Advance Program

Twenty-Second Annual Computer Security Applications Conference (ACSAC)

Practical Solutions To Real World Security Problems


December 11-15, 2006
Miami Beach Resort and Spa
Miami Beach, FL, USA

Presented by acsalogonew-lite.gif

Conference and Registration Information

Invitation to ACSAC 22

I would personally like to invite you to attend the 22nd Annual Computer Security Applications Conference (ACSAC). This year the conference travels south to Miami Beach, FL! Though the venue is new, we will continue the format established last year: the Technical Program consisting of refereed papers and panels will be presented Tuesday through Thursday, while a workshop will be held on Monday, and full and half-day tutorials will be offered both Monday and Friday. This advance program provides the details you will need to register, travel and attend, but please also visit, where you can find many useful resources, including full archives of past ACSACs.

We hope to see you in Miami Beach this December!

Dan Thomsen, Conference Chair

Welcome Reception

Please join us on Monday evening (Dec.11, 2006) at 6:00 pm for hors d'oeuvres and drinks and an opportunity to meet others in the security community. This is also a good opportunity for session chairs to meet their speakers!

Important Dates to Remember

November 13, 2006: Last day to reserve a room at the conference hotel at the conference rate.

November 13, 2006: Last day for early/reduced conference registration fee.

November 13, 2006: Last day to cancel your conference registration and obtain a refund less a service charge of $25.00. Cancellations must be in writing. See the Registration Form for complete details.

Conference Location

Hotel Information

The conference will be held at the Miami Beach Resort and Spa (


REGISTER EARLY! ACSAC has reserved a block of rooms at Group Room Rates until November 13. The Single/double price is $108.00/night plus tax. (Prevailing Government per Diem).

All reservations must be made directly with Miami Beach Resort and Spa.

Online Instructions

  1. Go to
  2. Click on Reservations
  3. At the bottom of the screen, click on the Group key
  4. Enter Attendee Code CA7460121

Hotel reservations: +1-866-765-9090.

Please be sure to use the Attendee Code to associate your reservation with the ACSAC conference. This makes the special negotiated room rates available to you, gives the conference a credit which helps to lower the regisration fees.

The room rate is available three days before and after the conference if you would like to stay over one or both weekends.

Cutoff Date: To qualify for the negotiated rates, hotel reservations by attendees must be received on or before Monday, November 13, 2006.

Directions to the Conference Hotel

  • From Miami International Airport:
    • Exit Airport and follow the sign that says “Lejune Road North”
    • From Lejune Road North take the “112 East-Miami Beach” (second lane from right)
    • 112 East Miami Beach after the toll will become I-195 - Miami Beach
    • Once you are on I-195 go straight (always on the left lane) and after you pass the long bridge you will be on Arthur Godfrey Rd (also 41st Street)
    • Keep going until you see Indian Creek Drive, there you’ll make a left
    • Indian Creek will merge with Collins Avenue – proceed to 4833 Collins Avenue

  • From Ft. Lauderdale / Hollywood International Airport:
    • Exit Airport to I-95 South
    • Take I-95 to I-195 Miami Beach
    • Once you are on I-195 go straight (always on the left lane) and after you pass the long bridge you will be on Arthur Godfrey Rd (also 41st Street)
    • Keep going until you see Indian Creek Drive, there you’ll make a left
    • Indian Creek will merge with Collins Avenue – proceed to 4833 Collins Avenue

Transportation to Miami Beach

Miami International Airport ( is the closest airport (approximately 10 miles west of Miami Beach). For information on taxis and shuttle services:

Fort Lauderdale airport is also convenient. It's approximately 30 minutes north of Miami Beach. Information on public transportation:

Official Miami Beach website:

Meals and Special Diet Requests

The Conference Committee has selected lunch menus that we hope everyone will enjoy. We realize that some individuals have special dietary needs. We have made arrangements to offer a vegetarian meal at lunch that will feature some combination of pasta, vegetables, and/or fruits. Please indicate your dietary request on the registration form and upon your arrival, please check your registration packet to ensure that your lunch tickets indicate your dietary request. If there are problems, please contact the conference registration desk.

Special Instructions for Foreign Visitors

If you are traveling from outside the United states, you may need to obtain a visa. Details on requesting a letter of invitation from ACSAC can be found at visa request.

Conference At-A-Glance

Monday, December 11, 2006
8:30-17:00 Workshop: Host Based Security Assessment
8:30-12:00 Tutorial M1 Tutorial M3 Tutorial M4
13:30-17:00 Tutorial M2
Tuesday, December 12, 2006
Time Track 1 Track 2 Track 3
8:30-10:00 Distinguished Practitioner: Dixie Baker, SAIC
10:30-12:00 Applied Distributed Collaboration Client Access in Untrusted Environments Vulnerability Management
13:30-15:00 Network Intrusion Detection Panel: Challenges for Web Services Security Personal Identification Verification
15:30-17:00 Network Security Security in Systems Case Studies
Wednesday, December 13, 2006
Time Track 1 Track 2 Track 3
8:30-10:00 Invited Essayist: Brian Witten, Symantec Corporation
10:30-12:00 Applied Sandboxing Malware Case Studies
13:30-15:00 Applied Detection Techniques Panel: Partnering with Industry and Academia - The DHS S&T Approach to Cyber Security Research, Development, Test, and Evaluation Industrial Control System Security
15:30-17:30 Works in Progress Case Studies
Thursday, December 14, 2006
Time Track 1 Track 2 Track 3
8:30-10:00 Classic Papers: Peter G. Neumann, SRI International
Jeremy Epstein, webMethods Inc.
10:30-12:00 Applied Randomization Intrusion Detection Case Studies
13:30-15:00 Messaging Security Countermeasures Certification and Accreditation
15:30-17:30 Information Flow and Leakage Panel: Highlights from the 2006 New Security Paradigms Workshop Minimum Security Requirements
Friday, December 15, 2006
8:30-12:00 Tutorial F5 Tutorial F6 Tutorial F7

Technical Program

Tuesday, December 12, 2006, 8:30-10:00

Opening Plenary

Introductory remarks:
Dan Thomsen, Cyber Defense Agency, LLC, Conference Chair
Christoph Schuba, Linköpings University, Program Chair

Introduction of the Distinguished Practitioner
Marshall Abrams, The MITRE Corporation

Distinguished Practitioner:
Privacy and Security in Public Health: Maintaining the Delicate Balance between Personal Privacy and Population Safety.
   Dr. Dixie Baker, SAIC

Amidst threats of pandemic influenza and bioterrorist attack, the importance of public health surveillance and preparedness has never been more important. Early detection of biological events, electronic reporting of laboratory test results, efficient exchange of case reports across jurisdictions, and timely alerting of health threats are critical components of effective health protection. Equally important to public health surveillance, preparedness, and response is the timely availability of information relating to individuals' healthcare behaviors and clinical conditions - posing a threat to personal privacy. Public health is challenged to maintain an optimal balance between protecting the nation's health and respecting the personal privacy of its citizens.


About the Speaker:

Dr. Dixie B. Baker is a Technical Fellow and Vice President for Technology at Science Applications International Corporation (SAIC), where she serves as the Chief Technology Officer (CTO) for the Enterprise and Infrastructure Solutions Group (E&ISG). With a total staff of over 12,000 people, E&ISG leads SAIC’s business in homeland security, health and life sciences, energy, environment, and enterprise solutions. As CTO, Dr. Baker serves as the Group’s principal visionary and spokesperson on science and technology issues, develops partnerships and strategic alliances with technology suppliers, oversees research and development investments, and represents SAIC in national and international forums. In addition, Dr. Baker serves as a senior consultant on projects of strategic importance to the Group and to SAIC.

An internationally recognized thought leader in high-assurance architecture and information protection, Dr. Baker has applied her expertise primarily to the health and life sciences for the past ten years. She was the Principal Investigator for the Patient Centered Access to Secure Systems Online (PCASSO) project, a National Library of Medicine sponsored research project that is widely regarded as ground-breaking in providing patients safe and secure Web access to their complete medical records. Her research team’s paper won the ACSAC’s 1997 Best Paper Award. She has provided testimony to the National Committee on Vital and Health Statistics (NCVHS) as input to the development of the Health Insurance Portability and Accountability Act (HIPAA) security standards, and more recently, as guidance toward technology solutions for protecting the confidentiality of health records released to third parties. For the Centers for Disease Control and Prevention (CDC), she defined, and now is helping implement, an architecture that will enable the production, management, distribution, and use of semantically interoperable data-collection instruments for disease surveillance across the U.S.

Dr. Baker has published and lectured extensively in a number of technology and health-related areas, including information protection, high-assurance architecture, electronic medical records, and Internet safety. In 2001, she was awarded the John P. McGovern Lectureship in Information and Communications, presented by the Medical Library Association. In September 2004, at the invitation of the Ministry of Health of the Peoples Republic of China, she presented a keynote address and paper at the IDEAS04DH Workshop on Medical Information Systems, held in Beijing.

Dr. Baker holds a Ph.D. in Education Research Methodologies and an M.S. in Computer Science from the University of Southern California, as well as M.S. and B.S. degrees from Florida State University and The Ohio State University respectively.

Tuesday, December 12, 2006, 10:30-12:00

Track 1: Technical Papers

Title: Applied Distributed Collaboration
Chair: Christoph Schuba, Linköpings University

Shamon: A System for Distributed Mandatory Access Control.
Jonathan McCune, Carnegie Mellon University
Stefan Berger, IBM
Ramon Caceres, IBM
Trent Jaeger, Pennsylvania State University
Reiner Sailer, IBM

A Framework for Collaborative DDoS Defense.
George Oikonomou, University of Delaware
Jelena Mirkovic, University of Delaware
Peter Reiher, University of California, Los Angeles
Max Robinson, The Aerospace Corporation

V-COPS: A Distributed Vulnerability-based Cooperative Alert System.
Shiping Chen, George Mason University
Dongyu Liu, George Mason University
Songqing Chen, George Mason University
Sushil Jajodia, George Mason University

Track 2: Technical Papers

Title: Client Access in Untrusted Environment
Chair: Jay Kahn, The MITRE Corporation

Delegate: A Proxy Based Architecture for Secure Website Access from an Untrusted Machine.
Ravi Chandra Jammalamadaka, University of California, Irvine
Timothy W.van der Horst, Brigham Young University
Sharad Mehrotra, University of California, Irvine
Kent E. Seamons, Brigham Young University
Nalini Venkatasubramanian, University of California, Irvine

Entering Passwords on a Spyware Infected Machine Using a Shared-Secret Proxy.
Dinei Florencio, Microsoft
Cormac Herley, Microsoft

Vulnerability Analysis of MMS User Agents.
Collin Mulliner, University of California, Santa Barbara
Giovanni Vigna, University of California, Santa Barbara

Track 3: Case Studies

Title: Vulnerability Management

Using the National Vulnerability Database in Enterprise Information Security Programs.
Peter Mell, NIST
Tony Sager, NSA

Tuesday, December 12, 2006, 13:30-15:00

Track 1: Technical Papers

Title: Network Intrusion Detection
Chair: Giovanni Vigna, University of California, Santa Barbara

Backtracking Algorithmic Complexity Attacks Against a NIDS.
Randy Smith, University of Wisconsin, Madison
Cristian Estan, University of Wisconsin, Madison
Somesh Jha, University of Wisconsin, Madison

NetSpy: Automatic Generation of Spyware Signatures for NIDS.
Hao Wang, University of Wisconsin, Madison
Somesh Jha, University of Wisconsin, Madison
Vinod Ganapathy, University of Wisconsin, Madison

Detecting policy violations through traffic analysis.
Jeffrey Horton, University of Wollongong
Rei Safavi-Naini, University of Wollongong

Track 2: Panel

Title: Challenges for Web Services Security
Chair: Anoop Singhal, Ph.D., NIST

The advance of Web services technologies promises to have far-reaching effects on the Internet and enterprise networks. Web services based on the eXtensible Markup Language (XML), Simple Object Access Protocol (SOAP), and related open standards, and deployed in Service Oriented Architectures (SOA) allow data and applications to interact without human intervention through dynamic and ad hoc connections. Web services technology can be implemented in a wide variety of architectures, can co-exist with other technologies and software design approaches, and can be adopted in an evolutionary manner without requiring major transformations to legacy applications and databases.

The security challenges presented by the Web services approach are formidable and unavoidable. Many of the features that make Web services attractive, including greater accessibility of data, dynamic application-to-application connections, and relative autonomy (lack of human intervention) are at odds with traditional security models and controls. Difficult issues and unsolved problems exist, such as the following:

  1. Confidentiality and integrity of data transmitted via Web services protocols in service-to-service transactions, including data that transits intermediary (pass-through) services.
  2. Functional integrity of the Web services themselves, requiring both establishment in advance of the trustworthiness of services to be included in service orchestrations or choreographies, and the establishment of trust between services on a by-transaction basis.
  3. Availability in the face of denial of service attacks that exploit vulnerabilities unique to Web service technologies, especially targeting core services, such as discovery service, on which other services rely.


  • Mike McIntosh, IBM Research, Yorktown Heights
  • Prof. Carl Gunter, Department of Computer Science, Univ. of Illinois
  • Jeremy Epstein, Web Methods
  • Rafae Bhatti, CERIAS, Purdue University
  • Karen Groetzel, Manager Software Security, Booz Allen Hamilton, Inc.

Track 3: Case Studies

Title: Personal Identification Verification

FIPS 201: The Standard and Its Effect on the Public and Private Sectors.
Bill MacGregor, NIST
Invited Speaker, GSA
Invited Speaker, Bearing Point

Tuesday, December 12, 2006, 15:30-17:00

Track 1: Technical Papers

Title: Network Security
Chair: Cristina Serban, AT&T

Practical Attack Graph Generation for Network Defense.
Kyle Ingols, MIT Lincoln Laboratory
Richard Lippmann, MIT Lincoln Laboratory
Keith Piwowarski, MIT Lincoln Laboratory

Secure Distributed Cluster Formation in Wireless Sensor Networks.
Kun Sun, Intelligent Automation, Inc.
Pai Peng, Opsware Inc.
Peng Ning, North Carolina State Univeristy
Cliff Wang, Army Research Office

Specification-Based Intrusion Detection in WLANs.
Rupinder Gill, Queensland University of Technology
Jason Smith, Queensland University of Technology
Andrew Clark, Queensland University of Technology

Track 2: Technical Papers

Title: Security in Systems
Chair: Lujo Bauer, Carnegie Mellon University

Understanding Practical Application Development in Security-typed Languages.
Boniface Hicks, Pennsylvania State University
Kiyan Ahmadizadeh, Pennsylvania State University
Patrick McDaniel, Pennsylvania State University

Adder: A Secure Internet Voting System.
Aggelos Kiayias, University of Connecticut
Michael Korman, University of Connecticut
David Walluck, University of Connecticut

A Study of Access Control Requirements for Healthcare Systems Based on Audit Trails from Access Logs.
Lillian Røstad, Norwegian University of Science and Technology
Ole Edsberg, Norwegian University of Science and Technology

Track 3: Case Studies

Title: Case Studies
Chair: Ed Keefe, FBI

Challenges for Secure Web Services.
Anoop Singhal, NIST

Challenge of Email Compliance & Automated Policy Enforcement.
Suhayya (Sue) Abu-Hakima, Entrust

Authentication Methods from the Edge.
Chris Voice, Entrust

Wednesday, December 13, 2006, 8:30-10:00

Invited Essayist Plenary

Introduction of the Invited Essayist
Dan Thomsen, Cyber Defense Agency, LLC

Invited Essayist:
Engineering Sufficiently Secure Computing.
   Brian Witten, Symantec Corporation

We propose an architecture of four complimentary technologies increasingly relevant to a growing number of home users and organizations: cryptography, separation kernels, formal verification, and rapidly improving techniques relevant to software defect density estimation. Cryptographic separation protects information in transmission and storage. Formally proven properties of separation kernel based secure virtualization can bound risk for information in processing. Then, within each strongly separated domain, risk can be measured as a function of people and technology within that domain. Where hardware, software, and their interactions are proven to behave as and only as desired under all circumstances, such hardware and software can be considered to not substantially increase risk. Where the size or complexity of software is beyond such formal proofs, we discuss estimating risk related to software defect densities, and emerging work related to binary analysis with potential for improving software defect density estimation.


About the Speaker:

As Director of Government Research, Mr. Brian Witten leads all federally sponsored research and development within Symantec. Symantec Government Research is charged with the responsibility of developing technology for future Symantec products and services emerging from federally sponsored research solving nationally critical problems. Symantec pursues much of this research in partnership with world renowned universities. An experienced information security expert, Mr. Witten has also worked closely with both established industry leaders and early stage venture backed companies founded on disruptive technology.

Prior to joining Symantec, Mr. Witten worked at the Defense Advanced Research Projects Agency (DARPA), the U.S. military’s central research and development organization charged with sponsoring revolutionary, high-payoff research to maintain the technological superiority of the U.S. military. While at DARPA, he focused on creation of new network security technologies to protect current and future information systems supporting "Network Centric Warfare." At DARPA, Mr. Witten managed an R&D investment portfolio of more than $150 million in U.S. and international efforts.

Mr. Witten began his technology career as on officer in the U.S. Air Force where he first began collaborating with leading academic institutions and commercial firms in information security research while assigned to Rome Laboratories and Air Force Research Labs (AFRL).

Mr. Witten received his B.S. in Electrical and Computer Engineering from the University of Colorado.

Wednesday, December 13, 2006, 10:30-12:00

Track 1: Technical Papers

Title: Applied Sandboxing
Chair: Konstantin Beznosov, University of British Columbia

A Module System for Isolating Untrusted Software Extensions.
Philip Fong, University of Regina
Simon Orr, University of Regina

How to Automatically and Accurately Sandbox MS IIS.
Wei Li, Rether Networks, Inc.
Lap-chung Lam, Rether Networks, Inc.
Tzi-cker Chiueh, Rether Networks, Inc.

Data Sandboxing for Confidentiality.
Khatiwala Tejas, University of Illinois at Chicago
Raj Swaminathan, University of Illinois at Chicago
V.N. Venkatakrishnan, University of Illinois at Chicago

Track 2: Technical Papers

Title: Malware
Chair: Anoop Singhal, National Institute for Standards and Technology

On Detecting Camouflaging Worm.
Wei Yu, Texas A&M University
Xun Wang, Ohio State University
Prasad Calyam, Ohio State University
Dong Xuan, Ohio State University
Wei Zhao, Texas A&M University

Bluetooth Worms: Models, Dynamics, and Defense Implications.
Guanhua Yan, Los Alamos National Laboratory
Stephan Eidenbenz, Los Alamos National Laboratory

Back to the Future: A Framework for Automatic Malware Removal and System Repair.
Francis Hsu, University of California, Davis
Thomas Ristenpart, University of California, San Diego
Hao Chen, University of California, Davis

Track 3: Case Studies

Title: Case Studies
Chair: TBD

Trusted Storage.
Robert Thibadeau, Seagate Research

Putting Trust into the Network: Securing Your Network through Trusted Access Control.
Steve Hanna, Juniper Networks

Employing Encryption to Combat Data Theft.
Derek Tumulak, Ingrian Networks

Wednesday, December 13, 2006, 13:30-15:00

Track 1: Technical Papers

Title: Applied Detection Technologies
Chair: Arthur R. Friedman, OASD(NII)/DoD CIO

Static Detection of Vulnerabilities in x86 Executables.
Greg Banks, University of California, Santa Barbara
Marco Cova, University of California, Santa Barbara
Viktoria Felmetsger, University of California, Santa Barbara
Giovanni Vigna, University of California, Santa Barbara

Foreign Code Detection on the Windows/X86 Platform.
Susanta Nanda, Stony Brook University
Wei Li, Stony Brook University
Tzi-cker Chiueh, Stony Brook University

PolyUnpack: Automating the Hidden-Code Extraction of Unpack-Executing Malware.
Paul Royal, Georgia Institute of Technology
Mitch Halpin, Georgia Institute of Technology
David Dagon, Georgia Institute of Technology
Robert Edmonds, Georgia Institute of Technology
Wenke Lee, Georgia Institute of Technology

Track 2: Panel

Title: Partnering with Industry and Academia - The DHS S&T Approach to Cyber Security Research, Development, Test, and Evaluation
Chair: Dr. Douglas Maughan, U.S. Department of Homeland Security (DHS), Science and Technology (S&T) Directorate

The Science and Technology (S&T) Directorate in the U.S. Department of Homeland Security (DHS) has the mission to conduct research, development, test and evaluation (RDT&E), and timely transition of cyber security capabilities to operational units within DHS, as well as federal, state, local, and critical infrastructure sector operational end users for homeland security purposes. Collaboration and partnerships with academia, research labs, and private industry is required for success in this mission, and this panel will present some of the partnerships that DHS S&T is currently involved in and supporting. The speakers will present their projects and their experiences of working with DHS S&T and the other partners.

The DNSSEC Deployment Initiative is a community-based, international effort to transition the current state of DNSSEC to large-scale deployment that will strengthen the Internet domain name system against attacks.

The DHS-SRI International Identity Theft Technology Council (ITTC) is a working forum where experts and leaders from the government, private, financial, IT, venture capitalist, and academia and science sectors come together to address the problem of identity theft and related criminal activity on the Internet.

Project LOGIC is a 12-month technology integration and demonstration project jointly supported by industry partners and DHS S&T. The project demonstrates an opportunity to reduce vulnerabilities of oil and gas process control environments by sensing, correlating and analyzing abnormal events to identify and prevent cyber security threats. It is also an illustration of a successful model for collaboration between infrastructure owners, technology providers, research labs, and the Government.

The DETER testbed, jointly supported by NSF and DHS S&T, is a shared testbed infrastructure that is specifically designed for medium-scale repeatable experiments, and especially for experiments that may involve "risky" code such as self-propagating malware.

The Secure Wireless Data Program is a collaboration between the U.S. and Canadian governments and multiple industry partners. SRI International leads an integration of new and innovative security technologies followed by trials to test the solution in real-case scenarios. The program is focused on overlays and complementary technologies that can be used to enhance security with minimal impact on the usability of the basic mobile data platform.


  • Dr. Steve Crocker, Shinkuro
  • Dave Jevans, Anti-Phishing Working Group and IronKey
  • Tom Aubuchon, Chevron Pipeline
  • Terry Benzel, USC-ISI
  • Mark Schertler, Voltage Security OR Dr. Ulf Lindqvist, SRI International

Track 3: Case Studies

Title: Industrial Control System Security

An Overview of Emerging Standards, Guidelines, and Implementation Activities.
Stu Katzke, NIST
Joe Weiss, KEMA

Wednesday, December 13, 2006, 15:30-17:00

Combined Track 1 and 2: Works in Progress Session

Title: Works in Progress (WiP) session:
Chair: Cristina Serban, AT&T

Session contents will be announced shortly before the conference.

Track 3: Case Studies

Title: Case Studies
Chair: TBD

CANADIAN-US Security Enhanced BlackBerry Trial.
Mark Schertler, Voltage

From the Lab to the Boardroom: How to Perform a Security Risk Assessment like a Professional.
Doug Landoll, En Pointe Technologies

XL Global Services: A Compelling Case Study in Data Privacy.
Paul Dunbar, XL Capital

Thursday, December 14, 2006, 8:30-10:00

Classic Papers Plenary

Introduction of the Classic Papers
Tom Haigh, Adventium Labs and the Cyber Defense Agency, LLC

Fifteen Years after TX: A Look Back at High Assurance Multi-Level Secure Windowing.
   Jeremy Epstein, webMethods, Inc.

Research in the late 1980s and early 1990s produced a prototype high assurance multi-level secure windowing system that allowed users to see information of multiple classifications on the same screen, performing cut & paste from low to high windows. This retrospective discusses the motivations for the project, reviews the architecture and implementation of the prototype, discusses developments in the intervening years, and concludes with lessons learned.


About the Speaker:

Mr. Jeremy Epstein has been involved in information security for nearly 20 years, and is a well known researcher in the area. He is currently Senior Director of Product Security at webMethods, where he's responsible for analyzing and improving the security of all products, designing security for new products, assessing third party security products, and complying with security standards. He's also Lead Analyst with Cyber Defense Agency LLC where he leads several DARPA efforts. Prior to joining webMethods and CDA, he led a security research group at Network Associates, and was responsible for the C2 security evaluation of Novell NetWare. The research described in this classic paper was performed when he led a research group at TRW, Inc in the late 1980s and early 1990s. He has published over 20 papers in refereed research conferences including USENIX, IEEE, and ACSAC, as well as several articles in trade magazines. In his spare time, he works to improve security of electronic voting systems as a member of the Virginia legislature's committee on voting equipment recommendations. Mr. Epstein holds a BS in Computer Science from New Mexico Tech, an MS in Computer Sciences from Purdue University, and an ABD from George Mason University.

Risks of Untrustworthiness.
   Peter G. Neumann, SRI International Computer Science Lab

This paper revisits the risks of untrustworthiness, and considers some incidents involving computer-based systems that have failed to live up to what had been expected of them. The risks relate to security, reliability, survivability, human safety, and other attributes, and span a variety of applications and critical infrastructures, such as electric power, telecommunications, transportation, finance, medical care, and elections. The range of causative factors and the diversity of the resulting risks are both enormous. Unfortunately, many of the problems seem to recur far too often. Various lessons therefrom and potential remedies are discussed.


About the Speaker:

Peter G. Neumann ( has doctorates from Harvard and Darmstadt. After 10 years at Bell Labs in Murray Hill, New Jersey, in the 1960s, during which he was heavily involved in the Multics development jointly with MIT and Honeywell, he has been in SRI's Computer Science Lab since September 1971. He is concerned with computer systems and networks, trustworthiness/dependability, high assurance, security, reliability, survivability, safety, and many risks-related issues such as voting-system integrity, crypto policy, social implications, and human needs including privacy. He moderates the ACM Risks Forum, edits CACM's monthly Inside Risks column, chairs the ACM Committee on Computers and Public Policy, and chairs the National Committee for Voting Integrity (

He created ACM SIGSOFT's Software Engineering Notes in 1976, and was its editor for 19 years and still contributes the RISKS section. He has participated in four studies for the National Academies of Science: Multilevel Data Management Security (1982), Computers at Risks (1991), Cryptography's Role in Security the Information Society (1996), and Improving Cybersecurity for the 21st Century: Rationalizing the Agenda (2006). His 1995 book, Computer-Related Risks, is still timely!

He is a Fellow of the ACM, IEEE, and AAAS, and is also an SRI Fellow. He received the National Computer System Security Award in 2002 and the ACM SIGSAC Outstanding Contributions Award in 2005. He is a member of the U.S. Government Accountability Office Executive Council on Information Management and Technology, and the California Office of Privacy Protection advisory council. He co-founded People For Internet Responsibility (PFIR, He has taught courses at Darmstadt, Stanford, U.C. Berkeley, and the University of Maryland. See his website ( for Senate and House testimonies, papers, bibliography, further background, etc.

Thursday, December 14, 2006, 10:30-12:00

Track 1: Technical Papers

Title: Applied Randomization
Chair: Steven J. Greenwald, Independent Consultant

Address-Space Randomization for Windows Systems.
Lixin Li, Global Infotek
James Just, Global Infotek
R. Sekar, Stony Brook University

Address Space Layout Permutation (ASLP): Towards Fine-Grained Randomization of Commodity Software.
Chongkyung Kil, North Carolina State University
Jinsuk Jun, North Carolina State University
Christopher Bookholt, North Carolina State University
Jun Xu, North Carolina State University
Peng Ning, North Carolina State University

Known/Chosen Key attacks against RISE: Attacking the immune system.
Yoav Weiss, Discretix Technologies Ltd.
Elena Gabriela Barrantes, Universidad de Costa Rica

Track 2: Technical Papers

Title: Intrusion Detection
Chair: Carrie Gates, CA Labs

Automatic Evaluation of Intrusion Detection Systems.
Frédéric Massicotte, Communications Research Center
François Gagnon, Carleton University
Yvan Labiche, Carleton University
Lionel Briand, Carleton University
Mathieu Couture, Carleton University

Offloading IDS Computation to the GPU.
Nigel Jacob, Tufts University
Carla Brodley, Tufts University

Anomaly Based Web Phishing Page Detection.
Ying Pan, Singapore Management University
Xuhua Ding, Singapore Management University

Track 3: Case Studies

Title: Case Studies
Chair: TBD

Certification and Accreditation at National Oceanographic and Atmospheric Administration (NOAA), National Environmental Satellite, Data, and Information Service (NESDIS).
Dan Gambel, Mitretek Systems

Using Predictive Analytics and Modeling to Improve Insider Threat Detection and Cyber Threat Identification.
Peter Frometa, SPSS Inc

The Business of Enterprise Privacy, Compliance.
David Thomspon, Voltage

Thursday, December 14, 2006, 13:30-15:00

Track 1: Technical Papers

Title: Messaging Security
Chair: Jeremy Epstein, webMethods, Inc.

Addressing SMTP-based Mass-Mailing Activity Within Enterprise Networks.
David Whyte, Carleton University
Paul van Oorschot, Carleton University
Evangelos Kranakis, Carleton University

Using Attribute-Based Access Control to Enable Attribute-Based Messaging.
Rakesh Bobba, University of Illinois
Omid Fatemieh, University of Illinois
Fariba Khan, University of Illinois
Carl Gunter, University of Illinois
Himanshu Khurana, University of Illinois

Enhancing Signature-based Collaborative Spam Detection with Bloom Filters.
Jeff Yan, University of Newcastle upon Tyne
Pook Leong Cho, University of Newcastle upon Tyne

Track 2: Technical Papers

Title: Countermeasures
Chair: Rick Smith, University of St. Thomas

Extended protection against stack smashing attacks without performance loss.
Yves Younan, Katholieke Universiteit Leuven
Davide Pozza, Politecnico di Torino
Frank Piessens, Katholieke Universiteit Leuven
Wouter Joosen, Katholieke Universiteit Leuven

PAST : Probabilistic Authentication of Sensor Timestamps.
Ashish Gehani, University of Notre Dame
Surendar Chandra, University of Notre Dame

Towards Database Firewall: Mining the Damage Spreading Patterns.
Kun Bai, Pennsylvania State University, University Park
Peng Liu, Pennsylvania State University, University Park

Track 3: Case Studies

Title: Certification and Accreditation

Understanding the Risks to Enterprises and their Information Technology Infrastructure.
Ron Ross, NIST
Julie Mehan, Hatha Systems

Thursday, December 14, 2006, 15:30-17:00

Track 1: Technical Papers

Title: Information Flow and Leakage
Chair: Ed Schneider, IDA

A General Dynamic Information Flow Tracking Framework for Security Applications.
Lap Chung Lam, Rether Networks, Inc.
Tzi-cker Chiueh, Stony Brook University

Covert and Side Channels due to Processor Architecture.
Zhenghong Wang, Princeton University
Ruby Lee, Princeton University

CryptoPage/HIDE: an Efficient Secure Architecture with Memory Encryption, Integrity and Information Leakage Protection.
Guillaume Duc, ENST Bretagne
Ronan Keryell, ENST Bretagne

Protecting Privacy in Key-Value Search Systems.
Yinglian Xie, Carnegie Mellon University
David O'Hallaron, Carnegie Mellon University
Michael Reiter, Carnegie Mellon University

Track 2: Panel

Title: Highlights from the 2006 New Security Paradigms Workshop (NSPW)
Chair: Carol Taylor, University of Idaho

This panel highlights a selection of the most interesting and provocative papers from the 2006 New Security Paradigms Workshop. The URL for more information is

The panel consists of authors of the selected papers, and the session is moderated by the workshop's general chairs. We present selected papers focusing on exciting major themes that emerged from the workshop. These are the papers that will provoke the most interesting discussion at ACSAC.

Track 3: Case Studies

Title: Minimum Security Requirements

FIPS 200: The Standard and Its Effect on the Public and Private Sectors.
Ron Ross, NIST
Graydon McKee, Unisys (Invited)


Title: Host Based Security Assessment: Standards to Implementations
Chair: Harvey Rubinovitz, The MITRE Corporation
Monday, 11 December 2006, 8:30 a.m. - 4:30 p.m.

In recent years, malware has become one of the major threats to service availability and information security. To reduce the number of infections, security assessments are performed to check a computer’s configuration against a known standard to offers the best security for a given environment. A number of companies and agencies have published their standards and, depending on a system’s ownership, the owners of the system may need to maintain a list of systems with their degree of compliance. For groups that have a large number of computer systems, performing an assessment and determining compliance can be a long process. Another issue is determining which standard should be used to determine compliance.

Federal Information Processing Standards (FIPS) have been established to guide agencies in complying with the Federal Information Security Management Act (FISMA). The National Institute of Standards and Technology (NIST) is actively holding workshops on how FISMA requires organizations to conduct security assessments of federal systems, including those federal systems operated by contractors. Each organization, once agreeing on a standard configuration, needs a way to perform the checks in a systematic fashion. To help with this process, organizations may consider either in-house solutions or commercial products to perform the checks. Many of the products not only check but also enforce standard profiles.

This workshop will focus on the security assessments, including how they may be defined in standards by either government agencies or by commercial organizations, how technology is being implemented and utilized to perform the assessments, and how on-going enforcement is accomplished. The workshop will also examine the need to facilitate the research and development of the next generation of standards and implementations to assist in the creation of more secure configurations. Previous participants have agreed that past workshops have provided a useful and exciting forum for members of the standards and software development worlds to exchange ideas, opinions, and concerns. Due to community interest in security assessments and the rapidly evolving technologies, this year’s workshop should generate much discussion.

Pre-registration is required as there is registration fee to cover the cost of the workshop and lunch and snack. Position papers are encouraged. To register, contact Harvey Rubinovitz, Workshop Chair, The MITRE Corporation, M/S S145, 202 Burlington Road, Bedford, Massachusetts 01730; (781)-271-3076; If you are interested in attended please check off the appropriate box on the conference registration form and add in the workshop fee of $50.


ACSAC is pleased to host seven tutorials this year, distributed between Monday, December 11, and Friday, December 15, 2006. See the descriptions that follow for more details about each tutorial, its instructor(s) and when it will be given.

Attendees enrolled in any of the following tutorials are provided lunch on the day of their tutorial.

Although everyone attending a tutorial will be provided a copy of the materials used by the instructor, only those who pre-register for the tutorial will be guaranteed the tutorial materials at the beginning of the tutorial instruction. See the registration form for more information. Please note the tutorial registration fees are for tutorials only; registration for the technical portion of the Conference is separate.

Tutorial M1

Building Biometric Authentication Systems: Pitfalls and How to Avoid Them
Speaker: Dr. Jan Jürjens, The Open University
Time: Monday Morning 12/11/2006 Half-Day Tutorial

Biometric techniques are increasingly used to identify, verify, and authenticate people. Building authentication systems that rely on these techniques is however still very challenging: It is difficult to estimate the reliability of the current biometric sensors and matching algorithms. It is hard to adequately calibrate these algorithms to achieve the trade-off between false positive and false negative rates most suitable for a given application. And it is very challenging to correctly build systems that employ biometric authentication systems so that the overall system will be secure.

Based on practical experiences from related industrial R&D projects, the tutorial gives a hands-on introduction into how to correctly build biometric authentication systems and how to securely embed them into the system context. The tutorial will report on experiences and lessons learnt, and on common pitfalls in designing such systems. Tutorial participants will gain up-to-date knowledge on the state of the art in biometric authentication and on how to use this technology securely. A textbook on secure systems development used during the tutorial is distributed to each participant.

Prerequisites: Some basic knowledge in computer security would be helpful.

High-Level Outline

The tutorial covers the following subtopics.

  • Introduction: What Is Biometric Authentication and how does it work?
  • Which Biometric Authentication Technique is best for my application?
  • How do I calibrate it correctly for the right trade-off between false positives and false negatives?
  • Architectures for Biometric Authentication Systems
  • Common Pitfalls in Designing and Implementing Biometric Authentication Systems and How to avoid them
  • Security Testing Biometric Authentication Systems
  • Operational Security of Biometric Authemtication Systems: What to look out for.

Each topic is covered in about 20-30 min.

About the Instructor

Dr. Jan Jurjens is a Senior Lecturer (equiv. US Assoc. Prof.) at the Open University (the British long-distance university in Milton Keynes near London). He is the author of a book on Secure Systems Development with UML (Springer 2004) and an introductory book on IT-Security (Springer 2006) and about 50 papers and 10 invited talks in refereed international books, journals, and conferences, mostly on computer security and software engineering. He has created and lectured courses on secure systems development at the University of Oxford, the Technical University of Munich, Carlos III Univ. Madrid, and the University of Innsbruck, as well as over 30 tutorials on secure software engineering at international conferences. He is the initiator and current chair of the working group on Formal Methods and Software Engineering for Safety and Security (FoMSESS) within the German Society for Informatics (GI). He is a member of the executive board of the Division of Safety and Security (Fachbereich Sicherheit) within the GI, the executive boad of the committee on Modeling (QFA Modellierung) of the GI, the advisory board of the Bavarian Competence Center for Safety and Security (KoSiB), the working group on e-Security of the Bavarian regional government, the IFIP Working Group 1.7 "Theoretical Foundations of Security Analysis and Design", and the IFIP Working Group on Critical Infrastructure Protection which is currently being founded. He has been leading various security-related projects with industry.

Jan Jurjens studied Mathematics and Computer Science at the Univ. of Bremen (Germany) and the Univ. of Cambridge (GB). He has done research towards a PhD at the Univ. of Edinburgh (GB), Bell Laboratories (Palo Alto, USA), and the Univ. of Oxford (GB), received a DPhil (Doctor of Philosophy) in Computing from the Univ. of Oxford. Before joining the faculty at the Open University, he directed the Competence Center for IT-Security at the group on Software & Systems Engineering at the Technical University of Munich.

Tutorial M2

Defenses Against Viruses, Worms, and Malicious Software
Speaker: Dr. Tom Chen, Southern Methodist University
Time: Monday Afternoon 12/11/2006 Half-Day Tutorial

The Internet has created a fertile environment for viruses and worms since virtually every computer is now interconnected into a global community. About every PC user has an experience with a virus or worm at some time or another. Unlike many types of security attacks directed at compromising a specific target, the self-replicating nature of viruses and worms creates a large-scale attack on the general community. The Internet itself is also affected by the resulting congestion.

This tutorial will give an overview of computer viruses, worms, and Trojan horses. The tutorial is organized into three major parts. The first part introduces the audience to the self-replicating mechanisms of viruses and worms, and describes how malicious software programs function. The possible effects on hosts and networks is described with real-life examples.

The second part of the tutorial gives an overview of current host-based and network-based defenses. Hosts are protected by antivirus software and operating system patching. Network-based defenses consist of various network equipment such as firewalls, intrusion detection systems, server proxies, and routers. In addition to explaining each type of defense, the limitations of each defense are pointed out. The limitations are important to understanding why malware outbreaks continue to be a major problem today and into the foreseeable future.

The third part of the tutorial gives an overview of some current research areas in improving defenses. The automation of defenses will be critical in the face of new worms that can be much faster than today’s manual, reactive defenses. Automated defenses will first depend on accurate detection of new outbreaks. New outbreaks must be detected before a virus/worm signature is available, so new behavior-based detection methods must be used. Unfortunately, behavior-based detection can result in a high number of false positives, so current research is seeking to improve the accuracy of behavior-based detection. After detection of a new outbreak, automated defenses will exercise some action to quarantine the worm. Examples proposed by Cisco and Microsoft will be described. Also, the use of tarpits and rate throttling to slow down outbreaks will be explained.

Prerequisites: None specified.

High Level Outline

  1. Introduction
    Historical and recent cases
  2. Malware Basics
    Computer viruses, Worms, Trojan horses, Vulnerabilities and exploits, Replication mechanisms, Payloads, Congestion effects
  3. Current Defenses
    Antivirus software and patching, Firewalls, Intrusion detection systems, Router access control lists, Mail server proxies, Limitations of current defenses
  4. Early Detection and Warning
    Host-based detection, Honeypots and black holes, Network-based intrusion detection, Early warning systems
  5. Dynamic Quarantining
    Quarantine requirements, Cisco Network Admission Control, Microsoft Network Access Protection, Honeypots and tarpits, Rate throttling
  6. References and Further Reading

About the Instructor

Thomas M. Chen is an associate professor in the Department of Electrical Engineering at Southern Methodist University in Dallas, Texas. He received the BS and MS degrees in electrical engineering from the Massachusetts Institute of Technology in 1984, and the PhD in electrical engineering from the University of California, Berkeley, in 1990. He is currently the editor-in-chief of IEEE Communications Magazine, a senior technical editor for IEEE Network, a past associate editor for ACM Transactions on Internet Technology, and past founding editor of IEEE Communications Surveys. He served as the treasurer for the IEEE Technical Committee on Security and Privacy 2004-2005. He is a member of the Technical Advisory Board for the Voice over IP Security Alliance. Prior to joining SMU, he was a senior member of the technical staff at GTE Laboratories (now Verizon) working on ATM research. He is the co-author of ATM Switching Systems (Artech House, 1995). He was the recipient of the IEEE Communications Society’s Fred W. Ellersick best paper award in 1996. His research interests include network security, traffic modeling, network performance, and network management.

Tutorial M3

Live Forensics
Speakers: Dr. Frank Adelstein, ATC-NY and Dr. Golden Richard, University of New Orleans
Time: Monday 12/11/2006 Full-Day Tutorial

Traditional digital forensics focuses on analyzing a copy (or “image”) of a disk to extract information, such as deleted files, file fragments, web browsing history, and to build a timeline that provides a partial view of what happened on the computer. Live forensics, an emerging area in which information is gathered on running systems, offers some distinct advantages over traditional “dead” forensics, which focuses on disk images. Live forensics can provide information on the running state of the machine that cannot be gathered by static methods, such as running processes, memory dumps, open network connections, and unencrypted versions of encrypted files. This information can both serve as digital evidence and help direct or focus traditional analysis methods.

This tutorial covers the area of live forensics, including the types of information that can be gathered, how the evidence can be analyzed, and how it can work in conjunction with traditional methods, as well as satisfy forensic requirements. We will briefly review static disk analysis techniques, briefly cover network packet analysis, and then discuss gathering information on a live machine. The tutorial includes demonstrations. At the end, the students should understand what live state information is available on a computer, some of the different methods to gather the information, and the “best practices” that should be observed when performing a live analysis.

Prerequisites: None. This tutorial focuses on the emerging area of forensic analysis of live systems. The tutorial does not assume students have a background in forensics and will spend approximately 25% of the time reviewing the basic ideas of digital forensics. The rest of the course will focus on gathering and analyzing live data (network and host based forensics). Those familiar with “traditional” or static forensic analysis but who are interested in live forensics should also benefit from the course. This course will not cover legal issues.

High Level Outline

  1. Introduction
  2. Traditional Forensics Background (1.5 hours)
  3. Network Analysis (1.0 hours)
  4. Live Forensics (2.5 hours)
  5. Big Demo/Scenario of putting it all together (0.5 hours)
  6. Summary/Wrap up

About the Intructors

Dr. Frank Adelstein is the technical director of computer security at ATC-NY in Ithaca, NY. He is the principal designer of a live forensic investigation product (marketed as Online Digital Forensic Suite™ and LiveWire Investigator™) and has worked in the area of live investigation for the last 5 years. He has also been the principal investigator on numerous research and development projects including security, wireless networking, intrusion detection, and training.

Professor Golden G. Richard III is an Associate Professor at the University of New Orleans, where he developed the Information Assurance curriculum and coordinated the effort to have the University of New Orleans certified by the National Science Foundation as a Center of Academic Excellence. He teaches courses in digital forensics, computer security, and operating systems internals. He is also a co-founder of Digital Forensic Solutions, LLC and is the author of the digital forensics tool “Scalpel.”

Richard and Adelstein are the chair and vice-chair of the Digital Forensic Research Workshop, the premier workshop on research advances in the area of digital forensics. They have co-authored the book “Fundamentals of Mobile and Pervasive Computing” (from McGraw-Hill).

Tutorial M4

Security Engineering
Speaker: Dr. Steven J. Greenwald, Independent Consultant
Time: Monday 12/11/2006 Full-Day Tutorial

Based on Ross Anderson’s carefully researched and eminently practical book Security Engineering: A Guide to Building Dependable Distributed Systems, this tutorial will cover how to make distributed systems more secure with the help of both technological mechanisms and management strategies. It will cover the entire field of computer security, although it is, of course, severely limited by the one-day format.

Real-world examples of how information systems have been defeated will be covered, as well as the uses of technology, policy, psychology, and legal issues.. Practical examples such as the security of ATM machines, multi-level security, information warfare, hardware security, e-commerce, intellectual property protection, biometrics, and tamper resistance will be covered. Each section will examine what goes wrong.

Prerequisites: None.

High Level Outline

  1. A Quick Overview of Security Engineering Basics (1 hour).
  2. Conventional Computer Security Issues (1 hour).
  3. Hardware Engineering Aspects of Information Security (1 hour).
  4. Attacks on Networks (1 hour).
  5. Electronic Commerce (1 hour).
  6. Policy, Management, and Assurance (1 hour)
  7. Conclusions and General Q&A (½ hour).

About the Instructor

Dr. Steven J. Greenwald is an Independent Consultant in the field of Information Systems Security specializing in distributed security, formal methods, security policy modeling, and related areas. He also works with organizational security policy consulting, evaluation, training, and auditing.

Dr. Greenwald is also a Research Fellow of Virginia’s Commonwealth Information Security Center (CISC) and an adjunct professor at James Madison University (an NSA Designated Center of Academic Excellence in Information Security Assurance) where he teaches several graduate courses for their M.S. degree in Computer Science concentrating in INFOSEC.

Dr. Greenwald served as the 2001 General Chair of the New Security Paradigms Workshop (NSPW), has been past Program Chair for NSPW, and also serves on the program committees of other conferences. He is a member of the Association for Computing Machinery and the IEEE Computer Society. More information about him, including his publications, can be found at his web site at

Tutorial F5

Next-Generation Wireless Risks & Defenses
Speaker: Mr. Richard Rushing, AirDefense
Time: Friday 12/15/2006 Full-Day Tutorial

As wireless networks continue to grow, the ever-present danger of new, more sophisticated hacking tools is also on the upswing. Simultaneously the knowledge needed to use these tools to hack into wireless networks is decreasing. Hackers, armed with new tools such as LIVE CD's and a host of others, are launching increasingly more sophisticated attacks on the networks and clients. Networks that a year ago were said to be unbreakable can now be broken in less than 10 minutes. The risk of wireless clients and the hostile environments of hotspots are making it more difficult for enterprise networks to stay secure.

This session will look at the current and future generation of wireless attack tools. This set of attack tools out on the Internet can damage, destroy, and infiltrate most wireless networks. This session will enable network and security administrators of organizations to build defenses and strategies against attacks and wireless network breaches or infections.

Topics covered at-a-glance:

  • BlueXing and New Bluetooth Attacks
  • WEP Attacks and Injection
  • LeapCrack, Bruteforce tools, Old Dictionary Attacks get new life
  • PEAP Exploits and how to prevent the MITM issues with clients
  • Probing Stations and how to prevent from become Snarfed
  • Protect the network from DoS Attacks
  • Layer 3 Attacks, from ARP spoofing, what is possible from the Air
  • 802.1x Exploits and Vulnerabilities

Prerequisites: None.

High Level Outline

  1. Introduction
  2. Wireless Networking
  3. Wireless Vulnerabilities and Tools Time
  4. Breaking Wireless
  5. Stealth Wireless Attacks
  6. Other Attack Vectors
  7. Layered Approach to Security
  8. Recommended Wireless Security Strategy
  9. Questions and Answers

About the Instructor

Richard Rushing is a recognized IT security expert with 20 years experience as a system analyst, engineer, consultant and architect. Richard has set security standards and policies for entire organizations and taught workshops on IDS, Security Protocols, and Network Security. Richard was most recently Chief Technical Officer of VeriSign's Network Security Services division where he identified and developed products and services to maintain VeriSign's focus on leading-edge security solutions. A much-in-demand speaker on information security, Richard has presented at leading security conferences, including Networld+Interop, RSA, Computer Security Institute, SANS Security Conferences, InfoSec and CyberTerrorism.

Tutorial F6

Using the Certification and Accreditation Process to Manage Enterprise Risk
Speaker: Dr. Ron Ross, National Institute of Standards and Technology and Dr. Julie Meehan, Hatha Systems
Time: Friday 12/15/2006 Full-Day Tutorial

This tutorial provides an in depth look at the process of certification and accreditation of information systems as a critical activity in managing enterprise risk. The fundamental concepts of security certification and accreditation as described in NIST Special Publication 800-37 will be discussed in the context of an integrated risk management framework. The integrated risk framework includes the principal components of an enterprise information security program to include categorizing the information system according to system criticality/sensitivity, selecting appropriate security controls (i.e., safeguards and countermeasures) for the system, determining security control effectiveness, and determining residual risk to the enterprise's mission or business case. Each phase of the NIST four-phase certification and accreditation process will be described as well as the roles and responsibilities of individuals within the enterprise participating in the process. The tutorial also examines the U.S. Department of Defense approach to certification and accreditation. Upon completion of the tutorial, attendees will have a fundamental understanding of the major components of an information security program, how the certification and accreditation process fits into the program, and what types of information are required by authorizing officials to make credible risk-based decisions on whether to place information systems into operation or continue their operation.

Prerequisites: None.

High Level Outline

  1. Introduction
  2. The Fundamentals
  3. The NIST 800-37 C&A Process
  4. The Department of Defense C&A Process
  5. Summary

About the Instructor

Dr. Ron Ross is a senior computer scientist and information security researcher at the National Institute of Standards and Technology (NIST). His areas of specialization include security requirements definition, security testing and evaluation, and information assurance. Dr. Ross currently leads the Federal Information Security Management Act (FISMA) Implementation Project for NIST, which includes the development of key security standards and guidelines for the federal government, contractors supporting the federal government, and the critical information infrastructure. His recent publications include Federal Information Processing Standards (FIPS) Publication 199 (the security categorization standard), FIPS Publication 200 (the minimum security requirements standard), NIST Special Publication 800-53 (the security controls guideline), NIST Special Publication 800-53A (the security assessment guideline), and NIST Special Publication 800-37 (the system certification and accreditation guideline). Dr. Ross is also the principal architect of the risk management framework and nine-step process that integrates the suite of NIST security standards and guidelines into a comprehensive enterprise-wide information security program. Dr. Ross is a frequent speaker at public and private sector venues including federal agencies, state and local governments, and Fortune 500 companies. In addition to his responsibilities at NIST, Dr. Ross supports the U.S. State Department in the international outreach program for information security and critical infrastructure protection.

Dr. Ross previously served as the Director of the National Information Assurance Partnership, a joint activity of NIST and the National Security Agency. A graduate of the United States Military Academy at West Point, Dr. Ross served in a variety of leadership and technical positions during his twenty-year career in the United States Army. While assigned to the National Security Agency, he received the Scientific Achievement Award for his work on an inter-agency national security project and was awarded the Defense Superior Service Medal upon his departure from the agency. Dr. Ross is a two-time recipient of the Federal 100 award for his leadership and technical contributions to critical information security projects affecting the federal government. During his military career, Dr. Ross served as a White House aide and as a senior technical advisor to the Department of the Army. Dr. Ross is a graduate of the Program Management School at the Defense Systems Management College and holds both Masters and Ph.D. degrees in Computer Science from the United States Naval Postgraduate School.

Tutorial F7

Acquisition and Analysis of Large Scale Network Data V.3
Speaker: Dr. John McHugh, Dalhousie University
Time: Friday 12/15/2006 Full-Day Tutorial

Detecting malicious activity in network traffic is greatly complicated by the large amounts of noise, junk, and other questionable traffic that can serve as cover for these activities. With the advent of low cost mass storage devices and inexpensive computer memory, it has become possible to collect and analyze large amounts of network data covering periods of weeks, months, or even years. This tutorial will present techniques for collecting and analyzing such data, both from network flow data that can be obtained from many routers or derived from packet header data and directly from packet data such as that collected by TCPDump, Ethereal, and Network Observer. This version of the course will contain examples from publicly available packet data such as the Dartmouth Crawdad wireless data repository and will deal with issues such as the acquisition of data in IP-unstable environments such as those involving DHCP.

Because of the quantity of the data involved, we develop techniques, based on filtering of the recorded data stream, for identifying groups of source or destination addresses of interest and extracting the raw data associated with them. The address groups can be represented as sets or multisets (bags) and used to refine the analysis. For example, the set of addresses within a local network that appear as source addresses for outgoing traffic in a given time interval approximates the currently active population of the local network. These can be used to partition incoming traffic into that which might be legitimate and that which is probably not since it is not addressed to active systems. Further analysis of the questionable traffic develops smaller partitions that can be identified as scanners, DDoS backscatter, etc. based on flag combinations and packet statistics. Traffic to and from hosts whose sources appear in both partitions can be examined for evidence that its destinations in the active set have been compromised. The analysis can also be used to characterize normal traffic for a customer network and to serve as a basis for identifying anomalous traffic that may warrant further examination.

Prerequisites: General familiarity with IP network protocols. Elementary familiarity with simple statistical measures.

High Level Outline

  1. Introduction (45 Minutes)
  2. Data Collection (45 Minutes)
  3. The SiLKtools Analysis Suite (90 Minutes)
  4. Advanced Analysis (90 Minutes)
  5. Case studies (60 Minutes)
  6. General Questions and Discussion (30 minutes)

About the Instructor

Dr. John McHugh holds the Canada Research Chair in Privacy and Security at Dalhousie University in Halifax, NS where he leads the Privacy and Security Laboratory. Prior to joining Dalhousie, he was a senior member of the technical staff with the CERT Situational Awareness Team, where he did research in survivability, network security, and intrusion detection. Recently, he has been involved in the analysis of large scale network flow data. He was a professor and former chairman of the Computer Science Department at Portland State University in Portland, Oregon. His research interests include computer security, software engineering, and programming languages. He has previously taught at The University of North Carolina and at Duke University. He was the architect of the Gypsy code optimizer and the Gypsy Covert Channel Analysis tool. Dr. McHugh received his PhD degree in computer science from the University of Texas at Austin. He has a MS degree in computer science from the University of Maryland, and a BS degree in physics from Duke University.

Awards and Opportunities

Best Paper Award

An annual prize for the Outstanding Paper is based on both the written paper and the oral presentation at the conference. A plaque and honorarium will be presented to the winning author.

To determine the Outstanding Paper, a set of best paper candidates is selected based on the recommendation of the Program Committee. A subcommittee then attends the presentation of each candidate paper and meets to select the winning paper. If the timing of paper presentations permits, the award is announced at the next available opportunity during the conference.

Best Student Paper Award

The winner of the student paper award is selected by the Student Awards Committee in consultation with ACSA. The winning paper may have multiple authors but the primary content of the paper must have been developed by students; students must provide written confirmation to the Student Awards Chair that they meet this policy. A student is defined as anyone who has a current course load of at least 9 credit hours or equivalent as explained by the student or who is enrolled in a degree-granting program and is not employed in a professional capacity outside of the university more than 20 hours per week.

ACSA Conferenceship Program

ACSA offers a Conferenceship Program for selected students who need assistance to attend the Annual Computer Security Applications Conference. Conferenceships can be requested by any student and will be awarded to students that will get the most from ACSAC. However, conferenceship will be awarded first to students that are author of papers and that have a co-author also attending ACSAC. The conferenceship will cover registration, 4 nights at the conference hotel, and $400 (North America Student)/$700 (International Student). The amount above is to cover airline tickets and other expenses, and require a copy of the airline ticket receipt.

To be considered for the Conferenceship Program, please submit the following information to the Student Awards Chair at your name, your address, and the name of the institution at which you are a student; a list of applicable course work that you have completed or are currently enrolled in; your current grade point average; a short narrative discussing why you are interested in the security field, relevant areas of interest, the type of career you plan on pursuing, and two letters of recommendation from faculty. This material is typically due by October 1.

Works in Progress (WiP) Session

The Works In Progress (WIP) Session is intended as a forum to introduce new ideas, report on ongoing work that may or may not be complete, and to state positions on controversial issues or open problems. Additional submissions may be given to WiP Chair at or the Program Chair at

Conference Committee

  • Dan Thomsen, Cyber Defense Agency, LLC (Conference Chair)
  • Christoph Schuba, Linköpings University (Program Chair)

  • Rafae Bhatti, IBM Almaden Research Center (Site Arrangements Co-Chair)
  • Laura Corriss, Barry University (Site Arrangements)
  • Dan Faigin, The Aerospace Corporation (Tutorials Chair)
  • Arthur Friedman, OASD(NII)/DoD CIO (Registration)
  • Carrie Gates, CA Labs (Publicity)
  • Tom Haigh, Cyber Defense Agency, LLC (Guest Speaker Liaison)
  • Noel Hardy, Aspect Security (Recording Secretary)
  • Tracy Hawkins, NSA (Registration)
  • Paul Jardetzky, Network Applicances, Inc. (Panel Chair)
  • Jay Kahn, The MITRE Corporation (Distribution Chair)
  • Charles Payne, Adventium Labs (Program Co-Chair)
  • Steven Rome, Booz Allen Hamilton, Inc. (Case Studies)
  • Harvey H. Rubinovitz, The MITRE Corporation (Workshop Chair)
  • Pierangela Samarati, Università degli Studi di Milano (Program Co-Chair)
  • Andre dos Santos, University of Puerto Rico at Mayagüez (Student Awards Chair)
  • Ed Schneider, Institute for Defense Analysis (Treasurer)
  • Linda Schliper, Trusted Computer Solutions Mailing Lists)
  • Cristina Serban, AT&T (Works in Progress Chair)
  • Rick Smith, University of St. Thomas, Minnesota (Publicity)
  • Robert H'obbes' Zakon, Zakon Group LLC (Web Advisor)

Program Committee

  • Christoph Schuba (PC Chair), Linköpings University
  • Charles Payne (PC Co-Chair), Adventium Labs
  • Pierangela Samarati (PC Co-Chair), Università degli Studi di Milano

  • Tuomas Aura, Microsoft Research, UK
  • Lujo Bauer, Carnegie Mellon University
  • Terry Benzel, USC - ISI
  • Konstantin Beznosov, University of British Columbia
  • Rafae Bhatti, Florida International University
  • Marc Dacier, Eurecom Institute
  • Carrie Gates, CA Labs
  • Dieter Gollmann, Hamburg University of Technology
  • Wesley Higaki, Symantec Corporation
  • Cynthia Irvine, Naval Postgraduate School
  • Paul Jardetzky, Network Applicances, Inc.
  • Jan Jürjens, TU München
  • Myong Kang, Naval Research Laboratory
  • James Kempf, DoCoMo Labs USA
  • Angelos Keromytis, Columbia University
  • Carl Landwehr, University of Maryland
  • Peng Liu, Pennsylvania State University
  • Javier Lopez, University of Malaga
  • Bryan Lyles, Telcordia Technologies
  • Patrick McDaniel, Pennsylvania State University
  • John McDermott, Naval Research Laboratory
  • Joon Park, Syracuse University
  • Anoop Singhal, National Institute for Standards and Technology
  • Andre Dos Santos, University of Puerto Rico at Mayagüez
  • Giovanni Vigna, University of California Santa Barbara
  • Simon Wiseman, QinetiQ
  • Diego Zamboni, IBM Zürich Research Laboratory

ACSAC Steering Committee

  • Marshall Abrams, The MITRE Corporation
  • Jeremy Epstein, webMethods, Inc.
  • Daniel Faigin, The Aerospace Corporation
  • Steve Rome, Booz Allen Hamilton
  • Ron Ross, National Institute of Standards
  • Ravi Sandhu, George Mason University
  • Christoph Schuba, Linköpings University
  • Ann Marmor-Squires, The Sq Group
  • Dan Thomsen, Cyber Defense Agency, LLC


  • Marshall Abrams, The MITRE Corporation (ACSA Chair & Treasurer)
  • Jeremy Epstein, webMethods, Inc. (ACSA Vice President)
  • Daniel Faigin, The Aerospace Corporation (ACSA Secretary)
  • Steven Greenwald, Independent Consultant
  • Steve Rome, Booz Allen Hamilton (ACSA President)
  • Harvey Rubinovitz, The MITRE Corporation, (ACSA Assistant Treasurer)
  • Ann Marmor-Squires, The Sq Group (Chair Emerita)
  • Mary Ellen Zurko, IBM Corporation

About the Sponsor


ACSA had its genesis in the first Aerospace Computer Security Applications Conference in 1985. That conference was a success and evolved into the Annual Computer Security Applications Conference (ACSAC). ACSA was incorporated in 1987 as a non-profit association of computer security professionals who have a common goal of improving the understanding, theory, and practice of computer security. ACSA continues to be the primary sponsor of the annual conference.

In 1989, ACSA began the Distinguished Practitioner Series at the annual conference. Each year, an outstanding computer security professional is invited to present a lecture of current topical interest to the security community.

In 1991, ACSAC began the Best Paper by a Student Award, presented at the Annual conference. This award is intended to encourage active student participation in the conference. The award winning student author receives an honorarium and all conference expenses. Additionally, our Student Conferenceship program assists selected students in attending the Conference by paying for the conference fee and tutorial expenses. Applicants must be undergraduate or graduate students, nominated by a faculty member at an accredited university or school, and show the need for financial assistance to attend this conference.

An annual prize for the Outstanding Paper has been established for the Annual Computer Security Applications Conference. The winning author receives a plaque and an honorarium. The award is based on both the written and oral presentations.

ACSA initiated the Marshall D. Abrams Invited Essay in 2000 to stimulate development of provocative and stimulating reading material for students of Information Security, thereby forming a set of Invited Essays. Each year's Invited Essay addresses an important topic in Information Security not adequately covered by the existing literature.

This year’s ACSAC continues the Classic Papers feature begun in 2001. The classic papers are updates of some of the seminal works in the field of Information Security that reflect developments in the research community and industry since their original publication. ACSA continues to be committed to serving the security community by finding additional approaches for encouraging and facilitating dialogue and technical interchange. In the past, ACSA has sponsored small workshops to explore various topics in Computer Security (in 2000, the Workshop on Innovations in Strong Access Control; in 2001, the Workshop on Information Security System Rating and Ranking; in 2002, the Workshop on Application of Engineering Principles to System Security Design). In 2003, ACSA became the sponsor of the already established New Security Paradigms Workshop (NSPW). ACSA also maintains a Classic Papers Bookshelf that preserves seminal works in the field and a web site focusing on Strong Access Control/Multi-Level Security (

For more information on ACSA and its activities, please visit ACSA is always interested in suggestions from interested professionals and computer security professional organizations on other ways to achieve its objectives of encouraging and facilitating dialogue and technical interchange.

To learn more about the conference, visit the ACSAC web page at

To be added to the Conference Mailing List, visit us on the World Wide Web at

For questions, contact the committee members using the following E-mail addresses:

ACSAC wishes to thank ATSEC for being an ACSAC Platinum sponsor.


Revision: r1.9 - 27 Sep 2006