Define wrapper specs
Intrusion Detection Graduate Course
- Conjunction SIDs - meaningful CIDF conjunctions for Boeing
- ByMeansOf - most relevant - list of things - causality chain
- CommonCause - same root cause
- SID can be a port, a connection, a host, etc.
- Problems:
- How to represent a connection look Aà F
- CW: There is should only be one CommonCause; make it one layer deep and print a description list of infected hosts - you don't care about the order or structure
- Definition of equivalence
- Subgrammar
- Consumers to parse data
- Example Attack
- Attacker runs a buffer overflow attack on a Linux system, breaks in as root. The worm crosses domains, both of which are running GrIDS.
- Two responses? One from each domain? - Respond once or "at least once"
- Repetition of response is acceptable when blocking a connection, killing a user, deleting a file
- Repetition of response is not acceptable when there is an additive function - appending to a log, etc.
- Develop our response, requesting the type of SID reports to conform to "At Least Once" semantics
- Issue - how an application will handle an error such as deleting a deleted file (not an issue at the system level)
- Repeat kill connections regardless of report
- Model algebra of responses - Did responses take? Cumulative response
- Reversible responses vs. irreversible responses
- Kill any process (or user that started packets)
- Suspend or slow any process
- Disallow connections to Port # at filter or host
- Stop things associated with process
- Don't allow files to be deleted or setuids to be created
- Taxonomy à Knowledge-Base à Scenarios
- How to kill process associated with evil packets
- How to generate a sandbox, selectively contain a bad user, hold it, kill it, or send no packets.
- Discuss relevant ID papers/books
- Amorosa
- Escamilla
- Northcutt
- Dorothy Denning
- Becky's book