2009-03-251
Network Intrusions via Sampling : A Game Theoretic Approach
Presented by Zhiqi Zhang
Written by:
Murali Kodialam (Bell Labs)
T.V. Lakshman (Bell Labs)
2009-03-16
Structure of this Presentation
Introduction
Problem Definition
Solution of the Game
Routing to Improve the Value of the Game
Experimental Results
Conclusions
Intrusion in network: Typically, in an intrusion problem, the intruder attempts to gain access to a particular file server or website in the network.
Includes: denial of service attacks, viruses introduced into the networks……
Two key areas in security Intrusion detection
– In this paper, the problem is that the intruder attempts to send a malicious packet to a given node in the network. The service provider attempts to detect this intrusion. The detection mechanism is packet sampling and examination in the network.
Intrusion prevention
3 2009-03-16
4 2009-03-16
Packet Sampling: some portion of packets traversing designated links (or router interfaces) are sampled and examined in detail to determine whether the packet is an intruder packet.
Different Networking Purposes of Packet Sampling:
– To estimate the number of active TCP flows in order to stabilize network buffer occupancy for TCP traffic.
– To allocate the fairy link-bandwidth
– To infer network traffic and routing characteristics All these applications require only sampling based on packet
header comparisons.
5 2009-03-16
Requirements of sampling for intrusion detection:More thorough examination of sampled packets than all above applicationsNear line-speed packet sampling and examination
Because copying sampled packets or packet-headers for off-line analysis is not sufficient to prevent intruding packets from getting through. Hence, it is imperative to keep the sampling costs in mind. This is also the motivation of this research.
6 2009-03-16
Game theory has been used extensively to model different networking problems. Shenker, S., “Making Greed Work in Networks: A Game-Theoretic Analysis of Switch Service Disciplines”, IEEE/ACM Transactions on Net-working, 1995.
Akella, A., Karp, R., Papadimitriou, C.,Seshan, S., Shenker, S., “Selfish Behavior and the Stability of the Internet: A Game Theoretic Analysis of TCP”, Proceedings of SIGCOMM 2002, 2002
Korilis, Y., Lazar, A., Orda, A., “Architecting Noncooperative networks”,IEEE Journal on Selected Areas in Communications, pp. 1241-1251,September 1995
This is the first time to model intrusion detection via sampling in communication networks using a game-theoretic framework.
7 2009-03-16
This work is closely related to drug interdiction models.
Washburn, A., and Wood, K., “Two-Person Zero-Sum Games for Net-work Interdiction”, Operations Research, 43, pp. 243-251, 1995.
Two differences between this work and the drug interdiction models
The detection is by means of sampling, results are much more natural.The game theoretic problem naturally leads to a routing problem (to maximize the service provider’s chances of detecting intruding packets)
8 2009-03-16
Game theory : attempts to mathematically capture behavior in strategic situations, in which an individual's success in making choices depends on the choices of others.
Types of games
Cooperative or non-cooperative games
Zero sum and non-zero sum games
Symmetric and asymmetric games
……
9 2009-03-16
PROBLEM DEFINITIONNetwork Set-UpWe consider a network G= (N, E)N: set of nodes (s, u, v, m, t )E: set of unidirectional links in the network. (e1,e2,e3,...)ce: capacity of link e Efe: the amount of traffic flowing on link ePs
t :represent the set of paths from s to t in G
s
u
m t
v
Pst
e1
e2e4
e5e6
e7
e3
10 2009-03-16
PROBLEM DEFINITION
Two players: the Service Provider and the Intruder Intruder’s Objective:
Inject a malicious packet from attack node a in order to attack target node t
Service Provider’s Objective:Detect and prevent the intrusion To do so, we assume that the service provider can sample packets along the links of the network looking for malicious packets.
11 2009-03-16
PROBLEM DEFINITION
We assume that: An intruder wins when the malicious packet reaches
the desired target t node without detection. The service provider wins if it samples the malicious
packet during the course of sampling.
12 2009-03-16
PROBLEM DEFINITION
The Objective and the Constraints of the Game–Service provider is given a sampling bound of B packets per secondIf service provider could sample EVERY packet he could always win
–Sampling of B packets per second can be arbitrarily distributed over all links on the networkProbability of detecting a malicious packet on a given link is: pe = se / fe where se is the sampling rate on link e, fe is the amount of traffic flowing on link e
13 2009-03-16
PROBLEM DEFINITION
Strategies for the Two Players:Intruder:
–Pick a path (or a distribution of paths) to send the malicious packet from a to tProbability distribution over paths Pa
t such that
Service Provider–Choose the sampling rates for the network links that will give the greatest probability of detecting an attackU = { p : eE pefe B } is the set of possible detection probability vectors that are within the sampling budget B
14 2009-03-16
PROBLEM DEFINITION
15 2009-03-16
PROBLEM DEFINITION
16 2009-03-16
PROBLEM DEFINITION
• Payoff Matrix• Payoff is the expected number of times the malicious
packet is detected as it goes from a to t. For a given path Pa
t, the payoff is The probability that this path P is picked by the
intruder is q(P.) The payoff is
• Interchanging the order of summation, we get
This can be equivalently written in a matrix form as
qTMp
17 2009-03-16
PROBLEM DEFINITION
• Payoff MatrixThe payoff is ,This can be equivalently written in a matrix form as
qTMp
M=
18 2009-03-16
PROBLEM DEFINITION
Objective of Intruder:Service provider wants to maximize this number:
But the intruder knows this, tries to pick a distribution q()
that minimizes this maximum value:
Intruder’s Objective:
19 2009-03-16
PROBLEM DEFINITION
Objective of Service provider:Intruder wants to minimize this number:
But the service provider knows this, tries to maximize the
intruders minimum:
Service provider’s objective:
20 2009-03-16
SOLUTION OF THE GAME
This is a classical two person zero-sum gameThere exists an optimal solution to the intrusion detection game:
The value of the game is: = BMat(f)-1
Mat(f) -is max flow that can be sent from node a to t with f
as the link capacities
B -is sampling bound
21 2009-03-16
SOLUTION OF THE GAME
The intruder Strategyneeds to decompose the max flow into flows on paths P1, P2, … , Pl
from a to t with flows of m1, m2, … , ml
Introduces the malicious packet along the path Pi with probability mi*Mat(f)-1
The Service Provider Strategyneeds to compute the maximum flow from a to t using fe as the
capacity of link ee1, e2, … , er represent the links of the corresponding minimum cut with flows f1, f2, … , fr
samples link ei at rate Bfi Mat(f)-1
22 2009-03-16
SOLUTION OF THE GAME(example)The intruder Strategy
Introduce the malicious packet along the path 1-2-5 with probability 7.0 / 11.5Introduce the malicious packet along the path 1-2-6-5 with probability 0.5 / 11.5Introduce the malicious packet along the path 1-3-4-5 with probability 4.0 / 11.5
The Service Provider StrategySample link 1-2 at rate 5 / 11.5 giving a total sampling rate of (5 x 7.5) / 11.5 on that linkSample link 4-5 at rate 5 / 11.5 giving a total sampling rate of (5 x 4.0) / 11.5 on that link
Game value: = 5 / 11.5
Max Flow = Mat(f) = 11.5Sampling Budget B=5
23 2009-03-16
Observation
•Since the service provider samples packets on the minimum cut, this implies that for any path the intruder would choose, the malicious packet will be sampled at most once.
•If B >= Mat(f) : the malicious packet will always be detected
•If B <Mat(f): then there is a some probabilities that the malicious packet will not be detected
24 2009-03-16
ROUTING TO IMPROVE THE VALUE OF THE GAME
Previous solution BMat(f)-1 assumes a fixed link flow f
In reality service provider can adjust the flows in the network to maximize the value of the game
Objective of the Service:Route the source-destination demands to minimize Mat(f).
Two Different Ways to Achieve this Objective:
•Flow Flushing Algorithm•Cut Saturation Algorithm
25 2009-03-16
Flow Flushing Algorithm
The flow on the links is a result of routing the different source-destination demands in the network.
Mat(f) + Mat(c - f) Mat(c)
- c : link capacity, f : flow on the link
Solution requires a multi-commodity (source-destination) flow problem with K+1 commodities K original commodities an additional commodity between a and t
26 2009-03-16
Flow Flushing AlgorithmThe link flows for FFA are shown for the first network example
Mat(f) = 9.95 = 5 / 9.95
Mat(f) = 11.5 = 5 / 11.5
27
Cut Saturation Algorithm
This algorithm relies on the fact that the maximum flow between a and t is upper bounded by the size of any a − t cut.picks some a − t cut and tries to direct flow away from this cutOnce the source-destination demands are routed, this cut will be small and hence will limit the maximum a − t flowHow to implement?Introduce two new nodes s’ and t’ Introduce an arc between node s’ and all nodes α(e) Introduce an arc between node t’ and all nodes β(e)
let α(e) and β(e) represent the start and end nodes of short-cut link.
28 2009-03-16
Cut Saturation AlgorithmThe link flows for FFA are shown for the first network example
Mat(f) = 9.95 = 5 / 9.95
Mat(f) = 11.5 = 5 / 11.5
Mat(f) = 7.0 = 5 / 7.0
292009-03-16
Shortest Path Routing GameAssumes:each link has a lengthpackets are routed from the source to the destination along shortest paths according to this length metric. ties are broken arbitrarily.
Objectives:The intruder must determine which node of the attack set A to introduce the packet intoThe service provider must determine the sampling rate at the links subject to a sampling budget of B
Solution:The value of the game is = B / L(d)L(d) represents the maximum flow that can be sent from all the nodes in A to the destination node d
30 2009-03-16
EXPERIMENTAL RESULTSperformed the following experiments:• Single attack node and single target node. (3 problems).• Multiple attack node and single target node. (1 problem).• Multiple attack node and multiple target node. (1 problem).
For each of the cases, we ran three different algorithms.1) Routing to minimize the highest utilized link with f1 representingthe m-vector of link flows as a result of this routing algorithm.2) Routing with flow flushing algorithm with f2 representingthe m-vector of link flows as a result of this routing algorithm.3) Routing with cut saturation algorithm with f3 representingthe m-vector of link flows as a result of this routing algorithm.
31 2009-03-16
EXPERIMENTAL RESULTSLet M(fi) for i = 1, 2, 3 represent the maximum flow that can be sent from node a to t using fi as the link capacities.
= B / M( ): The smaller that value of M, the better the chances of detection for a givensampling budget.
32 2009-03-16
EXPERIMENTAL RESULTSFrom the table, note that the maximum flow value and hencethe value of the game can be changed significantly by changingthe routing in the network. In most of the examples the performance of the flow flushing algorithm and the cut saturation algorithm are quite similar, and better than the simple minimization of maximum link utilization algorithm
33 2009-03-16
Effect of Capacity on the Value of the Game
As the amount of spare capacity in a network increases , the opportunity to reroute flows increases.Service Provider can improve probability of detection by exploiting the spare capacity to reroute flows
A second experiment was conducted:Capacity of the links in this example network are fixed at some constant value C.If C increases, the opportunity to reroute flows also increases.
34
Effect of Capacity on the Value of the Game
As the maximum utilization becomes lower, the amount of spare capacity to reroute flows increasesThis implies that both the Flow Flushing Algorithm and the Saturation Cut Algorithm will have more alternate paths
35
Effect of Capacity on the Value of the Game
As the value of C increases, the maximum flow decreases,thus the value of the game increases
36
CONCLUDING REMARKS
BecausePacket sampling and examination in real-time can be expensive.The network operator must devise an effective sampling scheme to detect intruding packets injected into the network by an adversary.
Considered following scenarios: Intruder has complete knowledge of the network topologyIntruder can pick paths in the networkIntruder can pick an entry point into the network if shortest path algorithm is being used
ProposedThe detection via sampling problem was formulated in a game-theoretic frameworkTow two algorithms
• Flow Flushing Algorithm• Cut Saturation A
Evaluated: the performance of the minmax, flow flushing algorithm, and cut saturation algorithm