April 27, 1999
3085 ENG II

In attendance:
Karl Levitt (KL), Marcus Tylutki (MT), Jason Schatz (JS), David Klotz (DK) and David O'Brien (DOB)


  1. News items
    1. Karl has been summoned back to Rome Labs, where Sami will meet up with him to talk about Global Guard
    2. Karl wants to have an intensive meeting on Thursday (assign topics today)
    3. CYC runs on Solaris, NT, Linux -- favored OS is Linux
      1. Problems with version on NT
    4. Papers to look at
      1. Papers by Tim Bass, John Lowry email list
        1. Data Fusion and Intrusion Detection accepted for CACM -- terrible
        2. Hierarchical Model -- levels based on traffic coming in -- worth looking at
      2. Distributed Detection and Data Fusion (Signal Processing and Data Fusion)-- K. Varshney 1995
    5. Another PI meeting in December
  2. Information to Work On
    1. General Idea
      1. Informal description for rules, what knowledge is needed for inferencing or aggregation?
      2. Take some examples and figure out how to correlate or combine reports
      3. What kind of knowledge do we need?
      4. Don't need to consider coding in CYC.
      5. Is something interesting (an attack) happening?
      6. How severe is the attack?
        1. DOB: How do you determine severity?
        2. KL: Ordering or partial ordering. More severe is more severe than severe.
        3. JR: It will be different for everyone.
        4. DK: CYC methodology -- start with base micro theory, then create specific micro theories for each system/network
      7. What could happen next?
    2. Summary of attacks -- SMURF written out
    3. Todd and Matt presented a generalization of a multi-stage connection hijacking attack
      1. The paper claims there is no way of preventing attack except by having IP Sec.
      2. IDS could catch pieces -- flooding, sequence number guessing, a connection going inactive for a while (wedged TCP)
      3. Could we make a mistake and confuse an attack with normal behavior?
  3. Assignments
    1. Jeff will work on the basic architecture to build on.
      1. CIDF has a way of getting messages between components and discovering neighbors. Messages going from different sources to combine.
      2. JR: Query people to see if you've seen attack. Tradeoffs with querying web. Web server log = flooded with web server access.
    2. Jason will look at Todd and Matt's work -- description of hijacking connections.
      1. DOB: USENIX people at Merret (J. Jalosky) did further work on it.
      2. Comes from different sites, wedging, sequence number guessing, source of data packets (changes source).
      3. There may be pieces missing
      4. Look at other possible causes for what you're seeing.
      5. Where would a worm go next?
        1. DOB: Based on algorithm of worm and method of propagation. What does worm do at each host? What's the purpose of the attack? Steal the bandwidth?
        2. JS: Is there a heuristic to guide where it's going?
          1. DOB: Morris worm looked at R host. A worm itself is not trying to get to a certain machine -- it would go there directly (or may not). To take out a machine, a worm may send out several soldiers to attack one machine.
        3. DK: If you see this worm attacking boxes with RedHat Linux 5.1 only -- or sendmail 2.x, you can likely determine future attack sites.
        4. KL: Trust relationships -- have to know configuration
        5. DOB: Network management or asset tracking system, configuration of whole network.
      6. JS: Techniques to formalize signature for hijacking? State machine, rules, discover generalities.
        1. JR: Do you need to be on same LAN?
          1. DOB: No, have the source routed to you, send probes to find secret number succession, guess what next ones will be. In connection hijacking, on network, hijack for least amount of time, or get kicked off.
    3. David O will look at the rules for SMURF
    4. David Klotz will look at Fred Cohen -- connections to website
      1. Ex. Worm presented back at PI meeting with password guessing happening. Missing data might not get reports of where worm travels.
      2. Progress of a worm, facts we need, rules. Worm may hit another place it has hit before. Worm will go 5 steps out before we can contain it.
        1. DK: It's dangerous to think of it in terms of steps. Worms don't follow topology. Fully connected graph. Worm starts out and can go anywhere (1 hop to everything). Worm doesn't have to propagate to machines that are topologically near it.
        2. KL: Exploiting sendmail and then trust relationships.
        3. DOB: A worm propagates through a vulnerability or trust relationship. Trust relationship may have reinfection or revisits.
          1. DK: With trust relationships, it's more local.
    5. Karl will do the correlation framework.
  4. Next Meeting
    1. KL: Meet Thursday. 11:00 -- 1:30. Karl will treat to lunch.
    2. Think of aggregation in informal terms.
      1. Information you need, general rules, inference rules, how you might make wrong decision. Signatures for connection hijacking attacks.
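The minutes ask for the connection-hijacking signature to be expressed as a state machine or rules over pieces an IDS can see (flooding, sequence number guessing, a wedged connection, segments with a changed source) and for a way to avoid confusing an attack with normal behaviour. The following is an added example, not code from the meeting or the project: a small per-host sliding-window correlator that aggregates such reports into one alert whose severity is a simple ordering on how many distinct pieces were seen. The report shape, stage names, host addresses and sensor names are all constructed assumptions, not a CIDF message format.

```python
from collections import namedtuple, defaultdict

# Constructed report shape (assumption, not a CIDF message format):
#   ts     - seconds, as the sensor reported it
#   sensor - which component produced the report
#   kind   - one of STAGES below; anything else is ignored
#   hosts  - the hosts the report is about
Report = namedtuple("Report", "ts sensor kind hosts")

# Pieces of the multi-stage hijack the minutes list, in the order they tend to
# occur: flood the trusted peer so it cannot answer, guess the server's sequence
# numbers, the legitimate connection wedges, segments arrive claiming the peer.
STAGES = ("flood", "seq_guess", "wedged", "spoofed")

# Severity as a total order on how many distinct pieces were seen for one host.
SEVERITY = {2: "medium", 3: "high", 4: "critical"}


class HijackCorrelator:
    """Per-host sliding-window correlator; one instance per monitored site."""

    def __init__(self, window=600):
        self.window = window                # seconds of evidence kept per host
        self.evidence = defaultdict(list)   # host -> [(ts, stage, sensor), ...]

    def feed(self, report):
        """Absorb one report; return aggregated alerts (possibly none)."""
        if report.kind not in STAGES:
            return []
        alerts = []
        for host in report.hosts:
            ev = self.evidence[host]
            ev.append((report.ts, report.kind, report.sensor))
            # Drop evidence older than the window so a stale flood does not
            # pair with an unrelated wedged connection hours later.
            ev[:] = [e for e in ev if report.ts - e[0] <= self.window]
            stages = sorted({e[1] for e in ev}, key=STAGES.index)
            # A lone flood is a DoS and a lone wedged connection is ordinary
            # network trouble; only a combination of pieces suggests a hijack.
            if len(stages) >= 2:
                alerts.append({"host": host, "stages": stages,
                               "severity": SEVERITY[len(stages)],
                               "sensors": sorted({e[2] for e in ev})})
        return alerts


def correlate(reports, window=600):
    """Run reports through a correlator; return the strongest alert per host."""
    corr = HijackCorrelator(window)
    best = {}
    for r in sorted(reports, key=lambda r: r.ts):
        for a in corr.feed(r):
            cur = best.get(a["host"])
            if cur is None or len(a["stages"]) > len(cur["stages"]):
                best[a["host"]] = a
    return best


# Constructed sample reports (addresses and sensor names are made up).
PEER, SERVER = "10.0.0.5", "10.0.0.9"
SAMPLE = [
    Report(1000, "flow-mon",  "flood",     (PEER,)),             # peer silenced
    Report(1020, "tcp-probe", "seq_guess", (SERVER,)),           # probes at server
    Report(1090, "conn-mon",  "wedged",    (PEER, SERVER)),      # session stalls
    Report(1100, "conn-mon",  "spoofed",   (PEER, SERVER)),      # segments "from" peer
    Report(5000, "conn-mon",  "wedged",    ("10.0.0.7", SERVER)),  # unrelated stall
    Report(9000, "scan-mon",  "portscan",  (SERVER,)),           # not a hijack piece
]

if __name__ == "__main__":
    for host, a in correlate(SAMPLE).items():
        print(host, a["severity"], a["stages"], a["sensors"])
```

Shrinking the window is the knob that trades missed correlations for fewer false alarms: with a 50-second window the flood and the probes fall out before the connection wedges, and only the wedged/spoofed pair remains, so the same incident is reported at medium rather than high severity.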
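The worm discussion makes two points a containment tool can act on: DK's observation that a worm selecting on a particular OS or service version can reach any matching host in one hop regardless of topology, and DOB's and DK's point that propagation over trust relationships is local to the infected hosts' own relationships and may revisit already-infected machines. The following is an added example, not code from the meeting or the project: given an asset inventory of the kind DOB mentions (network management or asset tracking) and a list of infected hosts, it derives the traits every infected host shares and ranks uninfected hosts for containment, those reachable by both a shared vulnerability and a trust relationship first. The inventory, trait tags, host names and trust graph are constructed assumptions.

```python
# Constructed asset inventory (assumption): host -> tags an asset tracking
# system would know, such as OS and service versions.
INVENTORY = {
    "alpha":   {"redhat-5.1", "sendmail-8.8"},
    "bravo":   {"redhat-5.1", "sendmail-8.9"},
    "charlie": {"redhat-5.1", "sendmail-8.8", "apache-1.3"},
    "delta":   {"solaris-2.6", "sendmail-8.8"},
    "echo":    {"nt-4.0", "iis-4.0"},
    "foxtrot": {"redhat-5.1", "sendmail-8.8"},
}

# Constructed trust relationships (assumption): a -> {b, ...} means b accepts
# logins from a. foxtrot trusts alpha and vice versa, a revisit path.
TRUST = {
    "alpha":   {"delta", "bravo"},
    "foxtrot": {"charlie", "alpha"},
    "bravo":   {"echo"},
}


def common_traits(infected, inventory):
    """Tags shared by every infected host: the worm's likely selection rule."""
    sets = [inventory[h] for h in infected]
    return set.intersection(*sets) if sets else set()


def vulnerability_candidates(infected, inventory):
    """Uninfected hosts carrying every shared tag. Topology is irrelevant here:
    in the fully connected view any such host is one hop from the worm."""
    traits = common_traits(infected, inventory)
    return sorted(h for h, tags in inventory.items()
                  if h not in infected and traits and traits <= tags)


def trust_candidates(infected, trust):
    """Uninfected hosts directly trusted by an infected host. Trust propagation
    is local to those relationships; already-infected hosts are revisits."""
    reachable = set()
    for h in infected:
        reachable |= trust.get(h, set())
    return sorted(reachable - set(infected))


def next_sites(infected, inventory, trust):
    """Rank uninfected hosts for containment: hosts reachable by both a shared
    vulnerability and a trust relationship first, then by name."""
    vuln = set(vulnerability_candidates(infected, inventory))
    trusted = set(trust_candidates(infected, trust))
    ranked = []
    for host in vuln | trusted:
        reasons = [name for name, group in (("trust", trusted), ("vulnerable", vuln))
                   if host in group]
        ranked.append((host, reasons))
    ranked.sort(key=lambda item: (-len(item[1]), item[0]))
    return ranked


if __name__ == "__main__":
    # Constructed scenario: two Red Hat 5.1 / sendmail 8.8 hosts are infected.
    for host, reasons in next_sites(["alpha", "foxtrot"], INVENTORY, TRUST):
        print(host, ", ".join(reasons))
```

The trait intersection is deliberately conservative: with a single infected host every one of its tags counts as a possible selection rule, and the candidate list narrows as more victims are observed. Hosts that share no complete set of tags with the victims (delta, echo) appear only if a trust relationship reaches them.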