BOEING MEETING
March 24, 1999
2:00 – 3:30
1131 ENG II
In attendance:
Karl Levitt (KL), David Klotz (DK), Jeff Rowe (JR), Chris Wee (CW)
and Jason Schatz (JS)
TOPICS
Jeff looks at Conjunction SIDs in CIDF; defines worm
Define wrapper specs
Intrusion Detection Graduate Course
- Jeff looks at Conjunction SIDs in CIDF; defines worm (see handouts)
  - Conjunction SIDs - meaningful CIDF conjunctions for Boeing
    - ByMeansOf - most relevant - list of things - causality chain
    - CommonCause - same root cause
  - SID can be a port, a connection, a host, etc.
  - Problems:
    - How to represent a connection - look A -> F
    - CW: There should only be one CommonCause; make it one layer deep and
      print a description list of infected hosts - you don't care about the
      order or structure
    - Definition of equivalence
    - Subgrammar
    - Consumers to parse data
  - Example Attack
    - Attacker runs a buffer overflow attack on a Linux system, breaks in as
      root. The worm crosses domains, both of which are running GrIDS.
    - Two responses? One from each domain? - Respond once or "at least once"
    - Repetition of response is acceptable when blocking a connection, killing
      a user, deleting a file
    - Repetition of response is not acceptable when there is an additive
      function - appending to a log, etc.
    - Develop our response, requesting the type of SID reports to conform to
      "At Least Once" semantics
    - Issue - how an application will handle an error such as deleting a
      deleted file (not an issue at the system level)
    - Repeat kill connections regardless of report
    - Model algebra of responses - Did responses take? Cumulative response
    - Reversible responses vs. irreversible responses
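The "at least once" response handling discussed above, as an added Python sketch (not GrIDS or CIDF code; the action names, report ids and the sample reports are constructed for illustration): when both domains report the same worm, idempotent responses are simply repeated, additive ones are applied once per report id, and only reversible responses can be undone.

```python
from dataclasses import dataclass, field
# Constructed response classes (labels are illustrative, not a GrIDS/CIDF API).
IDEMPOTENT = {"block_connection", "delete_file"}  # safe to apply repeatedly
ADDITIVE = {"append_log"}                          # repeating changes the result
REVERSIBLE = {"block_connection"}                  # can be undone later
@dataclass
class Responder:
    blocked: set = field(default_factory=set)
    deleted: set = field(default_factory=set)
    log: list = field(default_factory=list)
    seen_additive: set = field(default_factory=set)  # (report_id, action, target) done
    applied: list = field(default_factory=list)      # cumulative record: did it take?

    def handle(self, report_id: str, domain: str, action: str, target: str) -> str:
        """Idempotent actions repeat on duplicate reports; additive ones run once per id."""
        if action in ADDITIVE:
            key = (report_id, action, target)
            if key in self.seen_additive:
                return "suppressed"
            self.seen_additive.add(key)
        if action == "block_connection":
            self.blocked.add(target)
        elif action == "delete_file":
            self.deleted.add(target)  # deleting an already-deleted file is harmless here
        elif action == "append_log":
            self.log.append(f"{report_id} via {domain}: {target}")
        else:
            raise ValueError(f"unknown action {action!r}")
        self.applied.append((report_id, domain, action, target))
        return "applied"

    def undo(self, action: str, target: str) -> bool:
        if action not in REVERSIBLE:  # irreversible responses stay applied
            return False
        self.blocked.discard(target)
        return True

def replay(reports) -> Responder:
    """Feed (report_id, domain, action, target) tuples; return the resulting state."""
    responder = Responder()
    for report in reports:
        responder.handle(*report)
    return responder
# Constructed sample: the same worm report arrives from both GrIDS domains.
SAMPLE = [
    ("sid-17", "domainA", "block_connection", "10.0.0.5:80"),
    ("sid-17", "domainA", "append_log", "worm seen on 10.0.0.5"),
    ("sid-17", "domainB", "block_connection", "10.0.0.5:80"),
    ("sid-17", "domainB", "append_log", "worm seen on 10.0.0.5"),
]
```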
- Define wrapper specs
  - Kill any process (or user that started packets)
  - Suspend or slow any process
  - Disallow connections to Port # at filter or host
  - Stop things associated with process
  - Don't allow files to be deleted or setuids to be created
  - Taxonomy -> Knowledge-Base -> Scenarios
  - How to kill process associated with evil packets
  - How to generate a sandbox, selectively contain a bad user, hold it, kill
    it, or send no packets.
- Intrusion Detection Graduate Course
  - Discuss relevant ID papers/books
    - Amoroso
    - Escamilla
    - Northcutt
    - Dorothy Denning
    - Becky's book