Agenda for Misuse Detection Project Meeting: Wednesday 09-Apr-97, 6pm - 8pm

Select a timekeeper.

09-Apr-97 Meeting Notes

Attendees: Steven Templeton, Chris, Julie, Brant, Karl, Raymond
Notes taken by Julie Lang
Meeting began @ 6:10pm and ended @ 7:30pm

Milestones

 1. Framework for on-line analysis of NT audit
    Brant wrote a program to read the contents of the audit log. Need to implement filtering; maybe use a query tool (MS Access), pattern recognition, Crystal Report Writer.

 2. Auditing of NT based objects
    Brant has researched a little. Can they be used to detect misuse? Requires further investigation.

 3. Identify standard application programs through auditing
    Use DLLs to determine if the user is behaving normally. No research done yet. Experiment with opening apps and checking the audit log.

 4. Report summarizing TOF NT 3.51
    Steven has looked at it. C2 certification is only applicable to the exact OS and system that was evaluated. We will all look through it and make notes on what is useful.

 5. Code and documentation for creating on-line analyzer
    See number 1.

 6. NT auditing tool
    See number 2.

 7. Report on characterization of misuse with emphasis on malicious accesses (???)
    Determine standard events.

 8. NT file system logs
    Done.

 9. Brainstorm examples of misuse relative to some policies
    Will be doing soon.

10. NT security login suitable for misuse detection?
    Ongoing. Events logged better than Unix.

11. Static analysis of programs with respect to telltale signs
    Currently on detection of polymorphic viruses. Ongoing.

12. Raymond Lo's thesis
    Changed direction, no longer applicable.

13. Specification approach
    Ongoing.

14. Macro viruses
    Ongoing. Researching and considering applicability of polymorphic virus work. Is the source code always available? More high-level info available.

15. Java/ActiveX
    Eliminated by sponsors.

16. Analyzing currently available detection methods
    Ongoing. Need to install on an NT machine and test. Use zip drive. Talk to Rick Crawford, Mark Dilger.

17. Abstractions for event records
    Chris and Brant started. Need to write up. Will continue working.

Internal Auditors

SIS - key data; major concern is that data can be corrupted (grades, etc.).
Banner - general database - payroll, inventory.
They will give us access to any and all data associated with the University, including UCDMC and VMTH. If not an online system, then a static snapshot.
Chris will meet with David on Friday to discuss his master's thesis on fraud in financial aid.

Agenda for Next Week

- N-gram
- Medical misuse talk
- Internal Auditors
- Mentee - industrial espionage, writing macro viruses - virus that does n-gram document recognition