Computer Security Applications, 2000. ACSAC '00. 16th Annual Conference

11-15 Dec. 2000

Filter Results

Displaying Results 1 - 25 of 46
  • Proceedings 16th Annual Computer Security Applications Conference (ACSAC'00) [front matter]

    Publication Year: 2000
    Request permission for reuse | PDF file iconPDF (248 KB)
    Freely Available from IEEE
  • Security against compelled disclosure

    Publication Year: 2000, Page(s):2 - 10
    Cited by:  Papers (1)
    Request permission for reuse | Click to expandAbstract | PDF file iconPDF (897 KB)

    Various existing and pending legislation can be used to force individuals and organisations to disclose confidential information. Courts may order a wide variety of data to be turned over by either party in civil and criminal cases. Government agencies are explicitly tasked with protecting national economic security. Organised crime will target information just like any other valuable asset. In a ... View full abstract»

    Full text access may be available. Click article title to sign in or learn about subscription options.
  • Security agility in response to intrusion detection

    Publication Year: 2000, Page(s):11 - 20
    Cited by:  Papers (11)
    Request permission for reuse | Click to expandAbstract | PDF file iconPDF (1091 KB)

    Cooperative frameworks for intrusion detection and response exemplify a key area of today's computer research: automating defenses against malicious attacks that increasingly are taking place at grander speeds and scales to enhance the survivability of distributed systems and maintain mission critical functionality. At the individual host-level, intrusion response often includes security policy re... View full abstract»

    Full text access may be available. Click article title to sign in or learn about subscription options.
  • Two state-based approaches to program-based anomaly detection

    Publication Year: 2000, Page(s):21 - 30
    Cited by:  Papers (16)  |  Patents (1)
    Request permission for reuse | Click to expandAbstract | PDF file iconPDF (882 KB)

    This paper describes two intrusion detection algorithms, and gives experimental results on their performance. The algorithms detect anomalies in execution audit data. One is a simply constructed finite-state machine, and the other monitors statistical deviations from normal program behavior. The performance of these algorithms is evaluated as a function of the amount of available training data, an... View full abstract»

    Full text access may be available. Click article title to sign in or learn about subscription options.
  • Denial of service protection the nozzle

    Publication Year: 2000, Page(s):32 - 41
    Cited by:  Papers (2)  |  Patents (7)
    Request permission for reuse | Click to expandAbstract | PDF file iconPDF (765 KB)

    A denial of service attack is a dominating conversation with a network resource designed to preclude other conversations with that resource. This type of attack can cost millions of dollars when the target is a critical resource such as a Web server or domain name server. Traditional methods, such as firewalls and intrusion detection systems have failed to provide adequate protection from this typ... View full abstract»

    Full text access may be available. Click article title to sign in or learn about subscription options.
  • Virtual enterprise networks: the next generation of secure enterprise networking

    Publication Year: 2000, Page(s):42 - 51
    Cited by:  Papers (1)  |  Patents (2)
    Request permission for reuse | Click to expandAbstract | PDF file iconPDF (1001 KB)

    We present a vision of computing environments in which enterprise networks are built using untrusted public infrastructures. The vision allows for networks to dynamically change depending on the need of their users, rather than forcing the users to build organizations around networks. This vision is realized through a design abstraction called virtual enterprise networking, or short Supernetworkin... View full abstract»

    Full text access may be available. Click article title to sign in or learn about subscription options.
  • Enabling secure on-line DNS dynamic update

    Publication Year: 2000, Page(s):52 - 58
    Cited by:  Papers (4)  |  Patents (1)
    Request permission for reuse | Click to expandAbstract | PDF file iconPDF (615 KB)

    Domain Name System (DNS) is the system for the mapping between easily memorizable host names and their IP addresses. Due to its criticality, security extensions to DNS have been proposed in an Internet Engineering Task Force (IETF) working group to provide authentication. We point out two difficulties in the current DNSSEC (DNS Security Extension) standards in the handling of DNS dynamic updates: ... View full abstract»

    Full text access may be available. Click article title to sign in or learn about subscription options.
  • Layering boundary protections: an experiment in information assurance

    Publication Year: 2000, Page(s):60 - 66
    Request permission for reuse | Click to expandAbstract | PDF file iconPDF (729 KB)

    The DARPA Information Assurance Program has the aim of developing and executing experiments that test specific hypotheses about defense in depth and dynamic defense capabilities. This paper describes the development and execution of an experiment in layering. The basic hypothesis was that layers of defense, when added in a careful and systematic way to a base system lead to increased protection ag... View full abstract»

    Full text access may be available. Click article title to sign in or learn about subscription options.
  • Extending Java for package based access control

    Publication Year: 2000, Page(s):67 - 76
    Cited by:  Patents (4)
    Request permission for reuse | Click to expandAbstract | PDF file iconPDF (821 KB)

    This paper describes an extension of the Java language that provides programmable security. The approach augments the Java syntax with constructs for specifying various access control policies for Java packages, including DAC, MAC, RBAC and TBAC. A primitive ticket based mechanism serves as the foundation for programmable security. The implementation incorporates a preprocessor for language transl... View full abstract»

    Full text access may be available. Click article title to sign in or learn about subscription options.
  • Secure smart homes using Jini and UIUC SESAME

    Publication Year: 2000, Page(s):77 - 85
    Cited by:  Papers (11)  |  Patents (3)
    Request permission for reuse | Click to expandAbstract | PDF file iconPDF (1257 KB)

    We discuss our approach to constructing a dynamic and secure smart home environment and tackling the challenges associated with it. We envision a smart home as an active environment populated with smart, dynamically configurable consumer devices capable of interacting with humans and other smart devices. In such a dynamic and active environment, there is a great need for an agile, lightweight, dis... View full abstract»

    Full text access may be available. Click article title to sign in or learn about subscription options.
  • Defining, computing and interpreting trust

    Publication Year: 2000, Page(s): 88
    Request permission for reuse | PDF file iconPDF (91 KB)
    Full text access may be available. Click article title to sign in or learn about subscription options.
  • Implementing security policies using the Safe Areas of Computation approach

    Publication Year: 2000, Page(s):90 - 99
    Cited by:  Papers (4)
    Request permission for reuse | Click to expandAbstract | PDF file iconPDF (1136 KB)

    The World Wide Web is playing a major role in reducing business costs and in providing convenience to users. Digital libraries capitalize on this technology to distribute documents that are stored in their servers. Online banks capitalize on this technology to reduce their operating costs and to offer 24 hour services to their clients. These two services are examples of services that require a hig... View full abstract»

    Full text access may be available. Click article title to sign in or learn about subscription options.
  • Policy mediation for multi-enterprise environments

    Publication Year: 2000, Page(s):100 - 106
    Cited by:  Papers (1)  |  Patents (2)
    Request permission for reuse | Click to expandAbstract | PDF file iconPDF (591 KB)

    Existing software infrastructures and middleware provide uniform security services across heterogeneous information networks. However few, if any, tools exist that support access control policy management for and between large enterprise information networks. Insiders often exploit gaps in policies to mount devastating attacks. This paper presents a Policy Machine and Policy Mediation Architecture... View full abstract»

    Full text access may be available. Click article title to sign in or learn about subscription options.
  • Protection profiles for remailer mixes. Do the new evaluation criteria help?

    Publication Year: 2000, Page(s):107 - 118
    Request permission for reuse | Click to expandAbstract | PDF file iconPDF (1120 KB)

    Early IT security evaluation criteria such as the TCSEC and the ITSEC suffered much criticism for their lack of coverage of privacy-related requirements. Recent evaluation criteria, such as the CC and the ISO-ECITS now contain components assigned to privacy. This is a step towards enhanced privacy protection, especially for non-experts. We examined the suitability and use of these components and t... View full abstract»

    Full text access may be available. Click article title to sign in or learn about subscription options.
  • Binding identities and attributes using digitally signed certificates

    Publication Year: 2000, Page(s):120 - 127
    Cited by:  Papers (21)  |  Patents (6)
    Request permission for reuse | Click to expandAbstract | PDF file iconPDF (630 KB)

    A certificate is digitally signed by a certificate authority (CA) to confirm that the information in the certificate is valid and belongs to the subject. Certificate users can verify the integrity and validity of a certificate by checking the issuing CA's digital signature in the certificate and, if necessary, chasing certificate chain and revocation lists. Usually, we use certificates to provide ... View full abstract»

    Full text access may be available. Click article title to sign in or learn about subscription options.
  • Applications in health care using public-key certificates and attribute certificates

    Publication Year: 2000, Page(s):128 - 137
    Cited by:  Papers (3)
    Request permission for reuse | Click to expandAbstract | PDF file iconPDF (997 KB)

    Security infrastructures are increasingly used in the health care and welfare sector, particularly for providing security such as confidentiality, authenticity, integrity, non-repudiation and auditing. Especially within the health care sector, there is a need for different kinds of certificates, namely public-key certificates and attribute certificates. This necessity is caused by the huge range o... View full abstract»

    Full text access may be available. Click article title to sign in or learn about subscription options.
  • Scalable policy driven and general purpose public key infrastructure (PKI)

    Publication Year: 2000, Page(s):138 - 147
    Cited by:  Papers (1)  |  Patents (5)
    Request permission for reuse | Click to expandAbstract | PDF file iconPDF (833 KB)

    This paper describes a flexible and general purpose PKI platform. Providing an easily interoperable security infrastructure. Developed at AT&T Labs, the architecture is part of the UCAID/Internet2 efforts in PKI and scalable security. The architecture can host multiple certificate authorities (CAs) from different vendors in a uniform and scalable manner. This facilitates scalable operation wit... View full abstract»

    Full text access may be available. Click article title to sign in or learn about subscription options.
  • A policy-based access control mechanism for the corporate Web

    Publication Year: 2000, Page(s):150 - 158
    Cited by:  Papers (4)  |  Patents (3)
    Request permission for reuse | Click to expandAbstract | PDF file iconPDF (789 KB)

    Current Web technologies use access control lists (ACLs) for enforcing regulations and practices governing businesses today. Having the policy hard-coded into ACLs causes management and security problems which have sofar prevented intranets from achieving their full potential. This paper is about a concrete design of a mechanism that supports policies for regulating access to information via corpo... View full abstract»

    Full text access may be available. Click article title to sign in or learn about subscription options.
  • Dynamic access control through Petri net workflows

    Publication Year: 2000, Page(s):159 - 167
    Cited by:  Papers (28)  |  Patents (3)
    Request permission for reuse | Click to expandAbstract | PDF file iconPDF (713 KB)

    Access control is an important protection mechanism for information systems. An access control matrix grants subjects privileges to objects. Today, access control matrices are static they rarely change over time. This paper shows how to make access control matrices dynamic by means of workflows. Access rights are granted according to the state of the workflow. By this practice the risk of data mis... View full abstract»

    Full text access may be available. Click article title to sign in or learn about subscription options.
  • Framework for role-based delegation models

    Publication Year: 2000, Page(s):168 - 176
    Cited by:  Papers (91)  |  Patents (3)
    Request permission for reuse | Click to expandAbstract | PDF file iconPDF (623 KB)

    The basic idea behind delegation is that some active entity in a system delegates authority to another active entity to carry out some functions on behalf of the former. Delegation in computer systems can take many forms: human to human, human to machine, machine to machine, and perhaps even machine to human. We focuses on the human to human form of delegation using roles. As we show, there are ma... View full abstract»

    Full text access may be available. Click article title to sign in or learn about subscription options.
  • A network audit system for host-based intrusion detection (NASHID) in Linux

    Publication Year: 2000, Page(s):178 - 187
    Cited by:  Papers (2)  |  Patents (2)
    Request permission for reuse | Click to expandAbstract | PDF file iconPDF (728 KB)

    Recent work has shown that conventional operating system audit trails are insufficient to detect low-level network attacks. Because audit trails are typically based upon system calls or application sources, operations in the network protocol stack go unaudited. Earlier work has determined the audit data needed to detect low-level network attacks. We describe an implementation of an audit system wh... View full abstract»

    Full text access may be available. Click article title to sign in or learn about subscription options.
  • Less harm, less worry or how to improve network security by bounding system offensiveness

    Publication Year: 2000, Page(s):188 - 195
    Cited by:  Papers (1)  |  Patents (1)
    Request permission for reuse | Click to expandAbstract | PDF file iconPDF (725 KB)

    We describe a new class of tools for protecting computer systems from security attacks. Their distinguished feature is the principle they are based on. Host or network protection is not achieved by strengthening their defenses but by weakening the enemy's offensive capabilities. A prototype tool has been implemented that demonstrates that such an approach is feasible and effective. We show that so... View full abstract»

    Full text access may be available. Click article title to sign in or learn about subscription options.
  • A self-extension monitoring for security management

    Publication Year: 2000, Page(s):196 - 203
    Cited by:  Papers (3)
    Request permission for reuse | Click to expandAbstract | PDF file iconPDF (790 KB)

    In the coming age of information warfare, information security patterns take on a more offensive than defensive stance. However most existing security systems remain passive and do not provide an active form of security protection. It is necessary to develop an active form of offensive approach to security protection in order to guard vital information infrastructures and thwart hackers. This pape... View full abstract»

    Full text access may be available. Click article title to sign in or learn about subscription options.
  • Collaboration: can it be done securely?

    Publication Year: 2000, Page(s): 206
    Request permission for reuse | PDF file iconPDF (49 KB)
    Full text access may be available. Click article title to sign in or learn about subscription options.
  • Security architecture for federated cooperative information systems

    Publication Year: 2000, Page(s):208 - 216
    Cited by:  Papers (1)
    Request permission for reuse | Click to expandAbstract | PDF file iconPDF (798 KB)

    We describe the design and implementation of a security architecture for a cooperative information system implemented with CORBA technologies. We first define a role-based policy for a specific case study. We then show how this policy is enforced by an architecture made of a selection of commercial off the shelf components and a small number of developed components. Finally, we focus on the intero... View full abstract»

    Full text access may be available. Click article title to sign in or learn about subscription options.