
Ryan Washburn

SYSC 330 Models in Science


Modeling Paper Rough Draft

Modeling attack and defense scenarios over an Internet sub net


The Internet is a global system of interconnected computer networks, and along with its software
interface, the World Wide Web, it has become the largest information system mankind has ever
developed. Today, there are approximately 10 billion devices connected via the internet, and it is used
by nearly 40% of the world's population for phone service, email, entertainment, and commerce. [1]
Through the availability of these services and information, the Internet has changed the landscape of
human interaction in profound ways. Organized crime, malicious software, and foreign actors have
adapted to this new landscape, which has now threatened to compromise the privacy and security of the
human race like never before. How can we understand the mechanisms which define this landscape?
How can we understand the behavior of software that attacks and defends our machines and our data,
and the network topology over which this software interacts? Answering these questions will help us
understand how both human and software agents may employ strategies to either keep or take away
security. Graphical security models provide us with many insights into these questions, and their attack
and defense modeling will be the subject of this paper.

In order to best understand how to model an Internet sub net, we will look at different types of
scientific modeling that are currently being used to study Internet attack and defense scenarios. Before
we discuss these modeling techniques, we need to understand what scientific modeling is. Scientific
modeling is a scientific activity which has the aim of making a particular feature of the world easier to
understand, define, quantify, visualize, or simulate by referencing it to our existing knowledge and
understanding of that feature. Scientific modeling is useful for studying networks of computers,
allowing for great insight even when peering at these complex systems through a small window. The
window through which we investigate these systems reveals a massive network of connections with as
many agents and possible events as grains of sand on a beach. How we construct this window
determines how well we can see what lies behind it. When a person models a door, they don't look at
the imperfections of the door at a molecular level, they want to make sure the door performs the basic
functions it is designed to do: Open and close. Perhaps insulate one from the elements. Lock, and
provide security between the inside and the outside of a building. This same type of abstraction can be
extended to modeling computer networks and network security. While the complexity of all agents
involved can be impossible to model, the behavioral characteristics can be well understood by
abstracting the system to a reasonable enough level of detail that it validates the model against the
target system. Computer simulations of networks give us the ability to study complex systems like
never before, as billions of scenarios can be filtered and analyzed within a matter of hours. This level
of analysis could not be performed by a team of humans in a thousand years without computers.

Even with the limitations inherent in any simulation of a complex system there are many questions that
can be addressed with different types of scientific modeling. Whether an agent-based, analytic, or
numeric model is used, the topology and structural properties of the Internet must be well defined
before we can try to build a realistic model. In computer science, data structures and networks are
physical representations of mathematical objects called graphs. These are not Cartesian graphs
representing the xy-plane, nor are they graphs used for charting data. The graphs we are referencing
here come from the branch of mathematics known as Graph Theory. A graph is an object defined by a
set of nodes with a set of relations between them. The Internet or any of its sub nets is structured as a
graph, with its topological properties defined by the distribution of its nodes (representing the Internet
routers), clustering coefficient, and network centrality measures. [4][5] This sub net is then treated as
an autonomous system whose topology forms the domain of the model. The topological properties
determine how the sub net and its agents interact, and many types of models have been developed to run
over a simulated framework of this topology. In a real world target system, for example, your personal
computer may be a host which is connected to the Internet through an Internet gateway server. This
server specifies the rules of access which allow you to request connections to other machines on the
Internet; whether it is to send email, transfer money to your bank account, browse social media, or
download a movie. Your computer, the Internet server, and all of its local network connections form a
sub net like those that our models are trying to simulate. The hardware and software relations over this
sub net have varying degrees of protection built in from malicious agents that try to compromise these
relations (often known as malware). One of the most important topics of study in network security is
understanding all of the different ways these agents can interact without compromising the security of
the system.

Route-Based Analysis models are a type of agent-based model that provides insight into the pathways
hardware and software agents can use, while Traffic-Based Analysis models demonstrate the changes in
agent behavior based on how much traffic is on any given route. [4] Agent-based models are a
computer simulation of agents interacting over a grid of cells, where the agents interact within a set of
rules constrained by these cells. Route and traffic based scenarios simulate the topology of the Internet
by breaking its pathways into cells, and its agents into packets which follow a set of rules that simulate
the interaction of Internet routers. These types of models help us understand the probability that an
attack will occur along any given pathway or node, and when combined with the network topology,
form the modeling criteria for the attack and defense scenarios we want to investigate.

One of the first numeric modeling techniques to emerge for investigating internet attack/defense
scenarios was the attack tree. The attack tree is based on the fault tree formalism, which combines
mathematical functions with Boolean expressions (true/false, if/and/or) to determine a-priori
probabilities of attack success at any given node along any given path. When dealing with changing
attack and defense pathways, the fault tree logic in the model is a massive function with a system of
variables representing the nodes for each pathway transition. This function then multiplies the
probability variables with coefficients used for each software agent that either increase or decrease their
probability of success based on their strengths and weaknesses. The attack tree formalism allows us to
model the dynamic interaction over time, and see what strategies both the attacking and defending
agents might employ in the target system, and how the entire system behaves in response.

In order to test that these models adequately represent their target systems, researchers must first verify
that the model represents the concept they are trying to model, then validate them against the target
system they are trying to simulate. Most of these simulations are re-coded so they can be run over a
small physical network. The results of the real-world test are then used to validate the model. For
example, in an experiment titled Collaborative detection of DDoS attacks over multiple network
domains, researchers built a test bed at the University of Southern California Information Sciences
Institute to validate their experiment.[6] This test bed consists of physical routers and a cluster of PCs
connected over a small local network, and it will be used to validate future experiments as well.

Computer simulations are very useful for exploring attack and defense scenarios over the internet. It is
both interesting and ironic that the simulation is actually simulating itself in this paradigm. One might
argue that this allows it to more closely abstract itself than it might abstract a rock or a rabbit. For all of
its strengths, however, there are weaknesses to be taken into account when using computer simulations
in this manner. In the early 21st century, human decisions are still very much involved in what a
software agent does and does not do over a network. The unpredictability of human goals and
motivations, let alone that of nation states, makes it more difficult to validate the most probable
scenarios. From a verification standpoint, the larger the model becomes, the more cumbersome it gets
to make sure the code is working as planned. One of the weaknesses of the attack-tree based formalism
is how it scales the larger the sub net gets in the model. In the case of attack trees using directed
acyclic graphs, the relationship between the number of pathways and the number of possible scenarios
can be of the order of magnitude 2^n, making the number of computations required grow exponentially
as the model increases in size. [9]
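
The following Python sketch is an added illustration, not code from this paper or from any of the cited tools. It evaluates a small attack tree bottom-up, as in the fault tree formalism described earlier, applies a defense coefficient to one pathway transition, and then repeats the calculation by enumerating all 2^n leaf scenarios to show the scaling problem. The tree, the hop names, the probabilities, the coefficient, and the assumption that leaves are independent are all constructed for the example.

```python
from itertools import product
from math import prod

# Constructed example tree: the root succeeds if either pathway (AND of its hops) succeeds.
TREE = ("OR", [("AND", [("LEAF", "pathA_hop1"), ("LEAF", "pathA_hop2")]),
               ("AND", [("LEAF", "pathB_hop1"), ("LEAF", "pathB_hop2")])])
# Constructed a-priori success probability of each pathway transition.
BASE_P = {"pathA_hop1": 0.5, "pathA_hop2": 0.4, "pathB_hop1": 0.8, "pathB_hop2": 0.25}
# Constructed defense coefficient: a value below 1 lowers the attacker's chance at that hop.
DEFENSE = {"pathB_hop2": 0.2}


def leaf_p(name, coeff):
    """Leaf probability after applying the agent coefficient (1.0 if none)."""
    return BASE_P[name] * coeff.get(name, 1.0)


def success_probability(node, coeff=None):
    """Bottom-up evaluation, linear in tree size; assumes independent leaves."""
    coeff = coeff or {}
    kind, body = node
    if kind == "LEAF":
        return leaf_p(body, coeff)
    ps = [success_probability(child, coeff) for child in body]
    if kind == "AND":
        return prod(ps)                      # every child must succeed
    return 1 - prod(1 - p for p in ps)       # OR: at least one child succeeds


def holds(node, outcome):
    """Boolean (fault-tree) evaluation of one fixed scenario."""
    kind, body = node
    if kind == "LEAF":
        return outcome[body]
    gate = all if kind == "AND" else any
    return gate(holds(child, outcome) for child in body)


def enumerate_scenarios(tree, coeff=None):
    """Brute force over all 2^n leaf outcomes; returns (scenario count, root probability)."""
    coeff = coeff or {}
    names = sorted(BASE_P)
    count, total = 0, 0.0
    for bits in product([False, True], repeat=len(names)):
        count += 1
        outcome = dict(zip(names, bits))
        if holds(tree, outcome):
            total += prod(leaf_p(n, coeff) if hit else 1 - leaf_p(n, coeff)
                          for n, hit in outcome.items())
    return count, total


if __name__ == "__main__":
    print(success_probability(TREE), success_probability(TREE, DEFENSE))
    print(enumerate_scenarios(TREE, DEFENSE))
```

With four leaves the enumeration visits 16 scenarios and agrees with the bottom-up result; each additional leaf doubles the scenario count, while the bottom-up pass grows only with the number of nodes but is exact only when no leaf is shared between branches.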

While scientific modeling is limited by the complexity of computer systems and network agents, it is
also limited by the fact that software agents themselves are evolving in the real world, using artificial
intelligence to figure out new ways of interacting over the network by developing their own simulation
programs and optimization algorithms. Because each agent is seeking the best way to carry out its
goals of attacking or defending a network, the best strategy becomes a game-theoretic problem running
over a complicated graph structure. In computer science, this is equivalent to the bottleneck traveling
salesman problem, which is classified as an NP-hard problem. This means the solution space cannot be
solved in a deterministic way in a finite amount of time; it can only be solved by brute-force and
probability based heuristics.[10] Programming computers with machine learning algorithms to find
heuristic solutions to this problem will define the future design of scientific models in this paradigm.

Today there are more than 30 different approaches for the analysis of attack and defense scenarios, each
with specific strengths and weaknesses and each tooled for more accurately analyzing and categorizing
different types of attack trees for different scenarios. These approaches can be divided into two main
classes: Formalisms derived from or extending threat logic trees (attack trees), and formalisms based
on Bayesian networks. [3][6][7][8] Along with categorizing these formalisms, two general trends can
be observed in the field of graphical security modeling, that of unification and specification. By
unifying existing approaches, we can develop a more concise set of general solutions for a broad
spectrum of security scenarios. These include reasoning about diversified aspects of a security
problem, where different hardware, software, and social motivations among agents interact
simultaneously. By developing specification based approaches, researchers can focus on modeling and
understanding specific security domains, which include intrusion detection and domain specific effects
on hardware and software. All of these approaches have helped researchers understand and categorize
existing security patterns, and motivate the search for new ones. [3]

References:
[1]
Very Large Graphs
Lovász, László
A Survey for Current Developments in Mathematics 2008
arXiv:0902.0132

[2]
World Stats. Internet World Stats
miniwatts Marketing Group. 30 June 2012.

[3]
DAG-Based Attack and Defense Modeling: Don't Miss the Forest for the Attack Trees
Kordy, Barbara; Pietre-Cambacedes Ludovic; Schweitzer, Patrick
University of Luxembourg; EDF, France
arXiv:1303.7397v1 [cs.CR] 29 Mar 2013

[4]
Criticality analysis of Internet infrastructure
Yan, Guanhua; Eidenbenz, Stephan; Thulasidasan, Sunil; Datta, Pallab; Ramaswamy, Venkatesh
Computer Networks, 2010, Vol.54(7), pp.1169-1182

[5]
Weighted Spectral Distribution for Internet Topology Analysis: Theory and Applications
Fay, D; Haddadi, H; Thomason, A; Moore, Aw; Mortier, R; Jamakovic, A; Uhlig, S; Rio, M
IEEE/ACM Transactions on Networking, Feb. 2010, Vol.18(1), pp. 164-176

[6]
Collaborative detection of DDoS attacks over multiple network domains
Chen, Yu; Hwang, Kai; Ku, Wei-Shinn
IEEE Transactions on Parallel and Distributed Systems, Dec. 2007, Vol.18(12), pp.1649-1662

[7]
Graph Spectra in Computer Science
Cvetkovic, Dragos; Simic, Slobodan
Linear Algebra and Its Applications, 2011, Vol.434(6), pp.1545-1562

[8]
PENET: A practical method and tool for integrated modeling of security attacks and countermeasures
Pudar, Srdjan; Manimaran, G; Liu, Chen-Ching
Computers and Security, Nov. 2009, Vol.28(8), pp.754-771

[9]
Dynamic Security Risk Management Using Bayesian Attack Graphs
Poolsappasit, Nayot; Dewri, Rinku; Ray, Indrajit
IEEE Transactions on Dependable and Secure Computing, Jan-Feb. 2012, 9(1):61-74

[10]
Introduction to Algorithms
Cormen, Thomas; Leiserson, Charles; Rivest, Ronald; Stein, Clifford
pp.1112-1117
