June 22, 1999
1003 ENG II
In attendance:
Jeff Rowe (JR), Jason Schatz (JS), David O'Brien (DOB), Karl Levitt (KL), and Steven Templeton (ST)

Interface Client : LogicalService {

    Event AbortedTransactions = #Aborted > AbortedThreshold;
    Attribute long #Aborted;
    Attribute long AbortedThreshold;
}

Interface TCP_Node : Node {

    Problem TCPPacketLoss = AbortedTransactions, SlowResponse;
    Propagate AbortedTransactions = Client, Underlying;
    Propagate SlowResponse = DBServer, Underlying;
}

Interface IP_Node : Node {

    Problem PacketLoss = IPDiscardedPackets, TCPPacketsLoss;
    Propagate TCPPacketsLoss = TCP_Node, Underlying;
    Event IPDiscardedPackets = DiscardedPackets > DiscardedThreshold;
}

Interface Router_Backbone : Link {

    Problem Failure = PacketsLoss;
    Propagate PacketsLoss = IP_Node, ConnectedTo;
    Export Failure;
}
  1. David O'Brien presents the above modeling language from Yemini's paper
    1. ST: Are there temporal issues? DOB: Some notion of time.
    2. JS: Usefulness of the modeling language
      1. Modeling language allows you to not cover everything
      2. Can determine certain attacks with the modeling language
        1. Interface Broadcast_Pings:
        2. Interface ICMP: Node
        3. Model effect of Ping attack on the rest of the system
        4. Interface SMURF
      3. You may not see the attack where it occurred - only detect the symptom where the problem is.
      4. JS: Does not model intentionality
      5. ST: Model language - meta knowledge to communicate amongst hosts
  2. Goals
    1. Reduce the number of false positives
    2. Distinguish network problems from attacks.
    3. JR: Simple extensions; incorporate complexities later
    4. Incorporate Calvin Ko's specification work - Focused Intrusion Detection
      1. Specify normal behavior - host-based
    5. JS: All ramifications of certain attacks - Formalism with sensors at different locations. If there's missing data, you can still determine the attack.
      1. Polling to manage data
  3. Teknowledge
    1. Teknowledge will work above the enclave level
    2. Scripting of interesting attacks
    3. Configurable sensors
    4. How to model system behavior
  4. Next Meeting
    1. Thursday at 2:00
    2. JR - Worm; DOB - Smurf; JS - Connection Spoofing, DK - Cohen attack
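
An added illustration, not code from the meeting or from Yemini's paper, of the goals above: telling a network problem from an attack, and still reaching a diagnosis when some sensor data is missing. The `Smurf_Attack` entry, its `EchoReplyFlood` event and the mismatch-count matching rule are assumptions of this example; the other entries follow the Problem/Propagate chain in the model at the top of these minutes.

```python
# Causal model: each problem lists the events or lower-level problems it causes.
MODEL = {
    "Router_Backbone.Failure": ["IP_Node.PacketLoss"],
    "IP_Node.PacketLoss": ["IPDiscardedPackets", "TCP_Node.TCPPacketLoss"],
    "TCP_Node.TCPPacketLoss": ["AbortedTransactions", "SlowResponse"],
    # Hypothetical attack entry (not in the minutes): a flood of echo replies
    # at the victim plus the same packet loss a failing link would cause.
    "Smurf_Attack": ["EchoReplyFlood", "IP_Node.PacketLoss"],
}


def signature(problem: str) -> set[str]:
    """Follow the propagation chain down to the observable events."""
    events: set[str] = set()
    for child in MODEL[problem]:
        events |= signature(child) if child in MODEL else {child}
    return events


def diagnose(observed: dict[str, bool]) -> list[str]:
    """Return the problems whose signature best fits the observations.

    `observed` maps an event name to True (sensor fired) or False (sensor
    is healthy and quiet). Events with no reporting sensor are left out,
    so missing data neither supports nor contradicts a candidate.
    """
    scores = {
        problem: sum((event in signature(problem)) != seen
                     for event, seen in observed.items())
        for problem in MODEL
    }
    best = min(scores.values())
    return sorted(p for p, s in scores.items() if s == best)


if __name__ == "__main__":
    # Constructed observation: only the client and an ICMP sensor report.
    print(diagnose({"AbortedTransactions": True, "EchoReplyFlood": True}))
```

With every sensor reporting and no echo-reply flood, the result is a tie between `IP_Node.PacketLoss` and `Router_Backbone.Failure`: the symptom shows where the problem is felt, and these events alone cannot separate the two.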