GLOBAL GUARD
June 17, 1999
4-6pm
1003 ENG II
In attendance:

Jeff Rowe (JR), Jason Schatz (JS), David O'Brien (DOB), Karl Levitt (KL), Steven Templeton (ST), and Chris Wee (CW)

    1. News Items
      1. Laura will send out pieces of the attack to us.
      2. August PI Meeting will be in Phoenix, not Lake Placid.
      3. Aaron Stearns and Marcus Tylutki to join Global Guard
    2. Ideas for Global Guard
      1. JR: Develop a signature or rule-based language for symptoms to look for and develop a way of specifying symptoms
        1. Develop a language to compile into codebook or GrIDS rulesets
        2. KL: Using local information like Yemini's codebook
        3. JR: Use GrIDS as the basic mechanism for the communication package and hierarchy
        4. JS: Signature language compiling to production-style rules - alternative to codebook. Polling could be written in production-style rules, with a C function, compiled into CLIPS, returning new facts
          1. Codebook is too simple for polling - poll first, then send the information to the codebook
          2. May have an answer before you even go to the codebook
        5. JS: Query model - give symptoms, get confirmation. Clues from one symptom may lead to queries of other symptoms. The codebook is the master classifier or decision table
        6. CW: Use a learning algorithm
          1. KL: Won't work with this project.
        7. ST: Get information from real world experiences and generate all possible values or parameters from archetypal attacks
      2. JS: Language or methodology - we need to propose a mechanism to match symptoms to attacks.
        1. KL: Questions to answer: What is the attack? What sites has it hit? How is it spreading? How will you respond to it?
      3. CW: Interested in exploring aggregation and data dissemination algorithms. Enclaves
    3. Write Objectives down for Global Guard
      1. Building an IDS to:
        1. Detect attacks based on distributed data
        2. Events lead to higher-level events which lead to ? (Abstract Reasoning)
        3. Interrupts (Push) and Polling (Query - Pull)
        4. Develop a methodology and knowledge to populate the IDS
          1. Ask Experts
          2. Look at Events from Data
        5. JR: Format of IDS should be transferable to GrIDS, codebook or something that aggregators can digest easily.
        6. Temporal aggregation
    4. Questions of IDS
      1. Do we have connection spoofing?
      2. Source, attributes, time, destination, extent, data leaks
      3. Are symptoms related or have a common cause?
      4. Evidence of an attack, with what certainty?
      5. How did classified data get to an unclassified machine?
      6. Is there a sniffer on a machine? (Symptoms such as a network card in promiscuous mode)
    5. Possible Goals
      1. Incremental Change to GrIDS to do:
        1. Model correlation as graph composition
      2. Model Language - Expert describes links among events
      3. Build an IDS that processes distributed events to do aggregation, correlation, fusion
      4. Events come from commercial IDS
    6. For Next Tuesday:
      1. Jason - Describe some concrete rules for the project
      2. Steven - Brainstorm information to query
      3. David - Look at requirements for project
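As an added illustration, not code from the Global Guard or GrIDS projects, of two ideas raised above: codebook correlation (each candidate attack encoded as a vector over a symptom alphabet, decoded by nearest code) and the poll-then-decide query model, where clues from one symptom lead to queries of others. The symptom names and the codebook are constructed for the example; the probe callback stands in for whatever sensor or host query would answer a poll.

```python
"""Codebook-style symptom correlation with a polling (pull) step."""
from itertools import combinations

# Constructed sample codebook: attack -> symptoms expected to be present.
# Symptom names are hypothetical, chosen to echo the questions in the minutes.
CODEBOOK = {
    "sniffer": {"promisc_nic", "unexpected_outbound_conn"},
    "spoofed_connection": {"tcp_seq_anomaly", "unexpected_outbound_conn"},
    "data_leak": {"classified_on_unclass_host", "unexpected_outbound_conn"},
}


def classify(observed, known, codebook=CODEBOOK):
    """Nearest-code decoding over the symptoms actually checked.

    observed: symptoms confirmed present; known: symptoms checked (present
    or absent). Unchecked symptoms do not count toward the distance.
    Returns (tied_best_attacks, distance, unchecked_symptoms_that_would_separate_them).
    """
    observed = set(observed)
    known = set(known) | observed
    scores = {
        attack: sum((s in code) != (s in observed) for s in known)
        for attack, code in codebook.items()
    }
    best = min(scores.values())
    tied = sorted(a for a, d in scores.items() if d == best)
    to_poll = set()
    for a, b in combinations(tied, 2):
        # Symptoms on which two tied codes disagree and nobody has looked at yet.
        to_poll |= (codebook[a] ^ codebook[b]) - known
    return tied, best, sorted(to_poll)


def correlate(initial_observed, probe, codebook=CODEBOOK):
    """Query-model loop: classify, poll only the distinguishing symptoms, repeat.

    probe(symptom) -> bool answers a pull request for one symptom.
    Terminates because every polled symptom becomes known.
    """
    observed = set(initial_observed)
    known = set(observed)
    while True:
        tied, dist, to_poll = classify(observed, known, codebook)
        if len(tied) <= 1 or not to_poll:
            return tied, dist
        for s in to_poll:
            known.add(s)
            if probe(s):
                observed.add(s)
```

With only the shared symptom observed, all three codes tie at distance 0 and the correlator asks for the three distinguishing symptoms; a probe that confirms only the promiscuous NIC resolves the tie to "sniffer" without polling anything else.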