In attendance:
Karl Levitt (KL), Steven Templeton (ST), Jeff Rowe (JR), Steven Cheung (SC), Aaron Stearns (AS), Rick Crawford (RC), Chris Wee (CW), and Nik Joshi (NJ)
Meeting in Phoenix
Significant progress in developing a language to correlate domain knowledge using Model or an extension of Model
Attack description language, put things together
Symptoms of attacks in programs
Form processing - codebook
CATL - computer attack transcription language
How does it compare with CIDF
KL: CIDF doesn't do correlation
JR: Doesn't have a relationship between objects
RC: It can -- s-expressions.
CW: CIDF has most of the semantics of the intrusion detection language.
Schedule
Distinguish project from Teknowledge -- lower level
Example from paper that Karl and Steven are reviewing
File handle guessing, info gathering, logging in
Subvert client host - get file handle when transmitted legitimately to client
Change authorization for logging in
CW: Group under storage authorization/privileges
Attempt to install a sniffer
Change .rhosts file
JR: Lots of ways to change a .rhosts file - Trojan horse etc.
.rhosts mechanism should only be used by domain
Change .rhosts file only if logged in from that host already
Storing Data
May not want to store some data
Look at suspicious information only
Insider threat
Random security checks
Correlation used to reduce false positives
No different from signature detection - just a matter of scale
Reduce uncertainty with correlator
Miscorrelates - more false positives
Bad Correlation - links events that shouldn't be linked
Ultimate correlation
Assessing severity of attack
Cost model layered on top
Events related - common source
Look for evidence that links attacks
Generate predictions? Our domain knowledge will judge how well we correlate
Need an experimental control - random generator
Can't model the intent of attackers
Global Guard
Is the premise valid?
Is our approach worthwhile?
Describe normal activity?
MYCIN language, Calvin's work
Steven Cheung's misbehaving routers in MODEL language
Expressiveness of language an issue
Dropped table-based approach
For next Tuesday
JR and AS - Codebook and GrIDS rulesets - worm - distinguish normal activity
SC - Fit malicious router into Codebook - Put in typology