CS7701: Research Seminar on Networking
http://arl.wustl.edu/~jst/cse/770/

Review of: Detecting Network Intrusions via Sampling: A Game Theoretic Approach
Paper by: Murali Kodialam (Bell Labs), T.V. Lakshman (Bell Labs)
Published in: IEEE Infocom 2003
Reviewed by: James Moscola
Discussion Leader: Todd Sproull

Outline
• Introduction
• Problem Definition
• Solution of the Game
• Routing to Improve the Value of the Game
• Variants and Extensions
• Experimental Results
• Conclusions

Introduction
• Two key areas of network security are:
  • Intrusion Detection
  • Intrusion Prevention
• Intrusions can be:
  • Denial of Service attacks
  • Viruses
• In a typical intrusion problem the intruder tries to access a particular file server or website
• The authors examine the problem where an intruder attempts to send a malicious packet to a given network node
• The network attempts to detect the intrusion through sampling

Background
• Previous work that used network sampling:
  • [6] – “SRED: Stabilized RED”
  • [7] – “CHOKE, A Stateless Active Queue Management Scheme for Approximating Fair Bandwidth Allocation”
  • [3] – “A Framework for Passive Packet Measurement”
  • All of the above require ONLY header sampling
• What’s different with this work:
  • Detecting an intrusion will most likely require looking at more than the header
  • Must sample in real time if we want to detect and prevent an intrusion
  • Must keep the sampling cost in mind during analysis

Problem Definition
• Network set-up
  • G = (N, E)
  • N is the set of nodes
  • E is the set of unidirectional links
  • n is the number of nodes
  • m is the number of links
  • The capacity of link e ∈ E is denoted c_e
  • The traffic on link e is denoted f_e
  • P_uv is the set of paths from u to v in G
  • M_uv(w) is the maximum flow that can be sent from node u to node v with w as the link capacities
  • C_uv is the set of links in the minimum cut

Problem Definition (continued)
• Network Intrusion Game
  • Two players
  • Intruder
    • Injects an attack packet from attack node a, trying to reach target node t
    • Successful if the attack packet reaches t undetected
  • Service Provider
    • Detects malicious packets
    • Samples packets along the links of the network looking for malicious packets
    • The intrusion is detected if the service provider samples the attack packet

Problem Definition (continued)
• Constraints of the game
  • The service provider is given a sampling bound of B packets per second to make the game more interesting and realistic
    • If the service provider could sample EVERY packet he could always win
    • In the real world there wouldn’t be enough resources to sample all packets anyway
  • The sampling of B packets per second can be arbitrarily distributed over all links of the network
  • The probability of detecting a malicious packet on a given link is p_e = s_e / f_e, where s_e is the sampling rate on link e
  • Σ_{e∈E} s_e ≤ B
• More assumptions to make the game more interesting
  • Service provider AND intruder have complete knowledge of the network topology
  • The intruder is capable of picking paths in the network for his attack, to make detecting the attack more difficult for the service provider

Strategies for the Game
• Intruder
  • Select an attack path from the set of all available paths between a and t (P_at) with probability q(P)
  • Probability distribution over the paths in P_at such that Σ_{P∈P_at} q(P) = 1
  • V = { q : Σ_{P∈P_at} q(P) = 1 } is the set of possible probability allocations over the set of paths between a and t
• Service Provider
  • Choose the sampling rates for the network links that give the greatest probability of detecting an attack
  • U = { p : Σ_{e∈E} p_e f_e ≤ B } is the set of possible detection probability vectors that are within the sampling budget B

Payoff / Strategy
• The expected number of times the malicious packet is detected on its way from a to t, under the path distribution q:
  • Σ_{P∈P_at} q(P) · Σ_{e∈P} p_e
• The service provider wants to maximize this number:
  • max_{p∈U} Σ_{P∈P_at} q(P) · Σ_{e∈P} p_e
• But the intruder knows this, and thus wants to minimize the service provider’s maximum:
  • min_{q∈V} max_{p∈U} Σ_{P∈P_at} q(P) · Σ_{e∈P} p_e
• The flip side:
  • The intruder wants to minimize Σ_{P∈P_at} q(P) · Σ_{e∈P} p_e
  • min_{q∈V} Σ_{P∈P_at} q(P) · Σ_{e∈P} p_e
• But the service provider knows this, and thus wants to maximize the intruder’s minimum:
  • max_{p∈U} min_{q∈V} Σ_{P∈P_at} q(P) · Σ_{e∈P} p_e

Solution of the Game
• The value of the game is B / M_at(f)
• The intruder …
  • needs to decompose the maximum flow into flows on paths P_1, P_2, …, P_l from a to t with flows m_1, m_2, …, m_l
  • introduces the malicious packet along path P_i with probability m_i / M_at(f)
• The service provider …
  • needs to compute the maximum flow from a to t using f_e as the capacity of link e
  • e_1, e_2, …, e_r represent the links of the corresponding minimum cut, with flows f_1, f_2, …, f_r
  • samples link e_i at rate B f_i / M_at(f)

Example
• Maximum flow M_at(f) = 11.5
• Sampling budget B = 5
• a = 1
• t = 5
• Intruder:
  • Introduce packets on P_i with probability m_i / M_at(f)
  • Prob of P(1-2-5) = 7.0 / 11.5
  • Prob of P(1-2-6-5) = 0.5 / 11.5
  • Prob of P(1-3-4-5) = 4.0 / 11.5
• Service Provider:
  • Sample link e_i at a rate of B f_i / M_at(f), where e_i is a link in the minimum cut
  • Rate of e(1-2) = (5 × 7.5) / 11.5
  • Rate of e(4-5) = (5 × 4.0) / 11.5
• Value of the game = 5 / 11.5

Observations
• Since the service provider samples packets on the minimum cut, whichever path the intruder chooses, the malicious packet will be sampled at most once
• If B ≥ M_at(f) then the malicious packet will always be detected
• If B < M_at(f) then there is some probability that the malicious packet will not be detected

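The two equilibrium strategies from the Solution and Example slides, worked on a small constructed graph that reuses the example's link flows (an added example, not code from the paper or this review): a plain Edmonds-Karp max-flow gives M_at(f) and the minimum cut, the provider spreads the budget B over the cut links in proportion to their traffic, and the intruder decomposes the max flow into paths. The flows on links 1-3 and 3-4 are assumed, since the slide only states the cut and path values.

```python
# Constructed example (not the paper's figure): link (u, v) -> traffic f_e. Links 1-2, 2-5, 2-6,
# 6-5, 4-5 use the slide's flows; 1-3 and 3-4 are assumed busier so the min a-t cut is {1-2, 4-5}.
LINK_FLOWS = {(1, 2): 7.5, (2, 5): 7.0, (2, 6): 0.5, (6, 5): 0.5,
              (1, 3): 6.0, (3, 4): 6.0, (4, 5): 4.0}

def max_flow(cap, s, t):
    """Edmonds-Karp with link flows as capacities: (M_st(f), residual caps, min-cut source side)."""
    res = {n: {} for e in cap for n in e}
    for (u, v), c in cap.items():
        res[u][v], res[v][u] = c, res[v].get(u, 0.0)
    total = 0.0
    while True:
        parent, q = {s: None}, [s]
        for u in q:  # BFS (q grows while iterated) gives a shortest augmenting path
            for v, r in res[u].items():
                if r > 1e-9 and v not in parent:
                    parent[v] = u
                    q.append(v)
        if t not in parent:  # no augmenting path left: reached nodes are the min-cut source side
            return total, res, set(parent)
        path, v = [], t
        while v != s:
            path.append((parent[v], v))
            v = parent[v]
        b = min(res[u][v] for u, v in path)  # bottleneck of the augmenting path
        for u, v in path:
            res[u][v] -= b
            res[v][u] += b
        total += b

def provider_strategy(cap, s, t, budget):
    """Sample each min-cut link e_i at rate B*f_i/M_st(f); returns (M, rates, value B/M)."""
    m, _, reach = max_flow(cap, s, t)
    rates = {e: budget * f / m for e, f in cap.items() if e[0] in reach and e[1] not in reach}
    return m, rates, budget / m

def intruder_strategy(cap, s, t):
    """Decompose the max flow into paths P_i carrying m_i; attack along P_i with prob. m_i/M."""
    m, res, _ = max_flow(cap, s, t)
    flow = {e: c - res[e[0]][e[1]] for e, c in cap.items()}  # flow actually sent on each link
    paths = []
    while any(flow[e] > 1e-9 for e in cap if e[0] == s):  # flow left to peel off at the source
        path = [s]
        while path[-1] != t:  # follow positive-flow links; conservation leads to t (acyclic flow)
            path.append(next(v for (x, v) in cap if x == path[-1] and flow[(x, v)] > 1e-9))
        links = list(zip(path, path[1:]))
        mi = min(flow[e] for e in links)
        for e in links:
            flow[e] -= mi
        paths.append((tuple(path), mi / m))
    return m, paths
```

With B = 5 the cut rates sum to the budget and every attack path crosses exactly one sampled link, so the expected number of detections is 5/11.5 whichever path the intruder picks, which is the value of the game.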
Routing to Improve the Value of the Game
• The previous solution B / M_at(f) assumes a fixed link flow
• Flows on the links are the result of routing demands between node pairs in the network
• The service provider can adjust the flows on network links to:
  • Increase the probability of detecting the malicious packet
  • Increase the value of the game
• Want to maximize the value of the game
  • Minimize M_at(f)

Objective of the Service Provider
• Route the source-destination demands to minimize M_at(f)
• Solve the following:
  • min_{x∈X} M_at(f), where f_e = Σ_k Σ_{P∈P_k : e∈P} x(P) (P_k being the paths of commodity k)
  • X
    • denotes an allocation of flow on paths
    • meets the demand for each commodity
    • satisfies the capacity constraints on network links
  • min_{x∈X} M_at( Σ_k Σ_{P∈P_k : e∈P} x(P) )
• Need a way to solve the above equation
• Try two different heuristic methods
  • Flow Flushing Algorithm
  • Cut Saturation Algorithm

Flow Flushing Algorithm
• The flow on the links is the result of routing the different source-destination demands in the network
• M_at(f) + M_at(c − f) ≤ M_at(c)
  • Maximizing M_at(c − f), the a – t flow that fits in the spare capacity, therefore pushes M_at(f) down
• Solve this as a multi-commodity flow problem with K+1 commodities
  • K original demands
  • +1 new demand between a and t for the attack

Flow Flushing Algorithm (cont.)
• Value of the game on the example network after flow flushing = 5 / 9.95 (figure not reproduced)

Cut Saturation Algorithm
• Picks some a – t cut and tries to direct flow away from the cut
  • Making the cut small limits the maximum a – t flow
• Introduce two new nodes s’ and t’
• Determine the highest flow that can be sent from s’ to t’ while keeping the source-destination demands routable
• Solve similarly to the Flow Flushing Algorithm
  • The (K+1)th flow goes between s’ and t’ instead of between a and t

Cut Saturation Algorithm (cont.)
• Value of the game on the example network after cut saturation = 5 / 8.0 (figure not reproduced)

Variants and Extensions
• First two variants:
  • The intruder can introduce the malicious packet from any one of a set of attack nodes A ⊆ N
    • Assume t ∉ A
  • The objective of the intruder is to reach any one of a set of target nodes T ⊆ N
    • Assume A ∩ T = ∅
• Solution for the above two variants:
  • Introduce a super source node that is connected to all nodes in A
  • Introduce a super sink node that is connected to all nodes in T
  • Play the game between the super source and the super sink node
• Third variant:
  • The intruder can introduce the packet at any one of a set of attack nodes A but no longer has control over the routing in the network
  • Routing in the network is shortest-path routing

Shortest Path Routing Game
• Assume that each link has a length
• Packets are routed from the source to the destination along the shortest paths according to the length metric
  • Ties are broken arbitrarily
  • Given any two nodes in the network, there is a unique path from one to the other
• Objectives
  • The intruder must determine which node of the attack set A to introduce the packet into
  • The service provider must determine the sampling rate at the links, subject to a sampling budget of B
• Solve like a shortest path problem where we find the shortest path from all nodes in A to the destination d
  • L(d) represents the maximum flow that can be sent from all the nodes in A to the destination node d
  • The value of the game is B / L(d)

Experimental Results
• The experimental network (figure not reproduced)
  • Each link represents two directed links, each having a capacity of 10 units

Experimental Results (cont.)
• The following experiments were performed:
  • Single attack node and single target node
  • Multiple attack nodes and single target node
  • Multiple attack nodes and multiple target nodes
• For each of the above, three algorithms were run:
  • Routing to minimize the highest-utilized link
    • f_1 represents the m-vector of link flows resulting from this algorithm
  • Routing with the flow flushing algorithm
    • f_2 represents the m-vector of link flows resulting from this algorithm
  • Routing with the cut saturation algorithm
    • f_3 represents the m-vector of link flows resulting from this algorithm

Experimental Results (cont.)
• M(f_i) represents the maximum flow that can be sent from node a to t using f_i as the link capacities
• The value of the game is B / M(f_i)
• The smaller the value of M, the better the chances of detection for a given sampling budget

Experimental Results (cont.)
• Changing the routing significantly changes the maximum flow and hence the value of the game
• The flow flushing algorithm and the cut saturation algorithm both perform similarly well
• Both outperform the simple minmax routing

Effect of Capacity on the Value of the Game
• As the amount of spare capacity in a network increases, the opportunity to reroute flows increases
• The service provider can improve the probability of detection by exploiting the spare capacity to reroute flows
• A second experiment was conducted to illustrate this
  • Link capacity is fixed at some constant C
  • If C increases, the opportunity to reroute flows also increases

Effect of Capacity on the Value of the Game
• As the maximum utilization becomes lower, the amount of spare capacity available to reroute flows increases
• This implies that both the Flow Flushing Algorithm and the Cut Saturation Algorithm will have more alternate paths

Effect of Capacity on the Value of the Game
• As the value of C increases, the maximum flow decreases
• Thus the value of the game increases

Conclusions
• Packet sampling and examination can be expensive in real time
• The network operator must devise a sampling scheme that has the greatest probability of detecting intruding packets
• Several scenarios were considered
  • The intruder has complete knowledge of the network topology
  • The intruder can pick paths in the network
  • The intruder can pick an entry point into the network if shortest-path routing is being used
• Proposed two algorithms
  • Flow Flushing Algorithm
  • Cut Saturation Algorithm
• Evaluated the performance of the minmax routing, the flow flushing algorithm, and the cut saturation algorithm