{"title":"Progress Toward Securing the Routing Infrastructure","authors":"S. Murphy, Samuel Weiler","doi":"10.1109/CATCH.2009.41","DOIUrl":"https://doi.org/10.1109/CATCH.2009.41","url":null,"abstract":"After more than a decade of proposals to secure inter-domain routing, the Internet Engineering Task Force (IETF) has undertaken work in the last two years to secure the origination of a route to a block of IP addresses, which is the foundation of inter-domain routing. This paper discusses the decisions taken in that work, as well as discussion of incremental deployment and remaining issues still under debate.","PeriodicalId":130933,"journal":{"name":"2009 Cybersecurity Applications & Technology Conference for Homeland Security","volume":"42 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2009-03-03","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"115507106","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Static Analysis of Software Executables","authors":"David Melski, T. Teitelbaum, T. Reps","doi":"10.1109/CATCH.2009.42","DOIUrl":"https://doi.org/10.1109/CATCH.2009.42","url":null,"abstract":"In recent years, there has been a growing need for tools that an analyst can use to understand the workings of COTS software as well as malicious code. Static analysis provides techniques that can help with such problems; however, there are several obstacles that must be overcome, including the absence of source code and the difficulty of analyzing machine code. We have created CodeSurfer/x86, a prototype tool for browsing, inspecting, and analyzing x86 executables. From an x86 executable, CodeSurfer/x86 recovers intermediate representations that are similar to what would be created by a compiler for a program written in a high-level language. These facilities provide a platform for the development of additional tools for analyzing the security properties of executables. CodeSurfer/x86 analyses are automatically generated from a formal specification of the x86 instruction semantics. This makes the analyses more accurate and robust, and makes it easier to retarget the tool to analyze executables for other platforms besides x86.","PeriodicalId":130933,"journal":{"name":"2009 Cybersecurity Applications & Technology Conference for Homeland Security","volume":"9 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2009-03-03","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"129208315","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Trusted Distributed Repository of Internet Usage Data for Use in Cyber Security Research","authors":"C. Scheper, S. Cantor, Renee Karlsen","doi":"10.1109/CATCH.2009.13","DOIUrl":"https://doi.org/10.1109/CATCH.2009.13","url":null,"abstract":"This paper discusses the Protected Repository for the Defense of Infrastructure against Cyber Threats (PREDICT), which has been established to create a trusted framework for sharing data for research and testing. By facilitating data sharing within the research community, PREDICT seeks to accelerate the creation of cyber security solutions that support effective threat assessment and increase cyber security capabilities.","PeriodicalId":130933,"journal":{"name":"2009 Cybersecurity Applications & Technology Conference for Homeland Security","volume":"137 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2009-03-03","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"124666863","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"A Combined Fusion and Data Mining Framework for the Detection of Botnets","authors":"A. Kiayias, Justin Neumann, D. Walluck, Owen McCusker","doi":"10.1109/CATCH.2009.9","DOIUrl":"https://doi.org/10.1109/CATCH.2009.9","url":null,"abstract":"This paper describes a combined fusion and mining framework applied to the detection of stealthy botnets. The framework leverages a fusion engine that tracks hosts through the use of feature-based profiles generated from multiple network sensor types. These profiles are classified and correlated based on a set of known host profiles, e.g., web servers, mail servers, and bot behavioral characteristics. A mining engine discovers emergent threat profiles and delivers them to the fusion engine for processing. We describe the distributed nature of botnets and how they are created and managed. We then describe a combined fusion and mining model that builds on recent work in the cybersecurity domain. The framework we present employs an adaptive fusion system driven by a mining system focused on the discovery of new threats. We conclude with a discussion of experimental results, deployment issues, and a summary of our arguments.","PeriodicalId":130933,"journal":{"name":"2009 Cybersecurity Applications & Technology Conference for Homeland Security","volume":"6 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2009-03-03","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"130797025","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"BGP Routing Integrity Checker and Prefix-List Filter Generation Tool","authors":"R. Stapleton-Gray","doi":"10.1109/CATCH.2009.15","DOIUrl":"https://doi.org/10.1109/CATCH.2009.15","url":null,"abstract":"ISPs receive requests from their customers to advertise BGP prefixes on behalf of those customers; analyzing requests to flag incorrect prefixes imposes a significant burden on ISPs, who require a tool to perform “sanity checks” on such requests. Packet Clearing House was asked to develop such a tool, and the initial implementation, released in January 2007, is now being re-engineered to add capabilities and capacity.","PeriodicalId":130933,"journal":{"name":"2009 Cybersecurity Applications & Technology Conference for Homeland Security","volume":"62 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2009-03-03","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"114194966","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"The Cyber Scenario Modeling and Reporting Tool (CyberSMART)","authors":"J. Marshall","doi":"10.1109/CATCH.2009.46","DOIUrl":"https://doi.org/10.1109/CATCH.2009.46","url":null,"abstract":"This paper introduces the CyberSMART software tool for use in cyber incident preparedness exercises. CyberSMART provides the cyber exercise community with a web-based tool for gathering data from numerous sources and for effectively using that data to plan complex functional and tabletop exercises. This work was supported by the United States Department of Homeland Security, Science and Technology Directorate under contract number NBCHC060088, in partnership with the National Cyber Security Division.","PeriodicalId":130933,"journal":{"name":"2009 Cybersecurity Applications & Technology Conference for Homeland Security","volume":"13 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2009-03-03","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"123370949","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"The PhishBouncer Experience","authors":"P. Pal, M. Atighetchi","doi":"10.1109/CATCH.2009.12","DOIUrl":"https://doi.org/10.1109/CATCH.2009.12","url":null,"abstract":"This extended abstract summarizes the technical results developed under the PhishBouncer project (October 2005 to May 2007), where the authors collaborated with researchers from Symantec Research Lab (SRL). The goal of this project was to develop middleware-based technology to defend unsuspecting users against Phishing attacks. More specifically, the project explored mechanisms to intercept and inspect HTTP and HTTPS traffic to detect and block interaction with Phish sites, and mechanisms for quickly disseminating the Phishing URL. A part of the work started in this project has continued at SRL under separate funding; that aspect of the work is kept out of scope of this paper. The project started out by conceiving a total anti-Phishing solution package, but made technical advances in a number of its separate aspects, such as smart proxy insertion and rapid update dissemination, which transcend the specific problem space.","PeriodicalId":130933,"journal":{"name":"2009 Cybersecurity Applications & Technology Conference for Homeland Security","volume":"37 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2009-03-03","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"127258518","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Incrementally-Deployable Security for Interdomain Routing","authors":"J. Rexford, J. Feigenbaum","doi":"10.1109/CATCH.2009.35","DOIUrl":"https://doi.org/10.1109/CATCH.2009.35","url":null,"abstract":"The Internet’s interdomain-routing system is extremely vulnerable to accidental failure, configuration errors, and malicious attack. Any successful approach to improving interdomain-routing security must satisfy two requirements for incremental deployability: backwards compatibility with the existing routing protocol and installed base of routers and incentive compatibility with the desire of each domain to improve its part of the routing system even if other domains have not taken similar steps. We propose an incrementally deployable approach based on a Routing Control Platform (RCP) that makes routing decisions on behalf of the routers in a domain, without requiring changes to the routers or protocols. The RCP runs anomaly-detection algorithms that identify, and avoid, suspicious routes, allowing a domain (or a small group of cooperating domains) to significantly improve interdomain routing security.","PeriodicalId":130933,"journal":{"name":"2009 Cybersecurity Applications & Technology Conference for Homeland Security","volume":"26 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2009-03-03","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"128101633","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"How to Test DoS Defenses","authors":"J. Mirkovic, S. Fahmy, P. Reiher, Roshan K. Thomas","doi":"10.1109/CATCH.2009.23","DOIUrl":"https://doi.org/10.1109/CATCH.2009.23","url":null,"abstract":"DoS defense evaluation methods influence how well test results predict performance in real deployment. This paper surveys existing approaches and criticizes their simplicity and the lack of realism. We summarize our work on improving DoS evaluation via development of standardized benchmarks and performance metrics. We end with guidelines on efficiently improving DoS evaluation, in the short and in the long term.","PeriodicalId":130933,"journal":{"name":"2009 Cybersecurity Applications & Technology Conference for Homeland Security","volume":"453 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2009-03-03","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"115833233","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Effective Flow Filtering for Botnet Search Space Reduction","authors":"R. Walsh, D. Lapsley, W. Strayer","doi":"10.1109/CATCH.2009.22","DOIUrl":"https://doi.org/10.1109/CATCH.2009.22","url":null,"abstract":"The use of sophisticated techniques is essential to detect and identify the presence of botnet flows, but these techniques can be expensive in computational and memory resources. A critical first pass is to filter out all traffic that is highly unlikely to be part of a botnet, allowing the more complex algorithms to run over a much smaller set of flows. This paper presents our studies and experience in filtering flows to reduce the botnet search space, and shows that a series of simple filters can provide as much as a 37-fold reduction in the flow set.","PeriodicalId":130933,"journal":{"name":"2009 Cybersecurity Applications & Technology Conference for Homeland Security","volume":"155 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2009-03-03","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"127576350","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}