GLOBAL GUARD MEETING
January 19, 1998
3085 ENG II
1:00-2:00 p.m.
In attendance:
Karl Levitt (KL), David O’Brien (DOB), Jeff Rowe (JR) and Steven Templeton (ST)

TOPIC:
Miscellaneous Concerns
Concepts for Global Guard
    1. Miscellaneous Concerns
      1. Quarterly report due 1 month ago (December)
      2. Use of Yemini’s software was approved
        1. JR and DOB - Visit Yemini in April
      3. Information Assurance Visioning Workshop next week (Tues-Wed.)
    2. Concepts for Global Guard
      1. DOB – Focus on technology instead of scenarios
      2. GrIDS – encoding ideas and rules
        1. JR – ad hoc aggregation, not correlation
        2. JR – Add abstract ideas
          1. Every edge now is a network connection or event between machines
          2. Edge – abstract relationship
            1. Ex. Cohen attack is a causal connection not necessarily event
            2. Expand on graphs, scalability
          3. DOB – Are graphs the correct representation/model?
            1. Other types of models include object representation, first-order logic, predicates, semantic nets, UML
          4. What are the limitations of GrIDS and the implementation details?
        3. ST – SMURF attack (broadcast PING to Hosts using forged address – people reply to the victim) – trace back to who sent the original message.
          1. Aggregation of reports
          2. KL – stop attack by telling sites not to respond to it
          3. JR – tell machines not to reply
          4. ST – send message to router saying not to allow pings through
          5. DOB – same as packet filtering
        4. ST – Do we assume that we have IDIP routers or include others? KL: Include others.
      3. KL – Evaluate the best place to do response, criteria or constraints
        1. Stay ahead of the attack
        2. Minimize damage
        3. Best place to stop attack
        4. Game playing – attacker responds to us
        5. ST – solve entire problem or take bites out of sections
      4. Correlation – detect false positives and filter out
        1. ST: Two aspects of correlation
          1. Passive – codebook approach – relates other parts together
          2. Active – search approach – have some information, find things that relate to it. The response is based on information discovered in search.
      5. Discovering root cause
        1. Restrict attacker for 1 minute, 2 minutes, 4 minutes etc. as attacks continue
        2. Problems with spoofing
      6. Prediction
      7. Determining other places/sites compromised
      8. Representation- CIDF S-expressions- tags – language to describe attacks
        1. SIDs – semantic identifiers – no natural language ideas
        2. JR – not clear how you can add two attack together – need ability to build new S-expressions
          1. KL – add function called related
          2. DOB – parse two expressions
          3. JR – will have to write function at different levels
      9. AI analog? Inference network for composition; infusion?
        1. ST – sensor and data fusion
          1. Data fusion – Combine data from a number of sensors to get a better estimate
          2. Sensor fusion – Use all types of imaging sensor from different sources/locations (radar, sonar etc.) and combine abstracted data
            1. KL – sensors at different locations in the network?
      10. How serious are the attacks?
      11. Response, if necessary