Under construction, look out for falling text and links!

The Third Annual Computer Misuse and Anomaly Detection Workshop

This is the home page for the third Computer Misuse and Anomaly Detection Workshop (CMAD), held in Sonoma, California, January 10-12, 1995. It was organized by the Computer Science Department and the University of California, Davis, notably the Security Lab, and sponsored by the National Security Agency.

First, a song about the workshop, by our resident artist, Jeremy Frank:

Oh, NSA said to gurus "Talk about Intrusions!"
Gurus said, "OK, But not among the cow dung!"
Agency said "Fine," Gurus said "Done,"
Levitt said "We found us a place,"
Agency said, "Great idea, let's run!"
Gurus said, "Where's this meetin' gon' be done?"
Levitt said, "Place out on Highway 121!"

Well, rain came down all that week,
East Coasters had to ford the creek!
Just to get out Napa way, things was lookin' bleak,
'Cause the road to Sonoma Mission was 6" deep!
Gurus said, "Flood attacks ain't no fun!"
People straggling in said, "How'd you get here, son?"
Bishop said, "Bad instructions to Highway 121!"

Finally started talkin' Security,
Auditing, Firewalls, Encrypted IP,
Network Feudalism and NID,
Suicidal Infosec and Legality!
Customers said, "Get some wine and let's run!"
Steamed and drunk on mineral water,
In a secure Spa off Highway 121!

The Setting

As was hinted at in Jeremy's song, the workshop took place at the Sonoma Mission Inn and Spa, which was a great location, except that heavy rains caused some serious floods in the area. Reportedly, the county we were in was declared a disaster area by the government. However, the flooding only really affected getting to and from the workshop and Debbie Chadwick's phone lines with people calling to see if CMAD was flooded out. (Debbie is the CS Department staffer that arranged most of the details for the workshop. Thanks!)

The Sessions

The workshop was divided into six focused sessions of around 3 hours 30 minutes each. We hope to have some notes from the sessions later on.

o Auditing Application Software

IDS systems analyze an audit trail to detect misuse or anomalies. Currently, they use system-level audit trails. Would application-level audit trails (that is, those made by the applications as opposed to the system calls) make anomalies or misuses easier to detect? Could the integrity of such logs, and the logging mechanism, be assured? How could application logging be integrated most effectively with application auditing? What do, and should, standards provide? What formats are appropriate? Issues of logging in distributed applications, distributed systems, and personal computers are relevant here (the last since many sites use networks of PCs, or intermingle them with workstations and larger machines).
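The integrity question above (can the log, and not just the logging mechanism, be trusted?) is one place where a concrete format helps the discussion. The following is an added illustration written for this page, not code from the workshop or from the Security Lab: each application-level record carries a sequence number, the keyed digest of its predecessor and its own keyed digest, so an edit, an insertion or a deletion in the middle of the trail is detectable by the IDS that consumes it. The application name, the event names, the key and the records are all constructed sample values.

```python
"""Tamper-evident application-level audit trail (added illustration, constructed data)."""
import hashlib
import hmac
import json

# Constructed demo key. In practice the key lives with the audit collector,
# not on the host that produces the records, or the host's compromise gives it away.
LOG_KEY = b"constructed-demo-key"
GENESIS = "0" * 64  # "previous digest" of the first record


def _canonical(body: dict) -> bytes:
    """Stable byte encoding so producer and verifier digest exactly the same thing."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def make_record(prev_mac: str, seq: int, app: str, event: str, detail: dict) -> dict:
    """Build one record chained to its predecessor by prev_mac and sealed with HMAC-SHA256."""
    body = {"seq": seq, "app": app, "event": event, "detail": detail, "prev": prev_mac}
    body["mac"] = hmac.new(LOG_KEY, _canonical(body), hashlib.sha256).hexdigest()
    return body


def append_event(log: list, app: str, event: str, detail: dict) -> None:
    prev = log[-1]["mac"] if log else GENESIS
    log.append(make_record(prev, len(log), app, event, detail))


def verify_chain(log: list):
    """Return (ok, index): ok is False at the first record whose sequence, back-link
    or MAC does not check out. Edits, insertions and mid-trail deletions are caught."""
    prev = GENESIS
    for i, rec in enumerate(log):
        if rec.get("seq") != i or rec.get("prev") != prev:
            return False, i
        body = {k: v for k, v in rec.items() if k != "mac"}
        expected = hmac.new(LOG_KEY, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, rec.get("mac", "")):
            return False, i
        prev = rec["mac"]
    return True, len(log)


def demo_log() -> list:
    """Constructed trail from a hypothetical teller application."""
    log = []
    append_event(log, "bank-teller", "login", {"user": "alice", "terminal": "t12"})
    append_event(log, "bank-teller", "transfer", {"user": "alice", "amount": 250, "to": "acct-7"})
    append_event(log, "bank-teller", "logout", {"user": "alice"})
    return log


def tampered_amount():
    """An attacker rewrites the transfer amount after the fact."""
    log = demo_log()
    log[1]["detail"]["amount"] = 250000
    return verify_chain(log)


def dropped_record():
    """An attacker removes the transfer record entirely."""
    log = demo_log()
    del log[1]
    return verify_chain(log)


def truncated_tail():
    """Deleting the newest records leaves a valid chain: the chain alone cannot see this."""
    return verify_chain(demo_log()[:2])


if __name__ == "__main__":
    print("intact:   ", verify_chain(demo_log()))
    print("tampered: ", tampered_amount())
    print("dropped:  ", dropped_record())
    print("truncated:", truncated_tail())
```

The last case is the caveat a practitioner wants on the table: a chain proves nothing about records that were never received, so the newest digest has to be committed somewhere the application host cannot rewrite (periodically forwarded to the collector, or printed, or written to a separate machine), which is exactly the "logging mechanism" half of the question.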

o Network Management

How can separate incidents be correlated to show that they are in fact part of one attack? How do network management technologies help confine, trace, and hinder such attacks? How can current network management standards and technologies be enhanced to provide new information that would aid IDSes? Consider all this in light of firewalls as well as other security issues of networked systems. Also consider techniques for tracing users across networks. Vulnerabilities in network management tools and systems can be discussed here as well.
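The first question above, correlating separate incidents into one attack, is simple enough to show in code. The following is an added illustration for this page, not code from the workshop or any of the participants' systems: audit events from several hosts are keyed by their source address, split into clusters when the gap between consecutive events exceeds a window, and only clusters that touch at least two hosts are reported as one incident. The log lines, host names and addresses are constructed, and the line format is an invented one-line-per-event layout chosen for the example.

```python
"""Cross-host incident correlation by source address and time window (added illustration, constructed data)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one authentication event per line, from three hosts.
SAMPLE_LINES = [
    "1995-01-10T09:00:05 hostA sshd auth_fail src=10.9.8.7 user=root",
    "1995-01-10T09:00:09 hostA sshd auth_fail src=10.9.8.7 user=root",
    "1995-01-10T09:01:40 hostB sshd auth_fail src=10.9.8.7 user=guest",
    "1995-01-10T09:02:10 hostB sshd auth_ok src=10.9.8.7 user=guest",
    "1995-01-10T09:03:00 hostC ftpd auth_fail src=10.9.8.7 user=anonymous",
    "1995-01-10T10:30:00 hostA sshd auth_fail src=192.0.2.44 user=alice",
    "1995-01-10T15:00:00 hostC sshd auth_fail src=10.9.8.7 user=root",
]


def parse(line: str) -> dict:
    """Turn one constructed log line into a record with a datetime and key=value fields."""
    ts, host, prog, event, *kv = line.split()
    fields = dict(p.split("=", 1) for p in kv)
    return {"ts": datetime.fromisoformat(ts), "host": host, "prog": prog, "event": event, **fields}


def correlate(lines, window=timedelta(minutes=10), min_hosts=2):
    """Group events by source; a source's events form one cluster while consecutive
    events are no more than `window` apart. Clusters spanning fewer than `min_hosts`
    hosts are single-host noise for this purpose and are not reported."""
    by_src = defaultdict(list)
    for ev in sorted((parse(l) for l in lines), key=lambda e: e["ts"]):
        by_src[ev["src"]].append(ev)

    incidents = []
    for src, evs in by_src.items():
        cluster = [evs[0]]
        for ev in evs[1:]:
            if ev["ts"] - cluster[-1]["ts"] <= window:
                cluster.append(ev)
            else:
                incidents.append(cluster)
                cluster = [ev]
        incidents.append(cluster)

    report = []
    for c in incidents:
        hosts = sorted({e["host"] for e in c})
        if len(hosts) < min_hosts:
            continue
        report.append({
            "src": c[0]["src"],
            "hosts": hosts,
            "start": c[0]["ts"],
            "end": c[-1]["ts"],
            "events": len(c),
            "successes": sum(e["event"] == "auth_ok" for e in c),
        })
    return report


if __name__ == "__main__":
    for inc in correlate(SAMPLE_LINES):
        print(inc)
```

On the sample, the five events from 10.9.8.7 between 09:00 and 09:03 collapse into one incident across hostA, hostB and hostC with one successful login inside it; the lone 15:00 event from the same source and the single event from 192.0.2.44 stay unreported. Two things the example assumes are themselves session topics: the hosts' clocks agree closely enough for a ten-minute window to mean anything, and the source address is a usable key, which it stops being once the attacker hops through an intermediate host (the "tracing users across networks" question).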

o System Vulnerabilities

Focus on trends in attacks that we are seeing and consider attacks we might expect; network-based attacks, in which key components of the network (such as domain name servers, routers, and gateways) are subverted, either to deny service, to reveal information (such as by a sniffer) or to alter or otherwise interfere with datagrams and/or connections. Consider also responses: should the IDS simply stop the attack, or record it for later analysis, or counterattack? Techniques to characterize vulnerabilities for intrusion detection are of particular interest.

o Protection Mechanisms for CMAD Systems

What are the issues in protecting a CMAD system, especially the software, database (rules or statistical profiles), and network communications? What attacks on the CMAD system itself might subvert the system? How can they be avoided? Of particular interest is precluding a network-based CMAD system from being used by an attacker to compromise other systems or an entire network. Is there a TCB (trusted computing base) for a CMAD system, or are CMAD systems inherently vulnerable?

o Legal Issues: Present and Future

How do the legal issues associated with the use of cryptography (for protection on the network) affect the implementation of CMAD systems? How else do government regulations affect the use, and implementation, of IDSes? How should they? What legal issues are likely to arise in the future with respect to IDSes?

o Customer Requirements: Present and Future

What do security officers need from an IDS to take effective action? What do financial officers at a bank or medical office (for example) need an IDS to tell them so they can thwart attacks, or recover from them? What are security officers and organizations likely to need in the future, and will IDSes be able to provide it? If not, how can they be modified to supply the needed information? Who will be the IDS customers?


More to come! -- Jim


Please comment on our pages.

hoagland@cs.ucdavis.edu
March 6, 1995