ID Technical Program   Sunday, April 11, 1999

Opening Remarks
Marcus Ranum, Program Chair

Keynote Address:
Challenges for Anomaly and Misuse Detection
Peter G. Neumann, Principal Scientist Computer Science Laboratory, SRI International The field somewhat mistakenly called "intrusion detection" needs to broaden its scope of endeavor in various respects, and overcome some of the characteristic difficulties that have slowed its progress. This talk will address several such approaches:

• Generalizing the domains of detectability to include other aspects such as reliability, survivability, and financial stability
• Providing unprecedented flexibility and interoperability among different analysis systems
• Integrating with other computer-communication technologies such as heterogeneous network management and the Web
• Incorporating robust tamperproofing and modern software engineering into future systems for analysis and response
• Enabling sound dynamic reconfigurability based on analysis results
• Research directions
• The need for robust open-source systems and ongoing testbed environments
• Greater forcing functions needed on developers of operating system components and applications.

Intrusion Detection and Intrusion Prevention on a Large Network: A Case Study
Tom Dunigan, Greg Hinkel, Oak Ridge National Laboratory

An Eye on Network Intruder-Administrator Shootouts
Luc Girardin, UBS, Ubilab

Why Monitoring Mobile Code Is Harder Than It Sounds
Gary McGraw, Reliable Software Technologies Mobile code is code that traverses a network during its lifetime and is able to execute at the destination machine. The idea behind mobile code is actually quite simple -sending around data that can be automatically executed wherever it arrives, anywhere on the network. The problem is this: running someone else's code on your computer is a risky activity. Who is to say what the code might try to do and whether or not its activities will be malicious? This is not a new problem by any stretch of the imagination. In fact, it's really an old problem with a new twist. There are many well-known systems for creating and using mobile code. From a security perspective, Java clearly leads the pack. Monitoring mobile code presents some interesting challenges. First and foremost is the problem of identifying mobile code before it runs. Naive approaches, which include scanning port 80 traffic for the <APPLET> tag, are known not to work. Another problem is determining which resources mobile code should and should not be allowed to access, and making sure the policy is enforced. Complex policy-oriented systems like JDK 1.2 (based on code signing and access control lists) may actually make things harder.

Intrusion Detection Through Dynamic Software Measurement
Sebastian Elbaum, John C. Munson, University of Idaho

Learning Program Behavior Profiles for Intrusion Detection
Anup Ghosh, Aaron Schwartzbard, Michael Schatz, Reliable Software Technologies

Do you have a topic that you'd like to discuss with others? Our Birds-of-a-Feather sessions may be perfect for you. BoFs are very interactive and informal gatherings for attendees interested in a particular topic. BoFs may be scheduled in advance or on-site at the symposium. Schedule your BoF in advance by telephoning the USENIX Conference Office at 1.949.588.8649, or sending email to: conference@usenix.org