Wednesday, July 28, 1999
3085 EU II

In attendance:

Karl Levitt (KL), Steven Templeton (ST), Steven Cheung (SC), Aaron Stearns (AS), Rick Crawford (RC) and Marcus Tylutki (MT)

    1. Agenda for Meeting
      1. Accomplish Concept Model
      2. Flesh out more Examples
      3. Generalizations
      4. Assignments
    2. Concept Model
      1. Higher level attacks with misbehaving routers - compromise router to allow other attacks to progress
      2. AS: Template for concept - syntactic description. Don't have to translate. Transformations to write CLIPS rules
      3. ST: Dynamic remapping of names - any attack has a maximum number of hosts
      4. RC: Demo - brings us back to the design - too much implementation
        1. AS: Show that the language has value - example of complex structure, definition of grammar
        2. ST: Attack that we haven't seen before
          1. Black hole/router
      5. Sami has BAA just on correlation
        1. KL: Kind of reasoning, complexity
          1. AS: Depends on how we build the grammar. If cyclic - don't have to trace again
          2. ST: Worm is cyclic
          3. RC: Difference between constant and instance of a constant
        2. KL: Error correction - if missing a sensor, as long as have other sensors, it doesn't matter.
      6. ST: "OR" is helpful - WHERE section must have "ORs"
        1. MT: 3 sensors - one response; 6 sensors - different response
        2. RC: Language takes directly into C or Perl. If get good constellation of concepts
          1. 2 concepts - high level concepts
          2. Specific attacks that we solve
          3. Genetic algorithm for imperative language
            1. AS: Genetic program - start altering classes
            2. RC: Rapid prototyping - genetic algorithms
            3. AS: Alteration and connection between classes; new classes
            4. RC: Suites of data - Lincoln Labs
            5. ST: Genetic Programs done with LISP - change values for constants
          4. Rearrange concepts
    3. Next Steps
      1. ACTION statement
        1. Turn on auditing, alert security, retarget sensors, patch vulnerability, etc.
        2. Sniffer detector - sends out an Ethernet frame whose destination MAC belongs to a machine not on the network, carrying a broadcast ping; only a host listening promiscuously sees and answers it. A smarter sniffer wouldn't respond to the ping.
        3. DNS - dummy names/IP addresses
    4. Assignments
      1. SC - work on DNS slides