Detecting network intrusions via sampling: a game theoretic approach

In this paper, we consider the problem of detecting an intruding packet in a communication network. Detection is accomplished by sampling a portion of the packets transiting selected network links (or router interfaces). Since sampling incurs network costs (real-time packet sampling and packet examination hardware), we want a packet sampling strategy that detects network intrusions effectively without exceeding a given total sampling budget. We consider this problem in a game theoretic framework: the intruder picks paths (or the network ingress point, if only shortest path routing is possible) to minimize the chance of detection, and the network operator chooses a sampling strategy to maximize the chance of detection. We formulate the game theoretic problem and develop sampling schemes that are optimal in this setting.
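To make the formulation concrete, here is an added worked example (it is not code from the paper). It assumes a constructed topology with unit-capacity directed links, an intruder ingress `s` and a target `t`, and a simplified detection model in which the probability that an intruder packet is caught along a path is the sum of the per-link sampling rates on that path, capped at 1. The operator's strategy shown spreads the budget uniformly over the links of a minimum s-t cut; every intruder path must cross that cut, and because a max-flow of F edge-disjoint paths can together absorb at most the whole budget, no allocation can guarantee more than budget/F. The code checks this by enumerating all intruder paths, computing the intruder's best response, and comparing against a naive uniform allocation over all links.

```python
from collections import deque

# Constructed example topology (not from the paper): directed links, unit
# capacity each, intruder ingress "s", protected target "t".
LINKS = [
    ("s", "a"), ("s", "b"), ("a", "c"), ("b", "c"),
    ("a", "d"), ("b", "d"), ("c", "t"), ("d", "t"),
]


def max_flow_min_cut(links, source, sink):
    """Edmonds-Karp on unit capacities; returns (max_flow, min_cut_links)."""
    cap, adj = {}, {}
    for u, v in links:
        cap[(u, v)] = cap.get((u, v), 0) + 1
        cap.setdefault((v, u), 0)
        adj.setdefault(u, []).append(v)
        adj.setdefault(v, []).append(u)
    flow = 0
    while True:
        parent, queue = {source: None}, deque([source])
        while queue and sink not in parent:
            u = queue.popleft()
            for v in adj.get(u, []):
                if v not in parent and cap[(u, v)] > 0:
                    parent[v] = u
                    queue.append(v)
        if sink not in parent:
            break
        v = sink  # unit capacities: each augmenting path carries one unit
        while parent[v] is not None:
            u = parent[v]
            cap[(u, v)] -= 1
            cap[(v, u)] += 1
            v = u
        flow += 1
    # Nodes still reachable from the source in the residual graph form the
    # source side of a minimum cut; links leaving that side are the cut.
    reachable = set(parent)
    cut = [(u, v) for (u, v) in links if u in reachable and v not in reachable]
    return flow, cut


def simple_paths(links, source, sink):
    """All simple source->sink paths, each as a tuple of links (intruder's pure strategies)."""
    out = {}
    for u, v in links:
        out.setdefault(u, []).append(v)
    paths = []

    def dfs(node, visited, edges):
        if node == sink:
            paths.append(tuple(edges))
            return
        for nxt in out.get(node, []):
            if nxt not in visited:
                dfs(nxt, visited | {nxt}, edges + [(node, nxt)])

    dfs(source, {source}, [])
    return paths


def path_detection(path, sampling):
    # Modelling assumption: additive per-link sampling rates, capped at 1.
    return min(1.0, sum(sampling.get(link, 0.0) for link in path))


def intruder_best_response(paths, sampling):
    """The intruder picks the path with the lowest detection probability."""
    return min((path_detection(p, sampling), p) for p in paths)


def min_cut_sampling(links, source, sink, budget):
    """Operator strategy: spend the budget evenly on the links of a minimum cut."""
    flow, cut = max_flow_min_cut(links, source, sink)
    rate = min(1.0, budget / flow)
    return {link: rate for link in cut}, flow, cut


def uniform_sampling(links, budget):
    """Naive baseline: spread the budget evenly over every link."""
    return {link: budget / len(links) for link in links}


def solve_game(links, source, sink, budget):
    """Value of the sampling game under the min-cut strategy, with the intruder's reply."""
    sampling, flow, cut = min_cut_sampling(links, source, sink, budget)
    paths = simple_paths(links, source, sink)
    value, path = intruder_best_response(paths, sampling)
    return {"max_flow": flow, "cut": cut, "sampling": sampling,
            "value": value, "intruder_path": path, "n_paths": len(paths)}


if __name__ == "__main__":
    result = solve_game(LINKS, "s", "t", budget=0.5)
    print("max flow:", result["max_flow"], "min cut:", result["cut"])
    print("game value (detection prob.):", result["value"])
    naive, _ = intruder_best_response(simple_paths(LINKS, "s", "t"),
                                      uniform_sampling(LINKS, 0.5))
    print("uniform allocation lets the intruder get down to:", naive)
```

With a budget of 0.5 and a max flow of 2 the operator guarantees a detection probability of 0.25 on every path, whereas spreading the same budget over all eight links leaves the intruder a path with only 0.1875. Raising the budget above the max flow caps every cut link at rate 1, so the value reaches 1.0.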
