Minutes Salsa-CSI2 Conference Call
August 17, 2006
*Attending*
Chris Misra, U. Mass (Chair)
Nick DePetrilio, OSHEAN
Doug Pearson, Indiana/REN-ISAC
Phil Deneault, WPI
Steve Olshansky, Internet2
Dean Woodbeck, Internet2 (scribe)
*Action Items*
[AI] {Phil} Develop public-quality material on RENOIR for sharing with
folks from Japan and others.
[AI] {Chris} Send presentation on RENOIR (from last spring) to Steve
for posting on the web site.
[AI] {Chris} Talk with Doug about hardware (related to RENOIR).
[AI] {Nick} Post documentation on noise reduction to wiki.
[AI] {All} Go to wiki and read Brian's post and Phil's response.
*Carryover Action Items*
[AI] {Chris} Project plan on using UMass for first data source to
shared darknet.
[AI] {Nick} Normalizing data and noise reduction -- put together
suggestions of what makes sense to be done at the end-user site and
what makes sense to do centrally (to list and to wiki).
*Discussion*
Shared darknet -- There is a relatively small set of input types for
the shared darknet. Doug has David working on translations between
NetFlow and Argus and IMS sensors and the shared darknet format. Chris
mentioned that a schema of the dragnet data from CMU would be useful,
since that is being done with Argus data. We could then check what we
are doing against that data.
Transport types and techniques -- The plan is to start with simple SCP
and evolve from that. The focus is on getting the data moved to get
going, and figuring out any problems/issues from there. If another
type of transport is needed, that can be done later. The focus needs
to be on making this work.
Distributed IDS -- Nick has two universities up and running in his lab
and those institutions have installed DShield on their internal
networks. The plan is to have six universities connected by the end of
the year, each with DShield running.
We will leave "data processing" on the agenda for next time since no
one on this call volunteered to lead the topic.
REN-ISAC -- Doug reported that REN-ISAC is making progress on the use
of the Arbor tool by GigaPoPs.
Also, Doug was recently in Japan, at a workshop sponsored by NICT, the
organization that operates Japan Gigabit Network. There may be some
opportunities for collaboration. NICT operates collectors that may be
able to feed into the shared darknet. NICT is also working on an
incident handling workbench that includes a system much like RENOIR.
Doug hopes to receive an outline and diagrams of the system.
http://www.jgn.nict.go.jp/e/
The Japanese group is focusing on the correlation of events, while we
are working on the incident hub information sharing. There might be
some linkages, with two groups working on two different parts of the
same problem.
Phil will develop some public-quality information on RENOIR for the
web site. Also, Chris will provide a copy of the presentation he did
on RENOIR at the member meeting last spring. Both will get their
material to Steve O. to post on the CSI2 page.
RENOIR -- The group is going to work with the SOAP interface. Phil
reported he has identified the type of functionality that needs to be
done.
Doug will get with Dave and develop charts or flow diagrams on what is
in place in terms of how various inputs get into the notification piece.
Chris will talk with Doug about hardware and the plan going forward on
RENOIR.
Noise Reduction -- Nick will upload documentation on IPAudit and Argus
tools to the wiki.
Brian has posted information to the wiki on what needs to be done to
get data from a site. Phil posted his thoughts on the need for human
intervention to review the data and decide what to post. Go to the
wiki and read Brian's post and Phil's response.
The plan for the next face-to-face is still to meet in April at the
security professionals meeting in Denver.
Next call: Sept. 14