November 16, 1998
3085 ENG II
In attendance:
Karl Levitt, David Klotz, David O’Brien, Jeff Rowe, Jason Schatz (arrived near end)

Topics: Causality Model vs Root Cause vs. GrIDS
IDIP View of an Attack Translated into Global Guard Terminology
    1. Jeff suggested creating a Causality Model
      1. The difference between correlation and causality was discussed.
        1. Things can be correlated with no causal relationship
        2. Identify links in causality events
        3. If there is a statistical correlation, then you can make assumptions about how to act.
        4. David Klotz suggested that you want a predictor; Jeff suggested that you want to document a chain of causality (as best as possible)
        5. It was mentioned that correlation might be more important than causality.
      2. Yemini’s theory of looking for the root cause was discussed.
      3. David O’Brien wanted to come to a deeper understanding than a causal relationship. He questioned what benefits would there be from determining a causal relationship?
        1. Source of attack - If a particular site is determined, you can take action against it.
        2. You can change events in the chain to break it.
        3. You can determine how an attack might spread.
        4. You can filter events coming in.
      4. GrIDS
        1. There is a causality assumption built into GrIDS
        2. GrIDS can incorrectly identify problems by:
          1. Using the wrong ruleset
          2. GrIDS can be spoofed
          3. GrIDS assumes causality when it puts together a chain of events
      5. David O’Brien demonstrates grouping attacks (assumption of correlation):

      6. IDS correctly identifies 3 attacks. Attacks 1 & 2 are related information warfare attacks. Attack 3 is some kid with warez on his Linux box.
      7. IDIP View of Relationship of Attacks. An attack is seen on A. Routers communicate with their neighbors, so A asks E if it saw the attack. It answers "Yes" and asks D, C, B, which answer "No," "No," and "Yes", respectively. It is possible to trace the attack back to its source, and local policy will determine what action is taken.
      8. Causality Chain in Global Guard Terms – breaking one link breaks the chain
      9. R2 cannot determine if there is an attack; it can only report whether it has seen the packet requested.
      10. David O’Brien asks if each piece of the system should look for a pathological packet. Jeff says Yes, eventually.
      11. David Klotz argues that the packet going through the router is not the cause of the alarm going off. The carrier is the cause of the alarm going off.
      12. David O’Brien has a problem with the granularity of the causality graphs.
      13. David O’Brien provides an example of the SMARTS system

  Symptoms (must be measurable):
    Fever 100-103 degrees
    Fever > 103 degrees
    Sore throat
    Back ache
    Morning sickness
    High white cell count
    Low blood sugar
    Tunnel vision
  Problems: P1 = flu, P2 = cold, P3 = Jeff's disease
  (The table marking which of these symptoms each of P1, P2 and P3 produces is not reproduced in these notes.)

Tunnel vision can be taken out because all 3 illnesses have it; you can't differentiate one disease from the other based on tunnel vision. Symptoms indicated with arrows (→) discern P1 from P2. Yemini would determine how much data you could lose and still be able to correctly diagnose the problem. You want to leave some redundancy.
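The neighbor-query trace-back described in item 7 (A asks E; E asks D, C and B; only routers that saw the packet are followed), written out as a small simulation. This is an added illustration, not code from the meeting or from IDIP; the topology, the routers' "seen" logs and the packet signature string are constructed to match the example in the notes, and each router answers only whether it saw the packet, never whether there was an attack (item 9).

```python
"""IDIP-style trace-back of an attack packet across cooperating routers.

Added illustration, not code from the meeting notes or from IDIP. The
topology and the 'seen' logs are constructed to match item 7: the attack is
detected at A, A's neighbor is E, E's other neighbors are D, C and B, and
only A, E and B logged the packet. Packet signatures are opaque strings here;
what a real router would key on is an assumption.
"""


class Router:
    """A router answers exactly one question: did you see this packet?
    It does not judge whether the packet is an attack (item 9)."""

    def __init__(self, name, neighbors, seen):
        self.name = name
        self.neighbors = list(neighbors)  # query order preserved
        self._seen = set(seen)            # packet signatures logged locally

    def saw(self, signature):
        return signature in self._seen


ATTACK_SIG = "pkt-sig-0001"  # constructed identifier for the pathological packet


def build_network():
    """Constructed topology: A-E, E-D, E-C, E-B. A, E and B logged the packet."""
    links = {"A": ["E"], "E": ["A", "D", "C", "B"], "D": ["E"], "C": ["E"], "B": ["E"]}
    logs = {"A": {ATTACK_SIG}, "E": {ATTACK_SIG}, "B": {ATTACK_SIG}, "C": set(), "D": set()}
    return {n: Router(n, links[n], logs[n]) for n in links}


def trace_back(net, start, signature):
    """Walk from the detecting router along neighbors that saw the packet.

    Returns (chains, transcript): every maximal chain of routers that saw the
    packet, and the (asker, asked, answer) exchanges in the order they were
    made. The last router in a chain is the one nearest the source; what is
    done there is local policy, not part of the trace."""
    transcript = []
    chains = []

    def walk(path):
        here = net[path[-1]]
        next_hops = []
        for n in here.neighbors:
            if n in path:          # never re-ask a router already on the chain
                continue
            answer = net[n].saw(signature)
            transcript.append((here.name, n, answer))
            if answer:
                next_hops.append(n)
        if not next_hops:
            chains.append(list(path))
        for n in next_hops:
            walk(path + [n])

    if not net[start].saw(signature):
        return [], transcript
    walk([start])
    return chains, transcript


def filter_points(chains):
    """Breaking one link breaks the chain (item 8): the router nearest the
    source in each chain is where a filter for this signature would go."""
    return sorted({chain[-1] for chain in chains})


if __name__ == "__main__":
    net = build_network()
    chains, transcript = trace_back(net, "A", ATTACK_SIG)
    for asker, asked, answer in transcript:
        print(f"{asker} asks {asked}: {'Yes' if answer else 'No'}")
    print("chains:", chains)
    print("filter at:", filter_points(chains))
```

Because a router only reports "seen" or "not seen", a chain says nothing about whether the packet was hostile; that judgment stays with the detector at A and with local policy at B. The walk also follows every neighbor that answers Yes, so a packet that traversed two paths yields two chains rather than a single guessed source.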
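The SMARTS example above, worked as a codebook: each problem is a codeword over the measurable symptoms, a symptom shared by every problem can be dropped, the "arrow" symptoms are the positions where two codewords differ, and the smallest distance between codewords says how many observations can be lost before a diagnosis becomes wrong. This is an added illustration, not code from the meeting, from SMARTS or from Yemini's work; the symptom-to-problem assignments are constructed, the only one taken from the notes being that tunnel vision appears under all three problems.

```python
"""Codebook-style fault correlation, after the SMARTS example in the notes.

Added illustration; not code from the meeting, from SMARTS, or from Yemini's
codebook work. The symptom/problem matrix is constructed: the only assignment
taken from the notes is that tunnel vision appears under all three problems.
"""
from itertools import combinations

SYMPTOMS = [
    "fever 100-103", "fever > 103", "sore throat", "back ache",
    "morning sickness", "high white cell count", "low blood sugar",
    "tunnel vision",
]

# Constructed codebook: the measurable symptoms each problem produces.
CODEBOOK = {
    "P1 (flu)": {"fever > 103", "sore throat", "back ache",
                 "high white cell count", "tunnel vision"},
    "P2 (cold)": {"fever 100-103", "sore throat", "tunnel vision"},
    "P3 (Jeff's disease)": {"morning sickness", "low blood sugar",
                            "tunnel vision"},
}


def codeword(problem, symptoms):
    """Bit vector over `symptoms`: 1 where the problem produces that symptom."""
    return tuple(1 if s in CODEBOOK[problem] else 0 for s in symptoms)


def hamming(a, b):
    return sum(x != y for x, y in zip(a, b))


def non_discriminating(symptoms=SYMPTOMS):
    """Symptoms present (or absent) for every problem; they never help a diagnosis."""
    return [s for s in symptoms
            if len({s in CODEBOOK[p] for p in CODEBOOK}) == 1]


def distinguishing(p, q):
    """The 'arrow' symptoms: those whose presence differs between p and q."""
    return sorted(CODEBOOK[p] ^ CODEBOOK[q])


def min_distance(symptoms):
    """Smallest Hamming distance between any two problem codewords over `symptoms`."""
    words = [codeword(p, symptoms) for p in CODEBOOK]
    return min(hamming(a, b) for a, b in combinations(words, 2))


def loss_tolerance(symptoms):
    """Observations that can be lost or garbled while nearest-codeword decoding
    still returns the right problem: floor((d - 1) / 2) for minimum distance d."""
    return (min_distance(symptoms) - 1) // 2


def diagnose(observed, symptoms=SYMPTOMS):
    """Nearest-codeword decoding of an observed symptom set.
    Returns (problem, distance); problem is None when two codewords tie."""
    obs = tuple(1 if s in observed else 0 for s in symptoms)
    ranked = sorted((hamming(obs, codeword(p, symptoms)), p) for p in CODEBOOK)
    (d0, p0), (d1, _) = ranked[0], ranked[1]
    return (None, d0) if d0 == d1 else (p0, d0)


def minimal_codebook(target_distance, symptoms=SYMPTOMS):
    """Smallest subset of symptoms whose codewords keep pairwise distance
    >= target_distance. target_distance=1 merely separates the problems;
    a larger value keeps the redundancy the notes say you want."""
    for k in range(1, len(symptoms) + 1):
        for subset in combinations(symptoms, k):
            if min_distance(subset) >= target_distance:
                return list(subset)
    return None


if __name__ == "__main__":
    print("drop:", non_discriminating())
    print("P1 vs P2 arrows:", distinguishing("P1 (flu)", "P2 (cold)"))
    print("min distance:", min_distance(SYMPTOMS), "tolerance:", loss_tolerance(SYMPTOMS))
    lossy = {"sore throat", "back ache", "high white cell count", "tunnel vision"}
    print("diagnosis with 'fever > 103' lost:", diagnose(lossy))
    print("minimal with redundancy 2:", minimal_codebook(2))
```

Dropping tunnel vision leaves every pairwise distance unchanged, which is the precise sense in which it carries no information. The same machinery applies to intrusion alarms: events become symptoms, attack hypotheses become codewords, and the minimum distance tells you how many dropped or spoofed sensor reports the correlator can absorb.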