GLOBAL GUARD MEETING
December 1, 1998
3085 ENG II
9:00 - 10:00
In attendance:
Karl Levitt (KL), David Klotz (DK), David O'Brien (DOB), Jeff Rowe
(JR), and Steven Templeton (ST)
TOPICS
Correlation → Discovery
Relation to Current IDS
Purpose of Correlation?
Next Meeting (Tuesday 8th)

Correlation → Discovery

- ST: There is a problem with correlation leading to discovery.
- Example: I have N urns, with K colors of marbles evenly distributed among the urns. I find that if I pull a black one out of one urn, then I will get a black one out of all of them. We have to find a way to heuristically beat this down.
- DOB: <C1, C2, C3, C4> vector; want to encode some notion of this vector.
- D = encoding of what you want to get out.
- <C1, C2, C3, C4> (pull vector) ⇒ personality Pi
- Di = function(Pi, Di-1)
- O(NM) → O(M)
- Stuart's Thumbprinting: H1 → H2 → H3 → H4 → attack world
- Thumbprint between each host access.
- Cheap to compute and additive.
- Generating correlation vs. covariance matrix (mean, standard deviation, covariance matrix).
- Random sampling: confidence interval of the result.
- Node for every possible combination.
- ST: Continuous variable: working off a mean, calculate the covariance matrix based on the standard deviation.
- ST: With discrete events the combinatorics explode.
- JR: Transform the vector space to the principal axes, ignore the rest.
- ST: Not with discrete events.

Relation to Current IDS

- KL: How this relates to current IDS through 1) attack signatures, 2) anomaly detection, 3) counts: thresholds on sweeps, SYN flooding, rules.
- Carry the 3 dimensions over to correlation.
- Attack on multiple sites: combine signatures.
- Joint profiles: profile of 2 sites, attack on both or lots of connections from the outside (coordinated attack).
- Anomaly detection: rules combine 2 activities with respect to profiles.
- Preconditions: causal or correlation; 3 x 3 matrix.
- KL: Setting thresholds: if it's too high, you'll miss some attacks; if it's too low, you'll generate false positives.
- DOB: Digging for correlation; no correlation engine.
- KL: Pick off the lowest-hanging fruit. Attack with a root kit on many sites; you can capture the attack.
- ST: Correlation through GrIDS; what is the next level up?
- KL: Missing data.
- DOB: Correlation: grouping similar things.
- ST: Aggregation: knowing things go together.
- ST: Need a logical statement that relates events without overstating them.

Purpose of Correlation?

- JR: Meta-classification into aggregates.
- KL: 1) Prediction, 2) Damage assessment.
- ST: Based on expert opinion. Codify what the expert expects to see. Normal profile.
- DOB: Detectors for simple attacks: got root, root kit installed, SYN flood, source-routed packet, high network traffic, Land (source = destination at the IP level).
- Are these attacks or not?
- Treat the patient or determine the attacker?
- DOB: You need to know the root cause and how the condition came about, so you can prevent it in the future.

Next Meeting (Tuesday)

- Map out the presentation for the DARPA/PI meeting.
- Steven Cheung, Watchers, Jim Hoagland.
- Global Guard: 10-minute discussion on purpose, scenarios, plans.