Nonlinear Resoure Alloation in Restoration of Compromised Systems Qunwei Zheng *, Xiaoyan Hong *, Sibabrata Ray * Computer Siene Department, Uniersity of Alabama, Tusaloosa, AL 35487 Google In. 64 Arizona Bld. Santa Monia, CA 941 Abstrat Under seurity threats, today s networks are being made to be intrusion tolerant. In a large sale, series are ontinuing (at a degraded leel) while ompromising and reoering are both progressing. One of the key problems in the restoration proedure regards to the resoure alloation strategies, typially a minimized total ost onerning both serie loss and resoure epense. In this paper, we inestigate the ahieable minimal total ost and orresponding resoure alloation strategy for different situations. The situations inlude nonlinear relationship between resoure alloation rate and the restoration rate, and its ariant when time fator is onerned. We present ost models and numerial results. The results show the impat from arious system parameters on the ritial onditions for a suessful system restoration and the minimal ost. An important result of our study suggests that tight operational region eists under ertain onditions. I. INTRODUCTION Despite the large amount of network seurity methods deployed oer the world, it is highly desired that today s networks, be it Internet, Ad ho networks, or sensor networks, are intrusion tolerant [3] [8], i.e., the systems are able to ontinue its operation een under attaks. When this happens, the performane of the system might degrade due to intrusion but the serie it proides must neer stop. In the meantime, the system s owners will typially use large amount of resoures to restore the ompromised system. Let us take an Internet worm attak for eample. Fig. 1 shows the spread of Internet worm named Code Red in 21. It infeted hundreds of thousands of mahines and aused a huge damage [6]. The figure shows that the infetion rate was low at the beginning. Then during a ertain period the rate beame ery high. The number of infeted mahines inreased quikly. Eentually, the infetion stopped when people learned how to defend the worm, and more and more mahines were restored. The worm finally died out and all mahines beame normal again. Clearly, restoration of the system (here all the mahines that ould be infeted) started at a ertain time and the effort leaded to final reoery of the whole system. One of the key problems in the restoration proedure regards to the resoure alloation strategies, typially a minimized total ost onerning both serie loss and resoure epense. In the area of network seurity, ost has been used as a fator in analyzing the damage resulting from denial of serie attaks [5], in suggesting inestment strategies of seurity solutions [2], and in serer repliation strategies [7]. But none of these work nor other publiations hae studied resoure alloation problem in restoration proedure and the ost inurred in that proedure. In this paper, we present ost analysis on resoure alloation for the restoration proedure. We fous ourseles on abstrat systems instead of studying a partiular attaking eent like Code Red. We assume a system is omprised of a large number of mahines (nodes) whih hae same restoration properties, e.g., reoery speed and restoration ost. And the owner has only limited resoure. We will inestigate the ahieable minimal total ost and orresponding resoure alloation strategy for different situations. These situations inlude nonlinear relationship between resoure alloation and the outome - restoration rate, and its ariant when time fator is onerned. In the analysis, we model the total ost as a sum of serie loss and resoure epense. In laking of losed form solutions, we present numerial results showing impat from arious system parameters, e.g, the ompromise rate, the initial system damage perentage, et., on the ritial onditions for suessful system restoration, the time ahieing total restoration, the minimum ost, et.. An important result of our study suggests that tight operational region eists under ertain onditions. One unsoled problem, though, is the alidation of the model. Currently we are searhing for real resoure usage data from arious soures, e.g., worm spread study. Neertheless, the analysis and the results presented in the paper sheds a light on optimal usage of resoures in ombating network seurity breahes. The rest of the paper is organized as follows. Setion II desribes the system model and the ost model. Setion III introdues nonlinear funtions for the restoration rates in terms of the resoure alloation rate, with time-ariable and time-inariable features. We then present ost analysis based on the time-ariable nonlinear funtion and time-inariable nonlinear funtion in Setion IV. Numerial results are gien in Setion V. Setion VI onludes the paper. II. THE SYSTEM MODEL When a system is in a restoration proedure, the state of a system is deided by the rates of two opposite parties: the ompromise rate of the attaker and the restoration rate u of the owner. If the ompromise rate of the attaker is larger than the restoration rate u of the owner, more and more nodes in the system will be ompromised. On the ontrary, if restoration rate u is larger, inreasing number of nodes will turn bak to normal. The system is illustrated in Fig. 2 as a retangle, where the shaded area represents the unompromised part of the system, i.e., the serie is still aailable. Partiularly, the left retangle in the figure is a normal system and the right one is a partially ompromised system. In Fig. 2, l is the full serie ability of the system, for eample, the total number of nodes in the system. is the portion of the system that has been ompromised, e.g., the number of infeted nodes. The attaker and the owner ompete with eah other in order to hae full ontrol oer the system. The rate of ompromise is deided by the attaker. But the owner an adjust her restoration rate u whih in turn is onstrained by the amount of resoure that she alloates, for
eample, budget, or manpower. Howeer, if u <, the system will eentually be totally ompromised by the attaker. We identify two types of ost in the restoration proedure. The first type is a serie loss ost C 1. It omes from the fat that the ompromised system an only proide a degraded serie to its lients. The seond type is a restoration epense ost C 2. It omes from the fat that the system owner must utilize all possible resoures she possesses to put the system bak to work. These inlude manpower, inestment on new seurity software and hardware, the ost of reourse to seurity ompanies, et. The total ost C is the sum of the loss and the epense: C = C 1 + C 2. granularity and thus is regarded as a ontinuous ariable. A good approimation is ahieable if the amount of resoure is large. Otherwise, one the optimal alloation is found in ontinuous ase, a brute fore searh in the neighborhood will gie optimal or near optimal integer solution. III. RESOURCE ALLOCATION In this setion we define the nonlinear relationship between the resoure usage and the restoration rate. Let be the rate of resoure spent for restoration, the restoration rate u is thus a funtion of, denoted as u(). The relationship should satisfy the law of diminishing marginal utility [1]. In addition, the relationship ould be onstant or ariable oer the time. We present funtions apturing these features in this setion. Analysis on minimal ost will be presented in the net setion (Setion IV) for both time-inariable and time-ariable ases. Fig. 1. Cumulatie total mahines infeted by Code Red worm (from www.aida.org) Fig. 2. Normal (left) and partially ompromised system (right) The total ost is affeted by the two losely related omponents. If the system owner onsumes more resoures, that is, inreases the epense C 2, the system will be restored faster and the loss C 1 will be smaller. If, on the ontrary, the system owner onsumes less resoures, that is, the epense C 2 is small, the system will be restored slower and the loss C 1 will be large. Compleities ome from many aspets: ompromise rate ould be onstant or time-arying, the usage of resoures is not neessarily ontributing to the restoration linearly, or the rate of restoration u ould also be onstant or time-arying. In this researh, we will inestigate the ahieable minimal ost for the situations that the usage of resoures ontributes to the restoration not linearly. In addition, the nonlinear relationship ould be onstant or ariable oer the time. For simpliity, we assume the ompromise rate is onstant oer time. This implies that the restoration is quik in the sense that it reoers the whole system before it is fully ompromised. Or, it implies that the system is large so that the attaker ould not attak all nodes before the total reoery. In our analysis, we will use a ontinuous model to approimate the disrete number of omputers ompromised, gien that the auray is ahieable when the system ontains a large number of omputers. Suh assumption is ommon in worm spread researh, for eample, the modelling of Code Red worm [9]. We also assume that resoure an be spent at arbitrary A. Neessary Conditions Spending resoures has seeral limitations, so to the restoration. There are seeral onditions that the relationship of the two, u() and, should satisfy. First, the restoration rate u should be when no resoure is alloated. That is u() =. Seond, the relation between the restoration rate and the amount of resoures alloated should obey a general eonomis rule alled the law of diminishing marginal utility [1]. The law of diminishing marginal utility states that as the indiidual s onsumption inreases, the marginal utility of eah additional unit delines. In our ases, as the amount of alloated resoures inreases, the restoration rate inreases but the amount of this inrease delines. Aording to definition, the law of diminishing marginal utility requires that du() d >, d 2 u() d 2 < Third, there is an upper bound for the restoration rate, i.e., the rate of restoration an not be arbitrarily large een if the resoure alloation ould be infinitely large. This is true that a single reoery ation has to spend a minimum amount of time. For eample, when a mahine is ompromised by an Internet worm, a minimum time must be spent before it an be reoered. The time is needed for figuring out the problem, installing a solution, et. Thus we hae lim u() = A, where A is the upper bound. B. Time-inariable Restoration Rate One lass of funtion that satisfy the aboe three neessary onditions is: u() = A(1 ρ δ ), < δ 1, < ρ < 1 (1) where ρ and δ are parameters that ontrol the effetieness in using resoure. This lass of funtion is widely used by eonomists [2] in modeling the relationship between the inestment and the outome. Fig. 3 shows how the restoration rate hanges when alloation inreases. Clearly, the three onditions are all satisfied. The time-inariable feature says that the restoration rate neer hanges during the whole period of restoration, gien a speifi.
u restoration rate u rate limit Fig. 3. Funtion for Time-inariable Restoration Rate C. Time-ariable Restoration Rate In addition to nonlinearly relating to the resoure alloation, the restoration rate u an also hange oer the time in some senarios. Suh a funtion is denoted as u(, t), where parameter t is for time. For eample, gien a group of persons fiing a worm attak, when time goes by, the inreased eperiene would result in quiker restoration rate. In addition to the three neessary onditions, the time-ariable restoration rate should satisfy u(, ) =. Here we propose to use the following time-ariable funtion: u() = A(1 ρ (1 rθt ) ), < θ 1, < ρ < 1, < r < 1 (2) where ρ, θ and r are parameters that ontrol the influene of resoure and time t. Fig. 4 shows the relationship. Clearly, the same upper bound eists sine eah restoration ation needs at least a minimum time. The funtion also aptures the feature that the more the resoures alloated, the higher the restoration rate. But there eist an effiient zone where inreasing the resoure usage ontributes greatly towards the restoration rate. restoration rate It is easy to see that the loss rate at time t is (u() )t m l So the loss in this period is C 1 = u() (u() )t m dt l = m 2 2l(u() ) The epense for restoring the system during the time ( 3), is C 2 = u() (5) Then the total ost for the restoration is (4) C = C 1 + C 2 m 2 = 2l(u() ) + u() (6) The onstraints are: first, u() > must be satisfied, sine this is neessary for a suessful restoration; seond, the owner s resoures are limited, we must hae u() R where R is the upper bound of owner s resoures. The problem of how to alloate resoures so that the total ost is minimum an be formulated as: minimize subjet to f() = m 2 2l(u() ) + u() (7) u() R (8) u() > (9) u(,t) t 1 2 3 rate limit Fig. 4. Funtion for Time-ariable Restoration Rate, here 1 < 2 < 3. IV. COST ANALYSIS In this setion we present analysis on minimum ost for systems that the restoration rate u has the aforementioned funtion in relating to the resoure usage and time. In the general disussion, we use u() for simpliity. We assume the time that the system starts reoery is time t =. The system state is illustrated at the right side of Fig. 2. Thus, total restoration of the system needs time: (3) u() Let the maimum loss rate to be m when the system is totally ompromised. When the system is partially ompromised, the loss rate is proportional to the perentage of system ompromised. Thus at time, the loss rate is l m. A. Cost Analysis for Time-inariable Restoration Rate For time-inariable restoration rate u() with funtion (1), the minimum ost problem an be rewritten to minimize f() = subjet to + (m 2 )/(2l) (A(1 ρ δ ) ) A(1 ρ δ ) (1) A(1 ρ δ ) R (11) A(1 ρ δ ) > (12) No losed form solutions an be obtained diretly. Numerial results will be presented in the net setion. On the other hand, we gie further analysis on onstraint (11), whih is ritial for a suessful restoration. The onstraint (11) an be rewritten as R + A Aρδ (13) Let θ() = R + and u() = A Aρδ. The two ures ould hae zero, one, or two interseting points (Fig.
y 5) depending on the alues of,, and R. When /R or is too large, there is no intersetion. For θ() u() (so to satisfy onstraint 11), these two ures must hae at least one interseting point. The interal between the two intersetion points a and b gies the operational region for resoure alloation for a speifi senario where the system has gien, and R. On the other hand, the least ondition for a possible restoration operation ours when the two ures are tangent. At that point, we are able to study the relations among system onditions,, and R. The results are ritial whih diretly indiate whether a restoration is feasible before the system is totally ompromised. We sole the problem by taking deriatie of both sides of (13) R = Aδρδ ln ρ Then we get the boundary ondition for onstraint (11): δr(a ) ln ρ + 1 = ln ln( ARδ ln ρ) (14) Studying the relations of,, and R depited by Condition (14) leads to important results. For eamples, we an obtain the minimum resoure required for a suess restoration gien and ; We an also alulate the latest time (the maimum portion ) that the owner has to start restoration gien the and R. These results are shown in Setion V. Fig. 6. System with u(, t) Let the time that the system is totally restored be τ(), the total ost inurred during this restoration proedure is then f(, τ()). For eah possible, there is a orresponding ost f. Our task is to find the (denoted as ) where the orresponding ost f is minimum. The problem is formulated as follows: minimize f(, τ()) subjet to h(, τ()) R (19) We will gie numerial solutions in the net setion. a Fig. 5. u() b θ () Constraint θ() u() B. Cost Analysis for Time-ariable Restoration Rate The restoration rate u is now a funtion of both and time t as represented by Formula( 2), i.e., u(, t) = A(1 ρ (1 rθt ) ). In soling the minimum ost problem, we use differential equations. Fig. 6 shows a partially ompromised system at time t (time is the time that the restoration begins, with portion of the system ompromised). Thus the light shaded part represents the restoration effort sine t =. This portion is denoted as s(, t), gien the resoure alloation rate. Note that s(, t) ould be positie or negatie. If s(, t) is negatie, it means that after restoration begins, more mahines are ompromised (sine the initial restoration rate ould be small). Let f(, t) be the total ost inurred till time t, h(, t) be the epense until time t, then we hae the following deriatie equations: ds(, t) = u(, t) dt (15) df(, t) s(, t) = m + dt l (16) dh(, t) = dt (17) s(, ) =, f(, ) =, h(, ) = (18) V. NUMERICAL RESULTS In preious setions we hae introdued our ost models for two restoration rates, one is resoure-bounded and the other has a time onstraint in addition. The minimal ost solutions for the two ases an not be soled in the losed forms. In this setion we proide numerial results. All the numerial solutions are obtained through Maple [4]. For the purpose of easy illustration, we use and present integer numbers in the results. These numbers allow us to show the relations among the ariables in question and the sale of hanging trends. Howeer these numbers by no means reflet any real senarios in pratie. To make the model useful for a partiular real world eent, estimations of the parameters must be onduted. The speifi system parameters are: The network is omposed of l = 5, nodes; the maimum loss rate is m = 1, if the system is totally ompromised; The maimum possible restoration rate is A = 1. The following parameters are aried for the different results we show. But when not aried, they take the following default alues: The maimum resoures is R = 5, ; The ompromise rate is = 5; Initial ompromised system is = 5. A. Time-inariable Restoration Rate For time-inariable restoration rate u() with funtion (1), we use parameters ρ =.996 and δ =.9. The ure is illustrated in Fig. 3. 1) restoration s. resoure alloation: Fig. 7 shows the inrease and derease trends of the total ost, epense and loss when the resoure alloation rate () inreases. The figure shows that as inreases, epense inreases but loss dereases. As a result, total ost first dereases then inreases. At one speifi point, total ost reahes its minimum alue.
ost 11 1 9 8 7 6 5 4 3 2 1 Fig. 7. influene of on ost loss epense total ost 4 6 8 1 12 14 16 18 2 Total ost hanges as inreases tau 35 3 25 2 15 1 tau for different =4 =5 =6 5 4 6 8 1 12 14 16 18 2 Fig. 8. τ hanges as inreases. minimum ost 4 35 3 25 2 15 1 5 Fig. 9. ost. =2 =5 =1 influene of and on minimum ost 4 45 5 55 6 65 7 75 8 Influenes of and on minimum * 14 13 12 11 1 influene of and on * 9 =2 =5 =1 8 4 45 5 55 6 65 7 75 8 R Minimum R required 5 45 4 35 3 25 2 =5 15 =6 =7 1 5 1 15 2 25 3 5 45 4 35 3 25 2 15 1 Maimum allowed R=5 R=1 R=5 5 1 2 3 4 5 6 7 8 Fig. 1. Influenes of and on. Fig. 11. Resoure for a suessful restoration Fig. 12. Restoration onstrained by R. Our other results also indiate that a larger ompromise rate will inur larger total ost, but minimum ost is ahieable. On the other hand, when resoure alloation rate inreases, time spent for reoery dereases. We hae used τ to denote the time needed for total restoration. The result is shown in Fig. 8. Clearly, when more resoure an be alloated, it is not neessary that the time needed to restore the whole system redues proportionally, sine the usage of the resoure beomes less effetie. When the ompromise rate inreases, τ inreases as epeted. 2) Ahieing minimum ost: We hae seen that for eah speifi and, there eists a at whih the ost is minimal. The Figures 9 and 1 show how the minimum ost C and are influened by arious and. The obseration is that as or inreases, minimum ost C and the assoiated inrease. The figures also show that when and are too large (here when > 7 at = 1), the minimum ost is not ahieable. 3) The ritial ondition: The relationship among,, and R is epressed in Equation (14). It proides us opportunities to illustrate onstraints from system parameters on a suessful restoration. For eample, Fig. 11 shows the minimum total resoure required for a suessful restoration under arious and. A later start of restoration (larger ) or a stronger attak (larger ) all require larger amount of aailable resoures. Less total resoure will lead to a failure of restoration. Fig. 12 shows the operational region when the total resoure is gien. The figure suggests that for a speifi, the restoration must start no later than the presented alue of. Otherwise, no matter how the alloation rate will be, total restoration is impossible. The figure also shows that the larger the R, the wider the operational region, whih tolerates larger ranges of and. B. Time-ariable Restoration Rate The time-ariable restoration rate u(, t) has a funtion in the form of Equation (2). We use parameters ρ =.996, θ =.993 and r =.9 here. The ure is illustrated in Fig. 4. The solutions towards the minimum ost rely on soling equations (15) to (18) (Setion IV-B). With the help from Maple, we are able to get the alues of osts for arious system ariables, and to draw the arious ost ures. Fig. 13 shows how a ost alue an be alulated. Gien an, ures s(, t), h(, t) and f(, t) are generated by Maple. At the time of s(, t) =, the whole system is restored. Reall the time is denoted as τ. Thus the alue of f(, t) at t = τ is the total ost spent for reoery. The alue of h(, t) at τ is the epense. We use this method to ompute the ost for eah and the minimum ost is the minimum alue ross all the s. ost Fig. 13. t t f(,t): total ost s(,t) h(,t): epense Calulating the ost. 1) restoration s. resoure alloation: Fig. 14 shows the ost, epense and loss as the funtions of the resoure alloation rate. Here = 5 and = 5. The figure shows the same ost hange trends as Fig. 7 where u() does not hange oer time. The similarity of the two figures is epeted sine u(, t) should only affet the alue of the ost, but not the relation between the ost and the resoure alloation rate. The minimum ost eists at.
ost 22 2 18 16 14 12 1 8 6 4 2 influene of on ost 5 1 15 2 25 3 35 4 45 ost loss epense * 28 26 24 22 2 18 16 Influene of and on * 14 =2 12 =5 =1 1 4 45 5 55 6 65 7 75 8 Fig. 14. ost 6 5 4 3 2 1 The ost hanges as inreases for u(, t). ost for different 5 1 15 2 25 3 35 4 45 5 55 Fig. 15. =4 =5 =6 =7 =8 Cost s., for u(, t). Fig. 15 then shows how the ost hanges with inreasing at different ompromise rate. It is lear that as inreases, the ost inreases. The figure also suggests that minimum osts eist. Howeer, the figure reports early terminations of the ost ures for some large. For eample, the ure for = 8 ends before reahes 15 while the ure for = 4 etends well beyond = 5. This phenomenon indiates the failures of total reoery at these non-data points beause of the ehaustion of the resoures. On the other hand, the figure suggests that when the ompromise rate is high and the resoure is limited, a smaller rate of resoure alloation, whih possibly produes more effiient restoration, ould yield a better result, i.e, a omplete restoration. Our other results also show that orresponding ures of τ reeal the same phenomenon. minimum ost 6 5 4 3 2 1 =2 =5 =1 Influene of and on minimum ost 4 45 5 55 6 65 7 75 8 Fig. 16. Influenes of and on minimum ost, for time-arying rate. Fig. 17. rate. Influenes of and on, for time-arying figure also suggests that when and/or is too large, no total restoration is possible. Thus the minimal ost an not be ahieed. Or, say, the minimal ost ours at the largest suessful alloation rate. This eplains Fig. 17 where dereases when inreases. Those are the points that restoration is possible, but not minimum. VI. CONCLUSIONS In this paper, we proide analysis on the ost inurred when restoring ompromised systems. Resoure alloation is the major influential fator in our analysis. Typially the usage of the resoure ontributes to the restoration nonlinearly, following the law of diminishing marginal utility. We study both time-ariable and time-inariable behaiors. Our results are presented using numerial methods. The results suggest that the minimal ost is ahieable for many onditions, but tight optional regions also eist. Our future work is searhing data to estimate the parameters for pratial senarios and alidating the models. REFERENCES [1] W. J. Baumol and A. S. Blinder. Eonomis: Priniples and Poliy. South-Western College Pub, 24. [2] L. A. Gordon and M. P. Loeb. The eonomis of information seurity inestment. ACM Transations on Information and System Seurity, 5(4):438 457, Noember 22. [3] J. H. Lala. Introdution. In Proeedings of the Foundations of Intrusion Tolerant Systems (OASIS 3), pages i. IEEE, 23. [4] MapleSoft. Maple. In http://www.maplesoft.om/. [5] C. Meadows. A ost-based framework for analysis of denial of serie in networks. Journal of Computer Seurity, 9(1-2):143 164, January 21. [6] D. Moore, C. Shannon, and J. Brown. Code-red: a ase study on the spread and itims of an internet worm. In Proeedings of the ACM SIGCOMM/USENIX Internet Measurement Workshop, pages 273 284. ACM, Noember 22. [7] S. Ray, Q. Zheng, X. Hong, and K. Kwiat. Integrity funtion - a framework for serer repliation and plaement in adersarial enironment. In submitted to IEEE Transations on Parallel and Distributed Systems. [8] P. E. Verissimo, N. F. Nees, and M. P. Correia. Intrusion tolerant arhitetures: Conepts and design. Arhiteting Dependable System, Leture Notes in Computer Siene, 2677(44):3 36, May 23. [9] C. Zou, W. Gong, and D. Towsley. Code red worm propagation modeling and analysis. In Proeedings of the 9th ACM onferene on Computer and ommuniations seurity, pages 138 147. ACM, Noember 22. 2) Ahieing minimum ost: Figures 16 and 17 show how and influene the minimum ost C and the orresponding alues. Fig. 16 shows that inreasing and inur higher C, similar to the trends obsered in Fig. 9. The