Detecting Network Intrusions Via Sampling

Detecting Network Intrusions via Sampling

By

Murali Kodialam, T. V. Lakshman
Bell Laboratories

Lucent Technologies

A Game Theoretic Approach

Presented by: Eric Banks

Structure of this Presentation

Introduction
Related Work
Explanation of the Network Intrusion Game
Results
Conclusions

Introduction

This paper focuses on the problem of intrusion detection in a communication network.

The network attempts to detect the intrusion of an adversary who is typically trying to gain access to a particular file server or website on the network.

Introduction

Intrusion in networks takes many forms including denial of service attacks, viruses introduced into the networks, etc.

Intrusion detection is commonly associated with intrusion prevention, which defends against malicious attacks. But it is important to understand that detection does not involve the act of preventing or countering an attack that has already been launched.

Intrusion detection involves uncovering or detecting an adversary’s attempt to conduct malicious acts.

Introduction

The two most well known categories of intrusion detection are signature/misuse based and anomaly based detection.

Signature/misuse detection works by searching for a known identity (signature) for each specific intrusion event. This means a database of signatures is maintained and the behaviors on the network are cross-referenced with these signatures to see if there is a match. The drawback is that the signature database may not always be current.

Anomaly based detection detects computer intrusions and misuse by monitoring system activity and classifying it as either normal or anomalous. The classification is based on heuristics or rules. This solution’s drawback is that a good baseline has to be in place to compare against changes in the network. There may also be legitimate factors in the network that fall outside of the expected threshold at times, which may cause false positives.

Introduction

Sampling takes some portion of the packets traversing the network and examines them for details to determine whether they are legitimate packets.

Packet sampling uses randomness in the sampling process to prevent synchronization with any periodic patterns in the traffic. On average, 1 in every N packets is captured and analyzed.

Related Research

The Stabilized Random Early Drop (SRED) scheme uses packet sampling to estimate the number of active TCP flows in order to stabilize network buffer occupancy.

Core Stateless Fair Queuing (CSFQ), for fair link-bandwidth allocation, uses packet sampling to reduce the design complexity of core routers.

Packet filtering is also used to infer network traffic and routing characteristics when determining baselines for the network.

Related Research

Game theory has been used extensively to model different networking problems.

This research is closely related to the drug interdiction models from the paper “Two-Person Zero-Sum Games for Network Interdiction” by Washburn, A., and Wood, K.

Related Research: SRED

SRED: Stabilized RED

SRED is a packet sampling mechanism that was designed to identify flows that are taking more than a fair share of bandwidth.

It makes packet sampling simpler because only packet headers need to be examined.

It pre-emptively discards packets with a load-dependent probability when a buffer in a router in the Internet or an intranet seems congested.

It has an additional feature that, over a wide range of load levels, helps it stabilize its buffer occupation at a level independent of the number of active connections.

It does this by estimating the number of active connections or flows. This estimate is obtained without collecting or analyzing state information on individual flows.

Related Research: Core Stateless Fair Queuing (CSFQ)

Core-Stateless Fair Queueing: Achieving Approximately Fair Bandwidth Allocations in High Speed Networks

A fair bandwidth allocation mechanism that conducts packet sampling based on header information.

Edge routers maintain per-flow state; they estimate the incoming rate of each flow and insert a label into each packet header based on this estimate.

Core routers maintain no per-flow state; they use FIFO packet scheduling augmented by a probabilistic dropping algorithm that uses the packet labels and an estimate of the aggregate traffic at the router.

This probabilistic dropping algorithm uses the information in the packet labels along with the router's own measurement of the aggregate traffic to clear the congestion.

Related Research: Passive packet measurement

A framework for packet sampling that is general enough to serve as the basis for a wide range of operational tasks, and needs only a small set of packet selectors that facilitate ubiquitous deployment in router interfaces or dedicated measurement devices, even at very high speeds.

The framework also covers reporting and exporting functions used by the sampling element, and configuration of the sampling element.

All reported quantities that relate to the packet treatment MUST reflect the router state and configuration.

Related Research: Game Theory

Game theory is a branch of applied mathematics that is often used in the context of economics. It studies strategic interactions between agents. In strategic games, agents choose strategies which will maximize their return, given the strategies the other agents choose. The essential feature is that it provides a formal modeling approach to social situations in which decision makers interact with other agents.

The first known discussion of game theory occurred in a letter written by James Waldegrave in 1713. In this letter, Waldegrave provides a minimax mixed strategy solution to a two-person version of the card game le Her.

Minimax (sometimes minmax) is a method in decision theory for minimizing the maximum possible loss.

A mixed strategy is a strategy which chooses randomly between possible moves. The strategy has some probability distribution which corresponds to how frequently each move is chosen.

Related Research: Two-person zero-sum game

Games with only two players in which one player wins what the other player loses.

The problem for the service provider is to find a probabilistic “arc inspection strategy” which maximizes the probability of detecting the adversary, called the interdiction probability, while the problem of the adversary is to find a path selection strategy which minimizes the interdiction probability.

Related Research

There have been papers published on IDS, sampling, and game-theoretic frameworks. However, no known previous research has modeled intrusion detection via sampling in communication networks using a game-theoretic framework.

This work differs from the drug interdiction models in two ways. First, in the drug interdiction models the objective is to deploy agents, which is a discrete allocation problem. In this case, the detection is by means of sampling, so the game theoretic results are much more natural than in the discrete allocation models.

Secondly, in this case, the game theoretic problem naturally leads to a routing problem (to maximize the service provider’s chances of detecting intruding packets) which is absent in the drug interdiction problem. The solution to the game theoretic formulation is a maximum flow problem and the routing problem can be formulated as a multi-commodity flow problem.

Explanation of the Network Intrusion Game: Two Players

The intruders
The service provider

Given a network, the considerations are:
N: set of nodes
E: set of unidirectional links in the network
M: links between the nodes
P: the number of links between any given two nodes
W: the link capacity

Explanation of the Network Intrusion Game

The playing field

The adversary:
- Objective is to reach a desired target with a malicious packet
- Sampling boundary is the maximum rate at which an ID node can process packets in REAL TIME
- Knows the topology of the network and the detection probability
- Is able to choose paths for injecting network packets

The service provider:
- Objective is to sample the malicious packet
- Can sample and examine network packets
- Knows the topology of the network and the detection probability

In some cases a shortest-path algorithm is always used (this makes it easier to know how packets will traverse the network).

Explanation of the Network Intrusion Game

The Intruders Strategy

The adversary chooses a path based on a feasibility probability that will determine the most probable path in a set of paths.

If a link has traffic Fe flowing on it and is sampled at rate Se, the probability of detecting a malicious packet on this link is the sampling rate divided by the traffic flow rate, Pe = Se/Fe.

The adversary can also take into account that the sampling rate will be less than the sampling budget.

Ultimately the adversary would like to minimize the expected number of times a packet is detected as it goes from source to destination.

Explanation of the Network Intrusion Game

The Service Provider’s Strategy

The service provider determines a set of links on which sampling has to be done.

Then, for each such link, a sampling rate must be chosen that does not exceed the sampling budget.

A malicious packet on the link can be detected with probability Pe = Se/Fe.

Therefore a vector of probabilities calculated for all links sampled can be represented by

Determine the strategy of the adversary so that a counter strategy can be formed to maximize the expected number of times a packet is detected as the adversary sends it from source to destination.

Explanation of the Network Intrusion Game (two figure-only slides; the figures did not survive extraction)

Explanation of the Network Intrusion Game: Example

Max flow = Mat(f) = 11.5, sampling budget B = 5, a = 1, t = 5

Intruder strategy:
- Insert the packet along 1 -> 2 -> 5 with probability 7.0/11.5
- Insert the packet along 1 -> 2 -> 6 -> 5 with probability 5.0/11.5
- Insert the packet along 1 -> 3 -> 4 -> 5 with probability 4.0/11.5

Service provider strategy: sample on the minimum cut
- Sampling rate on 1 -> 2 = (5 * 7.5)/11.5
- Sampling rate on 4 -> 5 = (5 * 4.0)/11.5

Detection probability on each sampled link (Pe = Se/Fe) = 5/11.5

If B < Mat(f) there is a chance that the malicious packet will make it to the destination without being sampled.
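Added example (written for this page, not code from the paper or the presentation) covering the intruder and service-provider strategy slides and the example above: a Python model of the game on a constructed network with assumed link flows f_e, a = 1, t = 5 and B = 5, chosen so that Mat(f) = 11.5 and the minimum cut is {1->2, 4->5}. It computes Mat(f) with Edmonds-Karp, the intruder's mixed strategy by decomposing the max flow into paths (probability = path flow / Mat(f)), and the provider's sampling rates S_e = B * f_e / Mat(f) on the cut links, which give P_e = B/Mat(f) = 5/11.5 on every cut link; in this constructed instance the three path flows come out as 2.5, 5.0 and 4.0, which sum to the max flow.

```python
from collections import defaultdict, deque
# Constructed link flows f_e (assumption), modelled on the slide example: a = 1, t = 5, B = 5.
LINK_FLOW = {(1, 2): 7.5, (2, 5): 2.5, (2, 6): 5.5, (6, 5): 5.5,
             (1, 3): 6.0, (3, 4): 6.0, (4, 5): 4.0}

def max_flow(cap, a, t):
    """Edmonds-Karp: returns (Mat(f), edge flows, source side of a minimum a-t cut)."""
    flow, adj = defaultdict(float), defaultdict(set)
    for u, v in cap:
        adj[u].add(v); adj[v].add(u)              # reverse arcs for the residual graph
    res = lambda u, v: cap.get((u, v), 0.0) - flow[(u, v)] + flow[(v, u)]
    while True:
        parent, queue = {a: None}, deque([a])
        while queue and t not in parent:          # BFS for a shortest augmenting path
            u = queue.popleft()
            for v in sorted(adj[u]):
                if v not in parent and res(u, v) > 1e-9:
                    parent[v] = u; queue.append(v)
        if t not in parent:                       # reachable set = source side of a min cut
            return sum(flow[(u, t)] - flow[(t, u)] for u in adj[t]), dict(flow), set(parent)
        path, v = [], t
        while parent[v] is not None:
            path.append((parent[v], v)); v = parent[v]
        delta = min(res(u, v) for u, v in path)
        for u, v in path:                         # cancel reverse flow first, then push forward
            cancel = min(delta, flow[(v, u)])
            flow[(v, u)] -= cancel; flow[(u, v)] += delta - cancel

def path_decomposition(flow, a, t):
    """Split the (acyclic) a-t flow into (path, weight) pairs."""
    f = {e: x for e, x in flow.items() if x > 1e-9}; paths = []
    while any(u == a for u, _ in f):
        path = [a]
        while path[-1] != t:                      # walk positive-flow edges until the target
            path.append(next(v for u, v in f if u == path[-1]))
        edges = list(zip(path, path[1:]))
        w = min(f[e] for e in edges)
        for e in edges:
            f[e] -= w
            if f[e] <= 1e-9: del f[e]
        paths.append((tuple(path), w))
    return paths

def solve_game(link_flow, a, t, budget):
    value, flow, src_side = max_flow(link_flow, a, t)
    intruder = {p: w / value for p, w in path_decomposition(flow, a, t)}  # P(path) = flow / Mat(f)
    # Provider: sample only min-cut links at S_e = B * f_e / Mat(f), so P_e = S_e / f_e = B / Mat(f)
    cut = [e for e in link_flow if e[0] in src_side and e[1] not in src_side]
    rates = {e: budget * link_flow[e] / value for e in cut}
    return value, intruder, rates, min(1.0, budget / value)
```

solve_game returns Mat(f), the intruder's path probabilities, the provider's per-link sampling rates (which sum to B) and the value of the game B/Mat(f).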

Explanation of the Network Intrusion Game

Routing to improve the value of the game

The service provider also has the ability to change routes between devices to maximize the probability of detecting the malicious packet.

When designing these routes it is important to consider the flow cut: the maximum flow in a network is dictated by its bottleneck.

Between any two nodes, the quantity of material flowing from one to the other cannot be greater than the weakest set of links somewhere between the two nodes.

Explanation of the Network Intrusion Game

Routing to improve the value of the game

The service provider can route the demand so that the maximum link utilization is minimized. This will increase the probability of detecting the malicious packet.

k: a commodity in the network
s(k): source node for k
d(k): destination node for k
b(k): amount of bandwidth between the s(k) and d(k) pair

Explanation of the Network Intrusion Game

Routing to improve the value of the game

Proposed solutions for optimizing network flow when changing routes in the network:

Flow flushing: based on link capacity and the flow on the link.

Cut saturation: based on directing traffic flow away from saturated links until the link is not as saturated anymore.

Optimizing network routing: Flow Flushing

Routing the different source/destination pair demands controls the flow on the links.

Mat(f) + Mat(c-f) Mat(c)

This is a multi-commodity flow problem with K+1 commodities: the K original commodities plus one additional commodity between a and t.

Optimizing network routing: Cut saturation

The maximum flow between a and t is upper bounded by the size of the a-t cut.

Determine the highest flow within the routing rules from s to t.
Then choose the minimum a-t cut and saturate it.
Making the cut small limits the maximum a-t flow.

Explanation of the Network Intrusion Game

The shortest path routing game

Using the shortest-path algorithm, the network becomes static and it is easier to compute the maximum flow as well as the cut on a tree.

Results: Three cases

1) Routing to minimize the highest utilized link, with f1 representing the m-vector of link flows resulting from this routing algorithm.

2) Routing with the flow flushing algorithm, with f2 representing the m-vector of link flows resulting from this routing algorithm.

3) Routing with the cut saturation algorithm, with f3 representing the m-vector of link flows resulting from this routing algorithm.

Conclusions

Packet examining is a proven method for intrusion detection.

Sampling packets at an efficient rate will provide sufficient intrusion detection, given that the sample rate is chosen precisely so that it is not too frequent for the network to handle but frequent and intelligent enough for the probability of detection to be high.

This is a good strategy for implementing intrusion detection, but it is important to keep in mind the capacity of the network in relation to the rate of sampling. The larger and more complex the network becomes, the more the sampling rate must increase and the more intelligent the design of the sampling scheme must be.

References

Ott, T. J., Lakshman, T. V., and Wong, L. H., “SRED: Stabilized RED”, Proceedings of Infocom 1999, pp. 1346-1355, 1999.

Pan, R., Prabhakar, B., and Psounis, K., “CHOKe, A Stateless Active Queue Management Scheme for Approximating Fair Bandwidth Allocation”, Proceedings of Infocom 2000, pp. 942-951, 2000.

Washburn, A., and Wood, K., “Two-Person Zero-Sum Games for Network Interdiction”, Operations Research, 43, pp. 243-251, 1995.

Huang, C.-T., Johnson, N. L., Janies, J., and Liu, A. X., “On Capturing and Containing E-mail Worms”, University of South Carolina and The University of Texas at Austin.