Thursday, July 15, 1999
3085 EU II

In attendance:
Karl Levitt (KL), Steven Templeton (ST), Jeff Rowe (JR), Steven Cheung (SC), Aaron Stearns (AS), Rick Crawford (RC), Chris Wee (CW), and Nik Joshi (NJ)

    1. Meeting in Phoenix
      1. Significant progress in developing a language to correlate domain knowledge using MODEL or an extension of MODEL
        1. Attack description language, put things together
        2. Symptoms of attacks in programs
        3. Form processing - codebook
          1. CATL - computer attack transcription language
        4. How does it compare with CIDF?
          1. KL: CIDF doesn't do correlation
          2. JR: Doesn't have a relationship between objects
            1. RC: It can -- s-expressions.
          3. CW: CIDF has most of the semantics of the intrusion detection language.
      2. Schedule
      3. Distinguish project from Teknowledge -- lower level
    2. Example from paper that Karl and Steven are reviewing
      1. File handle guessing, info gathering, logging in
        1. Subvert client host - get file handle when transmitted legitimately to client
        2. Change authorization for logging in
        3. CW: Group under storage authorization/privileges
      2. Attempt to install a sniffer
      3. Change .rhosts file
        1. JR: Lots of ways to change an .rhosts file - Trojan horse, etc.
        2. The .rhosts mechanism should be usable only by domain
          1. Change the .rhosts file only if already logged in from that host
      4. Storing Data
        1. May not want to store some data
        2. Look at suspicious information only
        3. Insider threat
        4. Random security checks
      5. Correlation used to reduce false positives
        1. No different from signature detection - just a matter of scale
        2. Reduce uncertainty with correlator
          1. Miscorrelation - more false positives
          2. Bad Correlation - links events that shouldn't be linked
        3. Ultimate correlation
          1. Assessing severity of attack
          2. Cost model layered on top
          3. Events related - common source
          4. Look for evidence that links attacks
          5. Generate predictions? Our domain knowledge will judge how well we correlate
          6. Need an experimental control - random generator
          7. Can't model the intent of attackers
    3. Global Guard
      1. Is the premise valid?
      2. Is our approach worthwhile?
        1. Describe normal activity?
          1. MYCIN language, Calvin's work
    4. Steven Cheung's misbehaving routers in MODEL language
      1. Expressiveness of language an issue
      2. Dropped table-based approach
    5. For next Tuesday
      1. JR and AS - Codebook and GrIDS rulesets - worm - distinguish normal activity
      2. SC - Fit malicious router into Codebook - Put in typology
      3. RC - CIDF: encode in SIDs