Title: Detecting Network Intrusions via Sampling : A Game Theoretic Approach INFOCOM 2003
1. Detecting Network Intrusions via Sampling: A Game Theoretic Approach (INFOCOM 2003)
Murali Kodialam
T.V. Lakshman
Bell Labs, Lucent Technologies
- Presented by Boris Margolin
2. Introduction
- The authors present a simple model of intrusion detection, consisting of:
  - A network
  - An intruder who sends a malicious packet to a node in the network
  - A defender who uses packet sampling on links in an attempt to detect this intrusion
3. Problem Definition: Network Set-Up
- Network G = (N, E)
  - N: set of nodes in the network
  - E: set of unidirectional links in the network
  - n = |N| nodes, m = |E| links
- c_e: capacity of link e
- f_e: traffic flowing on link e
- P_uv: set of paths from node u to node v
- m_i: traffic flowing along a path P_i
- M_uv(w): maximum flow between nodes u and v when each link e is given capacity w_e
  - w is the capacity vector for the links to be used (later f, c or c - f)
- C_uv: links in the minimum cut between u and v
4. Problem Definition: Network Intrusion Game
- Two players of the game: the intruder and the defender
  - Both know the network topology and the flows
- Intruder's objective
  - Inject a malicious packet from attack node a in order to attack target node t
- Defender's objective
  - Sample this packet as it travels along some link
  - Constrained by a maximum total sampling rate
5. Problem Definition: Network Intrusion Game
6. Players' Strategies
- For the intruder
  - Pick a distribution over paths so that the malicious packet gets from a to t with maximum probability of not being sampled
- For the defender
  - Choose a sampling rate on each link, keeping the total under the sampling bound, to maximize the detection probability
  - In the paper the defender chooses a sampling probability per link (the fraction of that link's packets that get sampled), which is equivalent: on a link carrying flow f_e, sampling rate and sampling probability differ only by the factor f_e
7. Intruder's Strategy
8. Defender's Strategy
9. Equilibrium
- Intruder: pick a distribution over paths that minimizes the value of the defender's best detection strategy
- Defender: pick detection probabilities that maximize the detection value against the intruder's best evasion strategy
- Zero-sum game, so there is a single value for both players; solve it as an optimization problem
10. Solution of the Game
- The value of the game is B / M_at(f), i.e. B * M_at(f)^(-1), where B is the bound on the total sampling rate and M_at(f) is the maximum a-t flow when each link e is given capacity f_e (its current traffic)
  - The value is the expected number of detections of a malicious packet, equivalent to the probability of detection in this case
- Intruder strategy
  - Send the packet along paths with probability proportional to the path flow
- Defender strategy
  - Sample along the min-cut links with rate proportional to the link flow
  - (the min cut is computable in time O(|N| |E|^2))
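Why these two strategies are in equilibrium, as an added derivation in the slides' notation (this argument is not spelled out on the slides). Let $B$ be the defender's sampling budget, $q_e$ the sampling rate on link $e$, and $p_e = q_e / f_e$ the resulting probability that a particular packet on link $e$ is sampled. Let $M = M_{at}(f)$ be the maximum $a$-$t$ flow with link capacities $f_e$ and $C = C_{at}$ the corresponding minimum cut, so $\sum_{e \in C} f_e = M$.

Defender's guarantee. Set $q_e = B f_e / M$ for $e \in C$ and $q_e = 0$ elsewhere. Then $\sum_e q_e = B$ and $p_e = B / M$ on every cut link. Every $a$-$t$ path $P$ crosses $C$ at least once, so
$$\sum_{e \in P} p_e \;\ge\; \frac{B}{M}.$$

Intruder's guarantee. Decompose a maximum $a$-$t$ flow $x$ (with $x_e \le f_e$) into paths $P_i$ carrying $m_i$ units, $\sum_i m_i = M$, and send the packet along $P_i$ with probability $m_i / M$. The packet then traverses link $e$ with probability $x_e / M \le f_e / M$, so for any sampling plan with $\sum_e q_e \le B$
$$\mathbb{E}[\text{detections}] \;=\; \sum_e \frac{x_e}{M}\cdot\frac{q_e}{f_e} \;\le\; \frac{1}{M}\sum_e q_e \;\le\; \frac{B}{M}.$$

Each player can force $B/M$ regardless of what the other does, so the value of the game is $B / M_{at}(f)$, measured as the expected number of samplings of the malicious packet.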
11. Example Solution
- B = 5, a = 1, t = 5, minimum cut = 11.5 units, so the game value is 5 / 11.5
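The following is an added worked example, not the paper's code and not the network drawn on this slide (which is not reproduced here). It builds a constructed 5-node network with made-up link flows, keeps a = 1, t = 5 and B = 5 as on the slide, computes M_at(f) and the min cut by Edmonds-Karp, derives both equilibrium strategies from slide 10, and checks each side's guarantee, including against a naive uniform split of the same budget. It assumes the slide-6 relation that a link sampling q_e packets per unit time out of f_e samples a fraction q_e / f_e of that link's packets, and that detection is counted as the expected number of samplings along the path.

```python
"""Added worked example: equilibrium of the sampling game on a constructed
toy network (this is not the paper's code, and not the slides' network)."""
from collections import deque
from fractions import Fraction

# Constructed example: directed link -> current traffic f_e (units).
# No pair of anti-parallel links, which keeps the max-flow bookkeeping simple.
# a = 1, t = 5 and budget B = 5 as on slide 11; the topology is made up.
FLOWS = {(1, 2): 5, (1, 3): 7, (2, 3): 2, (2, 4): 3,
         (3, 4): 5, (3, 5): 4, (4, 5): 6}
A, T, B = 1, 5, 5


def max_flow_min_cut(cap, s, t):
    """Edmonds-Karp on capacities cap (here cap = f, so the value is M_at(f)).
    Returns (value, flow per link, links of the source-side minimum cut)."""
    res = {}  # residual capacity, with a reverse arc for every link
    for (u, v), c in cap.items():
        res.setdefault(u, {})[v] = c
        res.setdefault(v, {}).setdefault(u, 0)
    value = 0
    while True:
        parent, queue = {s: None}, deque([s])
        while queue and t not in parent:  # BFS for a shortest augmenting path
            u = queue.popleft()
            for v, r in res[u].items():
                if r > 0 and v not in parent:
                    parent[v] = u
                    queue.append(v)
        if t not in parent:
            break  # parent now holds exactly the nodes reachable from s
        path, v = [], t
        while parent[v] is not None:
            path.append((parent[v], v))
            v = parent[v]
        delta = min(res[u][v] for u, v in path)
        for u, v in path:
            res[u][v] -= delta
            res[v][u] += delta
        value += delta
    # Valid because the constructed network has no anti-parallel links.
    flow = {e: c - res[e[0]][e[1]] for e, c in cap.items()}
    cut = {e for e in cap if e[0] in parent and e[1] not in parent}
    return value, flow, cut


def defender_strategy(flows, cut, m, budget):
    """Sample only min-cut links at rate q_e = B f_e / M, so every cut link
    samples the same fraction B / M of its packets and the rates sum to B."""
    return {e: Fraction(budget * flows[e], m) for e in cut}


def intruder_strategy(flow, s, t, m):
    """Decompose the a-t max flow into paths and use path P with probability
    (flow carried by P) / M. A greedy walk suffices because the graph is acyclic."""
    flow, dist = dict(flow), {}
    while any(flow[e] > 0 for e in flow if e[0] == s):
        path, u = [], s
        while u != t:
            e = next(e for e in flow if e[0] == u and flow[e] > 0)
            path.append(e)
            u = e[1]
        amount = min(flow[e] for e in path)
        for e in path:
            flow[e] -= amount
        dist[tuple(path)] = dist.get(tuple(path), 0) + Fraction(amount, m)
    return dist


def detection(path, q, flows):
    """Expected number of samplings of one packet on `path`: link e samples
    a fraction q_e / f_e of its packets (the per-link sampling probability)."""
    return sum(Fraction(q.get(e, 0)) / flows[e] for e in path)


def simple_paths(flows, s, t, path=()):
    """All simple s-t paths as tuples of links (exhaustive; fine for a toy)."""
    if s == t:
        return [path]
    seen = {n for e in path for n in e}
    return [p for (u, v) in flows if u == s and v not in seen
            for p in simple_paths(flows, v, t, path + ((u, v),))]


def solve(flows=FLOWS, a=A, t=T, budget=B):
    """Compute both equilibrium strategies and check each side's guarantee,
    also against a naive uniform allocation of the same budget."""
    m, flow, cut = max_flow_min_cut(flows, a, t)
    q = defender_strategy(flows, cut, m, budget)
    dist = intruder_strategy(flow, a, t, m)
    uniform = {e: Fraction(budget, len(flows)) for e in flows}
    worst = lambda plan: min(detection(p, plan, flows) for p in simple_paths(flows, a, t))
    expect = lambda plan: sum(pr * detection(p, plan, flows) for p, pr in dist.items())
    return {"max_flow": m, "cut": cut, "value": Fraction(budget, m),
            "defender": q, "intruder": dist,
            "defender_guarantee": worst(q),        # intruder's best reply to q
            "uniform_guarantee": worst(uniform),   # intruder's best reply to uniform
            "intruder_vs_defender": expect(q),
            "intruder_vs_uniform": expect(uniform)}


if __name__ == "__main__":
    for key, val in solve().items():
        print(f"{key}: {val}")
```

On this constructed network M_at(f) = 10 with min cut {(3,5), (4,5)}, so the value is 5/10: the defender's min-cut plan holds every path to at least 1/2, while splitting the same budget uniformly over all seven links lets the intruder pick a path sampled at only 55/196. Exact fractions are used so the equalities are checkable rather than approximate.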
12. Routing to Improve the Value of the Game
- The defender might be able to raise the detection probability by rerouting flows (i.e. lowering M_at(f))
- The defender is constrained by the required flow over K source-destination pairs
  - s(k): source node for commodity k
  - d(k): destination node for commodity k
  - b(k): amount of demand (bandwidth) that has to be routed for this source-destination pair
13. Routing Heuristics
- The optimization problem is now non-linear and intractable
- Some heuristics
  - Minimize maximum link utilization (the control heuristic)
  - Flow flushing: in effect, maximize a sort of negative flow between a and t
  - Cut saturation: pick some cut and minimize the flow across it
- It's not clear how these do against optimal routing!
14. Flow Flushing
- c: link capacities, f: flows on the links (both vectors over the links)
- Easy to show that M_at(f) + M_at(c - f) <= M_at(c), since the sum of a maximum a-t flow under capacities f and a maximum a-t flow under capacities c - f is a feasible a-t flow under capacities c
- Hence M_at(f) <= M_at(c) - M_at(c - f): minimize M_at(f) by maximizing M_at(c - f)
- This is a flow problem with K + 1 commodities: the K demands plus an additional commodity between a and t
- Find the maximum feasible amount of the a-t commodity using bisection search
15. Flow Flushing Algorithm Example
- Maximum flow M_at(f) = 9.95 units
- Game value = 5 / 9.95
16. Cut Saturation Algorithm
- Pick an a-t cut and attempt to direct flow away from it
  - Can start with the min cut given the prior routing
- To solve
  - Introduce two new nodes, s and t, connected to the cut
  - Introduce a new commodity flowing between them
  - Again use bisection search to find the maximum feasible flow
17. Cut Saturation Algorithm
18. Cut Saturation Algorithm
- Maximum flow M_at(f) = 8.0 units
- Game value = 5 / 8
19. Variants
- Replace a and t with sets of nodes that the intruder can choose from
  - The solution is equivalent to the previous problem with an added source node and destination node
- The intruder can choose the source, but routes follow shortest paths
  - Eliminate all links except the shortest-path tree from the set A to t
  - It is now possible to compute the min cut in linear, rather than polynomial, time
20. Experimental Results
- Flow flushing and cut saturation were evaluated on a simulated network
- Five (!) different routing problems were considered
- For each, the game value was calculated for the min link utilization, flow flushing, and cut saturation heuristics
- Flow flushing and cut saturation consistently performed significantly better than min link utilization
- Neither was clearly superior, especially given the small number of trials
21. Experimental Results: Network
22. Experimental Results
- (Chart: max-flow per routing problem for Flow Flushing, Cut Saturation and Min Link utilization. The slide notes that max-flow is shown, so higher is better for the defender; note that by slide 10 the game value is B / M_at(f), so if the plotted quantity is M_at(f) a lower bar favors the defender. Read the axis accordingly.)
23. Effect of Capacity on the Value of the Game
- Experiments were also done on the effect of capacity
- When the network has more capacity, the defender has more freedom to reroute flows
  - Reflected in lower maximum link utilization
- Results show that the performance of flow flushing depends significantly on spare capacity
  - Cut saturation performance apparently not tested
  - No details of the tests...
24. Capacity vs. Max Link Utilization
25. Capacity vs. FFA (Flow Flushing Algorithm) Max Flow
26. Discussion
- Relatively easily implementable advice
- The paper was used to promote sampling products!
- Is the model presented helpful to defenders?
  - One could make all external traffic go through a single link
  - How hard is it to examine all packets in real time?
  - Is a single malicious packet a good model of an intrusion?
- Results are similar to "Two-person Zero-sum Games for Network Interdiction" by Washburn and Wood, published 1995
  - Derived max-flow / min-cut strategies for drug interdiction
  - Allocation likewise proportional to inverse probability of detection
- Flow flushing and cut saturation are introduced by this paper
- How close are the heuristic results to optimal?
- The experimental results seem like an afterthought
  - Few experiments
  - Do the experimental results hold for other topologies?