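Abstract: | An intrusion detection system (IDS) installs protective software on network hosts to detect intruders and to prevent viruses from harming the hosts. Similarly, the U.S. Homeland Security Advisory System (HSAS) establishes emergency operations centers (EOC) and a threat-level alert system to raise the sensitivity of regional emergency response units to terrorist attacks and to improve the efficiency of resource allocation, thereby improving security response capability. Both systems must place many nodes across a wide protected area and cannot comprehensively account for the multiple targets that may be attacked. We use the concept of a multi-agent system (MAS) to deploy the defense system. Because such systems, composed of multiple interacting agents, face outside threats, this study applies game theory to design the system so that it can cope with large numbers of attacks and sabotage. A survey of current related research shows that scalability problems arise when the number of response agents considered is too large. This study proposes an integrated game model to improve this problem and builds a system that prioritizes the allocation of multiple agents to protect the security of the overall system.
This dissertation combines noncooperative and cooperative game models and proposes a two-stage integrated model. The first stage uses a noncooperative game to model and analyze the interaction between the outside attacker and the defending agent, and then computes from the Nash equilibrium the threat value of a single agent under attack. The second stage uses a cooperative game to model the resource-sharing interactions among multiple agents. Under different security alert levels, the agents' threat values are used to compute Shapley values, so that a feasible set of defending-agent allocations can be obtained based on each agent's average marginal contribution. The proposed model is applied to three cases, and the numerical simulation results have two implications. First, the model can quantify the threat value of each response agent and can predict which response agents are more vulnerable to attack and which are more robust, supporting system administrators' decisions. Second, if the overall security situation is divided into several levels, this study finds that at lower alert levels the administrator can divide all of the system's resources evenly among most of the response agents, achieving a "nip problems in the bud" function, while at higher alert levels all resources are given to a small number of important agents, a trade-off of "focusing on the major and letting go of the minor". Under limited resources, the resources of the overall multi-agent system can be allocated effectively. Emergency managers applying this framework can quantitatively assess which agent is more at risk, increasing the system's ability to respond to outside threats.
In intrusion detection systems (IDSs), a software sensor is installed on a network host to identify intrusions and viruses, and to prevent them from entering the host, by analyzing system calls. The Homeland Security Advisory System (HSAS) was developed by the U.S. government to set up an alarm system for emergency operations centers (EOC) and to decide when to raise the system's threat level. The HSAS raises the sensitivity of various regional emergency agencies, and strengthens resource reallocation and deployment efficiency, so as to improve the response agencies' capability against terrorist attacks. Because IDS and HSAS need to deploy response nodes on a large scale across the whole region, these systems cannot fulfill the resource allocation requirements when all targeted nodes are attacked by outside attackers, especially when the available resources are constrained. Thus, the concept of a multi-agent system (MAS) is applied to construct these systems. These MASs are designed to deploy multiple response agents when facing outside threats.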
Related work encounters a scalability problem: whether a MAS can handle growing amounts of agent work, or a large number of agents, in a graceful manner. Therefore, an integrated model of a noncooperative game and a cooperative game is proposed to improve this problem and to prioritize the allocation of MAS resources so as to implement overall system security. This dissertation proposes a two-stage model that connects the noncooperative game model with the cooperative game model. In the first stage, the interactive behaviors between the outside attacker and the district response agent are modeled and analyzed as a noncooperative game, after which the outside threat value is derived from the Nash equilibrium. In the second stage, the interactive behaviors among agents are modeled as a cooperative game, and the threat value is used to compute the Shapley value of all response agents for several different threat levels. An acceptable resource allocation for the response agents, based on the expected marginal contribution, then yields a minimum set of resource deployment costs. The two-stage model is applied to three MAS cases, and the experimental results are discussed. Two implications are suggested. First, based on the interactions between agent and attacker, the proposed model supports administrators' decision-making by predicting which agent is more vulnerable to attack and which agent is more robust against outside attacks. Second, the overall security situation of the protected region is divided into a number of alert levels. The experimental results show that at a low level, the MAS advises emergency managers to redistribute the response resources to many agents in order to "nip attacks in the bud". When the alert level is raised to its highest level, emergency managers redistribute all resources to a small number of critical agents in order to "achieve the goal of resisting serious attacks and discarding less effective agents".
Thus, the two-stage model makes it possible to allocate resources efficiently across the overall system under resource constraints. In addition, this framework can be used to increase the emergency manager's ability to respond immediately to multiple outside attacks. |