July 1, 1999
3085 ENG II
In attendance:
Jeff Rowe (JR), Rick Crawford (RC), David O'Brien (DOB), Karl Levitt (KL), Aaron Stearns (AS) and Steven Templeton (ST)

    1. Aaron goes over framework for Global Guard
      1. Cell (i, j)
        1. 1 if event occurred
        2. 0 if not
        3. Calculated by table lookup using rules
        4. Boolean arithmetic - look up in "code book"
      2. Probabilistic Model - values are percents - fuzzy logic
      3. Missing data handled by logical formula - no attributes (implicit) in codebook
      4. Codebook - pattern matching
      5. How do you keep track of host, port etc? The third dimension is attributes
      6. DOB: Start with functionality before optimization
      7. Event IDS - keep state - event timestamp
        1. Log things from the past
        2. Internal state - run garbage collector - forensic software
        3. List of events
        4. Logging of sensor data
        5. Rules should tell you how far back to log
      8. RC: Scaleability - different memory hierarchies
        1. Fast codebook lookup - if see something suspicious go to much larger memory (e.g. CYC engine). If more suspicious activity noted, then go to optical juke box that doesn't throw anything away and is very slow
        2. Log results of intermidiate computations
      9. Use assumption, then toss it.
      10. Need to come up with language that sits above it. Language to compile into codebook
      11. ST: Can view these as facts and use CLIPS - generating facts - loop could go on forever.
        1. Track users over domains
      12. DIDS - colelct data for network and host monitors
        1. SM was part of ASYM which is part of DIDS
    2. Next Wednesday at 10:00am
      1. Jeff and David O will go over the model document and try to come up with code/language for SMURF and Jason's attack.