linear program software:

$d_1 = 1.000$ megabits per second
$d_2 = 0$
$d_3 = 0.333$ megabits per second
$d_4 = 0$
$d_5 = 0$
$d_6 = 0$
$d_7 = 0$
$d_8 = 0$
$d_9 = 0.222$ megabits per second
$d_{10} = 0.100$ megabits per second

The properties of the solution are summarized in Figure 7, where the potential routes are shown; these routes are overridden, based on the model solution, which selects an entirely different route that is not subject to cyber attack.
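As an added example (not the paper's LINDO run), the following Python sets up the model exactly as defined above (nodes 1 to 10 with $t_i = i$, $p_i = 0.1$, $a_i = t_i(1 - p_i)$, the objective $\sum_i d_i (1 - p_i) a_i$, and one capacity constraint per potential route) and solves it with a small dense-tableau simplex using Bland's rule. The paper states only $d_1 > 0$ and $d_{10} > 0$; a strict inequality cannot be expressed in an LP, so the example assumes the lower bound $d_{10} \ge 0.1$, the value in the printed solution. The solver, the helper names and that bound are ours.

```python
"""Safe-route selection as a linear program, solved with a small simplex.

Added example, not the paper's LINDO run. It sets up the paper's model: nodes
i = 1..10 with flow durations t_i = i, attack probability p = 0.1, a_i =
t_i (1 - p), objective maximize sum_i d_i (1 - p) a_i, and one capacity
constraint sum_{i in route j} d_i t_i <= r_j per potential route. The paper
states only d_1 > 0 and d_10 > 0; a strict inequality is not expressible in an
LP, so d_10 >= 0.1 is assumed here because that is the value in the printed
solution. The solver is a textbook dense-tableau simplex with Bland's rule.
"""

T = [float(i) for i in range(1, 11)]          # t_i, seconds, nodes 1..10
P = 0.1                                        # attack probability p_i
ROUTES = [([1, 4, 6, 8, 10], 2.0),             # (nodes on route j, r_j megabits)
          ([2, 4, 7, 9, 10], 3.0),
          ([3, 5, 7, 6, 10], 2.0),
          ([2, 7, 10], 2.0)]
D10_MIN = 0.1                                  # assumed lower bound on d_10


def simplex_max(c, A, b, eps=1e-9):
    """Maximize c.x subject to A x <= b, x >= 0, with b >= 0 (origin feasible)."""
    m, n = len(A), len(c)
    tab = [[float(v) for v in A[i]] + [1.0 if j == i else 0.0 for j in range(m)]
           + [float(b[i])] for i in range(m)]
    tab.append([-float(v) for v in c] + [0.0] * (m + 1))   # reduced costs, value
    basis = [n + i for i in range(m)]                       # slacks start basic
    while True:
        enter = next((j for j in range(n + m) if tab[-1][j] < -eps), None)
        if enter is None:
            break                                           # optimal
        row, best = None, None
        for i in range(m):                                  # ratio test (Bland ties)
            if tab[i][enter] > eps:
                ratio = tab[i][-1] / tab[i][enter]
                if best is None or ratio < best - eps or (
                        abs(ratio - best) <= eps and basis[i] < basis[row]):
                    row, best = i, ratio
        if row is None:
            raise ValueError("unbounded LP")
        piv = tab[row][enter]
        tab[row] = [v / piv for v in tab[row]]
        for i in range(m + 1):
            if i != row and abs(tab[i][enter]) > eps:
                f = tab[i][enter]
                tab[i] = [vi - f * vr for vi, vr in zip(tab[i], tab[row])]
        basis[row] = enter
    x = [0.0] * n
    for i, bi in enumerate(basis):
        if bi < n:
            x[bi] = tab[i][-1]
    return x, tab[-1][-1]


def build_model(p=P, routes=ROUTES, t=T, d10_min=D10_MIN):
    """Objective c, constraint matrix A and right-hand side b over d_1..d_10.

    d_10 is shifted (d_10 = d10_min + d_10'), which removes d10_min * t_10
    from the capacity of every route that contains node 10.
    """
    a = [ti * (1 - p) for ti in t]
    c = [(1 - p) * ai for ai in a]
    A = [[t[k - 1] if k in nodes else 0.0 for k in range(1, 11)] for nodes, _ in routes]
    b = [r - d10_min * t[9] * (1 if 10 in nodes else 0) for nodes, r in routes]
    return c, A, b


def solve_routes(p=P, routes=ROUTES, t=T, d10_min=D10_MIN):
    """Return (d, objective, nodes carrying flow) for the paper's model."""
    c, A, b = build_model(p, routes, t, d10_min)
    x, z = simplex_max(c, A, b)
    d = list(x)
    d[9] += d10_min
    z += c[9] * d10_min                         # objective of the un-shifted d
    chosen = [i + 1 for i, di in enumerate(d) if di > 1e-9]
    return d, z, chosen


def evaluate(d, p=P, routes=ROUTES, t=T):
    """(feasible?, objective, sum of d_i * a_i) for any candidate flow vector d."""
    a = [ti * (1 - p) for ti in t]
    feasible = all(sum(d[k - 1] * t[k - 1] for k in nodes) <= r + 1e-9
                   for nodes, r in routes)
    objective = sum(di * (1 - p) * ai for di, ai in zip(d, a))
    protected_flow = sum(di * ai for di, ai in zip(d, a))   # the d_i x a_i of Figure 7
    return feasible, objective, protected_flow


PAPER_SOLUTION = [1.0, 0, 1 / 3, 0, 0, 0, 0, 0, 2 / 9, 0.1]   # LINDO result in the text


if __name__ == "__main__":
    d, z, chosen = solve_routes()
    print("simplex:", [round(v, 3) for v in d], "objective", round(z, 3), "nodes", chosen)
    print("paper  :", evaluate(PAPER_SOLUTION))
```

The printed LINDO solution is feasible, attains the objective 4.05, and its per-node products $d_i a_i$ sum to 4.5, matching Figure 7. The optimal value is unique but the flow assignment is not: nodes that appear in the same set of constraints (node 1 and node 8 are both only on potential route 1, for instance) earn the same objective per unit of $d_i t_i$, so this simplex lands on nodes 1, 2, 3, 9, 10 while LINDO reported 1, 3, 9, 10, both at 4.05. An ISP using the model should therefore treat the solver's route as one of several equally good answers and confirm it is one it actually considers safe; the LP itself does not rank the alternative optima.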
[Figure 7. Internet Cyber Attack Routing Process. Network of routers 1 to 10 between the Internet Service Provider and the customer host (Ethernet), with the potential routes and the solution route drawn. Per-node data flow not subject to cyber attack, $d_i \times a_i$: $d_1 a_1 = 1.00 \times 0.9 = 0.90$ megabits; $d_3 a_3 = 0.333 \times 2.7 = 0.90$ megabits; $d_9 a_9 = 0.222 \times 8.1 = 1.8$ megabits; $d_{10} a_{10} = 0.100 \times 9 = 0.90$ megabits.
Potential route 1: 1, 4, 6, 8, 10; $r_1$ = 2 megabits
Potential route 2: 2, 4, 7, 9, 10; $r_2$ = 3 megabits
Potential route 3: 3, 5, 7, 6, 10; $r_3$ = 2 megabits
Potential route 4: 2, 7, 10; $r_4$ = 2 megabits
Total data quantity of the potential routes = 2 + 3 + 2 + 2 = 9 megabits
Solution route: 1, 3, 9, 10
$r_j$: route $j$ data requirement; $a_i$: time duration of data flow in node $i$ not attributed to cyber attack (seconds)]

References

[CIS05] Cisco Web Site, 2005.
[HIL01] Frederick S. Hillier and Gerald J. Lieberman, Introduction to Operations Research, Seventh Edition, McGraw-Hill, 2001.
[MAD] B. B. Madan and K. S. Trivedi, "Security Modeling and Quantification of Intrusion Tolerant Systems Using Attack-Response Graph", Department of Electrical and Computer Engineering, Duke University, Durham, North Carolina.
[MIS04] Amitabh Mishra et al., "Intrusion Detection in Wireless Ad Hoc Networks", Virginia Tech, IEEE Wireless Communications, February 2004, pp. 48-60.
[SCH05] Norman F. Schneidewind, "Cyber Security Prediction Models", The R & M Engineering Journal, American Society for Quality, December 2005.
[SUL05] Florin Sultan, Aniruddha Bohra, Stephen Smaldone, Yufei Pan (Rutgers University), Pascal Gallard (IRISA/INRIA), Iulian Neamtiu (University of Maryland, College Park) and Liviu Iftode (Rutgers University), "Recovering Internet Service Sessions from Operating System Failures", IEEE Internet Computing, March-April 2005, pp. 17-26.