GLOBAL GUARD MEETING
Thursday, September 9, 1999
3-4pm
3085 EU II
In attendance:
Karl Levitt (KL), Steven Cheung (SC), Aaron Stearns (AS), Rick Crawford (RC), David O'Brien (DOB), Marcus Tylutki (MT) and Steven Templeton
GrIDS, Tripwire
Combining partial specifications of attacks with learning
Low detect distributed sweep - temporally related
Difficult to force GrIDS to monitor
Avoid false positives and negatives
Lower threshold individually
Password guessing
ST: Testing GrIDS - port scans of seclab
Each host did random ports to random seclab hosts
GrIDS saw connects to all ports, but didn't do anything
Not enough activity to detect
KL: Could show up in JIGSAW - used to express correlation possibilities
Distributed port scanning
Correlation property - additional concept - individual port scan objects
ST: Correlation with Kuang
Looking for vulnerabilities - backward chaining to look for goals.
Create abstract model that represents attack interactions
Drive policy/analysis system
Proposal Agenda
KL: Attack Reasoning Workbench - thoughts by noon tomorrow.
Attack descriptions, reason about them in isolation, how do they affect policy, script that runs attack (CLIPS or CYC) - don't commit to either.
Large database trigger concepts.
SQL query - match trigger - sends off an alert
Database table for each message type
Explicitly define message
Table for each possible message
Nice model, but triggers are slow
RC: Quicker or easier to watch efficient query, secondary storage, index for rules that use a fact
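The trigger model sketched in the notes above (one table per message type, a trigger whose query matches and raises an alert) and the indexed-query alternative RC raises, as an added example using SQLite; this is not code from the meeting or from Global Guard. The message types, the 60-second window, the threshold of five failures and the sample events are all constructed for the illustration.

```python
"""One table per message type; a trigger on the table matches a query and
raises an alert. Added example in the spirit of the meeting notes; tables,
thresholds and events are constructed, not from any Global Guard system."""
import sqlite3

# Constructed parameters: alert on the 5th failure from one source in 60s.
PASSWORD_GUESS_THRESHOLD = 5
WINDOW_SECONDS = 60

MESSAGE_TABLES = {"login_failure", "tcp_connect"}   # one table per message type

SCHEMA = f"""
CREATE TABLE login_failure (ts INTEGER, src TEXT, user TEXT);
CREATE TABLE tcp_connect  (ts INTEGER, src TEXT, dst TEXT, dport INTEGER);
CREATE TABLE alerts       (ts INTEGER, kind TEXT, src TEXT, detail TEXT);

-- Index so the trigger's query uses (src, ts) instead of scanning the table.
CREATE INDEX login_failure_src ON login_failure (src, ts);

-- The trigger: after each insert run the matching query; when it matches and
-- no alert for this source is already open in the window, raise one alert.
CREATE TRIGGER password_guessing AFTER INSERT ON login_failure
WHEN (SELECT COUNT(*) FROM login_failure
      WHERE src = NEW.src
        AND ts BETWEEN NEW.ts - {WINDOW_SECONDS} AND NEW.ts) >= {PASSWORD_GUESS_THRESHOLD}
 AND NOT EXISTS (SELECT 1 FROM alerts
                 WHERE kind = 'password_guessing' AND src = NEW.src
                   AND ts > NEW.ts - {WINDOW_SECONDS})
BEGIN
  INSERT INTO alerts VALUES (NEW.ts, 'password_guessing', NEW.src,
                             '{PASSWORD_GUESS_THRESHOLD} failures within {WINDOW_SECONDS}s');
END;
"""

# Constructed sample messages: (table, row). Six failures from 10.0.0.5,
# two from 10.0.0.9, plus a few unrelated connection records.
SAMPLE_EVENTS = [
    ("login_failure", (100, "10.0.0.5", "root")),
    ("login_failure", (101, "10.0.0.5", "root")),
    ("login_failure", (102, "10.0.0.5", "admin")),
    ("login_failure", (103, "10.0.0.5", "root")),
    ("login_failure", (104, "10.0.0.5", "root")),   # 5th failure: trigger fires
    ("login_failure", (105, "10.0.0.5", "root")),   # 6th: suppressed, alert open
    ("login_failure", (110, "10.0.0.9", "guest")),
    ("login_failure", (140, "10.0.0.9", "guest")),
    ("tcp_connect", (100, "10.0.0.5", "10.0.0.1", 22)),
    ("tcp_connect", (111, "10.0.0.9", "10.0.0.1", 80)),
]


def open_db():
    """Create the per-message-type tables, the alert table and the trigger."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def load_events(conn, events):
    """Insert each message into its own table; the trigger does the matching."""
    for table, row in events:
        if table not in MESSAGE_TABLES:          # table names are not user data
            raise ValueError(f"unknown message type {table!r}")
        placeholders = ",".join("?" * len(row))
        conn.execute(f"INSERT INTO {table} VALUES ({placeholders})", row)
    conn.commit()


def alerts(conn):
    """Alerts raised by the trigger, oldest first."""
    return conn.execute(
        "SELECT ts, kind, src, detail FROM alerts ORDER BY ts").fetchall()


def batch_detect(conn, window=WINDOW_SECONDS, threshold=PASSWORD_GUESS_THRESHOLD):
    """The same detection as a single indexed query run after the fact, the
    cheaper alternative to per-insert triggers; returns (src, first_ts)."""
    return conn.execute("""
        SELECT src, MIN(ts) FROM (
            SELECT a.src AS src, a.ts AS ts
            FROM login_failure a JOIN login_failure b
              ON b.src = a.src AND b.ts BETWEEN a.ts - ? AND a.ts
            GROUP BY a.src, a.ts
            HAVING COUNT(*) >= ?)
        GROUP BY src ORDER BY src""", (window, threshold)).fetchall()


if __name__ == "__main__":
    db = open_db()
    load_events(db, SAMPLE_EVENTS)
    print("trigger alerts:", alerts(db))
    print("batch query:   ", batch_detect(db))
```

The NOT EXISTS clause is what keeps the trigger from raising a fresh alert on every insert once the threshold is passed; without it the sixth, seventh and later failures would each produce a duplicate. The batch query reaches the same conclusion with one pass over the indexed table, which is the trade-off the notes record: triggers evaluate on every message, a periodic query pays the cost once.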
Assignments
RC - NetSTAT - Dick Kemmerer
Inflated claims that couldn't be substantiated
State transition analysis workbench for people to look for signature or ruleset, library of events or rulesets. Handcrafted, characterized our network states.
Correlation - have scenario graph set up beforehand, message passed at link level - describe ongoing TCP connect - precondition
ST: UCDP spoofing attack - MAC address couldn't come from where it claims - wrong side of the router
RC: Assertions about state transitions - static and dynamic, theoretical and practical
ST: Similar to Calvin's work. Network traffic, host-based.
Sniffers go through filters; sensors look for certain reports to come in. UCP spoofing attack - at link level (below where we detect attacks). Feed into EMERALD. Matching capabilities to requirements.
SC - PBest - 1999 Oakland Conference
System used to build the old IDES, NIDES, EMERALD. PBest generates an inference engine. Signature based intrusion detection. Forward chaining - not a lot of attack concepts.
Three attacks
Password guessing
SYN flooding TCP - build abstraction from half-open connections
Buffer Overflow attacks - heuristics to detect attacks involve exact system protocols
Compiles ruleset, generates C program
Part of a larger attack
Simple language - nice interface to C language library functions
Can be interfaced with other C programs
Dynamically activate/deactivate rule sets without human intervention
RC: Reasoning about certain conditions - new network services - automatically bring up rulesets for web service
Limitations
No tolerance for incomplete or incorrect data
Doesn't detect unknown attack or combination of known attacks.
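To make the forward-chaining model concrete, here is an added toy rule engine in Python that mirrors the PBest points recorded above: rules fire on asserted facts and derive new ones to a fixpoint, a SYN-flood rule works from a half-open-connection abstraction, a password-guessing rule counts failures per source, and rule sets are activated without human intervention when a new network service appears (RC's point). This is not PBest code and not from the meeting; PBest compiles its rules to C, whereas this interprets them. The thresholds, fact shapes and sample events are constructed.

```python
"""Toy forward-chaining engine illustrating the PBest notes. Added example,
not PBest or Global Guard code; thresholds and facts are constructed."""
from collections import Counter

SYN_FLOOD_THRESHOLD = 3   # constructed: half-open connections per (dst, port)
GUESS_THRESHOLD = 4       # constructed: failed logins per source


def of(engine, kind):
    """All facts of one kind. Facts are tuples whose first element is the kind."""
    return [f for f in engine.facts if f[0] == kind]


class Engine:
    def __init__(self):
        self.facts = set()
        self.rulesets = {}     # name -> list of rule functions
        self.active = set()    # names of rule sets currently firing

    def add_ruleset(self, name, rules, active=True):
        self.rulesets[name] = rules
        if active:
            self.active.add(name)

    def activate(self, name):
        self.active.add(name)

    def deactivate(self, name):
        # Stops further derivations; facts already derived are not retracted.
        self.active.discard(name)

    def assert_facts(self, facts):
        self.facts.update(facts)
        self.run()

    def run(self):
        """Forward chain: fire every active rule until no rule derives a new fact."""
        while True:
            new = set()
            for name in list(self.active):          # snapshot: rules may activate sets
                for rule in self.rulesets[name]:
                    new |= rule(self) - self.facts
            if not new:
                return
            self.facts |= new

    def alerts(self):
        return sorted(of(self, "alert"))


# --- rules: each takes the engine and returns the set of facts it derives ---

def rule_half_open(e):
    """Abstract a SYN with no matching ACK into a half_open fact."""
    acked = {(src, dst, dport) for _, _, src, dst, dport in of(e, "ack")}
    return {("half_open", src, dst, dport)
            for _, _, src, dst, dport in of(e, "syn")
            if (src, dst, dport) not in acked}


def rule_syn_flood(e):
    """Raise an alert when one (dst, port) accumulates enough half-open connections."""
    per_target = Counter((dst, dport) for _, _, dst, dport in of(e, "half_open"))
    return {("alert", "syn_flood", f"{dst}:{dport}")
            for (dst, dport), n in per_target.items() if n >= SYN_FLOOD_THRESHOLD}


def rule_password_guessing(e):
    per_src = Counter(src for _, _, src, _ in of(e, "login_failure"))
    return {("alert", "password_guessing", src)
            for src, n in per_src.items() if n >= GUESS_THRESHOLD}


def rule_service_brings_up_tcp(e):
    """A service coming up activates the tcp rule set; the derived fact records
    it and keeps the chaining loop going so the new set fires this run."""
    out = set()
    for _, host, port in of(e, "service_up"):
        e.activate("tcp")
        out.add(("ruleset_active", "tcp", host, port))
    return out


def build_engine():
    e = Engine()
    e.add_ruleset("auth", [rule_password_guessing])
    e.add_ruleset("tcp", [rule_half_open, rule_syn_flood], active=False)
    e.add_ruleset("meta", [rule_service_brings_up_tcp])
    return e


# Constructed sample facts: 4 failures from 10.0.0.7, 1 from 10.0.0.8,
# 5 SYNs to 10.0.0.1:80 of which 2 complete, one completed SSH connection.
SAMPLE_EVENTS = {
    ("login_failure", 1, "10.0.0.7", "root"), ("login_failure", 2, "10.0.0.7", "root"),
    ("login_failure", 3, "10.0.0.7", "root"), ("login_failure", 4, "10.0.0.7", "admin"),
    ("login_failure", 5, "10.0.0.8", "guest"),
    ("syn", 10, "198.51.100.1", "10.0.0.1", 80), ("syn", 10, "198.51.100.2", "10.0.0.1", 80),
    ("syn", 11, "198.51.100.3", "10.0.0.1", 80), ("syn", 11, "198.51.100.4", "10.0.0.1", 80),
    ("ack", 12, "198.51.100.4", "10.0.0.1", 80),
    ("syn", 12, "198.51.100.5", "10.0.0.1", 80), ("ack", 13, "198.51.100.5", "10.0.0.1", 80),
    ("syn", 14, "10.0.0.9", "10.0.0.1", 22), ("ack", 14, "10.0.0.9", "10.0.0.1", 22),
}

if __name__ == "__main__":
    eng = build_engine()
    eng.assert_facts(SAMPLE_EVENTS)
    print("before service_up:", eng.alerts())       # only password guessing
    eng.assert_facts({("service_up", "10.0.0.1", 80)})
    print("after service_up: ", eng.alerts())       # tcp rules now active: syn_flood too
```

Two of the limitations listed for PBest show up directly in this sketch: a fact that never arrives (a lost ACK) silently becomes a half-open connection, so the engine has no tolerance for incomplete data, and every alert is a pre-written signature, so a combination of events not spelled out as a rule is never detected.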