Page 1: Detecting Network Intrusions via Sampling : A Game Theoretic Approach Presented By: Matt Vidal Murali Kodialam T.V. Lakshman July 22, 2003 Bell Labs, Lucent.

Detecting Network Intrusions via Sampling : A Game Theoretic Approach

Presented By: Matt Vidal

Murali Kodialam

T.V. Lakshman

July 22, 2003

Bell Labs, Lucent Technologies

muralik@bell-labs.com, lakshman@bell-labs.com

Page 2

Outline

• Introduction

• Problem Definition

• Solution of the Game

• Routing to Improve the Value of the Game

• Variants and Extensions

• Experimental Results

• Conclusions

• Questions

Page 3

Introduction

• Two key areas of interest in network security:
  – Intrusion Detection
  – Intrusion Prevention

• Intrusions can take many forms:
  – Denial of Service (DoS) / Distributed Denial of Service (DDoS)
  – Network Virus Propagation

• Usually, an intruder tries to access a specific file server or website in the network

• In this research, the authors focus on an intruder sending a malicious packet to a node in the network

Page 4

Introduction (2)

• Packet Sampling:
  – Some packets traversing specific links are sampled and investigated to determine if they are malicious (intruder)

• Requires fast and thorough processing:
  – Intrusion detection requires a thorough examination of the sampled packets
  – Packet sampling must be performed in real time in order to prevent intruders from slipping by
  – Packet examination must be done at line speed to keep from disrupting routing

Page 5

Problem Definition

• The problem of packet intrusion is described in three steps

– 1) Network Set-Up

– 2) Network Intrusion Game

– 3) The Objective and Constraints of the Game

Page 6

Problem Definition: Network Set-Up

• Network G = (N, E)
  – N: set of nodes in the network
  – E: set of unidirectional links in the network
  – n nodes
  – m links
  – c_e: capacity of link e
  – f_e: traffic flowing on link e
  – P_vu: set of paths from node u to v
  – M_uv(w): maximum flow between nodes u and v (with link capacities w)
  – C_vu: minimum cut (comprised of a set of links in the network)

Page 7

Problem Definition: Network Intrusion Game

• Two players of the game:
  – Service Provider
  – Intruder

• Intruder’s objective:
  – Inject a malicious packet from attack node a in order to attack target node t

• Service Provider’s objective:
  – Detect and prevent the intrusion
  – To do so, the service provider samples packets in the network
  – It is assumed that the sampling is performed on the links (not at the nodes)

Page 8

Problem Definition: Network Intrusion Game (2)

• Intruder tries to sneak a malicious packet from a to t

Page 9

Problem Description: The Objective and Constraints of the Game

• B: sampling bound; the service provider can sample no more than B packets per second
  – If the service provider could sample all packets, it would easily find the intruder
  – Not enough resources to process all those packets anyway

• Assumptions:
  – Both players have knowledge of network topology and link flows
  – The intruder is capable of picking paths in the network in order to make detection by the service provider more difficult

Page 10

Players’ Strategies

• For the Intruder:
  – Pick a path (or a distribution over paths) to get the malicious packet from a to t

• For the Service Provider:
  – Determine a set of links on which sampling is necessary
  – Determine the sampling rate on each link, keeping the total under the sampling bound

• The service provider picks a set of detection probabilities at the links it chooses to sample on

Page 11

Players’ Strategies (2)

• Intruder’s and service provider’s actions

Page 12

Players’ Strategies (3)

• Service provider’s action, arc sampling

Page 13

Players’ Objectives

• The objective of the intruder is to pick a distribution q(·) over paths that minimizes the service provider’s knowledge of the intrusion strategy

• The service provider’s intent is the opposite: maximization

• Classical two-person zero-sum game with a minimax result

Page 14

Players’ Objectives (2)

• There exists an optimal solution to the game

• is the value of the game

Page 15

Solution of the Game

• The value of the game is B · M_at(f)^(-1) = B / M_at(f)
  – Any maximum flow from a to t can be decomposed into a set of path flows from a to t

• The intruder needs to decompose the maximum flow from a to t, computed with the flow f_e as the capacity of link e, into flows on paths P_1, P_2, …, P_l carrying m_1, m_2, …, m_l
  – Introduces the malicious packet on path P_i with probability m_i · M_at(f)^(-1)

• The service provider needs to compute the maximum flow from a to t using the flow f_e as the capacity of link e, with minimum-cut arcs e_1, e_2, …, e_r carrying flows f_1, f_2, …, f_r
  – Service provider samples link e_i at rate B · f_i · M_at(f)^(-1)

Page 16

Solution of the Game: Example

B=5, a=1, t=5, Minimum Cut = 11.5 units

Page 17

Solution of the Game: Example (2)

• Intruder’s Strategy:
  – Introduce the malicious packet along the path 1-2-5 with probability 7.0 / 11.5
  – Introduce the malicious packet along the path 1-2-6-5 with probability 0.5 / 11.5
  – Introduce the malicious packet along the path 1-3-4-5 with probability 4.0 / 11.5

• Service Provider’s Strategy:
  – Sample link 1-2 at rate 5 / 11.5, giving a total sampling rate of (5 x 7.5) / 11.5 on that link
  – Sample link 4-5 at rate 5 / 11.5, giving a total sampling rate of (5 x 4.0) / 11.5 on that link

• If B ≥ M_at(f): the malicious packet is always detected

• If B < M_at(f): the malicious packet might not be detected
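The recipe on slides 15 to 17 (max flow on the link flows, path decomposition for the intruder, min-cut sampling for the service provider, game value B / M_at(f)) worked through in code. This is an added example, not code from the slides or from the Kodialam and Lakshman paper. The link flows on 1-3, 3-4 and 6-5 are not given on the slides and are assumptions chosen so that the minimum cut lands on links 1-2 and 4-5 as the slide states; the max-flow routine is a plain Edmonds-Karp, the path decomposition assumes the flow is acyclic, and the per-packet sampling model (a link sampled at r packets/s out of f packets/s catches a given packet with probability r / f) is the one implied by slide 17's "total sampling rate" arithmetic. The last two lines contrast the equilibrium sampling plan with a naive plan that spreads the budget evenly over every link, which is where the game-theoretic point shows up: against the naive plan the intruder's least-watched path is caught far less often than B / M_at(f).

```python
from collections import deque

# Constructed example network, consistent with the slide's numbers: a = 1, t = 5,
# B = 5, min cut {1-2, 4-5} = 7.5 + 4.0 = 11.5 units. The link flows f_e
# (packets per second) act as the capacities of the game graph. The values on
# links 1-3, 3-4 and 6-5 are not on the slide; they are assumptions chosen so
# that the minimum cut lands on the links the slide names.
FLOWS = {
    (1, 2): 7.5, (2, 5): 7.0, (2, 6): 0.5, (6, 5): 2.0,
    (1, 3): 6.0, (3, 4): 6.0, (4, 5): 4.0,
}
B = 5.0  # sampling budget, packets per second
EPS = 1e-12


def max_flow(cap, s, t):
    """Edmonds-Karp max flow. Returns (value, flow per link, source side of a min cut).
    Assumes no antiparallel links (u, v) and (v, u) in cap."""
    r = {}  # residual capacities
    for (u, v), c in cap.items():
        r.setdefault(u, {})[v] = c
        r.setdefault(v, {}).setdefault(u, 0.0)
    value = 0.0
    while True:
        parent = {s: None}
        queue = deque([s])
        while queue and t not in parent:  # BFS for a shortest augmenting path
            u = queue.popleft()
            for v, res in r[u].items():
                if res > EPS and v not in parent:
                    parent[v] = u
                    queue.append(v)
        if t not in parent:
            break
        edges, v = [], t
        while parent[v] is not None:
            edges.append((parent[v], v))
            v = parent[v]
        aug = min(r[u][v] for u, v in edges)
        for u, v in edges:
            r[u][v] -= aug
            r[v][u] += aug
        value += aug
    flow = {(u, v): c - r[u][v] for (u, v), c in cap.items()}
    return value, flow, set(parent)  # parent holds every node still reachable from s


def decompose(flow, s, t):
    """Greedy path decomposition of an acyclic s-t flow into (path, amount) pairs."""
    f = {e: x for e, x in flow.items() if x > EPS}
    paths = []
    while any(u == s for (u, _) in f):
        path = [s]
        while path[-1] != t:  # follow positive-flow links; conservation guarantees we reach t
            u = path[-1]
            path.append(next(v for (x, v) in f if x == u))
        edges = list(zip(path, path[1:]))
        amount = min(f[e] for e in edges)
        for e in edges:
            f[e] -= amount
            if f[e] <= EPS:
                del f[e]
        paths.append((tuple(path), amount))
    return paths


def game_solution(flows, a, t, budget):
    """Equilibrium strategies from slide 15: the intruder mixes over the paths of a
    maximum-flow decomposition, the provider samples the minimum-cut links."""
    M, flow, source_side = max_flow(flows, a, t)
    intruder = {path: m / M for path, m in decompose(flow, a, t)}  # q(P_i) = m_i / M
    cut = [e for e in flows if e[0] in source_side and e[1] not in source_side]
    provider = {e: budget * flows[e] / M for e in cut}  # packets/s sampled on cut link e
    return M, min(1.0, budget / M), intruder, provider


def detection_prob(path, rates, flows):
    """Probability that a packet sent along `path` is sampled at least once when
    link e is sampled at rates[e] packets/s out of flows[e] packets/s."""
    miss = 1.0
    for e in zip(path, path[1:]):
        miss *= 1.0 - min(1.0, rates.get(e, 0.0) / flows[e])
    return 1.0 - miss


def intruder_best_response(paths, rates, flows):
    """The intruder's payoff against a fixed sampling plan: its least-watched path."""
    return min(detection_prob(p, rates, flows) for p in paths)


def uniform_plan(flows, budget):
    """Naive comparison plan: spread the budget evenly over every link."""
    return {e: budget / len(flows) for e in flows}


if __name__ == "__main__":
    M, value, q, plan = game_solution(FLOWS, 1, 5, B)
    print(f"M_at(f) = {M}, game value = B / M = {value:.4f}")
    for path, prob in q.items():
        print("intruder path", "-".join(map(str, path)), f"with probability {prob:.4f}")
    for link, rate in plan.items():
        print("sample link", link, f"at {rate:.4f} packets/s")
    print("intruder's best path vs equilibrium plan:", round(intruder_best_response(q, plan, FLOWS), 4))
    print("intruder's best path vs uniform plan:    ", round(intruder_best_response(q, uniform_plan(FLOWS, B), FLOWS), 4))
```

Run as a script it reproduces the slide: M_at(f) = 11.5, the three paths with probabilities 7.0/11.5, 0.5/11.5 and 4.0/11.5, and sampling of (5 x 7.5)/11.5 packets/s on link 1-2 and (5 x 4.0)/11.5 on link 4-5. Every path then crosses exactly one sampled cut link and is caught with probability 5/11.5 regardless of which one the intruder picks, which is what makes the pair of strategies an equilibrium; the even split leaves path 1-2-5 caught well under 20% of the time.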

Page 18

Routing to Improve the Value of the Game

• The game solution B · M_at(f)^(-1) assumes a fixed link flow f

• Flows on the links are a result of routing the demands between node pairs in the network

• In reality, the service provider can adjust the flows to maximize the value of the game

• For K source-destination demand pairs in the network:
  – s(k): source node for commodity k
  – d(k): destination node for commodity k
  – b(k): amount of demand (bandwidth) that has to be routed for this source-destination pair

Page 19

Routing to Improve the Value of the Game (2)

• 1) Original source-destination pairs and demands from game network example (with link capacity of 10 units)

• 2) Route the demands such that the maximum link utilization in the network is minimized

Page 20

Routing to Improve the Value of the Game (3)

• The service provider routes the flows such that the value of the network intrusion game is maximized
  – Increases the detection probability of the malicious packet

• The objective is to route the source-destination demands in order to minimize the value of M_at(f)

• No explicit solution to the routing problem

• The authors developed two heuristics, offering two solutions to the optimization problem

Page 21

Flow Flushing Algorithm (FFA)

• c: link capacity, f: flow on the link

• The flow on the links is a result of routing the different source-destination demands on the network
  – M_at(f) + M_at(c - f) ≤ M_at(c)

• The solution requires a multi-commodity (source-destination) flow problem with K+1 commodities, including the additional commodity between a and t

• The link flows for FFA are shown for the first network example

Page 22

Flow Flushing Algorithm (FFA) (2)

• Maximum flow M_at(f) = 9.95 units

• Game value = 5 / 9.95

Page 23

Cut Saturation Algorithm

• The maximum flow between a and t is (upper) bounded by the size of any a - t cut

• Cut Saturation Algorithm picks an a - t cut and attempts to direct flow away from this cut

• Introduce two new nodes, s´ and t´

• Determine the highest flow that can be sent from s´ to t´ while maintaining routing for source-destination demands

• Pick the minimum a - t cut and attempt to saturate that cut

• Cut Saturation Algorithm can yield a better solution than the Flow Flushing Algorithm

Page 24

Cut Saturation Algorithm (CSA) (2)

• Only cut links are shown in the network

Page 25

Cut Saturation Algorithm (CSA) (3)

• Maximum flow M_at(f) = 8.0 units

• Game value = 5 / 8

Page 26

Variants and Extensions

• 1) The intruder can introduce the malicious packet from one node of a subset of nodes in the network

• 2) The intruder is attempting to reach one node of a set of target nodes in the network

• The solution is to introduce:
  – 1) a super source node that is connected to the subset of possible source nodes, and
  – 2) a super sink node that is connected to the subset of possible target nodes

• 3) The intruder can introduce a packet at any one of a set of nodes, but has no control of the routing in the network
  – The shortest path routing game

Page 27

Shortest Path Routing Game

• All packets are routed from source to destination by shortest path routing
  – For any two nodes in the network, there is a unique path from one node to the other

• A packet introduced into the network follows the unique path from that source node to the destination node

• The intruder needs to determine which node of its available subset (A) it can use to introduce a malicious packet

• The service provider needs to determine the sampling rate at the links, subject to a sampling budget of B

• The problem is that the maximum flow (L) (and hence the minimum cut) is no longer easy to compute

• The value of the game is determined to be B / L(d)

Page 28

Experimental Results

• The two algorithms (Flow Flushing and Cut Saturation) were evaluated on two experimental networks

• The first network had 15 nodes and 27 link segments

• The segments each contained two directed links with a capacity of 10 units

Page 29

Experimental Results: Network

Page 30

Experimental Results: Set-Up

• Experiment cases performed:
  – Single attack node and single target node
  – Multiple attack nodes and single target node
  – Multiple attack nodes and multiple target nodes

• Three algorithms per case:
  – 1) Routing to minimize the highest utilized link
    • f1 represents the m-vector of link flows as a result of routing
  – 2) Routing with Flow Flushing Algorithm
    • f2 represents the m-vector of link flows as a result of routing
  – 3) Routing with Cut Saturation Algorithm
    • f3 represents the m-vector of link flows as a result of routing

Page 31

Experimental Results: Comparison

• M_at(f_i) = B / (game value), i.e. the sampling budget divided by the game value
  – The maximum flow that can be sent from node a to t using f_i
  – The smaller the value of M, the better the chances of detection

• The maximum flow value (and thus the game value) is highly dependent upon the routing in the network

Page 32

Effect of Capacity on the Value of the Game

• When the network has more spare capacity, it is able to further reroute flows
  – The service provider can use the spare capacity to reroute flows and increase its detection probability

• Using the second experimental network, with a link capacity of C, it was determined that the service provider can exploit the spare link capacity for rerouting flows
  – As the link capacity increases, there are more opportunities to reroute flows

• Network simulations illustrate the relationship between maximum utilization and link capacity and the effect of Flow Flushing on the maximum flow value

Page 33

Effect of Capacity on the Value of the Game (2)

• Maximum utilization decreases -> rerouting capacity increases

• FFA and CSA will have more alternate paths available

Page 34

Effect of Capacity on the Value of the Game (3)

• Base case: minimize maximum utilization

• FFA: a - t maximum flow value decreases as link capacity increases

Page 35

Conclusions

• Detect intruding packets in the network by sampling on network links

• Requires real-time, line-speed processing, a costly procedure

• Making it feasible means using a creative, yet effective, sampling scheme

• Introduced the Flow Flushing Algorithm and the Cut Saturation Algorithm

• FFA and CSA facilitate better ingress-egress routing, which maximizes the chances of detection

• Performance of FFA and CSA shown to be better than the base case of minimizing maximum utilization

Page 36

Questions?
