June 29, 1999
3085 ENG II

In attendance:
Jeff Rowe (JR), Rick Crawford (RC), David O'Brien (DOB), Karl Levitt (KL), Aaron Stearns (AS) and Steven Templeton (ST)


Agenda:
Discuss Constraints of Global Guard
Jeff, David and Karl's Morning Discussion
Structure of Global Guard

    1. Discuss Constraints of Global Guard
      1. KL: Sami wants Global Guard to be a higher-level project; to determine the attacker's objectives, whether there is a serious threat, what the next moves of the attacker are, etc.
      2. Use existing architecture
      3. Have used 3-4 scenarios to drive the work: take pieces of information and put them together
        1. Jason - Connection Spoofing
        2. Steven - SMURF
        3. David O'Brien - Fred Cohen Attack
        4. Jeff - Password Guessing - Worm
        5. Need to detect all variants of these attacks
        6. Use codebook to determine the problem from the symptoms
    2. Jeff, David and Karl's Morning Discussion
      1. Have many symptoms coming in; partition symptoms into related subsets (that are part of the same attack)
      2. RC: Distinguish the ankle biters from the real threat
      3. DOB: Report all symptoms to the black box (Global Guard) which filters out the ankle biters, determines related symptoms, coalesces the events and determines the type of attack
        1. KL: Doesn't consider the time bomb attack, which may look like an ankle biter to begin with.
      4. RC: There are some very ambiguous parts. Rules and threat profiles, predetermined attackers, their goals etc. Model attackers within the system
        1. KL: It needs to be more complicated, and has less certainty
        2. JR: Don't rule out things that have been seen before
          1. ST: Need to prune and group events based on likelihood of scenario
          2. ST: Don't care if there is 1 attacker or 10 attackers
            1. Lump ankle biters together.
        3. AS: Verify coordinated attack or not
    3. Structure of Global Guard
      1. Decide on attributes of each symptom, piece them together
      2. Modeling the event is better than modeling the attacker
        1. Hard to model intent, doesn't consider unforeseen attacks
      3. Objectives of the attacker
        1. Confidentiality of data
        2. Integrity of data
        3. Denial of Service
        4. Information Gathering
        5. Use resources for own purposes - Extortion
        6. Clandestine Storage
        7. Violate Policy
        8. Has the attacker met his objectives? Plan/Objective recognition
      4. AS: Look at what could happen to the system
      5. ST: Based on concept rather than a specific occurrence (event)
      6. JR: Hierarchy of correlators, feedback
    4. For Thursday
      1. David O'Brien will work on the SMURF attack
      2. Jeff and Aaron will work on the sequence modeling and flesh out the modeling language.
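
Added worked example (not part of the minutes and not Global Guard code): a toy correlator in Python in the shape sketched in sections 1 through 3. Symptoms arrive with a source, a target and a sensor-level label; they are partitioned into related subsets (here: symptoms that share a host), each subset is looked up in a codebook that names the attack and the attacker's objective from the symptoms present, and subsets that match nothing and are small are lumped together as ankle biters but kept rather than thrown away, so a slow "time bomb" can still be re-examined later. The symptom labels, the codebook entries, the host addresses and the sample symptom stream are all assumptions constructed for illustration; the codebook matches on a subset of symptom kinds so that variants carrying extra symptoms still match.

```python
"""Toy Global-Guard-style correlator: partition symptoms, filter ankle biters,
look the grouped symptoms up in a codebook.  Illustrative only."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Symptom:
    t: int      # seconds since the start of the observation window
    src: str    # source host as reported by the sensor (may be spoofed)
    dst: str    # target host
    kind: str   # sensor-level symptom label (assumed vocabulary)


# Assumed codebook: an attack is recognised when a related subset of symptoms
# contains every kind in its signature.  Extra symptoms do not break the match,
# which is how variants of the same attack are still caught.
CODEBOOK = {
    "smurf": {
        "signature": {"icmp_echo_to_broadcast", "icmp_reply_flood"},
        "objective": "Denial of Service",
    },
    "password_guessing_worm": {
        "signature": {"failed_login", "successful_login", "outbound_login_attempt"},
        "objective": "Use resources for own purposes",
    },
}


def _find(parent, x):
    while parent[x] != x:
        parent[x] = parent[parent[x]]
        x = parent[x]
    return x


def partition(symptoms):
    """Related subsets: symptoms that share a host (src or dst) go together."""
    parent = {}
    for s in symptoms:
        for h in (s.src, s.dst):
            parent.setdefault(h, h)
        a, b = _find(parent, s.src), _find(parent, s.dst)
        if a != b:
            parent[a] = b
    groups = defaultdict(list)
    for s in symptoms:
        groups[_find(parent, s.src)].append(s)
    return list(groups.values())


def classify(group):
    """Return the codebook entry with the largest signature present in the group."""
    kinds = {s.kind for s in group}
    best = None
    for name, entry in CODEBOOK.items():
        if entry["signature"] <= kinds and (
            best is None or len(entry["signature"]) > len(CODEBOOK[best]["signature"])
        ):
            best = name
    return best


def correlate(symptoms, min_symptoms=5):
    """Coalesce a symptom stream into named incidents, ankle biters and pending groups."""
    incidents, ankle_biters, pending = [], [], []
    for group in sorted(partition(symptoms), key=lambda g: min(s.t for s in g)):
        hosts = sorted({h for s in group for h in (s.src, s.dst)})
        name = classify(group)
        if name:
            incidents.append({"attack": name, "objective": CODEBOOK[name]["objective"],
                              "hosts": hosts, "symptoms": len(group)})
        elif len(group) < min_symptoms:
            ankle_biters.append(group)   # lumped together but retained (time-bomb caveat)
        else:
            pending.append(group)        # many related symptoms, no codebook entry yet
    return {"incidents": incidents, "ankle_biters": ankle_biters, "pending": pending}


# Constructed sample stream (addresses from the documentation ranges, not real hosts).
SAMPLE = (
    # SMURF: one echo request to a broadcast address with the victim spoofed as source,
    # then a flood of echo replies from the amplifier hosts back to the victim.
    [Symptom(0, "198.51.100.5", "192.0.2.255", "icmp_echo_to_broadcast")]
    + [Symptom(1, f"192.0.2.{i}", "198.51.100.5", "icmp_reply_flood") for i in range(10, 40)]
    # Password-guessing worm: failures, a success, then the victim starts guessing at neighbours.
    + [Symptom(30 + i, "203.0.113.9", "10.0.0.7", "failed_login") for i in range(4)]
    + [Symptom(35, "203.0.113.9", "10.0.0.7", "successful_login"),
       Symptom(40, "10.0.0.7", "10.0.0.8", "outbound_login_attempt"),
       Symptom(41, "10.0.0.7", "10.0.0.9", "outbound_login_attempt")]
    # Ankle biter: two isolated probes from an unrelated host.
    + [Symptom(50, "203.0.113.77", "10.0.0.50", "port_scan"),
       Symptom(51, "203.0.113.77", "10.0.0.51", "port_scan")]
)

if __name__ == "__main__":
    for inc in correlate(SAMPLE)["incidents"]:
        print(inc["attack"], inc["objective"], inc["symptoms"], "symptoms", inc["hosts"])
```

Grouping by shared host is the simplest reading of "partition symptoms into related subsets"; on a real network a busy server would join unrelated activity into one subset, so a deployed correlator would also split on time windows and on the symptom attributes discussed in section 3.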