Detecting Network Intrusions via Sampling: A Game Theoretic Approach (INFOCOM 2003)

1
Detecting Network Intrusions via Sampling: A
Game Theoretic Approach
INFOCOM 2003
Murali Kodialam
T.V. Lakshman
Bell Labs, Lucent Technologies
  • Presented by Boris Margolin

2
Introduction
  • The authors present a simple model of intrusion
    detection, consisting of
    • A network
    • An intruder who sends a malicious packet to a
      node in the network
    • A defender who uses packet sampling on links in
      an attempt to detect this intrusion

3
Problem Definition: Network Set-Up
  • Network G = (N, E)
    • N: set of nodes in the network
    • E: set of unidirectional links in the network
    • n nodes
    • m links
  • c_e: capacity of link e
  • f_e: traffic flowing on link e
  • P_vu: set of paths from node u to v
  • m_i: traffic flowing along a path P_i
  • M_uv(w): maximum flow between nodes u and v
    • w represents the edges to be used
  • C_vu: edges in the minimum cut between u and v

4
Problem Definition: Network Intrusion Game
  • Two Players of the Game
    • Intruder
    • Defender
    • Both know network topology and flows
  • Intruder's Objective
    • Inject a malicious packet from attack node a in
      order to attack target node t
  • Defender's Objective
    • Sample this packet as it goes along some edge
    • Constrained by a maximum sampling rate

5
Problem Definition: Network Intrusion Game
6
Players' Strategies
  • For the Intruder
    • Pick a distribution over paths to get the
      malicious packet from a to t with the maximum
      probability of evading detection
  • For the Defender
    • Choose a sampling rate on each link, keeping the
      total under the sampling bound, to maximize
      detection probability
    • In the paper, the defender chooses sampling
      probability, which is equivalent.

7
Intruder's Strategy
8
Defender's Strategy
9
Equilibrium
  • Intruder: pick a distribution over paths that
    minimizes the value of the defender's best
    detection strategy
  • Defender: pick detection probabilities to
    minimize the value of the intruder's best evasion
    strategy
  • Zero-sum game with a single value for both
    players. Solve as an optimization problem.

10
Solution of the Game
  • The value of the game is B · M_at(f)^(-1), i.e.
    B / M_at(f), with B the sampling bound
  • The value is the expected number of detections of
    a malicious packet, equivalent to the probability
    of detection in this case
  • Intruder strategy
    • send the packet along paths with probability
      proportional to the path flow
  • Defender strategy
    • sample along min-cut edges with probability
      proportional to the edge flow
    • (min cut solvable in time O(N E^2))
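As an added worked example (not code from the paper or these slides), the equilibrium of slides 9 and 10 on a constructed network: Edmonds-Karp computes M_at(f) with the existing link flows as capacities, the source side of the final residual graph gives the min cut, and the defender's budget B is split over the cut links in proportion to their flow, which makes the per-packet sampling probability on every cut link equal to the game value B / M_at(f). The node ids, link flows and B are constructed values.

```python
from collections import deque

# Constructed example of the slide-10 solution. Links are keyed (u, v) with the
# traffic f_e already flowing on them; the intruder's packet has to hide in that
# traffic, so f_e is the capacity in the max-flow problem that gives M_at(f).
def max_flow_min_cut(flows, a, t):
    """Edmonds-Karp (O(N E^2)) from a to t. Returns (M_at(f), source side of
    the min cut), the latter being the nodes reachable in the final residual graph."""
    resid = {}
    for (u, v), f in flows.items():
        resid.setdefault(u, {}).setdefault(v, 0.0)
        resid.setdefault(v, {}).setdefault(u, 0.0)   # reverse edge for undoing flow
        resid[u][v] += f
    total = 0.0
    while True:
        parent, q = {a: None}, deque([a])
        while q and t not in parent:                # BFS: shortest augmenting path
            u = q.popleft()
            for v, cap in resid[u].items():
                if cap > 1e-12 and v not in parent:
                    parent[v] = u
                    q.append(v)
        if t not in parent:
            return total, set(parent)               # no path left; parent = source side
        path, v = [], t
        while parent[v] is not None:
            path.append((parent[v], v))
            v = parent[v]
        aug = min(resid[u][v] for u, v in path)
        for u, v in path:
            resid[u][v] -= aug
            resid[v][u] += aug
        total += aug

def defender_strategy(flows, a, t, B):
    """Split the sampling budget B over the min-cut links in proportion to their
    flow. Every packet on a cut link is then sampled with probability B / M_at(f),
    and every a-t path crosses the cut, so that is the game value (assumes
    B <= M_at(f) so the expected number of detections is a probability)."""
    M, source_side = max_flow_min_cut(flows, a, t)
    cut = {e: f for e, f in flows.items()
           if e[0] in source_side and e[1] not in source_side}
    rates = {e: B * f / M for e, f in cut.items()}       # sampled packets per unit time
    per_packet = {e: rates[e] / flows[e] for e in cut}    # all equal to B / M
    return M, rates, per_packet, B / M

if __name__ == "__main__":
    # constructed 4-node network: a = 0, t = 3, sampling bound B = 3
    flows = {(0, 1): 3, (0, 2): 8, (1, 3): 2, (2, 1): 2, (2, 3): 4}
    print(defender_strategy(flows, 0, 3, 3))
```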

11
Example Solution
B = 5, a = 1, t = 5, Minimum Cut = 11.5 units
12
Routing to Improve the Value of the Game
  • The defender might be able to raise the detection
    probability by rerouting flows
  • Defender is constrained by required flow over K
    source-destination pairs.
    • s(k): source node for commodity k
    • d(k): destination node for commodity k
    • b(k): amount of demand (bandwidth) that has to
      be routed for this source-destination pair

13
Routing Heuristics
  • Optimization problem is now non-linear and
    intractable
  • Some heuristics
    • Minimize maximum link utilization (the control
      heuristic)
    • Flow-flushing: in effect, maximize a sort of
      negative flow between a and t.
    • Cut saturation: pick some cut and minimize flow
      across it
  • It's not clear how these do against optimal
    routing!

14
Flow Flushing
  • c: link capacity, f: flow on the link
  • Easy to show that
    M_at(f) + M_at(c - f) ≤ M_at(c)
    since the l.h.s. is a feasible set of flows under
    capacity c.
  • Minimize M_at(f) by maximizing M_at(c - f)
  • Represents a flow problem with K+1 commodities,
    including the additional commodity between a and
    t
  • Find maximum feasible flow between a and t using
    bisection search

15
Flow Flushing Algorithm: Example
  • Maximum flow M_at(f) = 9.95 units
  • Game value = 5 / 9.95

16
Cut Saturation Algorithm
  • Pick an a - t cut and attempt to direct flow away
    from this cut
    • can start with the min cut given prior routing
  • To solve
    • introduce two new nodes, s and t, connected to
      the cut
    • introduce a new commodity flow between them
    • again use bisection search to find max feasible
      flow

17
Cut Saturation Algorithm
18
Cut Saturation Algorithm
  • Maximum flow M_at(f) = 8.0 units
  • Game value = 5 / 8

19
Variants
  • Replace a and t with sets of nodes that the
    intruder can choose from
    • Solution is equivalent to previous problems with
      an added source and destination
  • Intruder can choose source, but routes are along
    shortest path
    • Eliminate all edges except tree from set A to t
    • It's now possible to compute min cut in linear,
      rather than polynomial time.

20
Experimental Results
  • Flow Flushing and Cut Saturation were evaluated
    on a simulated network
  • Five (!) different routing problems were
    considered
  • For each, game value for the min link
    utilization, flow flushing, and cut saturation
    heuristics were calculated
  • Flow flushing and Cut saturation consistently
    performed significantly better than Min link
    utilization
  • Neither was clearly superior, especially given
    the small number of trials

21
Experimental Results: Network
22
Experimental Results
(Chart: Flow Flushing, Cut Saturation, Min Link;
max-flow is shown, so higher is better for the
defender)
23
Effect of Capacity on the Value of the Game
  • Experiments also done on effects of capacity
  • When the network has more capacity, Defender has
    more freedom to reroute flows
    • reflected in lower max utilization
  • Results show the performance of flow flushing is
    significantly dependent on spare capacity
    • cut saturation performance apparently not tested
    • No details of tests...

24
Capacity vs. Max Link Utilization
25
Capacity vs. FFA Max Flow
26
Discussion
  • Relatively easily implementable advice
  • Paper was used to promote sampling products!
  • Is the model presented helpful to defenders?
    • Could make all external traffic go through a
      single link
    • How hard is it to examine all packets in
      real-time?
    • Is the malicious packet a good model of an
      intrusion?
  • Results are similar to
    • Two-person Zero-sum games for network
      interdiction, by Washburn and Wood, published
      1995
    • Derived max-flow / min cut strategies for drug
      interdiction
    • Allocation likewise proportional to inverse
      probability of detection.
  • Flow flushing and Cut Saturation are introduced
    by this paper.
  • How close are heuristic results to optimal?
  • Experimental results seem like an afterthought
    • Few experiments
    • Do experimental results hold for other
      topologies?