Agenda for Misuse Detection Project Meeting: Monday 08-Nov-96, 4-6pm

Med informatics survey (0:05) Raymond
	Who will attend & distribute since we're at CMAD IV.

Development environment (0:15) Steven
	NT server, NT workstation, technet and Office have arrived.
	Reflection X on hold until more details.
	Someone has to volunteer to order the H/W by a deadline.
	Programming tools.

Walnut Creek Hospital (0:10) Chris
	Julie contacts the hospital in Walnut Creek

KDD (0:20) Steven
	off the shelf packages?
	intrusion data from contest.

Detecting Misuse in Healthcare (0:20) Brant
	Chris presents paper; everyone provide feedback

Network Router Auditing: A toy problem? (0:20) Chris
	Brant presents paper; everyone provide feedback

08-Nov-96 Meeting Notes for Misuse Project

Attendees: Steven Templeton, Chris, Julie, Raymond, Brant, Karl
Notes taken by Brant Hashii
Meeting began @ 99:99 and ended @ 99:99.

Med informatics survey
The survey was sent to Leah and Hogarth. Leah will distribute it. Mike Hogarth - 2 med students doing a survey. We can piggyback with theirs. Steve will tabulate results.

Development environment
We have the software. Reflection X is about $300+, but David and Alan say they got it for about $100.
$10,000 left after notebook
Options: 1 server and 2 workstations?
not clear what we are going to do.
$6000 left for software and supplies (1000 spent)
should get a C compiler since we would also get the API interface, etc. Get the Microsoft compiler.
Can we get 3 machines instead of 2? Is 3 better than 2? Probably not. We won't be able to generate our own NT logs on our own network anyway.
Julie and Steven will order the hardware + programming tools.

Walnut Creek Hospital
Email to FOX news bounces back. The station apparently has no on-line connectivity. Julie will try the phone.


Detecting Misuse in Healthcare
Most rules given to us are not useful. "Info must be limited with a need to know." It's too high level. There is a huge body of policy that we still do not know. Integrity is also weak. For example, "limited pharmacists can change prices" is too ambiguous. How accurate must the policy be? We can make up our own and see how flexible we can be when changing policy. We can have the system generate its own rules. We need a generalization engine and inductive learning.

What is the VMACS access control mechanism? Can we dump the rules of their enforcement mechanisms? Raymond proposes that perhaps we need to implement our own toy IS system. Then we will role play or use audit logs from VMACS to drive a simulation.

Another strategy is to find vendors that sell NT-based medical information systems. Ask them for clients. Ask clients for audit data.
Find a snippet of real audit data. We will allow ourselves until Feb 97 to locate a source of NT-based medical audit data. We anticipate that we won't actually need multi-megabytes of audit data until Summer 97 for the KDD tools.

Network Router Auditing
Mars, the router simulator, doesn't appear to fit the project. One way to think of it is as an application with a client as a packet that queries the router to go out a door. The application is one client, one query, etc. It might be useful to explore audit log management issues.

How much is enough to construct a good model?
It depends on noise, how much missing, etc.
There is similarity between KDD tasks
To be continued

Topics for next week
cont'd Steven's talk on KDD
Julie and Steven on Hardware
monthly report - 10 min.
Julie presents thesis
Walnut Creek / NT hospital
20 minutes for papers
NT audit logs