Agenda for Misuse Detection Project Meeting: Wednesday 09-Apr-97, 6pm - 8pm
Select a timekeeper.
09-Apr-97 Meeting Notes
Attendees: Steven Templeton, Chris, Julie, Brant, Karl, Raymond
Notes taken by Julie Lang
Meeting began @ 6:10pm and ended @ 7:30pm
Framework for on-line analysis of NT audit
Brant wrote program to read contents of audit log.
Need to implement filtering, maybe use query tool (MS
pattern recognition, Crystal Report Writer
Auditing of NT based objects
Brant has researched a little.
Can they be used to detect misuse? Requires further
Identify standard application programs through auditing
Use DLLs to determine if user is behaving normally.
No research done yet.
Experiment with opening apps and checking audit log.
Report summarizing TOF NT 3.51
Steven has looked at it. C2 certification only applicable to the exact OS and system that was evaluated.
We will all look through and make notes on what is useful.
Code and documentation for creating on-line analyzer
See number 1
NT auditing tool
See number 2
Report on characterization of misuse with emphasis on
Determine std events NT File system logs
Brainstorm examples of misuse relative to some policies
Will be doing soon
NT security login suitable for misuse detection?
Ongoing. Events logged better than Unix.
Static Analysis of program with respect to telltale signs.
Currently on detection of polymorphic viruses.
Raymond Lo's thesis.
Changed direction, no longer applicable
Ongoing. Researching and considering applicability of polymorphic virus. Is the source code always available?
More high level info available.
Eliminated by sponsors.
Analyzing currently available detection methods
Ongoing. Need to install on NT machine and test. Use
Talk to Rick Crawford, Mark Dilger.
Abstractions for Event Records
Chris and Brant started. Need to write up. Will
SIS - key data, major concern is that data can be corrupted.
Banner - general database - payroll, inventory.
They will give us access to any and all data associated with the University, including UCDMC and VMTH. If not online system then static snapshot.
Chris will meet with David on Friday to discuss his master's thesis on fraud in financial aid.
Agenda for Next Week
Medical Misuse talk
Mentee - Industrial Espionage, writing macro viruses - virus that does n-gram document recognition