INTEL GROUP MEETING
December 2, 1998
9:00 – 10:00
3085 ENG II
In attendance:
Jim Hoagland (JH), Steven Templeton (ST), Chris Wee (CW)


TOPICS
Intel Projects
How to convert LaSCO to GrIDS
Chris Wee’s Proposal
    1. Intel Projects
      1. Matt – Vulnerabilities Analysis
      2. Chris Wee – Misuse Detection / Auditing Records
      3. Jim – Policy to Enforcement – LaSCO --> GrIDS
    2. How to Convert LaSCO to GrIDS
      1. ST: Consider dumping GrIDS rules
      2. ST: Using network activity, determine what is normal, then dynamically adjust the parameters for rulesets. The system administrator corrects the rules for any false positives. He makes changes to the original rules for better performance
      3. ST: Network Activity – Temporal Logic Statement
        1. Modify rules in whatever format that’s convenient for the rules – map to GrIDS later
      4. JH: Edge report – Enforcing LaSCO rules in GrIDS – ruleset builds up partial matches to policy graph. From partial matches, come to a general conclusion
      5. ST: Look for type of structure; template, undefined pieces. Define pieces as they come in; treat undefined pieces as missing data/information and generalize conclusion.
      6. ST: What is a general graph template?
        1. JH: A fixed topological structure
        2. Example: Portscan graph – there is a pair of nodes with 5 edges in between. The port on each edge is a variable; check to make sure the ports are different.
        3. JH: If GrIDS had a notion of a template to put node/entry points in, that would be good because LaSCO already has a template
      7. ST: Use CLIPS instead of GrIDS rules. In CLIPS, the templates can be general or specific. It tries to match each fact in parallel; adjusts level of substantiation building templates.
        1. Map GrIDS and LaSCO to a standard moderate-performance system (i.e. CLIPS)
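The portscan template and the partial-match idea discussed above, as an added example that is not part of the meeting notes or of LaSCO, GrIDS or CLIPS: a pair of nodes is matched when at least five edges with distinct port variables have been bound between them, and a pair with fewer bound edges is reported as a partial match with the count of edges still missing. The activity tuples, host addresses and the threshold of five are constructed assumptions for the illustration.

```python
"""Added example: matching a fixed graph template (the portscan template from the
notes) against an activity graph. Written for these notes; not LaSCO, GrIDS or
CLIPS code. The (src, dst, port) activity format is an assumption."""
from collections import defaultdict

# Constructed sample of network activity: (source host, destination host, destination port).
SAMPLE_ACTIVITY = [
    ("10.0.0.5", "10.0.0.9", 21),
    ("10.0.0.5", "10.0.0.9", 22),
    ("10.0.0.5", "10.0.0.9", 23),
    ("10.0.0.5", "10.0.0.9", 25),
    ("10.0.0.5", "10.0.0.9", 80),
    ("10.0.0.5", "10.0.0.9", 80),   # same port again: does not bind a new edge
    ("10.0.0.7", "10.0.0.9", 80),
    ("10.0.0.7", "10.0.0.9", 443),
]


def build_edges(activity):
    """Group activity by node pair; each pair keeps the set of distinct ports
    seen between the nodes (the port on each edge is the template variable)."""
    edges = defaultdict(set)
    for src, dst, port in activity:
        edges[(src, dst)].add(port)
    return edges


def match_portscan_template(activity, min_distinct_ports=5):
    """Return the node pairs that fully match the template: a pair of nodes with
    at least `min_distinct_ports` edges between them, each bound to a different port."""
    edges = build_edges(activity)
    return sorted(pair for pair, ports in edges.items()
                  if len(ports) >= min_distinct_ports)


def partial_matches(activity, min_distinct_ports=5):
    """For every pair, report how many distinct-port edges are bound so far and
    how many are still missing before the template is complete; this is the
    'partial match to the policy graph' that a ruleset would build up over time."""
    edges = build_edges(activity)
    return {pair: {"bound": len(ports),
                   "missing": max(0, min_distinct_ports - len(ports))}
            for pair, ports in edges.items()}


if __name__ == "__main__":
    print("full matches:", match_portscan_template(SAMPLE_ACTIVITY))
    for pair, state in partial_matches(SAMPLE_ACTIVITY).items():
        print(pair, state)
```

Treating the port as the variable on each edge, rather than a fixed label, is what makes the template general: the same structure matches a scan of any five distinct ports, while repeated connections to one port never complete it.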
    3. Chris Wee’s Proposal
      1. CW: Negotiate policy between agents; dynamically evolve rules
        1. Set up 2 firewalls that keep rules synchronized
        2. Set up an algorithm to decide whether or not to change the rules
        3. Each host knows each other’s rules by communication
      2. Two ways to refuse service – 1) deny and 2) reject
        1. One method drops the packet and keeps quiet (TCP connection is open); the other sends back a reset
      3. ST: Remap connections – not a service we allow – ignore sequence numbers and only have to keep 1 port open
        1. CW: David O’Brien remaps unknown connections to port-sucker.
        2. Web-server timeout period when connection is dropped. Network grinds to a halt when there are millions of connections.