GLOBAL GUARD MEETING
February 23, 1999
3085 ENG II
1:00-2:00 p.m.
In attendance:
Karl Levitt (KL), David O’Brien (DOB), David Klotz (DK) and Steven Templeton (ST)


TOPICS
CIDF is looking at Correlation and GIDOs
Potential Project for David O’Brien to consider
CYC versus CLIPS
Data Fusion, Sensor Fusion and Codebook Definitions
    1. CIDF is looking at Correlation and GIDOs and would like us to look at a couple of test cases
      1. SMURF attack
        1. Various report hosts could lie
        2. ICMP Echo Ping Broadcast Address – Is it flooding or a SMURF attack?
        3. With sniffer sensor it is possible to detect:
          1. See someone pings the broadcast address
          2. Percentage of Traffic
          3. Number of Hosts that reply to ping
        4. Host could tell you
          1. Round-trip time
          2. Amount of congestion (Number of packets in/out)
          3. NFS timeouts
        5. Can infer about these readings that:
          1. It’s a serious matter.
          2. Services are impacted.
          3. SMURF attack
      2. CIDF is coming up with a vocabulary for correlation (but won’t do the actual correlation)
      3. ST: Need to consider what else may have caused the same situation (to avoid false correlation)
        1. Take a knowledge-based approach and organize information.
        2. Use CYC as a reference or model
        3. How to code probable uncertainties
        4. Certainty Value (Ex. 0.1 SMURF; 0.9 Other Cause)
        5. Ad hoc numbers – way of specifying uncertainty
        6. Likelihood of something is too difficult to determine
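The SMURF test case above, as an added example that is not part of the meeting notes: it takes constructed sniffer records and a constructed host report, extracts the indicators listed (ping to the broadcast address, share of traffic, number of replying hosts, round-trip time, congestion, NFS timeouts) and combines them into ad hoc certainty values, so that the same congestion caused by plain ICMP flooding is not mis-correlated as a SMURF. All addresses, counts and weights are assumptions, not values from the meeting.

```python
# Constructed sample traffic: (src, dst, proto, detail). Not from the meeting notes.
BROADCAST = "192.168.1.255"
SMURF_TRAFFIC = [
    ("10.0.0.9", BROADCAST, "icmp", "echo-request"),       # ping to broadcast address
    ("192.168.1.2", "10.0.0.9", "icmp", "echo-reply"),
    ("192.168.1.3", "10.0.0.9", "icmp", "echo-reply"),
    ("192.168.1.4", "10.0.0.9", "icmp", "echo-reply"),
    ("192.168.1.5", "10.0.0.9", "icmp", "echo-reply"),
    ("192.168.1.2", "192.168.1.10", "tcp", "syn"),
]
# Same ICMP volume aimed at one host, no broadcast ping, no amplifying replies
FLOOD_TRAFFIC = [("10.0.0.9", "192.168.1.10", "icmp", "echo-request")] * 5 + [
    ("192.168.1.2", "192.168.1.10", "tcp", "syn"),
]
CONGESTED_HOST = {"rtt_ms": 900, "pkts_in": 950, "pkts_out": 50, "nfs_timeouts": 4}

def sniffer_features(records, broadcast):
    """What a sniffer sensor can see: broadcast ping, ICMP share, hosts replying."""
    icmp = [r for r in records if r[2] == "icmp"]
    responders = {r[0] for r in icmp if r[3] == "echo-reply"}
    return {
        "broadcast_ping": any(r[1] == broadcast and r[3] == "echo-request" for r in icmp),
        "icmp_fraction": len(icmp) / len(records),
        "responders": len(responders),
    }

def host_features(host):
    """What the host itself reports: round-trip time, congestion, NFS timeouts."""
    return {
        "congested": host["rtt_ms"] > 200 or host["nfs_timeouts"] > 0,
        "in_out_ratio": host["pkts_in"] / max(host["pkts_out"], 1),
    }

def correlate(sniffer, host):
    """Ad hoc certainty values (as discussed in the meeting), not calibrated probabilities."""
    smurf = 0.0
    # Evidence only a SMURF produces; weighted higher than host reports, which could lie
    if sniffer["broadcast_ping"]:
        smurf += 0.4
    if sniffer["responders"] >= 3:
        smurf += 0.3
    # Shared evidence: heavy ICMP plus a congested host also fits plain flooding
    if sniffer["icmp_fraction"] > 0.5 and host["congested"]:
        smurf += 0.2
    serious = host["congested"] and host["in_out_ratio"] > 5
    return {"SMURF": round(smurf, 2), "other cause": round(1 - smurf, 2), "serious": serious}

if __name__ == "__main__":
    for name, traffic in (("smurf", SMURF_TRAFFIC), ("flood", FLOOD_TRAFFIC)):
        print(name, correlate(sniffer_features(traffic, BROADCAST), host_features(CONGESTED_HOST)))
```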
    2. Potential Project for David O’Brien to consider
      1. Project with Jim Just (organize knowledge base)
      2. Sami wants Karl to organize a correlation workshop
      3. CIDF group work
    3. CYC versus CLIPS
      1. CYC is a commercial product, has better hashing and RETE enhancements, and used to be a huge LISP program
      2. ECLIPS and Fuzzy CLIPS are two commercial products derived from CLIPS; CLIPS itself is free and well understood
    4. Data Fusion, Sensor Fusion and Codebook Definitions
      1. ST: Data Fusion is an idea in the large with wide collection of data from any source that results in conclusions
      2. Sensor Fusion is data from a specific sensor
      3. Codebook – the definition involves taking all possible sets of parameter values for a feature set in a connect classification and doing nearest-neighbor mapping, generating a training set for all values.