GLOBAL GUARD MEETING
January 19, 1998
3085 ENG II
1:00-2:00 p.m.
In attendance: Karl Levitt (KL), David O'Brien (DOB), Jeff Rowe (JR) and Steven Templeton (ST)
TOPICS: Miscellaneous Concerns; Concepts for Global Guard
Miscellaneous Concerns
- Quarterly report due 1 month ago (December).
- Use of Yemini's software was approved.
- JR and DOB: visit Yemini in April.
- Information Assurance Visioning Workshop next week (Tues.-Wed.).

Concepts for Global Guard
- DOB: focus on technology instead of scenarios.
- GrIDS: encoding ideas and rules.
  - JR: ad hoc aggregation, not correlation.
  - JR: add abstract ideas. Every edge now is a network connection or event between machines; an edge should be an abstract relationship.
    - Ex.: the Cohen attack is a causal connection, not necessarily an event.
  - Expand on graphs, scalability.
  - DOB: are graphs the correct representation/model? Other types of models include object representation, first-order logic, predicates, semantic nets, UML.
  - What are the limitations of GrIDS, and the implementation details?
- ST: SMURF attack (broadcast PING to hosts using a forged address; the hosts reply to the victim). Trace back to who sent the original message.
  - Aggregation of reports.
  - KL: stop the attack by telling sites not to respond to it.
  - JR: tell machines not to reply.
  - ST: send a message to the router saying not to allow pings through.
  - DOB: same as packet filtering.
  - ST: do we assume that we have IDIP routers, or include others? KL: include others.
- KL: evaluate the best place to do response; criteria or constraints:
  - Stay ahead of the attack.
  - Minimize damage.
  - Best place to stop the attack.
  - Game playing: the attacker responds to us.
- ST: solve the entire problem, or take bites out of sections?
- Correlation: detect false positives and filter them out.
  - ST: two aspects of correlation:
    - Passive (codebook) approach: relates other parts together.
    - Active (search) approach: have some information, find things that relate to it. The response is based on information discovered in the search.
  - Discovering root cause.
  - Restrict the attacker for 1 minute, 2 minutes, 4 minutes, etc. as attacks continue.
  - Problems with spoofing.
  - Prediction.
  - Determining other places/sites compromised.
- Representation: CIDF S-expressions (tag language to describe attacks).
  - SIDs (semantic identifiers): no natural-language ideas.
  - JR: not clear how you can add two attacks together; need the ability to build new S-expressions.
  - KL: add a function called "related".
  - DOB: parse two expressions.
  - JR: will have to write the function at different levels.
- AI analog? Inference network for composition; infusion?
  - ST: sensor and data fusion.
    - Data fusion: combine data from a number of sensors to get a better estimate.
    - Sensor fusion: use all types of imaging sensor from different sources/locations (radar, sonar, etc.) and combine the abstracted data.
  - KL: sensors at different locations in the network?
- How serious are the attacks?
- Response, if necessary.
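Added example (editor's illustration, not code from the Global Guard, GrIDS or IDIP projects) covering two items discussed above: aggregating per-sensor reports of a SMURF attack into one attack report, and the escalating restriction (1, 2, 4 minutes, and so on) applied as the attack recurs. The "key=value" report format, the field names, the sensor names, the /24 subnet assumption and all sample records are constructed for this example. Because the echo request's source is forged, the "origin" it recovers is only the first sensor that observed the request (the ingress point), which is where the filter is placed.

```python
"""Correlate SMURF sensor reports and choose an escalating response.

Added example; not code from the Global Guard / GrIDS / IDIP projects.
Report format, field names, sensor names and sample data are assumptions.
"""
from collections import defaultdict
import ipaddress

# Constructed sample sensor reports. ICMP type 8 = echo request, type 0 =
# echo reply. A SMURF attack is an echo request to a directed-broadcast
# address carrying the victim's address as forged source; every host on
# that network then replies to the victim.
SAMPLE_REPORTS = [
    "t=100 sensor=border-rtr type=8 src=10.9.9.9 dst=192.168.1.255",
    "t=100 sensor=lan-A-rtr type=8 src=10.9.9.9 dst=192.168.1.255",
    "t=101 sensor=lan-A-rtr type=0 src=192.168.1.10 dst=10.9.9.9",
    "t=101 sensor=lan-A-rtr type=0 src=192.168.1.11 dst=10.9.9.9",
    "t=101 sensor=lan-A-rtr type=0 src=192.168.1.12 dst=10.9.9.9",
    "t=101 sensor=lan-A-rtr type=0 src=192.168.1.13 dst=10.9.9.9",
    # Ordinary unicast ping traffic that must not be flagged.
    "t=102 sensor=lan-B-rtr type=8 src=192.168.2.7 dst=192.168.2.8",
    "t=102 sensor=lan-B-rtr type=0 src=192.168.2.8 dst=192.168.2.7",
]


def parse_report(line):
    """Parse one 'key=value ...' report into a dict; t and type become ints."""
    rec = dict(field.split("=", 1) for field in line.split())
    rec["t"] = int(rec["t"])
    rec["type"] = int(rec["type"])
    return rec


def is_directed_broadcast(addr, prefix_len=24):
    """True if addr is the broadcast address of its /prefix_len network.

    The fixed /24 stands in for the real subnet knowledge a site would have.
    """
    net = ipaddress.ip_network(f"{addr}/{prefix_len}", strict=False)
    return ipaddress.ip_address(addr) == net.broadcast_address


def correlate_smurf(lines, min_replies=3, prefix_len=24):
    """Aggregate per-sensor reports into one attack report per victim.

    Returns a list of dicts with the victim (the forged source), the
    amplifier network, the ingress sensor (first to see the request) and
    the number of distinct replying hosts.
    """
    reports = sorted((parse_report(l) for l in lines), key=lambda r: r["t"])
    requests = {}               # victim -> (ingress sensor, amplifier net)
    replies = defaultdict(set)  # victim -> replying hosts
    for r in reports:
        if r["type"] == 8 and is_directed_broadcast(r["dst"], prefix_len):
            net = ipaddress.ip_network(f"{r['dst']}/{prefix_len}", strict=False)
            # setdefault keeps the earliest sensor: the ingress point.
            requests.setdefault(r["src"], (r["sensor"], str(net)))
        elif r["type"] == 0 and r["dst"] in requests:
            replies[r["dst"]].add(r["src"])
    attacks = []
    for victim, (ingress, net) in requests.items():
        if len(replies[victim]) >= min_replies:
            attacks.append({"victim": victim, "amplifier_net": net,
                            "ingress_sensor": ingress,
                            "reply_hosts": len(replies[victim])})
    return attacks


class EscalatingRestriction:
    """Block duration doubles each time the same attack recurs: 1, 2, 4, ... minutes."""

    def __init__(self, first_minutes=1, cap_minutes=60):
        self.first = first_minutes
        self.cap = cap_minutes
        self.strikes = defaultdict(int)

    def respond(self, attack):
        key = (attack["ingress_sensor"], attack["amplifier_net"])
        n = self.strikes[key]
        self.strikes[key] += 1
        minutes = min(self.first * (2 ** n), self.cap)
        # Filter at the ingress router: drop echo requests to the amplifier
        # network's broadcast address. The returned dict is a stand-in for
        # whatever the router's control interface would actually accept.
        return {"where": attack["ingress_sensor"],
                "rule": f"drop icmp echo-request to broadcast of {attack['amplifier_net']}",
                "minutes": minutes}


if __name__ == "__main__":
    policy = EscalatingRestriction()
    for attack in correlate_smurf(SAMPLE_REPORTS):
        print(attack)
        for _ in range(3):
            print(policy.respond(attack))
```

The unicast ping from lan-B is deliberately included so that the broadcast-destination test, not merely "ICMP seen", is what separates the attack from normal traffic; the reply threshold (min_replies) is what turns individual host replies into one aggregated report.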