March 24, 1999
2:00 - 3:30
1131 ENG II

In attendance:
Karl Levitt (KL), David Klotz (DK), Jeff Rowe (JR), Chris Wee (CW) and Jason Schatz (JS)

    Jeff looks at Conjunction SIDs in CIDF; defines worm
    Define wrapper specs
    Intrusion Detection Graduate Course
  1. Jeff looks at Conjunction SIDs in CIDF; defines worm (see handouts)
    1. Conjunction SIDs - meaningful CIDF conjunctions for Boeing
      1. ByMeansOf - most relevant - list of things - causality chain
      2. CommonCause - same root cause
      3. SID can be a port, a connection, a host, etc.
      4. Problems:
        1. How to represent a connection such as A → F
        2. CW: There should only be one CommonCause; make it one layer deep and print a description list of infected hosts - you don't care about the order or structure
        3. Definition of equivalence
        4. Subgrammar
        5. Consumers to parse data
    2. Example Attack
      1. Attacker runs a buffer overflow attack on a Linux system, breaks in as root. The worm crosses domains, both of which are running GrIDS.
        1. Two responses? One from each domain? - Respond once or "at least once"
        2. Repetition of response is acceptable when blocking a connection, killing a user, deleting a file
        3. Repetition of response is not acceptable when there is an additive function - appending to a log, etc.
        4. Develop our response, requesting the type of SID reports to conform to "At Least Once" semantics
          1. Issue - how an application will handle an error such as deleting a deleted file (not an issue at the system level)
          2. Repeat kill connections regardless of report
          3. Model algebra of responses - Did responses take? Cumulative response
          4. Reversible responses vs. irreversible responses
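      The "at least once" point above, as an added illustration that is not part of the meeting notes or of GrIDS itself: a small Python model in which two domains each emit the same response request, with a constructed report stream and an assumed (report id, action) key used to suppress duplicate additive responses while idempotent ones are repeated regardless.

```python
from dataclasses import dataclass, field

# Constructed sample: one intrusion seen by both GrIDS domains, so each
# domain emits its own copy of the same response request (report id "r-1").
SAMPLE_REPORTS = [
    ("r-1", "domain-A", "block_port", 23),
    ("r-1", "domain-A", "append_log", "root compromise via buffer overflow"),
    ("r-1", "domain-B", "block_port", 23),
    ("r-1", "domain-B", "append_log", "root compromise via buffer overflow"),
]

@dataclass
class HostState:
    blocked_ports: set = field(default_factory=set)
    audit_log: list = field(default_factory=list)

# Idempotent responses: applying them again leaves the state unchanged,
# so "at least once" delivery needs no bookkeeping.
IDEMPOTENT = {"block_port": lambda st, port: st.blocked_ports.add(port)}

# Additive responses: every application changes the state again, so a
# duplicate report must be suppressed before the response is applied.
ADDITIVE = {"append_log": lambda st, msg: st.audit_log.append(msg)}

def respond(reports, dedup_additive):
    """Apply a stream of response requests to a fresh host state.

    With dedup_additive=False every report is applied as received (the
    naive behaviour); with True, additive responses are applied once per
    (report id, action) key (an assumption of this model) while idempotent
    ones are repeated regardless of which domain reported them.
    """
    state = HostState()
    applied = set()
    for report_id, _domain, action, arg in reports:
        if action in IDEMPOTENT:
            IDEMPOTENT[action](state, arg)
        elif action in ADDITIVE:
            key = (report_id, action)
            if dedup_additive and key in applied:
                continue
            applied.add(key)
            ADDITIVE[action](state, arg)
        else:
            raise ValueError(f"unknown response {action!r}")
    return state
```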
  2. Define wrapper specs
    1. Kill any process (or user that started packets)
    2. Suspend or slow any process
    3. Disallow connections to Port # at filter or host
    4. Stop things associated with process
    5. Don't allow files to be deleted or setuids to be created
    6. Taxonomy → Knowledge-Base → Scenarios
    7. How to kill process associated with evil packets
      1. How to generate a sandbox, selectively contain a bad user, hold it, kill it, or send no packets.
  3. Intrusion Detection Graduate Course
    1. Discuss relevant ID papers/books
      1. Amoroso
      2. Escamilla
      3. Northcutt
      4. Dorothy Denning
      5. Becky's book