1 - CS7701 – Fall 2004 Review of: Detecting Network Intrusions via Sampling: A Game Theoretic Approach Paper by: – Murali Kodialam (Bell Labs) – T.V. Lakshman (Bell Labs) Published in: – IEEE Infocom 2003 Reviewed by: – James Moscola Discussion Leader: – Todd Sproull CS7701: Research Seminar on Networking http://arl.wustl.edu/~jst/cse/770/


Page 1: Title

Review of: Detecting Network Intrusions via Sampling: A Game Theoretic Approach

• Paper by:
– Murali Kodialam (Bell Labs)
– T.V. Lakshman (Bell Labs)
• Published in:
– IEEE Infocom 2003
• Reviewed by:
– James Moscola
• Discussion Leader:
– Todd Sproull

CS7701: Research Seminar on Networking
http://arl.wustl.edu/~jst/cse/770/

Page 2: Outline

• Introduction
• Problem Definition
• Solution of the Game
• Routing to Improve the Value of the Game
• Variants and Extensions
• Experimental Results
• Conclusions

Page 3: Introduction

• Two key areas of network security are:
– Intrusion Detection
– Intrusion Prevention
• Intrusions can be:
– Denial of Service Attacks
– Viruses
• In a typical intrusion problem the intruder tries to access a particular file server or website
– The authors examine the problem where an intruder attempts to send a malicious packet to a given network node
• The network attempts to detect the intrusion through sampling

Page 4: Background

• Previous work that used network sampling:
– [6] – “SRED: Stabilized RED”
– [7] – “CHOKE, A Stateless Active Queue Management Scheme for Approximating Fair Bandwidth Allocation”
– [3] – “A Framework for Passive Packet Measurement”
• All of the above require ONLY header sampling
• What’s different with this work:
– Detecting an intrusion will most likely require looking at more than the header
– Must sample in real time if we want to detect and prevent an intrusion
• Must keep the sampling cost in mind during analysis

Page 5: Problem Definition

• Network Set-Up
– G = (N, E)
– N is the set of nodes
– E is the set of unidirectional links
– n is the number of nodes
– m is the number of links
– The capacity of link $e \in E$ is denoted $c_e$
– The traffic on link e is denoted by $f_e$
– $P_{uv}$ is the set of paths from u to v in G
– $M_{uv}(w)$ is the max flow that can be sent from node u to v with w as the link capacities
– $C_{uv}$ is the set of links in the minimum cut

Page 6: Problem Definition (continued)

• Network Intrusion Game
– Two players
• Intruder
– Injects an attack packet from attack node a, trying to reach target node t
– Successful if the attack packet reaches t undetected
• Service Provider
– Detects malicious packets
» Samples packets along the links of the network, looking for malicious packets
– The intrusion is detected if the service provider samples the attack packet

Page 7: Problem Definition (continued)

• Constraints of the Game
– The service provider is given a sampling bound of B packets per second, to make the game more interesting and realistic
• If the service provider could sample EVERY packet he could always win
• In the real world there wouldn’t be enough resources to sample all packets anyway
– The sampling of B packets per second can be arbitrarily distributed over all links of the network
• The probability of detecting a malicious packet on a given link is $p_e = s_e / f_e$, where $s_e$ is the sampling rate on link e
• $\sum_{e \in E} s_e \le B$
– More assumptions to make the game more interesting
• Service Provider AND Intruder have complete knowledge of the network topology
• The intruder is capable of picking paths in the network for his attack, to make detecting the attack more difficult for the Service Provider

Page 8: Strategies for the Game

• Intruder
– Selects an attack path from the set of all available paths between a and t ($P_{at}$) with probability q(P)
• Probability distribution over the paths $P_{at}$ such that $\sum_{P \in P_{at}} q(P) = 1$
• $V = \{\, q : \sum_{P \in P_{at}} q(P) = 1 \,\}$ is the set of possible probability allocations over the set of paths between a and t
• Service Provider
– Chooses the sampling rates for the network links that give the greatest probability of detecting an attack
• $U = \{\, p : \sum_{e \in E} p_e f_e \le B \,\}$ is the set of possible detection probability vectors that are within the sampling budget B

Page 9: Strategies for the Game

Page 10: Strategies for the Game

Page 11: Payoff / Strategy

• The expected number of times the malicious packet is detected as it travels from a to t, over paths P chosen with probability q(P):
– $\sum_{P \in P_{at}} q(P) \sum_{e \in P} p_e$
– The service provider wants to maximize this number:
• $\max_{p \in U} \sum_{P \in P_{at}} q(P) \sum_{e \in P} p_e$
– But the intruder knows this, and thus wants to minimize the service provider's maximum:
• $\min_{q \in V} \max_{p \in U} \sum_{P \in P_{at}} q(P) \sum_{e \in P} p_e$
• The flip side:
– The intruder wants to minimize $\sum_{P \in P_{at}} q(P) \sum_{e \in P} p_e$
• $\min_{q \in V} \sum_{P \in P_{at}} q(P) \sum_{e \in P} p_e$
– But the service provider knows this, and thus wants to maximize the intruder's minimum:
• $\max_{p \in U} \min_{q \in V} \sum_{P \in P_{at}} q(P) \sum_{e \in P} p_e$

Page 12: Solution of the Game

• The value of the game is $B \, M_{at}(f)^{-1}$
• The intruder …
– needs to decompose the max flow into flows on paths $P_1, P_2, \dots, P_l$ from a to t with flows $m_1, m_2, \dots, m_l$
– introduces the malicious packet along path $P_i$ with probability $m_i \, M_{at}(f)^{-1}$
• The Service Provider …
– needs to compute the maximum flow from a to t using $f_e$ as the capacity of link e
• $e_1, e_2, \dots, e_r$ represent the links of the corresponding minimum cut, with flows $f_1, f_2, \dots, f_r$
– samples link $e_i$ at rate $B f_i \, M_{at}(f)^{-1}$

Page 13: Example

• Max Flow = $M_{at}(f)$ = 11.5
• Sampling Budget B = 5
• a = 1
• t = 5
• Intruder:
– Introduce packets on $P_i$ with probability $m_i \, M_{at}(f)^{-1}$
• Prob of P1-2-5 = 7.0/11.5
• Prob of P1-2-6-5 = 0.5/11.5
• Prob of P1-3-4-5 = 4.0/11.5
• Service Provider:
– Sample link $e_i$ at a rate of $B f_i \, M_{at}(f)^{-1}$, where $e_i$ is a link in the minimum cut
• Rate of e1-2 = (5*7.5)/11.5
• Rate of e4-5 = (5*4.0)/11.5
• Value of the game = 5 / 11.5
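The solution of slides 12 and 13 worked in code, as an added example that is not part of the original slides or of the paper: Edmonds-Karp computes $M_{at}(f)$ with the link flows as capacities, the residual graph gives the minimum cut, and from these follow the provider's sampling rates $B f_i / M_{at}(f)$, the intruder's path probabilities $m_i / M_{at}(f)$ and the value $B / M_{at}(f)$. The link flows are constructed: the cut-link flows 7.5 and 4.0 and $M_{at}(f) = 11.5$ match the slide, the other values are assumptions; `worst_path_detection` checks that no single a–t path gets a detection probability below the value of the game.

```python
from collections import defaultdict, deque

# Constructed link flows f_e (packets/s) for the slide 13 network (a=1, t=5): the cut-link
# flows 7.5 (1->2), 4.0 (4->5) and M_at(f)=11.5 match the slide; the rest are assumptions.
FLOWS = {(1, 2): 7.5, (2, 5): 7.0, (2, 6): 2.0, (6, 5): 3.0,
         (1, 3): 6.0, (3, 4): 5.0, (4, 5): 4.0}

def max_flow(cap, src, dst):
    """Edmonds-Karp with link flows as capacities -> (M_at(f), min-cut links, path flows m_i)."""
    resid, adj = defaultdict(float), defaultdict(list)
    for (u, v), c in cap.items():
        resid[(u, v)] += c; resid[(v, u)] += 0.0   # reverse edge lets flow be cancelled
        adj[u].append(v); adj[v].append(u)

    def bfs():  # shortest augmenting path in the residual graph
        parent, q = {src: None}, deque([src])
        while q:
            u = q.popleft()
            for v in adj[u]:
                if v not in parent and resid[(u, v)] > 1e-12:
                    parent[v] = u; q.append(v)
        return parent
    total, paths = 0.0, []
    while dst in (parent := bfs()):
        path = [dst]
        while parent[path[-1]] is not None:
            path.append(parent[path[-1]])
        path.reverse()
        hops = list(zip(path, path[1:]))
        b = min(resid[e] for e in hops)             # bottleneck of this augmenting path
        for u, v in hops:
            resid[(u, v)] -= b; resid[(v, u)] += b
        total += b; paths.append((tuple(path), b))  # one term of the flow decomposition
    reach = set(bfs())                              # source side of the minimum cut
    cut = [e for e in cap if e[0] in reach and e[1] not in reach]
    return total, cut, paths

def solve_game(cap, src, dst, budget):
    """Slide 12: value B/M_at(f); provider rates B*f_i/M_at(f) on min-cut links; intruder path probabilities m_i/M_at(f)."""
    m, cut, paths = max_flow(cap, src, dst)
    return budget / m, {e: budget * cap[e] / m for e in cut}, {p: b / m for p, b in paths}

def worst_path_detection(cap, rates, src, dst):
    """Min over simple a-t paths of sum_{e in P} p_e, p_e = s_e/f_e: the intruder's best pure path."""
    best = float("inf")
    def dfs(u, seen, acc):
        nonlocal best
        if u == dst:
            best = min(best, acc); return
        for (x, v), f in cap.items():
            if x == u and v not in seen:
                dfs(v, seen | {v}, acc + rates.get((x, v), 0.0) / f)
    dfs(src, {src}, 0.0)
    return best
```

With these flows the decomposition is exactly the slide's (7.0 on 1-2-5, 0.5 on 1-2-6-5, 4.0 on 1-3-4-5) and every path crosses the cut once, so the intruder's best pure path is detected with probability exactly 5/11.5.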

Page 14: Observations

• Since the service provider samples packets on the minimum cut, for any path the intruder chooses the malicious packet will be sampled at most once
• If $B \ge M_{at}(f)$ then the malicious packet will always be detected
• If $B < M_{at}(f)$ then there is some probability that the malicious packet will not be detected

Page 15: Routing to Improve the Value of the Game

• The previous solution $B \, M_{at}(f)^{-1}$ assumes fixed link flows
• Flows on the links are the result of routing demands between node pairs in the network
• The Service Provider can adjust the flows on the network links to:
– Increase the probability of detecting the malicious packet
– Increase the value of the game
• Want to maximize the value of the game
• Equivalently, minimize $M_{at}(f)$

Page 16: Objective of Service Provider

• Route the source-destination demands to minimize $M_{at}(f)$
– Solve the following:
• $\min_{x \in X} M_{at}(f)$, where $f_e = \sum_k \sum_{P \in P_k : e \in P} x(P)$
– X
» Denotes an allocation of flow on paths
» Meets the demand for each commodity
» Satisfies the capacity constraints on the network links
• $\min_{x \in X} M_{at}\!\left( \sum_k \sum_{P \in P_k : e \in P} x(P) \right)$
– Need a way to solve the above
• Try two different heuristic methods
– Flow Flushing Algorithm
– Cut Saturation Algorithm

Page 17: Flow Flushing Algorithm

• The flow on the links is a result of routing the different source-destination demands in the network
– $M_{at}(f) + M_{at}(c - f) \le M_{at}(c)$, so pushing as much a–t flow as possible through the spare capacity $c - f$ drives $M_{at}(f)$ down
• Solve this as a multi-commodity flow problem with K+1 commodities
– K original demands
– +1 new demand between a and t for the attack

Page 18: Flow Flushing Algorithm (cont…)

• Value of the game = 5 / 9.95

Page 19: Cut Saturation Algorithm

• Picks some a – t cut and tries to direct flow away from the cut
– Making the cut small limits the max a – t flow
• Introduce two new nodes s’ and t’
• Determine the highest flow that can be sent from s’ to t’ while keeping the source-destination demands routable
• Solve similarly to the Flow Flushing Algorithm
– The extra (K+1)th flow goes between s’ and t’ instead of between a and t

Page 20: Cut Saturation Algorithm (cont …)

• Value of the game = 5 / 8.0

Page 21: Variants and Extensions

• First two variants:
– The intruder can introduce the malicious packet from any one of a set of attack nodes $A \subseteq N$
• Assume $t \notin A$
– The objective of the intruder is to reach any one of a set of target nodes $T \subseteq N$
• Assume $A \cap T = \emptyset$
– Solution for the above two variants:
• Introduce a super source node that is connected to all nodes in A
• Introduce a super sink node that is connected to all nodes in T
• Play the game between the super source and the super sink node
• Third variant:
– The intruder can introduce the packet at any one of a set of attack nodes A, but no longer has control over the routing in the network
• Routing in the network is shortest-path routing

Page 22: Shortest Path Routing Game

• Assume that each link has a length
• Packets are routed from the source to the destination along the shortest paths according to the length metric
– Ties are broken arbitrarily
– Given any two nodes in the network, there is a unique path from one to the other
• Objectives
– The intruder must determine which node of the attack set A to introduce the packet into
– The service provider must determine the sampling rate at the links, subject to a sampling budget of B
• Solve like a shortest path problem where we find the shortest path from all nodes in A to the destination d
– L(d) represents the maximum flow that can be sent from all the nodes in A to the destination node d
– The value of the game is B / L(d)

Page 23: Experimental Results

• The experimental network
– Each bidirectional link represents two directed links, each having a capacity of 10 units

Page 24: Experimental Results (cont …)

• The following experiments were performed:
– Single attack node and single target node
– Multiple attack nodes and single target node
– Multiple attack nodes and multiple target nodes
• For each of the above, three algorithms were run:
– Routing to minimize the highest utilized link
• $f_1$ represents the m-vector of link flows resulting from this algorithm
– Routing with the flow flushing algorithm
• $f_2$ represents the m-vector of link flows resulting from this algorithm
– Routing with the cut saturation algorithm
• $f_3$ represents the m-vector of link flows resulting from this algorithm

Page 25: Experimental Results (cont …)

• $M(f_i)$ represents the maximum flow that can be sent from node a to t using $f_i$ as the link capacities
• The value of the game is $B / M(f_i)$
– The smaller the value of M, the better the chances of detection for a given sampling budget

Page 26: Experimental Results (cont …)

• Changing the routing significantly changes the maximum flow and hence the value of the game
• The flow flushing algorithm and the cut saturation algorithm both perform similarly well
– Both out-perform the simple minmax solution

Page 27: Effect of Capacity on the Value of the Game

• As the amount of spare capacity in a network increases, the opportunity to reroute flows increases
– The Service Provider can improve the probability of detection by exploiting the spare capacity to reroute flows
• A second experiment was conducted to illustrate this
– Link capacity is fixed at some constant C
– If C increases, the opportunity to reroute flows also increases

Page 28: Effect of Capacity on the Value of the Game

• As the maximum utilization becomes lower, the amount of spare capacity to reroute flows increases
– This implies that both the Flow Flushing Algorithm and the Cut Saturation Algorithm will have more alternate paths

Page 29: Effect of Capacity on the Value of the Game

• As the value of C increases, the maximum flow decreases
– Thus the value of the game increases

Page 30: Conclusions

• Packet sampling and examination can be expensive in real time
– The network operator must devise a sampling scheme that has the greatest probability of detecting intruding packets
• Several scenarios were considered
– Intruder has complete knowledge of the network topology
– Intruder can pick paths in the network
– Intruder can pick an entry point into the network if shortest-path routing is being used
• Proposed two algorithms
– Flow Flushing Algorithm
– Cut Saturation Algorithm
• Evaluated the performance of the minmax, flow flushing, and cut saturation algorithms

Page 31