In attendance:
Jeff Rowe (JR), Jason Schatz (JS), David O'Brien (DOB), Karl Levitt (KL), and Steven Templeton (ST)

    Interface Client : LogicalService {
        Attribute long #Aborted;
        Attribute long AbortedThreshold;
        Event AbortedTransactions = #Aborted > AbortedThreshold;
    };
    Interface TCP_Node : Node {
        Propagate AbortedTransactions = Client, Underlying;
        Propagate SlowResponse = DBServer, Underlying;
        Problem TCPPacketLoss = AbortedTransactions, SlowResponse;
    };
    Interface IP_Node : Node {
        Event IPDiscardedPackets = DiscardedPackets > DiscardedThreshold;
        Propagate TCPPacketsLoss = TCP_Node, Underlying;
        Problem PacketLoss = IPDiscardedPackets, TCPPacketsLoss;
    };
    Interface Router_Backbone : Link {
        Propagate PacketsLoss = IP_Node, ConnectedTo;
        Problem Failure = PacketsLoss;
        Export Failure;
    };
- David O'Brien presents the above modeling language from Yemini's paper
- ST: Are there temporal issues? DOB: Some notion of time.
- JS: Usefulness of the modeling language
- Modeling language allows you to not cover everything
- Can determine certain attacks with the modeling language
- Interface Broadcast_Pings:
- Interface ICMP: Node
- Model effect of Ping attack on the rest of the system
- Interface SMURF
- You may not see the attack where it occurred - only detect the symptom where the problem is.
- JS: Does not model intentionality
- ST: Model language - meta knowledge to communicate amongst hosts
- Goals
- Reduce the number of false positives
- Distinguish network problems from attacks.
- JR: Simple extensions; incorporate complexities later
- Incorporate Calvin Ko's specification work - Focused Intrusion Detection
- Specify normal behavior - host-based
- JS: All ramifications of certain attacks - Formalism with sensors at different locations. If there's missing data, you can still determine the attack.
- Polling to manage data
- Teknowledge
- Teknowledge will work above the enclave level
- Scripting of interesting attacks
- Configurable sensors
- How to model system behavior
- Next Meeting
- Thursday at 2:00
- JR - Worm; DOB - Smurf; JS - Connection Spoofing, DK - Cohen attack
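The propagation model quoted at the top of these notes, worked through as an added example (not code from Yemini's paper or from this group): it derives, for each declared problem, the set of observable events it ultimately manifests as, and decodes a set of observed events back to candidate root causes by Hamming distance, which is the point behind "you may not see the attack where it occurred". Assumptions: a DBServer interface exporting SlowResponse, which the fragment references but never declares, and that PacketLoss/PacketsLoss and TCPPacketLoss/TCPPacketsLoss denote the same symbols.

```python
"""Codebook-style event correlation over the MODEL fragment quoted in the notes."""

# Interfaces transcribed from the fragment.  A problem's symptom is either a
# local `event` (directly observable), a `propagate`d name resolved in the
# named related interface, or another local problem.
# Assumptions: DBServer is not declared in the fragment; the fragment's
# PacketLoss/PacketsLoss and TCPPacketLoss/TCPPacketsLoss are unified here.
MODEL = {
    "Client":   {"events": {"AbortedTransactions"}},
    "DBServer": {"events": {"SlowResponse"}},
    "TCP_Node": {"propagate": {"AbortedTransactions": "Client", "SlowResponse": "DBServer"},
                 "problems": {"TCPPacketLoss": ["AbortedTransactions", "SlowResponse"]}},
    "IP_Node":  {"events": {"IPDiscardedPackets"},
                 "propagate": {"TCPPacketLoss": "TCP_Node"},
                 "problems": {"PacketLoss": ["IPDiscardedPackets", "TCPPacketLoss"]}},
    "Router_Backbone": {"propagate": {"PacketLoss": "IP_Node"},
                        "problems": {"Failure": ["PacketLoss"]}},
}


def observable_symptoms(iface, name, seen=None):
    """Return the observable events ('Iface.Event') reachable from `name` in `iface`."""
    seen = seen if seen is not None else set()
    if (iface, name) in seen:          # guard against cyclic propagation declarations
        return set()
    seen.add((iface, name))
    spec = MODEL[iface]
    if name in spec.get("events", ()):
        return {f"{iface}.{name}"}
    if name in spec.get("propagate", {}):
        return observable_symptoms(spec["propagate"][name], name, seen)
    out = set()
    for sym in spec.get("problems", {}).get(name, ()):
        out |= observable_symptoms(iface, sym, seen)
    return out


def codebook():
    """Map every declared problem to the set of events it ultimately manifests as."""
    return {f"{iface}.{p}": observable_symptoms(iface, p)
            for iface, spec in MODEL.items() for p in spec.get("problems", {})}


def decode(observed):
    """Rank problems by Hamming distance between the observed events and each code.

    Identical distances mean the model cannot tell those root causes apart at
    the interface level; only instance topology would separate them."""
    return sorted((len(code ^ set(observed)), problem) for problem, code in codebook().items())


if __name__ == "__main__":
    for problem, code in codebook().items():
        print(problem, "->", sorted(code))
    print(decode({"Client.AbortedTransactions"}))
```

Observing only Client.AbortedTransactions ranks TCP_Node.TCPPacketLoss first; observing all three events leaves IP_Node.PacketLoss and Router_Backbone.Failure tied at distance 0, which is exactly the ambiguity the meeting's "symptom vs. location" remark describes.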