Check out the new USENIX Web site.
USENIX Security Symposium, August 4-8, 2003, Washington, DC, USA
USENIX '03 Home  | USENIX Home  | Events  | Publications  | Membership



At a Glance


Technical Sessions

Ask the Experts







Program PDF



Author Instructions

Speaker Instructions

Call for Papers

Past Proceedings

Register Now!     TUTORIALS

To meet your needs, the Tutorial Program at the 12th USENIX Security Symposium provides in-depth, immediately useful instruction in the latest techniques, effective tools, and best strategies. USENIX tutorials survey the topic, then dive right into the specifics of what to do and how to do it. Instructors are well-known experts in their fields, selected for their ability to teach complex subjects. Attend USENIX tutorials at Security '03 and take valuable skills back to your company or organization. Register now to guarantee your first choice—seating is limited.

Monday, August 4, 2003    
M1 Intrusion Detection and Prevention Systems NEW
M2 Logging & Security: Building an Enterprise Logging Infrastructure
M3 WiFi Security: The Trials and Tribulations of Designing, Deploying, and Using WiFi Networks Securely NEW
M4 DDoS Attacks and Defenses: Overview, Taxonomy, and Future Directions NEW
Tuesday, August 5, 2003
T1 Building Honey Pots for Intrusion Detection
T2 Hacking and Securing Web-Based Applications NEW
T3 Network Security Protocols: Theory and Current Standards
T4 Using FreeBSD's Advanced Security Features NEW
Our Guarantee

If you're not happy, we're not happy. If you feel a tutorial does not meet the high standards you have come to expect from USENIX, let us know by the first break and we will change you to any other available tutorial immediately.

Continuing Education Units (CEUs)
USENIX provides Continuing Education Units for a small additional administrative fee. The CEU is a nationally recognized standard unit of measure for continuing education and training and is used by thousands of organizations. Each full-day tutorial, or two half-day tutorials, qualifies for 0.6 CEUs. You can request CEU credit by completing the CEU section on the registration form. USENIX provides a certificate for each attendee taking a tutorial for CEU credit and maintains transcripts for all CEU students. CEUs are not the same as college credits. Consult your employer or school to determine their applicability.

Monday, August 4, 2003

Marcus Ranum, Consultant

Who should attend: Network or security managers responsible for an IDS roll-out, security auditors interested in assessing IDS capabilities, security managers involved in IDS product selection.

Overview: This workshop covers the real-world issues you'll encounter as part of doing an Intrusion Detection Roll-out or product selection. Attendees will learn the advantages and disadvantages of popular approaches to Intrusion Detection Systems (IDSes), how to deal with false positives and noise, where to deploy IDSes, how to test them, how to build out-of-band IDS management networks, and how they interact with switches, routers, and firewalls.

Topics include:

  • Technologies
    • IDS and IPS: what they are and how they work
    • Burglar alarms and honeypots - low-rent IDS
    • Misuse detection and anomaly detection
    • False Positives, Noise, and False alarms
    • Does freeware stack up to the commercial products?
  • Deployment Issues
    • Where to place IDS within the network
    • Alert tuning: what it is and how it works
    • How to estimate the size of an IDS deployment
    • How to size and design a logging / management architecture
    • Tools and tricks for logging and event correlation
    • A typical IDS roll-out
    • How to test an IDS for correct function
    • IDS benchmarks: bogus and bogusest
  • Management Issues
    • How to justify the expenditures on an IDS to management
    • Cyclical maintenance
    • Alert management procedures

Marcus J. Ranum ( is a world-renowned expert on security system design and implementation. He is recognized as the inventor of the proxy firewall and the implementor of the first commercial firewall product. Since the late 1980's, he has designed a number of groundbreaking security products including the DEC SEAL, the TIS firewall toolkit, the Gauntlet firewall, and NFR's Network Flight Recorder intrusion detection system. Marcus has served as a consultant to many FORTUNE 500 firms and national governments, as well as serving as a guest lecturer and instructor at numerous high-tech conferences. Widely known as a teacher and industry visionary, he has been the recipient of both the TISC Clue award and the ISSA lifetime achievement award.

Tina Bird, Stanford University

Who should attend: System administrators and network managers responsible for monitoring and maintaining the health and well-being of computers and network devices in an enterprise environment. Although some review is provided, participants should be familiar with the UNIX and Windows operating systems and basic network security.

Overview: The purpose of this tutorial is to illustrate the importance of a network-wide centralized logging infrastructure, to introduce several approaches to monitoring audit logs, and to explain the types of information and forensics that can be obtained with well-managed logging systems.

Every device on your network--routers, servers, firewalls, application software--spits out millions of lines of audit information a day. Hidden within the data that indicate normal day-to-day operation (and known problems) are the first clues that systems are breaking down, attackers are breaking in, and end users are breaking up. If you manage that data flow, you can run your networks more effectively.

Topics include:

  • The extent of the audit problem: How much data are you generating every day, and how useful is it?
  • Logfile content: Improving the quality of the data in your logs
  • Logfile generation: syslog and its relatives, including building a central loghost, and integrating MS Windows systems into your UNIX log system
  • Log management: Centralization, parsing, and storing all that data
  • Legal issues: What you can do to be sure you can use your logfiles for human resources issues and for legal prosecutions

This class won't teach you how to write Perl scripts to simplify your logfiles. It will teach you how to build a log management infrastructure, how to figure out what your log data means, and what in the world you do with it once you've acquired it.

Tina Bird as a Computer Security Officer for Stanford University, works on the design and Tina Bird implementation of security infrastructure; providing security alerts for the 40,000-host network; healthcare information security; and extending Stanford's logging infrastructure. Tina moderates the Log Analysis and VPN mailing lists; with Marcus Ranum, she runs Tina has a B.S. in physics from the University of Notre Dame and a master's degree and Ph.D. in astrophysics from the University of Minnesota.

William Arbaugh, University of Maryland, College Park

Who should attend: Designers, administrators, and power users of WiFi networks who need to design, deploy, and/or operate a WiFi network. Previous experience with or knowledge of wireless networking is helpful but not required.

Overview: This tutorial will present the security problems with current and legacy WiFi equipment, and then explain the more recent and proposed standard changes designed to mitigate and in some cases eliminate those problems, e.g., WiFi Protected Access (WPA) and Robust Security Network (RSN). Following the explanations, a detailed design example will be presented and the participants will be shown how to design, deploy, and test wireless architectures using legacy, WPA, and RSN equipment.

Finally, participants will be shown how to build and test an architecture using open source software.

Topics include:

  • Known attacks against legacy WiFi equipment and the open source tools used for the attacks
  • WiFi Protected Access and RSN: what are the changes, and what do they mean?
  • Designing a secure WiFi network
  • Deploying a secure WiFi network using open source tools
  • Testing your WiFi network using open source tools

William A. Arbaugh has spent over 15 years performing security research and engineering. Arbaugh and his students were among the first to identify security flaws in the IEEE 802.11 standard, as well as several proposed fixes to the standard. He and his students are actively involved in the IEEE and the IETF standards processes, doing their best to ensure that future standards are more robust. He and Jon Edney are the authors of a forthcoming book (Addison-Wesley, Fall 2003) entitled Wi-Fi Protected Access: Wireless Security and 802.11.

Jelena Mirkovic and Peter Reiher, UCLA

Who should attend: Researchers intending to contribute to DDoS defense, and field and security officers who need to understand and deal with DDoS attacks.

Overview: Distributed denial of service (DDoS) attacks are a great threat to the Internet, because their diffuse nature makes it difficult to control or stop them. This tutorial will describe how DDoS attacks work, based on analysis of actual attacks and the tools used to perpetrate them.

Topics include:

  • The best uses of the tools available today
  • Research that is likely to produce more powerful tools
  • Probable future trends in DDoS attacks
  • A taxonomy for classifying DDoS attack and defense mechanisms, which will aid in understanding the scope of the threat and the possible range of responses

Jelena Mirkovic is completing her doctorate at UCLA. She has designed and implemented a source-end DDoS defense system that stops outgoing DDoS attacks while preserving legitimate traffic. She has also participated in a number of DDoS research projects and panels and has authored several DDoS-related papers.

Peter Reiher is an adjunct associate professor at UCLA. His reseach focuses on distributed systems and security. Dr Reiher was a co-recipient of the Award for the Top 100 R&D Projects in the United States. He is the co-author of Disseminating Security Updates at Internet Scale (Kluwer Academic Pub, 2002), and Conductor: Distributed Adaptation for Heterogeneous Networks (Kluwer Academic Pub, 2002).

Tuesday, August 5, 2003

Marcus Ranum, Consultant

Who should attend: System and network managers with administrative skills and a security background. Attendees will benefit if they have at least basic UNIX system administration skills.

Overview: This class provides a technical introduction to the art of
building honey pot systems for intrusion detection and burglar-alarming networks. Attendees will learn how to assemble their own honey pot, install it, maintain it, keep it secure, and analyze the data from it.

Topics include:

  • Introduction
    • IDSes
    • Fundamentals of burglar alarms
    • Fundamentals of honey pots
    • Fundamentals of log-data analysis
    • Spoofing servers
  • Overview of honey pot design
    • Tools and techniques
    • Services
    • Port listeners
    • Arpd and arp spoofing
    • Honeyd: populating the world with fake systems
    • LaBrea tarpit and tarpitting
    • Spoofing server implementation walkthrough
    • Multiway address/traffic manipulation
    • Logging architecture: syslogs, XML logs, statistical processing
    • Simple tricks for information visualization
  • Management
    • How to get help in analyzing attacks
    • Keeping up to date
    • Legal Issues
    • Entrapment
    • Privacy
    • Liability

Marcus J. Ranum ( is a world-renowned expert on security system design and implementation. He is recognized as the inventor of the proxy firewall and the implementor of the first commercial firewall product. Since the late 1980's, he has designed a number of groundbreaking security products including the DEC SEAL, the TIS firewall toolkit, the Gauntlet firewall, and NFR's Network Flight Recorder intrusion detection system. Marcus has served as a consultant to many FORTUNE 500 firms and national governments, as well as serving as a guest lecturer and instructor at numerous high-tech conferences. Widely known as a teacher and industry visionary, he has been the recipient of both the TISC Clue award and the ISSA lifetime achievement award.

David Rhoades, Maven Security Consulting, Inc.

Who should attend: People who are auditing Web application security, developing Web applications, or managing the development of a Web application.

Overview: Although numerous commercial and freeware tools assist in locating network-level security vulnerabilities, these tools are incapable of locating application-level issues. This course will demonstrate how to identify security weaknesses for Web-enabled services that could be exploited by remote users.

With numerous real-world examples, this course is based on fact and experience, not theory. The material applies to Web portals, e-commerce, online banking, shopping, subscription-based services, and any Web-enabled application.

Topics include:

  • Information-gathering attacks: How hackers read between the lines
  • User sign-on process: Many sites contain serious flaws which expose them to the threat of bad publicity and loss of customer confidence
  • User sign-off process: Are users really signed off?
  • OS & Web server weaknesses: buffer overflows and default material
  • Encryption: Finding the weakest link
  • Session tracking
    • URL rewriting, basic authentication, and cookie: strengths and weaknesses
    • Session cloning, IP hopping, and other subtle dangers
    • A recipe for strong session IDs
  • Authentication: server, session, transactional
  • Transaction-level issues
    • Hidden form elements
    • Unexpected user input
    • GET vs. POST
    • JavaScript filters
    • Improper server logic

David Rhoades is president of Maven Security Consulting Inc. Since 1996 David has been providing information protection services for various Fortune 500 customers. His work has taken him across the United States, and to Europe and Asia, where he has lectured and consulted in various areas of information security. David holds a B.S. in computer engineering from Pennsylvania State University and is an instructor for the SANS Institute, the MIS Training Institute, and Sensecurity (based in Singapore).

Radia Perlman, Sun Microsystems

Who should attend: Anyone who wants to understand the theory behind network security protocol design, with an overview of the alphabet soup of standards and cryptography. This tutorial is especially useful for anyone who needs to design or implement a network security solution, but it is also useful to anyone who needs to understand existing offerings in order to deploy and manage them. Although the tutorial is technically deep, no background other than intellectual curiosity and a good night's sleep in the recent past is required.

Overview: First, without worrying about the details of particular standards, we discuss the pieces out of which all these protocols are built.

We then cover subtle design issues, such as how secure email interacts with distribution lists, how designs maximize security in the face of export laws, and the kinds of mistakes people generally make when designing protocols.

Armed with this conceptual knowledge of the toolkit of tricks, we describe and critique current standards.

Topics include:

  • What problems are we trying to solve?
  • Cryptography
  • Key distribution
    • Trust hierarchies
    • Public key (PKI) vs. secret key solutions
  • Handshake issues
    • Diffie-Hellman
    • Man-in-middle defense
    • Perfect forward secrecy
    • Reflection attacks
  • PKI standards
    • X.509
    • PKIX
  • Real-time protocols
    • SSL/TLS
    • IPsec (including AH, ESP, and IKE)
  • Secure email
  • Web security
    • URLs
    • Cookies
Radia Perlman is a Distinguished Engineer at Sun Microsystems. She is known for her contributions to bridging (spanning tree algorithm) and routing (link state routing), as well as security (sabotage-proof networks). She is the author of Interconnections: Bridges, Routers, Switches, and Internetworking Protocols, and co-author of Network Security: Private Communication in a Public World, two of the top 10 networking reference books, according to Network Magazine. She is one of the 25 people whose work has most influenced the networking industry, according to Data Communications Magazine. She holds about 50 issued patents, an S.B. and S.M in mathematics and a Ph.D. in computer science from MIT and an honorary doctorate from KTH, the Royal Institute of Technology in Sweden.

Mike DeGraw-Bertsch, Consultant

Who should attend: System administrators and managers responsible for securing IT assets whose requirements have outgrown their existing infrastructure. Participants should be familiar with basic system security, but expertise is not required. UNIX administration experience is expected, but work with FreeBSD is not assumed.

Overview: With complex new threats, shrinking budgets, and smaller staffs, just keeping up with today's security threats sometimes seems impossible. Enter FreeBSD, a widely distributed, secure, and free derivative of BSD UNIX, with powerful new functionality from the TrustedBSD project, including filesystem firewalls and Access Control Lists.

This tutorial addresses the risks companies face, discusses how to evaluate and lessen those risks, and shows how to use FreeBSD's new—and sometimes not-so-new—features to create cost-effective, secure computing environments. It also delves into FreeBSD's new functionality, looking at the security that's been added and the associated performance and ease-of-use costs. Participants will gain a general understanding of risk evaluation and threat mitigation techniques and will learn how FreeBSD's security features work, what they add and what they cost, and how to apply them.

Topics include:

  • Assessing risks
  • How TrustedBSD addresses the common criteria for IT security evaluation
  • Using FreeBSD's ports system to easily keep up with patches and security releases
  • Jails and virtual machines
  • File system and IP firewalls
  • Mandatory Access Controls and discretionary access controls
  • Pluggable Authentication Modules (PAM) and One-Time Passwords In Everything (OPIE)
  • Configuration walkthroughs for a secure:
    • firewall
    • log host
    • combination mail server, file server, and Kerberos server
    • client

Mike DeGraw-Bertsch has been working with FreeBSD for ten years and has been active in security for the last five years. He has written articles for the O'Reilly Network and SysAdmin Magazine and is writing UNIX Systems and Network Security for Springer-Verlag. Mike is a security and networking consultant and spends his free time as an ice hockey goalie.

?Need help? Use our Contacts page.

Last changed: 11 Aug. 2003 aw