Countering Dos Attacks with Stateless Multipath Overlays

Network Intrusions via Sampling: A Game Theoretic Approach
Written by:
Murali Kodialam (Bell Labs)
T.V. Lakshman (Bell Labs)
Presented by Zhiqi Zhang
1
2009-03-25
Structure of this Presentation
Introduction
Problem Definition
Solution of the Game
Routing to Improve the Value of the Game
Experimental Results
Conclusions
Intrusion in a network: typically, in an intrusion problem, the
intruder attempts to gain access to a particular file server or
website in the network.
Examples: denial of service attacks, viruses introduced into the
network, ...
Two key areas in security:
• Intrusion detection
– In this paper, the problem is that the intruder attempts to
send a malicious packet to a given node in the network. The
service provider attempts to detect this intrusion. The
detection mechanism is packet sampling and examination
in the network.
• Intrusion prevention
• Packet sampling: some portion of the packets traversing
designated links (or router interfaces) are sampled and
examined in detail to determine whether the packet is an
intruder packet.
• Different networking purposes of packet sampling:
– To estimate the number of active TCP flows in order to
stabilize network buffer occupancy for TCP traffic.
– To allocate link bandwidth fairly.
– To infer network traffic and routing characteristics.
• All these applications require only sampling based on packet
header comparisons.
Requirements of sampling for intrusion detection:
• A more thorough examination of the sampled packets than in all the
applications above.
• Near line-speed packet sampling and examination, because
copying sampled packets or packet headers for off-line
analysis is not sufficient to prevent intruding packets from
getting through.
Hence, it is imperative to keep the sampling costs in mind.
This is also the motivation of this research.
• Game theory has been used extensively to model
different networking problems:
Shenker, S., “Making Greed Work in Networks: A Game-Theoretic
Analysis of Switch Service Disciplines”, IEEE/ACM Transactions on
Networking, 1995.
Akella, A., Karp, R., Papadimitriou, C., Seshan, S., Shenker, S.,
“Selfish Behavior and the Stability of the Internet: A Game Theoretic
Analysis of TCP”, Proceedings of SIGCOMM 2002, 2002.
Korilis, Y., Lazar, A., Orda, A., “Architecting Noncooperative
Networks”, IEEE Journal on Selected Areas in Communications, pp.
1241-1251, September 1995.
• This is the first time that intrusion detection via sampling
in communication networks has been modeled using a game-theoretic
framework.
This work is closely related to drug interdiction models.
Washburn, A., and Wood, K., “Two-Person Zero-Sum Games for
Network Interdiction”, Operations Research, 43, pp. 243-251, 1995.
Two differences between this work and the drug
interdiction models:
• Detection is by means of sampling, so the results are much more
natural.
• The game-theoretic problem naturally leads to a routing problem (to
maximize the service provider’s chances of detecting intruding
packets).
• Game theory: attempts to mathematically capture behavior
in strategic situations, in which an individual's success in
making choices depends on the choices of others.
• Types of games:
– Cooperative or non-cooperative games
– Zero-sum and non-zero-sum games
– Symmetric and asymmetric games
– ...
PROBLEM DEFINITION
Network Set-Up
We consider a network G = (N, E)
N: set of nodes (s, u, v, m, t)
E: set of unidirectional links in the network (e1, e2, e3, ...)
c_e: capacity of link e ∈ E
f_e: the amount of traffic flowing on link e
P_st: the set of paths from s to t in G
[Figure: example network with nodes s, u, v, m, t and links e1 to e7]
PROBLEM DEFINITION
Two players: the Service Provider and the Intruder
• Intruder’s objective:
Inject a malicious packet from attack node a in
order to attack target node t.
• Service provider’s objective:
Detect and prevent the intrusion.
• To do so, we assume that the service provider can sample
packets along the links of the network looking for malicious
packets.
PROBLEM DEFINITION
• We assume that:
– The intruder wins when the malicious packet reaches
the desired target node t without detection.
– The service provider wins if it samples the malicious
packet during the course of sampling.
PROBLEM DEFINITION
• The objective and the constraints of the game
– The service provider is given a sampling bound of B
packets per second.
If the service provider could sample EVERY packet, it could
always win.
– The sampling of B packets per second can be
arbitrarily distributed over all links in the network.
The probability of detecting a malicious packet on a given link is
p_e = s_e / f_e, where s_e is the sampling rate on link e and f_e is the
amount of traffic flowing on link e.
PROBLEM DEFINITION
• Strategies for the two players:
• Intruder:
– Pick a path (or a distribution over paths) to send the malicious
packet from a to t:
a probability distribution q over the paths P_at such that
• Service provider:
– Choose the sampling rates for the network links that will give
the greatest probability of detecting an attack.
U = { p : Σ_{e ∈ E} p_e f_e ≤ B } is the set of possible detection
probability vectors that are within the sampling budget B.
PROBLEM DEFINITION
• Payoff matrix
• The payoff is the expected number of times the malicious
packet is detected as it goes from a to t.
– For a given path P ∈ P_at, the payoff is
– The probability that this path P is picked by the
intruder is q(P).
– The payoff is
• Interchanging the order of summation, we get
This can be equivalently written in matrix form as
q^T M p
PROBLEM DEFINITION
• Objective of the intruder:
The service provider wants to maximize this number (the expected
number of detections).
But the intruder knows this, and tries to pick a distribution q(·)
that minimizes this maximum value.
Intruder’s objective: choose q to minimize the service provider’s
maximum payoff.
PROBLEM DEFINITION
• Objective of the service provider:
The intruder wants to minimize this number.
But the service provider knows this, and tries to maximize the
intruder’s minimum.
Service provider’s objective: choose p ∈ U to maximize the
intruder’s minimum payoff.
SOLUTION OF THE GAME
• This is a classical two-person zero-sum game.
There exists an optimal solution to the intrusion
detection game.
The value of the game is λ = B · Mat(f)^-1 = B / Mat(f)
Mat(f): the max flow that can be sent from node a to t with f
as the link capacities
B: the sampling bound
SOLUTION OF THE GAME
The intruder’s strategy:
– decompose the max flow into flows on paths P1, P2, ..., Pl
from a to t with flow amounts m1, m2, ..., ml
– introduce the malicious packet along the path Pi with
probability mi / Mat(f)
The service provider’s strategy:
– compute the maximum flow from a to t using f_e as the
capacity of link e
– let e1, e2, ..., er be the links of the corresponding
minimum cut, with flows f1, f2, ..., fr
– sample link ei at rate B · fi / Mat(f)
SOLUTION OF THE GAME (example)
Max flow = Mat(f) = 11.5
Sampling budget B = 5
The intruder’s strategy:
– Introduce the malicious packet along the path 1-2-5 with
probability 7.0 / 11.5
– Introduce the malicious packet along the path 1-2-6-5 with
probability 0.5 / 11.5
– Introduce the malicious packet along the path 1-3-4-5 with
probability 4.0 / 11.5
The service provider’s strategy:
– Sample link 1-2 at rate 5 / 11.5, giving a total sampling rate of
(5 x 7.5) / 11.5 on that link
– Sample link 4-5 at rate 5 / 11.5, giving a total sampling rate of
(5 x 4.0) / 11.5 on that link
Game value: λ = 5 / 11.5
Observation
• Since the service provider samples packets on
the minimum cut, for any path
the intruder would choose, the malicious
packet will be sampled at most once.
• If B >= Mat(f): the malicious packet will always
be detected.
• If B < Mat(f): there is some probability
that the malicious packet will not be detected.
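As an added illustration (not code from the slides or the paper), the two optimal strategies of slide 21 are computed here for a constructed link-flow graph whose a-t min cut {1-2, 4-5} carries Mat(f) = 11.5 like the example above; it also checks the observation that every intruder path is sampled with expected count λ. It assumes the link flows f are given, acyclic, and used directly as the capacities.

```python
from collections import deque

def max_flow_min_cut(cap, src, dst):
    """Edmonds-Karp on {(u, v): capacity}. Returns (Mat value, flow dict, min-cut links)."""
    flow, value, adj = {e: 0.0 for e in cap}, 0.0, {}
    for u, v in cap:
        adj.setdefault(u, []).append(v); adj.setdefault(v, []).append(u)
    def residual(u, v):  # unused forward capacity plus cancellable reverse flow
        return cap.get((u, v), 0.0) - flow.get((u, v), 0.0) + flow.get((v, u), 0.0)
    while True:
        parent, queue = {src: None}, deque([src])
        while queue and dst not in parent:
            u = queue.popleft()
            for v in adj[u]:
                if v not in parent and residual(u, v) > 1e-9:
                    parent[v] = u; queue.append(v)
        if dst not in parent:  # keys of parent = nodes reachable from src: the a-t min cut
            return value, flow, [e for e in cap if e[0] in parent and e[1] not in parent]
        path, v = [], dst
        while parent[v] is not None:
            path.append((parent[v], v)); v = parent[v]
        aug = min(residual(u, v) for u, v in path)
        for u, v in path:
            back = min(aug, flow.get((v, u), 0.0))  # cancel reverse flow before adding forward
            if back: flow[(v, u)] -= back
            if aug > back: flow[(u, v)] += aug - back
        value += aug
def decompose(flow, src, dst):
    """Split an acyclic flow into (node path, amount) pairs: the paths P_i carrying m_i."""
    f, paths = {e: x for e, x in flow.items() if x > 1e-9}, []
    while any(a == src and f[(a, b)] > 1e-9 for a, b in f):
        path, u = [], src
        while u != dst:  # flow conservation: every positive-flow link leads on towards dst
            u_next = next(b for a, b in f if a == u and f[(a, b)] > 1e-9)
            path.append((u, u_next)); u = u_next
        amount = min(f[e] for e in path)
        for e in path: f[e] -= amount
        paths.append(([src] + [b for _, b in path], amount))
    return paths
def solve_game(link_flow, a, t, B):
    """Optimal strategies from slide 21, using the link flows f as the capacities."""
    mat, flow, cut = max_flow_min_cut(link_flow, a, t)
    intruder = [(p, m / mat) for p, m in decompose(flow, a, t)]  # path prob = m_i / Mat(f)
    provider = {e: B * link_flow[e] / mat for e in cut}           # s_e = B * f_e / Mat(f)
    return B / mat, mat, intruder, provider
def expected_detections(path, provider, link_flow):  # payoff of one path: sum of p_e = s_e / f_e
    return sum(provider.get(e, 0.0) / link_flow[e] for e in zip(path, path[1:]))

# Constructed link flows (not the slide's figure): a-t min cut {1-2, 4-5}, Mat(f) = 11.5 as on slide 22.
LINK_FLOW = {(1, 2): 7.5, (2, 5): 8.0, (2, 6): 1.0, (6, 5): 2.0, (1, 3): 6.0, (3, 4): 5.0, (4, 5): 4.0}
```

Calling solve_game(LINK_FLOW, 1, 5, B=5) returns λ = 5/11.5, the path decomposition with its probabilities, and sampling rates on links 1-2 and 4-5 that sum to the budget B.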
ROUTING TO IMPROVE THE VALUE OF THE GAME
The previous solution λ = B / Mat(f) assumes a fixed link flow f.
In reality the service provider can adjust the flows in the
network to maximize the value of the game.
Objective of the service provider:
Route the source-destination demands to minimize Mat(f).
Two different ways to achieve this objective:
• Flow Flushing Algorithm
• Cut Saturation Algorithm
Flow Flushing Algorithm
The flow on the links is a result of routing the different
source-destination demands in the network.
Mat(f) + Mat(c − f) ≤ Mat(c)
– c: link capacity, f: flow on the link
So Mat(f) is pushed down by sending as much a-t flow as possible over
the spare capacity c − f.
The solution requires a multi-commodity (source-destination) flow problem with K+1 commodities:
• the K original commodities
• an additional commodity between a and t
Flow Flushing Algorithm
The link flows for FFA are shown for the first network
example.
[Figure: link flows before and after flow flushing]
Original routing: Mat(f) = 11.5, λ = 5 / 11.5
Flow flushing: Mat(f) = 9.95, λ = 5 / 9.95
Cut Saturation Algorithm
This algorithm relies on the fact that the maximum flow
between a and t is upper bounded by the size of any a − t cut.
It picks some a − t cut and tries to direct flow away from this
cut. Once the source-destination demands are routed, this cut
will be small and hence will limit the maximum a − t flow.
How to implement it?
Let α(e) and β(e) represent the start and end nodes of each
link e in the chosen cut.
– Introduce two new nodes s’ and t’.
– Introduce an arc between node s’ and all nodes α(e).
– Introduce an arc between node t’ and all nodes β(e).
Cut Saturation Algorithm
The link flows for CSA are shown for the first network
example.
[Figure: link flows under the three routings]
Original routing: Mat(f) = 11.5, λ = 5 / 11.5
Flow flushing: Mat(f) = 9.95, λ = 5 / 9.95
Cut saturation: Mat(f) = 7.0, λ = 5 / 7.0
Shortest Path Routing Game
Assumptions:
• each link has a length
• packets are routed from the source to the destination along
shortest paths according to this length metric
• ties are broken arbitrarily
Objectives:
• The intruder must determine which node of the attack set A to
introduce the packet into
• The service provider must determine the sampling rate at the
links subject to a sampling budget of B
Solution:
The value of the game is λ = B / L(d), where
L(d) represents the maximum flow that can be sent from all the
nodes in A to the destination node d.
EXPERIMENTAL RESULTS
The authors performed the following experiments:
• Single attack node and single target node (3 problems).
• Multiple attack nodes and a single target node (1 problem).
• Multiple attack nodes and multiple target nodes (1 problem).
For each of the cases, three different routing algorithms were run:
1) Routing to minimize the highest utilized link, with f1 representing
the m-vector of link flows resulting from this routing algorithm.
2) Routing with the flow flushing algorithm, with f2 representing
the m-vector of link flows resulting from this routing algorithm.
3) Routing with the cut saturation algorithm, with f3 representing
the m-vector of link flows resulting from this routing algorithm.
EXPERIMENTAL RESULTS
Let M(fi) for i = 1, 2, 3 represent the
maximum flow that can be sent from
node a to t using fi as the link
capacities.
λ = B / M(fi): the smaller the value of M, the
better the chances of detection for a given
sampling budget.
EXPERIMENTAL RESULTS
From the table, note that the maximum flow value, and hence
the value of the game, can be changed significantly by changing
the routing in the network.
In most of the examples the performance of the flow flushing
algorithm and the cut saturation algorithm is quite similar, and
better than the simple minimization of maximum link utilization.
Effect of Capacity on the Value of the Game
As the amount of spare capacity in a network
increases, the opportunity to reroute flows
increases.
The service provider can improve the probability of detection
by exploiting the spare capacity to reroute flows.
A second experiment was conducted:
The capacities of the links in this example network are fixed
at some constant value C.
If C increases, the opportunity to reroute flows also
increases.
Effect of Capacity on the Value of the Game
As the maximum utilization becomes lower, the amount of spare capacity to
reroute flows increases.
This implies that both the Flow Flushing Algorithm and the Cut Saturation
Algorithm will have more alternate paths.
Effect of Capacity on the Value of the Game
As the value of C increases, the maximum flow decreases, and thus
the value of the game increases.
CONCLUDING REMARKS
Because
• packet sampling and examination in real time can be expensive,
• the network operator must devise an effective sampling scheme to
detect intruding packets injected into the network by an adversary.
Considered the following scenarios:
• The intruder has complete knowledge of the network topology
• The intruder can pick paths in the network
• The intruder can pick an entry point into the network if shortest path
routing is being used
Proposed:
• The detection-via-sampling problem was formulated in a game-theoretic framework
• Two algorithms:
– Flow Flushing Algorithm
– Cut Saturation Algorithm
Evaluated:
• the performance of the minmax, flow flushing, and cut
saturation algorithms