Download presentation
Presentation is loading. Please wait.
1
Detecting Network Intrusions via Sampling : A Game Theoretic Approach Presented By: Matt Vidal Murali Kodialam T.V. Lakshman July 22, 2003 Bell Labs, Lucent Technologies muralik lakshman @bell-labs.com @bell-labs.com
2
2 Outline Introduction Problem Definition Solution of the Game Routing to Improve the Value of the Game Variants and Extensions Experimental Results Conclusions Questions
3
3 Introduction Two key areas of interest in network security: –Intrusion Detection –Intrusion Prevention Intrusions can take many forms –Denial of Service (DoS) / Distributed Denial of Service (DDoS) –Network Virus Propagation Usually, an intruder tries to access a specific file server or website in the network In this research, the authors focus on an intruder sending a malicious packet to a node in the network
4
4 Introduction (2) Packet Sampling: –Some packets traversing specific links are sampled and investigated to determine if they are malicious (intruder) Requires fast and thorough processing –Intrusion detection requires a thorough examination of the sampled packets –Packet sampling must be performed in real time in order to prevent intruders from slipping by –Packet examination must be done at line speed to keep from disrupting routing
5
5 Problem Definition The problem of packet intrusion is described in three steps –1) Network Set-Up –2) Network Intrusion Game –3) The Objective and Constraints of the Game
6
6 Problem Definition: Network Set-Up Network G = (N, E) –N: set of nodes in the network –E: set of unidirectional links in the network –n nodes –m links –c e : capacity of link e –f e : traffic flowing on link e –P v u : set of paths from node u to v –M uv (w): Maximum flow between nodes u and v –C v u : Minimum cut (comprised of a set of links in the network)
7
7 Problem Definition: Network Intrusion Game Two Players of the Game –Service Provider –Intruder Intruder’s Objective: –Inject a malicious packet from attack node a in order to attack target node t Service Provider’s Objective: –Detect and prevent the intrusion –To do so, the service provider samples packets in the network –It is assumed that the sampling is performed on the links (not at the nodes)
8
8 Problem Definition: Network Intrusion Game (2) Intruder tries to sneak a malicious packet from a to t
9
9 Problem Description: The Objective and Constraints of the Game B: sampling bound - the service provider can sample no more than B packets per second –If the service provider could sample all packets, it would easily find the intruder –Not enough resources to process all those packets anyway Assumptions: –Both players have knowledge of network topology and link flows –The intruder is capable of picking paths in the network in order to make the detection by the service provider more difficult
10
10 Players’ Strategies For the Intruder: –Pick a path (or a distribution of paths) to get the malicious packet from from a to t For the Service Provider –Determine a set of links on which sampling is necessary –Determine the sampling rate on each link, keeping the total under the sampling bound The service provider picks a set of detection probabilities at the links it chooses to sample on
11
11 Players’ Strategies (2) Intruder’s and service provider’s actions
12
12 Players’ Strategies (3) Service provider’s action, arc sampling
13
13 Players’ Objectives The objective of the intruder is to pick a distribution q() that minimizes the service provider’s knowledge of the intrusion strategy The service provider’s intent is for maximization Classical two person zero-sum game with minmax result
14
14 Players’ Objectives (2) There exists an optimal solution to the game is the value of the game
15
15 Solution of the Game The value of the game is : = BM at (f) -1 –Any maximum flow from a to t can be decomposed to a set of flows from a to t The intruder needs to decompose the maximum flow from a to t using the capacity f e of link e into flows on paths P 1, P 2 … P l with flows m 1, m 2 … m l –Introduces malicious packet on path P i with probability m i *M at (f) -1 The service provider needs to compute the maximum flow from a to t using the capacity f e of link e using arcs e 1, e 2 … e r with minimum cut flows f 1, f 2 … f r –Service provider samples link e i at rate Bf i M at (f) -1
16
16 Solution of the Game: Example B=5, a=1, t=5, Minimum Cut = 11.5 units
17
17 Solution of the Game: Example (2) Intruder’s Strategy –Introduce the malicious packet along the path 1-2-5 with probability 7.0 / 11.5 –Introduce the malicious packet along the path 1-2-6-5 with probability 0.5 / 11.5 –Introduce the malicious packet along the path 1-3-4-5 with probability 4.0 / 11.5 Service Provider’s Strategy –Sample link 1-2 at rate 5 / 11.5 giving a total sampling rate of (5 x 7.5) / 11.5 on that link –Sample link 4-5 at rate 5 / 11.5 giving a total sampling rate of (5 x 4.0) / 11.5 on that link If B M at (f) : malicious packet is always detected If B M at (f) : malicious packet might not be detected
18
18 Routing to Improve the Value of the Game The game solution BM at (f) -1 assumes a fixed link flow f Flows on the links are a result of routing the demands between node pairs in the network In reality, the service provider can adjust the flows to maximize the value of the game For K source-destination demand pairs in the network –s(k) - source node for commodity k –d(k) - destination node for commodity k –b(k) - amount of demand (bandwidth) that has to be routed for this source-destination pair
19
19 Routing to Improve the Value of the Game (2) 1) Original source-destination pairs and demands from game network example (with link capacity of 10 units) 2) Route the demands such that the maximum link utilization in the network is minimized
20
20 Routing to Improve the Value of the Game (3) Service provider routes the flows such that the value of the network intrusion game is maximized –Increases the detection probability of the malicious packet The objective is to route the source-destination demands in order to minimize the the value of M at (f) No explicit solution to the routing problem Developed two heuristics and offer two solutions to the optimization problem
21
21 Flow Flushing Algorithm (FFA) c : link capacity, f : flow on the link The flow on the links is a result of routing the different source-destination demands on the network –M at (f) + M at (c - f) M at (c) Solution requires a multi-commodity (source-destination) flow problem with K+1 commodities, including the additional commodity between a and t The link flows for FFA are shown for the first network example
22
22 Flow Flushing Algorithm (FFA) (2) Maximum flow M at (f) = 9.95 units Game value = 5 / 9.95
23
23 Cut Saturation Algorithm The maximum flow between a and t is (upper) bounded by the size of any a - t cut Cut Saturation Algorithm picks an a - t cut and attempts to direct flow away from this cut Introduce two new nodes, s´ and t´ Determine the highest flow that can be sent from s´ to t´ while maintaining routing for source-destination demands Pick the minimum a - t cut and attempt to saturate that cut Cut Saturation Algorithm can yield a better solution than the Flow Flushing Algorithm
24
24 Cut Saturation Algorithm (CSA) (2) Only cut links are shown in the network
25
25 Cut Saturation Algorithm (CSA) (3) Maximum flow M at (f) = 8.0 units Game value = 5 / 8
26
26 Variants and Extensions 1) The intruder can introduce the malicious packet from one node of a subset of nodes in the network 2) The intruder is attempting to reach one node of a set of target nodes in the network The solution is to introduce –1) a super source node that is connected to the subset of possible source nodes and –2) a super sink node that is connected to the subset of possible target nodes 3) The intruder can introduce a packet at any one of a set of nodes, but has no control of the routing in the network –The shortest path routing game
27
27 Shortest Path Routing Game All packets are routed from source to destination by shortest path routing –For any two nodes in the network, there is a unique path from one node to the other A packet introduced into the network follows the unique path from that source node to the destination node The intruder needs to determine which node of its available subset (A) it can use to introduce a malicious packet The service provider needs to determine the sampling rate at the links that are subject to a sampling budget of B The problem is that the maximum flow (L) (and hence the minimum cut) is no longer easy to compute The value of the game is determined to be B / L(d)
28
28 Experimental Results The two algorithms (Flow Flushing and Cut Saturation) were evaluated on two experimental networks The first network had 15 nodes and 27 link segments The segments each contained two directed links with a capacity of 10 units
29
29 Experimental Results: Network
30
30 Experimental Results: Set-Up Experiment Cases Performed –Single attack node and single target node –Multiple attack nodes and single target node –Multiple attack nodes and multiple target nodes Three Algorithms Per Case –1) Routing to minimize the highest utilized link f 1 represents the m-vector of link flows as a result of routing –2) Routing with Flow Flushing Algorithm f 2 represents the m-vector of link flows as a result of routing –3) Routing with Cut Saturation Algorithm f 3 represents the m-vector of link flows as a result of routing
31
31 Experimental Results: Comparison M() = B / (sampling budget / game value) –The maximum flow that can be sent from node a to t using f i –The smaller the value of M, the better the chances of detection The maximum flow value (and thus the game value) are highly dependent upon the routing in the network
32
32 Effect of Capacity on the Value of the Game When the network has more spare capacity, it is able to further reroute flows –The service provider can use the spare capacity to reroute flows and increase its detection probability Using the second experimental network, with a link capacity of C, it was determined that the source provider can exploit the spare link capacity for rerouting flows –As the link capacity increases, there are more opportunities to reroute flows Network simulations illustrate the relationship between maximum utilization and link capacity and the effect of Flow Flushing on the maximum flow value
33
33 Effect of Capacity on the Value of the Game (2) Maximum utilization decrease -> rerouting capacity increase FFA and CSA will have more alternate paths available
34
34 Effect of Capacity on the Value of the Game (3) Base case: minimize maximum utilization FFA: a - t maximum flow value decreases as link capacity increases
35
35 Conclusions Detect intruding packets in the network by sampling on network links Requires real time, line speed processing, a costly procedure To make it feasible means using an creative, yet effective sampling scheme Introduced Flow Flushing Algorithm and Cut Saturation Algorithm FFA and CSA facilitate better ingress-egress routing which maximizes the chances of detection Performance of FFA and CSA shown to be better than the base case of minimizing maximum utilization
36
36 Questions?
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.