Detecting Network Intrusions via Sampling: A Game Theoretic Approach
Murali Kodialam and T. V. Lakshman, Bell Laboratories, Lucent Technologies
Presented by: Eric Banks

Structure of this Presentation
- Introduction
- Related Work
- Explanation of the Network Intrusion Game
- Results
- Conclusions

Introduction
- This paper focuses on the problem of intrusion detection in a communication network.
- The network attempts to detect the intrusion of an adversary who is typically trying to gain access to a particular file server or website on the network.

Introduction
- Intrusion in networks takes many forms, including denial of service attacks, viruses introduced into the network, etc.
- Intrusion detection is commonly associated with intrusion prevention, which defends against malicious attacks. It is important to understand that detection does not involve preventing or countering an attack that has already been launched.
- Intrusion detection involves uncovering or detecting an adversary's attempt to conduct malicious acts.

Introduction
- The two best-known categories of intrusion detection are signature/misuse-based and anomaly-based detection.
- Signature/misuse detection searches for a known identity (signature) for each specific intrusion event: a database of signatures is maintained, and the behaviour observed on the network is cross-referenced with these signatures to see if there is a match. The drawback is that the signature database may not always be current, so an attack with no signature yet goes undetected.
- Anomaly-based detection detects intrusions and misuse by monitoring system activity and classifying it as either normal or anomalous; the classification is based on heuristics or rules. The drawback is that a good baseline has to be in place to compare against changes in the network, and legitimate activity can at times fall outside the expected threshold, which causes false positives.

Introduction
- Sampling takes some portion of the packets traversing the network and examines them in detail to determine whether they are legitimate.
- Packet sampling uses randomness in the sampling process to prevent synchronization with any periodic pattern in the traffic. On average, 1 in every N packets is captured and analysed.
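Why the randomness matters, as an added example that is not part of the original presentation or the paper: the trace below is constructed (an attacker who sends one malicious packet every N packets, deliberately out of phase with a deterministic every-Nth sampler), and the function names are this example's own. Deterministic 1-in-N sampling is either blind to such a flow or catches all of it depending on the phase, while Bernoulli sampling with probability 1/N catches about 1/N of the malicious packets regardless of their period.

```python
import random


def make_trace(n_packets, period, offset):
    """Constructed trace: packet i is malicious iff i % period == offset.
    Synthetic input for this example, not traffic data from the paper."""
    return [(i % period == offset) for i in range(n_packets)]


def sample_every_nth(trace, n, phase=0):
    """Deterministic 1-in-N sampling: picks packets n*k + phase.
    A sender who knows n and phase can keep all malicious packets off those slots."""
    return [i for i in range(len(trace)) if i % n == phase]


def sample_random(trace, n, rng):
    """Randomized 1-in-N sampling: every packet is picked independently with
    probability 1/N, so the gaps between samples are geometric and no traffic
    period can lock onto them."""
    return [i for i in range(len(trace)) if rng.random() < 1.0 / n]


def malicious_caught(trace, sampled):
    """Number of sampled packet indexes that are malicious."""
    return sum(1 for i in sampled if trace[i])


def compare(n=10, n_packets=10_000, seed=7):
    """Run both samplers over the same constructed trace and report hits."""
    trace = make_trace(n_packets, period=n, offset=3)  # attacker is off-phase w.r.t. phase 0
    total_bad = sum(trace)
    det_off_phase = malicious_caught(trace, sample_every_nth(trace, n, phase=0))
    det_in_phase = malicious_caught(trace, sample_every_nth(trace, n, phase=3))
    rnd = malicious_caught(trace, sample_random(trace, n, random.Random(seed)))
    return {
        "malicious": total_bad,
        "deterministic_off_phase_caught": det_off_phase,  # 0: never sees the attack
        "deterministic_in_phase_caught": det_in_phase,    # all of it, by luck
        "random_caught": rnd,                             # about total_bad / n
        "random_fraction": rnd / total_bad,
    }


if __name__ == "__main__":
    for k, v in compare().items():
        print(f"{k}: {v}")
```

The deterministic sampler's result depends entirely on a phase the attacker can choose, which is the synchronization the slide warns about; the random sampler's expected fraction is 1/N for any sender.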

Related Research
- The Stabilized Random Early Drop (SRED) scheme uses packet sampling to estimate the number of active TCP flows in order to stabilize router buffer occupancy.
- Core-Stateless Fair Queueing (CSFQ), for fair link-bandwidth allocation, uses packet sampling to reduce the design complexity of core routers.
- Packet sampling is also used to infer network traffic and routing characteristics, for example when establishing baselines for the network.

Related Research
- Game theory has been used extensively to model different networking problems.
- This research is closely related to the drug interdiction models in the paper "Two-Person Zero-Sum Games for Network Interdiction" by Washburn, A., and Wood, K.

Related Research: SRED (Stabilized RED)
- SRED is a packet sampling mechanism designed to identify flows that are taking more than their fair share of bandwidth.
- Packet sampling is kept simple because only packet headers need to be examined.
- SRED pre-emptively discards packets with a load-dependent probability when a router buffer in the Internet or an intranet appears congested.
- Over a wide range of load levels it stabilizes its buffer occupancy at a level independent of the number of active connections.
- It does this by estimating the number of active connections or flows; the estimate is obtained without collecting or analysing state information on individual flows.

Related Research: Core-Stateless Fair Queueing (CSFQ)
Core-Stateless Fair Queueing: Achieving Approximately Fair Bandwidth Allocations in High Speed Networks
- A fair bandwidth allocation mechanism that conducts packet sampling based on header information.
- Edge routers maintain per-flow state: they estimate the incoming rate of each flow and insert a label into each packet header based on this estimate.
- Core routers maintain no per-flow state: they use FIFO packet scheduling augmented by a probabilistic dropping algorithm that uses the packet labels together with the router's own measurement of the aggregate traffic to clear congestion.

Related Research: Passive packet measurement
- A packet sampling framework general enough to serve as the basis for a wide range of operational tasks, needing only a small set of packet selectors so that it can be deployed ubiquitously in router interfaces or dedicated measurement devices, even at very high speeds.
- The framework also covers the reporting and exporting functions used by the sampling element, and the configuration of the sampling element.
- All reported quantities that relate to the packet treatment MUST reflect the router state and configuration.

Related Research: Game Theory
- Game theory is a branch of applied mathematics often used in the context of economics. It studies strategic interactions between agents: in strategic games, agents choose strategies that maximize their return given the strategies the other agents choose. Its essential feature is that it provides a formal modelling approach to situations in which decision makers interact with other agents.
- The first known discussion of game theory occurred in a letter written by James Waldegrave, in which Waldegrave provides a minimax mixed-strategy solution to a two-person version of the card game le Her.
- Minimax (sometimes minmax) is a method in decision theory for minimizing the maximum possible loss.
- A mixed strategy is a strategy that chooses randomly between possible moves; it is a probability distribution giving how frequently each move is chosen.

Related Research: Two-person zero-sum game
- A game with only two players, in which one player wins what the other player loses.
- In the network interdiction setting, the service provider's problem is to find a probabilistic "arc inspection strategy" that maximizes the probability of detecting the adversary (the interdiction probability), while the adversary's problem is to find a path selection strategy that minimizes the interdiction probability.

Related Research
- Papers have been published on IDS, on sampling, and on game-theoretic frameworks, but no known previous research has modelled intrusion detection via sampling in communication networks using a game-theoretic framework.
- This work differs from the drug interdiction models in two ways. First, in the drug interdiction models the objective is to deploy agents, which is a discrete allocation problem; here detection is by means of sampling, so the game-theoretic results are much more natural than in the discrete allocation models. Second, here the game-theoretic problem naturally leads to a routing problem (routing the traffic so as to maximize the service provider's chances of detecting intruding packets), which is absent from the drug interdiction problem.
- The solution to the game-theoretic formulation is a maximum flow problem, and the routing problem can be formulated as a multi-commodity flow problem.

Explanation of the Network Intrusion Game
- Two players: the intruder and the service provider.
- The network is described by:
  N: the set of nodes
  E: the set of unidirectional links in the network
  M: the links between the nodes
  P: the number of links between any given two nodes
  W: the link capacity

Explanation of the Network Intrusion Game: The playing field
The adversary
- Objective: reach a desired target with a malicious packet.
- Knows the topology of the network and the detection probabilities.
- Is able to choose the paths on which it injects packets into the network.
The service provider
- Objective: sample the malicious packet.
- Can sample packets and examine them.
- Has a sampling budget: the maximum rate at which the intrusion detection node can process packets in REAL TIME.
- Knows the topology of the network and the detection probabilities.
- In some cases shortest-path routing is always used (this makes it easier to know how packets will traverse the network).

Explanation of the Network Intrusion Game: The intruder's strategy
- The adversary chooses a path from the set of feasible paths according to a probability distribution, that is, a mixed strategy over paths.
- If a link e carries traffic F_e and is sampled at rate S_e, the probability of detecting a malicious packet on this link is the sampling rate divided by the traffic flow rate: p_e = S_e / F_e.
- The adversary also knows that the sum of the sampling rates over all links cannot exceed the service provider's sampling budget.
- Ultimately the adversary wants to minimize the expected number of times the packet is detected (sampled) as it goes from source to destination, which by linearity of expectation is the sum of p_e over the links of the chosen path.

Explanation of the Network Intrusion Game: The service provider's strategy
- The service provider determines the set of links on which sampling is to be done.
- For each such link a sampling rate S_e is chosen, such that the total sampling rate does not exceed the sampling budget.
- A malicious packet on link e is then detected with probability p_e = S_e / F_e.
- The probabilities for all sampled links form a vector of per-link detection probabilities.
- The service provider anticipates the adversary's strategy and forms a counter-strategy that maximizes the expected number of times the packet is detected as the adversary sends it from source to destination.

Explanation of the Network Intrusion Game: Example
- Max flow M_at(f) = 11.5, sampling budget B = 5, source a = 1, target t = 5.
- Intruder strategy: each path is chosen with probability equal to its share of the max flow.
  Inserts the packet on the path 1 → 2 → 5 with probability 7.0/11.5
  Inserts the packet on the path 1 → 2 → 6 → 5 with probability 5.0/11.5
  Inserts the packet on the path 1 → 3 → 4 → 5 with probability 4.0/11.5
- Service provider strategy: sample on the links of the minimum cut, each at a rate proportional to its flow.
  Link 1 → 2: S = (5 × 7.5)/11.5
  Link 4 → 5: S = (5 × 4.0)/11.5
- Value of the game = B / M_at(f) = 5/11.5. Every link in the cut is sampled with probability p_e = S_e/F_e = 5/11.5, and every path from 1 to 5 crosses the cut, so the intruder cannot push the expected number of detections below this value.
- If B < M_at(f) there is a chance that the malicious packet will reach the destination without being sampled.
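The example above carried through in code, as an added illustration that is not from the presentation or the paper. It implements the max-flow / min-cut construction the slides describe in general: the provider's strategy samples the links of a minimum a-t cut at rates S_e = B·f_e/M_at(f), and the intruder's strategy is a path decomposition of the max flow. The link flows are a constructed assumption: the slide only states 7.5 on 1 → 2 and 4.0 on 4 → 5, and the remaining links are given flows chosen so that {1 → 2, 4 → 5} is the minimum cut with M_at(f) = 11.5; the resulting path probabilities therefore differ from the slide's split, but the value 5/11.5 and the sampling rates match. Function names are this example's own.

```python
from collections import deque

# Constructed link flows f_e (an assumption of this example): only 1->2 = 7.5 and
# 4->5 = 4.0 come from the slide; the rest are chosen so the min 1-5 cut is
# {1->2, 4->5} with capacity 11.5.
LINK_FLOW = {
    (1, 2): 7.5, (2, 5): 5.0, (2, 6): 6.0, (6, 5): 6.0,
    (1, 3): 6.0, (3, 4): 6.0, (4, 5): 4.0,
}
EPS = 1e-9


def max_flow(cap, s, t):
    """Edmonds-Karp max flow. Returns (M_st, flow per link, source side of a min cut)."""
    nodes = sorted({u for e in cap for u in e})
    flow = {e: 0.0 for e in cap}

    def residual(u, v):
        return cap.get((u, v), 0.0) - flow.get((u, v), 0.0) + flow.get((v, u), 0.0)

    total = 0.0
    while True:
        parent, queue = {s: None}, deque([s])
        while queue:                               # BFS for a shortest augmenting path
            u = queue.popleft()
            for v in nodes:
                if v not in parent and residual(u, v) > EPS:
                    parent[v] = u
                    queue.append(v)
        if t not in parent:                        # no augmenting path: parent set = min cut
            return total, flow, set(parent)
        path, v = [], t
        while parent[v] is not None:
            path.append((parent[v], v))
            v = parent[v]
        delta = min(residual(u, v) for u, v in path)
        for u, v in path:
            cancel = min(delta, flow.get((v, u), 0.0))   # undo reverse flow first
            if cancel > 0:
                flow[(v, u)] -= cancel
            if delta - cancel > EPS:
                flow[(u, v)] += delta - cancel
        total += delta


def provider_strategy(cap, s, t, budget):
    """Sample the links of a minimum s-t cut, each at rate S_e = B * f_e / M.
    Returns (M_st, cut links, S_e, p_e = S_e/f_e, value of the game)."""
    M, _, src_side = max_flow(cap, s, t)
    cut = sorted(e for e in cap if e[0] in src_side and e[1] not in src_side)
    rates = {e: budget * cap[e] / M for e in cut}      # sums to the budget B
    probs = {e: rates[e] / cap[e] for e in cut}        # every cut link: p_e = B / M
    return M, cut, rates, probs, min(1.0, budget / M)


def intruder_strategy(cap, s, t):
    """Decompose the max flow into s-t paths; path P is chosen with probability flow(P)/M."""
    M, flow, _ = max_flow(cap, s, t)
    left = {e: x for e, x in flow.items() if x > EPS}
    paths = []
    while True:
        path = [s]
        while path[-1] != t:
            nxt = [v for (u, v) in left
                   if u == path[-1] and left[(u, v)] > EPS and v not in path]
            if not nxt:
                break
            path.append(nxt[0])
        if path[-1] != t:
            break
        edges = list(zip(path, path[1:]))
        amount = min(left[e] for e in edges)
        for e in edges:
            left[e] -= amount
        paths.append((path, amount / M))
    return paths


def expected_detections(path, probs):
    """Expected number of times a packet on `path` is sampled: the sum of p_e."""
    return sum(probs.get(e, 0.0) for e in zip(path, path[1:]))


if __name__ == "__main__":
    M, cut, rates, probs, value = provider_strategy(LINK_FLOW, 1, 5, budget=5)
    print(f"M_at(f) = {M}, min cut = {cut}, value B/M = {value:.4f}")
    for path, prob in intruder_strategy(LINK_FLOW, 1, 5):
        print(path, f"prob {prob:.3f}", f"E[detections] {expected_detections(path, probs):.4f}")
```

Because every cut link carries the same p_e = B/M and every source-to-target path crosses the cut, each path in the intruder's decomposition has the same expected number of detections, 5/11.5: the provider cannot do better with budget 5 and the intruder cannot do worse. Raising the budget to at least M_at(f) makes the value 1, which is the B < M_at(f) condition on the slide.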

Explanation of the Network Intrusion Game: Routing to improve the value of the game
- The service provider also has the ability to change the routes between devices so as to maximize the probability of detecting the malicious packet.
- When designing these routes it is important to consider the flow cut: the maximum flow in a network is dictated by its bottleneck. Between any two nodes, the quantity flowing from one to the other cannot exceed the capacity of the weakest set of links (the minimum cut) separating the two nodes.

Explanation of the Network Intrusion Game: Routing to improve the value of the game
- The service provider can route the demands so that the maximum link utilization is minimized. This will increase the probability of detecting the malicious packet.
- k: a commodity in the network
- s(k): source node of k
- d(k): destination node of k
- b(k): amount of bandwidth demanded between the s(k), d(k) pair

Explanation of the Network Intrusion Game: Routing to improve the value of the game
Proposed solutions for optimizing network flow when changing the routes in the network:
- Flow flushing: based on the link capacities and the flow on each link.
- Cut saturation: based on directing traffic away from saturated links until they are no longer as saturated.

Optimizing network routing: Flow flushing
- Routing the demands of the different source/destination pairs controls the flow f on the links.
- A maximum a-t flow under capacities f and a maximum a-t flow under the residual capacities c − f can be added to give a feasible flow under c, so M_at(f) + M_at(c − f) ≤ M_at(c). Making the a-t flow that fits into the residual capacities c − f as large as possible therefore pushes down the bound on M_at(f), and so raises the value B / M_at(f).
- This is a multi-commodity flow problem with K + 1 commodities: the K original commodities plus one additional commodity between a and t.

Optimizing network routing: Cut saturation
- The maximum flow between a and t is bounded above by the capacity of any a-t cut.
- Determine the largest a-t flow achievable within the routing rules, then choose the minimum a-t cut and saturate it. Keeping the cut small limits the maximum a-t flow M_at(f).

Explanation of the Network Intrusion Game: The shortest-path routing game
- Under shortest-path routing the routes are fixed by the topology, so the link flows are determined by the demands and it is easier to compute the maximum flow and the minimum cut on the resulting tree of shortest paths.

Results
Three cases were compared:
1) Routing to minimize the most heavily utilized link, with f1 the m-vector of link flows produced by this routing algorithm.
2) Routing with the flow flushing algorithm, with f2 the m-vector of link flows produced by this routing algorithm.
3) Routing with the cut saturation algorithm, with f3 the m-vector of link flows produced by this routing algorithm.

Conclusions
- Examining packets is a proven method for intrusion detection.
- Sampling packets at an efficient rate provides sufficient intrusion detection, provided the sampling rate is chosen carefully: not so high that the detection node cannot keep up, but high enough, and placed intelligently enough, for the probability of detection to be high.
- This is a good strategy for implementing intrusion detection, but the capacity of the network relative to the sampling rate must be kept in mind. The value of the game is the ratio of the sampling budget to the maximum a-t flow, so the larger and more complex the network becomes, the more the sampling budget must increase and the more intelligent the design of the sampling scheme must be.

References
- Ott, T. J., Lakshman, T. V., and Wong, L. H., "SRED: Stabilized RED", Proceedings of Infocom 1999.
- Pan, R., Prabhakar, B., and Psounis, K., "CHOKe, A Stateless Active Queue Management Scheme for Approximating Fair Bandwidth Allocation", Proceedings of Infocom 200.
- Washburn, A., and Wood, K., "Two-Person Zero-Sum Games for Network Interdiction", Operations Research, 43.
- Huang, C.-T., Johnson, N. L., Janies, J., and Liu, A. X., "On Capturing and Containing Worms", University of South Carolina and The University of Texas at Austin.