Salsa-CSI2 Conference Call
October 26, 2006
*Attending*
Chris Misra, U. Mass (Chair)
Doug Pearson, Indiana/REN-ISAC
Brian Smith-Sweeney, NYU
Mark Poepping, Carnegie-Mellon
Steve Olshansky, Internet2
Dean Woodbeck, Internet2 (scribe)
*Action Items*
[AI] {Chris} Develop proposed agenda for the post-conference REN-ISAC
meeting at the security professionals meeting in Denver (April 2007).
[AI] {Doug} Send requirements definitions developed by the Indiana
Univ. senior project students to CSI2 list.
*Carryover Action Items*
[AI] {Doug} Distribute NICT information.
[AI] {Chris and Doug} Connect with NoX GigaPOP folks for Arbor information.
[AI] {Phil} Develop public-quality material on RENOIR for sharing with
folks from Japan and others.
[AI] {Chris} Create project plan on using UMass for first data source
for shared darknet.
[AI] {Nick} Normalizing data and noise reduction -- put together
suggestions of what makes sense to be done at the end-user site and
what makes sense to do centrally (to list and to wiki).
*Discussion*
There was a general discussion about a grant awarded to Internet2
which will support the work of the working group, including related
workshops and other events to provide information sharing. The funding
must be used by June 30, 2007. This grant will support a half-day
seminar immediately following the security professionals conference in
April 2007. Tentative plans are to target the seminar content to
REN-ISAC members and for the CSI2 group to provide the agenda. Chris
will spearhead the development of the agenda.
Per Doug, some potential topics include a proposed partnership with a
major software vendor and what that could accomplish. Another thought:
a talk addressing the dark side of the economy such as credit card
privacy issues, phishing, and botnets.
Another thought: a discussion of new tools and services that REN-ISAC
is planning to bring forward -- for example, a tool to use to probe
for weaknesses in .edu DNS systems to help improve security. Brian
Smith-Sweeney suggested discussion of trends in malware and attacker
behavior and how they may be changing the effectiveness of current
tools. Brian agreed to facilitate such a session if needed.
Mark Poepping asked whether REN-ISAC data is available for use by
faculty or other researchers. Doug responded that, at this point, the
data is not available, except in aggregated form. Nor, at this point,
is there a formal way for REN-ISAC to form partnerships with
researchers.
Shared Darknet – Chris reported he is still moving forward on getting
data into the shared darknet. There was a general discussion about the
demarcation between data that can be public and data that is
not. Chris said he is submitting data that is not sensitive locally.
Doug mentioned that users and members of the closed, trusted community
can know the source of the data, but security measures must be in
place so that destination IP addresses cannot be determined. REN-ISAC
sends the information to the specific site owner, but only sends
aggregated data and trend information to the entire closed community.
Even the aggregated data is not available to the public at large.
Chris said his plan is not to anonymize the data sent to the shared
darknet, but to give the full flow of his local darknet to REN-ISAC.
Doug said REN-ISAC would prefer the destination information be
stripped out so there is no danger of an inadvertent disclosure by
REN-ISAC.
On the other hand, Brian wondered if useful information could be lost
when the local person strips out data. It depends on how much data is
thrown away and which data is forwarded.
In other REN-ISAC news, Doug reported that he is not yet ready to talk
about using SSH keys for data sharing (bot-net tracker data right
now). Right now people have to Wget that data from REN-ISAC. The plan
for SSH keys is not sorted out yet.
Since REN-ISAC started, we have talked about a cybersecurity registry
for higher education with contact info, institutional info, the
netblock the institution owns, and the like. There is a computer
science senior project at Indiana with six students working on the
registry. They are currently working on a requirements definition.
Doug said he would be interested in feedback from CSI2, looking at the
requirements definition and the schema developed. Doug will send this
information to the CSI2 list.
The REN-ISAC member survey report was recently released and posted to the
REN-ISAC list. REN-ISAC is waiting for additional comment from the
community, then will develop a response.
Brian has Python code for IPAudit that was modified by someone at NYU
and wondered if that would be useful for the list. This will be
discussed during the next call when Nick is available.
Doug discussed a reference to a research paper recently done by
faculty at Wisconsin about distributed intrusion detection systems. It
appears to have high relevance to our work in shared darknet. He will
distribute a link to the paper to the CSI2 list.
The next face-to-face meeting will be a CSI2 dinner on the Tuesday
night of the security professionals meeting in April.
The next call is scheduled for November 9, 2006.