Game theoretic models for detecting network intrusions

In this paper, we study using game theory the problem of detecting intrusions in wired infrastructure networks. Detection is accomplished by sampling a subset of the transmitted packets over selected network links or router interfaces. Given a total sampling budget, our framework aims at developing a network packet sampling strategy to effectively reduce the success chances of an intruder. We consider two different scenarios: (1) A well informed intruder divides his attack over multiple packets in order to increase his chances of successfully intruding a target domain. (2) Different cooperating intruders distribute the attack among themselves each send their attack fragments to the target node. Each of the packets containing a fragment of the attack is transmitted through a different path using multi-path routing, where each path is selected with a different probability. Knowing that, if these packets are independently analyzed then the intrusion will not be detected, i.e., a series of packets form an intrusion. To the best of our knowledge, there has not been any work done for the case where the attack is split over multiple packets or distributed over cooperative intruders using game theory. Non-cooperative game theory is used to formally express the problem, where the two players are: (1) the smart intruder or the cooperative intruders (depends on which scenario we are solving) and (2) the Intrusion Detection System (IDS). Our game theoretic framework will guide the intruder or the intruders to know their attack strategy and the IDS to have an optimal sampling strategy in order to detect the malicious packets.