Sixth Conference on
Detection of Intrusions and Malware & Vulnerability Assessment

DIMVA 2009

July 9-10 2009
Milan, Italy
Conference of SIG SIDAR
of the German Informatics Society (GI).



DIMVA 2009: Program

9th July (Thursday)
8:30    Registration
9:00    Welcome
9:00    Opening Remarks
Danilo Bruschi and Ulrich Flegel
9:15    Session: Malware and SPAM
Chair: Toralv Dirro, McAfee Avert Labs
9:15    A Case Study on Asprox Infection Dynamics
Youngsang Shin, Steven Myers, Minaxi Gupta
Indiana University
9:45    How good are malware detectors at remediating infected systems?
Emanuele Passerini, Roberto Paleari, Lorenzo Martignoni
Università degli Studi di Milano
10:15    Towards Proactive Spam Filtering
Jan Göbel, Thorsten Holz, Philipp Trinius
University of Mannheim
10:45    Coffee Break
11:15    Session: Emulation-based Detection
Chair: Peter Szor, Symantec Corporation
11:15    Shepherding Loadable Kernel Module through On-demand Emulation
Chaoting Xuan (1), John Copeland (1), Raheem Beyah (2)
(1) Georgia Institute of Technology; (2) Department of Computer Science, Georgia State University
11:45    Yataglass: Network-level Code Emulation for Analyzing Memory-scanning Attacks
Makoto Shimamura and Kenji Kono
Keio University
12:15    Defending Browsers against Drive-by Downloads: Mitigating Heap-spraying Code Injection Attacks
Manuel Egele (1), Peter Wurzinger (1), Christopher Kruegel (2), Engin Kirda (3)
(1) Technical University Vienna, Austria; (2) University of California, Santa Barbara; (3) Institute Eurecom, France
12:45    Lunch
14:00    Keynote: "How to Steal a Botnet and What Can Happen When You Do", Richard Kemmerer, University of California, Santa Barbara
Chair: Ulrich Flegel, SAP Research
Abstract: Botnets, which are networks of malware-infected machines that are controlled by an adversary, are the root cause of a large number of security threats on the Internet. A particularly sophisticated and insidious type of bot is Torpig, which is a malware program that is designed to harvest sensitive information (such as bank account and credit card data) from its victims. In this talk, we report on our efforts to take control of the Torpig botnet for ten days. Over this period, we observed more than 180 thousand infections and recorded more than 70 GB of data that the bots collected.
While botnets have been hijacked before, the Torpig botnet exhibits certain properties that make the analysis of the data particularly interesting. First, it is possible (with reasonable accuracy) to identify unique bot infections and relate that number to the more than 1.2 million IP addresses that contacted our command and control server during the ten day period. This shows that botnet estimates that are based on IP addresses are likely to report inflated numbers. Second, the Torpig botnet is large, targets a variety of applications, and gathers a rich and diverse set of information from the infected victims. This allowed us to perform interesting data analysis that goes well beyond simply counting the number of stolen credit cards. In this talk we will discuss the analysis that we performed on the data collected and the lessons learned from the analysis, as well as the process of obtaining (and losing) the botnet.
15:15    Coffee Break
15:45    Session: Software Diversity
Chair: John McHugh, University of North Carolina and Dalhousie University Halifax
15:45    Polymorphing Software by Randomizing Data Structure Layout
Zhiqiang Lin, Ryan Riley, Dongyan Xu
Purdue University
16:15    On the Effectiveness of Software Diversity: A Systematic Study on Real-World Vulnerabilities
Jin Han, Debin Gao, Robert H. Deng
Singapore Management University
16:45    SIG SIDAR Open Meeting
Chair: Michael Meier, Technical University of Dortmund
Co-Chair: Thorsten Holz, University of Mannheim


10th July (Friday)
8:30    Registration
9:00    Keynote: "A New Era in Security Collaboration: Turning the Tables on Botnets", Henry Stern, Cisco IronPort Systems LLC
Chair: Danilo Bruschi, Università degli Studi di Milano
Abstract: Dropping packets is one of the easiest and most effective methods of mitigating the effects of a network attack from a known source. Without any third-party information, it is next to impossible to apply this defense against a botnet-based attacker. A large number of hosts, each initiating a very small number of attacks, has the potential to cause a significant amount of damage in aggregate.
For the past several years, the botnet-based attacker has held the upper hand against defenders working in isolation. While the size of a botnet population is very large, the population of defenders that they attempt to attack is significantly larger. Network defenders need to share data about attacks with one another to turn the tables on the botnet-based attackers.
Cisco's latest Intrusion Prevention System (IPS) software release, IPS 7.0, adds Global Threat Correlation. This allows all 200000 deployed IPS sensors to optionally share their security event data with Cisco Security Intelligence Operations (CSIO). CSIO correlates this attack data and pushes actionable information back to the deployed IPS sensors, allowing them to effectively block botnet-based attacks.
We will offer an in-depth look at the implementation of Cisco's Global Threat Correlation technology with a focus on how Cisco has solved many of the scalability issues associated with aggregating data on this scale. We will conclude with a discussion of many of the open research issues in security event aggregation.
10:15    Coffee Break
10:45    Session: Harnessing Context
Chair: Engin Kirda, Eurécom
10:45    Using Contextual Information for IDS Alarm Classification
Francois Gagnon (1), Frédéric Massicotte (2), Babak Esfandiari (1)
(1) Carleton University; (2) CRC
11:15    Browser Fingerprinting from Coarse Traffic Summaries: Techniques and Implications
Ting-Fang Yen (1), Xin Huang (2), Fabian Monrose (2), Michael K. Reiter (2)
(1) Carnegie Mellon University; (2) University of North Carolina at Chapel Hill
11:45    A Service Dependency Modeling Framework for Policy-based Response Enforcement
Nizar Kheir (1), Hervé Debar (1), Jouni Viinikka (1), Nora Cuppens-Boulahia (2), Frédéric Cuppens (2)
(1) Orange; (2) Telecom-Bretagne
12:15    Lunch
13:30    Rump Session
Chair: Sven Dietrich, Stevens Institute of Technology
13:30    Visualization of Malware Behavior
Philipp Trinius
13:45    Are botnets used to run phishing over the phone?
Federico Maggi
13:50    Automatically Generating Models for Botnet Detection
Peter Würzinger
14:00    Tracking Intelligence Project
Angelo Dell'Aera
14:10    Browser SSL-Fingerprinting
Christian Bockermann
14:15    Bypassing Kernel-Integrity Protection Mechanisms
Thorsten Holz
14:30    Coffee Break
15:00    Session: Anomaly Detection
Chair: Pavel Laskov, University of Tübingen
15:00    Learning SQL for Database Intrusion Detection using Context-Sensitive Modelling
Christian Bockermann, Martin Apel, Michael Meier
Technical University of Dortmund
15:30    Selecting and Improving System Call Models for Anomaly Detection
Alessandro Frossi, Federico Maggi, Gian Luigi Rizzo, Stefano Zanero
Politecnico di Milano
16:00    CIPHER 5 Capture the Flag
Chair: Lexi Pimenidis, iDev GmbH
16:00    Results and Winner
16:30    Farewell
16:30    Concluding Remarks
Ulrich Flegel and Michael Meier