Notes for October 20, 1999

1. Greetings and Felicitations!
2. Puzzle of the Day
3. Flaw Hypothesis Methodology
   1. System analysis
   2. Hypothesis generation
   3. Hypothesis testing
   4. Generalization
4. System Analysis
   1. Learn everything you can about the system
   2. Learn everything you can about operational procedures
   3. Compare to models like PA, RISOS
5. Hypothesis Generation
   1. Study the system, look for inconsistencies in interfaces
   2. Compare to previous systems
   3. Compare to models like PA, RISOS
6. Hypothesis testing
   1. Look at system code, see if it would work (live experiment may be unneeded)
   2. If live experiment needed, observe usual protocols
7. Generalization
   1. See if other programs, interfaces, or subjects/objects suffer from the same problem
   2. See if this suggests a more generic type of flaw
8. Peeling the Onion
   1. You know very little (not even phone numbers or IP addresses)
   2. You know the phone number/IP address of system, but nothing else
   3. You have an unprivileged (guest) account on the system.
   4. You have an account with limited privileges.
9. Examples
   1. Go through Michigan Terminal System penetration
   2. Go through Burroughs B6700 penetration
10. Intrusion Detection Systems
    1. Anomaly detectors: look for unusual patterns
    2. Misuse detectors: look for sequences known to cause problems
    3. Specification detectors: look for actions outside specifications
11. Anomaly Detection
    1. Original type: used login times
    2. Can be used to detect viruses, etc. by profiling expected number of writes
    3. Basis: statistically build a profile of users' expected actions, and look for actions which do not fit into the profile
    4. Issue: periodically modify the profile, or leave it static?
    5. User vs. group profiles
    6. Problems