Salsa-CSI2 Conference Call
May 24, 2007
 
**Attending**
Chris Misra, U. Mass (Chair)
Brian Smith-Sweeney, NYU
Phil Denault, WPI
Elliott Kendall, Brandeis Univ.
Joel Rosenblatt, Columbia Univ.
Doug Pearson, Indiana and REN-ISAC
Steve Olshansky, Internet2
Dean Woodbeck, Internet2 (scribe)
 
**Action Items**
[AI] {Brian} will add a shared darknet proposal to the wiki regarding gateway requirements for data sharing.
[AI] {Chris} will place the potential grant funding (as discussed on the call) on the agenda for the next call.
 
*Carryover Action Items*
[AI] {Doug and Elliott} will talk about possible Brandeis interest in participating in the shared darknet.
[AI] {Doug} will follow up with MIT about the use of GRE tunnels for submitting data to the shared darknet.
[AI] {Chris} will touch base with Joe St. Sauver on the process for developing a tools taxonomy.
[AI] {All} Refine thoughts on the information Brian provided to the email list concerning a tools taxonomy and identifying effective tools, and defining the problem space of a shifting landscape.
[AI] {Chris} Add WCLSCAN (a Japanese network monitoring project) to agenda.
[AI] {TBD} Normalizing data and noise reduction -- put together suggestions of what makes sense to be done at the end-user site and what makes sense to do centrally (to list and to wiki).

**Meetings Review**
Security Professionals Conference (SPC) – Generally good sessions, including a good session on hacking and one by Cornell on incident handling and response.
 
REN-ISAC member meeting – Doug Pearson reported near unanimous feedback that the next meeting be longer. Tentative plans are to again append it to the SPC next year. SPC is also looking at an NSF cybersecurity conference as a wrap-around event next year - May 4-6, 2008, Arlington, VA. http://www.educause.edu/conference/security/
 
Internet2 Member Meeting – The next member meeting is October 8-11 in San Diego. Doug said REN-ISAC will have a session at that meeting. http://events.internet2.edu/2007/fall-mm/
 
**Shared Darknet**
David Ripley ran the first shared darknet report that included data from a place other than Indiana.
 
Brian Smith-Sweeney reviewed the sharing guidelines for the shared darknet, which he posted on the CSI2 wiki. The guidelines discuss how institutions, researchers, REN-ISAC members and others can access the shared darknet data at one of four levels:

The goal is to allow access to data, appropriate to the individual’s need and level of trust/vetting, without compromising confidentiality. Members of the CSI2 working group are asked to review the “Proposed Sharing/Privilege Outline” on the wiki and provide any feedback or concerns to Brian.
 
There was a discussion about whether REN-ISAC or CSI2 has a stance on stripping out local traffic prior to submitting shared darknet data to REN-ISAC. The original intent was that institutions would only report darknet traffic that originates from outside of the institution. It is expected that almost all shared darknet participants will do so.
 
Doug said he would be interested in whether contributions are coming from behind ACLs or firewalls, because that would affect how REN-ISAC reports aggregate numbers. There was also interest in having REN-ISAC provide port information and information about ASNs – some ASNs seem to dominate multiple log-in attempts.
 
Brian reviewed the table on the wiki page that indicates which types of data would be accessible by different user groups. For example, shared darknet participants would have access to all four types of data. As the document stands, REN-ISAC members could not access unfiltered source data, but could see everything else. But does that make sense? Doug suggested the data be open to REN-ISAC members and those providing shared darknet data, provided that they have a reasonable justification for why they need the data. REN-ISAC would still provide aggregate analysis reporting and would notify .edu’s of any potentially compromised machines within their control, regardless of whether they are REN-ISAC members.
 
But would this make it less likely that people would use the data? Perhaps any REN-ISAC member should have access to the data, even in a filtered way. 

[AI] {Brian} will add a proposal to the wiki regarding some sort of gateway requirement for data sharing.
 
**Hashing**
Chris has a part-timer for the summer building code to do some of the data hashing. Phil has the write-up and diagram for the hashing proposal – email him if you would like a copy.
 
**RENOIR**
Phil has started the coding for revisions to RENOIR. He has outsourced the SOAP server development to a student as a summer project. In the meantime he is developing the web interface and database.
 
**Funding Source**
Doug reviewed a grant announcement that might be a fit with RENOIR or other CSI2 projects. There is a June 27 deadline for a five-page paper describing a project and a September 17 deadline for full proposals. The grants vary from 12 to 36 months.

[AI] {Chris} will place this on the agenda for the next call.
 
The next call is June 7 at 2:30 pm (EDT)