Workshop on Intrusion Detection and Network Monitoring

ID Technical Program   Monday, April 12, 1999

9:00am - 10:30am    
IDS Systems
Session Chair: Charles Antonelli, University of Michigan
Automated Intrusion Detection Methods Using NFR
Wenke Lee, Christopher Park, Salvatore J. Stolfo, Columbia University

Experience with EMERALD Thus Far
Phillip A. Porras, Peter G. Neumann, Teresa Lunt, SRI International

Defending Against the Wily Surfer - Web-Based Attacks and Defenses
Dan Klein, LoneWolf Systems

10:30am - 11:00am     Break

11:00am - 12:30pm
Network Data Processing and Storage
Session Chair: Dan Geer, CERTCO
Preprocessor Algorithm for Network Management Codebook
Minaxi Gupta, Mani Subramanian, Georgia Institute of Technology

The Packet Vault: Secure Storage of Network Data
Charles J. Antonelli, Matthew Undy, Peter Honeyman, Center for Information Technology Integration, University of Michigan

Real-Time Intrusion Detection and Suppression in ATM Networks
Ricardo Bettati, Wei Zhao, Dan Teodor, Texas A&M University

12:30pm - 2:00pm     Hosted Luncheon

2:00pm - 3:30pm
Invited Talks
Session Chair: Norm Laudermilch, UUNet/Worldcom

Design and Integration Principles for Large-Scale Infrastructure Protection
Edward Amoroso, AT&T
Basic intrusion detection design and integration principles are outlined for practical large-scale infrastructure protection schemes. Issues in the development of middleware for multi-vendor interoperability, algorithms for high-volume alarm processing, and visualization techniques for intrusion display are included.

Experiences Learned from Bro
Vern Paxson, Network Research Group, Lawrence Berkeley National Labs
Bro is a system for detecting network intruders in real time by passively monitoring a network link. Its design emphasizes high-speed (FDDI-rate) monitoring, real-time notification, clear separation between mechanism and policy, and extensibility. To achieve these ends, Bro is divided into an "event engine" that reduces a kernel-filtered network traffic stream into a series of higher-level events, and a "policy script interpreter" that interprets event handlers written in a specialized language used to express a site's security policy. Bro has been in production use since early 1996. We discuss the structure of the system and the lessons learned from our experiences, with an emphasis on some of the key challenges for future intrusion detection systems.

3:30pm - 4:00pm     Break

4:00pm - 5:30pm
Statistics and Anomalies
Session Chair: Marcus Ranum, Network Flight Recorder, Inc.
A Statistical Method for Profiling Network Traffic
David Marchette, Naval Surface Warfare Center, Dahlgren Division

Transaction-Based Anomaly Detection
Roland Buschkes, Mark Borning, Aachen University of Technology

5:00pm - 5:30pm     Works-in-Progress Reports (WIPs)
Session Chair: Marcus Ranum, Network Flight Recorder, Inc.
Do you have interesting work you would like to share, or a cool idea that is not yet ready to be published? The USENIX audience provides valuable discussion and feedback. Short, pithy, and fun, Works-in-Progress Reports (WIPs) introduce interesting new or ongoing work. We are particularly interested in presentation of student work. Prospective speakers should send a short one- or two-paragraph report, to

A schedule of presentations will be posted at the conference and the speakers will be notified in advance. Works-in-Progress Reports are five-minute presentations; the time limit will be strictly enforced.
