1 - CS7701 – Fall 2004 Review of: Detecting Network Intrusions via Sampling: A Game Theoretic Approach Paper by: – Murali Kodialam (Bell Labs) – T.V. Lakshman.

Presentation transcript:

1 - CS7701 – Fall 2004
Review of: Detecting Network Intrusions via Sampling: A Game Theoretic Approach
Paper by:
– Murali Kodialam (Bell Labs)
– T.V. Lakshman (Bell Labs)
Published in:
– IEEE Infocom 2003
Reviewed by:
– James Moscola
Discussion Leader:
– Todd Sproull
CS7701: Research Seminar on Networking

2 - CS7701 – Fall 2004
Outline
– Introduction
– Problem Definition
– Solution of the Game
– Routing to Improve the Value of the Game
– Variants and Extensions
– Experimental Results
– Conclusions

3 - CS7701 – Fall 2004
Introduction
Two key areas of network security are:
– Intrusion Detection
– Intrusion Prevention
Intrusions can be:
– Denial of Service Attacks
– Viruses
In a typical intrusion problem the intruder tries to access a particular file server or website
– Authors examine problem where an intruder attempts to send a malicious packet to a given network node
Network attempts to detect the intrusion through sampling

4 - CS7701 – Fall 2004
Background
Previous work that used network sampling:
– [6] – “SRED: Stabilized RED”
– [7] – “CHOKE, A Stateless Active Queue Management Scheme for Approximating Fair Bandwidth Allocation”
– [3] – “A Framework for Passive Packet Measurement”
Above all require ONLY header sampling
What’s different with this work:
– Detecting intrusion will most likely require looking at more than the header
– Must sample in real time if we want to detect and prevent an intrusion.
– Must keep sampling cost in mind during analysis

5 - CS7701 – Fall 2004
Problem Definition: Network Set-Up
– $G = (N, E)$
– $N$ is the set of nodes
– $E$ is the set of unidirectional links
– $n$ is the number of nodes
– $m$ is the number of links
– capacity of link $e \in E$ is denoted $c_e$
– Traffic on link $e$ is denoted by $f_e$
– $\mathcal{P}_u^v$ is the set of paths from $u$ to $v$ in $G$
– $M_{uv}(w)$ is max flow that can be sent from node $u$ to $v$ with $w$ as the link capacities
– $C_u^v$ is the set of links in the minimum cut

6 - CS7701 – Fall 2004
Problem Definition (continued): Network Intrusion Game
– Two players
  Intruder
  – Inject an attack packet from attack node a trying to reach target node t
  – Successful if attack packet reaches t undetected
  Service Provider
  – Detect malicious packets
    » Sample packets along the links of the network looking for malicious packets
  – Intrusion is detected if service provider samples the attack packet

7 - CS7701 – Fall 2004
Problem Definition (continued): Constraints of the Game
– Service provider is given a sampling bound of B packets per second to make the game more interesting and realistic
  – If service provider could sample EVERY packet he could always win
  – In the real world there wouldn’t be enough resources to sample all packets anyway
– Sampling of B packets per second can be arbitrarily distributed over all links on the network
  – Probability of detecting a malicious packet on a given link is: $p_e = s_e / f_e$, where $s_e$ is the sampling rate on link $e$
  – $\sum_{e \in E} s_e \le B$
– More assumptions to make the game more interesting
  – Service Provider AND Intruder have complete knowledge of network topology
  – Intruder is capable of picking paths in the network for his attack to make detecting the attack more difficult for the Service Provider

8 - CS7701 – Fall 2004
Strategies for the Game
Intruder
– Select an attack path from the set of all available paths between a and t ($\mathcal{P}_a^t$) with probability $q(P)$
  – Probability distribution over paths $\mathcal{P}_a^t$ such that $\sum_{P \in \mathcal{P}_a^t} q(P) = 1$
  – $V = \{ q : \sum_{P \in \mathcal{P}_a^t} q(P) = 1 \}$ is the set of possible probability allocations over the set of paths between a and t
Service Provider
– Choose the sampling rates for the network links that will give the greatest probability of detecting an attack
  – $U = \{ p : \sum_{e \in E} p_e f_e \le B \}$ is the set of possible detection probability vectors that are within the sampling budget B

9 - CS7701 – Fall 2004 Strategies for the Game

10 - CS7701 – Fall 2004 Strategies for the Game

11 - CS7701 – Fall 2004
Payoff / Strategy
The number of times the malicious packet is detected as it goes from a to t over path P:
– $\sum_{P \in \mathcal{P}_a^t} q(P) \sum_{e \in P} p_e$
– Service provider wants to maximize this number: $\max_{p \in U} \sum_{P \in \mathcal{P}_a^t} q(P) \sum_{e \in P} p_e$
– But the intruder knows this, and thus wants to minimize the service provider's maximum: $\min_{q \in V} \max_{p \in U} \sum_{P \in \mathcal{P}_a^t} q(P) \sum_{e \in P} p_e$
The flipside:
– Intruder wants to minimize $\sum_{P \in \mathcal{P}_a^t} q(P) \sum_{e \in P} p_e$: $\min_{q \in V} \sum_{P \in \mathcal{P}_a^t} q(P) \sum_{e \in P} p_e$
– But the service provider knows this, and thus wants to maximize the intruder's minimum: $\max_{p \in U} \min_{q \in V} \sum_{P \in \mathcal{P}_a^t} q(P) \sum_{e \in P} p_e$

12 - CS7701 – Fall 2004
Solution of the Game
The value of the game is: $B \cdot M_{at}(f)^{-1}$
The intruder …
– needs to decompose the max flow into flows on paths $P_1, P_2, \ldots, P_l$ from a to t with flows of $m_1, m_2, \ldots, m_l$
– Introduces the malicious packet along the path $P_i$ with probability $m_i \cdot M_{at}(f)^{-1}$
The Service Provider …
– needs to compute the maximum flow from a to t using $f_e$ as the capacity of link $e$
  – $e_1, e_2, \ldots, e_r$ represent the links of the corresponding minimum cut with flows $f_1, f_2, \ldots, f_r$
– samples link $e_i$ at rate $B f_i M_{at}(f)^{-1}$

13 - CS7701 – Fall 2004
Example
Max Flow = $M_{at}(f)$ = 11.5
Sampling Budget B = 5
a = 1, t = 5
Intruder:
– Introduce packets on $P_i$ with probability $m_i \cdot M_{at}(f)^{-1}$
  – Prob of P = 7.0/11.5
  – Prob of P = 0.5/11.5
  – Prob of P = 4.0/11.5
Service Provider
– Sample link $e_i$ at a rate of $B f_i M_{at}(f)^{-1}$ where $e_i$ is a link in the minimum cut
  – Rate of $e_{1-2}$ = (5*7.5)/11.5
  – Rate of $e_{4-5}$ = (5*4.0)/11.5
Value of the game = 5 / 11.5

14 - CS7701 – Fall 2004
Observations
– Since the service provider samples packets on the minimum cut, this implies that for any path the intruder would choose, the malicious packet will be sampled at most once
– If $B \ge M_{at}(f)$ then the malicious packet will always be detected
– If $B < M_{at}(f)$ then there is some probability that the malicious packet will not be detected
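The solution on slides 12 to 14, worked through as an added example (this code is not from the paper or the slides): it computes the a–t max flow with the link traffic $f_e$ as capacities, reads the provider's sampling rates off the minimum cut, and decomposes the flow into the intruder's path probabilities. The link flows are constructed so that the max flow (11.5) and the cut links 1-2 and 4-5 match the slide's totals; they are not the slide's figure, and the function names are hypothetical.

```python
from collections import deque

EPS = 1e-9

def bfs(w, adj, src):
    """Parent map of the nodes reachable from src over edges with w > EPS."""
    parent, queue = {src: None}, deque([src])
    while queue:
        u = queue.popleft()
        for v in adj.get(u, []):
            if v not in parent and w[(u, v)] > EPS:
                parent[v] = u
                queue.append(v)
    return parent

def walk(parent, t):
    """Edge list of the path ending at t, read back from a BFS parent map."""
    path, v = [], t
    while parent[v] is not None:
        path.append((parent[v], v))
        v = parent[v]
    return path[::-1]

def solve_game(f, a, t, B):
    """f maps directed link (u, v) to its traffic f_e; no antiparallel links assumed."""
    res = dict(f)
    for (u, v) in f:
        res.setdefault((v, u), 0.0)          # residual back-edges
    adj = {}
    for (u, v) in res:
        adj.setdefault(u, []).append(v)
    M = 0.0
    while t in (reach := bfs(res, adj, a)):  # Edmonds-Karp augmentation
        path = walk(reach, t)
        push = min(res[e] for e in path)
        for (u, v) in path:
            res[(u, v)] -= push
            res[(v, u)] += push
        M += push
    if M <= EPS:
        raise ValueError("t is not reachable from a")
    # Service provider: sample only min-cut links at s_e = B*f_e/M (capped at f_e).
    cut = [(u, v) for (u, v) in f if u in reach and v not in reach]
    sampling = {e: min(f[e], B * f[e] / M) for e in cut}
    # Intruder: split the max flow into paths P_i with flow m_i, q(P_i) = m_i / M.
    flow = {e: (f[e] - res[e] if e in f else 0.0) for e in res}
    q = {}
    while t in (par := bfs(flow, adj, a)):
        path = walk(par, t)
        m = min(flow[e] for e in path)
        for e in path:
            flow[e] -= m
        q[tuple([a] + [v for _, v in path])] = m / M
    return {"M": M, "cut": cut, "sampling": sampling, "q": q, "value": min(1.0, B / M)}

# Constructed link flows (not the slide's figure): a = 1, t = 5, B = 5.
LINK_FLOWS = {(1, 2): 7.5, (1, 3): 6.0, (2, 5): 8.0,
              (2, 4): 1.0, (3, 4): 5.0, (4, 5): 4.0}
print(solve_game(LINK_FLOWS, 1, 5, 5.0))
```

The sampling rates on the two cut links sum to the whole budget B, and raising B to at least the max flow drives the value of the game to 1, which is the second observation on slide 14.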

15 - CS7701 – Fall 2004
Routing to Improve the Value of the Game
The previous solution $B \cdot M_{at}(f)^{-1}$ assumes a fixed link flow
Flows on the links are a result of routing demands between node pairs in the network
Service Provider can adjust the flows on network links:
– Increase prob of detecting malicious packet
– Increase the value of the game
Want to maximize value of the game
– Minimize $M_{at}(f)$

16 - CS7701 – Fall 2004
Objective of Service Provider
Route the source-destination demands to minimize $M_{at}(f)$
– Solve the following: $\min_{x \in X} M_{at}(f)$, where $f = \sum_k \sum_{P \in \mathcal{P} :\, e \in P} x(P)$
– $X$
  » Denotes allocation of flow on paths
  » Meets the demand for each commodity
  » Satisfies capacity constraints on network links
$\min_{x \in X} M_{at}\left( \sum_k \sum_{P \in \mathcal{P} :\, e \in P} x(P) \right)$
– Need a way to solve the above equation
Try two different heuristic methods
– Flow Flushing Algorithm
– Cut Saturation Algorithm

17 - CS7701 – Fall 2004
Flow Flushing Algorithm
The flow on the links is a result of routing the different source-destination demands in the network
– $M_{at}(f) + M_{at}(c - f) \le M_{at}(c)$
Solve this as a multi-commodity flow problem with K+1 commodities
– K original demands
– +1 new demand between a and t for the attack

18 - CS7701 – Fall 2004
Flow Flushing Algorithm (cont…)
Value of the game = 5 / 9.95

19 - CS7701 – Fall 2004
Cut Saturation Algorithm
Picks some a – t cut and tries to direct flow away from the cut.
– Making the cut small limits the max a – t flow
Introduce two new nodes s’ and t’
Determine the highest flow that can be sent from s’ to t’ while keeping the source-destination demands routable
Solve similarly to the Flow Flushing Algorithm
– K+1 flows go between s’ and t’ instead of between a and t

20 - CS7701 – Fall 2004
Cut Saturation Algorithm (cont …)
Value of the game = 5 / 8.0

21 - CS7701 – Fall 2004
Variants and Extensions
First two variants:
– The intruder can introduce the malicious packet from any one of a set of attack nodes $A$ where $A \subseteq N$
  – Assume $t \notin A$
– The objective of the intruder is to reach any one of a set of target nodes $T \subseteq N$
  – Assume $A \cap T = \{\}$
– Solution for the above two variants:
  – Introduce a super source node that is connected to all nodes in $A$
  – Introduce a super sink node that is connected to all nodes in $T$
  – Play game between super source and super sink node
Third variant:
– The intruder can introduce the packet at any one of a set of attack nodes $A$ but no longer has control over the routing in the network
  – Routing in the network is shortest-path routing

22 - CS7701 – Fall 2004
Shortest Path Routing Game
Assume that each link has a length
Packets are routed from the source to the destination along the shortest paths according to the length metric
– Ties are broken arbitrarily
– Given any two nodes in the network, there is a unique path from one to the other
Objectives
– The intruder must determine which node of the attack set $A$ to introduce the packet into
– The service provider must determine the sampling rate at the links subject to a sampling budget of B
Solve like a shortest path problem where we find the shortest path from all nodes in $A$ to the destination $d$
– $L(d)$ represents the maximum flow that can be sent from all the nodes in $A$ to the destination node $d$
– The value of the game is $B / L(d)$

23 - CS7701 – Fall 2004
Experimental Results
The experimental network
– Each unidirectional link represents two directed links each having a capacity of 10 units

24 - CS7701 – Fall 2004
Experimental Results (cont …)
The following experiments were performed:
– Single attack node and single target node
– Multiple attack nodes and single target node
– Multiple attack nodes and multiple target nodes
For each of the above, three algorithms were run:
– Routing to minimize the highest utilized link
  – $f_1$ represents the m-vector of link flows as a result of this alg.
– Routing with flow flushing algorithm
  – $f_2$ represents the m-vector of link flows as a result of this alg.
– Routing with cut saturation algorithm
  – $f_3$ represents the m-vector of link flows as a result of this alg.

25 - CS7701 – Fall 2004
Experimental Results (cont …)
$M(f_i)$ represents the maximum flow that can be sent from node a to t using $f_i$ as the link capacities
Value of the game is: B / M( )
– The smaller the value of M, the better the chances of detection for a given sampling budget

26 - CS7701 – Fall 2004
Experimental Results (cont …)
Changing the routing significantly changes the maximum flow and hence the value of the game
The flow flushing algorithm and the cut saturation algorithm both perform similarly well.
– Both out-perform the simple minmax solution

27 - CS7701 – Fall 2004
Effect of Capacity on the Value of the Game
As the amount of spare capacity in a network increases, the opportunity to reroute flows increases
– Service Provider can improve probability of detection by exploiting the spare capacity to reroute flows
A second experiment was conducted to illustrate this
– Link capacity is fixed at some constant C
– If C increases, the opportunity to reroute flows also increases

28 - CS7701 – Fall 2004
Effect of Capacity on the Value of the Game
As the maximum utilization becomes lower, the amount of spare capacity to reroute flows increases
– This implies that both the Flow Flushing Algorithm and the Saturation Cut Algorithm will have more alternate paths

29 - CS7701 – Fall 2004
Effect of Capacity on the Value of the Game
As the value of C increases, the maximum flow decreases
– Thus the value of the game increases

30 - CS7701 – Fall 2004
Conclusions
Packet sampling and examination can be expensive in real-time
– Network operator must devise a sampling scheme that will have the greatest probability of detecting intruding packets
Several scenarios were considered
– Intruder has complete knowledge of the network topology
– Intruder can pick paths in the network
– Intruder can pick an entry point into the network if shortest path algorithm is being used
Proposed two algorithms
– Flow Flushing Algorithm
– Cut Saturation Algorithm
Evaluated the performance of the minmax, flow flushing algorithm, and cut saturation algorithm

31 - CS7701 – Fall 2004