Monday 14-Oct-96, 5-6pm
Paper: NT viruses (0:15) Julie
Debrief VMTH meeting (0:15) Raymond
Schedule Milestones (0:15) Steven
ORD wants milestones, e.g., lit search, prototypes
Share books and papers (0:10) Chris
Wrap Up (0:05) Chris
Review assignments
discuss NSA project
Topics for next agenda
Meeting Notes for Misuse Project
14-Oct-96
Attendees: Steven Templeton, Chris, Julie, Raymond, Brant, Karl
Notes taken by Brant Hashii
Paper: NT viruses
Julie presented:
Understanding Virus Behavior in the Windows NT Environment
http://www.symantec.com/avcenter/reference/vbnt.html
Differences between Windows NT and other Microsoft platforms:
Virus Behavior in Windows NT:
Additionally:
DOS file Viruses
Windows 3.1 Viruses
Macro Viruses (ORD calls data-driven)
Native Windows NT Viruses
Conclusion
Other observations:
Debrief VMTH meeting
We reviewed Chris's paper on Detecting Misuse in a Healthcare network
VMTH only logs updates. Do we want to suggest audit changes? Yes, but not immediately. Everyone doesn't log in as themselves. Hopefully, they will accelerate the plan to do this.
Plan to invite VMTH here. Try for the 21st at 12:30.
They are the best people to work with, but is it rich enough? Maybe not.
Some stuff is sensitive. For example, you could change information on a racehorse to harm the animal, etc.
The VMTH policy is not as rich as we would like, but they are self-contained and are more willing to change than those in human medicine, where we would not get far prototyping. Also, we can act as if something is more sensitive than it actually is.
We agreed to keep working with VMTH while looking at others. Karl has a contact at Stanford that he will contact.
Raymond and Brant know MUMPS. Hopefully, we will just get data and not have to modify source code. They will modify and we provide the specs. The question was asked: if they do not have the resources, can we provide a programmer for them? This is probably not in the budget, although Chris is willing to do it.
Milestones
Prototypes are due Oct 97
Report is due Jun 97
ASAC is in July and the IEEE Oakland conference is in early Dec.
The period of intensive literature search will go through Oct to June, resulting in a survey, although it will actually go on all year.
Policy development for VMTH will go through Oct to Feb, resulting in a policy report. As with any policy, the rules must be listed alongside the threats. So this includes misuse examples. It also includes audit and logging requirements. We will not do more than one policy. A general policy language might come later, after learning about a specific policy.
Session characteristics, viruses, and misuse characteristics will go on simultaneously. Hopefully, session characteristics will have a preliminary report by the Oakland conference. Access logs can be gotten from the VMTH within a month. Then preliminary session characteristics can be compared to existing data.
Other milestones:
Share books and papers
Chris distributed Reuters Medical News, the paper he is currently working on about Detecting Misuse in a Healthcare network, confidential information about a VMTH visit, an introduction to the VMTH computer system, and he had a couple of copies of Inference and Aggregation Security Attack Analysis by Gary W. Smith.
Raymond had a paper on statistical misuse detection.
Brant will create a binder with CORBA stuff.
Wrap Up
The NSA should not have a separate meeting for now. There is overlap of people and possibly topics.
There has been zero progress on equipment.
Agenda for next meeting: