Thursday, September 9, 1999
3085 EU II

In attendance:
Karl Levitt (KL), Steven Cheung (SC), Aaron Stearns (AS), Rick Crawford (RC), David O'Brien (DOB), Marcus Tylutki (MT) and Steven Templeton (ST)

    1. GrIDS, Tripwire
      1. Combining partial specifications of attacks with learning
      2. Low detect distributed sweep - temporally related
        1. Difficult to force GrIDS to monitor
        2. Avoid false positives and negatives
          1. Lower threshold individually
          2. Password guessing
      3. ST: Testing GrIDS - port scans of seclab
        1. Each host did random ports to random seclab hosts
        2. GrIDS saw connects to all ports, but didn't do anything
        3. Not enough activity to detect
        4. KL: Could show up in JIGSAW - used to express correlation possibilities
          1. Distributed port scanning
          2. Correlation property - additional concept - individual port scan objects
        5. ST: Correlation with Kuang
          1. Looking for vulnerabilities - backward chaining to look for goals.
          2. Create abstract model that represents attack interactions
          3. Drive policy/analysis system
    2. Proposal Agenda
      1. KL: Attack Reasoning Workbench - thoughts by noon tomorrow.
        1. Attack descriptions, reason about them in isolation, how do they affect policy, script that runs attack (CLIPS or CYC) - don't commit to either.
        2. Large Database triggers concepts.
        3. SQL query - match trigger - sends off an alert
          1. Database table for each message type
          2. Explicitly define message
          3. Table for each possible message
          4. Nice model, but triggers are slow
          5. RC: Quicker or easier to watch efficient query, secondary storage, index for rules that use a fact
    3. Assignments
      1. RC - NetSTAT - Dick Kemmerer
        1. Inflated claims that couldn't be substantiated
        2. State transition analysis workbench for people to look for signature or ruleset, library of events or rulesets. Handcrafted, characterized our network states.
        3. Correlation - have scenario graph set up beforehand, message passed at link level - describe ongoing TCP connect - precondition
        4. ST: UCDP spoofing attack - MAC address couldn't come from where it claims - wrong side of the router
        5. RC: Assertions about state transitions - static and dynamic, theoretical and practical
        6. ST: Similar to Calvin's work. Network traffic, host-based.
          1. Sniffers go through filters; sensors look for certain reports to come in. UCP spoofing attack - at link level (below where we detect attacks). Feed into EMERALD. Matching capabilities to requirements.
      2. SC - PBest - 1999 Oakland Conference
        1. Use system to make old IDES, NIDES, EMERALD. PBest generates an inference engine. Signature based intrusion detection. Forward chaining - not a lot of attack concepts.
        2. Three attacks
          1. Password guessing
          2. SYN flooding TCP - build abstraction from half-open connections
          3. Buffer Overflow attacks - heuristics to detect attacks involve exact system protocols
        3. Compiles ruleset, generates C program
          1. Part of a larger attack
          2. Simple language - nice interface to C language library functions
            1. Can be interfaced with other C programs
            2. Dynamically activate/deactivate rule sets without human intervention
            3. RC: Reasoning about certain conditions - new network services - automatically bring up rulesets for web service
        4. Limitations
          1. No tolerance for incomplete or incorrect data
          2. Doesn't detect unknown attacks or combinations of known attacks.
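The two alerting models sketched under item 2 (Proposal Agenda: a table per message type with a trigger that fires an alert, versus an efficient indexed query over the same facts) and the per-source versus aggregate thresholds mentioned under item 1 (distributed sweep, password guessing) can be tried side by side. The following is an added illustration written for these notes, not code from the meeting, the workbench proposal or any of the systems discussed. The message type, the threshold of 3, the table layout and the sample login-failure rows are all constructed for the example; sqlite3 stands in for the large database.

```python
"""Added example: trigger-based vs. query-based alerting over a message table.

Schema, rule, threshold and sample rows are assumptions made for this
illustration; none of them come from the meeting notes or from a real system.
"""
import sqlite3

PASSWORD_GUESS_THRESHOLD = 3  # assumed: failures per (source, user) before alerting

SCHEMA = """
-- One table per message type, each message explicitly defined.
CREATE TABLE login_failure (
    id       INTEGER PRIMARY KEY,
    ts       REAL NOT NULL,
    src_host TEXT NOT NULL,
    username TEXT NOT NULL
);
-- Alerts produced by either model are stored here.
CREATE TABLE alert (
    id       INTEGER PRIMARY KEY,
    rule     TEXT NOT NULL,
    src_host TEXT,
    username TEXT NOT NULL,
    hits     INTEGER NOT NULL
);
"""

# Model 1: a trigger re-evaluates the rule on every insert. It raises exactly
# one alert when a (source, user) pair reaches the threshold. Re-counting on
# each message is the cost the notes refer to as "triggers are slow".
TRIGGER = f"""
CREATE TRIGGER password_guessing AFTER INSERT ON login_failure
BEGIN
    INSERT INTO alert (rule, src_host, username, hits)
    SELECT 'password_guessing', NEW.src_host, NEW.username, COUNT(*)
    FROM login_failure
    WHERE src_host = NEW.src_host AND username = NEW.username
    GROUP BY src_host, username
    HAVING COUNT(*) = {PASSWORD_GUESS_THRESHOLD};
END;
"""

# Model 2: index the fact the rule uses and run one efficient query on a schedule.
INDEX = "CREATE INDEX login_failure_src_user ON login_failure (src_host, username);"

# Constructed sample messages: (ts, src_host, username). One source hammers
# 'root'; three different sources each try 'admin' once (a distributed sweep).
SAMPLE_MESSAGES = [
    (1.0, "10.0.0.5", "root"), (2.0, "10.0.0.5", "root"),
    (3.0, "10.0.0.5", "root"), (4.0, "10.0.0.5", "root"),
    (5.0, "10.0.0.7", "bob"), (6.0, "10.0.0.7", "bob"),
    (7.0, "10.0.0.9", "alice"),
    (8.0, "10.0.0.1", "admin"), (9.0, "10.0.0.2", "admin"), (10.0, "10.0.0.3", "admin"),
]


def build_db(use_trigger: bool) -> sqlite3.Connection:
    """In-memory database with either the trigger model or the index model."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executescript(TRIGGER if use_trigger else INDEX)
    return conn


def ingest(conn: sqlite3.Connection, messages) -> None:
    """Insert sensor messages; under the trigger model alerts appear as a side effect."""
    conn.executemany(
        "INSERT INTO login_failure (ts, src_host, username) VALUES (?, ?, ?)", messages)
    conn.commit()


def trigger_alerts(conn: sqlite3.Connection):
    """Alerts the trigger has raised so far, as (src_host, username, hits)."""
    return conn.execute("SELECT src_host, username, hits FROM alert ORDER BY id").fetchall()


def query_alerts(conn: sqlite3.Connection, threshold: int = PASSWORD_GUESS_THRESHOLD):
    """Per-source rule evaluated as one indexed query: (src_host, username, count)."""
    return conn.execute(
        "SELECT src_host, username, COUNT(*) FROM login_failure "
        "GROUP BY src_host, username HAVING COUNT(*) >= ? ORDER BY src_host",
        (threshold,)).fetchall()


def query_alerts_by_user(conn: sqlite3.Connection, threshold: int = PASSWORD_GUESS_THRESHOLD):
    """Same threshold aggregated per user only, so guesses spread over many
    sources still add up: (username, count)."""
    return conn.execute(
        "SELECT username, COUNT(*) FROM login_failure "
        "GROUP BY username HAVING COUNT(*) >= ? ORDER BY username",
        (threshold,)).fetchall()


if __name__ == "__main__":
    trig = build_db(use_trigger=True)
    ingest(trig, SAMPLE_MESSAGES)
    print("trigger model:", trigger_alerts(trig))
    idx = build_db(use_trigger=False)
    ingest(idx, SAMPLE_MESSAGES)
    print("per-source query:", query_alerts(idx))
    print("per-user query:", query_alerts_by_user(idx))
```

The per-source rule, whichever model evaluates it, only sees the single source guessing `root`; the three single guesses at `admin` stay under the threshold individually and are only caught when the same facts are aggregated per user, which is the trade-off behind "lower threshold individually" in the discussion of distributed sweeps.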