GLOBAL GUARD MEETING
February 2, 1999
3085 ENG II
1:00-2:00 p.m.
In attendance:
Karl Levitt (KL), David O’Brien (DOB), David Klotz (DK), Jason Schatz (JS) and Steven Templeton (ST)

TOPICS

Course of action for Global Guard
Correlation
New Technology
Knowledge base
SMARTS
    1. Course of action for Global Guard
      1. Continuation of GrIDS – what can’t be done with GrIDS
        1. GrIDS rules – ad hoc and arbitrary
      2. Generalize, look at missing data
      3. All generate something new
      4. Feed into other projects – Jim Just’s Situation Assessment will be funded
      5. Compare signatures of known attacks, develop signatures for multi-stage attacks
        1. Combine signatures of single attacks
        2. Putting attacks together with pre and post conditions
    2. Correlation
      1. Putting sensor reports together
      2. ST will do a library web search on sensor and data fusion.
      3. Knowledge based for Aggregation
        1. Attacks in General
        2. Suspicious and Normal Activity
      4. Correlation as deduction and induction
        1. ST: Induction – general rules that describe data and infer good/bad
      5. Why do aggregation?
        1. Eliminate false positives – check to see if an attack goes anywhere (verify from multiple sources)
        2. Severity of attack – cost model approach to intrusion detection
      6. How do you do correlation?
        1. Technology basis of putting events together
        2. Using that technology to do something about intrusion detection
        3. Temporal Correlation
        4. Prediction
        5. DK: Ex. See signs of a worm, but don’t see the executable program
    3. DOB: New Technology or Areas (techniques, algorithms etc.)
      1. ST: With knowledge base, look at Fuzzy Clips version – assessment, general rules
      2. CYC – inference engine – commercial product
      3. Code and Model everything you can – may do nothing useful
    4. Knowledge Base – define related activities and unrelated activities
      1. ST: Higher order rules – meta rules, interview experts
      2. JS: Model language from Yemini
        1. Model attacks with it and propagation of attacks
      3. With Knowledge base, can’t do fundamental things
        1. Have to organize it and determine what to put in it, understand what problems there are
      4. Robust knowledge bases – missing data or errors – find missing data
    5. JS: Is SMARTS effective as an intrusion detection tool? Can we tie it into Global Guard – intrusion detection as symptoms in SMARTS?
      1. Ex. Model network symptoms and problems. Code book – symptoms tell you the problem
        1. DOB: Hasn’t been carried out yet.
      2. Code book reduction, encoding theory
        1. Characteristics of LAND attacks
        2. DOB: Ex. High traffic, lots of packets, congestion propagates, look for SYN packet (SYN or network problem)
        3. DK: If a web server is useless only for a short amount of time, then it is not a SYN flood attack.
          1. DOB: The rate of connections coming in from a web server may already overflow buffers – normal operation.
        4. DOB: With code book approach, there is a problem with incorporating enough redundancy to tolerate missing data. Ultimately we want to know the root cause.