GLOBAL GUARD MEETING
December 1, 1998
3085 ENG II
9:00 – 10:00
In attendance:
Karl Levitt (KL), David Klotz (DK), David O'Brien (DOB), Jeff Rowe
(JR), and Steven Templeton (ST)
TOPICS
Correlation → Discovery
Relation to Current IDS
Purpose of Correlation?
Next Meeting (Tuesday 8th)

Correlation → Discovery

ST: There is a problem with Correlation leading to discovery.

Example: I have N urns, with K colors of marbles evenly distributed in the
urns. I find that if I pull a black one out of one, then I will get a black
one out of all of them. We have to find a way to heuristically beat this
down.

DOB: <C_{1}, C_{2}, C_{3}, C_{4}> 
vector – want to encode some notion of this vector

D = encoding of what you want to get out

<C_{1}, C_{2}, C_{3}, C_{4}> (Pull vector)
⇒
Personality P_{i}

D_{i} = function (P_{i}D_{i1})

O(N^{M}) → O^{M}

Stuart’s Thumbprinting

H_{1} → H_{2} →
H_{3} → H_{4} →
Attack world

Thumbprint between each host access

Cheap to compute and additive

Generating Correlation vs. Covariance matrix (mean, standard deviation,
covariance matrix)

Random Sampling – confidence interval of result

Node for every possible combination

ST: Continuous variable – working off a mean, calculate covariance matrix
based on the standard deviation

ST: With discrete events the combinatorics explode.

JR: Transform vector space to principal axes, ignore the rest

ST: Not with discrete events

KL: How this relates to current IDS through 1) attack signatures,
2) anomaly detection, 3) counts – thresholds on sweeps, SYN flooding, rules

Carry the 3 dimensions over to correlation

Attack – multiple sites – combine signatures

Joint Profiles – profile of 2 sites, attack on both or lots of connections
from the outside (coordinated attack)

Anomaly Detection – rules combine 2 activities with respect to profiles

Preconditions – causal or correlation – 3 x 3 matrix

KL: Setting thresholds: if it’s too high, you’ll miss some attacks; if it’s
too low, you’ll generate false positives

DOB: Digging for correlation – no correlation engine

KL: Pick off lowest hanging fruit. Attack with root kit on many sites,
you can capture the attack.

ST: Correlation through GrIDS, what is the next level up?

KL: Missing data

DOB: Correlation, grouping similar

ST: Aggregation – knowing things go together

ST: Need a logical statement that relates events without overstating them

Purpose of Correlation?

JR: Metaclassification into aggregated

KL: 1) Prediction 2) Damage Assessment

ST: Based on expert opinion. Codify what the expert expects to see. Normal
profile

DOB: Detectors – simple attacks: got root, root kit installed, SYN flood,
source-routed packet, high network traffic, Land – source = destination
at IP level

Are these attacks or not?

Treat the patient or determine the attacker?

DOB: You need to know the root cause and how the condition came about,
so you can prevent it in the future

Next Meeting (Tuesday)

Map Out Presentation for DARPA/PI Meeting

Steven Cheung, Watchers, Jim Hoagland

Global Guard – 10 minute discussion on purpose, scenarios, plans