Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 - CS7701 – Fall 2004 Review of: Detecting Network Intrusions via Sampling: A Game Theoretic Approach Paper by: – Murali Kodialam (Bell Labs) – T.V. Lakshman.

Similar presentations


Presentation on theme: "1 - CS7701 – Fall 2004 Review of: Detecting Network Intrusions via Sampling: A Game Theoretic Approach Paper by: – Murali Kodialam (Bell Labs) – T.V. Lakshman."— Presentation transcript:

1 1 - CS7701 – Fall 2004 Review of: Detecting Network Intrusions via Sampling: A Game Theoretic Approach Paper by: – Murali Kodialam (Bell Labs) – T.V. Lakshman (Bell Labs) Published in: – IEEE Infocom 2003 Reviewed by: – James Moscola Discussion Leader: – Todd Sproull CS7701: Research Seminar on Networking http://arl.wustl.edu/~jst/cse/770/

2 2 - CS7701 – Fall 2004 Outline Introduction Problem Definition Solution of the Game Routing to Improve the Value of the Game Variants and Extensions Experimental Results Conclusions

3 3 - CS7701 – Fall 2004 Introduction Two key areas of network security are: –Intrusion Detection –Intrusion Prevention Intrusions can be: –Denial of Service Attacks –Viruses In a typical intrusion problem the intruder tries to access a particular file server or website –Authors examine problem where an intruder attempts to send a malicious packet to a given network node Network attempts to detect the intrusion through sampling

4 4 - CS7701 – Fall 2004 Background Previous work that used network sampling: –[6] – “SRED: Stabilized RED” –[7] – “CHOKE, A Stateless Active Queue Management Scheme for Approximating Fair Bandwidth Allocation” –[3] – “A Framework for Passive Packet Measurement” Above all require ONLY header sampling What’s different with this work: –Detecting intrusion will most likely require looking at more than the header –Must sample in real time if we want to detect and prevent an intrusion. Must keep sampling cost in mind during analysis

5 5 - CS7701 – Fall 2004 Problem Definition: Network Set-Up –G = (N, E) –N is the set of nodes –E is the set of unidirectional links –n is the number of nodes –m is the number of links –capacity of link e  E is denoted c e –Traffic on link e is denoted by f e –P u v is the set of paths from u to v in G –M uv (w) is max flow that can be sent from node u to v with w as the link capacities –C u v is the set of links in the minimum cut

6 6 - CS7701 – Fall 2004 Problem Definition (continued): Network Intrusion Game –Two players Intruder –Inject an attack packet from attack node a trying to reach target node t –Successful if attack packet reaches t undetected Service Provider –Detect malicious packets »Sample packets along the links of the network looking for malicious packets –Intrusion is detected if service provider samples the attack packet

7 7 - CS7701 – Fall 2004 Problem Definition (continued): Constraints of the Game –Service provider is given a sampling bound of B packets per second to make the game more interesting and realistic If service provider could sample EVERY packet he could always win In the real world there wouldn’t be enough resources to sample all packets anyway –Sampling of B packets per second can be arbitrarily distributed over all links on the network Probability of detecting a malicious packet on a given link is: p e = s e / f e where s e is the sampling rate on link e  e  E s e  B –More assumptions to make the game more interesting Service Provider AND Intruder have complete knowledge of network topology Intruder is capable of picking paths in the network for his attack to make detecting the attack more difficult for the Service Provider

8 8 - CS7701 – Fall 2004 Strategies for the Game Intruder –Select an attack path from the set of all available paths between a and t ( P a t ) with probability q(P) Probability distribution over paths P a t such that  P  P q(P) = 1 V = { q :  P  P q(P) = 1 } is the set of possible probability allocations over the set of paths between a and t Service Provider –Choose the sampling rates for the network links that will give the greatest probability of detecting an attack U = { p :  e  E p e f e  B } is the set of possible detection probability vectors that are within the sampling budget B

9 9 - CS7701 – Fall 2004 Strategies for the Game

10 10 - CS7701 – Fall 2004 Strategies for the Game

11 11 - CS7701 – Fall 2004 Payoff / Strategy The number of times the malicious packet is detected as it goes from a to t over path P: –  P  P q(P) *  e  P p e –Service provider wants to maximize this number: max p  U  P  P q(P) *  e  P p e –But the intruder knows this, and thus wants to minimize the service providers maximum: min q  V max p  U  P  P q(P) *  e  P p e The flipside: –Intruder wants to minimize  P  P q(P) *  e  P p e min q  V  P  P q(P) *  e  P p e –But the service provider knows this, and thus wants to maximize the intruders minimum: max p  U min q  V  P  P q(P) *  e  P p e

12 12 - CS7701 – Fall 2004 Solution of the Game The value of the game is:  = BM at (f) -1 The intruder … –needs to decompose the max flow into flows on paths P 1, P 1, …, P l from a to t with flows of m 1, m 2, …, m l –Introduces the malicious packet along the path P i with probability m i * M at (f) -1 The Service Provider … –needs to compute the maximum flow from a to t using f e as the capacity of link e e 1, e 2, …, e r represent the links of the corresponding minimum cut with flows f 1, f 2, …, f r –samples link e i at rate Bf i M at (f) -1

13 13 - CS7701 – Fall 2004 Example Max Flow = M at (f) = 11.5 Sampling Budget B=5 a = 1 t = 5 Intruder: –Introduce packets on P i with probability m i * M at (f) -1 Prob of P 1-2-5 = 7.0/11.5 Prob of P 1-2-6-5 = 0.5/11.5 Prob of P 1-3-4-5 = 4.0/11.5 Service Provider –Sample link e i at a rate of Bf i M at (f) -1 where e i is a link in the minimum cut Rate of e 1-2 = (5*7.5)/11.5 Rate of e 4-5 = (5*4.0)/11.5  = 5 / 11.5

14 14 - CS7701 – Fall 2004 Observations Since the service provider samples packets on the minimum cut, this implies that for any path the intruder would choose, the malicious packet will be sampled at most once If B  M at (f) then the malicious packet will always be detected If B < M at (f) then there is some probability that the malicious packet will not be detected

15 15 - CS7701 – Fall 2004 Routing to Improve the Value of the Game The previous solution BM at (f) -1 assumes a fixed link flow Flows on the links are a result of routing demands between nodes pairs in the network Service Provider can adjust the flows on network links: –Increase prob of detecting malicious packet –Increase the value of the game Want to maximize value of the game Minimize M at (f)

16 16 - CS7701 – Fall 2004 Objective of Service Provider Route the source-destination demands to minimize M at (f) –Solve the following: min x  X M at (f), where f =  k  P  P: e  P x(P) –X »Denotes allocation of flow on paths »Meets the demand for each commodity »Satisfies capacity constraints on network links min x  X M at (  k  P  P: e  P x(P)) –Need a way to solve the above equation Try two different heuristic methods –Flow Flushing Algorithm –Cut Saturation Algorithm

17 17 - CS7701 – Fall 2004 Flow Flushing Algorithm The flow on the links is a result of routing the different source-destination demands in the network –M at (f) + M at (c-f)  M at (c) Solve this as a multi-commodity flow problem with K+1 commodities –K original demands –+1 new demand between a and t for the attack

18 18 - CS7701 – Fall 2004 Flow Flushing Algorithm (cont…)  = 5 / 9.95

19 19 - CS7701 – Fall 2004 Cut Saturation Algorithm Picks some a – t cut and tries to direct flow away from the cut. –Making the cut small limits the max a – t flow Introduce two new nodes s’ and t’ Determine the highest flow that can be sent from s’ to t’ while keeping the source-destination demands routable Solve similarly to the Flow Flushing Algorithm –K+1 flows go between s’ and t’ instead of between a and t

20 20 - CS7701 – Fall 2004 Cut Saturation Algorithm (cont …)  = 5 / 8.0

21 21 - CS7701 – Fall 2004 Variants and Extensions First two variants: –The intruder can introduce the malicious packet from any one of a set of attack nodes where A  N Assume t  A –The objective of the intruder is to reach any one of a set of target nodes T  N Assume A  T = { } –Solution for the above two variants: Introduce a super source node that is connected to all nodes in A Introduce a super sink node that is connected to all nodes in T Play game between super source and super sink node Third variant: –The intruder can introduce the packet at any one of a set of attack nodes A but no longer has control over the routing in the network Routing in the network is shortest-path routing

22 22 - CS7701 – Fall 2004 Shortest Path Routing Game Assume that each link has a length Packets are routed from the source to the destination along the shortest paths according to the length metric –Ties are broken arbitrarily –Given any two nodes in the network, there is a unique path from one to the other Objectives –The intruder must determine which node of the attack set A to introduce the packet into –The service provider must determine the sampling rate at the links subject to a sampling budget of B Solve like a shortest path problem where we find the shortest path from all nodes in A to the destination d –L(d) represents the maximum flow that can be sent from all the nodes in A to the destination node d –The value of the game is  = B / L(d)

23 23 - CS7701 – Fall 2004 Experimental Results The experimental network –Each unidirectional link represents two directed links each having a capacity of 10 units

24 24 - CS7701 – Fall 2004 Experimental Results (cont …) The following experiments were performed: –Single attack node and single target node –Multiple attack nodes and single target node –Multiple attack nodes and multiple target nodes For each of the above, three algorithms were run: –Routing to minimize the highest utilized link f 1 represents the m-vector of link flows as a result of this alg. –Routing with flow flushing algorithm f 2 represents the m-vector of link flows as a result of this alg. –Routing with cut saturation algorithm f 3 represents the m-vector of link flows as a result of this alg.

25 25 - CS7701 – Fall 2004 Experimental Results (cont …) M(f i ) represents the maximum flow that can be sent from node a to t using f i as the link capacities Value of the game is:  = B / M( ) –The smaller the value of M, the better the chances of detection for a given sampling budget

26 26 - CS7701 – Fall 2004 Experimental Results (cont …) Changing the routing significantly changes the maximum flow and hence the value of the game The flow flushing algorithm and the cut saturation algorithm both perform similarly well. –Both out-perform the simple minmax solution

27 27 - CS7701 – Fall 2004 Effect of Capacity on the Value of the Game As the amount of spare capacity in a network increases, the opportunity to reroute flows increases –Service Provider can improve probability of detection by exploiting the spare capacity to reroute flows A second experiment was conducted to illustrate this –Link capacity is fixed at some constant C –If C increases, the opportunity to reroute flows also increases

28 28 - CS7701 – Fall 2004 Effect of Capacity on the Value of the Game As the maximum utilization becomes lower, the amount of spare capacity to reroute flows increases –This implies that both the Flow Flushing Algorithm and the Saturation Cut Algorithm will have more alternate paths

29 29 - CS7701 – Fall 2004 Effect of Capacity on the Value of the Game As the value of C increases, the maximum flow decreases –Thus the value of the game increases

30 30 - CS7701 – Fall 2004 Conclusions Packet sampling and examination can be expensive in real- time –Network operator must devise a sampling scheme that will have the greatest probability of detecting intruding packets Several scenarios were considered –Intruder has complete knowledge of the network topology –Intruder can pick paths in the network –Intruder can pick an entry point into the network if shortest path algorithm is being used Proposed two algorithms –Flow Flushing Algorithm –Cut Saturation Algorithm Evaluated the performance of the minmax, flow flushing algorithm, and cut saturation algorithm

31 31 - CS7701 – Fall 2004


Download ppt "1 - CS7701 – Fall 2004 Review of: Detecting Network Intrusions via Sampling: A Game Theoretic Approach Paper by: – Murali Kodialam (Bell Labs) – T.V. Lakshman."

Similar presentations


Ads by Google