Countering Dos Attacks with Stateless Multipath Overlays - PowerPoint PPT Presentation

Slides: 37
Provided by: zha77
Learn more at: https://www.cse.sc.edu
Transcript and Presenter's Notes


1
Network Intrusions via Sampling: A Game
Theoretic Approach
Written by Murali Kodialam (Bell Labs) and
T.V. Lakshman (Bell Labs)
Presented by Zhiqi Zhang
2009-03-25
2
Structure of this Presentation
  • Introduction
  • Problem Definition
  • Solution of the Game
  • Routing to Improve the Value of the Game
  • Experimental Results
  • Conclusions

2009-03-16
3
  • Intrusion in a network: typically, in an intrusion
    problem, the intruder attempts to gain access to
    a particular file server or website in the
    network.
  • Includes denial of service attacks and viruses
    introduced into the network
  • Two key areas in security
    • Intrusion detection
      • In this paper, the problem is that the intruder
        attempts to send a malicious packet to a given
        node in the network. The service provider
        attempts to detect this intrusion. The detection
        mechanism is packet sampling and examination in
        the network.
    • Intrusion prevention

4
  • Packet Sampling: some portion of the packets
    traversing designated links (or router
    interfaces) are sampled and examined in detail to
    determine whether the packet is an intruder
    packet.
  • Different networking purposes of packet sampling
    • To estimate the number of active TCP flows in
      order to stabilize network buffer occupancy for
      TCP traffic.
    • To allocate link bandwidth fairly
    • To infer network traffic and routing
      characteristics
  • All these applications require only sampling
    based on packet header comparisons.

5
  • Requirements of sampling for intrusion detection
    • More thorough examination of sampled packets than
      in all the above applications
    • Near line-speed packet sampling and examination,
      because copying sampled packets or packet headers
      for off-line analysis is not sufficient to
      prevent intruding packets from getting through.
  • Hence, it is imperative to keep the sampling
    costs in mind. This is also the motivation of
    this research.

6
  • Game theory has been used extensively to model
    different networking problems.
    • Shenker, S., Making Greed Work in Networks: A
      Game-Theoretic Analysis of Switch Service
      Disciplines, IEEE/ACM Transactions on
      Networking, 1995.
    • Akella, A., Karp, R., Papadimitriou, C., Seshan,
      S., Shenker, S., Selfish Behavior and the
      Stability of the Internet: A Game Theoretic
      Analysis of TCP, Proceedings of SIGCOMM 2002,
      2002.
    • Korilis, Y., Lazar, A., Orda, A., Architecting
      Noncooperative Networks, IEEE Journal on Selected
      Areas in Communications, pp. 1241-1251, September
      1995.
  • This is the first time intrusion detection via
    sampling in communication networks has been
    modeled using a game-theoretic framework.

7
  • This work is closely related to drug interdiction
    models.
    • Washburn, A., and Wood, K., Two-Person Zero-Sum
      Games for Network Interdiction, Operations
      Research, 43, pp. 243-251, 1995.
  • Two differences between this work and the drug
    interdiction models
    • The detection is by means of sampling, so the
      results are much more natural.
    • The game-theoretic problem naturally leads to a
      routing problem (to maximize the service
      provider's chances of detecting intruding
      packets)

8
  • Game theory attempts to mathematically capture
    behavior in strategic situations, in which an
    individual's success in making choices depends on
    the choices of others.
  • Types of games
    • Cooperative or non-cooperative games
    • Zero-sum and non-zero-sum games
    • Symmetric and asymmetric games

9
PROBLEM DEFINITION
  • Network Set-Up
    • We consider a network G = (N, E)
    • N: set of nodes (s, u, v, m, t)
    • E: set of unidirectional links in the network
      (e1, e2, e3, ...)
    • c_e: capacity of link e ∈ E
    • f_e: the amount of traffic flowing on link e
    • P_st: the set of paths from s to t in G

10
PROBLEM DEFINITION
  • Two players: the Service Provider and the
    Intruder
  • Intruder's Objective
    • Inject a malicious packet from attack node a in
      order to attack target node t
  • Service Provider's Objective
    • Detect and prevent the intrusion
    • To do so, we assume that the service provider
      can sample packets along the links of the network
      looking for malicious packets.

11
PROBLEM DEFINITION
  • We assume that
    • The intruder wins when the malicious packet
      reaches the desired target node t without
      detection.
    • The service provider wins if it samples the
      malicious packet during the course of sampling.

12
PROBLEM DEFINITION
  • The Objective and the Constraints of the Game
    • The service provider is given a sampling bound of B
      packets per second
    • If the service provider could sample EVERY packet, it
      could always win
    • The sampling of B packets per second can be
      arbitrarily distributed over all links in the
      network
    • The probability of detecting a malicious packet on a
      given link is p_e = s_e / f_e, where s_e is the
      sampling rate on link e and f_e is the amount of
      traffic flowing on link e

13
PROBLEM DEFINITION
  • Strategies for the Two Players
    • Intruder
      • Pick a path (or a distribution over paths) to send
        the malicious packet from a to t
      • Probability distribution over the paths P_at such that
    • Service Provider
      • Choose the sampling rates for the network links
        that will give the greatest probability of
        detecting an attack
      • U = { p : Σ_{e∈E} p_e f_e ≤ B } is the set of possible
        detection probability vectors that are within the
        sampling budget B

14
PROBLEM DEFINITION
15
PROBLEM DEFINITION
16
PROBLEM DEFINITION
  • Payoff Matrix
    • The payoff is the expected number of times the
      malicious packet is detected as it goes from a to
      t.
    • For a given path P in P_at, the payoff is
    • The probability that this path P is picked by the
      intruder is q(P)
    • The payoff is
    • Interchanging the order of summation, we get
    • This can be equivalently written in matrix form
      as q^T M p

17
PROBLEM DEFINITION
  • Payoff Matrix
    • The payoff is
    • This can be equivalently written in matrix form
      as q^T M p
    • M

18
PROBLEM DEFINITION
  • Objective of the Intruder
    • The service provider wants to maximize this number
    • But the intruder knows this, and tries to pick a
      distribution q(·) that minimizes this maximum
      value
    • Intruder's objective

19
PROBLEM DEFINITION
  • Objective of the Service Provider
    • The intruder wants to minimize this number
    • But the service provider knows this, and tries to
      maximize the intruder's minimum
    • Service provider's objective

20
SOLUTION OF THE GAME
  • This is a classical two-person zero-sum game
  • There exists an optimal solution to the intrusion
    detection game
  • The value of the game is B / Mat(f)
    • Mat(f) is the max flow that can be sent from node a
      to t with f as the link capacities
    • B is the sampling bound

21
SOLUTION OF THE GAME
  • The Intruder's Strategy
    • Decompose the max flow into flows on
      paths P1, P2, ..., Pl from a to t with flows
      m1, m2, ..., ml
    • Introduce the malicious packet along the path Pi
      with probability m_i / Mat(f)
  • The Service Provider's Strategy
    • Compute the maximum flow from a to t
      using f_e as the capacity of link e
    • Let e1, e2, ..., er represent the links of the
      corresponding minimum cut, carrying flows f1, f2, ...,
      fr
    • Sample link e_i at rate B · f_i / Mat(f)

22
SOLUTION OF THE GAME (example)
Max flow Mat(f) = 11.5, sampling budget B = 5
  • The Intruder's Strategy
    • Introduce the malicious packet along the path
      1-2-5 with probability 7.0 / 11.5
    • Introduce the malicious packet along the path
      1-2-6-5 with probability 0.5 / 11.5
    • Introduce the malicious packet along the path
      1-3-4-5 with probability 4.0 / 11.5
  • The Service Provider's Strategy
    • Sample link 1-2 at rate 5 / 11.5, giving a total
      sampling rate of (5 x 7.5) / 11.5 on that
      link
    • Sample link 4-5 at rate 5 / 11.5, giving a total
      sampling rate of (5 x 4.0) / 11.5 on that
      link
  • Game value = 5 / 11.5
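Added worked example (not from the slides or from the Kodialam and Lakshman paper): a Python script that computes both optimal strategies of slides 20-22 for the example network and checks that every path the intruder might pick is sampled the same expected number of times, the game value B / Mat(f), which is also the payoff q^T M p of slides 12-17. The link flows are constructed here so that they reproduce the slide's numbers (Mat(f) = 11.5, min cut {1-2, 4-5}, path flows 7.0, 0.5 and 4.0); the function names are the example's own.

```python
from collections import deque
# Constructed link flows f_e (packets/s); the values are chosen to reproduce the
# slide's example: Mat(f) = 11.5 from node 1 to node 5, min cut {1-2, 4-5}.
FLOWS = {(1, 2): 7.5, (2, 5): 7.0, (2, 6): 1.0, (6, 5): 1.0,
         (1, 3): 6.0, (3, 4): 5.0, (4, 5): 4.0}

def bfs_path(weights, a, t):
    """Shortest a->t path (list of links) over links with positive weight, else None."""
    parent, queue = {a: None}, deque([a])
    while queue and t not in parent:
        u = queue.popleft()
        for (x, v), w in weights.items():
            if x == u and w > 0 and v not in parent:
                parent[v] = u
                queue.append(v)
    if t not in parent:
        return None
    path, v = [], t
    while parent[v] is not None:
        path.append((parent[v], v))
        v = parent[v]
    return path[::-1]

def solve_game(f, a, t, B):
    """Value B/Mat(f), Mat(f), intruder path distribution q and provider sampling rates s."""
    res = {}                                   # residual graph with f as capacities
    for (u, v), c in f.items():
        res[(u, v)] = c
        res.setdefault((v, u), 0.0)
    flow, mat = {e: 0.0 for e in f}, 0.0
    while (p := bfs_path(res, a, t)) is not None:          # Edmonds-Karp max flow
        b = min(res[e] for e in p)
        for (u, v) in p:
            res[(u, v)] -= b
            res[(v, u)] += b
            if (u, v) in f: flow[(u, v)] += b
            else: flow[(v, u)] -= b
        mat += b
    rem, q = dict(flow), {}                    # intruder: decompose max flow into paths
    while (p := bfs_path(rem, a, t)) is not None:
        m = min(rem[e] for e in p)
        for e in p: rem[e] -= m
        q[(a,) + tuple(v for _, v in p)] = m / mat        # q(P_i) = m_i / Mat(f)
    S = {v for e in f for v in e if bfs_path(res, a, v) is not None}   # residual-reachable
    s = {e: B * f[e] / mat for e in f if e[0] in S and e[1] not in S}  # cut: B f_i / Mat(f)
    return B / mat, mat, q, s

def expected_detections(path, s, f):
    """Payoff of one path: sum of p_e = s_e / f_e over its links (0 off the cut)."""
    return sum(s.get(e, 0.0) / f[e] for e in zip(path, path[1:]))
```

Running `solve_game(FLOWS, 1, 5, 5.0)` gives the three slide paths with probabilities 7.0/11.5, 0.5/11.5 and 4.0/11.5, the sampling rates on links 1-2 and 4-5, and `expected_detections` returns 5/11.5 for each of them.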

23
Observation
  • Since the service provider samples packets on the
    minimum cut, for any path the intruder would
    choose, the malicious packet will be sampled at
    most once.
  • If B > Mat(f), the malicious packet will always
    be detected
  • If B < Mat(f), then there is some probability
    that the malicious packet will not be detected

24
ROUTING TO IMPROVE THE VALUE OF THE GAME
  • The previous solution B / Mat(f) assumes a fixed link
    flow f
  • In reality the service provider can adjust the flows
    in the network to maximize the value of the game
  • Objective of the Service Provider
    • Route the source-destination demands to minimize
      Mat(f).
  • Two Different Ways to Achieve this Objective
    • Flow Flushing Algorithm
    • Cut Saturation Algorithm

25
Flow Flushing Algorithm
  • The flow on the links is the result of routing the
    different source-destination demands in the
    network.
  • Mat(f) + Mat(c − f) ≤ Mat(c)
    • c: link capacity, f: flow on the link
  • The solution requires a multi-commodity
    (source-destination) flow problem with K + 1
    commodities
    • K original commodities
    • an additional commodity between a and t

26
Flow Flushing Algorithm
The link flows for FFA are shown for the first
network example

Mat(f) = 11.5: game value 5 / 11.5
Mat(f) = 9.95: game value 5 / 9.95
27
Cut Saturation Algorithm

  • This algorithm relies on the fact that the
    maximum flow between a and t is upper bounded by
    the size of any a - t cut.
  • It picks some a - t cut and tries to direct flow
    away from this cut
  • Once the source-destination demands are routed,
    this cut will be small and hence will limit the
    maximum a - t flow
  • How to implement?
    • Let α(e) and β(e) represent the start and end
      nodes of short-cut link e.
    • Introduce two new nodes s and t
    • Introduce an arc between node s and all nodes
      α(e)
    • Introduce an arc between node t and all nodes
      β(e)

28
Cut Saturation Algorithm
The link flows for FFA are shown for the first
network example

Mat(f) = 11.5: game value 5 / 11.5
Mat(f) = 7.0: game value 5 / 7.0
Mat(f) = 9.95: game value 5 / 9.95
29
Shortest Path Routing Game
  • Assumes
    • each link has a length
    • packets are routed from the source to the
      destination along shortest paths according to
      this length metric.
    • ties are broken arbitrarily.
  • Objectives
    • The intruder must determine which node of the
      attack set A to introduce the packet into
    • The service provider must determine the sampling
      rate at the links subject to a sampling budget of
      B
  • Solution
    • The value of the game is B / L(d)
    • L(d) represents the maximum flow that can be sent
      from all the nodes in A to the destination node d



30
EXPERIMENTAL RESULTS
Performed the following experiments:
  • Single attack node and single target node (3
    problems).
  • Multiple attack nodes and single target node (1
    problem).
  • Multiple attack nodes and multiple target nodes (1
    problem).
For each of the cases, three different algorithms
were run:
  1) Routing to minimize the highest utilized link,
     with f1 representing the m-vector of link flows
     resulting from this routing algorithm.
  2) Routing with the flow flushing algorithm, with
     f2 representing the m-vector of link flows
     resulting from this routing algorithm.
  3) Routing with the cut saturation algorithm, with
     f3 representing the m-vector of link flows
     resulting from this routing algorithm.

31
EXPERIMENTAL RESULTS
Let M(f_i) for i = 1, 2, 3 represent the maximum
flow that can be sent from node a to t using f_i
as the link capacities. The value of the game is
B / M(f_i). The smaller the value of M, the better
the chances of detection for a given sampling budget.

32
EXPERIMENTAL RESULTS
From the table, note that the maximum flow value,
and hence the value of the game, can be changed
significantly by changing the routing in the
network. In most of the examples the
performance of the flow flushing algorithm and
the cut saturation algorithm is quite similar,
and better than the simple minimization of
maximum link utilization algorithm.

33
Effect of Capacity on the Value of the Game
  • As the amount of spare capacity in a network
    increases, the opportunity to reroute flows
    increases.
  • The service provider can improve the probability of
    detection by exploiting the spare capacity to
    reroute flows
  • A second experiment was conducted
    • The capacities of the links in this example network are
      fixed at some constant value C.
    • If C increases, the opportunity to reroute flows
      also increases.

34
Effect of Capacity on the Value of the Game
  • As the maximum utilization becomes lower, the
    amount of spare capacity to reroute flows
    increases
  • This implies that both the Flow Flushing
    Algorithm and the Cut Saturation Algorithm will
    have more alternate paths

35
Effect of Capacity on the Value of the Game
As the value of C increases, the maximum flow
decreases, and thus the value of the game increases
36
CONCLUDING REMARKS
  • Because
    • Packet sampling and examination in real time can
      be expensive.
    • The network operator must devise an effective
      sampling scheme to detect intruding packets
      injected into the network by an adversary.
  • Considered the following scenarios
    • The intruder has complete knowledge of the network
      topology
    • The intruder can pick paths in the network
    • The intruder can pick an entry point into the network
      if shortest path routing is being used
  • Proposed
    • The detection via sampling problem was formulated
      in a game-theoretic framework
    • Two algorithms
      • Flow Flushing Algorithm
      • Cut Saturation Algorithm
  • Evaluated
    • the performance of the minmax, flow flushing
      and cut saturation algorithms
