GLOBAL GUARD MEETING
March 16, 1999
3085 ENG II
1:00-2:00 p.m.
 
In attendance:
Karl Levitt (KL), David O’Brien (DOB), David Klotz (DK), and Steven Templeton (ST)

TOPICS

Benefits of CYC
Steven Templeton's Smurf Attack Example
 
  • Benefits of CYC
  • CYC will give us knowledge of attacks, responses, and enable us to do reasoning. It may be too general and too slow for our purposes, but it will be complete.
  • Can do a rapid prototype on a system and can demo something
  • We can attempt to correlate activity from different places, connect with CIDF
  • DK: In essence we're building an expert system, domain knowledge, but won't come up with data for machine learning. KL: FTP inductive learning, perhaps.
  • SMARTS with Yemini is still an option. Can codify some of the knowledge.
  • Steven Templeton's Smurf Attack Example
    X = primary target subnet; Y = other subnet; Zi = some other host site
    X̂ = broadcast address for X; Ŷ = broadcast address for Y; Zi ∉ X ∪ Y
    X = X - {X̂}; Y = Y - {Ŷ}
    Xi = some host in X; Yi = some host in Y
    a = actual address of attacker ∈ {Zi, Xi}
    b = source address in attack packet ∈ {Zi, Xi, Yi, Ŷ, X̂, Zj}
    µ = destination address in attack packet ∈ {Xj, X̂}

    Attack: (a, b, µ, icmp echo request) for Smurf
    Cases: destination address of attack = X̂

      a     b     µ = X̂
      Zi    Zi    Non-spoofed Smurf
            Xi    N/A
            Yi    Spoofed smurf → Yi
            X̂     Feedback magnify X → X
            Ŷ     Magnify X → Y
            Zj    X → Zj

      a     b     Mac / Spoofed Mac
      Xi    Zi    √
            Xi    √
            Yi    √
            X̂     √ √
            Ŷ     √
            Zj
            Xj    √
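An added example, not from the meeting notes: a small classifier that applies the case table above to an observed ICMP echo request. It assumes subnets X and Y are given as IPv4 CIDR strings, that any address outside X ∪ Y is a Z host, and that the analyst has reconstructed the attacker's real address a alongside the packet's source b and destination µ; an insider case (a = Xi) is reported as needing the Mac / Spoofed Mac table rather than classified further.

```python
import ipaddress


def classify_smurf(x_net, y_net, attacker, src, dst):
    """Label one echo request (a, b, mu) using the Smurf case table.

    x_net, y_net: CIDR strings for subnets X and Y (assumed IPv4).
    attacker: a (the attacker's real address); src: b; dst: mu.
    """
    X, Y = ipaddress.ip_network(x_net), ipaddress.ip_network(y_net)
    a, b, mu = (ipaddress.ip_address(h) for h in (attacker, src, dst))
    if mu != X.broadcast_address:
        return "mu = Xj: no broadcast amplification on X"
    if a in X:
        return "insider (a = Xi): see Mac / Spoofed Mac table"
    # a = Zi: attacker outside X and Y, so the source address b decides the case
    if b == a:
        return "Non-spoofed Smurf"          # replies return to the attacker
    if b == X.broadcast_address:
        return "Feedback magnify X -> X"    # replies hit X's broadcast again
    if b == Y.broadcast_address:
        return "Magnify X -> Y"             # replies amplified onto subnet Y
    if b in Y:
        return "Spoofed smurf -> Yi"        # a single host in Y is the victim
    if b in X:
        return "N/A"
    return "X -> Zj"                        # some other outside host is the victim


# Constructed sample triples (a, b, mu); not from any real capture
SAMPLE = [
    ("192.0.2.7", "192.0.2.7", "10.1.0.255"),
    ("192.0.2.7", "10.2.0.9", "10.1.0.255"),
    ("192.0.2.7", "10.1.0.255", "10.1.0.255"),
    ("192.0.2.7", "198.51.100.3", "10.1.0.255"),
    ("10.1.0.5", "10.2.0.9", "10.1.0.255"),
]


def tally(x_net, y_net, triples):
    """Count how many observed triples fall into each case."""
    counts = {}
    for a, b, mu in triples:
        label = classify_smurf(x_net, y_net, a, b, mu)
        counts[label] = counts.get(label, 0) + 1
    return counts


if __name__ == "__main__":
    for label, n in tally("10.1.0.0/24", "10.2.0.0/24", SAMPLE).items():
        print(f"{n}  {label}")
```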