Call for papers: EC2ND 2009

July 7th, 2009

European Conference on Computer Network Defense

The 5th European Conference on Computer Network Defence will take place in November 2009 at the Politecnico di Milano technical university in Milano, Italy.

The theme of the conference is the protection of computer networks. The conference will draw participants from academia and industry in Europe and beyond to discuss hot topics in applied network and systems security.

EC2ND invites submissions presenting novel ideas at an early stage with the intention to act as a discussion forum and feedback channel for promising, innovative security research. While our goal is to solicit ideas that are not completely worked out, and might have challenging and interesting open questions, we expect submissions to be supported by some evidence of feasibility or preliminary quantitative results.

Topics include but are not limited to:

  • Intrusion Detection
  • Denial-of-Service
  • Privacy Protection
  • Security Policy
  • Peer-to-Peer and Grid Security
  • Network Monitoring
  • Web Security
  • Vulnerability Management and Tracking
  • Network Forensics
  • Wireless and Mobile Security
  • Cryptography
  • Network Discovery and Mapping
  • Incident Response and Management
  • Malicious Software
  • Web Services Security
  • Legal and Ethical Issues

The conference will be technically co-sponsored by the IEEE ComputerSociety – Italy Chapter .

Submitting a Paper

You are hereby invited to submit papers up to 6-8 pages, 8.5″ x 11″, two-column format. We particularly encourage position papers on preliminary work that shows promise, rather than mature and well-polished papers. Surprising results and thought-provoking ideas will be strongly favored. All submissions will be reviewed by the Program Committee . Authors of accepted papers will be given the optionof including their paper in the proceedings of the conference.

We suggest you to format your paper according to IEEE-CS guidelines .

Important Dates

  • Submissions due: September 15th, 2009
  • Reviews due: October 1st, 2009
  • Notification of Acceptance: October 15th, 2009
  • Final papers due: November 1st, 2009

General Chair

  • Stefano Zanero, Politecnico di Milano, Italy

Click to continue reading “Call for papers: EC2ND 2009″

Call for papers: EuroSec 2009

November 24th, 2008

EuroSec is a workshop associated with the Annual ACM SIGOPS EuroSys conference. The workshop aims to bring together researchers, practitioners,  system administrators, system programmers, and others interested in the latest advances in the security of computer systems and networks. The focus of the workshop is on novel, practical, systems-oriented work.

EuroSec seeks contributions on all aspects of systems security. Topics of interest include (but are not limited to):

  • new attacks, evasion techniques, and defenses
  • operating systems security
  • network/distributed systems security
  • hardware architectures
  • trusted computing and its applications
  • identity management, anonymity
  • small trusted computing bases
  • mobile systems security
  • measuring security
  • malicious code analysis and detection
  • Web security
  • systems-based forensics
  • systems work on fighting spam/phishing

In accordance with the spirit of the EuroSys conference we also seek:

  • Quantified or insightful experience with existing systems
  • Reproduction or refutation of  previous results
  • Negative results
  • Early ideas

You are hereby invited to submit papers of up to 8 single-spaced pages (including figures, tables and references). Submission information:

For convenience, we allow authors to indicate potential conflicts of interest (e.g., to exclude PC members from within their research group).  EuroSec explicitly encourages members of the systems community to explore leading-edge topics and ideas before they are presented at a major conference. All submissions will be reviewed by the Program Committee. Only original, novel work will be considered for publication. Accepted papers will be published in the proceedings of EuroSec in the  ACM Digital Library. EuroSec will be held on the 31st  of March, 2009, in Nuremberg, Germany.

Important dates

  • Paper Submission Deadline: January 19th, 2009
  • Notification of Acceptance : February 16th, 2009
  • Final Paper Due: March 2nd, 2009
  • Workshop Date: March 31st, 2009


  • Program Co-chairs:
    • Evangelos Markatos (FORTH and Univ. of Crete)
    • Manuel Costa (Microsoft Research Cambridge)
  • Publicity Co-chairs:
    • Thorsten Holz (Universitat Mannheim)
    • Sotiris Ioannidis (FORTH)

Click to continue reading “Call for papers: EuroSec 2009″

NoAH: a versatile tool for every ISP’s toolbox

July 9th, 2008

The primary purpose of NoAH system is detection of unauthorized activity on organizational data networks. It does this by monitoring the activity on all the unused IPs in your network. Any attempted connection to an unused IP address is assumed to be unauthorized or malicious activity. In the case where the system IP is in use the system (honey@home) can monitor unused service ports of the system and report activity.

Even though the aim of the project is to help NRENs and ISPs companies, feedback from them is crucial, since the main attacks committed through their networks. Using NoAH system can help detect, monitor and report suspect activities in real-time.

NoAH system main features:

  • Provide source of data for security analysis.
  • Produce attacks signatures for further use (integration with IDS, firewalls and other network protection tools).
  • It has few false positives, low cost and low risk.
  • It does not capture legitimate users traffic (No sensitive data).
  • Help the security teams understand the threats they face and how to defend against them.
  • Raw data available for the administrators.
  • Easy to adapt new honeypots on the company’s network.
  • Open-source software.
  • Contribute to a large network of Honeypots.

NoAH floats its ideas at TNC 2008

July 7th, 2008

The 2nd NoAH workshop was held on 20 May 2008 in Bruges, Belgium. This was organised as two parallel sessions within the wider TERENA Networking Conference (TNC 2008), and attracted more than 60 participants. The objective was to present the current activities of the European Commission-funded NoAH project, as well as other relevant work related to honeypots.

Click to continue reading “NoAH floats its ideas at TNC 2008″

Story of an Attack

June 16th, 2008

Our windows 2000 server honeypot in the NoAH testbed was attacked on 2nd June 2008. This is the story of this attack. The rough picture is:

  • The attacker connected from to our win2k server honeypot.
  • Aim was to exploit a vulnerability in the WINS service at port 42.
  • Date was 2nd June 2008 18:45 GMT +0200.
  • The attack was not detected by the snort IDS.
  • Argos raised an alert of type “RET”.
  • The EBP contained the value 0×90909090 which results obviously from a stack buffer overflow. Thus, a false positive can be excluded.

Click to continue reading “Story of an Attack”

Argos 0.4.1 released

May 22nd, 2008

The new version of Argos (0.4.1) contains bug fixes related with taint tracking. It is recommended to update to the latest version of Argos, since it solves issues with reported false positives. Checking the CALL instruction for tainted operands, has also been re-enabled, since it seems it does not cause problems with windows systems anymore. The use of a whitelist is not necessary as well, since the false positives reported by 2.6.* linux kernels are also solved. Finally, crashes reported with windows 2000 guest systems, seem to be also solved.

If any of the users discovers false positives, after these changes please notify the developers immediately. You can get argos from the VU gforge site.


Update for windows Honey@home software

May 16th, 2008

Honey@home logoAn updated version of windows Honey@home has been released. The new version has been developed using the Microsoft .NET 2.0 framework. New features in this version include an installation wizard, a registration wizard, settings manager and automatic updating.

The application is available from the Honey@home website. Continue reading for more details on the new features.

Click to continue reading “Update for windows Honey@home software”

Eudaemon: Argos-like protection on the desktop

May 6th, 2008

“Essentially, Eudaemon is a ‘good spirit’ that possesses processes in order to protect them form evil.”

Despite all of the attractive properties of Argos and the various signature generators, we are still missing some attacks: those on the client-side. Honeypots have as a disadvantage that they mostly act like servers and wait for attackers to contact them. However, client-side attacks are on the rise. In such attacks, the client visits a malicious website and is infected by the content. Honeypots never see such attacks.

Moreover, the Argos honeypot only protects the exact configuration that it is actually running on top of its emulator. If the production machines have a slightly different configuration (e.g., a different version of the OS, applications, or plugins), Argos may miss attacks. So, ideally we would like to protect the `real’ machines.

In the Eudaemon project, some of the groundwork is done for implementing techniques to bring Argos-like honeypot technology to the desktop of normal users. In other words: client-side protection. This is a major challenge as the emulator that implements all the required instrumentation to detect attacks incurs a slowdown of a factor 15-20. As a result, running a desktop PC in instrumented mode constantly is probably not acceptable.

Instead, the idea is to take over running processes and force them to continue running in honeypot mode when needed or when possible. For instance, in the former case one may run a browser in honeypot mode when we click on an unknown URL in an email message. The browser is then protected against browser attacks by malicious server content. In the latter case, one may switch all of the user’s networking applications to honeypot mode when the machine is idle. For instance, we may switch to honeypot mode as a screensaver.

The mechanism for doing this is described in the Eudaemon paper presented at EUROSYS 2008 in Glasgow. [bibtex]

WIT: Write Integrity Testing

April 23rd, 2008

Cool stuff from the people at MSR Cambridge. Their latest Oakland paper on write integrity checking provides a nice solution for various memory exploits that may otherwise lead to a machine being compromised. Their method uses point-to-analysis at compile time to generate the control flow graph as well as the set of objects that can be written by each instruction. It then instruments these instructions to make sure that they do not write into with objects that are not in the set (and also to ensure that indirect control flow transfers are valid). Runtime overhead is very small. I guess the main catch is that you have to sit on the source code – which is not the case for anyone other than Microsoft. Nevertheless, very good work.

NoAH Router ready to catch attacks

March 31st, 2008

The NoAH Router developed in the context of NoAH has successfully passed the last tests and is now ready to catch attacks on the Internet.

The innovative concept of NoAH Router allows to detect suspicious flows that are currently not seen by the existing Honeypots. Being installed on a router installed at the heart of the Internet, it can identify and redirect flows coming from scanning bots even if the targeted machines are not under monitoring.

During the next phase, the capacity of the NoAH Router for preventing zero-day attacks will be evaluated in a live environment. Keep an eye on the blog for further updates on the NoAH router.