Jeff Rowe (JR), Jason Schatz (JS), David O'Brien (DOB), Karl Levitt
(KL), Steven Templeton (ST), and Chris Wee (CW)
News Items
Laura will send out pieces of the attack to us.
August PI Meeting will be in Phoenix, not Lake Placid.
Aaron Stearns and Marcus Tylutki to join Global Guard
Ideas for Global Guard
JR: Develop a signature or rule-based language for symptoms to look for
and develop a way of specifying symptoms
Develop a language to compile into codebook or GrIDS rulesets
KL: Using local information like Yemini's codebook
JR: Use GrIDS as the basic mechanism for the communication package and
hierarchy
JS: Signature language compiling to production-style rules - alternative
to codebook. Polling could be written in production-style rules, with a
C function, compile into CLIPS, returns with new facts
Codebook is too simple for polling - poll first, then send the information
to the codebook
May have an answer before you even go to the codebook
JS: Query model - give symptoms, get confirmation. Clues from one symptom
may lead to queries of other symptoms. The codebook is the master classifier
or decision table
CW: Use a learning algorithm
KL: Won't work with this project.
ST: Get information from real world experiences and generate all possible
values or parameters from archetypal attacks
JS: Language or methodology - we need to propose a mechanism to match symptoms
to attacks.
KL: Questions to answer: What is the attack? What sites has it hit? How
is it spreading? How will you respond to it?
CW: Interested in exploring aggregation and data dissemination algorithms.
Enclaves
Write Objectives down for Global Guard
Building an IDS to:
Detect attacks based on distributed data
Events lead to higher level events which lead to ? (Abstract Reasoning)
Interrupts (Push) and Polling (Query - Pull)
Develop a methodology and knowledge to populate the IDS
Ask Experts
Look at Events from Data
JR: Format of IDS should be transferable to GrIDS, codebook or something
that aggregators can digest easily.
Temporal aggregation
Questions of IDS
Do we have connection spoofing?
Source, attributes, time, destination, extent, data leaks
Are symptoms related or have a common cause?
Evidence of an attack, with what certainty?
How did classified data get to an unclassified machine?
Is there a sniffer on a machine? (Symptoms such as a network card in promiscuous
mode)
Possible Goals
Incremental Change to GrIDS to do:
Model correlation as graph composition
Model Language - Expert describes links among events
Build an IDS that processes distributed events to do aggregation, correlation,
fusion
Events come from commercial IDS
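The query model and codebook classifier sketched above (poll for symptoms first, confirm early if a row is complete, otherwise let the codebook act as the master decision table and report a certainty), as an added Python example that is not part of these notes or of GrIDS/Global Guard. The symptom names, codebook rows and host state are constructed sample values.

```python
# Added example (not from the meeting notes): a toy "poll first, then consult the
# codebook" correlator. The symptom names, the codebook rows and the host state
# below are constructed sample values, not a real rule set.

# Codebook as a decision table: attack archetype -> symptoms it should produce.
CODEBOOK = {
    "sniffer_on_host": {"promisc_nic", "unexpected_outbound"},
    "connection_spoof": {"seq_anomaly", "src_unroutable", "half_open_spike"},
    "data_exfil": {"classified_on_unclass", "unexpected_outbound", "large_transfer"},
}

# Constructed host state that the pull (query) side can check on demand.
HOST_STATE = {"promisc_nic": True, "unexpected_outbound": True,
              "large_transfer": False, "src_unroutable": False}

def sample_poller(symptom):
    """Pull mechanism: answer a query for one symptom (False if unknown)."""
    return HOST_STATE.get(symptom, False)

def correlate(observed):
    """Master classifier: score every codebook row against the observed set.
    Certainty is the fraction of the row's expected symptoms that were seen;
    ties go to the row with fewer unexplained (extra) observed symptoms."""
    best, best_key = None, None
    for attack, expected in CODEBOOK.items():
        key = (len(expected & observed) / len(expected), -len(observed - expected))
        if best_key is None or key > best_key:
            best, best_key = attack, key
    return best, best_key[0]

def poll_then_correlate(pushed, poller=sample_poller):
    """Query model: pushed symptoms arrive as interrupts. For each candidate
    attack sharing a pushed symptom, poll for its remaining symptoms; if a row
    is fully confirmed, answer before going to the codebook at all."""
    symptoms = set(pushed)
    for attack, expected in CODEBOOK.items():
        if expected & symptoms:
            for s in expected - symptoms:
                if poller(s):
                    symptoms.add(s)
            if expected <= symptoms:
                return attack, 1.0, symptoms      # answered without the codebook
    attack, certainty = correlate(symptoms)      # fall back to the decision table
    return attack, certainty, symptoms

if __name__ == "__main__":
    print(poll_then_correlate({"promisc_nic"}))
    print(poll_then_correlate({"classified_on_unclass"}))
```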
For Next Tuesday:
Jason - Describe some concrete rules for the project