Sjoera Nas (Bits of Freedom, NL)
MD5: e45c8605a87c72f3b83469e0a55992ae
Format: application/pdf
Last Update: June 7th, 2024
Size: 689.37 Kb
Jon Ramsey (SecureWorks, US), Uday Banerjee (SecureWorks, US), Uday Banerjee (SecureWorks, US)
Any organization/department that provides security typically deals with a large volume of alerts and logs generated from a variety of sources. These could originate from firewalls, intrusion detection/prevention devices and agents, vulnerability scanners, etc. It would seem like a good idea to apply as much correlation as possible to this data in order to be able to see things from a bird's eye perspective. Even at this point, a human could use some additional help in deciphering the situation. The authors believe that visualization is a key component to this end. This paper describes general methods and principles that allow the use visualization as an efficient tool for alert analysis. The paper is organized as follows: Section 1 talks about related work in the field of visualization to aid alert analysis and anomaly detection. Section 2 details some fundamental requirements and considerations that must be incorporated into the design of visualizations and related tools. Section 3 discusses a visualization tool used within our organization to aid in alert and anomaly analysis - while highlighting its place within the framework of requirements. Section 4 discusses a sample visualization, and how its design allows for intuitive analysis. Finally, the paper concludes by pointing out a few key areas where improvements could be made to improve existing visualization methodologies.
MD5: 2511f8524c40ed3b3a4330cc0f468cfc
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.02 Mb
MD5: 9b961da0549c111d2303a8f01fc83083
Format: application/pdf
Last Update: June 7th, 2024
Size: 731.78 Kb
Steven Sim Kok Leong (National University of Singapore, SG), Steven Sim Kok Leong (National University of Singapore, SG)
Early warning and detection mechanisms including distributed intrusion detection systems and honeynets are often deployed to detect new worm and virus infected machines. In a large enterprise network, especially in universities with more than 30,000 online nodes, it is often a challenge to cost-effectively contain and remedy these infected or critically vulnerable machines. Universities are unlike corporations because they cannot impose overly restrictive policies that could hamper research and sharing. In corporate environments, network users are primarily rule-abiding employees. However, in university environments, bulk of their network users are student customers.
In this paper, I shall detail an inexpensive strategy currently deployed in the National University of Singapore that has proven pretty effective in containment and remediation of these infected or critically vulnerable machines. The strategy involves in-house integration of opensource early warning and detection mechanisms coupled with self-developed quarantine mechanisms and self-help portals on the technology side as well as user process workflow formalization.
With the framework and infrastructure in place, we are able to contain both infected and vulnerable systems rapidly and sent new virus variants undetected in our environment for our corporate antivirus vendor to come up with new detects. In the period of from Jan 2005 till Sep 2005 alone, we submitted more than 30 binaries.
This strategy plays an important role in aiding the National University of Singapore to become one of three finalists in the MIS Asia Best IT Security Strategy international award 2005.3
I will discuss how management approval for this project was justified, how the project involving multiple groups including helpdesk and network teams was implemented, what successful steps that could be followed and the pitfalls to avoid. Through this paper, I hope that sharing our experience with the strategy that helped us and the pitfalls to avoid can prove valuable to both universities and similar organisations in the FIRST community that do not already have a similar strategy in place but are facing enterprise-level threat mitigation issues and inhibiting cost factors.
MD5: 2cb597ad6a80679776a3c9f8fadadc53
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.56 Mb
Matthew Pemble (RBSG – Royal Bank of Scotland, GB), Matthew Pemble (RBSG – Royal Bank of Scotland, GB)
Matthew Pemble is currently the ISIRT Manager for a major international bank. An experienced Security Architect and Consultant, as well as an Incident and Investigations Manager and Computer Forensics Practitioner, he is a Fellow of the British Computer Society and the Institute for Communications Arbitration & Forensics.
Matthew Pemble is currently the ISIRT Manager for a major international bank. An experienced Security Architect and Consultant, as well as an Incident and Investigations Manager and Computer Forensics Practitioner, he is a Fellow of the British Computer Society and the Institute for Communications Arbitration & Forensics.
MD5: 443f2e5b7790be9c301a5f51eb9fe5df
Format: application/pdf
Last Update: June 7th, 2024
Size: 199.33 Kb
Thorsten Holz (NL)
MD5: 81cd69bbb0fc840b7eec664c7e279a17
Format: application/pdf
Last Update: June 7th, 2024
Size: 440.3 Kb
Piotr Kijewski (Research and Academic Computer Network in Poland, PL), Piotr Kijewski (Research and Academic Computer Network in Poland, PL)
The paper describes methods of automated threat signature generation from network flows. These methods are being implemented as part of the CERT Polska early warning ARAKIS project, and the paper is a follow up to the ARAKIS talk given at the FIRST 2004 Budapest conference. The paper identifies what constitutes a good signature for use in IDS/IPS systems, presents an architecture of the signature extraction system, describes various signature extraction techniques, including our own proposal and presents some results. The level of technical detail is medium. Targeted at an audience with security experience, in particular, knowledge of the underlying principles of intrusion detection and honeynets is helpful.
MD5: 1143d8e778d170a636ecf18c47277319
Format: application/pdf
Last Update: June 7th, 2024
Size: 139.66 Kb
MD5: 2d1541b9b28d5431141bb67ed286b9e1
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.09 Mb
Lari Huttunem (University of Oulu, FI), Pekka Pietikäinen (University of Oulu, FI), Pekka Pietikäinen (University of Oulu, FI)
Botnet discovery can be difficult, since the existence of a network is often discovered only after it used for widespread activity such as a DDoS or a phishing scam. Sharing intelligence on a potential botnet traffic is also problematic mainly due to data privacy issues.
In this paper, we describe some currently used methods for identifying botnets and issues which arise when applying them in practice. We will identify the types of information that could be shared between different stakeholders and the technical means available to gather such data. Finally, we will present causality graphs and describe initial experiences in applying them to analyzing botnet incidents.
MD5: 1a5b6f582337f6424884e6559b0088f3
Format: application/pdf
Last Update: June 7th, 2024
Size: 144.02 Kb
MD5: 56e53f2e33d9a7fcfff4b347e5535e63
Format: application/pdf
Last Update: June 7th, 2024
Size: 206.69 Kb
Aaron Hackworth (Carnegie Mellon University, US), Aaron Hackworth (Carnegie Mellon University, US), Nicholas Ianelli (Carnegie Mellon University, US), Nicholas Ianelli (Carnegie Mellon University, US)
This presentation goes beyond simple explanation of what a botnet is and dives into specific bot technologies and how they are used in the commission of online crime. When the presentation is complete, attendees will have a better understanding of botnet technologies, how these technologies are leveraged to enable physical world crime and what some of the motivating factors that have led malicious code authors to add specific features to their bot malware.
MD5: 1c9628bffd906d3393f868fc70dcff05
Format: application/pdf
Last Update: June 7th, 2024
Size: 624.18 Kb
Diego Zamboni (IBM Zurich Reserch Laboratory, CH), James Riordan (IBM Zurich Reserch Laboratory, CH), James Riordan (IBM Zurich Reserch Laboratory, CH), Yann Duponchel (IBM Zurich Reserch Laboratory, CH)
Billy Goat is a worm detection system widely deployed throughout IBM and several other corporate networks. We describe the tools and constructions that we have used in the implementation and deployments of the system, and discuss contributions which could be useful in the implementation of other similar systems. We also discuss the features and requirements of worm detection systems in general, and how they are addressed by Billy Goat, allowing it to perform reliably in terms of scalability, accuracy, resilience and rapidity in detection and identification of worms without false positives.
MD5: 8032f5adba2f445c884ef2cd444b5848
Format: application/pdf
Last Update: June 7th, 2024
Size: 237.59 Kb
MD5: 22624dfce6415b97e470bb467c9a57ea
Format: application/pdf
Last Update: June 7th, 2024
Size: 475.94 Kb
Jürgen Sander (PRESECURE Consulting, GmbH, DE), Jürgen Sander (PRESECURE Consulting, GmbH, DE)
In the last quarter of 2005, the German CERT-Verbund has started to implement an early
warning information system (EWIS) called CarmentiS. Like in any known early warning
information system, one building block of CarmentiS are decentralized sensor networks,
which are building the backbone of the system. Therefore most of the technical challenges
involved in setting up an EWIS are rather straight foreward, an overview of the basic
concepts of CarmentiS was given at the last FIRST conference in Singapore.
Well, the reason to introduce an additional paper to this topic is the second building block
of CarmentiS – human analysis and of course the combination with classical sensor
networks. The human analyst will add incorporating information sources, which are
otherwise not available or cannot be automatically included and processed. The technical
systems will support the analysts where ever it is possible to be able to concentrate the
analyst viewpoint on the essentials.
In this case the real impediments are not on the technical side, legal and organisational as
well as human issues are in the way, making the building of such systems a real
challenge. Of course, in the full paper the essential technical concepts, interfaces and
services which are offered by CarmentiS will be explored and explained, but focusing on
the following topics:
MD5: 8490e502451786b4f0393bdae84d21f0
Format: application/pdf
Last Update: June 7th, 2024
Size: 549.43 Kb
James C. Wrubel (Carnegie Mellon University, US), James C. Wrubel (Carnegie Mellon University, US)
The CERT Virtual Training Environment (VTE, online at https://www.vte.cert.org) provides self-paced remote access to CERT’s suite of Information Assurance and Computer Forensics training material in virtual classroom and knowledge library formats. VTE follows a ‘read it, see it, do it’ instructional model, offering written training material, captured video of instructor-led lectures and demonstrations, and virtual training labs that are provisioned on-demand directly by students through virtual machine technology. VTE is currently in use by the Army Reserve Information Operations Command, the Marine Forces Pacific Command, and the Department of Homeland Security National Cyber Security Division.
This presentation will cover the following topics:
At the end of the presentation, Mr. Wrubel will offer VTE access accounts valid through January 1, 2007 to any interested audience members.
MD5: a761fabddb9562148b10f1a4b3ed34cf
Format: application/pdf
Last Update: June 7th, 2024
Size: 775.47 Kb
Andrew CormackAndrew Cormack (GB)
Andrew Cormack trained as a Mathematician well before the Internet went mainstream. After five years on a research vessel managing the science IT, he joined the University of Cardiff as Postmaster, where it was suggested he might like to investigate “this world wide web thing” and assess whether it had a future. A few years later he started the UK’s academic CERT as well as managed the EuroCERT project. Since then IT Security was Andrew’s passion. During his career at JISC he transitioned to the organizations Chief Regulatory Advisor and pursued Law studies in which he graduated as a Master of Law.
Andrew’s contributions to the Incident Response community are many and broad: He was one of the initial TRANSITS trainers and thus shaped the careers of hundreds of incident responders. Andrew’s ability to listen beyond the mere words that people speak, combined with his vast knowledge, allowed him over and over again to build bridges to other fields. One particular area of focus was the governance and legal frameworks related to Incident Response, where he helped policy makers recognize the importance of CSIRTs. Andew was a member of ENISA’s Permanent Stakeholder Group and sat on the boards of ORCID and the Internet Watch Foundation. He was a regular attendee and presenter at security conferences, and the Program Chair of the 2019 FIRST annual conference in his native Edinburgh.
Andrew Cormack passed away on April 12 2023, only two weeks after having learned about his induction in the IR Hall of Fame.
MD5: 2aabc53951285f3ee00a53a7b03dfd7b
Format: application/pdf
Last Update: June 7th, 2024
Size: 31.49 Kb
Matthew Geiger (Carnegie Mellon University, US)
Among the challenges faced by forensic analysts are a range of commercial 'disk scrubbers', software packages designed to irretrievably erase files and records of computer activity. These counter-forensic tools have been used to eliminate evidence in criminal and civil legal proceedings and represent an area of continuing concern for forensic investigators.
This paper details the analysis of 13 commercial counter-forensic tools, examining operational shortfalls that can permit the recovery of significant evidentiary data. The research also isolates filesystem fingerprints generated when these tools are used, which can identify the tool, demonstrate its actual use and, in many cases, provide insight into the extent and time of its use.
The result is an indexed resource for forensic analysts, covering 19 tools and tool versions, that can help identify traces of disk-scrubbing activity and guide the search for residual data. In addition, a new forensic utility, named Aperio, is presented. It employs a signature library to automate the hunt for traces of counter-forensic tool use. Aperio can search filesystems presented as images or devices, and provides a detailed audit report of its findings. Together these resources may assist in establishing the usage of counter-forensic tools where such activity has legal implications.
MD5: 33c5e9c0d9deb39bb52745c184d9883d
Format: application/pdf
Last Update: June 7th, 2024
Size: 422.58 Kb
MD5: 527e0af7e2840d13cee75ac6e212acbe
Format: application/pdf
Last Update: June 7th, 2024
Size: 2.07 Mb
Jacques Schuurman
MD5: 7b81bc4710c06837b2c950dd302f5a82
Format: application/pdf
Last Update: June 7th, 2024
Size: 248.68 Kb
Robert Sisk (IBM Corporation, US), Robert Sisk (IBM Corporation, US)
Although security and related tools have improved over the years, all too often the first signs of a compromise appear in the form of a trouble ticket or problem report. Even though many monitoring methods are available, when deployed, security teams quickly find themselves buried in data or very busy with the care and feeding of such tools. This course will review network design and monitoring with the intent of identifying and providing adequate compromise detection, developing appropriate security response to suspicious “eventsâ€, and increasing readiness for forensics investigation. We will do this by identifying and setting security goals, applying simple, but adequate, monitoring methods to meet those goals, and developing some response methods for investigating and mitigating specific attacks. A production network architecture, including "lessons learned" during its development and maintenance, will serve as a case study for facilitated discussion.
Baltimore, US
June 26, 2006 14:00-15:30, June 26, 2006 16:00-17:30
Hosted by CERT CC
MD5: 11c71b6d75b30f4c84548cfd55f8c642
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.9 Mb
Kees Leune (Tilburg University, NL), Kees Leune (Tilburg University, NL), Sebastiaan Tesink (Tilburg University, NL)
Computer security incident response teams need to track incidents as they develop. To support day-to-day operations, teams need to be able to generate quick overviews of ongoing incidents, and they must be supported in their daily work by automating as much routine work as possible. AIRT is a web-based system to provide incident tracking capabilities to computer security incident response teams. Its design goals include to provide a comprehensive incident management console, ability to quickly associate external teams with IP addresses, the ability to create an incident in 30 seconds after receiving it, provisions for PGP signed mail, and more. This paper presents AIRT, its goals, architecture and its functionality.
MD5: fc67e5f59584cb2b18b4e725ea829f99
Format: application/pdf
Last Update: June 7th, 2024
Size: 160.63 Kb
MD5: 480e0d2c044cfc97876a63a8e72f1fe1
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.08 Mb
Johannes Wiik (Agder University, NO), Jose J. Gonzalez (Agder University, NO), Klaus-Peter Kossakowski (Software Engineering Institute, DE), Klaus-Peter Kossakowski (Software Engineering Institute, DE)
MD5: 86667826d1066488f579bdd1d1ed753b
Format: application/pdf
Last Update: June 7th, 2024
Size: 240.96 Kb
MD5: f14e31efe273889653dd0fae0ea1c659
Format: application/pdf
Last Update: June 7th, 2024
Size: 219.17 Kb
Andrew CormackAndrew Cormack (GB), Marco Thorbrügge (ENISA, DE)
Andrew Cormack trained as a Mathematician well before the Internet went mainstream. After five years on a research vessel managing the science IT, he joined the University of Cardiff as Postmaster, where it was suggested he might like to investigate “this world wide web thing” and assess whether it had a future. A few years later he started the UK’s academic CERT as well as managed the EuroCERT project. Since then IT Security was Andrew’s passion. During his career at JISC he transitioned to the organizations Chief Regulatory Advisor and pursued Law studies in which he graduated as a Master of Law.
Andrew’s contributions to the Incident Response community are many and broad: He was one of the initial TRANSITS trainers and thus shaped the careers of hundreds of incident responders. Andrew’s ability to listen beyond the mere words that people speak, combined with his vast knowledge, allowed him over and over again to build bridges to other fields. One particular area of focus was the governance and legal frameworks related to Incident Response, where he helped policy makers recognize the importance of CSIRTs. Andew was a member of ENISA’s Permanent Stakeholder Group and sat on the boards of ORCID and the Internet Watch Foundation. He was a regular attendee and presenter at security conferences, and the Program Chair of the 2019 FIRST annual conference in his native Edinburgh.
Andrew Cormack passed away on April 12 2023, only two weeks after having learned about his induction in the IR Hall of Fame.
MD5: 9b2167f3c7f5787b0d8c2f07aae6b952
Format: application/pdf
Last Update: June 7th, 2024
Size: 403.9 Kb
Audrey Dorofee (Carnegie Mellon University, US), Audrey Dorofee (Carnegie Mellon University, US), Chris Alberts (Carnegie Mellon University, US), Robin Ruefle (Carnegie Mellon University, US), Robin Ruefle (Carnegie Mellon University, US)
This tutorial will discuss the reasons, outcomes, and benefits
of evaluating incident management capabilities such as CSIRTs.
Four different methodologies will be presented that can be
used to evaluate various aspects of incident management capabilities.
During the tutorial, practical exercises will be conducted
that demonstrate various components of each methodology to give
a real-life perspective on performing such evaluations.
Baltimore, US
June 26, 2006 14:00-15:30, June 26, 2006 16:00-17:30
Hosted by CERT CC
MD5: 50284a812831fc8897fa81b3138a0ec2
Format: application/pdf
Last Update: June 7th, 2024
Size: 601.55 Kb
Matt Fisher (SPI Dynamics, US), Matt Fisher (SPI Dynamics, US)
Matt Fisher is a Senior Security Engineer for SPI Dynamics and has over 12 years experience in the information technology industry. He has multiple certifications and has spoken on the topic of Web application security at numerous conferences. Matt was a contributing author for the book titled, “Google Hacking for Penetration Testers” and is registered with the Defense Information Services Agency as a subject matter expert in Web application security.
Matt Fisher is a Senior Security Engineer for SPI Dynamics and has over 12 years experience in the information technology industry. He has multiple certifications and has spoken on the topic of Web application security at numerous conferences. Matt was a contributing author for the book titled, “Google Hacking for Penetration Testers” and is registered with the Defense Information Services Agency as a subject matter expert in Web application security.
Baltimore, US
June 26, 2006 09:10-10:30, June 26, 2006 11:00-12:30
Hosted by CERT CC
MD5: 21409b39b5f47dda92aaedfd1cfa8ef3
Format: application/pdf
Last Update: June 7th, 2024
Size: 3.34 Mb
Franck Veysset (France Télécom R&D, FR), Franck Veysset (France Télécom R&D, FR), Laurent Butti (France Télécom R&D, FR), Laurent Butti (France Télécom R&D, FR)
A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource. Based on this definition, we will introduce the topic with an overview of the evolution of this technology, from the beginning to the latest advances.
This tutorial will cover in depth examples of use in corporate environments, including low interaction honeypot to gather statistics on malicious activities (worms & viruses…), wifi honeypots, fully operational architectures…
Some demonstrations will be done during the tutorial, presenting most useful resources and open source projects (honeyd, sebek, mwcollect…).
Good interaction with the audience is expected.
Baltimore, US
June 27, 2006 14:00-15:30, June 27, 2006 16:00-17:30
Hosted by CERT CC
MD5: d00bdf680ef0f7e3dba10da1a79a4a12
Format: application/pdf
Last Update: June 7th, 2024
Size: 4.92 Mb
Arjen de Landgraaf (Co-Logic Security, Ltd, NZ), Arjen de Landgraaf (Co-Logic Security, Ltd, NZ)
IT Security has per definition always been a re-active business. It is like having a castle, protecting the crown jewels with locked gates (firewalls) intrusion detection (the watch) and intrusion prevention methods (hot oil and peck, arrows, stones, dead horses etc) Preventing anyone unauthorized to attack and enter.
However, major changes over the last couple of years in requirements of businesses to keep up with the competition and markets demanded a different approach to Web based services, resulting in openness of systems to visitors, customers, and our own teleworkers. Its like having to maintain a 24 hrs market, open to everyone, in the middle of your castle, with stalls of next generation technology, enticing visitors to buy. How do you strip-search 500K unique visitors to your site each month?
Emphasis of demands on today’s web designers and programmers is more and more on becoming open and accessible, visually attractive and smart functions.
The ”New Breed” of web designers and programmers of today is artistic, they learned all on market-focused design, with educational institutes jumping to the demand, delivering new breed courses and degrees. Today’s programmers program “On the Fly”, constantly needing to meet requirements of marketing and sales departments. The demand on them is huge, after all, static websites are out, and dynamic content is in. The “can you do this, can you do that, we need it live this Monday” puts enormous pressure on them to deliver. Deliver quickly.
To the aid of this new breed is an unbelievable enormous pool of programs, scripts, and tools, available on the Internet, and either free or low cost. Re-Use has gained another meaning – what is easier than including code snippets and scripts to have the new Web Application deliver what the Marketing and Sales people require. Today’s web programmers are artists, not the logical, structured breed of developers we used to have working to develop accounting and warehouse management applications.
Artists who may claim paintings of others as their own. If you are an artist, would you admit copying someone elses work?
Also the Teleworkers of today, become one of the main areas of productivity improvement for organizations – after all the physically traveling to and from work is in most cities in the world becoming more and more a burden, or virtually impossible with the huge traffic jams – are not IT persons. They have the same pressure of having to deliver. And their kids may have secretly LimeWire or other sharing software installed on their parents notebook, downloading files, video, music and the rest, for their own satisfaction. They are no IT Security Experts.
All these groups together just do what they can do to make ends meet, to deliver value to their employer, to not have to work through the weekend, to catch up with their workload. And here lies the danger. If You Don’t Know what you Don’t Know, it does not exist. You don’t know even enough to be able to ask the question.
If IT Security staff does not know what it doesn’t know, the Question will never be asked. The Answer to this “Question We Do Not Know To Ask” can mean the difference between an organization’s success, or that of corporate disaster. The difference between either an IT Security Job well done, or an unexpected career change.
MD5: 9e1f406a0ed59ea40c338a9fc7255892
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.25 Mb
Wilfried Woeber (DE)
MD5: 9c752495f14cc0aa99e6cfaa086acd15
Format: application/pdf
Last Update: June 7th, 2024
Size: 128.42 Kb
Richard D. Pethia (Carnegie Mellon University, US), Richard D. Pethia (Carnegie Mellon University, US)
Richard Pethia manages the Networked Systems Survivability (NSS) Program at the Software Engineering Institute (SEI) at Carnegie Mellon University. The program ensures appropriate technology and systems management practices are available to recognize, resist, and recover from attacks on networked systems. The program’s CERT Coordination Center (CERT/CC) has formed a partnership with the Department of Homeland Security to provide a national cyber security system, US-CERT. In 2003, Pethia was awarded the position of SEI Fellow for his vision and leadership in establishing the CERT/CC, for creating and establishing the worldwide network of over 200 CSIRTs and FIRST, for his leadership in creating the NSS Program, and for his partnership with the Department of Homeland Security in the formation of US-CERT. Pethia is also a co-director of Carnegie Mellon University’s CyLab, bringing together the varied cyber security activities at the university.
Richard Pethia manages the Networked Systems Survivability (NSS) Program at the Software Engineering Institute (SEI) at Carnegie Mellon University. The program ensures appropriate technology and systems management practices are available to recognize, resist, and recover from attacks on networked systems. The program’s CERT Coordination Center (CERT/CC) has formed a partnership with the Department of Homeland Security to provide a national cyber security system, US-CERT. In 2003, Pethia was awarded the position of SEI Fellow for his vision and leadership in establishing the CERT/CC, for creating and establishing the worldwide network of over 200 CSIRTs and FIRST, for his leadership in creating the NSS Program, and for his partnership with the Department of Homeland Security in the formation of US-CERT. Pethia is also a co-director of Carnegie Mellon University’s CyLab, bringing together the varied cyber security activities at the university.
MD5: 1d7da2c7ec3f0b066846fad5f3f7a58b
Format: application/pdf
Last Update: June 7th, 2024
Size: 953.95 Kb
Anton Chuvakin (LogLogic, Inc., US), Anton Chuvakin (LogLogic, Inc., US)
Dr Anton Chuvakin, GCIA, GCIH, GCFA (http://www.chuvakin.org) is a recognized security expert and book author. In his current role as a Director of Product Management with LogLogic, a log management and intelligence company, he is involved with defining and executing on a product vision and strategy, driving the product roadmap, conducting research as well as assisting key customers with their LogLogic implementations. He was previously a Chief Security Strategist with netForensics, a security information management company.
A frequent conference speaker, he also represents the company at various security meetings and standards organizations. He is an author of a book "Security Warrior" and a contributor to "Know Your Enemy II", "Information Security Management Handbook" and "Hacker's Challenge 3". Anton also published numerous papers on a broad range of security subjects. In his spare time he maintains his security portal http://www.info-secure.org and several blogs.
Dr Anton Chuvakin, GCIA, GCIH, GCFA (http://www.chuvakin.org) is a recognized security expert and book author. In his current role as a Director of Product Management with LogLogic, a log management and intelligence company, he is involved with defining and executing on a product vision and strategy, driving the product roadmap, conducting research as well as assisting key customers with their LogLogic implementations. He was previously a Chief Security Strategist with netForensics, a security information management company.
A frequent conference speaker, he also represents the company at various security meetings and standards organizations. He is an author of a book "Security Warrior" and a contributor to "Know Your Enemy II", "Information Security Management Handbook" and "Hacker's Challenge 3". Anton also published numerous papers on a broad range of security subjects. In his spare time he maintains his security portal http://www.info-secure.org and several blogs.
Baltimore, US
June 27, 2006 09:10-10:30, June 27, 2006 11:00-12:30
Hosted by CERT CC
MD5: 1abe1766c1ef489feeacc9000202c266
Format: application/pdf
Last Update: June 7th, 2024
Size: 4.22 Mb
Calvin Miller (District of Columbia Government, US), Charles Iheagwara (District of Columbia Government, US), Farrukh Awan (District of Columbia Government, US), Farrukh Awan (District of Columbia Government, US), Yusuf Acar (District of Columbia Government, US)
This paper discusses general intrusion prevention systems concepts and provides a context-based analysis of the techno-economic imperatives as the driver of this technology. Further, in light of the Gartner 2004 recommendations, the paper examines the security needs and functional requirements for enterprise network IPS deployments. Given the complexity of the implementation environment, the paper will seek to demonstrate the value associated with a well thought out deployment strategy. To this end, the paper introduces performance measures and proposes effective deployment strategies to enhance the performance the IPS. Using field data, we measure the financial benefit of an IPS deployment.
MD5: e6027a5194eb74dd4791d2c361013141
Format: application/pdf
Last Update: June 7th, 2024
Size: 151.05 Kb
MD5: 3c0043aaf07118cbda535a027da70092
Format: application/pdf
Last Update: June 7th, 2024
Size: 139.59 Kb
Peter Haag (The Swiss Education and Research Network, CH), Peter Haag (The Swiss Education and Research Network, CH)
For network security teams of any size, an accurate analysis of the traffic situation is essential. The well-known traffic graphs, do not give enough information especially to investigate security related incidents. To work with netflow data turned out to be a good balance between collecting and processing the data and the information gained from this process.
A lot of tools to collect netflow data are available, but the flexibility to process the flows was either poor, or resulted in expensive commercial systems. The Open Source tools nfdump and NfSen close this gap. They provide a flexible and powerful system to collect and process netflow data for a great variety of tasks.
The presentation starts with a small introduction of netflow and explains how nfdump and NfSen can be used to look at your network traffic, to create easily top N statistics of hosts and networks demanding most bandwidth of your network, as well as to detect host and port scans. It shows how a security incident can be tracked and profiled. Last but not least it gives an overview how to extend NfSen with custom plugins for dedicated tasks specific to your network.
MD5: 9d6aef80bf92db05fba9a2bbd32669b5
Format: application/pdf
Last Update: June 7th, 2024
Size: 2.36 Mb
MD5: fb81dd7c48215bc00de79eef75cec248
Format: application/pdf
Last Update: June 7th, 2024
Size: 7.27 Mb
Kenneth R. van WykGary McGraw (Cigital, Inc., US), Kenneth R. van Wyk (FIRST.Org, US)
Kenneth R. van Wyk is an internationally recognized information security expert and author of the O’Reilly and Associates books, Incident Response and Secure Coding. In addition to providing consulting and training services through his company, KRvW Associates, LLC, (http://www.KRvW.com), he currently holds numerous positions: as a monthly columnist for on-line security portal, eSecurityPlanet (http://www.eSecurityPlanet.com), and a Visiting Scientist at Carnegie Mellon University's Software Engineering Institute (http://www.sei.cmu.edu).
Ken has 20+ years experience as an IT Security practitioner in the academic, military, and commercial sectors. He has held senior and executive technologist positions at Tekmark, Para-Protect, Science Applications International Corporation (SAIC), in addition to the U.S. Department of Defense and Carnegie Mellon and Lehigh Universities.
Ken also served a two-year elected position as a member of the Steering Committee, and a one-year elected position as the Chairman of the Steering Committee, for the Forum of Incident Response and Security Teams (FIRST) organization. At the Software Engineering Institute of Carnegie Mellon University, Ken was one of the founders of the Computer Emergency Response Team (CERT®). He holds an engineering degree from Lehigh University and is a frequent speaker at technical conferences, and has presented papers and speeches for CSI, ISF, USENIX, FIRST, and others. Ken is also a CERT® Certified Computer Security Incident Handler.
Baltimore, US
June 27, 2006 09:10-10:30, June 27, 2006 11:00-12:30
Hosted by CERT CC
MD5: 85bd808215961b2e3401ac63515c500b
Format: application/pdf
Last Update: June 7th, 2024
Size: 887.67 Kb
Klaus Möeller (DE)
MD5: 7f51b10c6c46c7452b0afbf6baeb92b2
Format: application/pdf
Last Update: June 7th, 2024
Size: 98.65 Kb
Jan Meijer
MD5: ec99d90991b5d123dd12039be044a690
Format: application/pdf
Last Update: June 7th, 2024
Size: 244.74 Kb
Przemyslaw Jaroszewski (PL)
Przemyslaw Jaroszewski is a security specialist in CERT Polska. For the past seven years he has been involved in incident response, advocating and coaching in computer security, as well as taking part in various security-related projects. One of his main areas of interest is e-mail security and spam. He was managing processes of development and implementation of a prototype database in the SPOTSPAM project.
jaroszewski-przemek-slides.pdf
MD5: 10dc7056784b506ded34990914822edc
Format: application/pdf
Last Update: June 7th, 2024
Size: 196.44 Kb
Till Dörges (PRESECURE Consulting GmbH, DE), Till Dörges (PRESECURE Consulting GmbH, DE)
Till Dörges joined PRESECURE Consulting GmbH as a researcher in 2002. The two major projects he's currently working on are a network of distributed IDS-sensors (evolved from the EC-funded project "eCSIRT.net") and the also EC-funded research project about proactive security monitoring in a policy-based framework ("POSITIF"). Both projects strongly relate to Intrusion Detection, Honeynets and (Security-) Policies.
He also is the team representative of PRESECURE within the European community of accredited CSIRTs ("Trusted Introducer") as well as for FIRST.
Till Dörges studied Computer Sciences in Hamburg, Toulouse and Leipzig. He holds a French "Maîtrise d'Informatique" and a German "Informatik-Diplom".Till Dörges joined PRESECURE Consulting GmbH as a researcher in 2002. The two major projects he's currently working on are a network of distributed IDS-sensors (evolved from the EC-funded project "eCSIRT.net") and the also EC-funded research project about proactive security monitoring in a policy-based framework ("POSITIF"). Both projects strongly relate to Intrusion Detection, Honeynets and (Security-) Policies.
He also is the team representative of PRESECURE within the European community of accredited CSIRTs ("Trusted Introducer") as well as for FIRST.
Till Dörges studied Computer Sciences in Hamburg, Toulouse and Leipzig. He holds a French "Maîtrise d'Informatique" and a German "Informatik-Diplom".
MD5: ab1a90502514adfe0113503d498aea39
Format: application/pdf
Last Update: June 7th, 2024
Size: 301.18 Kb
MD5: 7d9c227bd99ebbf4d9ef44b460e38192
Format: application/pdf
Last Update: June 7th, 2024
Size: 628.5 Kb
Masato Terada (IPA, JP), Masato Terada (IPA, JP)
Unauthorized access intending to spread malware has been active and causing a lot of damage worldwide. In
order to eliminate vulnerabilities and prevent unauthorized access, it is necessary to improve the way to
distribute security information about computer software and hardware. When a new vulnerability is
discovered or a security advisory is released, the security administrators try to collect information about and
countermeasures against the vulnerability. In this paper, we examines how we can provide a more efficient
security information distribution service for the security administrators that helps them reduce their workload
related to collecting and grouping various information and take care of security incidents.
We propose JVNRSS (JP Vendor Status Notes RSS) as a security information sharing and exchanging
specification. Currently, JPCERT/CC and IPA (Information-technology Promotion Agency) are promoting a
framework to handle vulnerability information in Japan.
They offer JVN, a portal site to provide security
information about the domestic computer software and hardware manufactured by the vendors participating
in the framework. JVNRSS is one of the methods JVN has been using to distribute security information.
JVNRSS is based on RSS 1.0 and uses the "dc:relation" field defined in the Dublin Core as a Relational ID
to correlate security information issued by various sources (Figure 1). JVNRSS uses the reference URL
specified in a security alert, for example, an URL of the Common Vulnerability Exposure, CERT Advisory,
CERT Vulnerability Note and CIAC Bulletin. In this paper, firstly we explain the specification and
application of JVNRSS. Secondly, we'll introduce the result of our feasibility study on JVNRSS (Figure 2)
and lastly we'll propose the RSS Extension for security information sharing.
MD5: 00977e402e88dd6e630072740a435b9e
Format: application/pdf
Last Update: June 7th, 2024
Size: 235.54 Kb
MD5: 2824afaf4d1230888a0044d21099fc9b
Format: application/pdf
Last Update: June 7th, 2024
Size: 1023.69 Kb
Joseph Schwendt (Intel Corporation, US), Joseph Schwendt (Intel Corporation, US), Steve Mancini (Intel Corporation, US), Steve Mancini (Intel Corporation, US)
MD5: a48f038cc05e5c60affbcd21f912f317
Format: application/pdf
Last Update: June 7th, 2024
Size: 212.88 Kb
MD5: 7e04d7e41d6d5339eb23b992c2288a22
Format: application/pdf
Last Update: June 7th, 2024
Size: 493.02 Kb
Barry E. Mullins (Air Force Institute of Technology, US), Capt David J. Chaboya (Air Force Institute of Technology, US), Capt David J. Chaboya (Air Force Institute of Technology, US), Richard A. Raines (Air Force Institute of Technology, US), Rusty O. Baldwin (Air Force Institute of Technology, US)
Organizations frequently rely on the use of Network Intrusion Detection Systems (NIDSs) to identify and prevent intrusions into their computer networks. While NIDSs have proven reasonably successful at detecting attacks, they have fallen short in determining if attacks succeed or fail. This determination is often left to the security analyst or system administrator. Large-scale networks pose a particular challenge for IDS analysts. The process of manually checking systems to determine if an attack is successful becomes burdensome as the size and geographic location of the network increases. Many analysts use network data alone, in particular the server response, to determine the outcome of the attack. Intuitively, the server response is the packet or packets the target computer returns after an attack. However, in the case of buffer overflows, the attacker has the ability to forge or modify this response.
This paper examines two key aspects of network defense: the ability to circumvent detection devices and how network analysts respond to evasion techniques. We examine how social engineering can be used to influence an analyst's decisions and we recommend ways to counter this threat. The intended audience will be responsible for either developing IDS signatures, or analyzing network IDS results. The technical detail is moderate, but does assume some exposure to network traffic analysis, intrusion detection, and exploits in general.
MD5: 27a05976acb9e3d94f946e7f41476112
Format: application/pdf
Last Update: June 7th, 2024
Size: 231.66 Kb
MD5: 19cf5579abc732dc8a45d3c58e300412
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.88 Mb
Tara Flanagan (Cisco Systems Ltd., US)
Tara Flanagan is the Director of Legal Services for Cisco System's world wide services organization, and has supported Cisco's security reporting team (PSIRT) for seven years. Prior to joining Cisco in 1997, she worked as a government contracts attorney and commercial litigator with the Los Angeles law firm of McKenna, Conner and Cuneo. During her tenure as outside counsel, she represented large and small companies engaged in business with the U.S. government (i.e. represented FMC Corporation in lawsuit against the Goodyear Tire and Rubber Company resulting in $32M judgement for FMC), as well as pro bono cases in which she represented children and for which she received several pro bono awards. She holds a B.A. cum laude from Tulane University (New Orleans, LA) and a J.D. cum laude Pepperdine University (Malibu, CA). She is licensed to practice law in California and is registered inhouse counsel in Virginia.
MD5: e8b97a1efa75ca5124af0ab207cc17a9
Format: application/pdf
Last Update: June 7th, 2024
Size: 245.51 Kb
Jun Heo (Korea Information Security Agency, KR), Jun Heo (Korea Information Security Agency, KR), Yoojae Won (Korea Information Security Agency, KR)
This research intends to provide a new risk management methodology that predicts the security of future oriented IT services and help to create a counter strategy in advance. The proposed methodology is founded on domestic as well as foreign methodology and information protection reference model ITU-T X.805 and was executed in 3 parts: security factor distrimination phase, risk calculation phase,and counter strategy deduction phase. In the security factor discrimination phase the ITU-T X.805 is applied to determine the new IT services´s infraestructure, service, application level as well as the protecion subject by management, control and user plane. In the risk calculation phase, the X.805 creates risk scenarios for each module by level/plane and calculates the degree of risk by taking fatality, frequency of occurrence and degree of attack into consideration. In the counter strategy was devised by prioritizing risk and applying counter technologies from the list of required technologies based on the 8 information protection requirements.
MD5: 085ce7785dc398301688d4c793f47f41
Format: application/pdf
Last Update: June 7th, 2024
Size: 4.97 Mb
Robert C. Seacord (Carnegie Mellon University, US), Robert C. Seacord (Carnegie Mellon University, US)
Secure Coding in C and C++ provides practical advice on secure
practices in C and C++ programming. Producing secure programs requires
secure designs. However, even the best designs can lead to insecure
programs if developers are unaware of the many security pitfalls
inherent in C and C++ programming.
This tutorial provides a detailed explanation
of common programming errors in C and C++ and describes how these errors
can lead to code that is vulnerable to exploitation. The tutorial
concentrates on security issues intrinsic to the C and C++ programming
languages and associated libraries. It does not emphasize security issues
involving interactions with external systems such as databases and web
servers, as these are rich topics on their own. The intent is that this
tutorial be useful to anyone involved in developing secure C and C++
programs regardless of the specific application.
Baltimore, US
June 26, 2006 09:10-10:30, June 26, 2006 11:00-12:30
Hosted by CERT CC
MD5: c130fea77034706d904e552e2dbf8f62
Format: application/pdf
Last Update: June 7th, 2024
Size: 502.04 Kb
Peter G. AllorPeter G. AllorPeter G. Allor (Honeywell, US), Peter G. Allor (Honeywell, US)
Peter Allor is a Director for Red Hat Product Security where he has responsibility for the portfolio on Secure Development through Incident Response. He is currently the Chair for the FIRST PSIRT SIG where a number of documents supporting the product security incident response were developed by practitioners for practitioners including a Framework of Services, Maturity and a base Incident Response plan.
Pete has assisted in the formation of the IT-ISAC and ICASI (Industry Consortium for Advancing Security on the Internet) groups for broader response and coordination. He is also a former Member of the FIRST Board of Directors serving as the CFO for five years, guiding CVSS and other SIGs as well as the board liaison for FIRST Conferences. Pete was a founding member of the IT Sector Coordinating Council and has participated on the CyberSecurity Commission for the 44th Presidency as well as supporting his CEO on the National Infrastructure Advisory Council where he led several working groups.
Pete started with Internet Security Systems working their vulnerability disclosures and then was with IBM Security when ISS was acquired. He later moved to Honeywell working their cloud solutions and product as the Product Security Chief prior to moving to Red Hat.
Peter Allor is a Director for Red Hat Product Security where he has responsibility for the portfolio on Secure Development through Incident Response. He is currently the Chair for the FIRST PSIRT SIG where a number of documents supporting the product security incident response were developed by practitioners for practitioners including a Framework of Services, Maturity and a base Incident Response plan.
Pete has assisted in the formation of the IT-ISAC and ICASI (Industry Consortium for Advancing Security on the Internet) groups for broader response and coordination. He is also a former Member of the FIRST Board of Directors serving as the CFO for five years, guiding CVSS and other SIGs as well as the board liaison for FIRST Conferences. Pete was a founding member of the IT Sector Coordinating Council and has participated on the CyberSecurity Commission for the 44th Presidency as well as supporting his CEO on the National Infrastructure Advisory Council where he led several working groups.
Pete started with Internet Security Systems working their vulnerability disclosures and then was with IBM Security when ISS was acquired. He later moved to Honeywell working their cloud solutions and product as the Product Security Chief prior to moving to Red Hat.
MD5: dce34fbfbb7a0f532e328d29d210d34b
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.71 Mb
MD5: 9b2c23246b3e29b2ae673cc1e4c51088
Format: application/pdf
Last Update: June 7th, 2024
Size: 511.99 Kb
Casper Dik
MD5: acf27b9cb33bd98191701b2ec686206a
Format: application/pdf
Last Update: June 7th, 2024
Size: 179.76 Kb
Rogier J.L. Spoor (SURFnet, NL)
Rogier Spoor graduated in Bioprocess Engineering at the Wageningen University and Research Centre. His first job was working as a Technical Linux and Network Engineer. Currently, Rogier works as an Account Advisor at SURFnet and is in charge of the D-IDS project.
MD5: 8fa536c7514a40c88d722b1f253181c9
Format: application/pdf
Last Update: June 7th, 2024
Size: 455.15 Kb
Jochen SchönfelderJan Kohlrausch (DFN-CERT Services GmbH, DE), Jan Kohlrausch (DFN-CERT Services GmbH, DE), Jochen Schönfelder (DFN-CERT, DE)
For the daily work of a CSIRT it is of major importance to know which vulnerabilities are currently abused to compromise computers and to timely warn the constituency if a zero-day exploit is found. Besides the traditional incident response work, honeypots have
shown to become more important to follow these aims.
In this talk we give an overview on the NoAH project and related projects devoted to the deployment of distributed honeypots and show how CSIRTs and other security teams can profit from the deployment of their infrastructure.
MD5: 4e03d2ab0452193798bf7f6046ff5d78
Format: application/pdf
Last Update: June 7th, 2024
Size: 49.16 Kb
MD5: 8125a3c38ee362815292fb954a263621
Format: application/pdf
Last Update: June 7th, 2024
Size: 168.11 Kb
Richard Bejtlich (TaoSecurity, US), Richard Bejtlich (TaoSecurity, US)
Security staff often take a host-centric approach to determining the scope and damage of computer intrusions. Standard forensics techniques are hard-drive centric, with collection and analysis of live data only gradually being adopted. This presentation offers a complementary set of practices focusing on network-centric techniques. In an age of kernel-based rootkits and savvy intruders, sometimes only the network can tell the truth.
MD5: 9b2c23246b3e29b2ae673cc1e4c51088
Format: application/pdf
Last Update: June 7th, 2024
Size: 511.99 Kb
Lawrence R. Rogers (Carnegie Mellon University, US), Lawrence R. Rogers (Carnegie Mellon University, US)
Today’s professional system and network administrators are increasingly challenged to make computer and network security a greater part of their overflowing set of daily activities. In response to this trend, the Software Engineering Institute (SEI1), specifically the CERT® Program2, has designed a three-course curriculum in survivability and information assurance (SIA).
MD5: 65c41a009adaa8fd9a1e98621465e089
Format: application/pdf
Last Update: June 7th, 2024
Size: 3.04 Mb
Keisuke Kamata (JPCERT Coordination Center, JP), Keisuke Kamata (JPCERT Coordination Center, JP), Yuichi Miyagawa (JPCERT Coordination Center, JP)
Information leakage incident (especially for important confidential one) has been increased in Japan. Most of those incidents are caused by a virus named "Antinny" which is a name of virus developed for P2P file sharing software "Winny". Winny is a name of P2P file sharing software. In this presentation, we will explain the serious situation about information leakage incidents in Japan and technical details about Winny.
MD5: 9337d69c6562e97ab11697211552c122
Format: application/pdf
Last Update: June 7th, 2024
Size: 333.64 Kb
Fabien Pouget (French Government, FR), Fabien Pouget (French Government, FR), Guillaume Urvoy-Keller (Institut EURECOM, FR), Marc Dacier (Institut EURECOM, FR)
In this paper, we present a method to detect the existence of sophisticated attack tools in the Internet that combine, in a misleading way, several exploits. These tools apply various attack strategies, resulting into several different attack fingerprints. A few of these sophisticated tools have already been identified, e.g. Welchia. However, devising a method to automatically detect them is very challenging since their different fingerprints are apparently unrelated. We propose a technique to automatically detect their existence through their time signatures. We exemplify the interest of the technique on a large set of real world attack traces and discover a handful of those new sophisticated tools.
MD5: ff0ef3f977f7a2da9716de24270b7f36
Format: application/pdf
Last Update: June 7th, 2024
Size: 383.7 Kb
MD5: 8c68f51d0624b183b9fc68e54dadcded
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.84 Mb
Karel Vietsch (NL)
MD5: 971b9701c3d4a2c8388e948350cc0b3c
Format: application/pdf
Last Update: June 7th, 2024
Size: 269.06 Kb
Don StikvoortDon Stikvoort (Open CSIRT Foundation)
Don Stikvoort is founder of the companies “S-CURE” and “Cross Your Limits”. S-CURE offers senior consultancy in the area of cyber security – specialising in CSIRT matters. Cross Your Limits coaches and trains in the human area. Based in Europe, Don’s client base is global.
After his MSc degree in Physics, he became Infantry platoon commander in the Dutch Army. In 1988 he joined the Dutch national research network SURFnet. In that capacity he was among the pioneers who together created the European Internet since November 1989. He recognised “security” as a future concern in 1991, and was chair of the 2nd CSIRT in Europe (now SURFcert) from 1992-8, and FIRST member since 1992. Today Don is a FIRST Liaison Member.
Together with Klaus-Peter Kossakowski he initiated and built the closer cooperation of European CSIRTs starting in 1993 – this led to the emergence of TF-CSIRT in 2000. In 1998 he finished the "Handbook for Computer Security Incident Response Teams (CSIRTs)" together with Kossakowski and Moira J. West-Brown of CERT/CC. He was active in the IETF and RIPE (co-creator of the IRT-object). Don chaired the Program Committee for the 1999 FIRST conference in Brisbane, Australia, and kick-started the international FIRST Secretariat in the same year. From 2001-2011 his company ran TF-CSIRT’s Trusted Introducer service. He wrote and taught several training modules for the CSIRT community.
In 1998 Don started his first company. A first assignment was to build the network connecting over 10,000 schools in The Netherlands. Many CSIRTs were created with his help and guidance, among which the Dutch national team (NCSC-NL). Second opinions, audits and maturity assessments in this field have become a specialty – and in that capacity Don developed SIM3 in 2008, the maturity model for CSIRTs which is used worldwide today for maturity assessments and certifications. SIM3 has is now under the wings of the “Open CSIRT Foundation” (OCF). Don was one of the founders in 2016 and now chairs its board.
Starting in 1999, Don was certified in NLP, Time Line Therapy®, Coaching and Hypnotherapy, and brought that under the wing of “Cross Your Limits”, which portfolio is life & executive coaching, and training courses in what Don likes to call “human arts”. He also trains communicators, presenters and trainers, including many in the CSIRT field.
Don thrives as motivational and keynote speaker. He enjoys to share his views on how the various worlds of politics, economics, psychology and daily life, but also cyber security, all intertwine and relate – and how deeper understanding and a better ability to express ourselves, increase our ability to bring good change to self as well as the world around us. He has discussed such topics all over the world, from Rome to the Australian Outback. His goal is to challenge his audience to think out-of-the-box, and motivate them to be the difference that makes the difference, along the lines of the old African proverb:
“If you think you’re too small to make a difference, try sleeping in a closed room with a mosquito”.
MD5: f7671402d537a9bf6d60214d3cebc074
Format: application/pdf
Last Update: June 7th, 2024
Size: 2.34 Mb
Jacques Schuurman
MD5: 86c08e0d020da9c0cea5db1320e2fcb5
Format: application/pdf
Last Update: June 7th, 2024
Size: 66.87 Kb
Carlos Fuentes
MD5: d087ec7298d652b77561721d02874fa3
Format: application/pdf
Last Update: June 7th, 2024
Size: 208.87 Kb
Ian Bryant, CSIA
MD5: 5555e9e1e3f2645d3265d242f4433955
Format: application/pdf
Last Update: June 7th, 2024
Size: 247.24 Kb
Charles Yun (Internet 2, US)
MD5: eae81483d865a0b36fa6aab2efb9e48e
Format: application/pdf
Last Update: June 7th, 2024
Size: 87.56 Kb
William Yurcik (University of Texas at Dallas, US), William Yurcik (University of Texas at Dallas, US)
Network traffic dynamics have become an important behavior-based approach to assist security administrators in protecting networks. In this paper/presentation we present VisFlowConnect-IP, a link-based network flow visualization tool that allows operators to detect and investigate anomalous internal and external network traffic. We model the network as a graph with hosts being nodes and traffic flows being edges. We present a detailed description of VisFlowConnect-IP functionality and demonstrate its application to traffic dynamics in order to monitor, discover, and investigate security-relevant events.
MD5: c018093e17975a5a3905c821cbf18482
Format: application/pdf
Last Update: June 7th, 2024
Size: 756.88 Kb
MD5: a3d72fb0f65a759d34cb647861705cd1
Format: application/pdf
Last Update: June 7th, 2024
Size: 2.99 Mb
Fabien Pouget (French Government, FR)
Fabien Pouget has a PhD degree from the Institut Eurecom (ENST Paris), France.
He received his master of Science from the Ecole Nationale Superieure des Telecommunications in 2002 after having worked as internship student in the IBM Research laboratory in Zurich, Switzerland. He joined the Network Security Team (nsteam) at Eurecom the same year. His research and teaching interests include computer and network security. He is involved in many projects on intrusion detection systems and honeypots and his PhD subject dealt with alert correlation.
He co-founded with Pr. Marc Dacier the Leurré.com project (www.leurrecom.org).
He is currently working for the French administrative CSIRT, CERTA.
MD5: 2410a9d0a98c4270bd54b4951e9fca24
Format: application/pdf
Last Update: June 7th, 2024
Size: 2.3 Mb
Cui Xiang (National Computer Network Emergency Response Technical Team / Coordination Center of China, CN), Cui Xiang (National Computer Network Emergency Response Technical Team / Coordination Center of China, CN), Wu Bing (National Computer Network Emergency Response Technical Team / Coordination Center of China, CN), Yonglin Zhou (National Computer Network Emergency Response Technical Team / Coordination Center of China, CN), Zou Xin (National Computer Network Emergency Response Technical Team / Coordination Center of China, CN)
Current strategy against Internet worms is similar to capturing mouse using mousetrap, that is, to clip the occasionally passing mouse and never release until it dies. However, this strategy is less effective than that of spreading pest control chemicalst to cause a plague among cockroach group. For infected cockroach, we don’t expect it dead at once. We hope it goes back nest and infects others, by which way can kill pests at an exponential rate.
The theory of Worm Poisoning is similar with pest-toxicant production technics. The PoisonWorm functions like the pest-toxicant and the poisoned worm is like the infected pest then.
Worm Poisoning (also called Worm Spoofing) is a new-invented technology for worm containment. It tricks malicious worms to spread irrelevant file or code by their own mechanisms. The worm which poisons others and propagates by the poisoned worms is called PoisonWorm. So PoisonWorm is a special worm with active spread motivation, but without self-propagating capability. While it can obtain spread ability when some other malicious worms break out. It will reduce the negative influence of the malicious worm gradually, and won’t cause extra burden to the Internet or its host. A proof-of-concept PoisonWorm has been compiled and tested successfully using MSBlaster, Sasser, Mydoom and Netsky worms as the poisoned worms which proved the feasibility of the idea. PoisonWorm has some common characteristic but essential difference with anti-worm(also called good worm).
In this paper, the concept of Worm Poisoning and PoisonWorm are presented and the feasibility of Worm Poisoning is emphatically testified. A propagation model called SIRP and the side-effect to network traffic of PoisonWorm are given and compared to the classical epidemic Kermack-Mckendrick model. We highlight the feasibility and necessity of PoisonWorm and its application in active defense system against Internet worms. Also the technology of P2P-based unknown worm detection and signature verification is briefly introduced.
MD5: e43c8764b88cf48764d177e649e10a4b
Format: application/pdf
Last Update: June 7th, 2024
Size: 206.66 Kb
Herbert Bos, VU, LOBSTER project
MD5: 7fd845194a436b64ef9f5ebe895b037c
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.1 Mb