Agenda for Misuse Detection Project Meeting
Thursday 18-September-97, 10am - 12pm

Review agenda. Select a timekeeper.
Susan's meeting (0:20) Chris

Baltimore Conference (0:10) Chris

Audit Performance (0:30) Scott
    Audit Stat

Polymorphic Viruses (0:15) Kathy

Topics for next agenda (0:10)
    schedule meeting with Susan
    polymorphic virus mutation

18-September-97 Meeting Notes, 1:36am - 4:15pm

Attendees: Chris, Kathy, Scott

Susan's meeting (0:20) Chris
    update David, the technical sponsor   
    	Scott's paper - prototype
		          proposal
	Chris - Intel policy proposal: specification language
		          what is misuse : Horn clause

Baltimore Conference (0:10) Chris
    Baltimore meeting with CIA should be cancelled due to low turnout

Audit Performance (0:30) Scott/Chris
	-Audit_Stat  BSM
	 in Solaris that has two options:
	 interrogates kernel for numbers, # of records, # of blocks, amount of memory used,
	 64K auditing version, efficient, dumps code out
	-snapshots @ 3 sec. intervals. 
	 net search compare w/ nt tools
	-Audit_D 
	 audit_to or au_to is in the man pages.  These functions are subroutines.
		
     Event Delete   
	 analysis : input is saved event log
	 delete_event hacks into saved event log, and counts number of events
	 contact German guy about APIs and find out how he found info re: audit log

Polymorphic Viruses (0:15) Kathy
     talk w/ Julie about CIA work. 
     consult Maria:
	1) Polymorphic virus library: link with mutation engine code: 
	   *.asm assembly program
	2) use a disassembler: gdb
 	goal: create a robust signature to detect viruses.
 
Topics for next agenda (0:10)
    schedule meeting with Susan
    polymorphic virus mutation