GLOBAL GUARD MEETING
November 17, 1998
3085 ENG II
9:00 – 10:00

  In attendance:
Karl Levitt (KL), David O’Brien (DOB), Jeff Rowe (JR), and Steven Templeton (ST)

Topics:

Summary of Previous Meeting
Continued Discussion on Causality
How to Translate Causality into the Codebook
 
    1. Summary of Previous Meeting (on Nov 16th)
      1. ST: If action is taken because of something, it’s a causal relationship. It comes down to what level of granularity you’re willing to work with. The coarser the granularity, the larger the potential for error.
    2. ST: In the Redux model there are subsets of features that are discernible between classes but indiscernible within a class.
      1. Set of rules based on Redux, each rule votes once and may have a weighted value.
      2. DOB: Compression – as you go up the tree chart, compress everything you’ve seen before for faster lookup tables.
      3. Encoding the causal relationship – with given symptoms, you can identify the cause.
    3. DOB: You can detect attacks at first router. Causality is only interesting if you want to know where the attack is coming from.
      1. ST: The attack doesn’t affect the carrier – the carrier doesn’t have any symptoms generated, but there is an effect (sniffer and other alarms are triggered)
      2. ST: Correlation – an indirect cascade of things happen before you get a fever, for example. Don’t worry about the intermediate steps.
        1. If the goal is to identify the source, then you need to know the causality chain
        2. If the goal is to know how the attack is done, then the causality chain is irrelevant.
      3. The proper response to an attack is:
        1. Stop the effects of an attack
        2. Shoot back at the attacker (secondary)
      4. With the current infrastructure, it’s difficult to trace back to the attacker
    4. The Global Guard list of people involved is huge and includes Columbia University (SMARTS system) and USC.

    6. Intrusion Detection System – existing system with network operators
      1. Network Management – denial-of-service attacks augment their matrix
      2. JR: You have to reduce it down to Yes/No Questions
        1. ST: There is an infinite set of features that can’t be turned into binary.
        2. DOB: In network management, they want to tell you that you have a problem and where it is.
          1. We need enough features to discern attacks from network problems
          2. We’d like to determine the next attack before it happens.
            1. Within vulnerabilities, find the next closest category of attack (e.g., buffer overflow, SYN flood)
            2. Determine the past behavior of the attacker to help predict what happens next
        3. ST: Denial of service or other attacks – monitor and defend
          1. Definition of prediction: events that are expected to occur, or are reasonable and likely, based on the past behavior of the attacker or our current knowledge of attacks
        4. DOB: Need a higher meaning for the attack. Is it a single attack constructed of two events or are there two separate attacks?
          1. DOB: Definition of an attack: there is an attack if the local security policy says there is an attack. The policy will define an attack as misuse, access to proprietary data, etc.
        5. Security Policy vs. Acceptable Use Policy (doesn’t include security specifications)
    7. Security is too multi-faceted
      1. Denial of service
      2. Integrity, Confidentiality, Availability, Non-repudiation of identity/receipt, Authenticity
      3. How do you determine if spam is an attack or just some idiot?
        1. JR: Intent of the spam
      4. ST: Taxonomy of attacks
      5. DOB: Focus on network-based attacks, not on host-based attacks
      6. JR: You have to detect all attacks, whether it’s a false alarm or not – willingness/intent
        1. We’re building the cop, the investigative mechanism, not the judge.
    8. How does causality come into the codebook?
      1. If there’s an attack on IP, with symptoms at TCP and in the applications
      2. Model what symptoms network management should have observed, for example
    9. Next week Topics:
      1. How to include an attack in the codebook (binary).