310 likes | 325 Views
This paper reviews a game theoretic approach for detecting network intrusions via sampling, focusing on intrusion detection and prevention. The research outlines problem definitions, solutions, routing strategies, and experimental results as key components. It explains the network setup, intrusion game constraints, and strategies for intruders and service providers, highlighting the interplay between maximizing detection probabilities and minimizing detection costs in a network scenario. The game's value, payoff strategies, and the overall solution process are discussed in detail.
E N D
CS7701: Research Seminar on Networking http://arl.wustl.edu/~jst/cse/770/ Review of: Detecting Network Intrusions via Sampling: A Game Theoretic Approach Paper by: Murali Kodialam (Bell Labs) T.V. Lakshman (Bell Labs) Published in: IEEE Infocom 2003 Reviewed by: James Moscola Discussion Leader: Todd Sproull
Outline • Introduction • Problem Definition • Solution of the Game • Routing to Improve the Value of the Game • Variants and Extensions • Experimental Results • Conclusions
Introduction • Two key areas of network security are: • Intrusion Detection • Intrusion Prevention • Intrusions can be: • Denial of Service Attacks • Viruses • In a typical intrusion problem the intruder tries to access a particular file server or website • Authors examine problem where an intruder attempts to send a malicious packet to a given network node • Network attempts to detect the intrusion through sampling
Background • Previous work that used network sampling: • [6] – “SRED: Stabilized RED” • [7] – “CHOKE, A Stateless Active Queue Management Scheme for Approximating Fair Bandwidth Allocation” • [3] – “A Framework for Passive Packet Measurement” • Above all require ONLY header sampling • What’s different with this work: • Detecting intrusion will most likely require looking at more than the header • Must sample in real time if we want to detect and prevent an intrusion. • Must keep sampling cost in mind during analysis
Problem Definition: • Network Set-Up • G = (N, E) • N is the set of nodes • E is the set of unidirectional links • n is the number of nodes • m is the number of links • capacity of link eE is denoted ce • Traffic on link e is denoted by fe • Puv is the set of paths from u to v in G • Muv(w)is max flow that can be sent from node u to v with w as the link capacities • Cuv is the set of links in the minimum cut
Problem Definition (continued): • Network Intrusion Game • Two players • Intruder • Inject an attack packet from attack node a trying to reach target node t • Successful if attack packet reaches t undetected • Service Provider • Detect malicious packets • Sample packets along the links of the network looking for malicious packets • Intrusion is detected if service provider samples the attack packet
Problem Definition (continued): • Constraints of the Game • Service provider is given a sampling bound of B packets per second to make the game more interesting and realistic • If service provider could sample EVERY packet he could always win • In the real world there wouldn’t be enough resources to sample all packets anyway • Sampling of B packets per second can be arbitrarily distributed over all links on the network • Probability of detecting a malicious packet on a given link is: pe = se / fe where seis the sampling rate on link e • SeE se B • More assumptions to make the game more interesting • Service Provider AND Intruder have complete knowledge of network topology • Intruder is capable of picking paths in the network for his attack to make detecting the attack more difficult for the Service Provider
Strategies for the Game • Intruder • Select an attack path from the set of all available paths between a and t (Pat) with probability q(P) • Probability distribution over paths Pat such that SPPq(P) = 1 • V = { q : SPPq(P) = 1 } is the set of possible probability allocations over the set of paths between a and t • Service Provider • Choose the sampling rates for the network links that will give the greatest probability of detecting an attack • U = { p : SeE pefe B } is the set of possible detection probability vectors that are within the sampling budget B
Payoff / Strategy • The number of times the malicious packet is detected as it goes from a to t over path P: • SPP q(P) * SePpe • Service provider wants to maximize this number: • maxpUSPP q(P) * SePpe • But the intruder knows this, and thus wants to minimize the service providers maximum: • minqV maxpUSPP q(P) * SePpe • The flipside: • Intruder wants to minimize SPP q(P) * SePpe • minqVSPP q(P) * SePpe • But the service provider knows this, and thus wants to maximize the intruders minimum: • maxpU minqVSPP q(P) * SePpe
Solution of the Game • The value of the game is: = BMat(f)-1 • The intruder … • needs to decompose the max flow into flows on paths P1, P1, … , Pl from a to t with flows of m1, m2, … , ml • Introduces the malicious packet along the path Pi with probability mi * Mat(f)-1 • The Service Provider … • needs to compute the maximum flow from a to t using fe as the capacity of link e • e1, e2, … , errepresent the links of the corresponding minimum cut with flows f1, f2, … , fr • samples link eiat rate Bfi Mat(f)-1
Example • Max Flow = Mat(f) = 11.5 • Sampling Budget B=5 • a = 1 • t = 5 • Intruder: • Introduce packets on Pi with probability mi * Mat(f)-1 • Prob of P1-2-5 = 7.0/11.5 • Prob of P1-2-6-5 = 0.5/11.5 • Prob of P1-3-4-5 = 4.0/11.5 • Service Provider • Sample link ei at a rate of Bfi Mat(f)-1where ei is a link in the minimum cut • Rate of e1-2 = (5*7.5)/11.5 • Rate of e4-5 = (5*4.0)/11.5 • = 5 / 11.5
Observations • Since the service provider samples packets on the minimum cut, this implies that for any path the intruder would choose, the malicious packet will be sampled at most once • If B Mat(f) then the malicious packet will always be detected • If B < Mat(f) then there is some probability that the malicious packet will not be detected
Routing to Improve the Value of the Game • The previous solution BMat(f)-1 assumes a fixed link flow • Flows on the links are a result of routing demands between nodes pairs in the network • Service Provider can adjust the flows on network links: • Increase prob of detecting malicious packet • Increase the value of the game • Want to maximize value of the game • Minimize Mat(f)
Objective of Service Provider • Route the source-destination demands to minimize Mat(f) • Solve the following: • minxXMat(f) , where f = SkSPP:ePx(P) • X • Denotes allocation of flow on paths • Meets the demand for each commodity • Satisfies capacity constraints on network links • minxXMat(SkSPP:ePx(P)) • Need a way to solve the above equation • Try two different heuristic methods • Flow Flushing Algorithm • Cut Saturation Algorithm
Flow Flushing Algorithm • The flow on the links is a result of routing the different source-destination demands in the network • Mat(f) + Mat(c-f) Mat(c) • Solve this as a multi-commodity flow problem with K+1 commodities • K original demands • +1 new demand between a and t for the attack
Flow Flushing Algorithm (cont…) • = 5 / 9.95
Cut Saturation Algorithm • Picks some a – t cut and tries to direct flow away from the cut. • Making the cut small limits the max a – t flow • Introduce two new nodes s’ and t’ • Determine the highest flow that can be sent from s’ to t’ while keeping the source-destination demands routable • Solve similarly to the Flow Flushing Algorithm • K+1 flows go between s’ and t’ instead of between a and t
Cut Saturation Algorithm (cont …) = 5 / 8.0
Variants and Extensions • First two variants: • The intruder can introduce the malicious packet from any one of a set of attack nodes where A N • Assume tA • The objective of the intruder is to reach any one of a set of target nodes T N • Assume AT = { } • Solution for the above two variants: • Introduce a super source node that is connected to all nodes in A • Introduce a super sink node that is connected to all nodes in T • Play game between super source and super sink node • Third variant: • The intruder can introduce the packet at any one of a set of attack nodes A but no longer has control over the routing in the network • Routing in the network is shortest-path routing
Shortest Path Routing Game • Assume that each link has a length • Packets are routed from the source to the destination along the shortest paths according to the length metric • Ties are broken arbitrarily • Given any two nodes in the network, there is a unique path from one to the other • Objectives • The intruder must determine which node of the attack set A to introduce the packet into • The service provider must determine the sampling rate at the links subject to a sampling budget of B • Solve like a shortest path problem where we find the shortest path from all nodes in A to the destination d • L(d) represents the maximum flow that can be sent from all the nodes in A to the destination node d • The value of the game is = B / L(d)
Experimental Results • The experimental network • Each unidirectional link represents two directed links each having a capacity of 10 units
Experimental Results (cont …) • The following experiments were performed: • Single attack node and single target node • Multiple attack nodes and single target node • Multiple attack nodes and multiple target nodes • For each of the above, three algorithms were run: • Routing to minimize the highest utilized link • f1represents the m-vector of link flows as a result of this alg. • Routing with flow flushing algorithm • f2 represents the m-vector of link flows as a result of this alg. • Routing with cut saturation algorithm • f3 represents the m-vector of link flows as a result of this alg.
Experimental Results (cont …) • M(fi) represents the maximum flow that can be sent from node a to t using fi as the link capacities • Value of the game is: = B / M( ) • The smaller the value of M, the better the chances of detection for a given sampling budget
Experimental Results (cont …) • Changing the routing significantly changes the maximum flow and hence the value of the game • The flow flushing algorithm and the cut saturation algorithm both perform similarly well. • Both out-perform the simple minmax solution
Effect of Capacity on the Value of the Game • As the amount of spare capacity in a network increases , the opportunity to reroute flows increases • Service Provider can improve probability of detection by exploiting the spare capacity to reroute flows • A second experiment was conducted to illustrate this • Link capacity is fixed at some constant C • If C increases, the opportunity to reroute flows also increases
Effect of Capacity on the Value of the Game • As the maximum utilization becomes lower, the amount of spare capacity to reroute flows increases • This implies that both the Flow Flushing Algorithm and the Saturation Cut Algorithm will have more alternate paths
Effect of Capacity on the Value of the Game • As the value of C increases, the maximum flow decreases • Thus the value of the game increases
Conclusions • Packet sampling and examination can be expensive in real-time • Network operator must devise a sampling scheme that will have the greatest probability of detecting intruding packets • Several scenarios were considered • Intruder has complete knowledge of the network topology • Intruder can pick paths in the network • Intruder can pick an entry point into the network if shortest path algorithm is being used • Proposed two algorithms • Flow Flushing Algorithm • Cut Saturation Algorithm • Evaluated the performance of the minmax, flow flushing algorithm, and cut saturation algorithm