Agenda for Misuse Detection Project Meeting
Tuesday 17-June-97, 1pm - 3pm

Select a timekeeper.
What are my plans this summer (2:00)
    Chris, Julie, Steven and Brant outline their plans this summer.

Topics for next agenda (0:05)

17-June-97 Meeting Notes, 1:10pm - 3:30pm

Attendees: Steven Templeton, Chris, Julie, Brant, Scott Miller, Karl Levitt, Matt Bishop
Notetaker: Chris Wee

Karl's plans this summer
    Brainstorm new proposal to Susan. Karl, Matt and Chris will call Susan
    on the phone and give her an update and solicit additional funding for
    next year.

Chris's plans this summer
    Chris has been working on polymorphic viruses (with Julie and
    Maria Lau), audit countermeasures and reading about electronic
    patient records. Chris also distributed his  brain fart about how
    to formulate a security policy.

    He plans on completing the virus and audit countermeasures work,
    work on an NT audit tutorial and writing 2 papers.

Julie's plans this summer
    Julie has been working on polymorphic viruses and macro viruses.
    She will continue to focus on macro viruses and specifically on
    Wordbasic viruses. Matt suggested that she compare standard viruses
    to data-driven malicious code and note simliarities and differences.
    Chris suggested that an effective management approach to data-driven
    viruses is needed, such as tools and advice on how to reduce
    infection, vulnerability to data-driven attacks.

    Julie will write her MS thesis this summer.

Steven's plans this summer
    Write many whitepapers on misuse. Steven wants to focus on inferring
    intent from user actions. It is the differentiation in intent that
    sets misuse apart from legitimate use. Chris suggested he look at
    project SLAMMER to gain insight into hacker mentality and objectives.

    Steven may want to use a GUI (aka language) to extract a policy
    from the user.

Brant's plans this summer
    Brant has been working on audit countermeasures. Chris suggested that
    he look at the NT policy editor and tease out its policy language.
    Next he will try to extend that policy language, possibily using the
    access control matrix model or an object-oriented language model
    (e.g., C++) to capture user policies.  Chris is concerned that users
    would be unable to fathom how to write a security policy using an
    object oriented policy language. He suggests something much simpler
    like a predicate logic. Steven pointed out that a translator could be
    built to transform a policy P in some language L into another
    english-like language L'.

    Complete audit countermeasures work. Brant will write a report
    on policy language and session characterization to discharge his
    responsibility on the misuse project. Then Brant will leave to join
    the Ariel project.

Scott Miller
    Scott is thinking of joining the misuse project. Scott is still

Kathy Lam
    Chris received a resume from Kathy. She is a sophomore
    undergraduate interested in a summer internship. Karl gives
    her a very high recommendation, Kathy scored a 99 (2nd highest
    score) on his ECS150 operating systems final. [Of course, Kathy
    has never taken ECS150, but she has taken ECS100 from Karl).

    Chris will interview her and if appropriate, offer her a
    summer internship with the misuse project. She will likely be
    asked to perform some NT system administration, some
    programming and some WWW page maintenance.

Topics for next agenda (0:05)
    Scott Miller present Hochberg, Jackson, et. al. paper
    "Addressing the insider threat"
    Brant present his findings on the NT policy editor
    Chris present more thoughts on formulating medical security
    Schedule visit to ORD this summer.