1 / 74

Game theoretic models for detecting network intrusions

Game theoretic models for detecting network intrusions. 徐嘉陽 @ OPLab. Agenda. Abstract Introduction Problem Statement Scenario 1 : single intruder with multiple packets Scenario 2 : cooperative intruders Numerical results Conclusion.

dusan
Download Presentation

Game theoretic models for detecting network intrusions

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Game theoretic models for detecting network intrusions 徐嘉陽 @ OPLab

  2. Agenda • Abstract • Introduction • Problem Statement • Scenario 1:single intruder with multiple packets • Scenario 2:cooperative intruders • Numerical results • Conclusion

  3. Game theoretic models for detecting network intrusions • Author: • HadiOtrok *, Mona Mehrandish, ChadiAssi, MouradDebbabi, Prabir Bhattacharya • Computer Security Laboratory, Concordia Institute for Information Systems Engineering, Concordia University, Montreal • Source: Computer Communications 31 (2008) • Year of publication: 2008

  4. Agenda • Abstract • Introduction • Problem Statement • Scenario 1:single intruder with multiple packets • Scenario 2:cooperative intruders • Numerical results • Conclusion

  5. Abstract • Use game theory to solve the problem of detecting intrusions in wired infrastructure networks. • Develop a packet sampling strategy to reduce the success chances of an intruder with sampling budget. • Two scenarios: • Single intruder with multiple packets • Cooperative intruders • If packets are independently analyzed then the intrusion will not be detected.

  6. Abstract(Cont.) • Non-cooperative game theory is used, where the two players are: • the smart intruder or the cooperative intruders (depends on the scenario) • the Intrusion Detection System (IDS) • The intruder(s) will know their attack strategy and the IDS to have an optimal sampling strategy in order to detect the malicious packets.

  7. Agenda • Abstract • Introduction • Problem Statement • Scenario 1:single intruder with multiple packets • Scenario 2:cooperative intruders • Numerical results • Conclusion

  8. Introduction • Wired infrastructure-based networks are designed to be secure networks: • by using firewalls and encryption techniques • Still suffer from types of intrusions: • denial of service attack • attempts to penetrate the network. • Intrusion Detection System (IDS) as a second line of defense. • IDS detects an unusual activity: • by monitoring and analyzing the network traffic

  9. Introduction(Cont.) • Analyzing the traffic is achieved by: • considering the whole traffic • sampling a portion of the traffic • Analyzing the whole traffic costs too much. • Sampling costs less but has lower detection rate. • Finding a strategy enhancing the probability of detection using sampling is considered challenging. • Harder problem considering intruder(s) sending an intrusion through multiple fragments. • If IDS analyzes these fragments independently, it will not be able to detect the intrusion.

  10. Introduction(Cont.) • Scenario 1: • a smart intruder able to divide the intrusion over different fragments • the intruder is able to select the routing paths to inject the fragments • IDS objective is to sample according to the sampling budget looking for the fragments at least m out of n. • Scenario 2: • a group of cooperative intruders sending a series of fragments from different sources using different routes. • IDS divides the sampling budget over the intruders • This work develops a network packet sampling policy by finding the value of the game using a min–max strategy.

  11. Introduction(Cont.) • Game theory has been applied to many disciplines: • including economics, political science, and computer science. • Game theory usually considers a multiplayer decision problem where multiple players with different objectives can compete and interact with each other. • Game theory classifies games into two categorizes: • non-cooperative and cooperative. • Non-cooperative games are games with two or more players that are competing with each other. • Cooperative games are games with multi-players cooperating with each other in order to achieve the greatest possible total benefits.

  12. Agenda • Abstract • Introduction • Problem Statement • Scenario 1:single intruder with multiple packets • Scenario 2:cooperative intruders • Numerical results • Conclusion

  13. Problem Statement

  14. Problem Statement(Cont.)

  15. Problem Statement(Cont.) • In the first scenario, we assume that the game is played on an infrastructure-based network between two players: the IDS and the intruder. • The objective of the intruder is to inject n a-fragments from some attacking node a ∈ N with the intention of attacking a target node t ∈ N. • In order to detect the intrusion, the IDS is allowed to sample packets in the network. It is assumed that sampling takes place on the links in the network.

  16. Problem Statement(Cont.) • In the second scenario, assuming the set of cooperative intruders as one player, we model the game as a zero-sum game with complete information about the: IDS and intruders. • The objective of each intruder x ∈ Ωis to send an a-fragment to the target node t. • To detect the intrusion, the IDS samples packets traffic on each link in the network.

  17. Problem Statement(Cont.) • The IDS has a sampling budget of packets/second. • The budget can be distributed arbitrarily over the links in the network, and can be viewed as the maximum rate the IDS can process in real-time. • If a link , with traffic flowing on it, is sampled at rate , the probability of sampling a malicious fragment on this link is given by • Sampling constraint: • Assume that all the players have complete information about the topology of the network and all the link flows in the network.

  18. Problem Statement(Cont.)

  19. Agenda • Abstract • Introduction • Problem Statement • Scenario 1:single intruder with multiple packets • Scenario 2:cooperative intruders • Numerical results • Conclusion

  20. Scenario 1 • Having the intruder and IDS each chosen their strategies(their probability distributions), the probability of sampling an a-fragment traversing from node a to node t is the sum of probability of taking each path times the probability of sampling the a-fragment on that particular path over all possible routes from a to t.

  21. Scenario 1(Cont.) • The probability of detecting an intrusion that requires exactly m a-fragments is, • The IDS will detect the intrusion if at least m a-fragments are sampled,

  22. Scenario 1(Cont.) • The IDS will choose a strategy that maximizes the detection probability:

  23. Scenario 1(Cont.) • On the other hand, the objective of the intruder is to choose a distribution q and number of fragments n that minimize this maximum value. • In other words, the objective is: • Similarly , the objective of the IDS becomes:

  24. Scenario 1(Cont.) • This is a classical two person zero-sum game. There exists an optimal solution to the intrusion detection game where the following noted min–max result holds,

  25. Scenario 1(Cont.) • Due to the mathematical complexity on solving the game in Eq. (7), the paper solve the game for the case an intrusion detection requires only m a-fragments out of n. • By recalling Eq. (2), • the game is reduced to the following:

  26. Scenario 1(Cont.) • Considering the intruder problem the game is reduced to the following: • For a fixed q, it is sufficient to solve the following: • For a fixed n to maximize the expression above we have to maximize m and α.

  27. Scenario 1(Cont.)

  28. Scenario 1(Cont.) • The second derivative at critical value m=n α where the simplified form is given as follows: • From this we can conclude that Γ has a maximum at m=n α. Therefore, the work to be done is to maximize α.

  29. Scenario 1(Cont.)

  30. Scenario 1(Cont.) • This objective function is non-linear which makes the problem intractable. • Given the assumption of sampling is bounded with a budget that restricts the sampling efforts, the work allocates sampling efforts on the links that belongs to the set. • Since sampling will be done for at most one link in path P, we can rewrite Eq. (16) as:

  31. Scenario 1(Cont.)

  32. Scenario 1(Cont.) Associating a dual variable λ, we obtain the following dual optimization problem with the corresponding constraints:

  33. Scenario 1(Cont.)

  34. Scenario 1(Cont.)

  35. Scenario 1(Cont.)

  36. Scenario 1(Cont.)

  37. Scenario 1(Cont.) • In Fig. 2, the numbers next to the links are the flows on the links. • Suppose that there is a sampling budget Bs of 12 units for the IDS. • Additionally, we assume the intruder’s fragmentation is equal to 3 where a=A and t=I are the intruder and victim respectively. • The minimum cut (and hence the maximum flow) has a value of 29 units.

  38. Scenario 1(Cont.) • The intruder launches the attack over 3 fragments where each fragment is forwarded according to the following strategy: • Transmit the malicious fragment along the path A–C–E–I with probability 11/29. • Transmit the malicious fragment along the path A–B–G–H–I with probability 8/29. • Transmit the malicious fragment along the path A–B–D–F–I with probability 7/29. • Transmit the malicious fragment along the path A–B–D–G–H–I with probability 2/29. • Transmit the malicious fragment along the path A–B–D–E–F–I with probability 1/29.

  39. Scenario 1(Cont.)

  40. Agenda • Abstract • Introduction • Problem Statement • Scenario 1:single intruder with multiple packets • Scenario 2:cooperative intruders • Numerical results • Conclusion

  41. Scenario 2 • In scenario 2, the work extends the previous game to the case where multiple intruders will cooperate with each other to attack the same target. • The intrusion is fragmented to n fragments. • The objective of each intruder x ∈Ω is to send a fragment of the intrusion to the target node t where | Ω | is the number of intruders.

  42. Scenario 2(Cont.) • The intruders and IDS should choose their strategies(probability distributions). • The objective of each intruder is to inject a fragment of the intrusion by selecting the path that can reduce the IDS probability of detection. • For any node x ∈Ω, the probability of detecting a fragment of the intrusion traversing from node x to node t is:

  43. Scenario 2(Cont.) • Define the function Φ to be the mean value of detecting the intrusion through sampling:

  44. Scenario 2(Cont.) • On the other hand, the cooperative intruders aim at minimizing Eq. (22), which will be done by assigning probabilities for all possible routes to the target node:

  45. Scenario 2(Cont.)

  46. Scenario 2(Cont.) • Solving the min–max problem formulated, first we consider the intruders’ problem: • Therefore, the problem simplifies to:

  47. Scenario 2(Cont.)

  48. Scenario 2(Cont.)

  49. Scenario 2(Cont.) • Using the same approach, the game reduces to the following:

  50. Scenario 2(Cont.)

More Related