December 8, 1998
3085 ENG II
3:15-5:00 p.m.
In attendance:
Karl Levitt (KL), David Klotz (DK), David O'Brien (DOB), Jeff Rowe (JR) and Steven Templeton (ST)

Global Guard Presentation at DARPA PI Meeting
    1. Global Guard Presentation at DARPA PI Meeting
      1. Scenarios – demonstrate kinds of correlations
        1. Root cause
        2. Put attack pieces together (Aggregation)
        3. Synthesis (putting things together) and Analysis (breaking things down)
      2. Scenario #1: Jeff’s scenario

      4. Scenario #2: Aggregation – missing link

      5. Scenario #3: Look at normal data to determine statistics of normal network activity
        1. ST: Generate a graph from activity on network
        2. ST: Find a commonality; then determine non-normal activity

        3. Need a large, efficient data structure that holds statistical information on selected features
        4. JR: Profile applications based on activity on network
        5. ST: Process as you go, create summaries, incremental
        6. KL: Can GrIDS help us generate the rules automatically?
          1. JR: Through a model of causality and Yemini’s rules, you can infer rules
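An added illustration of the incremental, per-application profiling sketched in Scenario #3 (example code written for these notes, not from GrIDS or Global Guard): running per-application summaries are updated one record at a time, then later activity is scored against them. The application labels, byte counts and the 3-sigma threshold are constructed assumptions.

```python
import math
from collections import defaultdict

# Constructed flow records (application, bytes transferred); not real traffic.
BASELINE = [("dns", 80), ("dns", 95), ("dns", 70), ("dns", 88), ("dns", 102),
            ("http", 4000), ("http", 5200), ("http", 3800), ("http", 6100), ("http", 4500)]
# Constructed later activity to score against the baseline.
NEW_RECORDS = [("dns", 90), ("dns", 9000), ("http", 4600), ("ftp", 1200)]


class IncrementalProfile:
    """Per-application running count, mean and variance (Welford's method),
    updated as records arrive so raw history need not be stored."""

    def __init__(self):
        self.stats = defaultdict(lambda: [0, 0.0, 0.0])  # n, mean, M2

    def update(self, app, value):
        s = self.stats[app]
        s[0] += 1
        delta = value - s[1]
        s[1] += delta / s[0]
        s[2] += delta * (value - s[1])

    def zscore(self, app, value):
        """Standard deviations from the application's mean; None if no baseline."""
        n, mean, m2 = self.stats[app]
        if n < 2:
            return None
        std = math.sqrt(m2 / (n - 1))
        if std == 0:
            return 0.0 if value == mean else math.inf
        return (value - mean) / std


def build_profile(records):
    profile = IncrementalProfile()
    for app, value in records:
        profile.update(app, value)
    return profile


def flag_anomalies(profile, records, threshold=3.0):
    """Return (app, value, z) for records outside the threshold or with no baseline."""
    flagged = []
    for app, value in records:
        z = profile.zscore(app, value)
        if z is None or abs(z) > threshold:
            flagged.append((app, value, z))
    return flagged
```

With the constructed data, the 9000-byte DNS flow and the never-seen "ftp" application are flagged, while the two flows close to their application's mean are not.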
      6. Scenario #4: Weak symptoms, missing data – Router broken into:
        1. Moved to T1 Backup
        2. Trace route: Traffic goes through EVIL.ORG
        3. RTR2 Audit Logs show Table Updated
        4. Check RTR1, put in anti-DOS filter
        5. Run IDIP, trace back to attacker
        6. Can we infer what the root cause is?

      7. Automated Response: enumerate all causes and responses
        1. Function for response needs data function
        2. IDIP codify into Yemini
        3. Why do we care about the cause?
          1. Find out the attack site
          2. Inform our neighbors
          3. Identify the exploited service and its capability to spread
          4. Identify the vulnerability to prevent it from happening again
          5. Stop current attack