GLOBAL GUARD MEETING
March 9, 1999
3085 ENG II
1:00-2:00 p.m.
In attendance:
Karl Levitt (KL), David O’Brien (DOB), David Klotz (DK), Jeff Rowe (JR) and Steven Templeton (ST)

TOPICS

CYC Training in Austin
Bayesian vs. Non-Bayesian Beliefs
SMURF Model
    1. CYC Training in Austin
      1. There is a training session from April 6-9th in Austin. JR and DK would be willing to go. ST could make it if the session was in May.
      2. Karl will inquire about dates and deferring costs.
    2. Bayesian vs. Non-Bayesian Beliefs
      1. KL: There is a lack of direction in Global Guard. We have some hard examples, but no easy examples.
      2. ST: There are two schools of thought - Bayesian and Non-Bayesian
        1. Bayesians believe that the actual probability of something occurring takes into account the occurrence of that thing in the general population.
          1. Ex. The chance that you have AIDS is very small when viewed in the context of the general population.
          2. When the symptom is only a 1% indicator of the disease, then the prior statistical knowledge of occurrence in the population is necessary.
        2. DK: When including a temporal distribution, the probability should increase.
      3. Considering a SMURF Attack
        1. For a SMURF attack, you must balance out the low probability (Bayesian) with the strength of the facts/evidence (Non-Bayesian)
        2. When dealing with classification, you don't care about probability, just the evidence. Prior probabilities for computer security attacks may be unknown, constantly changing or may become an epidemic when they are published.
    3. SMURF Model
      1. Dan Schnakenberg is looking at GIDOs (Generalized Intrusion Detection Objects) -- similar to S-expressions
      2. KL: With DOB and ST, I'd like to model the SMURF attack with Bayesian/Non-Bayesian belief networks.
        1. Case 1: a ∉ X; src ∈ X - X; dst = X Attacker is not on target subnet X
        2. Case 2: a ∈ X; src ∈ U; dst = X Attacker is on target subnet X
      3. Motivation
        1. Case 1: src ∈ {X, Y} Attacker attacks one subnet which causes it to attack another subnet (attacking two subnets)
        2. Case 2: src ∉ X ∪ Y - {X, Y} ∪ {G} Single host is being targeted.
      4. Assumption is that what you're seeing is a SMURF attack. If you see a packet crossing the network with the broadcast address, the probability of it being for a legitimate use is only 5%.
        1. If you do response to this attack, you may do a DoS on your network
        2. NMap - flag port scanning - uses bogus IP addresses → coordinated multi-national attack?
      5. ST: Case 3: G can't get through to R, but gets X to attack R.
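
Worked example added after the minutes (not code from Global Guard or any attendee): the Bayesian vs. evidence-only point from topic 2, and the observable part of the SMURF model from topic 3, in runnable Python. The base-rate numbers (0.1% prevalence, 99% sensitivity, 1% false-positive rate), the target subnet 10.1.0.0/24 standing in for X, and the sample packets are all constructed assumptions. The Case 1/Case 2 labels in the minutes refer to where the attacker a sits, which a spoofed trigger packet does not reveal, so the classifier below reports only what is observable: whether the packet is an echo request to X's directed broadcast address, and whether its (spoofed) source, i.e. the reflection victim, is on or off X.

```python
"""Added example for the Global Guard minutes; not project code.

Two ideas from the discussion in runnable form:
  1. Bayesian vs evidence-only scoring: one observation yields a
     prior-dependent posterior but a prior-independent likelihood ratio.
  2. The SMURF trigger: an ICMP echo request to the directed broadcast of
     target subnet X, with the spoofed source either on or off X.
All rates, addresses and packets are constructed assumptions.
"""
from ipaddress import ip_address, ip_network


def posterior(prior, p_ev_given_attack, p_ev_given_benign):
    """Bayes' rule: P(attack | evidence) from a base rate and two likelihoods."""
    p_ev = p_ev_given_attack * prior + p_ev_given_benign * (1.0 - prior)
    return p_ev_given_attack * prior / p_ev


def likelihood_ratio(p_ev_given_attack, p_ev_given_benign):
    """Evidence strength alone (the non-Bayesian view); no prior involved."""
    return p_ev_given_attack / p_ev_given_benign


def base_rate_table(p_ev_given_attack, p_ev_given_benign, priors):
    """(prior, posterior, LR) rows: the posterior moves with the prior, LR does not."""
    lr = likelihood_ratio(p_ev_given_attack, p_ev_given_benign)
    return [(p, round(posterior(p, p_ev_given_attack, p_ev_given_benign), 4), lr)
            for p in priors]


# Constructed target subnet standing in for X in the minutes.
X = ip_network("10.1.0.0/24")


def is_smurf_trigger(pkt, subnet=X):
    """Evidence check: ICMP echo request (type 8) to the subnet's broadcast address."""
    return (pkt["proto"] == "icmp" and pkt["icmp_type"] == 8
            and ip_address(pkt["dst"]) == subnet.broadcast_address)


def smurf_case(pkt, subnet=X):
    """Classify on what the packet shows: is the spoofed source (victim) on X?

    The attacker's own location (Case 1 vs Case 2 in the minutes) is not
    observable here because the source address is forged.
    """
    if not is_smurf_trigger(pkt, subnet):
        return "not-a-trigger"
    return "victim-on-X" if ip_address(pkt["src"]) in subnet else "victim-off-X"


# Constructed sample packets; none are captured traffic.
SAMPLE_PACKETS = [
    {"src": "192.0.2.7",    "dst": "10.1.0.255", "proto": "icmp", "icmp_type": 8},     # X amplifies against outside host
    {"src": "10.1.0.9",     "dst": "10.1.0.255", "proto": "icmp", "icmp_type": 8},     # X floods one of its own hosts
    {"src": "10.1.0.9",     "dst": "10.1.0.255", "proto": "udp",  "icmp_type": None},  # ordinary broadcast, not a trigger
    {"src": "198.51.100.2", "dst": "10.1.0.20",  "proto": "icmp", "icmp_type": 8},     # unicast ping, not a trigger
]


def classify_all(packets, subnet=X):
    return [smurf_case(p, subnet) for p in packets]


if __name__ == "__main__":
    # Base-rate illustration: 0.1% prevalence, 99% sensitivity, 1% false positives.
    for prior, post, lr in base_rate_table(0.99, 0.01, [0.001, 0.01, 0.1]):
        print(f"prior={prior:<6} posterior={post:<7} LR={lr:.0f}")
    for pkt, label in zip(SAMPLE_PACKETS, classify_all(SAMPLE_PACKETS)):
        print(f'{pkt["src"]} -> {pkt["dst"]}: {label}')
```

At a 0.1% base rate the posterior for a 99%-sensitive, 1%-false-positive indicator is only about 9%, yet the likelihood ratio is 99 regardless of prior; this is the tension the minutes describe, and why the evidence-only view is attractive when attack base rates are unknown or shifting.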