C A L L F O R P A R T I C I P A T I O N
======================================================================

DIMVA 2010

Seventh International Conference on
Detection of Intrusions and Malware & Vulnerability Assessment

Organized by GI SIG SIDAR
In Cooperation with
IEEE Computer Society Task Force on Information Assurance

Bonn, Germany
July 8-9 2010

http://www.dimva.org/dimva2010
info (at) dimva (dot) org [email concealed]

----------------------------------------------------------------------

The annual DIMVA conference serves as a premier forum for advancing
the state of the art in intrusion detection, malware detection, and
vulnerability assessment. Each year DIMVA brings together
international experts from academia, industry and government to
present and discuss novel research in these areas. DIMVA is organized
by the special interest group Security - Intrusion Detection and
Response (SIDAR) of the German Informatics Society (GI). The
conference proceedings will appear in Springer's Lecture Notes in
Computer Science (LNCS) series.

High-class Keynotes

DIMVA 2010 conference program will include 3 high-class keynotes. The
confirmed speakers are: Jose Nazario (Arbor Networks), Carel van
Straaten (Spamhaus), and Marc Dacier (Symantec/Eurecom).

Rump session

As in previous years, DIMVA 2010 will hold a Rump Session: a series
of short and entertaining talks where attendees can present recent
research results, work in progress, or other topics of interest to
the community. Please contact the Rump Session Chair for submission
questions.

Sponsorship Opportunities

We solicit interested organizations to serve as sponsors for DIMVA
2010; please contact the sponsorship chair for information regarding
corporate sponsorship.

Gold Sponsor: Qualys, http://www.qualys.com
Sponsor: FGA Global, http://www.fgaglobal.com

Preliminary Program

Thursday, July 8
9:00-9:15 Opening remarks

9:15-10:30 Keynote
Jose Nazario
Arbor Networks

10:30-11:00 Coffee break

11:00-12:30 Session 1 - Host Security

HookScout: Proactive Binary-Centric Hook Detection
Heng Yin, Pongsin Poosankam, Steve Hanna,
and Dawn Song

Conqueror: Tamper-proof Code Execution on Legacy
Systems
Lorenzo Martignoni, Roberto Paleari,
and Danilo Bruschi

dAnubis - Dynamic Device Driver Analysis Based on
Virtual Machine Introspection
Matthias Neugschwandtner, Christian Platzer,
Paolo Milani Comparetti, and Ulrich Bayer

12:30-13:30 Lunch

13:30-14:45 Invited Talk
Carel van Straaten
Spamhaus

14:45-16:00 Session 2 - Trends

Evaluating Bluetooth as a Medium for Botnet Command
and Control
Kapil Singh, Samrit Sangal, Nehil Jain, Patrick
Traynor, and Wenke Lee

Take a Deep Breath: a Stealthy, Resilient and
Cost-Effective Botnet Using Skype
Antonio Nappa, Aristide Fattori, Marco Balduzzi,
Matteo Dell'Amico, and Lorenzo Cavallaro

Covertly Probing Underground Economy Marketplaces
Hanno Fallmann, Gilbert Wondracek,
and Christian Platzer

16:00-16:15 Coffee break

16:15-17:15 Session 3 - Vulnerabilities

Why Johnny Can't Pentest: An Analysis of Black-box
Web Vulnerability Scanners
Adam Doupe, Marco Cova, and Giovanni Vigna

Organizing Large Scale Hacking Competitions
Nick Childers, Bryce Boe, Lorenzo Cavallaro,
Ludovico Cavedon, Marco Cova, Manuel Egele,
and Giovanni Vigna

17:15-17:45 Meeting of GI SIG SIDAR (open for all interested
attendees)

Friday, July 9

9:00-10:15 Invited Talk
Marc Dacier
Symantec/Eurecom

10:15-10:45 Coffee break

10:45-11:45 Session 4 - Intrusion Detection

An Online Adaptive Approach to Alert Correlation
Hanli Ren, Natalia Stakhanova and Ali Ghorbani

KIDS - Keyed Intrusion Detection System
Sasa Mrdovic

11:45-12:30 Rump Session

12:30-13:30 Lunch

13:30-14:30 Session 5 - Web Security

Modeling and Containment of Search Worms
Targeting Web Applications
Jingyu Hua and Kouichi Sakurai

HProxy: Client-side detection of SSL stripping
attacks
Nick Nikiforakis, Yves Younan and Wouter Joosen

14:30-14:45 Concluding remarks

Organizing Committee

General Chair: Marko Jahnke, Fraunhofer FKIE, Wachtberg,
Germany (info (at) dimva (dot) org [email concealed])
Program Chair: Christian Kreibich, International Computer
Science Institute, Berkeley, USA
(pc-chair (at) dimva (dot) org [email concealed])
Local Chair: Jens Toelle, Fraunhofer FKIE, Wachtberg,
Germany (info (at) dimva (dot) org [email concealed])
Rump Session Chair: Sven Dietrich, Stevens Institute of Technology,
USA (rump-chair (at) dimva (dot) org [email concealed])
Sponsorship Chair: Felix Leder, University of Bonn, Germany
(sponsor-chair (at) dimva (dot) org [email concealed])
Publicity Chair: Sebastian Schmerl, Technical University of
Cottbus, Germany (publicity-chair (at) dimva (dot) org [email concealed])

Program Committee

* Michael Bailey, University of Michigan, USA
* Herbert Bos, Vrije Universiteit Amsterdam, Netherlands
* Juan Caballero, CMU/UC Berkeley, USA
* Herve Debar, Telecom SudParis, France
* Sven Dietrich, Stevens Institute of Technology, USA
* Holger Dreger, Siemens CERT, Germany
* Ulrich Flegel, SAP Research, Germany
* Carrie Gates, CA Labs, USA
* Chris Grier, University of California, Berkeley, USA
* Guofei Gu, Texas A&M University, USA
* Thorsten Holz, Vienna University of Technology, Austria
* Piotr Kijewski, NASK/CERT Polska, Poland
* Engin Kirda, Eurecom, France
* Christopher Kruegel, University of California, Santa Barbara, USA
* Wenke Lee, Georgia Institute of Technology, USA.
* Corrado Leita, Symantec Research Labs, France
* Kirill Levchenko, University of California, San Diego, USA
* Pavel Laskov, University of Tuebingen, Germany
* Ludovic Me, Supelec, France
* Michael Meier, Technical University of Dortmund, Germany
* Tyler Moore, Harvard University, USA
* Lexi Pimenidis, iDev GmbH, Germany
* Moheeb Rajab, Google/Johns Hopkins University, USA
* Sebastian Schmerl, Technical University of Cottbus, Germany
* Robin Sommer, ICSI/LBNL, USA
* Henry Stern, Cisco/Ironport, USA
* Diego Zamboni, HP Professional Services, Mexico

Steering Committee

Chairs:

* Ulrich Flegel, SAP Research, Germany
* Michael Meier, Technical University of Dortmund, Germany

Members:

* Roland Bueschkes, RWE, Germany
* Danilo M. Bruschi, Universita degli Studi di Milano, Italy
* Herve Debar, Telecom SudParis, France
* Bernhard Haemmerli, Acris GmbH & HSLU Lucerne, Switzerland
* Marc Heuse, Baseline Security Consulting, Germany
* Klaus Julisch, IBM Zurich Research Lab, Switzerland
* Christopher Kruegel, UC Santa Barbara, USA
* Pavel Laskov, University of Tuebingen, Germany
* Robin Sommer, ICSI/LBNL, USA
* Diego Zamboni, HP Professional Services, Mexico

--
_____________________________________________________________________
Sebastian Schmerl Tel: +49 (0) 355 69 20 29
sbs (at) informatik.tu-cottbus (dot) de [email concealed] Fax: +49 (0) 355 69 21 27
BTU Cottbus

Computer Networks and Communication System
P.O.Box 10 13 44, 03013 Cottbus, Germany
http://www-rnks.informatik.tu-cottbus.de/~sbs
_____________________________________________________________________

0? *?H?÷

 ?0?

10 +0? *?H?÷


 ?É0?!0?  
Ç0
 *?H?÷


0q10 UDE10U
Deutsche Telekom AG10UT-TeleSec Trust Center1#0!UDeutsche Telekom Root CA 20
061219102900Z
190630235900Z0Z10 UDE10U

DFN-Verein10UDFN-PKI1$0"UDFN-Verein PCA Global - G010?
"0
 *?H?÷



?
0?

?

é?Ãg?ù
®õTÃ?P5=bénLí?×[?"tÔ ë4ÖìÀ1?â¦ÒR (#??t?^[àâxÁxËË(59{-EÐí z|¿JÃ?é\+1{ó?$C?8?jh?îÜOx«ÒÆ?v­îÞ&èï
¯tÁ ¢ökνÓÍ0Oõåã¤Èb??'0
e`MíÑ #*?5X'ÓvÆq¶Äíÿ5?}o3³ÛÅÂ??¡?]AkØÒõLýÊQ¬Ù½ï??»Úë?VVCÏáÕ=¦'0ÍITÛÉ4
?quÅlê§?ù!'¯>£99Hj?­É?ûÃò½

£Ù0Ö0pUi0g0e c a?_http://pki.tel
esec.de/cgi-bin/service/af_DownloadARL.crl?-crl_format=X_509&-issuer=DT_
ROOT_CA_20UI·ÆÏè=êD{)÷ñ
p>Þd0U#0?1ÃyºõS×à?z-l
³+30U

ÿ
0U

ÿ0

ÿ
0
 *?H?÷


?

;áZwÀHÜ©쁯Z?ð½(?¦ÊYpì(òç®?,çò]1ö+t½½?²¹÷gÉ9¢y;áîkx?3~;
_&'uSe?3cîÏsð?#I!Pu#¡â??=?3éw ¢½æ¡?)@ö?s2X
k¦Ú?lÀ?»fdV$N®
?25
[é??ÙrYO±??ñt?VåÃø\óîG³SpçåM?i?(á ??^ÈêXù¤ÔZhý(>?¶Xµö¡,7Wg«#hc¥ï?k\ýKVö«@?4Ô?lì?Å
3r´oT,ØQÇÌ¿0ÓCrñ2¿?ÎIc¨÷ò0?Z0?B 
?ï­0
 *?H?÷


0Z10 UDE10U

DFN-Verein10UDFN-PKI1$0"UDFN-Verein PCA Global - G010
071220134606Z
190630000000Z0É10 UDE10UBrandenburg10UCottbus1907U
0Brandenburgische Technische Universitaet Cottbus10U
Rechenzentrum10UBTU-CA (G01 2008)1#0! *?H?÷


ca-btu (at) tu-cottbus (dot) de0 [email concealed]?
"0
 *?H?÷



?
0?

?

»B(?÷û¤?)
ÏÄú½Ô(m??ãl¼w«óiܝ3ÞdVx?ýÙ}E¸°Á?oÌ?£â?PÙ?tÇøt
½¯@ðÉ?¡jÊÁa?«B?ó,qt^Ô??Yåc?MÈàp?8?X·Þö=òeä£Ój?ã??M-mNÇÉõÇ$.Þ?vÏ t§²Æ´?¼ÑUs?pfV??Ãû*,eÞ:??Hùvÿ¦îYÚq¶<ä
¡U96t?o?^A¾h?ç? ;Πlýo?ï¸
Sse?¸
CT?¿ú?n¯ÊøYú??V/eÊ3»Ö8nÃ

£?
¶0?
²0U

ÿ0

ÿ

0
U
0UX²j­?1s¥Û99RgDÚ>0U#0?I·ÆÏè=êD{)÷ñ
p>Þd0U0ca-btu (at) tu-cottbus (dot) de0 [email concealed]?U?0~0= ; 9?7http://cdp1.pc
a.dfn.de/global-root-ca/pub/crl/cacrl.crl0= ; 9?7http://cdp2.pca.dfn.de/
global-root-ca/pub/crl/cacrl.crl0¢+


?0?0G+
0?;http://
cdp1.pca.dfn.de/global-root-ca/pub/cacert/cacert.crt0G+
0?;http:/
/cdp2.pca.dfn.de/global-root-ca/pub/cacert/cacert.crt0
 *?H?÷


?


oeqè?¦Éü´%?Ù³?àY-?q¦?Zï|ÅÉj/mO~k}[?Än?dÙþïç¶ããÚ¨¤?Ë£B?5IXMÎH?f

´Ç{|æÉÊå~I?4 ê«$É??ª°U¥AÈ|T+4ô£p>4²?:$?Þj´)KmÌ:Ô?ÿÿ!?Õ#La Dñ&º˴Ƚ^Æí:·À??¿2Àý?{Ø|??hæX±e¿HKEÝL±q.%Ãz\w¡X`à$!?é,º?[­ÀÄ¥BcOîëÑECû[]äªæ?<
¥©µ=ýààñµ?Âvú\??ìÚâl0?0? 
)ÎÄ0
 *?H?÷


0É10 UDE10UBrandenburg10UCottbus1907U
0Brandenburgische Technische Universitaet Cottbus10U
Rechenzentrum10UBTU-CA (G01 2008)1#0! *?H?÷


ca-btu (at) tu-cottbus (dot) de0 [email concealed]
091123090909Z
121122090909Z0ô10 UDE10UBrandenburg10UCottbus1907U
0Brandenburgische Technische Universitaet Cottbus1907U0Lehrstuhl Rechnernetze und Kommunikationssysteme10USebastian Schmerl1+0) *?H?÷


sbs (at) informatik.tu-cottbus (dot) de0 [email concealed]?
"0
 *?H?÷



?
0?

?

Û/Óö??4y?\7??Ô?½~ÐxètÄÊ??µh?æ-1Xjô¦
f½?«im?|¬á?Ã|?´Ç.ñ+51ä?
"ó#/Ó/Ð)??)æünZM,??:Nû÷È5íi¹[?Û,æÚ:JÏóÄÄ?,;3ã­Ø[CZ<Õ?<
.JÚõ£
Q?!Z··%Ü·,h3ÆÊÚ5V?úzs¥?»7?¼¾gÜö˱
Ð^?=<?¿C4Â?Þì.ñ?3ûñp ?Sö?[t¸ô?É?WÖ¦?èðé}Æw¢­¸4î?ªkS?ûULR??Áè)

£?
à0?
Ü0 U00Uà0)U%"0 +
+

+

?70U%?.| »ÈÑ óáÒä??¸0U#0?X²j­?1s¥Û99RgDÚ>0'U 0sbs (at) informatik.tu-cottbus (dot) de0 [email concealed]?U?0~0= ; 9?7http://cdp1.pca.dfn
.de/btu-cottbus-ca/pub/crl/cacrl.crl0= ; 9?7http://cdp2.pca.dfn.de/btu-c
ottbus-ca/pub/crl/cacrl.crl0¢+


?0?0G+
0?;http://cdp1.
pca.dfn.de/btu-cottbus-ca/pub/cacert/cacert.crt0G+
0?;http://cdp2
.pca.dfn.de/btu-cottbus-ca/pub/cacert/cacert.crt0
 *?H?÷


?

/ÓðòÓÚÎ{ÔÝÃæk?aQ?W$¾ÝÉ?÷F¶Ê?úÖÄý3T¿ø:®f|ÑWZóyR:têÕ?Â?ÁëãWLF(
Öµ±RÉ?ó©nfÃè»ú?«ÆjM?Uo^?W?ø½-¯??Êì#Ý"?ÑG¡b¹1?ÿ%]?¢?ë½=Ø_±÷¸êW
¥ç+Ôb±Z/}/¼?`V§xt[÷q<q¥Ì =¦¯Sn??ã;õ͹÷"_,W|Eºs»?]CÓàdqTÓ¹[?aúUñnÄt%Áç\b?T¸HM»vzÁò?? ?5/?Ô:r?àH¬oÿ¾4P+àU$²´½W0?0? 
)ÎÄ0
 *?H?÷


0É10 UDE10UBrandenburg10UCottbus1907U
0Brandenburgische Technische Universitaet Cottbus10U
Rechenzentrum10UBTU-CA (G01 2008)1#0! *?H?÷


ca-btu (at) tu-cottbus (dot) de0 [email concealed]
091123090909Z
121122090909Z0ô10 UDE10UBrandenburg10UCottbus1907U
0Brandenburgische Technische Universitaet Cottbus1907U0Lehrstuhl Rechnernetze und Kommunikationssysteme10USebastian Schmerl1+0) *?H?÷


sbs (at) informatik.tu-cottbus (dot) de0 [email concealed]?
"0
 *?H?÷



?
0?

?

Û/Óö??4y?\7??Ô?½~ÐxètÄÊ??µh?æ-1Xjô¦
f½?«im?|¬á?Ã|?´Ç.ñ+51ä?
"ó#/Ó/Ð)??)æünZM,??:Nû÷È5íi¹[?Û,æÚ:JÏóÄÄ?,;3ã­Ø[CZ<Õ?<
.JÚõ£
Q?!Z··%Ü·,h3ÆÊÚ5V?úzs¥?»7?¼¾gÜö˱
Ð^?=<?¿C4Â?Þì.ñ?3ûñp ?Sö?[t¸ô?É?WÖ¦?èðé}Æw¢­¸4î?ªkS?ûULR??Áè)

£?
à0?
Ü0 U00Uà0)U%"0 +
+

+

?70U%?.| »ÈÑ óáÒä??¸0U#0?X²j­?1s¥Û99RgDÚ>0'U 0sbs (at) informatik.tu-cottbus (dot) de0 [email concealed]?U?0~0= ; 9?7http://cdp1.pca.dfn
.de/btu-cottbus-ca/pub/crl/cacrl.crl0= ; 9?7http://cdp2.pca.dfn.de/btu-c
ottbus-ca/pub/crl/cacrl.crl0¢+


?0?0G+
0?;http://cdp1.
pca.dfn.de/btu-cottbus-ca/pub/cacert/cacert.crt0G+
0?;http://cdp2
.pca.dfn.de/btu-cottbus-ca/pub/cacert/cacert.crt0
 *?H?÷


?

/ÓðòÓÚÎ{ÔÝÃæk?aQ?W$¾ÝÉ?÷F¶Ê?úÖÄý3T¿ø:®f|ÑWZóyR:têÕ?Â?ÁëãWLF(
Öµ±RÉ?ó©nfÃè»ú?«ÆjM?Uo^?W?ø½-¯??Êì#Ý"?ÑG¡b¹1?ÿ%]?¢?ë½=Ø_±÷¸êW
¥ç+Ôb±Z/}/¼?`V§xt[÷q<q¥Ì =¦¯Sn??ã;õ͹÷"_,W|Eºs»?]CÓàdqTÓ¹[?aúUñnÄt%Áç\b?T¸HM»vzÁò?? ?5/?Ô:r?àH¬oÿ¾4P+àU$²´½W1??0??

0Ò0É10 UDE10UBrandenburg10UCottbus1907U
0Brandenburgische Technische Universitaet Cottbus10U
Rechenzentrum10UBTU-CA (G01 2008)1#0! *?H?÷


ca-btu (at) tu-cottbus (dot) de [email concealed])ÎÄ0 + ??0 *?H?÷

1 *?H?÷


0 *?H?÷

1
100520180135Z0# *?H?÷

1*?bP
Zý?­T '¥h]^Ã-£Å0_ *?H?÷

1R0P0 `?H
e
0
*?H?÷
0*?H?÷
?0
*?H?÷

@0+0
*?H?÷

(0ã +

?71Õ0Ò0É10 UDE10UBrandenburg10UCottbus1907U
0Brandenburgische Technische Universitaet Cottbus10U
Rechenzentrum10UBTU-CA (G01 2008)1#0! *?H?÷


ca-btu (at) tu-cottbus (dot) de [email concealed])ÎÄ0å*?H?÷

1Õ Ò0É10 UDE10UBrandenburg10UCottbus1907U
0Brandenburgische Technische Universitaet Cottbus10U
Rechenzentrum10UBTU-CA (G01 2008)1#0! *?H?÷


ca-btu (at) tu-cottbus (dot) de [email concealed])ÎÄ0
 *?H?÷



?
¾??{&ëWºISch}¶&©î??Âñßq ¸6?D
Á«À6;Ë·dò0ÇkwèB?è:~g±*?JFÓÉý¢?¹Á3?CÕp?Ð¥6??û+Ö­èMZ8Bª'¹Äeë??ÎÂQxÈu_Íâ?j?ß<?×vE?ÒÔbêl?®ÕÞÆ
?í&ÁròiÃ?0¥¥?õ?°£»ª ©Ç7IÃÕÐ?Qè|ôNFØZCÇ?æ6\©·èç>hXèqÑl?TÍ}Ç0'ì8
a3uÈ?ú?4?0iïÿ@Æ??$ßÖ?ü??VÁ{«²?135X?"QA^K

[ reply ]