The Third Annual Computer Misuse and Anomaly Detection Workshop
This is the home page for the third Computer Misuse and Anomaly Detection Workshop (CMAD), held in Sonoma, California, January 10-12, 1995. It was organized by the Computer Science Department of the University of California, Davis, notably the Security Lab, and sponsored by the National Security Agency.
First, a song about the workshop, by our resident artist, Jeremy Frank:
Oh, NSA said to gurus, "Talk about Intrusions!"
Gurus said, "OK, but not among the cow dung!"
Agency said "Fine," Gurus said "Done,"
Levitt said "We found us a place,"
Agency said, "Great idea, let's run!"
Gurus said, "Where's this meetin' gon' be done?"
Levitt said, "Place out on Highway 121!"
Well, rain came down all that week,
East Coasters had to ford the creek!
Just to get out Napa way, things was lookin' bleak,
'Cause the road to Sonoma Mission was 6" deep!
Gurus said, "Flood attacks ain't no fun!"
People straggling in said, "How'd you get here, son?"
Bishop said, "Bad instructions to Highway 121!"
Finally started talkin' Security,
Auditing, Firewalls, Encrypted IP,
Network Feudalism and NID,
Suicidal Infosec and Legality!
Customers said, "Get some wine and let's run!"
Steamed and drunk on mineral water,
In a secure Spa off Highway 121!
The Setting
As was hinted at in Jeremy's song, the workshop took place at the Sonoma Mission Inn and Spa, which was a great location, except that heavy rains caused some serious floods in the area. Reportedly, the county we were in was declared a disaster area by the government. However, the flooding only really affected getting to and from the workshop, and Debbie Chadwick's phone lines, with people calling to see if CMAD was flooded out. (Debbie is the CS Department staffer who arranged most of the details for the workshop. Thanks!)
The Sessions
The workshop was divided into six focused sessions of around 3 hours 30 minutes each. We hope to have some notes from the sessions later on.
Auditing Application Software
Intrusion detection systems (IDSes) analyze an audit trail to detect misuse or anomalies. Currently, they use system-level audit trails. Would application-level audit trails (that is, those made by the applications as opposed to the system calls) make anomalies or misuses easier to detect? Could the integrity of such logs, and of the logging mechanism, be assured? How could application logging be integrated most effectively with application auditing? What do, and should, standards provide? What formats are appropriate? Issues of logging in distributed applications, distributed systems, and personal computers are relevant here (the last since many sites use networks of PCs, or intermingle them with workstations and larger machines).

Network Management
How can separate incidents be correlated to show that they are in fact part of one attack? How do network management technologies help confine, trace, and hinder such attacks? How can current network management standards and technologies be enhanced to provide new information that would aid IDSes? Consider all this in light of firewalls as well as other security issues of networked systems. Also consider techniques for tracing users across networks. Vulnerabilities in network management tools and systems can be discussed here as well.

System Vulnerabilities
Focus on trends in attacks that we are seeing and consider attacks we might expect: network-based attacks, in which key components of the network (such as domain name servers, routers, and gateways) are subverted, either to deny service, to reveal information (such as by a sniffer), or to alter or otherwise interfere with datagrams and/or connections. Consider also responses: should the IDS simply stop the attack, record it for later analysis, or counterattack? Techniques to characterize vulnerabilities for intrusion detection are of particular interest.

Protection Mechanisms for CMAD Systems
What are the issues in protecting a CMAD system, especially the software, the database (rules or statistical profiles), and the network communications? What attacks on the CMAD system itself might subvert the system? How can they be avoided? Of particular interest is precluding a network-based CMAD system from being used by an attacker to compromise other systems or an entire network. Is there a TCB (trusted computing base) for a CMAD system, or are CMAD systems inherently vulnerable?

Legal Issues: Present and Future
How do the legal issues associated with the use of cryptography (for protection on the network) affect the implementation of CMAD systems? How else do government regulations affect the use, and implementation, of IDSes? How should they? What legal issues are likely to arise in the future with respect to IDSes?

Customer Requirements: Present and Future
What do security officers need from an IDS to take effective action? What do financial officers at a bank or medical office (for example) need an IDS to tell them so they can thwart attacks, or recover from them? What are security officers and organizations likely to need in the future, and will IDSes be able to provide it? If not, how can they be modified to supply the needed information? Who will be the IDS customers?
More to come! -- Jim
Please comment on our pages.
hoagland@cs.ucdavis.edu
March 6, 1995