Conference Program
8th July (Thursday)

9:00
Opening Remarks
Peter Martini, Marko Jahnke

09:15
Keynote: "Trends in Malevolence", José Nazario, Arbor Networks
Abstract: This talk will explore the past, present, and future of Internet security, specifically the rise of the criminal online underworld. Our current situation of botnets for financial gain, rogue ISPs who support these attacks, spam, malware explosions, and the like are due to the past decade of tactical efforts. Understanding these "megatrends" is key to anticipating what will happen next and what kinds of technical - and policy - preparations we should make.
Biography: Dr. José Nazario is the senior manager of security research at Arbor Networks. In this capacity, he is responsible for analyzing burgeoning Internet security threats, reverse engineering malicious code, software development, and developing security mechanisms that are then distributed to Arbor's Peakflow platforms via the Active Threat Feed (ATF) threat detection service. Dr. Nazario's research interests include large-scale Internet trends such as reachability and topology measurement, Internet-scale events such as DDoS attacks, botnets and worms, source code analysis tools, and data mining. He is the author of the books "Defense and Detection Strategies against Internet Worms" and "Secure Architectures with OpenBSD." He earned a Ph.D. in biochemistry from Case Western Reserve University in 2002. Prior to joining Arbor Networks, he was an independent security consultant. Dr. Nazario regularly speaks at conferences worldwide, with past presentations at CanSecWest, PacSec, Blackhat, and NANOG. He also maintains WormBlog.com, a site devoted to studying worm detection and defense research.

11:00
Session: Host Security
Session chair: Christian Kreibich

11:00
HookScout: Proactive Binary-Centric Hook Detection
Heng Yin, Pongsin Poosankam, Steve Hanna and Dawn Song

11:30
Conqueror: Tamper-proof Code Execution on Legacy Systems
Lorenzo Martignoni, Roberto Paleari and Danilo Bruschi

12:00
dAnubis - Dynamic Device Driver Analysis Based on Virtual Machine Introspection
Matthias Neugschwandtner, Christian Platzer, Paolo Milani Comparetti and Ulrich Bayer

13:30
Invited Talk: "Modern Spammer Infrastructure", Carel van Straaten, Spamhaus
Abstract: Modern spammer operations are run on a highly professional level. Knowing that their business is constantly threatened on several levels, some spammer operations go to extraordinary lengths to ensure success. This starts with making sure that enough machines get infected to act as senders in a botnet. Fresh domains are bought daily and spread over multiple registrars while the DNS is hosted in separate networks. Reverse web proxies make sure that the online store is available and at the same time untouchable. A high-risk payment service provider completes the picture and makes sure the money ends up with the online criminals. In this talk we explore the measures taken by spammers to run - and keep running - a large modern spamming operation, including the technology used, how it is set up and maintained, what is done to ensure uptime and robustness, and what weak points can be found and maybe even exploited. We will look at some of the trends we see in infrastructure use and abuse, and investigate the questions of what the community can do to fight the problem and on what we should focus today to solve the problems of tomorrow.
Biography: Carel van Straaten is an investigator at The Spamhaus Project, where he finds out what makes the spammers' infrastructure tick - and makes sure it stops ticking. Spamhaus is an international non-profit organization based in the UK whose mission is to track the Internet's Spam Gangs, to provide dependable real-time anti-spam protection for Internet networks, and to work with law enforcement agencies to identify and pursue spammers worldwide.

14:45
Session: Trends
Session chair: Sven Dietrich

14:45
Evaluating Bluetooth as a Medium for Botnet Command and Control
Kapil Singh, Samrit Sangal, Nehil Jain, Patrick Traynor and Wenke Lee

15:10
Take a Deep Breath: a Stealthy, Resilient and Cost-Effective Botnet Using Skype
Antonio Nappa, Aristide Fattori, Marco Balduzzi, Matteo Dell'Amico and Lorenzo Cavallaro

15:35
Covertly Probing Underground Economy Marketplaces
Hanno Fallmann, Gilbert Wondracek and Christian Platzer

16:15
Session: Vulnerabilities
Session chair: Michael Meier

16:15
Why Johnny Can't Pentest: An Analysis of Black-box Web Vulnerability Scanners
Adam Doupe, Marco Cova and Giovanni Vigna

16:45
Organizing Large Scale Hacking Competitions
Nick Childers, Bryce Boe, Lorenzo Cavallaro, Ludovico Cavedon, Marco Cova, Manuel Egele and Giovanni Vigna

17:15
Meeting of GI SIG SIDAR (open for all interested attendees)

17:15
Invited Talk: Quo vadis, Sicherheitsausbildung
Martin Mink

9th July (Friday)

09:00
Invited Talk: "TRIAGE: the WOMBAT attack attribution approach", Marc Dacier, Symantec/Eurecom
Abstract: In network traffic monitoring, and more particularly in the realm of threat intelligence, the problem of "attack attribution" refers to the process of actively attributing new attack events to (un)-known phenomena, based on some evidence or traces left on one or several monitoring platforms. Real-world attack phenomena are often largely distributed on the Internet, or can sometimes evolve quite rapidly. This makes them inherently complex and thus difficult to analyze. In general, the person in charge must consider many different attack features (or criteria) in order to decide about the plausible root cause of a given attack, or to attribute it to some given phenomenon. In this talk, we introduce a global analysis method, named TRIAGE, that aims at addressing this problem in a systematic way. TRIAGE has been developed in the context of the European funded WOMBAT project. In this talk, we will introduce the concepts of attack attribution, its intrinsic complexity, explain the TRIAGE method and will demonstrate its usefulness thanks to recent results obtained with practical, real life data sets.
Biography: Dr. Marc Dacier is an internationally recognized expert in computer security. At Symantec, Dr. Dacier is responsible for the Collaborative Advanced Research department, whose members are located in Europe (France and Ireland) and in the United States (Washington, D.C. and Los Angeles). Before joining Symantec, Marc taught at Eurecom, one of Europe's most active academic research institutions in the field of computer security. Previously, he was the manager of the Global Security Analysis Lab at IBM Zurich Research Laboratory. Marc has served in more than 60 program committees of major security conferences and was on the editorial board of several technical journals.

10:45
Session: Intrusion Detection
Session chair: Robin Sommer

10:45
An Online Adaptive Approach to Alert Correlation
Hanli Ren, Natalia Stakhanova and Ali Ghorbani

11:15
KIDS - Keyed Intrusion Detection System
Sasa Mrdovic

11:45
Rump Session
Session chair: Sven Dietrich

13:30
Session: Web Security
Session chair: Herbert Bos

13:30
Modeling and Containment of Search Worms Targeting Web Applications
Jingyu Hua and Kouichi Sakurai

14:00
HProxy: Client-side detection of SSL stripping attacks
Nick Nikiforakis, Yves Younan and Wouter Joosen

Proceedings available from Springer Verlag in the LNCS series