Co-Chair: Cristina Serban, AT&T Labs, USA
Co-Chair: O. Sami Saydjari, Cyber Defense Agency, USA
Michael Franz, UC Irvine, USA
Sal Stolfo, Columbia University, USA
V.N. Venkatakrishnan, SUNY Stony Brook, USA
Mary Ellen Zurko, IBM Corp., USA
This panel highlights a selection of the most interesting and provocative papers from the 2002 New Security Paradigms Workshop. This workshop was held September 2002 - the URL for more information is http://www.nspw.org. The panel consists of authors of the selected papers, and the session is moderated by the workshop's general chairs. We present selected papers focusing on exciting major themes that emerged from the workshop. These are the papers that will provoke the most interesting discussion at ACSAC.
This panel presents a selection of the best, most interesting, and most provocative work from the ACM-sponsored New Security Paradigms Workshop 2002. For eleven years, the New Security Paradigms Workshop (NSPW) has provided a productive and highly interactive forum for innovative new approaches to computer security. This year's workshop brought a record number of new security paradigms. This reflects the dramatic increase of interest and research in our field.
NSPW is an invitational workshop of deliberately small size, in order to facilitate deep, meaningful discussions of new ideas. Authors are encouraged to present work that might seem risky in other settings. All participants are charged with providing constructive feedback. The resulting brainstorming environment has proven to be an excellent medium for the furthering of "far out" and visionary ideas. Our philosophy is to look for significantly new paradigms and shifts from previous thinking, and facilitate the debate within a constructive environment of experienced researchers and practitioners along with newer participants in the field. In keeping with the NSPW philosophy, this panel challenges many of the dominant paradigms in information security. You can definitely expect it to be highly interactive; in the NSPW tradition, look forward to lively exchanges between the panelists and the audience. So come prepared with an open mind and ready to question and comment on what our panelists present!
Past NSPW conference panels have dealt with a wide variety of subjects including the following. Software engineering of secure systems; penetration tolerance; new directions in cryptography and steganography; alternative models of trust and authorization; user-centered security and end-user defenses; new models for securing "boundless networks"; deficiencies in traditional definitions of security, secrecy, and integrity; security in PDA devices; attack modeling; and offensive information warfare. The last NSPW panel was held at ACSAC 2001 and was well received, very lively and highly praised by the audience, ACSAC organizers and panelists alike.
Here are some of the latest ideas to emerge from NSPW, aside from those you will hear from the rest of the panelists.
The panel will consist of four authors of papers selected by the NSPW 2002 General and Program Chairs, and it will be chaired by the general chair. After the panel chair's introductory remarks, each panelist will then give a 10 to 15 minute presentation. The floor will then be opened for audience questions and discussions. This format has worked extremely well in the past, and we plan to continue the tradition. So come to our panel and discover this year's new paradigms! You'll either immediately like them or dislike them - and you'll get the chance to say so!
Our alternative mobile code representation encodes programs at a level much closer to source. It is much easier to transport source-level semantics in our encoding than in the prevalent low-level approaches. Our encoding also provides safety by construction, as illegal programs cannot even be expressed in it. Other advantages of our encoding are an excellent compression factor, and the ability to safely transport performance-enhancing annotations.
We believe MET and EMT exemplify a new generation of computer security systems based upon behavior profiles that aim to detect attacks, as well as attackers, thus providing a deterrent system for the first time on the internet. EMT computes information about email flows and aggregate statistical information from content fields of emails without revealing those contents. The range of models computed by EMT include the "social cliques" associated with an email account. Clique violations are useful in detecting many errant misuses of email. These misuses can include malicious email attachments, SPAM email, and email security policy violations. Of special interest is opportunity to detect polymorphic virii that are designed to avoid detection by signature-based methods, but which may likely be detected via their behavior, i.e., the manner in which they violate the victim's email profile while propagating.
We describe a new approach towards enterprise-wide enforcement of the privacy promises made. Its core is a new framework for managing collected personal data in a sensitive, trustworthy way. The framework enables enterprises to publish clear privacy promises, to collect and manage user preferences and consent, and to enforce the privacy promises throughout the enterprise. One of the foundations of this framework is the ``sticky policy paradigm'' that defines a customer centric model for managing policies, preferences, and consent.