
The topology of covert conflict

Shishir Nagaraja, Ross Anderson
Computer Laboratory
JJ Thomson Avenue, Cambridge CB3 0FD, UK
forename.surname@cl.cam.ac.uk

arXiv:cs/0601101v1 [cs.NI] 23 Jan 2006

Abstract. Often an attacker tries to disconnect a network by destroying nodes or edges, while the defender counters using various resilience mechanisms. Examples include a music industry body attempting to close down a peer-to-peer file-sharing network; medics attempting to halt the spread of an infectious disease by selective vaccination; and a police agency trying to decapitate a terrorist organisation. Albert, Jeong and Barabási famously analysed the static case, and showed that vertex-order attacks are effective against scale-free networks. We extend this work to the dynamic case by developing a framework based on evolutionary game theory to explore the interaction of attack and defence strategies. We show, first, that naive defences don’t work against vertex-order attack; second, that defences based on simple redundancy don’t work much better, but that defences based on cliques work well; third, that attacks based on centrality work better against clique defences than vertex-order attacks do; and fourth, that defences based on complex strategies such as delegation plus clique resist centrality attacks better than simple clique defences. Our models thus build a bridge between network analysis and evolutionary game theory, and provide a framework for analysing defence and attack in networks where topology matters. They suggest definitions of efficiency of attack and defence, and may even explain the evolution of insurgent organisations from networks of cells to a more virtual leadership that facilitates operations rather than directing them. Finally, we draw some conclusions and present possible directions for future research.

1 Introduction

Many modern conflicts turn on connectivity. In conventional war, much effort is expended on disrupting the other side’s command, control and communications by jamming or destroying his facilities. Counterterrorism operations involve a similar effort but with different tools: traffic analysis to trace communications, coupled with surveillance of the flows of money, material and recruits, followed by the arrest and interrogation of individuals who appear to be significant nodes. Terrorists are aware of this, and take measures to prevent their networks being traced. Usama bin Laden described his strategy on the videotape captured in Afghanistan as ‘Those who were trained to fly didn’t know the others. One group of people didn’t know the other group’ (see [14], which describes the hijackers’ networks).

Connectivity matters for social dominance too, as a handful of leading individuals do much of the work of holding a society together. Subverting or killing these leaders is likely to be the cheapest way to make an invaded country submit. When the Norman French invaded England in the eleventh century, they killed or impoverished most of the indigenous landowners; when the Turks, and then the Mongols, invaded India, they killed both landowners and priests; when England suppressed the Scottish highlands after the 1745 uprising, landowners were induced to move to Edinburgh or London; and in many of the dreadful events of the last century, rulers targeted the elite (Russian kulaks, Polish officers, Tutsi schoolteachers, ...).

Moving from politics to commerce, the music industry spends a lot of money attempting to disrupt peer-to-peer file-sharing networks. Techniques range from technical attacks to aggressive litigation against individuals believed to have been running major nodes.

Networks of personal contacts are important in other applications too. In public health, for example, it often happens that a small number of individuals account for much of the transmission of a disease. Thus Senegal has been more effective at tackling the spread of HIV/AIDS than other African countries, as they targeted prostitutes [19]. In fact, interest in social networks has grown greatly over the last 15 years in the humanities and social sciences [20,9].

Recent advances in the theory of networks have provided us with the mathematical and computational tools to understand such phenomena better. One striking result is that a network much of whose connectivity comes from a small number of highly-connected nodes can be very efficient, but at the cost of extreme vulnerability. As a simple example, if everyone in the county communicates using one telephone exchange, and that burns down, then everyone is isolated.

This paper starts to explore the tactical and strategic options open to combatants in such conflicts. What strategies can one adopt, when building a network, to provide good trade-offs between efficiency and resilience? We are particularly interested in complex networks, involving thousands or millions of nodes, which are so complicated (or under such dispersed control) that the resilience rules can only be implemented locally, rather than by a central planner who deliberately designs a network with multiple redundant backbones.

Is it possible, for example, to create a virtual high-degree node, by combining a number of nodes which appear on external inspection to have lower degree? For example, a number of individuals might join together in a ring, and use some covert communications channel to route sensitive information round the ring in a manner shielded from casual external inspection. There is a loose precedent in Chaum’s ‘dining cryptographers’ construction [10], in which a number of cryptographers pass messages round a ring in such a way as to mask, from insiders, the source and destination of encrypted traffic. Can we build a similar construction, but in which the fact of systematic message routing is concealed from outsiders, with the result that the participants appear to be ‘ordinary’ nodes making a modest contribution in the network, rather than important nodes that should be targeted for close inspection and/or destruction?

2 Previous Work

There has been rapid progress in recent years in understanding how networks can develop organically, how their growth influences their topology, and how the topology in turn affects both their capacity and their robustness. There is now a substantial literature: for a book-length introduction, see Watts [21], while literature surveys are [1,17].

Early work by Erdös and Renyi modelled networks as random graphs [11,7]; this is mathematically interesting but does not model most real-world networks accurately. In real networks, path lengths are generally shorter; it is well known that any two people are linked by a chain of maybe half a dozen others who are pairwise acquainted – known as the ‘small-world’ phenomenon. This idea was popularised by Milgram in the 60s [16]. An explanation started to emerge in 1998 when Watts and Strogatz produced the alpha model. Alpha is a parameter that expresses the tendency of nodes to introduce their neighbours to each other; with α = 0, each node is connected to its neighbours’ neighbours, so the network is a set of disconnected cliques, while with α = ∞, we have a random graph. They discovered that, for critical values of α, a small-world network resulted. The alpha model is rather complex to analyse, so they next introduced the beta network: this is constructed by arranging nodes in a ring, each node being connected to its r neighbours on either side, then replacing existing links with random links according to a parameter β; for β = 0 no links are replaced, and for β = 1 all links have been replaced, so that the network has again become a random graph [22]. The effect is to provide a mix of local and long-distance links that models observed phenomena in social and other networks.

How do networks with short path lengths come about in the real world? The simplest explanation involves preferential attachment. Barabási and Albert showed in 1999 how, if new nodes in a network prefer to attach to nodes that already have many edges, this leads to a power-law distribution of vertex order which in turn gives rise to a scale-free network [6], which turns out to be a more common type of network than the alpha or beta types. In a social network, for example, people who already have many friends are useful to know, so their friendship is particularly sought by newcomers. In friendship terms, the rich get richer. There are many economic contexts in which such dynamics are also of interest [13].

The key paper for our purposes was written by Albert, Jeong, and Barabási in 2000. They observed that the connectivity of scale-free networks, which depends on the highly-connected nodes, comes at a price: the destruction of these nodes will disconnect the network. If an attacker removes the best-connected nodes one after another, then past some threshold point the size of the largest component of the graph collapses [2].

Later work by Holme, Kim, Yoon and Han in 2002 extended this from attacks on vertices to attacks on edges; here, the attacker removes edges connecting high-degree nodes, and again, past some critical point, the network becomes disconnected [15]. They also suggested using centrality – technically, this is the ‘betweenness centrality’ of Freeman [12] – as an alternative to degree for attack targeting. (A node’s centrality is, roughly speaking, the proportion of paths on which it lies.) Computing centrality is harder work for the attacker than observing vertex degree, but it enables him to attack networks (such as beta networks) where there is little or no variability in vertex order. Finally, in 2004, Zhao, Park and Lai modelled the circumstances in which a scale-free network can suffer cascading breakdown from the successive failure of high-connectivity nodes [23]. These ideas find some resonance in the field of strategic studies: for example, Soviet doctrine called for destroying a third of the enemy’s network, jamming a further third, and hoping that the remaining third would collapse under the increased weight of traffic.

3 Naive Defences Don’t Work

Given the obvious importance of the subject, and the fact that the Albert-Jeong-Barabási paper appeared in 2000, one obvious question is why there has been no published work since on how a network can defend itself against a decapitation attack. Here is one possible explanation: the two obvious defences don’t work.

One of these is simply to replenish destroyed nodes with new nodes, and furnish them with edges according to the same scale-free rule that was used to generate the network initially. One might hope that some equilibrium would be found between attack and defence.

The other obvious defence is to replenish destroyed nodes, but to wire their edges according to a random graph model. In this way, we might hope that, under attack, a network would evolve from an efficient scale-free structure into a less efficient but more resilient random structure. In a real application, this might happen either as a result of nodes learning new behaviour, or by selective pressure on a node population with heterogeneous connectivity preferences: in peacetime the nodes with higher degree would become hubs, while in wartime they would be early casualties.

Nice as these ideas may seem in theory, they do not work at all well in practice. Figure 1 shows first (solid line) how the vertex-order attack of Albert, Jeong and Barabási works against a simulated network with no replenishment, then with random replenishment, then with scalefree replenishment. In the vanilla case the attack takes two rounds to disconnect the network; with random replenishment it takes three, and with scale-free replenishment it takes four.

It seems that, to defend against these kinds of decapitation attacks on networks, we will need smarter defence strategies. But how should these be evolved, and what sort of framework should we use to evaluate them?

Fig. 1. Naive defences against vertex-order decapitation attack. [Plot “Vertex-order attack with naive replenishment”: component size against rounds (0 to 30); series: no replenishment, random replenishment, scalefree replenishment.]

4 A Model from Evolutionary Game Theory

Previous researchers considered disruptive attacks on networks to be a single-round game. Such a model is suitable for applications such as a conventional war, in which the attacker has to expend a certain amount of effort to destroy the defender’s command, control and communications, and one wishes to estimate how much; or a single epidemic in which a certain amount of resource must be spent to bring the disease under control.

However, there are many applications in which attack and defense evolve through multiple rounds: terrorism and music-sharing are only two examples. We now develop a framework for considering this more general case. We apply ideas from evolutionary game theory developed by Axelrod and others [3,4]. This theory studies how games of multiple rounds differ from single-round games, and it has turned out to have significant explanatory power in applications from ethology to economics.

We now formalise a model in which a game is played with a number of rounds. Each round consists of attack followed by recovery. Recovery in turn consists of two phases: replenishment and adaptation.

In the attack phase, the attacker destroys a number of nodes (or, in a variant, of edges); this number is his budget. He selects nodes for destruction according to some rule, which is his strategy. For example, he might at each round destroy the ten nodes with the largest number of edges connected to them. He executes this strategy on the basis of information about the network topology.

In the replenishment phase, the defending nodes recruit a number of new nodes, and go through a phase of establishing connections – again, according to given strategies and information.

In the adaptation phase, the defending nodes may rewire links within each connected component of the network, in accordance with some defensive strategy. The adaptation phase is applied once at the start of the game, before the first round of attack; thereafter the game proceeds attack – replenish – adapt.

An attack strategy is more efficient, for a given defense strategy, if an attacker using it requires a smaller budget to disrupt the network. Similarly, a defense strategy is more efficient if, for a given attack strategy, it compels the attacker to expend a higher budget to achieve network disruption. (We will clarify this later once we have presented and discussed a few simulations.)

We assume initially that the attacker has perfect information about the network topology, and that her goal is simply to partition the network – that is, divide it into two or more nontrivial disjoint components. We assume that the defender has only local information, that is, each node shares the information available to those nodes with which it is connected. Thus, for example, if the attacker manages to split the network into two components, there is no way for them to reconnect. We also start off by assuming that the defence strategy affects only the adaptation phase, as only once nodes have connected to a network can they be programmed to follow it; so the replenishment phase is exogenous.

A further initial assumption is that the attack and defence budgets are roughly equal. By this we will mean that for each node destroyed in the attack phase, one node will be replaced in the resource addition phase. Thus the network will neither grow nor shrink in absolute size and we can concentrate on connectivity effects. We will discuss other possible assumptions later, but the static budgets and global attack / local defence assumptions will get us started.

5 Defence Evolution – First Round

To analyse the vulnerability of a network, the selection of network elements (nodes or edges) destroyed in each round is the attacker’s choice and constitutes her strategy. The attacker wishes to maximize the network damage caused per unit of work.

We will start off by considering a static attacker, using what we know to be a reasonable attack (vertex-order), and examine how the defence strategy can adapt. Then we will see what better attacks can be found against the best defence we found. Then we will look for a defence against the best attack we found in the last round, and so on. There is no guarantee that the process converges – there may be a specialised attack that works well against each defence, and vice versa – but if evolutionary games on networks behave like more traditional evolutionary games, we may expect to find some strategies that do well overall, as ‘tit for tat’ does in multi-round prisoners’ dilemma. We may also expect to gain useful insights in the process.

5.1 Defense strategy 1 – random replenishment

Our first defensive strategy is the simplest of all, and is one of the naive defences introduced in the above section. New nodes are joined to the graph at random. We assume that each attack round removes r nodes, and the replenishment round adds exactly r nodes, each of which is joined to the surviving vertices with probability p. r remains constant for each run of the simulation, while p increases from k/(N − r) to k/(N − 1) as the replenishment proceeds. In this strategy, the defender does nothing in the adaptation phase.

This models the case where new recruits to a subversive network simply contact any other subversives they can find; no attempt is made to reshape the network in response to the capture of leaders but the network is simply allowed to become more amorphous.

5.2 Defense strategy 2 – dining steganographers

Our second defensive strategy is more sophisticated, and is inspired by the theory of anonymous communication as developed by computer scientists, most notably Chaum [10]. A node that acquires a high vertex order, and thus could be threatened by a vertex-order attack, splits itself into n nodes, arranged in a ring. The rings have two functions. First, they provide resilience: a ring broken at one point still supports communications between all its surviving nodes, and it is the simplest such structure. Second, nodes can route covert traffic between appropriate input and output links, and use encryption and other information-hiding mechanisms to conceal the traffic. This model was originally presented in Chaum’s seminal ‘dining cryptographers’ paper cited above, so we might refer to it as the ‘dining steganographers’. The collaborating nodes in each ring cannot conceal the existence of communication between them, as the cover traffic is visible to the attacker. However, from the attacker’s viewpoint it is not obvious that these n nodes are acting as a virtual supernode.

Our focus here is on the effects of network topology, rather than on the higher-layer mechanisms that actually implement the covertness property and that provide any confidentiality of content or of routing data. We assume a world in which there is sufficient encrypted traffic (SSL, SSH, DRM, ...) that encrypted traffic is not of itself suspicious so long as it is wrapped in a common ciphertext type. The attacker’s input consists of traffic data collected from the backbone or from ISPs, and her output consists of decisions to send police officers to raid the premises associated with particular IP addresses. Her problem is this: given an observed pattern of communications, whom should she investigate first?

The precise mechanism of ring formation in our simulation is as follows. A vulnerable node decides to create a ring and recruits for the purpose a further n − 1 nodes from the new nodes introduced in the most recent replenishment round, or, if they are inadequate, from among its immediate neighbours. Existing ring members cannot be recruited, so rings may not overlap. Finally, recruits to a ring relinquish any existing links with the rest of the network, and the ring-forming node shares its external links uniformly among all the members of the ring.

5.3 Defense strategy 3 – revolutionary cells

Our third defensive strategy is inspired by cells of revolutionaries, along the model favoured historically by a number of insurgent organisations. A node that acquires a high vertex order splits itself into n nodes, all linked with each other, with the previous outside connections split uniformly between them. In graph-theoretic language, each supernode is a clique.

As in ring formation, a node that considers itself vulnerable is allowed to split itself into a clique of nodes. The new nodes are drawn either from the pool of new nodes, or, if they are insufficient, from low-vertex-order neighbours of the clique-forming node. As before, this node’s external edges are distributed uniformly among members, while other member nodes’ former external edges are deleted.

Simulations – first set

For our first set of simulations, we consider a scalefree network of N = 400 nodes. We use a Barabási-Albert network created by the following algorithm:

1. Growth: Starting with m0 = 40 nodes, at each round we add m = 10 new nodes, each with 3 edges.
2. Preferential Attachment: The probability that a new node connects to node i is $\Pi(k_i) = k_i / \sum_j k_j$, where $k_i$ is the degree of node i.

Having created the scalefree network, we then ran each of the above defensive strategies against a vertex-order attack.

Results

The results of the initial three simulations are given in Figure 2.

Fig. 2. Vertex order decapitation attack in rings, cliques and with no adaptation. [Plot “Vertex-order attack with Rings and Cliques”: component size against rounds (0 to 30); series: vertex order attack with no adaptation, with rings, with cliques.]

The red graph in Figure 2 provides a calibration baseline. As seen in the above section, random replenishment without adaptation is ineffective: within three rounds the size of the largest connected component has fallen by a half, from 400 nodes to well under 200.

The green graph shows that rings give only a surprisingly short-term defence benefit. They postpone network collapse from about two rounds to about a dozen rounds. Thereafter, the network is almost completely disconnected. In fact, the outcome is even worse than with random replenishment.

Cliques, on the other hand, work well. A few vertices are disconnected at each attack round, but as the cyan graph shows, the network itself remains robustly connected. This may provide some insight into why, although rings have seemed attractive to theoreticians, those real revolutionary movements that have left some trace in the history books have used a cell structure instead.

6 Attack Evolution – First Round

Having tried a number of defence strategies and found that one of them – cliques – is effective, the next step is to try out a number of attack strategies to see if any of them is effective against our defences, and in particular against cliques.

Of the attack strategies we tried against a clique defence, the best performer is an attack based on centrality. We used the centrality algorithm of Brandes [8] to select the highest-centrality nodes for destruction at each round. As before, our calibration baseline is random replenishment. For this, the red and black graphs show performance against vertex-order and centrality attacks respectively. Both are equally effective; within two or three rounds the size of the largest connected component has been halved.

The green and blue graphs show that the same holds for rings: the network collapses completely after about a dozen rounds. Centrality attacks are very slightly more effective but there is not much in it.

Fig. 3. Rings and Cliques defense under vertex order and centrality attacks. [Plot “Vertex-order and Centrality attack with Rings and Cliques”: component size against rounds (0 to 30); series: vertex order attack with no adaptation, with rings, with cliques; centrality attack with rings, with cliques.]

The most interesting results from these simulations come from the magenta and cyan graphs, which show how cliques behave. Cyan shows, as before, a vertex-order attack with severity m = 10 being ineffective against a clique defence. Magenta shows the effect on such a network of a centrality attack. Here the largest connected component retains about 400 nodes until the network suddenly partitions at 14 rounds, whereafter a largest-component size of about 200 is maintained stably.

Some insight into the internal mechanics can be gleaned from Figure 4. This shows the average inverse geodesic length. For each node, we find the length of the shortest path to each other node, and take the inverse (we take the length to be infinite, and thus the inverse to be zero, if the nodes are in disjoint components). We average this value over all n(n − 1)/2 pairs of nodes. This value falls sharply for defense without adaptation, and falls steadily for defense with rings. These falls reflect increasing difficulty in internode communication. With cliques, the vertex-order attack has little effect, while the centrality attack makes steadily increasing progress on a graph of 400 vertices, until it achieves partition and reduces the largest component to about 200 vertices. But it makes only slow progress thereafter.

Fig. 4. Average inverse geodesic lengths of rings and clique adaption, under centrality attack. [Plot “Centrality attack with Rings and Cliques”: average inverse geodesic length against rounds (0 to 30); series: centrality attack with no adaptation, with rings, with cliques.]

6.1 Clique sizes

We next ran a simulation comparing how well defense works when using different sizes of rings and cliques. Ring size appears to make little difference; rings are just not an effective defence other than in the very short term. However, varying the clique size yields the results displayed in Figure 5.

This shows that under a centrality attack, the performance of the defense increases steadily with the size of the clique. There is still a phase transition after about 14 rounds or so after which the largest connected component becomes significantly smaller, but the size of this equilibrium component increases steadily from about 150 with clique size 8 to almost 300 at clique size 20.

Fig. 5. Clique recovery with different clique sizes under a centrality attack. [Two plots, “Vertex order attack with various clique sizes” and “Centrality attack with various clique sizes”: largest component against rounds (0 to 30); series: clique sizes 5, 8, 11, 14, 17, 20.]

7 Defence Evolution – Second Round

Now that we know centrality attacks are powerful, we have tried a number of other possible defences. The most promising at present appears to be a compound defence based on cliques and delegation.

The idea behind delegation is fairly simple. A node that is becoming too well-connected selects one of its neighbours as a ‘deputy’ and connects it to a second neighbour, with which it then disconnects. This reflects normal human behaviour even in peacetime: busy leaders pass new recruits on to colleagues. In wartime, and with an enemy that might resort to vertex-order attacks, the incentive to delegate is even greater. Thus a terrorist leader who gets an offer from a wealthy businessman to finance an attack might simply introduce him to a young militant who wants to carry one out. The leader need now maintain communications with at most one of the two.

Delegation on its own is rather slow; it takes dozens of rounds for delegation to ‘immunise’ a network against vertex-order attack. If a vanilla scale-free network is going to be exposed to either a vertex-order or centrality attack from the next round, then drastic action (such as clique formation) is needed at once; else it will be disconnected within two or three rounds. Slower defences like delegation can however play a role, provided they are started from network formation or a reasonable time period (say 20 rounds) before the attack begins.

It turns out that the delegation defence, on its own, is rather like the rings of dining steganographers. Network fragmentation is postponed (about 14 rounds with the parameters used here) though not ultimately averted.

What is interesting, however, is this. If we form a network and immunise it by running the delegation strategy, then run a clique defence as well from the initiation of hostilities, this compound strategy works rather better than ordinary cliques. Figure 6 shows the simulation results.

Figure 7 may give some insight into the mechanisms. Delegation results in shorter path lengths under attack: it postpones and slows down the growth of path length that otherwise results from hub elimination. As a result, equilibrium is achieved later, and with a larger minimum connected component.

Fig. 6. Component size: clique, immunization by delegation, and combined clique and delegation defenses against centrality attack. [Plot “Centrality attack with Cliques and Delegation”: component size against rounds (0 to 30); series: no replenishment, delegation, clique, clique + delegation.]

Fig. 7. Clique, immunization by delegation, and combined clique and delegation defenses against centrality attack. [Plot “Centrality attack with Cliques and Delegation”: average inverse geodesic length against rounds (0 to 30); series: no replenishment, delegation, clique, clique + delegation.]

8 Conclusions and Future Work

In this paper, we have built a bridge between network science and evolutionary game theory.
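
The round structure of Sections 3 to 5.1 (a vertex-order attack, then replenishment by the random or the scale-free rule) can be run directly; the Python below is an added example, not the authors' simulation code. N = 400, m0 = 40, 3 edges per new node and a budget of 10 nodes per round come from the text; the cycle joining the seed nodes, the weight of 1 given to isolated nodes, k = 3 for random replenishment and all function names are assumptions.

```python
import random
from collections import deque

def attach(adj, new, k, rng):
    """Scale-free rule: link `new` to k distinct nodes chosen with probability ~ degree."""
    # Isolated survivors get weight 1 so they can still be chosen (assumption).
    pool = [v for v, nb in adj.items() for _ in range(max(len(nb), 1))]
    targets = set()
    while len(targets) < min(k, len(adj)):
        targets.add(rng.choice(pool))
    adj[new] = set(targets)
    for t in targets:
        adj[t].add(new)

def ba_graph(n, m0, k, rng):
    """Barabasi-Albert style growth from m0 seed nodes to n nodes, k edges per new node."""
    # The page does not say how the seed nodes are wired; a cycle is assumed here.
    adj = {i: {(i - 1) % m0, (i + 1) % m0} for i in range(m0)}
    for new in range(m0, n):
        attach(adj, new, k, rng)
    return adj

def largest_component(adj):
    """Size of the largest connected component, by breadth-first search."""
    seen, best = set(), 0
    for start in adj:
        if start in seen:
            continue
        seen.add(start)
        queue, size = deque([start]), 0
        while queue:
            v = queue.popleft()
            size += 1
            for w in adj[v]:
                if w not in seen:
                    seen.add(w)
                    queue.append(w)
        best = max(best, size)
    return best

def vertex_order_attack(adj, budget):
    """Attack phase: destroy the `budget` nodes with the most edges."""
    victims = sorted(adj, key=lambda v: (-len(adj[v]), v))[:budget]
    for v in victims:
        for w in adj.pop(v):
            adj[w].discard(v)
    return victims

def replenish(adj, count, mode, k, rng, next_id):
    """Replenishment phase: add `count` nodes wired by the random or scale-free rule."""
    for new in range(next_id, next_id + count):
        if mode == "scalefree":
            attach(adj, new, k, rng)
            continue
        p = k / len(adj)  # rises from k/(N-r) to k/(N-1) as the phase proceeds
        nbrs = {v for v in adj if rng.random() < p}
        adj[new] = nbrs
        for v in nbrs:
            adj[v].add(new)

def play(mode, rounds=30, n=400, m0=40, k=3, budget=10, seed=1):
    """Run attack-then-replenish rounds; return [(node_count, largest_component), ...]."""
    rng = random.Random(seed)
    adj = ba_graph(n, m0, k, rng)
    history, next_id = [(len(adj), largest_component(adj))], n
    for _ in range(rounds):
        vertex_order_attack(adj, budget)
        if mode != "none":  # "none" is the no-replenishment baseline of Figure 1
            replenish(adj, budget, mode, k, rng, next_id)
            next_id += budget
        history.append((len(adj), largest_component(adj)))
    return history

if __name__ == "__main__":
    for mode in ("none", "random", "scalefree"):
        sizes = [largest for _, largest in play(mode)]
        print(f"{mode:10s}", sizes[:6], "...", sizes[-1])
```

Because the seed wiring and random seed are assumed, the round at which the largest component collapses need not match the figures; the point is the shape of the curves for the three replenishment modes.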
