In attendance:
Karl Levitt (KL), David O’Brien (DOB), David Klotz (DK), and Steven Templeton (ST)

TOPICS
Benefits of CYC
Steven Templeton's Smurf Attack Example
Benefits of CYC

CYC will give us knowledge of attacks, responses, and enable us to do reasoning. It may be too general and too slow for our purposes, but it will be complete. Can do a rapid prototype on a system and can demo something. We can attempt to correlate activity from different places, connect with CIDF.

DK: In essence we're building an expert system, domain knowledge, but won't come up with data for machine learning.

KL: FTP inductive learning, perhaps. SMARTS with Yemini is still an option. Can codify some of the knowledge.

Steven Templeton's Smurf Attack Example
Notation:

  X  = primary target subnet
  Y  = other subnet
  Zi = some other host site, Zi ∉ X ∪ Y
  X̄  = broadcast address for X
  Ȳ  = broadcast address for Y
  X′ = X - {X̄}
  Y′ = Y - {Ȳ}
  Xi = some host in X
  Yi = some host in Y
  a  = actual address of attacker ∈ {Zi, Xi}
  b  = source address in attack packet ∈ {Zi, Xi, Yi, Ȳ, X̄, Zj}
  µ  = destination address in attack packet ∈ {Xj, X̄}

Cases: destination address of attack = X̄
Attack: (a, b, µ, icmp echo request) for Smurf

  a    b    µ = X̄
  ---  ---  ---------------------------
  Zi   Zi   Non-spoofed Smurf
       Xi   N/A
       Yi   Spoofed smurf → Yi
       X̄    Feedback magnify X → X
       Ȳ    Magnify X → Y
       Zj   X → Zj

  a    b    Mac / Spoofed Mac
  ---  ---  -----------------
  Xi   Zi   ✓
       Xi   ✓
       Yi   ✓
       X̄    ✓ ✓
       Ȳ    ✓
       Zj
       Xj   ✓
- Determine facts, rules, missing data
- Codify negative cases to determine whether an attack is close to a smurf attack or not.
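A small classifier that applies the case table above to an (a, b, µ) echo-request triple, as an added example that is not part of the meeting notes. The subnets X and Y are constructed (192.0.2.0/24 and 198.51.100.0/24); it covers the first table (a = Zi, µ = X̄), flags a sender inside X′ as the notes' a = Xi case, and leaves the MAC-spoofing dimension out.

```python
import ipaddress

# Constructed subnets standing in for the notes' X and Y (assumption, not from the notes).
X = ipaddress.ip_network("192.0.2.0/24")      # primary target subnet X
Y = ipaddress.ip_network("198.51.100.0/24")   # other subnet Y
X_BCAST = X.broadcast_address                 # broadcast address for X
Y_BCAST = Y.broadcast_address                 # broadcast address for Y


def region(addr):
    """Place an address in the notes' sets: the two broadcasts, X' (hosts in X),
    Y' (hosts in Y), or Z (anywhere outside X and Y)."""
    if addr == X_BCAST:
        return "X_bcast"
    if addr == Y_BCAST:
        return "Y_bcast"
    if addr in X:
        return "X'"
    if addr in Y:
        return "Y'"
    return "Z"


# Case table for mu = X_bcast, keyed by where the claimed source b lies.
SPOOFED_CASES = {
    "X'": "N/A",
    "Y'": "spoofed smurf, amplified replies hit Yi",
    "X_bcast": "feedback magnify X -> X",
    "Y_bcast": "magnify X -> Y",
    "Z": "spoofed smurf, amplified replies hit Zj",
}


def classify(a, b, mu):
    """Classify one ICMP echo request from (a, b, mu): a is the attacker's actual
    address, b the IP source the packet claims, mu its destination."""
    a, b, mu = (ipaddress.ip_address(s) for s in (a, b, mu))
    # Negative case: a smurf needs the broadcast address of X as destination.
    if mu != X_BCAST:
        return "negative: destination is not the broadcast address of X"
    # a = Xi in the notes: the sender sits inside the target subnet.
    prefix = "insider " if region(a) == "X'" else ""
    if b == a:
        return prefix + "non-spoofed smurf"
    return prefix + SPOOFED_CASES[region(b)]


if __name__ == "__main__":
    for a, b in [("203.0.113.5", "203.0.113.5"), ("203.0.113.5", "198.51.100.255")]:
        print(a, b, "->", classify(a, b, str(X_BCAST)))
```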