
Detecting Network Intrusions via Sampling : A Game Theoretic Approach


Presentation Transcript


  1. Detecting Network Intrusions via Sampling: A Game Theoretic Approach
  Murali Kodialam, T.V. Lakshman (muralik@bell-labs.com, lakshman@bell-labs.com)
  Bell Labs, Lucent Technologies
  Presented By: Matt Vidal
  July 22, 2003

  2. Outline
  • Introduction
  • Problem Definition
  • Solution of the Game
  • Routing to Improve the Value of the Game
  • Variants and Extensions
  • Experimental Results
  • Conclusions
  • Questions

  3. Introduction
  • Two key areas of interest in network security:
    • Intrusion Detection
    • Intrusion Prevention
  • Intrusions can take many forms:
    • Denial of Service (DoS) / Distributed Denial of Service (DDoS)
    • Network Virus Propagation
  • Usually, an intruder tries to access a specific file server or website in the network
  • In this research, the authors focus on an intruder sending a malicious packet to a node in the network

  4. Introduction (2)
  • Packet Sampling:
    • Some packets traversing specific links are sampled and investigated to determine whether they are malicious (sent by the intruder)
    • Requires fast and thorough processing
  • Intrusion detection requires a thorough examination of the sampled packets
  • Packet sampling must be performed in real time in order to prevent intruders from slipping by
  • Packet examination must be done at line speed to keep from disrupting routing

  5. Problem Definition
  • The problem of packet intrusion is described in three steps:
    • 1) Network Set-Up
    • 2) Network Intrusion Game
    • 3) The Objective and Constraints of the Game

  6. Problem Definition: Network Set-Up
  • Network G = (N, E)
    • N: set of nodes in the network (n nodes)
    • E: set of unidirectional links in the network (m links)
  • ce: capacity of link e
  • fe: traffic flowing on link e
  • Pvu: set of paths from node u to v
  • Muv(w): maximum flow between nodes u and v
  • Cvu: minimum cut (comprised of a set of links in the network)

  7. Problem Definition: Network Intrusion Game
  • Two players of the game:
    • Service Provider
    • Intruder
  • Intruder's objective:
    • Inject a malicious packet from attack node a in order to attack target node t
  • Service provider's objective:
    • Detect and prevent the intrusion
    • To do so, the service provider samples packets in the network
    • It is assumed that the sampling is performed on the links (not at the nodes)

  8. Problem Definition: Network Intrusion Game (2) • Intruder tries to sneak a malicious packet from a to t

  9. Problem Description: The Objective and Constraints of the Game
  • B: sampling bound; the service provider can sample no more than B packets per second
    • If the service provider could sample all packets, it would easily find the intruder
    • There are not enough resources to process all those packets anyway
  • Assumptions:
    • Both players have knowledge of network topology and link flows
    • The intruder is capable of picking paths in the network in order to make detection by the service provider more difficult

  10. Players' Strategies
  • For the Intruder:
    • Pick a path (or a distribution over paths) to get the malicious packet from a to t
  • For the Service Provider:
    • Determine a set of links on which sampling is necessary
    • Determine the sampling rate on each link, keeping the total under the sampling bound
    • The service provider picks a set of detection probabilities at the links it chooses to sample on

  11. Players’ Strategies (2) • Intruder’s and service provider’s actions

  12. Players’ Strategies (3) • Service provider’s action, arc sampling

  13. Players' Objectives
  • The objective of the intruder is to pick a distribution q() that minimizes the service provider's knowledge of the intrusion strategy
  • The service provider's intent is maximization
  • Classical two-person zero-sum game with a minmax result

  14. Players' Objectives (2)
  • There exists an optimal solution to the game
  •  is the value of the game

  15. Solution of the Game
  • The value of the game is B · Mat(f)^-1
  • Any maximum flow from a to t can be decomposed into a set of flows from a to t
  • Intruder:
    • Decompose the maximum flow from a to t (using the flow fe of link e as its capacity) into flows on paths P1, P2 … Pl with flows m1, m2 … ml
    • Introduce the malicious packet on path Pi with probability mi · Mat(f)^-1
  • Service provider:
    • Compute the maximum flow from a to t (using the flow fe of link e as its capacity); the minimum cut consists of arcs e1, e2 … er carrying flows f1, f2 … fr
    • Sample link ei at rate B · fi · Mat(f)^-1

  16. Solution of the Game: Example
  • B = 5, a = 1, t = 5, Minimum Cut = 11.5 units

  17. Solution of the Game: Example (2)
  • Intruder's Strategy:
    • Introduce the malicious packet along the path 1-2-5 with probability 7.0 / 11.5
    • Introduce the malicious packet along the path 1-2-6-5 with probability 0.5 / 11.5
    • Introduce the malicious packet along the path 1-3-4-5 with probability 4.0 / 11.5
  • Service Provider's Strategy:
    • Sample link 1-2 at rate 5 / 11.5, giving a total sampling rate of (5 x 7.5) / 11.5 on that link
    • Sample link 4-5 at rate 5 / 11.5, giving a total sampling rate of (5 x 4.0) / 11.5 on that link
  • If B  Mat(f): the malicious packet is always detected
  • If B  Mat(f): the malicious packet might not be detected

  18. Routing to Improve the Value of the Game
  • The game solution B · Mat(f)^-1 assumes a fixed link flow f
  • Flows on the links are a result of routing the demands between node pairs in the network
  • In reality, the service provider can adjust the flows to maximize the value of the game
  • For K source-destination demand pairs in the network:
    • s(k): source node for commodity k
    • d(k): destination node for commodity k
    • b(k): amount of demand (bandwidth) that has to be routed for this source-destination pair

  19. Routing to Improve the Value of the Game (2)
  • 1) Original source-destination pairs and demands from the game network example (with link capacity of 10 units)
  • 2) Route the demands such that the maximum link utilization in the network is minimized

  20. Routing to Improve the Value of the Game (3)
  • The service provider routes the flows such that the value of the network intrusion game is maximized
    • This increases the detection probability of the malicious packet
  • The objective is to route the source-destination demands so as to minimize the value of Mat(f)
  • There is no explicit solution to the routing problem
  • The authors developed two heuristics and offer two solutions to the optimization problem

  21. Flow Flushing Algorithm (FFA)
  • c: link capacity, f: flow on the link
  • The flow on the links is a result of routing the different source-destination demands on the network
  • Mat(f) + Mat(c - f)  Mat(c)
  • The solution requires a multi-commodity (source-destination) flow problem with K+1 commodities, including the additional commodity between a and t
  • The link flows for FFA are shown for the first network example

  22. Flow Flushing Algorithm (FFA) (2)
  • Maximum flow Mat(f) = 9.95 units
  • Game value  = 5 / 9.95

  23. Cut Saturation Algorithm
  • The maximum flow between a and t is (upper) bounded by the size of any a - t cut
  • The Cut Saturation Algorithm picks an a - t cut and attempts to direct flow away from this cut
    • Introduce two new nodes, s´ and t´
    • Determine the highest flow that can be sent from s´ to t´ while maintaining routing for the source-destination demands
    • Pick the minimum a - t cut and attempt to saturate that cut
  • The Cut Saturation Algorithm can yield a better solution than the Flow Flushing Algorithm

  24. Cut Saturation Algorithm (CSA) (2) • Only cut links are shown in the network

  25. Cut Saturation Algorithm (CSA) (3)
  • Maximum flow Mat(f) = 8.0 units
  • Game value  = 5 / 8
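  The optimal strategies of slides 15-17 and the effect of rerouting on slides 18-25, implemented as an added example; this is not code from the paper or from the talk. It computes the a-t maximum flow with link flows as capacities, reads the minimum cut off the final residual graph, decomposes the flow into paths for the intruder's mixed strategy, and allocates the sampling budget B over the cut links for the service provider. The link flows in LINK_FLOWS are constructed assumptions chosen so that the numbers match the slide example (max flow 11.5, min cut {1-2, 4-5}); REROUTED_FLOWS is a second constructed routing of the same network, not the output of FFA or CSA, used only to show that a different routing changes Mat(f) and hence the value. All function names are mine.

```python
from collections import deque

# Constructed link flows f_e (packets/s) for the six-node network of the
# "Solution of the Game: Example" slides (a = 1, t = 5).  These values are an
# assumption chosen to reproduce the slide's numbers; they are not the paper's data.
LINK_FLOWS = [
    (1, 2, 7.5), (2, 5, 7.0), (2, 6, 2.0), (6, 5, 0.5),
    (1, 3, 6.0), (3, 4, 5.0), (4, 5, 4.0),
]
# A second, constructed routing of the same demands with less traffic on link 1-2.
# Not produced by FFA or CSA; it only illustrates how rerouting changes Mat(f).
REROUTED_FLOWS = [
    (1, 2, 4.0), (2, 5, 4.0), (2, 6, 0.0), (6, 5, 0.0),
    (1, 3, 4.0), (3, 4, 4.0), (4, 5, 4.0),
]
SAMPLING_BUDGET = 5.0  # B: packets/s the service provider can inspect
EPS = 1e-12


def max_flow(links, src, dst):
    """Edmonds-Karp max flow using the link flow f_e as the capacity of link e.
    Returns (value, flow per arc, set S of nodes reachable from src in the final
    residual graph).  S defines the minimum cut {(u, v): u in S, v not in S}."""
    cap, adj = {}, {}
    for u, v, f in links:
        cap[(u, v)] = cap.get((u, v), 0.0) + f
        cap.setdefault((v, u), 0.0)          # reverse arc so flow can be cancelled
        adj.setdefault(u, []).append(v)
        adj.setdefault(v, []).append(u)
    flow = {arc: 0.0 for arc in cap}
    total = 0.0
    while True:
        parent, queue = {src: None}, deque([src])
        while queue and dst not in parent:  # BFS for a shortest augmenting path
            u = queue.popleft()
            for v in adj[u]:
                if v not in parent and cap[(u, v)] - flow[(u, v)] > EPS:
                    parent[v] = u
                    queue.append(v)
        if dst not in parent:
            return total, flow, set(parent)
        path, v = [], dst
        while parent[v] is not None:
            path.append((parent[v], v))
            v = parent[v]
        aug = min(cap[arc] - flow[arc] for arc in path)
        for u, v in path:
            flow[(u, v)] += aug
            flow[(v, u)] -= aug
        total += aug


def decompose(links, flow, src, dst):
    """Split the max flow into src-dst paths P_i carrying m_i (slide 15).
    Assumes the flow is acyclic, which holds for the flows computed here."""
    remaining = {(u, v): max(flow[(u, v)], 0.0) for u, v, _ in links}
    paths = []
    while True:
        nodes, u = [src], src
        while u != dst:
            nxt = next((v for (x, v), r in remaining.items()
                        if x == u and r > EPS and v not in nodes), None)
            if nxt is None:
                return paths
            nodes.append(nxt)
            u = nxt
        arcs = list(zip(nodes, nodes[1:]))
        m = min(remaining[arc] for arc in arcs)
        for arc in arcs:
            remaining[arc] -= m
        paths.append((tuple(nodes), m))


def solve_game(links, a, t, budget):
    """Optimal strategies of the zero-sum sampling game (slides 13-15)."""
    m_at, flow, reach = max_flow(links, a, t)
    cut = [(u, v, f) for u, v, f in links if u in reach and v not in reach]
    value = min(1.0, budget / m_at)      # detection probability B / Mat(f), capped at 1
    intruder = [(p, m / m_at) for p, m in decompose(links, flow, a, t)]
    # Provider samples cut link e_i at B * f_i / Mat(f) packets/s, i.e. the same
    # fraction `value` of the packets on every cut link; the rates sum to B when B <= Mat(f).
    provider = {(u, v): value * f for u, v, f in cut}
    return {"max_flow": m_at, "min_cut": cut, "value": value,
            "intruder": intruder, "provider": provider}


def detection_probability(solution, links, nodes):
    """Probability that a packet sent along node path `nodes` is sampled at least
    once under the provider's strategy in `solution`."""
    f = {(u, v): fl for u, v, fl in links}
    miss = 1.0
    for arc in zip(nodes, nodes[1:]):
        sampled = solution["provider"].get(arc, 0.0)
        miss *= 1.0 - (sampled / f[arc] if f[arc] > EPS else 0.0)
    return 1.0 - miss


if __name__ == "__main__":
    for label, links in (("original routing", LINK_FLOWS), ("rerouted", REROUTED_FLOWS)):
        sol = solve_game(links, 1, 5, SAMPLING_BUDGET)
        print(f"{label}: Mat(f) = {sol['max_flow']:.2f}, game value = {sol['value']:.4f}")
        for nodes, prob in sol["intruder"]:
            print(f"  intruder path {'-'.join(map(str, nodes))} w.p. {prob:.4f}, "
                  f"detected w.p. {detection_probability(sol, links, nodes):.4f}")
        for (u, v), rate in sol["provider"].items():
            print(f"  provider samples link {u}-{v} at {rate:.3f} packets/s")
```

  Every intruder path crosses the minimum cut, and each cut link is sampled at the same fraction B / Mat(f) of its traffic, so no pure path does better than the game value; conversely the intruder's path mixture puts at most f_e / Mat(f) of its probability on any link, so no allocation of B buys the provider more. Running the same function on the rerouted flows shows Mat(f) dropping from 11.5 to 8.0 and the value rising from 5 / 11.5 to 5 / 8, which is the lever the FFA and CSA heuristics pull.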

  26. Variants and Extensions
  • 1) The intruder can introduce the malicious packet from one node of a subset of nodes in the network
  • 2) The intruder is attempting to reach one node of a set of target nodes in the network
  • The solution is to introduce:
    • 1) a super source node that is connected to the subset of possible source nodes, and
    • 2) a super sink node that is connected to the subset of possible target nodes
  • 3) The intruder can introduce a packet at any one of a set of nodes, but has no control of the routing in the network
    • The shortest path routing game

  27. Shortest Path Routing Game
  • All packets are routed from source to destination by shortest path routing
  • For any two nodes in the network, there is a unique path from one node to the other
  • A packet introduced into the network follows the unique path from that source node to the destination node
  • The intruder needs to determine which node of its available subset (A) it can use to introduce a malicious packet
  • The service provider needs to determine the sampling rate at the links, subject to a sampling budget of B
  • The problem is that the maximum flow (L) (and hence the minimum cut) is no longer easy to compute
  • The value of the game is determined to be B / L(d)

  28. Experimental Results
  • The two algorithms (Flow Flushing and Cut Saturation) were evaluated on two experimental networks
  • The first network had 15 nodes and 27 link segments
    • The segments each contained two directed links with a capacity of 10 units

  29. Experimental Results: Network

  30. Experimental Results: Set-Up
  • Experiment cases performed:
    • Single attack node and single target node
    • Multiple attack nodes and single target node
    • Multiple attack nodes and multiple target nodes
  • Three algorithms per case:
    • 1) Routing to minimize the highest utilized link; f1 represents the m-vector of link flows resulting from this routing
    • 2) Routing with the Flow Flushing Algorithm; f2 represents the m-vector of link flows resulting from this routing
    • 3) Routing with the Cut Saturation Algorithm; f3 represents the m-vector of link flows resulting from this routing

  31. Experimental Results: Comparison
  • M() = B /  (sampling budget / game value)
    • The maximum flow that can be sent from node a to t using fi
  • The smaller the value of M, the better the chances of detection
  • The maximum flow value (and thus the game value) is highly dependent upon the routing in the network

  32. Effect of Capacity on the Value of the Game
  • When the network has more spare capacity, it is able to further reroute flows
  • The service provider can use the spare capacity to reroute flows and increase its detection probability
  • Using the second experimental network, with a link capacity of C, it was determined that the service provider can exploit the spare link capacity for rerouting flows
  • As the link capacity increases, there are more opportunities to reroute flows
  • Network simulations illustrate the relationship between maximum utilization and link capacity, and the effect of Flow Flushing on the maximum flow value

  33. Effect of Capacity on the Value of the Game (2)
  • Maximum utilization decreases -> rerouting capacity increases
  • FFA and CSA will have more alternate paths available

  34. Effect of Capacity on the Value of the Game (3)
  • Base case: minimize maximum utilization
  • FFA: the a - t maximum flow value decreases as link capacity increases

  35. Conclusions
  • Detect intruding packets in the network by sampling on network links
    • Requires real-time, line-speed processing, a costly procedure
    • Making it feasible means using a creative, yet effective, sampling scheme
  • Introduced the Flow Flushing Algorithm and the Cut Saturation Algorithm
    • FFA and CSA facilitate better ingress-egress routing, which maximizes the chances of detection
    • The performance of FFA and CSA is shown to be better than the base case of minimizing maximum utilization

  36. Questions?
