Agenda for Misuse Detection Project Meeting: Monday 18-Nov-96, 5-6pm


Med informatics survey (0:05) Julie
	what is the status?

John Muir Hospital (0:15) Julie
	Julie contacts the hospital in Walnut Creek
    
Debrief CMAD (0:30) Chris
	expand Julie's task to cover data-driven attacks (e.g. ActiveX, Java)
	does NT auditing provide all the data that we need?
	obtaining real audit data

Meeting notes, monthly reports (0:05) Chris
	we've asked Cheryl to help us scribe our meetings.
	comments from Jim & Jennifer

KDD (0:10) Steven
	continuation from last week

Topics for next agenda (0:05) Brant
	move meeting to 4pm?


18-Nov-96 Meeting Notes for Misuse Project

Attendees: Steven Templeton, Chris, Julie, Raymond, Brant, Cheryl
Notes taken by Chris Wee
Meeting began @ 04:38 and ended @ 06:15.
Chris & Julie promise to be more careful about assigning facilitation duties. Facilitators will be assigned based on their familiarity with the subject. Thus Chris and Julie will be the de facto facilitators.

Med informatics survey (0:05) Julie
Nancy handed them out and Leah collected them. Steven will contact Leah. Another med student was also conducting a computer usage survey. Brant will try to get the results of that survey.

John Muir Hospital (0:15) Julie
Julie handed out a marketing blurb from Xircom and CliniComp. The John Muir Hospital in Walnut Creek uses an on-line, wireless system for charting duties (e.g., vital signs, fluids, treatment) at the patient's bedside. CliniComp provides Unix servers and the clinicians use Toshiba slates. (Most likely, the slates run Pen for Windows 3.1.)
Julie will contact CliniComp and ask them for a list of healthcare clients that use NT. We want audit data. We want clients with information security awareness. Perhaps the vendor would use our research to improve their security features and improve the marketability of their products.

Debrief CMAD (0:30) Chris
Per conversation with Jennifer & Jim, we will change Julie's task to cover data-driven attacks (e.g. ActiveX, Java) and compromised software as the lower-priority sub-task.
What is a data-driven attack? The complexity of documents (data) (e.g., ActiveX, Java, PostScript, JavaScript, HTML) creates opportunities for malicious attacks via "data-only" documents. Julie will delve into Java and ActiveX. Does a data-driven attack make long-term changes to the victim? Julie will check out Simson Garfinkel's WWW page.
Steven raised the question of whether NT auditing provides all the data that we need. This launched a discussion of on-line vs. off-line misuse detection algorithms. We defined on-line misuse detection vs. off-line. The difficulty of off-line MD is that if insufficient information

Re: obtaining real audit data. We need to establish collaboration relationships well in advance of when we actually need the data. We anticipate needing audit data at the beginning of the summer research session. We will add on modules to NT systems to enhance the efficacy of NT's built-in audit module.

Jennifer was glad that we had obtained the NT 3.5 evaluation report; kudos to Cheryl for placing the order.

Meeting notes, monthly reports (0:05) Chris
We've asked Cheryl to help us scribe our meetings. Comments may be forthcoming from Jim & Jennifer.

KDD (0:10) Steven
Postponed to a future meeting.

Topics for next agenda (0:05) Brant