BOEING MEETING
March 10, 1999
2:15 – 3:30
1131 ENG II

In attendance:
Karl Levitt (KL), David Klotz (DK), Jeff Rowe (JR), Jason Schatz (JS), and Chris Wee (CW)

TOPICS

    Boeing Visit/Task List
    Other News
  1. Boeing Visit/Task List
    1. Integrated Feasibility Demonstration (IFD) changed to Integrated Feasibility Experiments (IFE)
    2. Dan Schnackenberg wants us to test our system in the next six months to determine whether it would do as well as a human at response
      1. They have extensive local cost models.
      2. Installation on Tick will likely be difficult.
    3. Task 1: Get all values/costs from Dalen and Kelley's cost model and determine whether our cost model is a reasonable design.
      1. Utility Theory - belief in the state of a system; various actions available - take action of greatest utility
        1. How is this different from hill-climbing?
        2. Optimize for collective benefit
        3. Summary benefit across the network to generate maximum number vs. equal degradation
      2. No more cheap gooey tricks!
    4. Task 2: Determine capability of responders in cost model
    5. Task 3: Output from correlation engine - use CIDF
      1. Ex. Worm in CIDF/GIDO language
    6. Task 4: Ability to override actions of the cost model (UNDO button)
      1. Wrapper Configuration Language (WML) - Bob Balser on NT, FreeBSD, and Solaris systems
      2. Dan leans toward using a host-based response.
    7. Task 5: List of responses we want to take (specifications) - Chris Wee will do this task.
      1. Set of macro tasks - stop a user or a connection
      2. Drew has a system that detects intruders, increases auditing, keeps files that the intruder deletes, scans the intruder to pick up SSH keys (for post-mortem decryption)
      3. Two applications for TIS
        1. Transparent encrypted file system
        2. Virtual world for attacker (padded cell, sandbox, fishbowl)
    8. Task 6: We currently rely on IDIP connection timeouts. We need to be able to tell local IDIP nodes to remove blocking
      1. Centralized control has to have ultimate control
      2. Keep track of responses made, add a time, a queue -- Stalin Cost Model
    9. Task 7: Make an OS response toolkit (wrappers can't do it).
      1. This task will likely be impossible
    10. Task 8: Documentation for Boeing - no one knows how to run code
  2. Other News
    1. Applications Conference - Jason submit a response paper
      1. JS: Difficult to map connections to a value
      2. Bidirectionality - specify value connection to web server
    2. Ken Shodding Initiative: Partners Program
      1. Jim Hoagland/Chris Wee involved
      2. Talk to Ken about GrIDS
    3. Seclab Research Network (Firewall) is up and running
    4. Plan to visit CISCO on the 19th
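
The utility-theory item under Task 1 (choose the response of greatest expected utility given a belief over the system's state, and optimize for collective benefit across the network rather than equal degradation) can be made concrete with a small worked example. The following code is an added illustration, not code from the meeting or from the project's cost model; the belief values, the three states, the three responses and the utility table are all constructed assumptions chosen only to show the mechanics.

```python
"""Expected-utility response selection (added illustration, constructed values)."""
from typing import Dict, Tuple

# Constructed belief over the true state of one host, as a detector might report it.
BELIEF_HOST_A: Dict[str, float] = {"worm": 0.6, "benign": 0.3, "insider": 0.1}
BELIEF_HOST_B: Dict[str, float] = {"worm": 0.1, "benign": 0.85, "insider": 0.05}

# Constructed utility table: UTILITY[action][state], higher is better.
# Negative values stand for damage suffered plus service lost to the response.
UTILITY: Dict[str, Dict[str, float]] = {
    "do_nothing":        {"worm": -100, "benign": 0,   "insider": -40},
    "increase_auditing": {"worm": -60,  "benign": -2,  "insider": -10},
    "block_connection":  {"worm": 10,   "benign": -30, "insider": -20},
}


def expected_utility(action: str, belief: Dict[str, float],
                     utility: Dict[str, Dict[str, float]]) -> float:
    """Sum over states of P(state) * utility(action, state)."""
    return sum(belief[state] * utility[action][state] for state in belief)


def best_response(belief: Dict[str, float],
                  utility: Dict[str, Dict[str, float]]) -> Tuple[str, Dict[str, float]]:
    """Score every available action and return the one of greatest expected utility.

    Unlike hill-climbing, every candidate action is scored against the whole
    belief distribution, so no local step can trap the chooser in a poor response.
    """
    scored = {action: expected_utility(action, belief, utility) for action in utility}
    best = max(scored, key=scored.get)
    return best, scored


def collective_plan(beliefs_by_host: Dict[str, Dict[str, float]],
                    utility: Dict[str, Dict[str, float]]) -> Tuple[Dict[str, str], float]:
    """Pick a per-host response so that the summed benefit across the network is maximal."""
    plan: Dict[str, str] = {}
    total = 0.0
    for host, belief in beliefs_by_host.items():
        action, scored = best_response(belief, utility)
        plan[host] = action
        total += scored[action]
    return plan, total


def uniform_plan_total(beliefs_by_host: Dict[str, Dict[str, float]],
                       utility: Dict[str, Dict[str, float]], action: str) -> float:
    """The 'equal degradation' alternative: apply the same response on every host."""
    return sum(expected_utility(action, belief, utility) for belief in beliefs_by_host.values())


if __name__ == "__main__":
    hosts = {"hostA": BELIEF_HOST_A, "hostB": BELIEF_HOST_B}
    plan, total = collective_plan(hosts, UTILITY)
    print("per-host plan:", plan, "summed utility:", round(total, 2))
    for action in UTILITY:
        print(f"uniform {action}: {uniform_plan_total(hosts, UTILITY, action):.2f}")
```

With the constructed numbers the per-host plan blocks the connection on the host that is probably infected and only raises auditing on the mostly benign one; every uniform plan scores lower, which is the collective-benefit point recorded in the minutes.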