Salsa-CSI2 Conference Call
February 1, 2007
*Attending*
Chris Misra, U. Mass (Chair)
Brian Smith-Sweeney, NYU
Phil Deneault, WPI
Doug Pearson, Indiana/REN-ISAC
Russell Fulton, U of Auckland, New Zealand
Steve Olshansky, Internet2
Renee Frost, Internet2
Dean Woodbeck, Internet2 (scribe)
*Action Items*
[AI] {All} Email Chris with any names for invitations to the CSI2
working group meeting.
[AI] {Doug} Doug will incorporate comments on the REN-ISAC meeting and
send out a revised agenda. Taking comments until Wednesday, Feb. 7.
[AI] {Chris} Place on the agenda for the next call: boundary
conditions for sharing data from shared darknet.
[AI] {Doug} In terms of programmatic interfaces with REN-ISAC data:
{Doug} will determine concerns of Information resources at REN-ISAC;
{Phil} will post his code to the list; {Brian} will discuss the
hashing idea with his resources.
[AI] {Chris} Add WCLSCAN to agenda.
*Carryover Action Items*
[AI] {Doug} Organize a call to have a discussion with those who want
to actively participate in getting data from their institution to the
shared darknet.
[AI] {Doug, Nick} Talk off-line about how to filter some of the
extraneous information that is showing up in their darknets. Doug will
also send some of his data to Nick.
[AI] {Phil} Post to the list a summary of ideas concerning how to
approach a data retention policy.
[AI] {Doug} Send requirements definitions developed by the Indiana
Univ. senior project students to CSI2 list.
[AI] {Chris and Doug} Connect with NoX GigaPOP folks for Arbor information.
[AI] {Chris} Create project plan on using UMass for first data source
for shared darknet.
[AI] {Nick} Normalizing data and noise reduction -- put together
suggestions of what makes sense to be done at the end-user site and
what makes sense to do centrally (to list and to wiki).
*Discussion Items*
**RENOIR**
Brian asked about how encryption keys will be handled – where will
they be stored and how necessary is it to have this level of
encryption in these tickets? Phil has set up the encryption on the
client side. The only question is whether we want to keep it on the
client side. He needs to know this to develop the flow functions for
ticket creation and modifications. Chris said this will be on the
agenda for the face-to-face CSI2 meeting in March.
**CSI2 Working Group Meeting**
Hotel arrangements are almost final for the CSI2 working group
meeting, March 5-6, in Cambridge MA. Hotel and registration costs are
covered; there are some funds available for travel, as well. There are
10-11 registrants so far.
[AI] {All} Any other suggestions of people to invite should go to
Chris.
Chris posted a draft agenda to the list and received some comments
back. He asked for any other agenda items. Phil suggested the topic of
mechanisms for sharing or not sharing the botnet list.
**REN-ISAC Member Meeting**
Registration for the meeting (April 12, 2007) is now open. Doug has a
draft agenda for the meeting.
• intro/state of the ISAC
• intro/update on the tech advisory group and the executive advisory group
• vendor relationships
• service/development underway
o DNS poking/prodding/reporting service
o passive DNS replication server
o malware sandbox – looking at a build-your-own or going through a vendor
o feedback from members on service ideas
o CSI2 – shared darknet and RENOIR
o Rob Thomas—invited talk
o plans for organizational direction for REN-ISAC
o spam mitigation
[AI] {Doug} will incorporate agenda comments and send out a revised
version. He will leave it open for comments until Wednesday, Feb. 7.
**Shared Darknet**
Chris asked where we are on the project. Is there anything we need to
do as a working group to push this along? Brian – just waiting for the
script for the conversion from NetFlow to CSV. Other than that, it
seems like we are almost there.
Doug mentioned that we need to discuss the guidelines for sharing or
not sharing the information that is collected. For example, he has
requests from researchers who are interested in the data. Chris asked
if anyone who is considering submitting data has any feelings one way
or the other about sharing. Phil said he doesn't have a problem, but
can see how others might not want to participate if the data is being
shared, regardless of anonymity. In general, people are in favor of
sharing with clear boundaries. [AI] {All} On the next call, the
working group will discuss boundary conditions for sharing, led by
Brian or Phil.
**WCLSCAN**
Doug shared links to WCLSCAN – a Japanese network monitoring project.
They have multiple boxes scattered around, each listening to a single
address, but in darknet style. They report observations back to the
mother system. They do some mathematical analysis on the observations.
They provide a list of the top 15 port observations with a Bayes
number. Anything above 0.7 is a raised eyebrow. It is an interesting
project in that they are doing the mathematical analysis of frequency
of port scanning.
Doug put a sensor in at his location and is contributing data to the
project. He is trying to see what might be useful for REN-ISAC. For
example, could reporting the Bayes number be a useful addition to the
daily reports? [AI] {Chris} Add WCLSCAN to agenda.
*******************************
The next call is scheduled for Thursday, February 15, at 2:30 pm EST