Presentation is loading. Please wait.

Presentation is loading. Please wait.

Detecting Network Intrusions via Sampling : A Game Theoretic Approach Presented By: Matt Vidal Murali Kodialam T.V. Lakshman July 22, 2003 Bell Labs, Lucent.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Detecting Network Intrusions via Sampling : A Game Theoretic Approach Presented By: Matt Vidal Murali Kodialam T.V. Lakshman July 22, 2003 Bell Labs, Lucent."— Presentation transcript:

1 Detecting Network Intrusions via Sampling : A Game Theoretic Approach Presented By: Matt Vidal Murali Kodialam T.V. Lakshman July 22, 2003 Bell Labs, Lucent Technologies muralik lakshman @bell-labs.com @bell-labs.com

2 2 Outline Introduction Problem Definition Solution of the Game Routing to Improve the Value of the Game Variants and Extensions Experimental Results Conclusions Questions

3 3 Introduction Two key areas of interest in network security: –Intrusion Detection –Intrusion Prevention Intrusions can take many forms –Denial of Service (DoS) / Distributed Denial of Service (DDoS) –Network Virus Propagation Usually, an intruder tries to access a specific file server or website in the network In this research, the authors focus on an intruder sending a malicious packet to a node in the network

4 4 Introduction (2) Packet Sampling: –Some packets traversing specific links are sampled and investigated to determine if they are malicious (intruder) Requires fast and thorough processing –Intrusion detection requires a thorough examination of the sampled packets –Packet sampling must be performed in real time in order to prevent intruders from slipping by –Packet examination must be done at line speed to keep from disrupting routing

5 5 Problem Definition The problem of packet intrusion is described in three steps –1) Network Set-Up –2) Network Intrusion Game –3) The Objective and Constraints of the Game

6 6 Problem Definition: Network Set-Up Network G = (N, E) –N: set of nodes in the network –E: set of unidirectional links in the network –n nodes –m links –c e : capacity of link e –f e : traffic flowing on link e –P v u : set of paths from node u to v –M uv (w): Maximum flow between nodes u and v –C v u : Minimum cut (comprised of a set of links in the network)

7 7 Problem Definition: Network Intrusion Game Two Players of the Game –Service Provider –Intruder Intruder’s Objective: –Inject a malicious packet from attack node a in order to attack target node t Service Provider’s Objective: –Detect and prevent the intrusion –To do so, the service provider samples packets in the network –It is assumed that the sampling is performed on the links (not at the nodes)

8 8 Problem Definition: Network Intrusion Game (2) Intruder tries to sneak a malicious packet from a to t

9 9 Problem Description: The Objective and Constraints of the Game B: sampling bound - the service provider can sample no more than B packets per second –If the service provider could sample all packets, it would easily find the intruder –Not enough resources to process all those packets anyway Assumptions: –Both players have knowledge of network topology and link flows –The intruder is capable of picking paths in the network in order to make the detection by the service provider more difficult

10 10 Players’ Strategies For the Intruder: –Pick a path (or a distribution of paths) to get the malicious packet from from a to t For the Service Provider –Determine a set of links on which sampling is necessary –Determine the sampling rate on each link, keeping the total under the sampling bound The service provider picks a set of detection probabilities at the links it chooses to sample on

11 11 Players’ Strategies (2) Intruder’s and service provider’s actions

12 12 Players’ Strategies (3) Service provider’s action, arc sampling

13 13 Players’ Objectives The objective of the intruder is to pick a distribution q() that minimizes the service provider’s knowledge of the intrusion strategy The service provider’s intent is for maximization Classical two person zero-sum game with minmax result

14 14 Players’ Objectives (2) There exists an optimal solution to the game  is the value of the game

15 15 Solution of the Game The value of the game is :  = BM at (f) -1 –Any maximum flow from a to t can be decomposed to a set of flows from a to t The intruder needs to decompose the maximum flow from a to t using the capacity f e of link e into flows on paths P 1, P 2 … P l with flows m 1, m 2 … m l –Introduces malicious packet on path P i with probability m i *M at (f) -1 The service provider needs to compute the maximum flow from a to t using the capacity f e of link e using arcs e 1, e 2 … e r with minimum cut flows f 1, f 2 … f r –Service provider samples link e i at rate Bf i M at (f) -1

16 16 Solution of the Game: Example B=5, a=1, t=5, Minimum Cut = 11.5 units

17 17 Solution of the Game: Example (2) Intruder’s Strategy –Introduce the malicious packet along the path 1-2-5 with probability 7.0 / 11.5 –Introduce the malicious packet along the path 1-2-6-5 with probability 0.5 / 11.5 –Introduce the malicious packet along the path 1-3-4-5 with probability 4.0 / 11.5 Service Provider’s Strategy –Sample link 1-2 at rate 5 / 11.5 giving a total sampling rate of (5 x 7.5) / 11.5 on that link –Sample link 4-5 at rate 5 / 11.5 giving a total sampling rate of (5 x 4.0) / 11.5 on that link If B  M at (f) : malicious packet is always detected If B  M at (f) : malicious packet might not be detected

18 18 Routing to Improve the Value of the Game The game solution BM at (f) -1 assumes a fixed link flow f Flows on the links are a result of routing the demands between node pairs in the network In reality, the service provider can adjust the flows to maximize the value of the game For K source-destination demand pairs in the network –s(k) - source node for commodity k –d(k) - destination node for commodity k –b(k) - amount of demand (bandwidth) that has to be routed for this source-destination pair

19 19 Routing to Improve the Value of the Game (2) 1) Original source-destination pairs and demands from game network example (with link capacity of 10 units) 2) Route the demands such that the maximum link utilization in the network is minimized

20 20 Routing to Improve the Value of the Game (3) Service provider routes the flows such that the value of the network intrusion game is maximized –Increases the detection probability of the malicious packet The objective is to route the source-destination demands in order to minimize the the value of M at (f) No explicit solution to the routing problem Developed two heuristics and offer two solutions to the optimization problem

21 21 Flow Flushing Algorithm (FFA) c : link capacity, f : flow on the link The flow on the links is a result of routing the different source-destination demands on the network –M at (f) + M at (c - f)  M at (c) Solution requires a multi-commodity (source-destination) flow problem with K+1 commodities, including the additional commodity between a and t The link flows for FFA are shown for the first network example

22 22 Flow Flushing Algorithm (FFA) (2) Maximum flow M at (f) = 9.95 units Game value  = 5 / 9.95

23 23 Cut Saturation Algorithm The maximum flow between a and t is (upper) bounded by the size of any a - t cut Cut Saturation Algorithm picks an a - t cut and attempts to direct flow away from this cut Introduce two new nodes, s´ and t´ Determine the highest flow that can be sent from s´ to t´ while maintaining routing for source-destination demands Pick the minimum a - t cut and attempt to saturate that cut Cut Saturation Algorithm can yield a better solution than the Flow Flushing Algorithm

24 24 Cut Saturation Algorithm (CSA) (2) Only cut links are shown in the network

25 25 Cut Saturation Algorithm (CSA) (3) Maximum flow M at (f) = 8.0 units Game value  = 5 / 8

26 26 Variants and Extensions 1) The intruder can introduce the malicious packet from one node of a subset of nodes in the network 2) The intruder is attempting to reach one node of a set of target nodes in the network The solution is to introduce –1) a super source node that is connected to the subset of possible source nodes and –2) a super sink node that is connected to the subset of possible target nodes 3) The intruder can introduce a packet at any one of a set of nodes, but has no control of the routing in the network –The shortest path routing game

27 27 Shortest Path Routing Game All packets are routed from source to destination by shortest path routing –For any two nodes in the network, there is a unique path from one node to the other A packet introduced into the network follows the unique path from that source node to the destination node The intruder needs to determine which node of its available subset (A) it can use to introduce a malicious packet The service provider needs to determine the sampling rate at the links that are subject to a sampling budget of B The problem is that the maximum flow (L) (and hence the minimum cut) is no longer easy to compute The value of the game is determined to be B / L(d)

28 28 Experimental Results The two algorithms (Flow Flushing and Cut Saturation) were evaluated on two experimental networks The first network had 15 nodes and 27 link segments The segments each contained two directed links with a capacity of 10 units

29 29 Experimental Results: Network

30 30 Experimental Results: Set-Up Experiment Cases Performed –Single attack node and single target node –Multiple attack nodes and single target node –Multiple attack nodes and multiple target nodes Three Algorithms Per Case –1) Routing to minimize the highest utilized link f 1 represents the m-vector of link flows as a result of routing –2) Routing with Flow Flushing Algorithm f 2 represents the m-vector of link flows as a result of routing –3) Routing with Cut Saturation Algorithm f 3 represents the m-vector of link flows as a result of routing

31 31 Experimental Results: Comparison M() = B /  (sampling budget / game value) –The maximum flow that can be sent from node a to t using f i –The smaller the value of M, the better the chances of detection The maximum flow value (and thus the game value) are highly dependent upon the routing in the network

32 32 Effect of Capacity on the Value of the Game When the network has more spare capacity, it is able to further reroute flows –The service provider can use the spare capacity to reroute flows and increase its detection probability Using the second experimental network, with a link capacity of C, it was determined that the source provider can exploit the spare link capacity for rerouting flows –As the link capacity increases, there are more opportunities to reroute flows Network simulations illustrate the relationship between maximum utilization and link capacity and the effect of Flow Flushing on the maximum flow value

33 33 Effect of Capacity on the Value of the Game (2) Maximum utilization decrease -> rerouting capacity increase FFA and CSA will have more alternate paths available

34 34 Effect of Capacity on the Value of the Game (3) Base case: minimize maximum utilization FFA: a - t maximum flow value decreases as link capacity increases

35 35 Conclusions Detect intruding packets in the network by sampling on network links Requires real time, line speed processing, a costly procedure To make it feasible means using an creative, yet effective sampling scheme Introduced Flow Flushing Algorithm and Cut Saturation Algorithm FFA and CSA facilitate better ingress-egress routing which maximizes the chances of detection Performance of FFA and CSA shown to be better than the base case of minimizing maximum utilization

36 36 Questions?

Download ppt "Detecting Network Intrusions via Sampling : A Game Theoretic Approach Presented By: Matt Vidal Murali Kodialam T.V. Lakshman July 22, 2003 Bell Labs, Lucent."

Similar presentations

Impact of Interference on Multi-hop Wireless Network Performance Kamal Jain, Jitu Padhye, Venkat Padmanabhan and Lili Qiu Microsoft Research Redmond.

Impact of Interference on Multi-hop Wireless Network Performance Kamal Jain, Jitu Padhye, Venkat Padmanabhan and Lili Qiu Microsoft Research Redmond.
Capacity of wireless ad-hoc networks By Kumar Manvendra October 31,2002.

Capacity of wireless ad-hoc networks By Kumar Manvendra October 31,2002.
Routing and Congestion Problems in General Networks Presented by Jun Zou CAS 744.

Routing and Congestion Problems in General Networks Presented by Jun Zou CAS 744.
Price Of Anarchy: Routing

Price Of Anarchy: Routing
BY MICHAEL SUDKOVITCH AND DAVID ROITMAN UNDER THE GUIDANCE OF DR. GABI NAKIBLY OSPF Security project: Summary.

BY MICHAEL SUDKOVITCH AND DAVID ROITMAN UNDER THE GUIDANCE OF DR. GABI NAKIBLY OSPF Security project: Summary.
Introduction to Algorithms

Introduction to Algorithms
Optimal Jamming Attacks and Network Defense Policies in Wireless Sensor Networks Mingyan Li, Iordanis Koutsopoulos, Radha Poovendran (InfoComm ’07) Presented.

Optimal Jamming Attacks and Network Defense Policies in Wireless Sensor Networks Mingyan Li, Iordanis Koutsopoulos, Radha Poovendran (InfoComm ’07) Presented.
Data and Computer Communications Ninth Edition by William Stallings Chapter 12 – Routing in Switched Data Networks Data and Computer Communications, Ninth.

Data and Computer Communications Ninth Edition by William Stallings Chapter 12 – Routing in Switched Data Networks Data and Computer Communications, Ninth.
Rumor Routing in Sensor Networks David Braginsky and Deborah Estrin Presented By Tu Tran 1.

Rumor Routing in Sensor Networks David Braginsky and Deborah Estrin Presented By Tu Tran 1.
Network Capacity Planning IACT 418 IACT 918 Corporate Network Planning.

Network Capacity Planning IACT 418 IACT 918 Corporate Network Planning.
Distributed Algorithms for Secure Multipath Routing

Distributed Algorithms for Secure Multipath Routing
Jan 13, 2006Lahore University of Management Sciences1 Protection Routing in an MPLS Network using Bandwidth Sharing with Primary Paths Zartash Afzal Uzmi.

Jan 13, 2006Lahore University of Management Sciences1 Protection Routing in an MPLS Network using Bandwidth Sharing with Primary Paths Zartash Afzal Uzmi.
Traffic Engineering With Traditional IP Routing Protocols

Traffic Engineering With Traditional IP Routing Protocols
An Effective Placement of Detection Systems for Distributed Attack Detection in Large Scale Networks Telecommunication and Security LAB. Dept. of Industrial.

An Effective Placement of Detection Systems for Distributed Attack Detection in Large Scale Networks Telecommunication and Security LAB. Dept. of Industrial.
December 20, 2004MPLS: TE and Restoration1 MPLS: Traffic Engineering and Restoration Routing Zartash Afzal Uzmi Computer Science and Engineering Lahore.

December 20, 2004MPLS: TE and Restoration1 MPLS: Traffic Engineering and Restoration Routing Zartash Afzal Uzmi Computer Science and Engineering Lahore.
PROFITABLE CONNECTION ASSIGNMENT IN ALL OPTICAL WDM NETWORKS VISHAL ANAND LANDER (Lab. for Advanced Network Design, Evaluation and Research) In collaboration.

PROFITABLE CONNECTION ASSIGNMENT IN ALL OPTICAL WDM NETWORKS VISHAL ANAND LANDER (Lab. for Advanced Network Design, Evaluation and Research) In collaboration.
Jerry Chou and Bill Lin University of California, San Diego

Jerry Chou and Bill Lin University of California, San Diego
UNCLASSIFIED Secure Indirect Routing and An Autonomous Enterprise Intrusion Defense System Applied to Mobile ad hoc Networks J. Leland Langston, Raytheon.

UNCLASSIFIED Secure Indirect Routing and An Autonomous Enterprise Intrusion Defense System Applied to Mobile ad hoc Networks J. Leland Langston, Raytheon.
Bluenet a New Scatternet Formation Scheme * Huseyin Ozgur Tan * Zifang Wang,Robert J.Thomas, Zygmunt Haas ECE Cornell Univ*

Bluenet a New Scatternet Formation Scheme * Huseyin Ozgur Tan * Zifang Wang,Robert J.Thomas, Zygmunt Haas ECE Cornell Univ*
Lecture 3. Notations and examples D. Moltchanov, TUT, Spring 2008 D. Moltchanov, TUT, Spring 2015.

Lecture 3. Notations and examples D. Moltchanov, TUT, Spring 2008 D. Moltchanov, TUT, Spring 2015.

Similar presentations

Ads by Google