Agenda for Misuse Detection Project

Paper: NT viruses (0:15) Julie

Debrief VMTH meeting (0:15) Raymond

plan our next step.
can we get their audit logs?
begin to assemble their security policy.
what about mumps?
schedule another meeting with VMTH. explain technical details of our project.

Schedule Milestones (0:15) Steven

ORD wants milestones, e.g., lit search, prototypes

Share books and papers(0:10) Chris

Wrap Up (0:05) Chris

Review assignments

discuss NSA project

Topics for next agenda

Paper: NT viruses

Julie presented:

Understanding Virus Behavior in the Windows NT Environment

http://www.symantec.com/avcenter/reference/vbnt.html

Differences between Windows NT and other Microsoft platforms:

• - doesn't rely on DOS for system services
• - supports FAT-based, OS/2 HPFS, NTFS and MAC file system
• - uses NT-specific software drivers to perform low-level disk access functions
• - prevents DOS programs from writing directly to hard drives.

Virus Behavior in Windows NT:

• Susceptible to MBR/Boot record infection by booting from infected floppy. (Disks only exist in DOS, not NTFS)
• MBR/Boot record infection by dropper program or multipartite virus prevented, unless Win95 or DOS booted from NT

Additionally:

• NT's protected mode drivers disable MBR virus once the OS is started. But BIOS disk drivers are used during boot-up so payload may execute then. If stealth virus modifies partition table, system will not boot becauses virus is unable to decrypt original table, bad one is read.
• Boot record: if virus does not protect originaly, NT may overwrite. Most boot record viruses will cause an NTFS- based system to crash.

DOS file Viruses

• Direct-action-file viruses function same as in DOS or 95.
• most DOS viruses are not able to infect Windows programs, in general.
• File access control in NT can be used to prevent infection of protected files - must be explicitly configured.

Windows 3.1 Viruses

• Most will function the same under Windows NT.
• 3.1 TSR viruses can only infect other 3.1 executables.
• NT allows 3.1 programs to be run in protected memory space. This will prevent infection.

Macro Viruses (ORD calls data-driven)

• will work if host application works under NT.
• NT file access control can be used to prevent spreading.

Native Windows NT Viruses

• Hardware necessary for NT software development prohibitively expensive. NT and 95 do not allow 32-bit apps to use DOS system services. Virus writers must understand Windows 32-bit API as DOS based virus algorithms don't work.
• Currently, no known NT viruses.

Conclusion

• NT reduces the ability of DOS based viruses to spread, but damage can occur during bootup (before NT is in control), cause crashes and damage data.
• "dual boot" functionality between NT and DOS/95 - if boot record of DOS/95 infected prior to NT installation, infection can spread to NT boot record and be undetectable. (The boot record is stored as a file, so a virus scanner will not detect it.)
• NTFS file access protection can be used to limit spread of virus. Doesn't work on FAT-based partitions. Average user is not likely to configure.

Other observations:

• NTFS is a jounraling file system
• Unix Viruses - none in wild, possibly in scripts, transmitted via ftp
• A new addition in Windows NT 4.0 allows video drivers to be downloaded directly into the kernel
• How do you know if Windows is trojaned? This project doesn't involve the assurance problem.

Debrief VMTH meeting

We reviewed Chris's paper on Detecting Misuse in a Healthcare network

VTMH only logs updates. Do we want to suggest audit changes? Yes, but not immediately. Everyone doesn't log in as themselves. Hopefully, they will accelerate the plan to do this.

Plan to invite VMTH here. Try for the 21st at 12:30.

They are the best people to work with, but is it rich enough? maybe not

• open policy
• little sensivity
• consequences minimal

Some stuff is sensitive. For example, you could change information on a racehorse to harm the animial, etc.

The VTMH policy is not as rich as we would like, but they are self-contained and are more willing to change than those in human medicine where we would not get far prototyping. Also, we can act as if something is more sensitive than it actually is.

We agreed to keep working with VMTH while looking at others. Karl has a contact at Stanford that he will contact.

Raymond and Brant knows MUMPS. Hopefully, we will just get data and not have to modify source code. They will modify and we provide the specs. The question was asked, if they do not have the resources, can we provide a programmer for them. This is probably not in the budget, although Chris is willing to do it.

Milestones

Prototypes are due Oct 97

Report is due Jun 97

ASAC is in July and the IEEE Oakland conference is in early Dec.

The period of intensive literature search will go throughOct to June resulting in a survey. Although it will actually go on all year.

Policy development for VTMH will go through Oct to Feb resulting in a policy report. As with any policy the rules must be listed along side the threats. So this includes misuse examples. It also includes audit and logging requirements. We will not do more than one policy. A general policy language might come later, after learning about a specific policy.

Session characteristics, viruses, and misuse characteristics will go on simultaneously. Hopefully, session characteristics will have a preliminary report by the Oakland conference. Access logs can be gotten from the VTMH within a month. Then preliminary session characteristics can be compared to existing data.

Other milestones:

• Windows NT network
• Identify threats to VMTH system
• Identify protection & enforcement mechanisms in VMTH system
• Develop signatures or anomaly thesholds
• e.g. No clinics access via remote dial-in
• Are all "remote" dial ins remote?
• Are all local connections local?
• NT Seminar
• Re-org www servers

Share books and papers

Chris distributed Reuters Medical News, the paper he is currently working on about Detecting Misuse in a Healthcare network, confidential information about a VMTH visit, an intoruction to the VMTH computer system, and he had a couple of copies of Inference and Aggregation Security Attack Analysis by Gary W. Smith.

Raymond had a paper on statistical misuse detection.

Brant will create a binder with CORBA stuff.

Wrap Up

The NSA should not have a separate meeting for now. There is overlap of people and possibly topics.

There has been zero progress on equipment.

Agenda for next meeting:

• Milestones
• VTMH meeting
• report on Stanford
• Raymond presents a paper on misuse detection