Agenda for Misuse Detection Project

Monday 14-Oct-96, 5-6pm

Paper: NT viruses (0:15) Julie

Debrief VMTH meeting (0:15) Raymond

Schedule Milestones (0:15) Steven

ORD wants milestones, e.g., lit search, prototypes

Share books and papers (0:10) Chris

Wrap Up (0:05) Chris

Review assignments

discuss NSA project

Topics for next agenda

Meeting Notes for Misuse Project


Attendees: Steven Templeton, Chris, Julie, Raymond, Brant, Karl

Notes taken by Brant Hashii

Paper: NT viruses

Julie presented:

Understanding Virus Behavior in the Windows NT Environment

Differences between Windows NT and other Microsoft platforms:

Virus Behavior in Windows NT:


DOS file Viruses

Windows 3.1 Viruses

Macro Viruses (ORD calls data-driven)

Native Windows NT Viruses


Other observations:

Debrief VMTH meeting

We reviewed Chris's paper on Detecting Misuse in a Healthcare network

VMTH only logs updates. Do we want to suggest audit changes? Yes, but not immediately. Not everyone logs in as themselves. Hopefully, they will accelerate the plan to do this.

Plan to invite VMTH here. Try for the 21st at 12:30.

They are the best people to work with, but is it rich enough? Maybe not.

Some stuff is sensitive. For example, you could change information on a racehorse to harm the animal, etc.

The VMTH policy is not as rich as we would like, but they are self-contained and are more willing to change than those in human medicine, where we would not get far prototyping. Also, we can act as if something is more sensitive than it actually is.

We agreed to keep working with VMTH while looking at others. Karl has a contact at Stanford that he will contact.

Raymond and Brant know MUMPS. Hopefully, we will just get data and not have to modify source code. They will modify and we provide the specs. The question was asked: if they do not have the resources, can we provide a programmer for them? This is probably not in the budget, although Chris is willing to do it.


Prototypes are due Oct 97

Report is due Jun 97

ASAC is in July and the IEEE Oakland conference is in early Dec.

The period of intensive literature search will go through Oct to June, resulting in a survey, although it will actually go on all year.

Policy development for VMTH will go through Oct to Feb, resulting in a policy report. As with any policy, the rules must be listed alongside the threats, so this includes misuse examples. It also includes audit and logging requirements. We will not do more than one policy. A general policy language might come later, after learning about a specific policy.

Session characteristics, viruses, and misuse characteristics will go on simultaneously. Hopefully, session characteristics will have a preliminary report by the Oakland conference. Access logs can be obtained from the VMTH within a month. Then preliminary session characteristics can be compared to existing data.

Other milestones:

Share books and papers

Chris distributed Reuters Medical News, the paper he is currently working on about Detecting Misuse in a Healthcare network, confidential information about a VMTH visit, an introduction to the VMTH computer system, and he had a couple of copies of Inference and Aggregation Security Attack Analysis by Gary W. Smith.

Raymond had a paper on statistical misuse detection.

Brant will create a binder with CORBA stuff.

Wrap Up

The NSA should not have a separate meeting for now. There is overlap of people and possibly topics.

There has been zero progress on equipment.

Agenda for next meeting: