GLOBAL GUARD MEETING
Thursday, September 2, 1999
3-4pm
3085 EU II
In attendance:
Karl Levitt (KL), Steven Cheung (SC), Aaron Stearns (AS), Rick Crawford (RC), David O'Brien (DOB), Marcus Tylutki (MT) and Steven Templeton (ST)
Proposals for BAA 99-33
Proposal work on a policy
Tie policy to system descriptions, reason about policy using CYC, project down to system configurations
Team with John DeSanto possibly
AS: Profile all users
Boeing - Cost Model
TIS - taking policy to describe missions (resource needed by particular tasks)
Attack language workbench - description of attacks
Signature - test out capabilities
Building a correlator
Mapping attacks to policy (how it affects resources)
Extension of Lincoln Lab - simulate attacks and the environment
Other names for attack language:
Attack planning
Adversary Simulator System
Incident Reasoning Workbench
Attack Scenario Analysis and Planning (ASAP)
ST Ideas
Math description of attack scenario - boost capabilities
Probabilities, level of success, autonomous agent, emergent behavior
Attack Language - causal, functional, compositional, sub-symbolic, statistical
Attack Language Teleconference
5-6 people (including Karl) will write a mission statement
Create website to post descriptions of attacks
Look at Lincoln Lab attacks
Write concepts for lower level attacks, correlate, add scenarios
Neptune, Teardrop (DoS on NT)
Assignments
Look at other people's work
RC: Dick Kemmerer (UCSB) - STAT - state transition analysis - recognizes streams
No initial state unless you bring the network down.
Signatures are hand-crafted and secret in a language
Preprocessor for audit data - fit in signature data
Don't change knowledge base - just preprocessor
MT: Look at Stanford work
SC: Look at P-BEST at SRI (Phil Porras's work)
DOB: Lincoln Lab attacks
ST: Code Lincoln Lab attacks in JIGSAW
AS: Look at translation into Jess or CLIPS
Everyone: Develop new scenarios and variants on existing scenarios for multi-stage attacks.