Check out the new USENIX Web site.
Workshop on Intrusion Detection and Network Monitoring
Table of Contents Questions? Contact the USENIX Conference Office
[Sunday, April 11]   [Monday, April 12]

ID Technical Program   Sunday, April 11, 1999

9:00am - 10:30am     Opening Session

Opening Remarks
Marcus Ranum, Program Chair

Keynote Address:
Challenges for Anomaly and Misuse Detection

Peter G. Neumann, Principal Scientist Computer Science Laboratory, SRI International The field somewhat mistakenly called "intrusion detection" needs to broaden its scope of endeavor in various respects, and overcome some of the characteristic difficulties that have slowed its progress. This talk will address several such approaches:

  • Generalizing the domains of detectability to include other aspects such as reliability, survivability, and financial stability
  • Providing unprecedented flexibility and interoperability among different analysis systems
  • Integrating with other computer-communication technologies such as heterogeneous network management and the Web
  • Incorporating robust tamperproofing and modern software engineering into future systems for analysis and response
  • Enabling sound dynamic reconfigurability based on analysis results
  • Research directions
  • The need for robust open-source systems and ongoing testbed environments
  • Greater forcing functions needed on developers of operating system components and applications.
 Peter G. Neumann has worked on survivability since the mid-1950s, on system security starting with Multics in 1965, on intrusion detection since 1983, and on reliability, safety and risks more recently. He is author of the Addison-Wesley book Computer-Related Risks and moderates the RISKS Forum newsgroup (comp.risks). He also is a Fellow of ACM, IEEE, and AAAS. He holds a 1961 PhD from Harvard and a 1960 Dr. rerum naturarum Technische Hochschule from Darmstadt. See his Web site at for Congressional testimonies, RISKS information, and further background.

10:30am - 11:00am     Break

11:00am - 12:30pm
Analysis and Large Networks
Session Chair: Fred Avolio, Avolio Consulting
Analysis Techniques for Detecting Coordinated Attacks and Probes
Tim Aldrich, Stephen Northcutt, Bill Ralph, Naval Surface Warfare Center Dahlgren Division

Intrusion Detection and Intrusion Prevention on a Large Network: A Case Study
Tom Dunigan, Greg Hinkel, Oak Ridge National Laboratory

An Eye on Network Intruder-Administrator Shootouts
Luc Girardin, UBS, Ubilab

12:30pm - 2:00pm     Lunch (on your own)

2:00pm - 3:30pm
Invited Talks
Session Chair: Marcus Ranum, Network Flight Recorder, Inc.

Why Monitoring Mobile Code Is Harder Than It Sounds
Gary McGraw, Reliable Software Technologies
Mobile code is code that traverses a network during its lifetime and is able to execute at the destination machine. The idea behind mobile code is actually quite simple -sending around data that can be automatically executed wherever it arrives, anywhere on the network. The problem is this: running someone else's code on your computer is a risky activity. Who is to say what the code might try to do and whether or not its activities will be malicious? This is not a new problem by any stretch of the imagination. In fact, it's really an old problem with a new twist. There are many well-known systems for creating and using mobile code. From a security perspective, Java clearly leads the pack. Monitoring mobile code presents some interesting challenges. First and foremost is the problem of identifying mobile code before it runs. Naive approaches, which include scanning port 80 traffic for the <APPLET> tag, are known not to work. Another problem is determining which resources mobile code should and should not be allowed to access, and making sure the policy is enforced. Complex policy-oriented systems like JDK 1.2 (based on code signing and access control lists) may actually make things harder.

3:30pm - 4:00pm     Break

4:00pm - 5:30pm
Software and Processes
Session Chair: Tina Darmohray, SystemExperts, Corp.
On Preventing Intrusions by Process Behavior Monitoring
R. Sekar, Iowa State University; Thomas Bowen, Mark Seagal, Bellcore

Intrusion Detection Through Dynamic Software Measurement
Sebastian Elbaum, John C. Munson, University of Idaho

Learning Program Behavior Profiles for Intrusion Detection
Anup Ghosh, Aaron Schwartzbard, Michael Schatz, Reliable Software Technologies

7:00pm - 9:00pm     Birds-of-a-Feather Sessions

Do you have a topic that you'd like to discuss with others? Our Birds-of-a-Feather sessions may be perfect for you. BoFs are very interactive and informal gatherings for attendees interested in a particular topic. BoFs may be scheduled in advance or on-site at the symposium. Schedule your BoF in advance by telephoning the USENIX Conference Office at 1.949.588.8649, or sending email to:


[Sunday, April 11]   [Monday, April 12]

Conference on Network Administration  Networking Tutorials  Workshop on Intrusion Detection and Networking Monitoring
Program at-a-Glance -  Activities & Services -  Hotel & Travel Info -  Registration -
Networking '99
Events Calendar