December 1, 1998
3085 ENG II
9:00 - 10:00
In attendance:
Karl Levitt (KL), David Klotz (DK), David O'Brien (DOB), Jeff Rowe (JR), and Steven Templeton (ST)

Correlation → Discovery
Relation to Current IDS
Purpose of Correlation?
Next Meeting (Tuesday 8th)
    1. Correlation → Discovery
      1. ST: There is a problem with Correlation leading to discovery.
        1. Example: I have N urns, with K color marbles evenly distributed in the urns. I find that if I pull a black one out of one, then I will get a black one out of all of them. We have to find a way to heuristically beat this down.
      2. DOB: <C1, C2, C3, C4> – vector – want to encode some notion of this vector
        1. D = encoding of what you want to get out
        2. <C1, C2, C3, C4> (Pull vector) ⇒ Personality Pi
        3. Di = function(Pi, Di-1)
        4. O(NM) → O(M)
      3. Stuart’s Thumbprinting
        1. H1 → H2 → H3 → H4 → Attack world
          1. Thumbprint between each host access
        2. Cheap to compute and additive
      4. Generating Correlation vs. Covariance matrix (mean, standard deviation, covariance matrix)
      5. Random Sampling – confidence interval of result
      6. Node for every possible combination
      7. ST: Continuous variable – working off a mean, calculate covariance matrix based on the standard deviation
      8. ST: With discrete events the combinatorics explode.
        1. JR: Transform vector space to principal axis, ignore the rest
        2. ST: Not with discrete events
    2. KL: How this relates to current IDS through 1) attack signatures, 2) anomaly detection, 3) counts – thresholds on sweeps, SYN flooding, rules
      1. Carry 3 dimension to correlation
        1. Attack – multiple sites – combine signatures
        2. Joint Profiles – profile of 2 sites, attack on both or lots of connections from the outside (coordinated attack)
        3. Anomaly Detection – rules combine 2 activities with respect to profiles
        4. Preconditions – causal or correlation – 3 x 3 matrix
      2. KL: Setting thresholds: if it’s too high, you’ll miss some attacks; if it’s low, you’ll generate false positives
      3. DOB: Digging for correlation – no correlation engine
        1. KL: Pick off lowest hanging fruit. Attack with root kit on many sites, you can capture the attack.
        2. ST: Correlation through GrIDS, what is the next level up?
          1. KL: Missing data
          2. DOB: Correlation, grouping similar
          3. ST: Aggregation – knowing things go together
        3. ST: Need a logical statement that relates events without overstating them

    3. Purpose of Correlation?
      1. JR: Meta-classification into aggregated
      2. KL: 1) Prediction 2) Damage Assessment
      3. ST: Based on expert opinion. Codify what the expert expects to see. Normal profile
      4. DOB: Detectors – simple attacks: got root, root kit installed, SYN flood, source-routed packet, high network traffic, Land – source = destination at IP level
        1. Are these attacks or not?
        2. Treat the patient or determine the attacker?
          1. DOB: You need to know the root cause and how the condition came about, so you can prevent it in the future
    4. Next Meeting (Tuesday)
      1. Map Out Presentation for DARPA/PI Meeting
        1. Steven Cheung, Watchers, Jim Hoagland
        2. Global Guard – 10 minute discussion on purpose, scenarios, plans