December 8, 1998
3085 ENG II
9:00 - 10:00
In attendance:
Karl Levitt (KL), David Klotz (DK), David O'Brien (DOB), and Jeff Rowe (JR)

PI Meeting Presentation Ideas
Paprika Attack
Additional Ideas for Global Guard
For Next Week’s PI Meeting
    1. PI Meeting Presentation Ideas
      1. KL: Viewgraphs and scenarios with correlation
      2. David O'Brien explains CIDF and potential direction for Global Guard

      3. DOB has concerns about:
        1. Yemini model – how many attacks it can detect
        2. Can’t express everything in terms of SEMS
        3. Build in Tripwire
        4. A problem with a single symptom creates a disconnected graph
      4. Global Guard takes the CIDF view; make a Smart Event Management System (SEMS) and detect the XYZ attack in the SEMS model
        1. Augment SEMS for intrusion detection and response
        2. Codebook
    2. Paprika Attack
      1. DOB: Linux machine attacked, causing network performance problems: response times were slow and packets were missing, caused by hackers overloading the routers
      2. SEMS would have misdiagnosed the problem as congested routers or a bad router card
      3. JR: Use sniffer, profile people’s traffic?
      4. DOB: Set threshold: machines using 80% of bandwidth over a 10-minute period. Our collision rates are too high.
      5. Causality chain leads to codebook. What if there is a problem that doesn’t have any redundancy in its symptoms?

      6. DOB: Use SEMS for things with a "natural fit."
        1. Will have to augment some problems
        2. Modeling language
      7. KL: Correlation attacks – formulate using SEMS?
      8. JR: Still use codebook approach to correlation
    3. Additional Ideas for Global Guard
      1. DOB: Correlation Aggregation
        1. Upper level A-Box to take in data sources
        2. A-box tripwire
      2. Aggregate codebook in Global Guard
      3. To reduce false positives, use multiple IDS
    4. For Next Week’s PI Meeting
      1. Roughly encode with SEMS by Friday
      2. Scenario → Causality Graph → Codebook
      3. Spend 5 minutes talking about why we need correlation
        1. SEMS – faster at rulesets than GrIDS because of the codebook
        2. SEMS has optimization
        3. GrIDS can’t do aggregation
      4. Codebook correlations and correlation of the correlations
      5. KL: Permutation matrix – redundancy level now, need for error detection
      6. Models
        1. Model generic attacks – network, host, DOS, protocol based (SYN-FLOOD)
          1. Multistage attack, coordinated attacks, distributed attacks
        2. DK: Model symptoms
        3. Model Attackers
          1. Certain symptoms he can change
          2. What symptoms he can make us see
          3. Attacker can make attack look like a network problem
          4. Attacker misleads – different host
      7. Assess IDS vulnerabilities based on attacks
      8. Embellish Paprika attack
      9. Piecing together attacks – hierarchical problem.
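Added worked example (not from the meeting or the Global Guard/SEMS code) of the codebook correlation discussed under items 2.5 and 4.5: a constructed problem/symptom matrix, nearest-row decoding, and the minimum Hamming distance as the codebook's redundancy level. The symptom names, the three problems and the bandwidth sampling units are assumptions chosen to mirror the Paprika discussion.

```python
from itertools import combinations
from statistics import mean

# Constructed toy codebook in the style discussed at the meeting (not the
# project's own SEMS data). Columns are symptoms, rows are problems; a 1
# means the problem is expected to produce that symptom.
SYMPTOMS = ["slow_response", "packet_loss", "high_collisions",
            "router_cpu_high", "card_errors", "host_over_80pct_bw"]

CODEBOOK = {
    "congested_router": [1, 1, 1, 1, 0, 0],
    "bad_router_card":  [1, 1, 0, 0, 1, 0],
    "paprika_dos":      [1, 1, 1, 0, 0, 1],  # only the bandwidth column sets it apart
}

def hamming(a, b):
    return sum(x != y for x, y in zip(a, b))

def min_distance(codebook):
    """Smallest pairwise Hamming distance between problem rows. A codebook
    with distance d detects up to d-1 wrong symptoms and corrects (d-1)//2."""
    return min(hamming(x, y) for x, y in combinations(codebook.values(), 2))

def drop_symptom(codebook, name):
    """Codebook as seen by a system that never collects `name` (e.g. SEMS
    without the bandwidth threshold)."""
    i = SYMPTOMS.index(name)
    return {p: row[:i] + row[i + 1:] for p, row in codebook.items()}

def decode(observed, codebook):
    """Nearest-row decoding: (problem, distance, ambiguous), where ambiguous
    means a second problem is equally close and the diagnosis is a guess."""
    ranked = sorted((hamming(observed, row), p) for p, row in codebook.items())
    (d0, best), (d1, _) = ranked[0], ranked[1]
    return best, d0, d0 == d1

def host_over_80pct_bw(utilisation, threshold=0.8, window=10):
    """The threshold from the minutes: mean utilisation of one host over the
    last `window` one-minute samples (assumed units) at or above `threshold`."""
    recent = utilisation[-window:]
    return int(len(recent) == window and mean(recent) >= threshold)

if __name__ == "__main__":
    # Paprika symptoms as SEMS alone would see them: no bandwidth symptom.
    print(decode([1, 1, 1, 0, 0, 0], CODEBOOK))          # tie with congested_router
    print(min_distance(drop_symptom(CODEBOOK, "host_over_80pct_bw")))  # 1: no error detection
    # With the 80%/10-minute threshold feeding a sixth symptom:
    print(decode([1, 1, 1, 0, 0, host_over_80pct_bw([0.9] * 10)], CODEBOOK))
    print(min_distance(CODEBOOK))                         # 2: one bad symptom is detectable
```

Without the bandwidth column the Paprika row is one symptom away from "congested router", which is the misdiagnosis noted in item 2.2; adding the column raises the minimum distance to 2, enough to detect a single missing or spurious symptom but not yet to correct it.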