Thursday, September 2, 1999
3085 EU II

In attendance:
Karl Levitt (KL), Steven Cheung (SC), Aaron Stearns (AS), Rick Crawford (RC), David O'Brien (DOB), Marcus Tylutki (MT) and Steven Templeton (ST)

    1. Proposals for BAA 99-33
      1. Proposal work on a policy
        1. Tie policy to system descriptions, reason about policy using CYC, project down to system configurations
        2. Team with John DeSanto possibly
        3. AS: Profile all users
      2. Boeing - Cost Model
      3. TIS - taking policy to describe missions (resource needed by particular tasks)
      4. Attack language workbench - description of attacks
        1. Signature - test out capabilities
        2. Building a correlator
        3. Mapping attacks to policy (how it affects resources)
        4. Extension of Lincoln Labs - simulate attacks and the environment
        5. Other names for attack language:
          1. Attack planning
          2. Adversary Simulator System
          3. Incident Reasoning Workbench
          4. Attack Scenario Analysis and Planning (ASAP)
      5. ST Ideas
        1. Math description of attack scenario - boost capabilities
        2. Probabilities, level of success, autonomous agent, emergent behavior
        3. Attack Language - causal, functional, compositional, sub-symbolic, statistical
    2. Attack Language Teleconference
      1. 5-6 people (including Karl) will write a mission statement
      2. Create website to post descriptions of attacks
      3. Look at Lincoln Lab attacks
        1. Write concepts for lower level attacks, correlate, add scenarios
        2. Neptune, Teardrop (DoS on NT)

    3. Assignments
      1. Look at other people's work
        1. RC: Dick Kemmerer (UCSB) - STAT - state transition analysis - recognizes streams
          1. No initial state unless you bring the network down.
          2. Signatures are hand-crafted and secret in a language
          3. Preprocessor for audit data - fit in signature data
          4. Don't change knowledge base - just preprocessor
        2. MT: Look at Stanford work
        3. SC: Look at P-BEST at SRI (Phil Porras' work)
        4. DOB: Lincoln Lab attacks
      2. ST: Code Lincoln Lab attacks in JIGSAW
      3. AS: Look at translation into Jess or CLIPS
      4. Everyone: Develop new scenarios and variants on existing scenarios for multi-stage attacks.
        1. Internet worm
        2. Tsutomu attack
        3. Jeff worm