Date: Wed Sep 8 1998
by Christopher Wee
Attacks
The cost model is fed a stream of attacks. Each attack has a
pre-agreed-upon name (e.g., Syn-Flood, or portscan). The attacks have
parameters attached to them.
e.g.,
SYNFLOOD(victim_up, victim_port, src_ip, src_port)
PORTSCAN(beginning_port,ending_port)
The cost-model is implemented in CLIPS rules.
The rules are stored on /home/assp/sw/UCDavis/RespEngine/combined.cl.
Responses
The only response considered thus far is to block a connection.
The blocking capability is BLOCK_LINK(ip1,port2,ip2,port2) where
ip1 and ip2 describe an existing network link.
The response engine supplies a list of possible responses to each
attack to the cost-model. At this time, only one response per attack
is provided. Thus, the cost-model must decide whether to accept the
response, or do nothing.
Knowledge base
The knowledge base (KB) codifies what services are mapped to what port.
e.g., SMTP is mapped to port 25.
In the KB, there is a set of of service,value tuples. Some services include
SMTP, FTP, WWW. The values are a positive integer denoting the value
of the service to the entire system (and presumably, user population)
as a whole.
It is also possible to override this value for specific hosts with a
triple (e.g., < k2,FTP,200>).
The purpose of the cost-model is to select the reponse that minimizes
the cost to the total system.