Thursday, July 22, 1999
3085 EU II

In attendance:
Karl Levitt (KL), Steven Templeton (ST), Jeff Rowe (JR), Steven Cheung (SC), Aaron Stearns (AS), Rick Crawford (RC), Marcus Tylutki, and David O'Brien

Interface Node: Resource {

Relationshipset ConnectedVia, Link, ConnectedTo;


Interface Link: Resource {

Relationshipset ConnectedTo, Node, ConnectedVia;


Interface WormNode: Node {

Attribute IPAddress;

Relationshipset PropagatedFrom, WormNode PropagatedTo;

Relationshipset PropagatedTo, WormNode, PropagatedFrom;


    1. Worm in Model Language
      1. JR: You can pass up events, but no attributed at a higher level
        1. SC: You can specify source and destination
        2. SC: Hard to determine if a node is infected or not
        3. ST: Need Parent/Ancestor Relation
        4. JR: Define worm object in GrIDS, determine description, tables of hosts; assume links
        5. KL: Model event forming a graph
      2. DOB: Are there UML tools that exist to do this?
        1. Propagate symptoms
        2. Worm - problem with detectable symptoms
        3. Object is network or host; number of objects compromised
        4. UML - better documented, and supported
        5. KL: UML - too heavy weight and too expressive
      3. RC: If you use MODEL you need several layers of engines
      4. How to make a worm into objects: worm is a graph, nodes - host, link - network connection
        1. Method - Add/Remote Node
        2. Attributes - size, speed, how it spreads, vulnerability exploits
    2. Codebook
      1. DOB: Is it reasonable to do codebook given the worm example?
        1. ST: First-order logic statements for worm - ordering, temporal issues
          1. Propositional logic
        2. RC: Flaw in codebook approach to a worm.
        3. JR: Codebook good for missing data and redundancy problem.
        4. DOB: Codebook presentation of facts to correlator
          1. Use GrIDS to detect correlator for worms
          2. Rules can get too specific
            1. For some attacks - need detailed information
            2. Do redundancy in GrIDS - only assess connected graphs
          3. Commonotoric logic, Propositional logic - won't handle distance measures
          4. Codebook might be fine at a higher level - lower level need GrIDS or other.
      2. Advantages of Codebook
        1. RC: Efficiency, circle of confusion detecting code instrumentation,
        2. Off-line static mode - configuration analysis
        3. Use GrIDS for real-time IDS
        4. Lack of expressiveness is a drawback of codebook
        5. Codebook tells us features to distinguish between attacks
      3. Worm in CIDF
        ByMeansOf {
        Connection D-->E;
        Common Cause {
        Connection E-->F;
        Connection E-->G;
        1. SC: How do you put semantics in? How do you correlate? What is implied in "by means of"?
      4. Classification of attacks with general rules
        1. Objects in UML
        2. Distributed coordinated Attacks
          1. Hierarchical description of attacks
          2. General class of DoS
          3. Taxonomy that's executable
    3. For next week
      1. Write down Examples in Technical English
      2. Work in two groups