2009-03-25. Network Intrusions via Sampling: A Game Theoretic Approach. Presented by Zhiqi Zhang. Written by: Murali Kodialam (Bell Labs), T.V. Lakshman.

Presentation transcript:

Network Intrusions via Sampling: A Game Theoretic Approach
Presented by Zhiqi Zhang
Written by: Murali Kodialam (Bell Labs), T.V. Lakshman (Bell Labs)

Structure of this Presentation
• Introduction
• Problem Definition
• Solution of the Game
• Routing to Improve the Value of the Game
• Experimental Results
• Conclusions

Intrusion in network: Typically, in an intrusion problem, the intruder attempts to gain access to a particular file server or website in the network. Includes: denial of service attacks, viruses introduced into the networks…
Two key areas in security:
• Intrusion detection
  – In this paper, the problem is that the intruder attempts to send a malicious packet to a given node in the network. The service provider attempts to detect this intrusion. The detection mechanism is packet sampling and examination in the network.
• Intrusion prevention

Packet Sampling: some portion of packets traversing designated links (or router interfaces) are sampled and examined in detail to determine whether the packet is an intruder packet.
Different networking purposes of packet sampling:
– To estimate the number of active TCP flows in order to stabilize network buffer occupancy for TCP traffic.
– To allocate link bandwidth fairly.
– To infer network traffic and routing characteristics.
• All these applications require only sampling based on packet header comparisons.

Requirements of sampling for intrusion detection:
• More thorough examination of sampled packets than in all of the above applications
• Near line-speed packet sampling and examination, because copying sampled packets or packet headers for off-line analysis is not sufficient to prevent intruding packets from getting through.
Hence, it is imperative to keep the sampling costs in mind. This is also the motivation of this research.

Game theory has been used extensively to model different networking problems.
• Shenker, S., “Making Greed Work in Networks: A Game-Theoretic Analysis of Switch Service Disciplines”, IEEE/ACM Transactions on Networking,
• Akella, A., Karp, R., Papadimitriou, C., Seshan, S., Shenker, S., “Selfish Behavior and the Stability of the Internet: A Game Theoretic Analysis of TCP”, Proceedings of SIGCOMM 2002, 2002
• Korilis, Y., Lazar, A., Orda, A., “Architecting Noncooperative networks”, IEEE Journal on Selected Areas in Communications, pp , September 1995
This is the first time intrusion detection via sampling in communication networks has been modeled using a game-theoretic framework.

This work is closely related to drug interdiction models.
• Washburn, A., and Wood, K., “Two-Person Zero-Sum Games for Network Interdiction”, Operations Research, 43, pp ,
Two differences between this work and the drug interdiction models:
• The detection is by means of sampling, results are much more natural.
• The game theoretic problem naturally leads to a routing problem (to maximize the service provider’s chances of detecting intruding packets)

• Game theory: attempts to mathematically capture behavior in strategic situations, in which an individual's success in making choices depends on the choices of others.
• Types of games
  – Cooperative or non-cooperative games
  – Zero sum and non-zero sum games
  – Symmetric and asymmetric games
  – …

PROBLEM DEFINITION
Network Set-Up
We consider a network $G = (N, E)$
• $N$: set of nodes (s, u, v, m, t)
• $E$: set of unidirectional links in the network (e1, e2, e3, ...)
• $c_e$: capacity of link $e \in E$
• $f_e$: the amount of traffic flowing on link $e$
• $P_s^t$: the set of paths from s to t in G

PROBLEM DEFINITION
Two players: the Service Provider and the Intruder
• Intruder’s Objective: Inject a malicious packet from attack node a in order to attack target node t
• Service Provider’s Objective: Detect and prevent the intrusion
  – To do so, we assume that the service provider can sample packets along the links of the network looking for malicious packets.

PROBLEM DEFINITION
We assume that:
• An intruder wins when the malicious packet reaches the desired target node t without detection.
• The service provider wins if it samples the malicious packet during the course of sampling.

PROBLEM DEFINITION
The Objective and the Constraints of the Game
– Service provider is given a sampling bound of B packets per second
  • If service provider could sample EVERY packet he could always win
– Sampling of B packets per second can be arbitrarily distributed over all links on the network
  • Probability of detecting a malicious packet on a given link is $p_e = s_e / f_e$, where $s_e$ is the sampling rate on link $e$ and $f_e$ is the amount of traffic flowing on link $e$

PROBLEM DEFINITION
Strategies for the Two Players:
Intruder:
– Pick a path (or a distribution of paths) to send the malicious packet from a to t
  • Probability distribution over paths $P_a^t$ such that
Service Provider:
– Choose the sampling rates for the network links that will give the greatest probability of detecting an attack
  • $U = \{\, p : \sum_{e \in E} p_e f_e \le B \,\}$ is the set of possible detection probability vectors that are within the sampling budget B

PROBLEM DEFINITION
Payoff Matrix
Payoff is the expected number of times the malicious packet is detected as it goes from a to t.
• For a given path $P_a^t$, the payoff is
• The probability that this path P is picked by the intruder is $q(P)$.
• The payoff is
Interchanging the order of summation, we get
This can be equivalently written in a matrix form as $q^T M p$

PROBLEM DEFINITION
Payoff Matrix
The payoff is,
This can be equivalently written in a matrix form as $q^T M p$
M=

PROBLEM DEFINITION
Objective of Intruder:
Service provider wants to maximize this number:
But the intruder knows this, tries to pick a distribution q() that minimizes this maximum value:
Intruder’s Objective:

PROBLEM DEFINITION
Objective of Service provider:
Intruder wants to minimize this number:
But the service provider knows this, tries to maximize the intruder's minimum:
Service provider’s objective:

SOLUTION OF THE GAME
This is a classical two-person zero-sum game.
There exists an optimal solution to the intrusion detection game.
The value of the game is: $\theta = B \, M_{at}(f)^{-1}$
– $M_{at}(f)$ is the max flow that can be sent from node a to t with f as the link capacities
– B is the sampling bound

SOLUTION OF THE GAME
The Intruder Strategy
• needs to decompose the max flow into flows on paths $P_1, P_2, \ldots, P_l$ from a to t with flows of $m_1, m_2, \ldots, m_l$
• introduces the malicious packet along the path $P_i$ with probability $m_i \, M_{at}(f)^{-1}$
The Service Provider Strategy
• needs to compute the maximum flow from a to t using $f_e$ as the capacity of link $e$
• $e_1, e_2, \ldots, e_r$ represent the links of the corresponding minimum cut with flows $f_1, f_2, \ldots, f_r$
• samples link $e_i$ at rate $B f_i \, M_{at}(f)^{-1}$

SOLUTION OF THE GAME (example)
Max Flow = $M_{at}(f)$ = 11.5
Sampling Budget B = 5
Game value: $\theta$ = 5 / 11.5
The Intruder Strategy
• Introduce the malicious packet along the path with probability 7.0 / 11.5
• Introduce the malicious packet along the path with probability 0.5 / 11.5
• Introduce the malicious packet along the path with probability 4.0 / 11.5
The Service Provider Strategy
• Sample link 1-2 at rate 5 / 11.5 giving a total sampling rate of (5 x 7.5) / 11.5 on that link
• Sample link 4-5 at rate 5 / 11.5 giving a total sampling rate of (5 x 4.0) / 11.5 on that link

Observation
Since the service provider samples packets on the minimum cut, this implies that for any path the intruder would choose, the malicious packet will be sampled at most once.
• If $B \ge M_{at}(f)$: the malicious packet will always be detected
• If $B < M_{at}(f)$: there is some probability that the malicious packet will not be detected
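The two strategies and the observation above can be computed with one max-flow/min-cut solve. The following is an added example, not code from the slides or the paper: the topology in FLOWS is constructed (the slide's network figure is not in the transcript) so that it reproduces the slide's numbers, and all function names are this example's own.

```python
from collections import defaultdict, deque

EPS = 1e-9

def bfs(cap, src):
    """Parent map of every node reachable from src over links with capacity left."""
    parent, queue = {src: None}, deque([src])
    while queue:
        u = queue.popleft()
        for v, c in cap[u].items():
            if c > EPS and v not in parent:
                parent[v] = u
                queue.append(v)
    return parent

def drain(cap, a, t, residual):
    """Push bottleneck flow along BFS paths until t is cut off from a."""
    pushed = []
    while t in (parent := bfs(cap, a)):
        nodes = [t]
        while parent[nodes[-1]] is not None:
            nodes.append(parent[nodes[-1]])
        nodes.reverse()
        links = list(zip(nodes, nodes[1:]))
        m = min(cap[u][v] for u, v in links)
        for u, v in links:
            cap[u][v] -= m
            if residual:  # max-flow mode: a later path may undo this push
                cap[v][u] += m
        pushed.append((tuple(nodes), m))
    return pushed

def solve_game(flows, a, t, budget):
    """flows maps link (u, v) to f_e. Returns (theta, M_at(f), s_e per cut link, q)."""
    res = {n: defaultdict(float) for link in flows for n in link}
    for (u, v), f in flows.items():
        res[u][v] += f
    max_flow = sum(m for _, m in drain(res, a, t, residual=True))
    if max_flow <= EPS:
        raise ValueError("no traffic-carrying path from a to t")
    side = bfs(res, a)  # source side of a minimum a-t cut
    theta = min(1.0, budget / max_flow)  # B >= M_at(f): detection is certain
    sampling = {(u, v): theta * f for (u, v), f in flows.items()
                if u in side and v not in side}
    # Net flow per link, then decompose it into a-t paths P_i carrying m_i.
    net = {n: defaultdict(float) for n in res}
    for (u, v), f in flows.items():
        net[u][v] = max(0.0, f - res[u][v])
    q = {p: m / max_flow for p, m in drain(net, a, t, residual=False)}
    return theta, max_flow, sampling, q

def detection_probability(nodes, sampling, flows):
    """Sum of p_e = s_e / f_e over the links of one intruder path."""
    return sum(sampling.get(e, 0.0) / flows[e] for e in zip(nodes, nodes[1:]))

# Constructed topology: a = 1, t = 5, values are link traffic f_e.
FLOWS = {(1, 2): 7.5, (2, 5): 7.0, (2, 3): 3.0, (3, 5): 3.0,
         (1, 4): 6.0, (4, 5): 4.0}

if __name__ == "__main__":
    theta, m, sampling, q = solve_game(FLOWS, a=1, t=5, budget=5.0)
    print(f"M_at(f) = {m}, theta = {theta:.4f}")
    print("sampling rates s_e:", sampling)
    print("intruder path mix q:", q)
```

Every path in the intruder's mix crosses exactly one sampled cut link, so `detection_probability` returns the same value for each of them, which is the value of the game.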

ROUTING TO IMPROVE THE VALUE OF THE GAME
• Previous solution $B \, M_{at}(f)^{-1}$ assumes a fixed link flow f
• In reality service provider can adjust the flows in the network to maximize the value of the game
Objective of the Service: Route the source-destination demands to minimize $M_{at}(f)$.
Two Different Ways to Achieve this Objective:
• Flow Flushing Algorithm
• Cut Saturation Algorithm

Flow Flushing Algorithm
The flow on the links is a result of routing the different source-destination demands in the network.
$M_{at}(f) + M_{at}(c - f) \ge M_{at}(c)$
– c: link capacity, f: flow on the link
Solution requires a multi-commodity (source-destination) flow problem with K+1 commodities
• K original commodities
• an additional commodity between a and t

Flow Flushing Algorithm
The link flows for FFA are shown for the first network example.
[Figure: link flows; $M_{at}(f) = 9.95$, $\theta = 5 / 9.95$; $M_{at}(f) = 11.5$, $\theta = 5 / 11.5$]

Cut Saturation Algorithm
This algorithm relies on the fact that the maximum flow between a and t is upper bounded by the size of any a − t cut.
• picks some a − t cut and tries to direct flow away from this cut
• Once the source-destination demands are routed, this cut will be small and hence will limit the maximum a − t flow
• How to implement?
  – Introduce two new nodes s’ and t’
  – Introduce an arc between node s’ and all nodes α(e)
  – Introduce an arc between node t’ and all nodes β(e)
  – let α(e) and β(e) represent the start and end nodes of short-cut link.

Cut Saturation Algorithm
The link flows for FFA are shown for the first network example.
[Figure: link flows; $M_{at}(f) = 9.95$, $\theta = 5 / 9.95$; $M_{at}(f) = 11.5$, $\theta = 5 / 11.5$; $M_{at}(f) = 7.0$, $\theta = 5 / 7.0$]

Shortest Path Routing Game
Assumes:
• each link has a length
• packets are routed from the source to the destination along shortest paths according to this length metric.
• ties are broken arbitrarily.
Objectives:
• The intruder must determine which node of the attack set A to introduce the packet into
• The service provider must determine the sampling rate at the links subject to a sampling budget of B
Solution:
• The value of the game is $\theta = B / L(d)$
• $L(d)$ represents the maximum flow that can be sent from all the nodes in A to the destination node d

EXPERIMENTAL RESULTS
We performed the following experiments:
• Single attack node and single target node (3 problems).
• Multiple attack nodes and single target node (1 problem).
• Multiple attack nodes and multiple target nodes (1 problem).
For each of the cases, we ran three different algorithms.
1) Routing to minimize the highest utilized link, with f1 representing the m-vector of link flows as a result of this routing algorithm.
2) Routing with flow flushing algorithm, with f2 representing the m-vector of link flows as a result of this routing algorithm.
3) Routing with cut saturation algorithm, with f3 representing the m-vector of link flows as a result of this routing algorithm.

EXPERIMENTAL RESULTS
Let $M(f_i)$ for i = 1, 2, 3 represent the maximum flow that can be sent from node a to t using $f_i$ as the link capacities.
$\theta$ = B / M( ): The smaller the value of M, the better the chances of detection for a given sampling budget.

EXPERIMENTAL RESULTS
From the table, note that the maximum flow value and hence the value of the game can be changed significantly by changing the routing in the network.
In most of the examples the performance of the flow flushing algorithm and the cut saturation algorithm are quite similar, and better than the simple minimization of maximum link utilization algorithm.

Effect of Capacity on the Value of the Game
As the amount of spare capacity in a network increases, the opportunity to reroute flows increases.
• Service Provider can improve probability of detection by exploiting the spare capacity to reroute flows
A second experiment was conducted:
• Capacity of the links in this example network are fixed at some constant value C.
• If C increases, the opportunity to reroute flows also increases.

Effect of Capacity on the Value of the Game
• As the maximum utilization becomes lower, the amount of spare capacity to reroute flows increases
• This implies that both the Flow Flushing Algorithm and the Saturation Cut Algorithm will have more alternate paths

Effect of Capacity on the Value of the Game
As the value of C increases, the maximum flow decreases, thus the value of the game increases.

CONCLUDING REMARKS
Because:
• Packet sampling and examination in real-time can be expensive.
• The network operator must devise an effective sampling scheme to detect intruding packets injected into the network by an adversary.
Considered the following scenarios:
• Intruder has complete knowledge of the network topology
• Intruder can pick paths in the network
• Intruder can pick an entry point into the network if shortest path algorithm is being used
Proposed:
• The detection via sampling problem was formulated in a game-theoretic framework
• Two algorithms
  – Flow Flushing Algorithm
  – Cut Saturation Algorithm
Evaluated: the performance of the minmax, flow flushing algorithm, and cut saturation algorithm