Effective Network Defense Strategies against Malicious Attacks with Various Defense Mechanisms under Quality of Service Constraints




Frank Yeong-Sung Lin
Department of Information, National Taiwan University, Taipei, Taiwan, R.O.C.
yslin@im.ntu.edu.tw

Yu-Shun Wang
Department of Information, National Taiwan University, Taipei, Taiwan, R.O.C.
d98002@im.ntu.edu.tw

Yu-Pu Wu
Department of Information, National Taiwan University, Taipei, Taiwan, R.O.C.
r99012@im.ntu.edu.tw

Cha-Yang Hsu
Department of Information, National Taiwan University, Taipei, Taiwan, R.O.C.
r98033@im.ntu.edu.tw

Abstract

How to apply timely and effective defense strategies against attackers while maximizing system survivability is a critical issue for a defender. This paper mathematically models attack and defense scenarios, using various defensive mechanisms during both the planning and defending stages and under quality of service constraints. This model incorporates high degrees of randomness, as attackers are assumed to have incomplete information. Given such nondeterministic problems, this paper identifies the appropriate time for applying defense in depth or resource concentration strategy.

Keywords: Network Survivability; Defense Strategies; Mathematical Programming; Incomplete Information;

I. INTRODUCTION

The losses caused by cyber-attacks are a critical issue for business enterprises. In State of Enterprise Security [1], the authors note that the top costs of cyber-attacks include lost productivity, lost revenue and the loss of customer trust. Similarly, the 2011 Global State of Information Security Survey [2] also listed financial losses, theft of intellectual property, and a compromised brand or reputation as the top three consequences of cyber-attacks.

The first step in discussing cyber-attack-and-defense is to determine how to measure the defensive status of a given system. There are many ideal metrics within the existing literature that are widely used to describe system status, for example, survivability, availability, reliability and dependability. In this work, we focus specifically on survivability for measuring network systems. We adopt the definition from [3] and define survivability as the capability of a system to fulfill its mission, in a timely manner, in the presence of attacks, failures, or accidents, where system is defined in the broadest possible sense, including networks and large-scale systems of systems. In this way, our adopted definition not only follows a system perspective, but also a service perspective which focuses on maintaining the quality of service. Maintaining a focus on service is important because while defending against malicious attacks, the defender must maintain provided services smoothly. In other words, the defender must not only protect the system, but also simultaneously serve legitimate users at a certain level of QoS (Quality of Service). Therefore, survivability is an ideal metric for judging defensive capabilities.

In our previous network attack and defense studies, models are often configured so that attackers can compromise target nodes only if their spent resources are greater than the defensive resources deployed on nodes. However, such models are too simple to reflect real world scenarios since they are deterministic. One solution to this problem is to adopt the contest success function. In [4], the contest success function is applied from economics to determine each player's probability of winning as a function of all players' efforts. The form of the contest success function is $\frac{T^m}{T^m + t^m}$, where $T$ and $t$ denote resources that each player has invested respectively, and $m$ denotes contest intensity. In [5] and [6], the authors adopt the contest success function for network attack and defense scenarios, where $T$ refers to resources that the attacker spends on the target node and $t$ stands for the defensive resources deployed on the same node. In this work, the contest success function is also utilized for determining the probability of an attacker successfully compromising one node.

Defenders often act reactively in network attack and defense scenarios. However, as technology progresses, defense solutions are no longer bounded by general defense resources such as firewalls or IPS (Intrusion Prevention System). Now, there are also mechanisms like dynamic topology reconfiguration [7] [8], cloud computing security services (i.e., Security as a Service, SaaS) [9] [10], and attack signatures that help grant immunity to certain types of attacks. Moreover, as cloud computing increases in popularity, virtualization techniques have garnered more attention. Many defense solutions are developed based on these technologies, such as the Virtual Machine Monitor Intrusion Prevention System (VMM-IPS), which is an intrusion prevention system embedded in the VMM that controls all corresponding virtual machines [11] [12].

However, time and improved techniques have not only resulted in improved defenses, but also improved attacks. Attack tools and equipment have continually evolved not only in quantity but also quality. Before launching an attack, attackers spend a certain portion of their budget to acquire attack tools as preparation. This includes buying ready-made tools, reconstructing tools based on ready-made examples, and self-development projects. Intuitively, buying ready-made tools costs less since attackers can spend less time configuring them. However, they are also easily blocked by security tools such as intrusion prevention systems, since the signatures of the ready-made tools may already be well known. Furthermore, ready-made tools tend to be lower in quality than self-developed alternatives. Higher-quality attack tools often more effectively utilize the full budget of an attacker.

Obtaining attack tools allows an attacker to launch an attack; however, in most cases attackers do not have complete information regarding the target network, like the exact location of core nodes and defense configuration. They can only collect information during an attack. The incomplete information assumption makes the attack-defense scenario more realistic but raises the difficulty in solving the problem. As a result, much previous research must assume that attackers have perfect knowledge regarding target networks [5] [6] [13].

Although the defender can apply diverse defense mechanisms, some of these solutions have negative effects on the quality of service. For instance, dynamic topology reconfiguration may increase the number of hops (i.e., intermediate nodes) that legitimate users experience. Therefore, defenders must deliberately apply defense strategies to minimize the attackers' success probability. For defense resource allocation, there are two well-known strategies defenders can apply: resource concentration and defense in depth strategy. However, these strategies are not universal. It is extremely important to determine under what conditions resource concentration or defense in depth strategy perform better in terms of survivability.

Given these problems, this paper provides several contributions to the existing literature. It first examines the robustness of grid, random, and scale free networks. It then identifies the proper time and conditions for resource concentration and defense in depth strategies, as well as considers various attack/defense mechanisms and the quality of service constraints within attack and defense scenarios. Lastly, it provides a more realistic attack scenario by assuming that attackers have incomplete information on the target network.

II. RELATED WORK

As mentioned above, the determination of whether an attacker compromises a node is based on the contest success function, originating from economics. The major characteristic of this function is contest intensity. As an exponent, the value significantly influences the result. According to previous research [14] [15], the different values of contest intensity reflect distinct real world battle scenarios. When contest intensity lies between 0 and 1, it represents fight to win or die circumstances. For contest intensity greater than 1, the effectiveness of the resources each player invested is exponentially increasing, since contest intensity is the exponent of the contest success function. When $m \to \infty$, it depicts a winner takes all circumstance.

In most attack and defense scenario studies, researchers either consider few defense mechanisms in a simple system or assume the attacker has complete information on the target network [5] [6] [13]. For example, in [5], the authors propose an optimal distribution of defense resources in a series system, rather than a network topology. Regarding [6], the authors assume that the defender only has one single object that can be destroyed by the attacker. Such an assumption is not suitable for the service-providing scenario considered in this work, since it results in poor quality of service. Lastly, with [13], the authors assume the attacker has complete information on the target network and that the attacker collects every detail of the defense configuration before launching their assault.

The defense mechanisms considered in this work are all referenced from either academic or practical domains. For instance, in [4] and [5], the authors apply the concept of rotating servers to improve system survivability. Extending this idea, with the help of the Security Operation Center (SOC), the defender is capable of dynamically regulating the network's topology, such as the connections between nodes. Once there is a detected compromised node, the defender can filter out the traffic sourced from that node. Here, this kind of defense strategy is denoted as Dynamic Topology Reconfiguration. Although this technique is effective in stalling attackers, it may severely jeopardize the quality of service. Therefore, a defender should carefully consider their options before applying this defense mechanism.

Other options involve virtualization techniques, which allow underlying physical resources to be shared between different Virtual Machines (VMs). The firmware that provides this virtualization is called a Virtual Machine Monitor (VMM). Since all access to hardware resources must go through the VMM, it becomes an ideal place to implement the Intrusion Prevention System (IPS) [11] [12] [16]. Therefore, the term VMM-IPS denotes an intrusion prevention system constructed within a VMM, protecting all VMs governed by the same VMM. For instance, a VMM can filter out malicious traffic to protect the system. However, this kind of mechanism, called local defense, may also result in false positives that filter out legitimate users. Therefore, it is assumed that there is a certain probability that this local defense service has a negative effect on quality of service.

Furthermore, while under attack using a VMM, the defender is able to request from a third party security service provider the signature of the attack. Once the signature is updated, all VMs and VMMs are immune to this particular attack. Nevertheless, because the VMM has total control of its VMs, compromising the VMM is the same as compromising all the VMs governed by it.

In addition to the signature, the concept of a service oriented perspective is increasingly popular within the security domain. Providers are gradually preferring to perform security services remotely rather than selling local products. For example, in [17], the provider performs different levels of traffic inspection and filtering services from a cloud environment. Nonetheless, similar to local defense services, there are still chances that false positives will occur. Thus it is assumed that there is a certain probability that this strategy will still jeopardize QoS.
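The following Python sketch is an added illustration, not code from the paper: it evaluates the contest success function from the Introduction, inverts it to get the spend an attacker needs for a chosen per-attempt success probability, and compares resource concentration with defense in depth on a toy series path. The series path, the retry rule, the function names and every number are constructed assumptions, and the chosen success probability only stands in for attacker aggressiveness.

```python
"""Contest success function (CSF) on a toy series attack path.

Constructed illustration: the path model, retry rule and numbers are
assumptions made for this example, not the paper's simulator.
"""
import math


def csf(T, t, m):
    """Probability that attack effort T beats defense t at contest intensity m."""
    if T <= 0:
        return 0.0
    if t <= 0:
        return 1.0  # an undefended node falls to any positive effort
    return T**m / (T**m + t**m)


def required_spend(t, p, m):
    """Invert the CSF: effort T giving success probability p against defense t.

    p = T^m / (T^m + t^m)  =>  T = t * (p / (1 - p)) ** (1 / m)
    For p > 0.5 the spend falls as m grows; for p < 0.5 it rises.
    """
    if not 0.0 < p < 1.0:
        raise ValueError("p must lie strictly between 0 and 1")
    return t * (p / (1.0 - p)) ** (1.0 / m)


def at_least(n, k, p):
    """P[Binomial(n, p) >= k]: at least k successes in n independent attempts."""
    if k <= 0:
        return 1.0
    if n < k:
        return 0.0
    below = sum(math.comb(n, i) * p**i * (1.0 - p) ** (n - i) for i in range(k))
    return 1.0 - below


def compromise_probability(R, hops, concentrate, W, p, m):
    """Chance the attacker takes the core node before budget W runs out.

    The attacker must compromise `hops` nodes in sequence and retries each
    failed attempt at the same per-attempt success probability p.
      concentrate=True : all defense R sits on the core node; the other
                         nodes are undefended and assumed to cost nothing.
      concentrate=False: defense in depth, R / hops on every node.
    """
    defended = 1 if concentrate else hops
    cost = required_spend(R / defended, p, m)    # spend per attempt
    attempts = math.floor(W / cost + 1e-9)       # epsilon absorbs float error
    return at_least(attempts, defended, p)


def compare(R, hops, W, p, m):
    """Return (concentration, depth) compromise probabilities for one attacker."""
    return (compromise_probability(R, hops, True, W, p, m),
            compromise_probability(R, hops, False, W, p, m))


if __name__ == "__main__":
    for p in (0.2, 0.8):
        for m in (0.5, 1.0, 1.5, 2.0):
            print(f"p={p} m={m} spend vs t=100: {required_spend(100, p, m):9.2f}")
    # Constructed attackers: cautious with small m, aggressive with large m.
    print("p=0.2 m=0.5 W=100 :", compare(300, 3, 100, 0.2, 0.5))
    print("p=0.8 m=2.0 W=1200:", compare(300, 3, 1200, 0.8, 2.0))
```

With these constructed inputs the cautious attacker does slightly worse against defense in depth (about 0.648 versus 0.672) and the aggressive attacker does worse against concentration (0.960 versus 0.983). Other budgets can reverse either ordering, so the sketch is a way to explore the model rather than a reproduction of the paper's results.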

III. PROBLEM FORMULATION

A. Problem Description

In order to improve network survivability, the defender allocates finite resources on nodes during the planning phase, including installing a virtualization environment, setting up cloud security service software and establishing the VMM-IPS. While under attack, the defender is capable of immediately applying some defense strategies, such as requesting an attack signature, under quality of service constraints. The defender may be an enterprise or a government administrator, and there are several core nodes providing services with different priorities. The detailed assumptions are listed in table 1.

TABLE I: PROBLEM ASSUMPTIONS
1. There are multiple core nodes and services in the network.
2. Each core node can provide only one specific service.
3. Each service has a different weight determined by the defender.
4. There is a Security Operation Center (SOC) governing the network.
5. The defender has perfect knowledge of the network and can allocate resources or adopt defense solutions by the SOC.
6. Attackers only have incomplete information about the network.
7. Whether a node is compromised or not is determined by the revised contest success function.
8. Only malicious nodal attacks are considered.

For attackers, each carries a distinct budget, capability and aggressiveness that match a general distribution. While selecting the next candidate to compromise, attackers depend on the situation at the moment to adopt corresponding criteria. According to [18], the authors propose several attack strategies, most of which are implemented in the attackers' selecting criteria, which are used to choose the next victim to compromise.

B. Mathematical Formulation

Based on the problem description, a corresponding mathematical formulation is proposed. The given parameters are listed in table 2, and the decision variables are presented in table 3. Since the previously discussed scenario is nondeterministic and involves significant amounts of randomness, it is quite difficult to formulate purely using mathematics. Consequently, the proposed model includes verbal notations, which are listed in table 4.

TABLE II: GIVEN PARAMETERS
Notation | Description
$N$ | The index set of all nodes
$C$ | The index set of all core nodes
$L$ | The index set of all links
$M$ | The index set of all levels of virtual machine monitors (VMMs)
$H$ | The index set of all levels of cloud security services
$S$ | The index set of all kinds of services
$Q$ | The index set of all candidate nodes equipped with cloud security agent
$B$ | The defender's total budget
$E$ | All possible defense configurations, including defense resource allocations and defending strategies
$Z$ | All possible attacker categories, including attacker attributes, corresponding strategies and transition rules
$A_{ij}$ | An attack configuration, including the attributes, corresponding strategies and transition rules of the attacker who launches the $j$th attack on the $i$th service, where $i \in S$, $1 \le j \le F_i$
$F_i$ | The total attacking times on the $i$th service for all attackers, where $i \in S$
$w$ | The cost of constructing one intermediate node
$o$ | The cost of constructing one core node
$p$ | The cost of constructing each virtual machine (VM)
$k_i$ | The maximum number of virtual machines on VMM level $i$, where $i \in M$
 | The weight of the $i$th service, where $i \in S$
$c$ | The cost of setting a cloud security agent to one node
d r | The ratio of defense enhanced on VMs and VMM when local defense is activated
 | The ratio of defense enhanced by applying level $i$ cloud security services, where $i \in H$

TABLE III: DECISION VARIABLES
Notation | Description
$D_i$ | A defense configuration, including defense resource allocation and defending strategies on the $i$th service, where $i \in S$
$T_{ij}(D_i, A_{ij})$ | 1 if the attacker can achieve his goal successfully, and 0 otherwise, where $i \in S$, $1 \le j \le F_i$
$n_i$ | The general defense resource allocated to node $i$, where $i \in N$
$e$ | The total number of intermediate nodes
$q_{ij}$ | The capacity of the direct link between node $i$ and $j$, where $i \in N$, $j \in N$
$l_i$ | The number of VMs and level $i$ VMM purchased, where $i \in M$
$v(l_i)$ | The cost of constructing a level $i$ VMM with $l_i$ VMs, where $i \in M$
$x_i$ | 1 if node $i$ is equipped with the cloud security agent, 0 otherwise, where $i \in N$
$B_{NL}$ | The budget of constructing nodes and links
$B_{general}$ | The budget of general defense resource
$B_{special}$ | The budget of special defense resources
$B_{virtualization}$ | The budget of virtualization
$B_{cloudagent}$ | The budget of equipping cloud agents

TABLE IV: VERBAL NOTATIONS
Notation | Description
$G_{core}$ | Residual loading of each core node, where $i \in C$
$U_{link}$ | Link utilization, where $i \in L$
$K_{effect}$ | Negative effect caused by applying flawed signature
$I_{effect}$ | Negative effect caused by applying dynamic topology reconfiguration
$J_{effect}$ | Negative effect caused by applying flawed local defense
$P_{effect}$ | Negative effect caused by applying cloud security service
$O_{tocore}$ | The number of hops that legitimate users experienced from one of the edge nodes to core nodes
$Y$ | The total compromise events
$W_{threshold}$ | The predefined QoS threshold
$W_{final}$ | The final QoS level at the end of an attack
W() |
defense | The total defense resource of the shortest path from detected compromised nodes to one core node divided by total defense resource
hops | The minimum number of hops from detected compromised nodes to one core node divided by the maximum number of hops from attacker's starting point to one core node
degree | The link degree of one core node divided by the maximum link degree among all nodes in the topology
s priority | The priority of service $i$ divided by the highest priority of service in the network, where $i \in S$
threshold | The risk threshold of core nodes
() | The risk status of each core node, which is the aggregation of defense resource, number of hops, link degree and service priority

The objective function (IP 1) stands for the defender's objective, which is to minimize the weighted service compromise probability by effectively adjusting the defense configuration. Evidently, any defense configuration that the defender applies should come out of all possible defense configurations; the corresponding constraint is (IP 1.1). Alternatively, (IP 1.2) represents a similar idea for the attackers' side. (IP 1.3) means that the link capacity must be a positive quantity. (IP 1.4) ~ (IP 1.9) jointly describe that the cost of constructing nodes, links, virtual machines, cloud security agents and deploying general defense resources during the planning phase should not violate budget limitations. (IP 1.10) ~ (IP 1.14) are integral and numerical constraints.

Objective Function: F Constraints: D E min D S j j j1 S T ( D, A ) F (IP 1) S (IP 1.1) Aj Z S,1 j Fk (IP 1.2) ks qj 0, j N (IP 1.3) BNL Bgeneral Bspecial B (IP 1.4) Bvirtualization Bcloudagent Bspecial (IP 1.5) gq ( j ) weo C N jn 2 BNL (IP 1.6) n Bgeneral (IP 1.7) N vl ( ) p l k B virtualization (IP 1.8) M M x c Bcloudagent (IP 1.9) N gq ( j ) 0, j N (IP 1.10) n 0 N (IP 1.11) vl ( ) 0 M (IP 1.12) e 0 (IP 1.13) x 0 or 1 N (IP 1.14) Verbal constraints : Y y WGcore U K I J Peffect Otocore dy (IP 1.15) link effect effect effect j [ (,,,,,, )] 1 Y Wthreshold, where C, jl Wfinal Wthreshold (IP 1.16) The total cost of applying defending phase solutions must not violate budget limitation (IP 1.17) ( defense, hops, degree, s ) threshold, where S. (IP 1.18) priority

Beyond those constraints that are well-modeled mathematically, there are still some constraints that must be described verbally. (IP 1.17) refers to the budget constraint of the defense phase. While adopting any defense solution, the defender must consider related budget limitations. (IP 1.18) describes how all defending phase solutions are activated only if the risk level is higher than a predefined threshold.

IV. COMPUTATIONAL EXPERIMENTS

A. Simulation Environment

All simulations are programmed in the C language. The system parameters are listed in table 5. The evaluation times for each attack and defense scenario are determined by simulations, which are presented in the next section. For defender-related parameters, grid, random and scale free topologies are applied to network types. The constructing algorithms of random and scale free networks are cited from [19] and [20]. The remaining parameters are presented in table 6. For attacker-related parameters, three important attributes are considered, including total budget, capability, and aggressiveness. All of these attributes shown in table 7 are determined by a general distribution. In the following simulations, a normal distribution is applied for deciding the value of each attribute.

TABLE V: SYSTEM PARAMETERS
Parameter | Value
Compiler | GNU GCC
Evaluation Times for each Attack and Defense Scenario | 70,000

TABLE VI: DEFENDER PARAMETERS
Parameter | Value
Topology Type | Grid, Random, Scale-Free
Topology Scale | Small | Medium
Number of Nodes | 9 | 25
Number of Service(s) | 1 | 2
Number of Total Core Node(s) | 1 | 3
Total Budget for Network Construction and Defense | 500,000 | 1,000,000

TABLE VII: ATTACKER PARAMETERS
Parameter | Value
Total Budget | Normal distribution with boundary (300,000 ~ 1,500,000)
Capability | Normal distribution with boundary (0 ~ 1)
Aggressiveness | Normal distribution with boundary (0 ~ 1)

B. Simulation Results

1) Convergence

In this work, the convergence of data is considered as the numerical stability. While the magnitude of data vibrations is within the acceptable interval, for example, 0.2%, the corresponding number of simulation times is set to be the evaluation times for each attack and defense scenario. For each simulation, the horizontal axis represents the evaluation time, and the vertical axis stands for the network system compromise probability, which is the objective function of the proposed mathematical model. Figure 1 demonstrates that when the attack and defense scenario takes place on a 9 node grid network, the contest intensity equals 2. The fluctuation of the network compromise probability is less than 0.2% when evaluation times exceed 69,000. Based on this result, the evaluation time for each attack and defense scenario is determined to be 70,000.

Fgure 1. Convergence experment on a 9 nodes grd network 2) Influence of Contest Intensty and Aggressveness As mentoned n the problem descrpton, the contest ntensty greatly nfluences the nature of an attack and defense scenaro. However, there s no obvous trend for system compromse probablty through dfferent values of contest ntensty [5] [6]. The result of these smulatons s consstent wth prevous research [5], [6]. In fgure 2, a 9 nodes scale free network s taken for example. As the value of contest ntensty ncreases, the system compromse probablty does not show an ncreasng or decreasng trend. Instead, the compromse probablty s low when contest ntensty equals 0.5 and 1.5. Whle the ntensty s 1 and 2, the probablty s hgh. Fgure 3. Influence of contest ntensty and aggressveness on a 25 nodes grd network The same results can be observed n scale free and random networks. Correspondng data s shown n fgure 4 and 5. Ths result s because once the attacker determnes hs/her aggressveness to a certan node, the correspondng cost can be calculated by the contest success functon. Wth dfferent values of contest ntensty, the cost that one attacker must spend for compromsng each node s dstnct. In other words, when the value of contest ntensty ncreases, the cost of compromsng one node for a certan attacker exponentally decreases. Fgure 4. Influence of contest ntensty and aggressveness on a 25 nodes scale-free network Fgure 2. Influence of contest ntensty on a 9 nodes scale-free network However, f the nfluences of contest ntensty and attacker aggressveness are jontly consdered, there are some nterestng results that must be explaned. As shown n fgure 3, the attack and defense scenaro s constructed on a 25 nodes grd network. If attacker aggressveness s determned by a normal dstrbuton wth lower boundary 0.1 and upper boundary 0.9, there s no trend on compromse probablty. 
Nevertheless, if the normal distribution of attacker aggressiveness is bounded by 0.1 ~ 0.5 or 0.5 ~ 0.9, there are obvious trends. For the lower interval of attacker aggressiveness, the system compromise probability shows a decreasing trend through the value of contest intensity from 0.5 to 2. With regard to the higher interval of attacker aggressiveness, the compromise probability displays an increasing tendency.

Figure 5. Influence of contest intensity and aggressiveness on a 25 nodes random network

Therefore, when the value of contest intensity is small, attackers with a high value of aggressiveness must spend a large portion of their budget to compromise every target. More specifically, attackers with high aggressiveness will exhaust their budget at an early stage. They consume more resources to compromise fewer nodes with high success probability. Consequently, the system compromise probability is low. In contrast, when the value of contest intensity is large, the cost of compromising each node for attackers with a high degree of aggressiveness is far lower than the scenario with a small value of contest intensity. Hence, even for attackers with high degrees of aggressiveness, the cost of compromising the whole system is affordable. For attackers with low levels of aggressiveness, the system compromise probability is higher when the degree of contest intensity is small. Although these attackers may suffer from many attack failures and have to compromise again, the total attack cost is still lower than attackers with a high value of aggressiveness.

V. DISCUSSION OF RESULTS

Defense in depth strategy is advantageous for defenders facing less aggressive attackers with fight to win or die circumstances

Less aggressive attackers tend to spend small amounts of resources on compromising their target nodes. They prefer opportunism; failure in compromising intermediated nodes is acceptable. Spending large amounts of resources for compromising targets is not a proper strategy for such attackers. While under fight to win or die circumstances (i.e., contest intensity is small [14]), the effectiveness of defensive resources exponentially decreases. Thus, a resource concentration strategy results in poor survivability. Therefore, for the defender facing less aggressive attackers with fight to win or die circumstances, a defense in depth strategy maintains a better degree of survivability than resource concentration strategies.

Resource concentration strategy is advantageous for defense against aggressive attackers with winner takes all circumstances

Aggressive attackers tend to spend large amounts of resources to compromise their target nodes with high success probability. They prefer pragmatism. A one-shot compromise of the targeted node is an ideal strategy. Spending fewer resources for each attack and accepting risk or failure is not acceptable for this attack type. With winner takes all circumstances (i.e., contest intensity is large [15]), the effectiveness of defense resource is significant. The performance of resource concentration strategy is better than defense in depth strategy. Hence, for the defender facing aggressive attackers with winner takes all circumstances, concentrating finite defense resources on a few important nodes is a better strategy for achieving higher survivability.

VI. CONCLUSION AND FUTURE WORK

In summary, the degree of randomness involved in the problem discussed above creates a non-deterministic situation, for which various defense mechanisms are considered. This paper successfully models the problem as a mathematical formulation. Further, through the simulation results, effective defense strategies are provided to the defender. For future work, other types of defense mechanisms and attributes may be considered to increase the robustness of the modeled scenario.

ACKNOWLEDGMENT

This work was supported by the National Science Council, Taiwan, Republic of China (grant nos. NSC 100-2221-E-002-174).

REFERENCES

[1] "State of Enterprise Security," Symantec Corporation, Technical report, 2010.
[2] "Global State of Information Security Survey," PwC, Technical report, 2011.
[3] R. J. Ellison, et al., "Survivable Network Systems: An Emerging Discipline," Technical Report CMU/SEI-97-TR-013, 1997 (Revised: May 1999).
[4] S. Skaperdas, "Contest success functions," Economic Theory, vol. 7, pp. 283-290, 1996.
[5] K. Hausken and G. Levitin, "Protection vs. false targets in series systems," Reliability Engineering & System Safety, vol. 94, pp. 973-981, 2009.
[6] G. Levitin and K. Hausken, "False targets efficiency in defense strategy," European Journal of Operational Research, vol. 194, pp. 155-162, 2009.
[7] Y. Huang, et al., "Incorruptible system self-cleansing for intrusion tolerance," 25th IEEE International Conference on Performance, Computing, and Communications (IPCCC), pp. 492-496, 2006.
[8] Y. Huang, et al., "Closing Cluster Attack Windows Through Server Redundancy and Rotations," Sixth IEEE International Symposium on Cluster Computing and the Grid, vol. 2, pp. 21, 2006.
[9] H. E. Schaffer, "X as a Service, Cloud Computing, and the Need for Good Judgment," IT Professional, vol. 11, pp. 4-5, 2009.
[10] Johns, Software as a Service - SaaS: Emerging trends in IT, (http://knol.google.com/k/johns/software-as-a-servce-saas/54w8qsaycxa/2), 2008.
[11] VMware, VMware vShield™ Product Family, http://www.vmware.com/products/vsheld/
[12] Trend Micro, Trend Micro Deep Security, http://tw.trendmcro.com/tw/products/enterprse/deep-securty/ndex.html
[13] C. Ryu, R. Sharman, H.R. Rao, S. Upadhyaya, "Security protection design for deception and real system regimes: A model and analysis," European Journal of Operational Research, vol. 201, issue 2, pp. 545-556, 2010.
[14] Jack Hirshleifer, "Conflict and rent-seeking success functions - Ratio vs difference models of relative success," Proc. Public Choice, pp. 101-112, 1989.
[15] Jack Hirshleifer, "The Paradox of Power," Proc. Economics and Politics, vol. 3, pp. 177-200, 1993.
[16] P. M. Chen and B. D. Noble, "When Virtual Is Better Than Real," Eighth Workshop on Hot Topics in Operating Systems, 2001.
[17] Zscaler Products. http://www.zscaler.com/productsataglance.html
[18] F. Cohen, "Managing network security: Attack and defence strategies," Network Security, vol. 1999, pp. 7-11, 1999.
[19] J. Blitzstein and P. Diaconis, "A Sequential Importance Sampling Algorithm for Generating Random Graphs with Prescribed Degrees," Internet Mathematics, vol. 6, pp. 489-522, 2011.
[20] S. Nagaraja and R. Anderson, "Dynamic Topologies for Robust Scale-Free Networks," Bio-Inspired Computing and Communication, vol. 5151, pp. 411-426, 2008.
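The contest-intensity trends discussed around Figure 5 can be reproduced in a toy model. The following is an added example, not the authors' simulation code. It assumes the ratio-form contest success function of [4], reads aggressiveness as the per-attempt success probability the attacker pays for, and uses a constructed serial path of six nodes with unit defense and an attack budget of 12.

```python
import random

def attack_cost(defense, aggressiveness, m):
    """Resources T an attacker must commit so that the ratio-form contest
    success function T**m / (T**m + defense**m) equals `aggressiveness`."""
    if not 0.0 < aggressiveness < 1.0:
        raise ValueError("aggressiveness must lie strictly between 0 and 1")
    return defense * (aggressiveness / (1.0 - aggressiveness)) ** (1.0 / m)

def sample_aggressiveness(rng, lo, hi):
    """Normal draw centred on the interval, rejected until it falls inside
    [lo, hi] (assumed reading of 'normal distribution bounded by lo ~ hi')."""
    mean, sigma = (lo + hi) / 2.0, (hi - lo) / 6.0
    while True:
        a = rng.gauss(mean, sigma)
        if lo <= a <= hi:
            return a

def compromise_probability(lo, hi, m, budget=12.0, defenses=(1.0,) * 6,
                           trials=4000, seed=7):
    """Fraction of simulated attackers that take every node on a serial path
    before running out of budget. Failed attempts are paid for and retried.
    Budget, path length and defense levels are constructed sample values."""
    rng = random.Random(seed)
    wins = 0
    for _ in range(trials):
        a, left, taken = sample_aggressiveness(rng, lo, hi), budget, 0
        for d in defenses:
            cost = attack_cost(d, a, m)
            while left >= cost:
                left -= cost
                if rng.random() < a:   # attempt succeeds with probability a
                    taken += 1
                    break
            else:
                break                  # cannot afford another attempt
        wins += taken == len(defenses)
    return wins / trials

if __name__ == "__main__":
    for lo, hi in ((0.1, 0.5), (0.5, 0.9)):
        for m in (0.5, 1.0, 2.0):
            print(f"aggressiveness {lo}~{hi}  m={m}: "
                  f"{compromise_probability(lo, hi, m):.3f}")
```

Because the cost per attempt scales as (a/(1-a))^(1/m), a small contest intensity m inflates the cost for a > 0.5 and shrinks it for a < 0.5, which is why the two aggressiveness intervals move in opposite directions as m grows.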