June 10, 1999
3085 ENG II

In attendance:
Jeff Rowe (JR), Jason Schatz (JS), David Klotz (DK), Karl Levitt (KL)
  1. WATCHERS - where do you set the threshold for lost packets? There is a similar problem in Steven Cheung's thesis with DNS cache poisoning and latency problems.
    1. JR: Decide what level of background you can tolerate and how much data you can handle, set the threshold at that point and throw the rest of the data away. Maximize the amount of data you're willing to take.
    2. KL: Can an attacker use diversionary or nuisance attacks to take advantage of your threshold?
  2. Plan for Lake Placid PI Meeting in August
    1. JR: Prototype codebook - add ad hoc rules
    2. KL: Use a home-grown host-based IDS
      1. Examples of Host Based IDS
        1. Forrest's anomaly detection work
        2. Rich Feiertag - negotiation work
        3. CYBERCOP Server
        4. Web Stalker
      2. Generate a codebook by band
  3. Methodology and Issues
    1. Vector display of problems/symptoms; include Hamming distance
    2. Use GrIDS as a mechanism for getting information back and forth and use a codebook compiler
    3. KL: Tolerances - aspect of language that may complicate it
    4. JS: Events vs. symptoms - distinguish the two
    5. JS: Categorize all things that could be symptoms, poll for it using a network management device; look up in audit logs
      1. KL: Polling more effective than interrupts?
      2. DK: Problem of ambiguity - with a large set of symptoms, it may be possible to diagnose two different attacks.
    6. JS: Look at timing between symptoms (i.e. connection hijacking).
    7. KL: Will need to verify rulesets, look for inconsistencies in rulesets and more than one conclusion from data.
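Added example, not part of the minutes: a toy codebook diagnoser tying together the symptom-vector/Hamming-distance idea, DK's ambiguity problem, and KL's ruleset-verification point. The symptom names and the attack-to-symptom codebook are constructed for illustration and are not from any project artifact.

```python
from itertools import combinations

# Constructed symptom alphabet; each codebook row is the set of symptoms an
# attack is expected to produce (made up for this example).
SYMPTOMS = ["lost_packets", "dns_latency", "syn_flood", "bad_seq", "failed_logins", "new_setuid"]
CODEBOOK = {
    "dns_cache_poison": {"lost_packets", "dns_latency"},
    "connection_hijack": {"lost_packets", "bad_seq"},
    "password_guessing": {"failed_logins"},
    "rootkit_install": {"failed_logins", "new_setuid"},
}

def to_vector(symptoms):
    """Symptom set -> 0/1 vector in the fixed SYMPTOMS order."""
    return tuple(1 if s in symptoms else 0 for s in SYMPTOMS)

def hamming(a, b):
    return sum(x != y for x, y in zip(a, b))

def indistinguishable_pairs(codebook, min_distance):
    """Ruleset check: attack pairs whose codes lie closer than min_distance.
    Such pairs can be confused by fewer than min_distance missed or spurious symptoms."""
    vecs = {name: to_vector(s) for name, s in codebook.items()}
    return sorted((a, b) for a, b in combinations(sorted(vecs), 2)
                  if hamming(vecs[a], vecs[b]) < min_distance)

def codebook_radius(codebook):
    """Smallest pairwise Hamming distance in the codebook (1 = fragile)."""
    vecs = [to_vector(s) for s in codebook.values()]
    return min(hamming(a, b) for a, b in combinations(vecs, 2))

def diagnose(observed, codebook, tolerance=1):
    """Nearest-code decoding of an observed symptom set.

    Returns (matches, ambiguous): every attack whose code is at the minimum
    Hamming distance, provided that distance is within `tolerance`; ambiguous
    is True when more than one attack is equally close, which is the
    situation DK raised (one symptom vector, two candidate diagnoses).
    """
    obs = to_vector(observed)
    scored = sorted((hamming(obs, to_vector(s)), name) for name, s in codebook.items())
    best = scored[0][0]
    if best > tolerance:
        return [], False  # nothing close enough: treat as background noise
    matches = [name for d, name in scored if d == best]
    return matches, len(matches) > 1
```

A clean match decodes unambiguously; a spurious symptom shared by two codes (here `lost_packets`) produces two equally close attacks, and the radius check flags the codebook rows that a single missed symptom can already confuse.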