INTEL GROUP MEETING
December 2, 1998
9:00 – 10:00
3085 ENG II

In attendance: Jim Hoagland (JH), Steven Templeton (ST), Chris Wee (CW)

TOPICS
- Intel Projects
- How to convert LaSCO to GrIDS
- Chris Wee’s Proposal
Intel Projects
- Matt – Vulnerabilities Analysis
- Chris Wee – Misuse Detection / Auditing Records
- Jim – Policy to Enforcement – LaSCO --> GrIDS
How to Convert LaSCO to GrIDS
- ST: Consider dumping GrIDS rules.
- ST: Using network activity, determine what is normal, then dynamically adjust the parameters for rulesets. The system administrator corrects the rules for any false positives. He makes changes to the original rules for better performance.
- ST: Network Activity – Temporal Logic Statement
- Modify rules in whatever format that’s convenient for the rules – map to GrIDS later.
- JH: Edge report – Enforcing LaSCO rules in GrIDS – ruleset builds up partial matches to policy graph. From partial matches, come to a general conclusion.
- ST: Look for type of structure; template, undefined pieces. Define pieces as they come in; treat undefined pieces as missing data/information and generalize conclusion.
- ST: What is a general graph template?
- JH: A fixed topological structure.
- Example: Portscan graph – there is a pair of nodes with 5 edges in between. Node in each port in variable; check to make sure ports are different.
- JH: If GrIDS had a notion of a template to put node/entry points in, that would be good because LaSCO already has a template.
- ST: Use CLIPS instead of GrIDS rules. In CLIPS, the templates can be general or specific. It tries to match each fact in parallel; adjusts level of substantiation building templates.
- Map GrIDS and LaSCO to a standard moderate-performance system (i.e. CLIPS).
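The portscan graph template discussed in this section (a pair of nodes with 5 edges between them, the port on each edge a variable, all ports required to differ) and the idea of a ruleset building up partial matches to a policy graph, worked through as an added Python example. This is illustrative code written for these minutes, not code from GrIDS, LaSCO or CLIPS; the connection records are constructed sample values, and the partial-match counters and the 5-edge threshold constant are this example's own assumptions about how such a template would be represented.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample of connection records (source host, destination host,
# destination port). Made-up values for this example, not data from the meeting.
SAMPLE_EDGES: List[Tuple[str, str, int]] = [
    ("10.0.0.5", "10.0.0.9", 21),
    ("10.0.0.5", "10.0.0.9", 22),
    ("10.0.0.5", "10.0.0.9", 23),
    ("10.0.0.5", "10.0.0.9", 25),
    ("10.0.0.5", "10.0.0.9", 80),
    ("10.0.0.5", "10.0.0.9", 80),    # repeated port: the template's port variables must differ
    ("10.0.0.7", "10.0.0.9", 80),
    ("10.0.0.7", "10.0.0.9", 80),
    ("10.0.0.7", "10.0.0.9", 80),    # busy web client: many edges, only one distinct port
    ("10.0.0.8", "10.0.0.9", 22),
    ("10.0.0.8", "10.0.0.9", 443),
    ("10.0.0.8", "10.0.0.9", 8080),  # three distinct ports: a partial match, not yet a portscan
]

# Template from the minutes: a pair of nodes with 5 edges between them, where the
# port on each edge is a variable and all bound ports must be different.
PORTSCAN_EDGE_COUNT = 5

HostPair = Tuple[str, str]


@dataclass
class TemplateMatch:
    """Partial or complete binding of one host pair to the portscan template."""
    src: str
    dst: str
    required: int
    bound_ports: List[int] = field(default_factory=list)

    @property
    def complete(self) -> bool:
        return len(self.bound_ports) >= self.required


def match_portscan_template(edges, required: int = PORTSCAN_EDGE_COUNT) -> Dict[HostPair, TemplateMatch]:
    """Feed edges to the template one at a time, building up a partial match per
    (src, dst) pair. A port already bound on that pair does not advance the match,
    which is how the 'ports are different' constraint is enforced."""
    matches: Dict[HostPair, TemplateMatch] = {}
    for src, dst, dport in edges:
        pair = (src, dst)
        m = matches.get(pair)
        if m is None:
            m = TemplateMatch(src, dst, required)
            matches[pair] = m
        if dport not in m.bound_ports:
            m.bound_ports.append(dport)
    return matches


def complete_matches(edges, required: int = PORTSCAN_EDGE_COUNT) -> List[HostPair]:
    """Host pairs whose edges fully instantiate the template (the alert-worthy ones)."""
    return sorted(p for p, m in match_portscan_template(edges, required).items() if m.complete)


def partial_matches(edges, required: int = PORTSCAN_EDGE_COUNT) -> Dict[HostPair, int]:
    """Host pairs still short of the template, with the number of distinct ports bound so far.
    This is the 'partial match' state a ruleset would carry forward as more edges arrive."""
    return {p: len(m.bound_ports)
            for p, m in match_portscan_template(edges, required).items()
            if not m.complete}


if __name__ == "__main__":
    for pair in complete_matches(SAMPLE_EDGES):
        print("portscan template matched:", pair)
    for pair, n in partial_matches(SAMPLE_EDGES).items():
        print(f"partial match {pair}: {n}/{PORTSCAN_EDGE_COUNT} distinct ports bound")
```

On the sample above only the 10.0.0.5 pair completes the template; the repeated web connections from 10.0.0.7 never advance past one bound port, which is the distinct-ports check doing its job, and 10.0.0.8 sits at three of five. Lowering `required` generalizes the template to smaller scans, at the cost of more false positives of the kind the administrator would then have to correct.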
Chris Wee’s Proposal
- CW: Negotiate policy between agents; dynamically evolve rules.
- Set up 2 firewalls that keep rules synchronized.
- Set up an algorithm to decide whether or not to change the rules.
- Each host knows each other’s rules by communication.
- Two ways to refuse service – 1) deny and 2) reject.
- One method drops the packet and keeps quiet (TCP connection is open); the other sends back a reset.
- ST: Remap connections – not a service we allow – ignore sequence numbers and only have to keep 1 port open.
- CW: David O’Brien remaps unknown connections to port-sucker.
- Web-server timeout period when connection is dropped. Network grinds to a halt when there are millions of connections.