Re: [Dots] Target-Attack-type expansion: more discussion

"Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com> Thu, 04 April 2019 11:02 UTC

Return-Path: <TirumaleswarReddy_Konda@mcafee.com>
X-Original-To: dots@ietfa.amsl.com
Delivered-To: dots@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2522012007C for <dots@ietfa.amsl.com>; Thu, 4 Apr 2019 04:02:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.301
X-Spam-Level:
X-Spam-Status: No, score=-4.301 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=mcafee.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rp5yfb3VvRrx for <dots@ietfa.amsl.com>; Thu, 4 Apr 2019 04:01:59 -0700 (PDT)
Received: from DNVWSMAILOUT1.mcafee.com (dnvwsmailout1.mcafee.com [161.69.31.173]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A025E12048A for <dots@ietf.org>; Thu, 4 Apr 2019 04:00:05 -0700 (PDT)
X-NAI-Header: Modified by McAfee Email Gateway (5500)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mcafee.com; s=s_mcafee; t=1554375139; h=From: To:CC:Subject:Thread-Topic:Thread-Index:Date: Message-ID:References:In-Reply-To:Accept-Language: Content-Language:X-MS-Has-Attach:X-MS-TNEF-Correlator: dlp-product:dlp-version:dlp-reaction:authentication-results: x-originating-ip:x-ms-publictraffictype:x-ms-office365-filtering-correlation-id: x-microsoft-antispam:x-ms-traffictypediagnostic: x-ms-exchange-purlcount:x-microsoft-antispam-prvs: x-forefront-prvs:x-forefront-antispam-report: received-spf:x-ms-exchange-senderadcheck:x-microsoft-antispam-message-info: Content-Type:Content-Transfer-Encoding:MIME-Version: X-MS-Exchange-CrossTenant-Network-Message-Id: X-MS-Exchange-CrossTenant-originalarrivaltime: X-MS-Exchange-CrossTenant-fromentityheader: X-MS-Exchange-CrossTenant-id:X-MS-Exchange-CrossTenant-mailboxtype: X-MS-Exchange-Transport-CrossTenantHeadersStamped: X-OriginatorOrg:X-NAI-Spam-Flag:X-NAI-Spam-Threshold: X-NAI-Spam-Score:X-NAI-Spam-Version; bh=g JSWCRDbPKiWSPl+Voden5DEJASgBedZEPAt+vb5q+ o=; b=LUiRbV93H9SbGR477GGvqNU6TBnsACKdmVbFsdRHt3eS Pro2hOp7Jpr1zIn+s09rERyfV0TEK8xqLc0tM210/z7LdTq8OJ ujw5FfRkE59AfGg5hHnuOEOWo8DJpzlyoWNQ2lpf/D0VkluODl rnM9XryiunBphToiRcnyXADbF/M=
Received: from DNVEXAPP1N05.corpzone.internalzone.com (unknown [10.44.48.89]) by DNVWSMAILOUT1.mcafee.com with smtp (TLS: TLSv1/SSLv3,256bits,ECDHE-RSA-AES256-SHA384) id 2dfa_b5b3_714ae378_7a0e_493e_ba77_e07c145cffaa; Thu, 04 Apr 2019 04:52:18 -0600
Received: from DNVEXAPP1N04.corpzone.internalzone.com (10.44.48.88) by DNVEXAPP1N05.corpzone.internalzone.com (10.44.48.89) with Microsoft SMTP Server (TLS) id 15.0.1395.4; Thu, 4 Apr 2019 04:56:51 -0600
Received: from DNVO365EDGE1.corpzone.internalzone.com (10.44.176.66) by DNVEXAPP1N04.corpzone.internalzone.com (10.44.48.88) with Microsoft SMTP Server (TLS) id 15.0.1395.4 via Frontend Transport; Thu, 4 Apr 2019 04:56:51 -0600
Received: from NAM01-BY2-obe.outbound.protection.outlook.com (10.44.176.242) by edge.mcafee.com (10.44.176.66) with Microsoft SMTP Server (TLS) id 15.0.1395.4; Thu, 4 Apr 2019 04:56:42 -0600
Received: from BYAPR16MB2790.namprd16.prod.outlook.com (20.178.233.91) by BYAPR16MB2886.namprd16.prod.outlook.com (20.178.234.206) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1771.15; Thu, 4 Apr 2019 10:56:49 +0000
Received: from BYAPR16MB2790.namprd16.prod.outlook.com ([fe80::4873:7200:9e57:9e62]) by BYAPR16MB2790.namprd16.prod.outlook.com ([fe80::4873:7200:9e57:9e62%4]) with mapi id 15.20.1771.014; Thu, 4 Apr 2019 10:56:49 +0000
From: "Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com>
To: =?utf-8?B?VMO2bWEgR2F2cmljaGVua292?= <ximaera@gmail.com>, =?utf-8?B?6ZmI576O546y?= <chenmeiling@chinamobile.com>
CC: dots <dots@ietf.org>
Thread-Topic: [Dots] Target-Attack-type expansion: more discussion
Thread-Index: AQHU5iDQ6TWHn/afGUmC8veMiViwa6YnkBCAgARLEJA=
Date: Thu, 4 Apr 2019 10:56:49 +0000
Message-ID: <BYAPR16MB2790E7B8166FC1CA2FB34CC2EA500@BYAPR16MB2790.namprd16.prod.outlook.com>
References: <2afa5c9df0626fd-00007.Richmail.00004070460264152429@chinamobile.com> <CALZ3u+YTx2b=QMTM_UzgX254cgcgAWYxnwA=-VwHhD03ygragw@mail.gmail.com>
In-Reply-To: <CALZ3u+YTx2b=QMTM_UzgX254cgcgAWYxnwA=-VwHhD03ygragw@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
dlp-product: dlpe-windows
dlp-version: 11.2.0.6
dlp-reaction: no-action
authentication-results: spf=none (sender IP is ) smtp.mailfrom=TirumaleswarReddy_Konda@McAfee.com;
x-originating-ip: [103.245.47.20]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: d977943b-7df3-45b5-2b0f-08d6b8ec3d20
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600139)(711020)(4605104)(2017052603328)(7193020); SRVR:BYAPR16MB2886;
x-ms-traffictypediagnostic: BYAPR16MB2886:
x-ms-exchange-purlcount: 3
x-microsoft-antispam-prvs: <BYAPR16MB28862E801548CD9A3062C255EA500@BYAPR16MB2886.namprd16.prod.outlook.com>
x-forefront-prvs: 0997523C40
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(376002)(366004)(396003)(39860400002)(136003)(346002)(32952001)(199004)(189003)(13464003)(86362001)(6306002)(316002)(26005)(5660300002)(9686003)(4326008)(6246003)(53936002)(7696005)(966005)(7736002)(72206003)(74316002)(486006)(81166006)(186003)(81156014)(476003)(478600001)(14454004)(80792005)(11346002)(66066001)(14444005)(33656002)(305945005)(256004)(106356001)(8676002)(110136005)(105586002)(71190400001)(55016002)(3846002)(99286004)(6116002)(8936002)(229853002)(68736007)(6436002)(2906002)(25786009)(6506007)(53546011)(52536014)(97736004)(102836004)(66574012)(446003)(71200400001)(76176011)(85282002); DIR:OUT; SFP:1101; SCL:1; SRVR:BYAPR16MB2886; H:BYAPR16MB2790.namprd16.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: McAfee.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: mGxzKdYp8Kw1SvA8aHGvBskZ92BGeV1a1nNMUgbL+0r9DoYMLG66XsTHdqCun+4F+vHP3a7AYquZkoxA9YntCa155mpD1vTg8PG8HfFpiwUYfK8y/6wF8Wp0COiC/bd7gSCkH2la10M8sRE35p3TLU/6Ha6J41u1Ut2RRgn5hpIFQjJH/GtG2QsPXvjTksS6QSbBxCIiIGu1Rmb/wXxSfeAxTTwl0TRlZAOR8EvFyTGRyZLpqLw/3Bl8JCNox0bRNY+cwfMra2x3CvfdbeFk/Zpcgz4ja4I+zrdbFc1qqRs2zGp5B/OE8Co7cbnt16BcPDQPKF/NkbD+lGaMByEbQ0ic9W4YgvDp4WeF+D7BU6rL4FikZyKJfkJhkk1b6MfqPZv+73aE9/H6PLZ92dwyIogPIcn6PruJ9P04cjK2/Nc=
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: d977943b-7df3-45b5-2b0f-08d6b8ec3d20
X-MS-Exchange-CrossTenant-originalarrivaltime: 04 Apr 2019 10:56:49.5353 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 4943e38c-6dd4-428c-886d-24932bc2d5de
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BYAPR16MB2886
X-OriginatorOrg: mcafee.com
X-NAI-Spam-Flag: NO
X-NAI-Spam-Threshold: 15
X-NAI-Spam-Score: 0
X-NAI-Spam-Version: 2.3.0.9418 : core <6517> : inlines <7047> : streams <1817675> : uri <2825684>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/Paor7XPMGwTpKpYyNmjhbgAMv8E>
Subject: Re: [Dots] Target-Attack-type expansion: more discussion
X-BeenThere: dots@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dots>, <mailto:dots-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dots/>
List-Post: <mailto:dots@ietf.org>
List-Help: <mailto:dots-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dots>, <mailto:dots-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 04 Apr 2019 11:02:03 -0000

Agree with your response. If the attack type is described in some representation (e.g. text description) the WG decides, Natural Language Processing (e.g. word embedding) can be used to map the attack description to an attack type. It solves two problems (1) Avoids the need to create mapping tables manually (2) Avoid the need to standardize attack types which keep evolving.  

Cheers,
-Tiru

> -----Original Message-----
> From: Dots <dots-bounces@ietf.org> On Behalf Of Töma Gavrichenkov
> Sent: Monday, April 1, 2019 10:43 PM
> To: 陈美玲 <chenmeiling@chinamobile.com>
> Cc: dots <dots@ietf.org>
> Subject: Re: [Dots] Target-Attack-type expansion: more discussion
> 
> 
> 
> Peace,
> 
> On Fri, Mar 29, 2019 at 12:15 PM 陈美玲 <chenmeiling@chinamobile.com>
> wrote:
> > I'd like to continue discussion of these topics in the mail
> 
> For clarification, the quotations below that line are from the draft [1], not from
> the mailing list thread.
> 
> 
> > Therefore, it is necessary to unify the attack definition, form a
> > standard attack definition
> 
> I do not anticipate that happening in the foreseeable future. Mainly, because of
> the differences between traffic classifying and filtering engines. Also, because
> the state of scientific research on the problem space is quite poor.
> 
> > we give out a complete format for DDoS attacks as below
> 
> >From the text and also from the slides [2] it is not clear what
> exactly you list under "protocol level".
> It appears like something very close to the OSI layering, however,
> 
> a) in this case the proper word would be "layer", not "level",
> b) the attribution seems quite arbitrary.
> 
> E.g. ICMP flood is coupled with "Network_Layer" while it could also affect the
> data link layer if e.g. there's no "no arp packet-priority enable" on an interface
> in a Cisco switched network.
> The same with memcached reflection which could cause an effect on the layer
> 2 through 4 performance of a network (and I'd even go as far as to say that L4
> being affected is the least likely case).
> 
> ***
> 
> All in all, as I tried to point out during the session, I've personally seen a similar
> problem of conversion between different item classification methods being
> solved before in 3GPP world, where e.g.
> HP OpenView and Huawei M2000/J2000 had almost entirely different concepts
> of event type, status, and severity, yet communicated just fine through
> software-defined mapping tables provided by the respective vendors.
> Sometimes, it's best to follow that path, and a good thing is: you don't need a
> years-long IETF process for that to go live.
> 
> References:
> [1]: https://tools.ietf.org/html/draft-meiling-dots-attack-type-expansion-00
> [2]: https://datatracker.ietf.org/meeting/104/materials/slides-104-dots-attack-
> bandwidth-and-attack-type-expansion-01
> 
> --
> Töma
> 
> _______________________________________________
> Dots mailing list
> Dots@ietf.org
> https://www.ietf.org/mailman/listinfo/dots