GTISC Security Reading Group

GTISC Security Reading Group

Fall 2007

Georgia Tech

Note: The SRG website has been moved to a new place http://research.gtisc.gatech.edu/srg/. (since March 2008)

Overview

Location: Klaus 3402
Time: 1-3pm Every Friday
Website: http://www.cc.gatech.edu/~guofei/srg/
Swiki: http://swiki.cc.gatech.edu:8080/srg/
Maillist: https://mailman.cc.gatech.edu/mailman/listinfo/security-reading-group (Lab member only or by reference)

The GTISC Security Reading Group is a weekly informal seminar for discussing research papers, emerging problems, interesting issues in computer and network security (our main purpose). We need criticize, discuss/brainstorm, in purpose of producing new idea. This is also a stage for individual presentations of current research efforts, trying to get response/comment/criticism.

Currently, it starts as an informal discussion forum and lunch meeting for (and only for) GTISC lab students. This seminar is supervised by professors Wenke Lee, maintained by Guofei Gu. We greatfuly thank Prof. Lee for his generous support for the lunch.

Drop me a line if you have any comments (guofei AT cc.gatech.edu)!

Requirement of Engagement

Everybody is required to read the paper before the seminar, otherwise you will not benefit from the discussion/brainstorming. We are a reading group, and the focus is on the "discussion", not the presentation. The presentation should take less time.
We pick one person we call the moderator for every seminar. The moderator is responsible for:
- Writing a short "draft" summary and slides of the paper before the seminar. The summary should at least include:
  - Problem domain: background, motivation, why this problem is important/novel/interesting
  - Idea of the paper: assumption, main technique, result
  - Comparison with related work (Related work should be in detail in this topic/area, so that later we can use this if writing a relevant paper)
  - Possible future work/direction
  - Pros, cons of the paper (your conclusion)
  - What can we do based on this work: lesson learned from this work? stimulate new related problem? flawed assumption/technique can be improved/extended? technique can be used to other (maybe your own dedicated) domain to solve other problem? what extention can we do for further work? ...
- Reading/Presenting the draft summary during the first 20 minutes of the seminar,
- Preparing a list of 10-15 discussion questions, usually questioning the assumptions and critically evaluating the paper,
- Steering the discussion,
- Incorporating user comments into the draft summary, and
- Sending the final summary to Guofei at most within a week of the seminar.
We also have two people, each prepares a list of pros and cons about the paper and presents it after the summary is read out by the moderator. Everybody moderates at least once and does a few pros or cons.
Everyone should give a final review score on the paper at the end of discussion, roughly, strong accept, weak accept, weak reject or strong reject (as if you are the reviewer). The reviews will be collected by moderator and written into final summary.
Papers are selected based on members' suggestions and discussion.
- The aim is to try to select recent security papers from quality conferences or journals (mainly Oakland, CCS, USENIX, NDSS, RAID, ESORICS, CSFW, ACSAC, SIGCOMM, SOSP, OSDI, Crypto, EuroCrypto, etc, there are some links on my personal website).
- Make sure you check the list of papers that were already presented before you pick your paper.
- The paper for discussion with all relevant info (including the URL and a justification for choosing the paper) should be posted no later than 7 days before the seminar.

Schedule

Paper reading list http://swiki.cc.gatech.edu:8080/srg/

Fall 2007
Date	Moderator	Paper	Pros/Cons	Summary
8/24	Guofei	botnet research
8/31	Roberto	Learning to Detect and Classify Malicious Executables in the Wild. J. Zico Kolter, Marcus A. Maloof. JMLR, Special Issue on Machine Learning for Computer Security, 2006. Malware Analysis through Statistical Classification of Executables
9/7	Andrea, Bryan	Exploring Multiple Execution Paths for Malware Analysis. Andreas Moser, Christopher Kruegel and Engin Kirda. Oakland'07. SecVisor: A Tiny Hypervisor to Provide Lifetime Kernel Code Integrity for Commodity OSes. Seshadri et al. SOSP 2007
9/14	Monirul	malware research
9/21	Long	Automated Classification and Analysis of Internet Malware. M.Bailey et al. RAID'07.
9/28	Artem, Kapil	The Ghost In The Browser, Analysis of Web-based Malware. N. Provos et al. HotBots'07. Botnet research
10/5	Manos	On Attack Causality in Internet-Connected Cellular Networks Patrick Traynor, Patrick McDaniel, and Thomas La Porta. Security'07
10/12	Abhinav, Artem	Dynamic Spyware Analysis. Manuel Egele, Christopher Kruegel, Engin Kirda, Heng Yin, and Dawn Song. Usenix Annual Technical Conference 2007.
10/19	Matim, Kapil	Automated Detection of Persistent Kernel Control-Flow Attacks. Nick L. Petroni, Jr. and Michael Hicks. CCS'07 Protomatching Network Traffic for High Throughput Network Intrusion Detection. Shai Rubin, Somesh Jha, and Barton P. Miller. CCS'06
10/26	Ikpeme, Bryan	ShieldGen: Automatic Data Patch Generation for Unknown Vulnerabilities with Informed Probing. Weidong Cui, Marcus Peinado, Helen J. Wang and Michael Locasto. Okaland'07 VM research
11/2	Junjie, Diane	Panorama: Capturing System-wide Information Flow for Malware Detection and Analysis.Heng Yin, Dawn Song, Manuel Egele, Christopher Kruegel, and Engin Kirda. CCS'07. SpyProxy: Execution-based Detection of Malicious Web Content. Alexander Moshchuk, Tanya Bragin, Damien Deville, Steven D. Gribble, and Henry M. Levy, USENIX Security'07
11/9	Daniel, Ying	Protecting Browsers from DNS Rebinding Attacks. Collin Jackson, Adam Barth, Andrew Bortz, Weidong Shao and Dan Boneh. CCS'07 Stealthy Malware Detection Through VMM-Based "Out-of-the-Box" Semantic View Reconstruction. Xuxian Jiang, Dongyan Xu and Xinyuan Wang.CCS'07
11/16	Martim, Manos	Oslo: Improving the security of trusted computing. Bernhard Kauer. USENIX Security'07 HookFinder: Identifying and Understanding Malware Hooking Behaviors. Heng Yin, Zhenkai Liang and Dawn Song. NDSS 2008
11/23		Thanksgiving!
11/30	Abhinav, Junjie	A Forced Sampled Execution Approach to Kernel Rootkit Identiﬁcation. Jeffrey Wilhelm Tzi-cker Chiueh. RAID'07 Polyglot: Automatic Extraction of Protocol Message Format using Dynamic Binary Analysis. Juan Caballero, Heng Yin, Zhenkai Liang, and Dawn Song. CCS'07
12/7	David, Bryan	ACSAC'07 practice talk

ĄĄ

Spring 2007
Date	Moderator	Paper	Pros/Cons	Summary
1/12	Monirul	Automatic Diagnosis and Response to Memory Corruption Vulnerabilities. Jun Xu, Peng Ning, Chongkyung Kil, Yan Zhai and Chris Bookholt.CCS'05
1/19	Prahlad	Evading Network Anomaly Detection Systems. Job talk
1/26	Manos	DEMEM: Distributed Evidence-Driven Message Exchange Intrusion Detection Model for MANET. Chinyang Henry Tseng, Shiau-Huey Wang, Calvin Ko, Karl N. Levitt. RAID 2006
2/2		USENIX Security'07
2/9	Bryan	A Safety-Oriented Platform for Web Applications. R. S. Cox and J. G. Hansen and S. D. Gribble and H. M. Levy. Oakland'06
2/16	Prahlad
2/23	Abhinav	Splitting Interfaces: Making Trust Between Applications and Operating Systems Configurable. Richard Ta-Min, Lionel Litty, David Lie. OSDI'06
3/2	Claudio	On The Effectivenes of Distributed Worm Monitoring. M. A. Rajab, F. Monrose, A. Terzis. Security'06
3/9	Martim	Secure and Practical Defense Against Code-injection Attacks Using Software Dynamic Translation. Wei Hu etal. VEE '06
3/16	Junjie	Puppetnets: Misusing Web Browsers as a Distributed Attack Infrastructure. V.T. Lam, S. Antonatos, P. Akritidis, K. G. Anagnostakis. CCS'06
3/23	ĄĄ	Spring break
3/30	Kapil	Backtracking Algorithmic Complexity Attacks Against a NIDS. Randy Smith, Cristian Estan, and Somesh Jha. ACSAC'06
4/6	Guofei	Army of Botnets. Ryan Vogt, John Aycock, Michael Jacobson. NDSS'07
4/13	Roberto	Behavioral Distance Measurement Using Hidden Markov Models. Debin Gao, Michael K. Reiter, and Dawn Song. RAID'06
4/20	Tak	Detection of audio covert channels using statistical footprints of hidden messages. Digital Signal Processing 2006
4/27	Mike	Inferring the source of encrypted HTTP connections. Marc Liberatore, Brian Neil Levine. CCS'06

ĄĄ

Fall 2006
Date	Moderator	Paper	Pros/Cons	Summary
8/25		Organize meeting
9/1	Bryan	Computer forensic: Searching for Processes and Threads in Microsoft Windows Memory Dumps. Andreas Schuster. Digital Forensics Research Workshop, 2006. Digital Forensics Reconstruction and the Virtual Security Testbed ViSe. Andre Arnes, Paul Haas, Giovanni Vigna, and Richard A. Kemmerer. DIMVA '06. Reference: Forensic Discovery. Dan Farmer, and Wietse Venema.	Martim
9/8	Manos	MANET security: Securing MAODV: Attacks and Countermeasures. Sankardas Roy, V. Gopala Addada, Sanjeev Setia and Sushil Jajodia. SECON'05 A Secure Adhoc Routing Approach using Localized Selfhealing Communities. Jiejun Kong, Xiaoyan Hong, Yunjung Yi, Joon-Sang Park, Jun Liu and Mario Gerla. MOBIHOC'05 Reference: A Survey of Secure Wireless Ad Hoc Routing [2004] A Survey of Existing Approaches for Secure MANET [2006]
9/15	Manos	Sensor network security: Sluice: Secure Dissemination of Code Up dates in Sensor Networks. Lanigan, P.E., Gandhi, R., Narasimhan, P. ICDCS 2006 SIGF: A Family of Configurable, Secure Routing Protocols for Wireless Sensor Networks. Anthony Wood, Lei Fang, John Stankovic and Tian He. SASN 2006 Reference: A survey of security issues in mobile ad hoc and sensor networks (p.22-25) [2005] Security services and enhanc ements in the IEEE 802.15.4 wireless sensor networks [2005]
9/22	Takehiro	Wireless security: Central Manager: A Solution to Avoid Denial of Service Attacks for Wireless LANs. Ping Ding. SOLA: Lightweight Security for Access Control in IEEE 802.11. Felix Wu, et al.
9/29	Martim	kernel level mechanisms for host-based security: Traps and Pitfalls: Practical Problems in System Call Interposition Based Security Tools. Tal Garfinkel. NDSS'03 An Architecture for Speciﬁcation-Based Detection of Semantic Integrity Violations in Kernel Dynamic Data. Nick L. Petroni, Jr., Timothy Fraser, AAron Walters, William A. Arbaugh. Security'06.
10/6	Bryan	Formal Models for Computer Security. C. E. Landwehr.ACM Computing Surveys (CSUR) Volume 13 , Issue 3 (September 1981)	ĄĄ	ĄĄ
10/13	Anirudh	BGP security: PHAS: A Prefix Hijack Alert System, M. Lad et. al.; Usenix '06 Modeling Adoptability of Secure BGP Protocols, H. Chan et. al; SIGCOMM '06	ĄĄ	ĄĄ
10/20	Guofei	Botnet analysis/defense: A Multifaceted Approach to Understanding the Botnet Phenomenon. Moheeb Abu Rajab, Jay Zarfoss, Fabian Monrose, Andreas Terzis. IMC 2006. An Effective Defense Against Email Spam Laundering. Mengjun Xie, Heng Yin and Haining Wang. CCS'06	ĄĄ	ĄĄ
10/27	Roberto	Anagram: A Content Anomaly Detector Resistant To Mimicry Attack.Ke Wang, Janak J. Parekh, Salvatore J. Stolfo. RAID'06	ĄĄ	ĄĄ
11/3	Kapil	Spyware: Behavior-based Spyware Detection. Engin Kirda, Christopher Kruegel, Greg Banks, Giovanni Vigna, and Richard A. Kemmerer. Security'06 A Crawler-based Study of Spyware in the Web. Alexander Moshchuk, Tanya Bragin, Steven D. Gribble, and Henry M. Levy. NDSS 2006	ĄĄ	ĄĄ
11/10	Sagar	Honeypot: The Nepenthes Platform: An Efficient Approach to Collect Malware Paul Baecher, Markus Koetter,Thorsten Holz etal.RAID 2006 Honeypot-Aware Advanced Botnet Construction and Maintenance Cliff C. Zou and Ryan Cunningham, DSN 2006 Background: Honeytokens: The Other Honeypot, Know your enemy: Tracking Botnets	ĄĄ	ĄĄ
11/17	Prahlad	Privacy and authentication: Doppelganger: Better Browser Privacy Without the Bother. Umesh Shankar and Chris Karlof. CCS'06 Fourth-Factor Authentication: Somebody You Know. John Brainard, Ari Juels, Ronald L. Rivest, Michael Szydlo, and Moti Yung.CCS'06	ĄĄ	ĄĄ
11/24	ĄĄ	Thanksgiving!	ĄĄ	ĄĄ
12/1	David	Worm: The Impact of Stochastic Variance on Worm Propagation and Detection. Nicol. WORM'06 Internet-Scale Malware Mitigation: Combining Intelligence of the Control and Data Plane. Zhang, et al. WORM'06	ĄĄ	ĄĄ
12/8	Paul	ACSAC'06 practice talk: PolyUnpack	ĄĄ	ĄĄ

ĄĄ

Spring 2006
Date	Moderator	Paper	Pros/Cons	Summary
1/13	Paul	DDOS topic: A DoS-limiting Network Architecture. Xiaowei Yang, David Wetherall, and Tom Anderson. SIGCOMM'05. Also refer to SIFF (Oakland'04)	Roberto	summary
1/19		USENIX Security'06
1/27		USENIX Security'06
2/3	Roberto	COTS Diversity Intrusion Detection and Application to Web Servers (RAID'05)	Guofei, Prahlad
2/10	Bryan	Isolating Intrusions By Automatic Experiments. Neuhaus and Zeller. NDSS'06	Sanjeev
2/17	Monirul	Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software. James Newsome, Dawn Song. NDSS'05
2/24	Guofei	Hamsa: Fast Signature Generation for Zero-day Polymorphic Worms with Provable Attack Resilience. Z. Li, M. Sanghi, B. Chavez, Y. Chen and M. Kao. Oakland'06	Roberto
3/3		Dan Wallach's talk
3/10	Yi-An	On the Secrecy of Timing-Based Active Watermarking Trace-Back Techniques. Pai Peng, Peng Ning, Douglas S. Reeves. Oakland'06
3/17	David	SubVirt: Implementing malware with virtual machines. Samuel T. King, Peter M. Chen, etal. Oakland'06
3/24		Spring break
3/31	Prahlad	Towards a Framework for the Evaluation of Intrusion Detection Systems. Alvaro A. Cardenas, Karl Seamon and John S. Baras. Oakland'06	Guofei
4/7	Takehiro	Security analysis and improvements for IEEE 802.11i.Changhua He, John C. Mitchell. NDSS'05
4/14	Sanjeev	BLINC: Multilevel Traffic Classification in the Dark. Thomas Karagiannis, Konstantina Papagiannaki and Michalis Faloutsos. Sigcomm'05
4/21	Kapil	Vigilante: End-to-End Containment of Internet Worms. Manuel Costa et al. SOSP'05
4/27		Roberto's Practice talk for Oakland'06

Previous years. A candidate paper list (for 2005)

Fall 2005
Date	Moderator	Paper	Pros/Cons	Summary
9/2		Organize meeting, everyone introduces his work
9/9		cancel due to RAID'05 conference
9/16	Guofei Gu	Network mapping topic: Mapping Internet Sensors with Probe Response Attacks. John Bethencourt, Jason Franklin, and Mary Vernon. USENIX Sec'05. Also refer to "Vulnerabilities of Passive Internet Threat Monitors" by Yoichi Shinoda, etal.	David Dagon, Prahlad Fogla	summary
9/23	Monirul Sharif	DRM topic: A Generic Attack on Checksumming-Based Software Tamper Resistance. Glenn Wurster, Paul van Oorschot, Anil Somayaji. Oakland'05. Also refer to a recent attack "Strengthening software self-checksumming via self-modifying code" by Jonathon T. Giffin, Mihai Christodorescu, and Louis Kruger. ACSAC05.	Paul Royal	summary
9/30		Oakland submission discussion and criticism
10/7	Bryan Payne	Forensic topic: Backtracking Intrusions. Samuel King and Peter Chen. SOSP'03. Detecting Past and Present Intrusions Through Vulnerability-Specific Predicates. Peter Chen, Ashlesha Joshi, Sam King, George Dunlap.SOSP05	Kapil Singh, Takehiro Takahashi	summary
10/14	Roberto Perdisci	Automatic signature generation topic: Polygraph: Automatically Generating Signatures For Polymorphic Worms. James Newsome, Brad Karp, Dawn Song. Oakland'05. Also with detailed comparison with Autograph (Sec04), Earlybird (OSDI04), honeycomb (HotNetsII) and Nemean(Sec05)	Guofei Gu,Monirul Sharif	summary
10/21	David Dagon	IDS evasion topic: Network IDS evasion: Automatic Generation and Analysis of NIDS Attacks.Shai Rubin, Somesh Jha, Barton Miller. ACSAC'04. Testing Intrusion Detection Signatures Using Mutant Exploits. Giovanni Vigna, Will Robertson and Davide Balzarotti. CCS'04. Host IDS evasion: Automating Mimicry Attacks Using Static Binary Analysis. Christopher Kruegel etal. Sec'05.	Bryan Payne, Sanjeev Dwivedi
10/28	Yi-An Huang	Protocol security/anomaly/modeling: SPV: Secure Path Vector Routing for Securing BGP (Sigcomm'04). Athena, a Novel Approach to Efficient Automatic Security Protocol Analysis. D. Song, S. Berezin, and A. Perrig. (JCS'01)	Takehiro Takahashi, Sanjeev Dwivedi	summary
11/4	Takehiro Takahashi	RFID topic: Privacy and Security in Library RFID: Issues, Practices, and Architectures. David Molnar and David Wagner.ccs'04	Paul Royal, Yi-an Huang	summary
11/11	Sanjeev Dwivedi	Sensor network topic: Distributed Detection of Node Replication Attacks in Sensor Networks. Bryan Parno, Adrian Perrig, Virgil Gligor. Oakland'05 ĄĄ	Yi-an Huang,Prahlad Fogla
11/18	Prahlad Fogla	Worm and Stepping stone topic: Worm Origin Identification Using Random Moonwalks.Yinglian Xie, Vyas Sekar, David A. Maltz, Michael K. Reiter, Hui Zhang. Oakland'05. Tracking Anonymous Peer-to-Peer VoIP Calls on the Internet by Xinyuan Wang, Shiping Chen, and Sushil Jajodia. CCS05	Bryan Payne, Roberto Perdisci	summary
11/25		Thanksgiving!
12/2	Kapil Singh	Software security topic: Semantics-Aware Malware Detection. Mihai Christodorescu, Somesh Jha, Sanjit Seshia, Dawn Song, Randal E. Bryant.Oakland'05 Using Model Checking to Find Serious File System Errors. Junfeng Yang, Paul Twohey, and Dawson Engler, Madanlal Musuvathi.OSDI04	Monirul Sharif,David Dagon	summary
12/9		Out for lunch to celebrate the end of semester and the begin of holidays. Thanks Prof. Lee!

Related Links (see my webpage for more)

Other Security Reading Groups: UIUC SRG , Wisc SRG , Dartmouth SRG , CMU SRG , CERIAS SRG, Purdue DS2 , Berkley SRG , UVA SRG , NYU CRG
Computer Security Conference Ranking and Statistic