Fraunhofer FKIE GI Gesellschaft für Informatik
			e.V. University of Bonn
  In technical co-operation with
Technical Committee on Security and Privacy

Seventh Conference on
Detection of Intrusions and Malware & Vulnerability Assessment

DIMVA 2010

July 8-9th, 2010
Bonn, Germany
DIMVA 2009 Conference of SIG SIDAR
of the German Informatics Society (GI).
in conjunction with SPRING5
Gold Sponsor:
Media Partner:
Submission guidelines Call for Participation Committees
Travel information Conference program Registration

Conference Program

8th July (Thursday)
8:30    Registration
9:00    Welcome
9:00    Opening Remarks
Peter Martini, Marko Jahnke
slides PDF paper pictures
09:15    Keynote: "Trends in Malevolence", José Nazario, Arbor Networks
Abstract: This talk will explore the past, present, and future of Internet security, specifically the rise of the criminal online underworld. Our current situation of botnets for financial gain, rogue ISPs who support these attacks, spam, malware explosions, and the like are due to the past decade of tactical efforts. Understanding these "megatrends" is key to anticipating what will happen next and what kinds of technical - and policy - preparations we should make.
Biography: Dr. José Nazario is the senior manager of security research at Arbor Networks. In this capacity, he is responsible for analyzing burgeoning Internet security threats, reverse engineering malicious code, software development, developing security mechanisms that are then distributed to Arbor's Peakflow platforms via the Active Threat Feed (ATF) threat detection service. Dr. Nazario's research interests include large-scale Internet trends such as reachability and topology measurement, Internet-scale events such as DDoS attacks, botnets and worms, source code analysis tools, and data mining. He is the author of the books "Defense and Detection Strategies against Internet Worms" and "Secure Architectures with OpenBSD." He earned a Ph.D. in biochemistry from Case Western Reserve University in 2002. Prior to joining Arbor Networks, he was an independent security consultant. Dr. Nazario regularly speaks at conferences worldwide, with past presentations at CanSecWest, PacSec, Blackhat, and NANOG. He also maintains, a site devoted to studying worm detection and defense research.
slides pictures
10:30    Coffee Break
11:00    Session: Host Security
Session chair: Christian Kreibich
11:00    HookScout: Proactive Binary-Centric Hook Detection
Heng Yin, Pongsin Poosankam, Steve Hanna and Dawn Song
slides PDF paper pictures
11:30    Conqueror: Tamper-proof Code Execution on Legacy Systems
Lorenzo Martignoni, Roberto Paleari and Danilo Bruschi
slides PDF paper pictures
12:00    dAnubis - Dynamic Device Driver Analysis Based on Virtual Machine Introspection
Matthias Neugschwandtner, Christian Platzer, Paolo Milani Comparetti and Ulrich Bayer
slides PDF paper pictures
12:30    Lunch
13:30    Invited Talk: "Modern Spammer Infrastructure", Carel van Straaten, Spamhaus
Abstract: Modern spammer operations are run on a highly professional level. Knowing that their business is constantly threatened on several levels, some spammer operations go to extraordinary lengths to ensure success. This starts with making sure that enough machines get infected to act as senders in a botnet. Fresh domains are bought daily and spread over multiple registrars while the DNS is hosted in separate networks. Reverse web proxies make sure that the online store is available and at the same time untouchable. A high-risk payment service provider completes the picture and makes sure the money ends up with the online criminals. In this talk we explore the measures taken by spammers to run - and keep running - a large modern spamming operation, including the technology used, how it is set up and maintained, what is done to ensure uptime and robustness, and what weak points can be found and maybe even exploited. We will look at some of the trends we see in infrastructure use and abuse, and investigates the questions of what can the community do to fight the problem and on what we should we focus today to solve the problems of tomorrow.
Biography: Carel van Straaten is an investigator at The Spamhaus Project, where he finds out what makes the spammers' infrastructure tick - and makes sure it stops ticking. Spamhaus is an international non-profit organization based in the UK whose mission is to track the Internet's Spam Gangs, to provide dependable real-time anti-spam protection for Internet networks, and to work with law enforcement agencies to identify and pursue spammers worldwide.
slides pictures
14:45    Session: Trends
Session chair: Sven Dietrich
14:45    Evaluating Bluetooth as a Medium for Botnet Command and Control
Kapil Singh, Samrit Sangal, Nehil Jain, Patrick Traynor and Wenke Lee
PDF paper pictures
15:10    Take a Deep Breath: a Stealthy, Resilient and Cost-Effective Botnet Using Skype
Antonio Nappa, Aristide Fattori, Marco Balduzzi, Matteo Dell'Amico and Lorenzo Cavallaro
slides PDF paper pictures
15:35    Covertly Probing Underground Economy Marketplaces
Hanno Fallmann, Gilbert Wondracek and Christian Platzer
slides PDF paper pictures
16:00    Coffee break
16:15    Session: Vulnerabilities
Session chair: Michael Meier
16:15    Why Johnny Can't Pentest: An Analysis of Black-box Web Vulnerability Scanners
Adam Doupe, Marco Cova and Giovanni Vigna
slides PDF paper pictures
16:45    Organizing Large Scale Hacking Competitions
Nick Childers, Bryce Boe, Lorenzo Cavallaro, Ludovico Cavedon, Marco Cova, Manuel Egele and Giovanni Vigna
slides PDF paper pictures
17:15    Meeting of GI SIG SIDAR (open for all interested attendees)
17:15    Invited Talk: Quo vadis, Sicherheitsausbildung
Martin Mink
slides pictures


9th July (Friday)
09:00    Invited Talk: "TRIAGE: the WOMBAT attack attribution approach", Marc Dacier, Symantec/Eurecom
Abstract: In network traffic monitoring, and more particularly in the realm of threat intelligence, the problem of "attack attribution" refers to the process of actively attributing new attack events to (un)-known phenomena, based on some evidence or traces left on one or several monitoring platforms. Real-world attack phenomena are often largely distributed on the Internet, or can sometimes evolve quite rapidly. This makes them inherently complex and thus difficult to analyze. In general, the person in charge must consider many different attack features (or criteria) in order to decide about the plausible root cause of a given attack, or to attribute it to some given phenomenon. In this talk, we introduce a global analysis method, named TRIAGE, that aims at addressing this problem in a systematic way. TRIAGE has been developed in the context of the European funded WOMBAT project; In this talk, we will introduce the concepts of attack attribution, its intrinsic complexity, explain the TRIAGE method and will demonstrate its usefulness thanks to recent results obtained with practical, real life data sets.
Biography: Dr. Marc Dacier is an internationally recognized expert in computer security. At Symantec, Dr. Dacier is responsible for the Collaborative Advanced Research department, whose members are located in Europe (France and Ireland) and in the United States (Washington, D.C. and Los Angeles). Before joining Symantec, Marc taught at Eurecom, one of Europe's most active academic research institutions in the field of computer security. Previously, he was the manager of the Global Security Analysis Lab at IBM Zurich Research Laboratory. Marc has served in more than 60 program committees of major security conferences and was on the editorial board of several technical journals.
10:15    Coffee Break
10:45    Session: Intrusion Detection
Session chair: Robin Sommer
10:45    An Online Adaptive Approach to Alert Correlation
Hanli Ren, Natalia Stakhanova and Ali Ghorbani
slides PDF paper pictures
11:15    KIDS - Keyed Intrusion Detection System
Sasa Mrdovic
slides PDF paper pictures
11:45    Rump Session
Session Chair: Sven Dietrich
12:30    Lunch
13:30    Web Security
Session Chair: Herbert Bos
13:30    Modeling and Containment of Search Worms Targeting Web Applications
Jingyu Hua and Kouichi Sakurai
slides PDF paper pictures
14:00    HProxy: Client-side detection of SSL stripping attacks
Nick Nikiforakis, Yves Younan and Wouter Joosen
slides PDF paper pictures
14:30    Concluding Remarks
slides pictures

Proceedings available from Springer Verlag in the LNCS series Springer LNCS