CS7701: Research Seminar on Networking
http://arl.wustl.edu/~jst/cse/770/
Review of:
Detecting Network Intrusions via Sampling:
A Game Theoretic Approach
• Paper by:
– Murali Kodialam (Bell Labs)
– T.V. Lakshman (Bell Labs)
• Published in:
– IEEE Infocom 2003
• Reviewed by:
– James Moscola
• Discussion Leader:
– Todd Sproull
1 - CS7701 – Fall 2004
Outline
• Introduction
• Problem Definition
• Solution of the Game
• Routing to Improve the Value of the Game
• Variants and Extensions
• Experimental Results
• Conclusions
Introduction
• Two key areas of network security are:
– Intrusion Detection
– Intrusion Prevention
• Intrusions can be:
– Denial of Service Attacks
– Viruses
• In a typical intrusion problem the intruder tries to
access a particular file server or website
– Authors examine problem where an intruder attempts to
send a malicious packet to a given network node
• Network attempts to detect the intrusion through sampling
Background
• Previous work that used network sampling:
– [6] – “SRED: Stabilized RED”
– [7] – “CHOKE, A Stateless Active Queue Management
Scheme for Approximating Fair Bandwidth Allocation”
– [3] – “A Framework for Passive Packet Measurement”
• All of the above require ONLY header sampling
• What’s different with this work:
– Detecting intrusion will most likely require looking at
more than the header
– Must sample in real time if we want to detect and
prevent an intrusion.
• Must keep sampling cost in mind during analysis
Problem Definition:
• Network Set-Up
– G = (N, E)
– N is the set of nodes
– E is the set of unidirectional links
– n is the number of nodes
– m is the number of links
– Capacity of link e ∈ E is denoted c_e
– Traffic on link e is denoted by f_e
– P_uv is the set of paths from u to v in G
– M_uv(w) is the max flow that can be sent from node u to v with
w as the link capacities
– C_uv is the set of links in the minimum cut
Problem Definition (continued):
• Network Intrusion Game
– Two players
• Intruder
– Inject an attack packet from attack node a trying to reach
target node t
– Successful if attack packet reaches t undetected
• Service Provider
– Detect malicious packets
» Sample packets along the links of the network looking
for malicious packets
– Intrusion is detected if service provider samples the attack
packet
Problem Definition (continued):
• Constraints of the Game
– Service provider is given a sampling bound of B packets per
second to make the game more interesting and realistic
• If service provider could sample EVERY packet he could always win
• In the real world there wouldn’t be enough resources to sample all
packets anyway
– Sampling of B packets per second can be arbitrarily distributed
over all links on the network
• Probability of detecting a malicious packet on a given link is:
p_e = s_e / f_e where s_e is the sampling rate on link e
• Σ_{e∈E} s_e ≤ B
– More assumptions to make the game more interesting
• Service Provider AND Intruder have complete knowledge of network
topology
• Intruder is capable of picking paths in the network for his attack to
make detecting the attack more difficult for the Service Provider
Strategies for the Game
• Intruder
– Select an attack path from the set of all available paths
between a and t (P_at) with probability q(P)
• Probability distribution over paths P_at such that
Σ_{P∈P_at} q(P) = 1
• V = { q : Σ_{P∈P_at} q(P) = 1 } is the set of possible probability
allocations over the set of paths between a and t
• Service Provider
– Choose the sampling rates for the network links that will
give the greatest probability of detecting an attack
• U = { p : Σ_{e∈E} p_e f_e ≤ B } is the set of possible detection
probability vectors that are within the sampling budget B
Strategies for the Game
• (Two figure slides illustrating the intruder's and service provider's strategies; figures not reproduced)
Payoff / Strategy
• The expected number of times the malicious packet is
detected as it goes from a to t over the intruder's chosen path P:
– Σ_{P∈P_at} q(P) · Σ_{e∈P} p_e
– Service provider wants to maximize this number:
• max_{p∈U} Σ_{P∈P_at} q(P) · Σ_{e∈P} p_e
– But the intruder knows this, and thus wants to minimize
the service provider's maximum:
• min_{q∈V} max_{p∈U} Σ_{P∈P_at} q(P) · Σ_{e∈P} p_e
• The flipside:
– Intruder wants to minimize Σ_{P∈P_at} q(P) · Σ_{e∈P} p_e
• min_{q∈V} Σ_{P∈P_at} q(P) · Σ_{e∈P} p_e
– But the service provider knows this, and thus wants to
maximize the intruder's minimum:
• max_{p∈U} min_{q∈V} Σ_{P∈P_at} q(P) · Σ_{e∈P} p_e
Solution of the Game
• The value of the game is: B · M_at(f)^-1
• The intruder …
– needs to decompose the max flow into flows on paths
P_1, P_2, … , P_l from a to t with flows of m_1, m_2, … , m_l
– Introduces the malicious packet along the path P_i with
probability m_i · M_at(f)^-1
• The Service Provider …
– needs to compute the maximum flow from a to t using f_e
as the capacity of link e
• e_1, e_2, … , e_r represent the links of the corresponding minimum
cut with flows f_1, f_2, … , f_r
– samples link e_i at rate B f_i M_at(f)^-1
Example
• (Network figure not reproduced; the paths and cut links below are read from it)
• Max Flow = M_at(f) = 11.5
• Sampling Budget B = 5
• a = 1
• t = 5
• Intruder:
– Introduce packets on P_i with
probability m_i · M_at(f)^-1
• Prob of P_1-2-5 = 7.0/11.5
• Prob of P_1-2-6-5 = 0.5/11.5
• Prob of P_1-3-4-5 = 4.0/11.5
• Service Provider:
– Sample link e_i at a rate of
B f_i M_at(f)^-1 where e_i is a link in the
minimum cut
• Rate of e_1-2 = (5*7.5)/11.5
• Rate of e_4-5 = (5*4.0)/11.5
• Value of the game = 5 / 11.5
Observations
• Since the service provider samples packets
on the minimum cut, this implies that for
any path the intruder would choose, the
malicious packet will be sampled at most
once
• If B ≥ M_at(f) then the malicious packet will
always be detected
• If B < Mat(f) then there is some probability
that the malicious packet will not be
detected
Routing to Improve the Value of the Game
• The previous solution B · M_at(f)^-1 assumes a
fixed link flow
• Flows on the links are a result of routing
demands between node pairs in the
network
• Service Provider can adjust the flows on
network links:
– Increase prob of detecting malicious packet
– Increase the value of the game
• Want to maximize value of the game
• Equivalently, minimize M_at(f)
Objective of Service Provider
• Route the source-destination demands to
minimize Mat(f)
– Solve the following:
• min_{x∈X} M_at(f) , where f_e = Σ_k Σ_{P∈P_k : e∈P} x(P)
(P_k: paths available to commodity k; x(P): flow placed on path P)
– X
» Denotes allocation of flow on paths
» Meets the demand for each commodity
» Satisfies capacity constraints on network links
• min_{x∈X} M_at( Σ_k Σ_{P∈P_k : e∈P} x(P) )
– Need a way to solve the above equation
• Try two different heuristic methods
– Flow Flushing Algorithm
– Cut Saturation Algorithm
Flow Flushing Algorithm
• The flow on the links is a result of routing
the different source-destination demands
in the network
– M_at(f) + M_at(c − f) ≤ M_at(c)
• Solve this as a multi-commodity flow
problem with K+1 commodities
– K original demands
– +1 new demand between a and t for the attack
Flow Flushing Algorithm (cont…)
• Value of the game = 5 / 9.95 (figure not reproduced)
Cut Saturation Algorithm
• Picks some a – t cut and tries
to direct flow away from the
cut.
– Making the cut small limits the
max a – t flow
• Introduce two new nodes s’
and t’
• Determine the highest flow that
can be sent from s’ to t’ while
keeping the source-destination
demands routable
• Solve similarly to the Flow
Flushing Algorithm
– K+1 flows go between s’ and
t’ instead of between a and t
Cut Saturation Algorithm (cont …)
• Value of the game = 5 / 8.0 (figure not reproduced)
Variants and Extensions
• First two variants:
– The intruder can introduce the malicious packet from any one of a
set of attack nodes A ⊆ N
• Assume t ∉ A
– The objective of the intruder is to reach any one of a set of target
nodes T ⊆ N
• Assume A ∩ T = { }
– Solution for the above two variants:
• Introduce a super source node that is connected to all nodes in A
• Introduce a super sink node that is connected to all nodes in T
• Play game between super source and super sink node
• Third variant:
– The intruder can introduce the packet at any one of a set of attack
nodes A but no longer has control over the routing in the network
• Routing in the network is shortest-path routing
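The solution of the game ("Solution of the Game" and "Example" slides) and the super-source / super-sink construction for the first two variants, worked in code. This is an added example, not code from the slides or from Kodialam and Lakshman. The per-link flows are constructed so that the numbers match the example slide (M_at(f) = 11.5, B = 5, min cut {1-2, 4-5}); the function names, the node labels and the second call with attack set A = {1, 2} are assumptions of this example.

```python
"""Added worked example (not from the slides or the paper): solve the
sampling game by max-flow / min-cut, including the super-source and
super-sink construction for attack sets A and target sets T.

The link flows below are CONSTRUCTED so that M_at(f) = 11.5 with min cut
{1-2, 4-5}, matching the example slide.  Assumes no two links run in
opposite directions between the same pair of nodes."""
from collections import defaultdict, deque

EPS = 1e-9
BUDGET = 5.0                      # sampling budget B (packets/s)
# Constructed link flows f_e on directed links (u, v), used as capacities.
LINK_FLOWS = {
    (1, 2): 7.5, (2, 5): 7.0, (2, 6): 0.5, (6, 5): 0.5,
    (1, 3): 6.0, (3, 4): 5.0, (4, 5): 4.0,
}


def max_flow(caps, src, dst):
    """Edmonds-Karp.  Returns (flow value, residual): residual[u][v] is the
    capacity left on u->v, residual[v][u] accumulates the flow pushed."""
    res = defaultdict(lambda: defaultdict(float))
    for (u, v), c in caps.items():
        res[u][v] += c
        res[v][u] += 0.0                     # make the reverse edge exist
    value = 0.0
    while True:
        parent, queue = {src: None}, deque([src])
        while queue and dst not in parent:   # BFS for a shortest augmenting path
            u = queue.popleft()
            for v, c in res[u].items():
                if c > EPS and v not in parent:
                    parent[v] = u
                    queue.append(v)
        if dst not in parent:
            return value, res
        path, v = [], dst
        while parent[v] is not None:
            path.append((parent[v], v))
            v = parent[v]
        aug = min(res[u][v] for u, v in path)
        for u, v in path:
            res[u][v] -= aug
            res[v][u] += aug
        value += aug


def solve_game(link_flows, attack_nodes, target_nodes, budget):
    """Value B / M(f), intruder path distribution q and provider sampling
    rates s_e for the game between a super source joined to every node in
    A and a super sink joined from every node in T (|A| = |T| = 1 is the
    plain a-t game)."""
    caps = dict(link_flows)
    for a in attack_nodes:
        caps[("S", a)] = float("inf")
    for t in target_nodes:
        caps[(t, "T")] = float("inf")
    m_at, res = max_flow(caps, "S", "T")

    # Flow carried by a link equals the capacity accumulated on its reverse edge.
    carried = {e: res[e[1]][e[0]] for e in caps}

    # Min cut: real links leaving the set of nodes still reachable from S.
    reach, stack = {"S"}, ["S"]
    while stack:
        u = stack.pop()
        for v, c in res[u].items():
            if c > EPS and v not in reach:
                reach.add(v)
                stack.append(v)
    cut = [e for e in link_flows if e[0] in reach and e[1] not in reach]

    # Service provider: sample cut link e_i at s_i = B * f_i / M(f), so the
    # per-link detection probability is p_i = s_i / f_i = B / M(f).
    sampling = {e: budget * link_flows[e] / m_at for e in cut}

    # Intruder: peel the max flow into path flows m_i and use path P_i with
    # probability m_i / M(f).  Peeling terminates because the flow is acyclic
    # (the constructed network is a DAG).
    remaining, strategy = dict(carried), {}
    while any(remaining[("S", a)] > EPS for a in attack_nodes):
        path, node = [], "S"
        while node != "T":
            node = next(v for (u, v) in caps if u == node and remaining[(u, v)] > EPS)
            path.append(node)
        edges = list(zip(["S"] + path[:-1], path))
        amount = min(remaining[e] for e in edges)
        for e in edges:
            remaining[e] -= amount
        strategy[tuple(path[:-1])] = amount / m_at
    return budget / m_at, strategy, sampling


def expected_detections(path, link_flows, sampling):
    """Expected number of samples hitting a packet sent along `path`:
    the sum of p_e = s_e / f_e over the path's links."""
    return sum(sampling.get(e, 0.0) / link_flows[e] for e in zip(path, path[1:]))


if __name__ == "__main__":
    value, q, s = solve_game(LINK_FLOWS, [1], [5], BUDGET)
    print(f"value of the game = {value:.4f}  (= 5 / 11.5)")
    for p, prob in q.items():
        print(f"intruder uses path {p} with prob {prob:.4f}, "
              f"expected detections {expected_detections(p, LINK_FLOWS, s):.4f}")
    for e, rate in s.items():
        print(f"provider samples link {e} at {rate:.4f} packets/s")
```

Run as-is it reproduces the example slide: q = 7/11.5, 0.5/11.5, 4/11.5 on the three paths, sampling 5·7.5/11.5 on link 1-2 and 5·4.0/11.5 on link 4-5, and every path the intruder can pick is expected to be sampled exactly B/M_at(f) = 5/11.5 times, which is the "sampled at most once" observation in numbers. Calling solve_game with attack_nodes = [1, 2] shows the variant-1 construction moving the min cut to {2-5, 2-6, 4-5} while the value stays 5/11.5, since link 4-5 and the links out of node 2 still bound the flow.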
Shortest Path Routing Game
• Assume that each link has a length
• Packets are routed from the source to the destination along
the shortest paths according to the length metric
– Ties are broken arbitrarily
– Given any two nodes in the network, there is a unique path from
one to the other
• Objectives
– The intruder must determine which node of the attack set A to
introduce the packet into
– The service provider must determine the sampling rate at the links
subject to a sampling budget of B
• Solve like a shortest path problem where we find the shortest
path from all nodes in A to the destination d
– L(d) represents the maximum flow that can be sent from all the
nodes in A to the destination node d
– The value of the game is B / L(d)
Experimental Results
• The experimental network
– Each link in the figure represents two directed links, one in
each direction, each having a capacity of 10 units (figure not reproduced)
Experimental Results (cont …)
• The following experiments were performed:
– Single attack node and single target node
– Multiple attack nodes and single target node
– Multiple attack nodes and multiple target nodes
• For each of the above, three algorithms were run:
– Routing to minimize the highest utilized link
• f1 represents the m-vector of link flows as a result of this alg.
– Routing with flow flushing algorithm
• f2 represents the m-vector of link flows as a result of this alg.
– Routing with cut saturation algorithm
• f3 represents the m-vector of link flows as a result of this alg.
Experimental Results (cont …)
• M(f_i) represents the maximum flow that can
be sent from node a to t using f_i as the link
capacities
• Value of the game is: B / M(f_i)
– The smaller the value of M, the better the
chances of detection for a given sampling
budget
Experimental Results (cont …)
• Changing the routing significantly changes the maximum flow
and hence the value of the game
• The flow flushing algorithm and the cut saturation algorithm
both perform similarly well.
– Both out-perform the simple minmax solution
Effect of Capacity on the Value of the Game
• As the amount of spare capacity in a
network increases, the opportunity to
reroute flows increases
– Service Provider can improve probability of
detection by exploiting the spare capacity to
reroute flows
• A second experiment was conducted to
illustrate this
– Link capacity is fixed at some constant C
– If C increases, the opportunity to reroute flows
also increases
Effect of Capacity on the Value of the Game
• As the maximum utilization becomes lower, the amount of
spare capacity to reroute flows increases
– This implies that both the Flow Flushing Algorithm and the
Cut Saturation Algorithm will have more alternate paths
Effect of Capacity on the Value of the Game
• As the value of C increases, the maximum flow decreases
– Thus the value of the game increases
Conclusions
• Packet sampling and examination can be expensive in real time
– Network operator must devise a sampling scheme that will have
the greatest probability of detecting intruding packets
• Several scenarios were considered
– Intruder has complete knowledge of the network topology
– Intruder can pick paths in the network
– Intruder can pick an entry point into the network if shortest path
algorithm is being used
• Proposed two algorithms
– Flow Flushing Algorithm
– Cut Saturation Algorithm
• Evaluated the performance of the minmax, flow flushing
algorithm, and cut saturation algorithm