ECS 289M: Computer Security Research in Attack Analysis, Countermeasures, and Detection (Spring 2010)

Basic Course Details:

  • Instructor: Professor Sean Peisert
    • Email: peisert@cs.ucdavis.edu
    • Office Location: 2111 Watershed
    • Office Hours: Tuesday/Thursday 3:30pm-4:30pm and by appointment

  • Meeting place and time:
    • 1134 Bainer 110 Hunt, Tuesday/Thursday 4:40pm-6:00pm
    • No class on Tuesday, May 18 (Oakland conference)

  • CRN: 83420

  • Prereqs: ECS 150, 153, 235A, or permission of instructor.

  • Concept: We will discuss concepts and papers at each class session. Students will volunteer (or be volunteered) to rotate presenting papers to the class. Over the course of the quarter, students will gather ideas to do a course project, which will be due in lieu of a final exam on the last day of class.

  • Grading:
    • Project/Homework: 65% of final grade
    • Paper presentation: 15% of final grade
    • General class participation: 20% of final grade

Course Outline and Reading (Rough)

Discussion Date: Topic/Theme/Papers
Tuesday, March 29 Intro to the Class

no reading yet

Thursday, April 1 War stories

Julie Amero case

Cliff Stoll, "Stalking the Wily Hacker," CACM 31(5), May 1988.

Bill Cheswick, "Evening with Berferd," Proc. of the Winter USENIX Conference, 1990.

Tsutomu Shimomura. Testimony before the United States House of Representatives Committee on Science, Subcommittee on Technology, February 11, 1997.

Andrew H. Gross, "Analyzing Computer Intrusions," Ph.D. Dissertation, University of California, San Diego, 1997. (§1.1 only)

Further reading:
Cliff Stoll, The Cuckoo's Egg, Pocket Books, 1989.
Tsutomu Shimomura and John Markoff, Takedown, Hyperion Press, 1996.
Tuesday, April 6 Current state of forensics

Brian Carrier, "Getting Physical with the Digital Investigation Process," J. of Digital Evidence 2(2), Nov. 2003.

Sean Peisert, Matt Bishop, Sidney Karin, and Keith Marzullo, "Principles-Driven Forensic Analysis," Proc. of NSPW'05, September 2005.

Thursday, April 8 Current state of forensic applications: law, e-voting, human resources, crime, hackers

Sean Peisert, Matt Bishop, and Keith Marzullo, "Computer Forensics In Forensis," Proc. of IEEE-SADFE'08, May 2008.

Steven J. Greenwald, "High Assurance Digital Forensics: A Panelist's Perspective," Proc. of SADFE'09, May 2009.

Matt Bishop, Sean Peisert, Candice Hoke, Mark Graff, and David Jefferson, "E-Voting and Forensics: Prying Open the Black Box," Proc. of EVT/WOTE'09, August 2009.

Matt Bishop, Mark Graff, Candice Hoke, David Jefferson, and Sean Peisert, "Resolving the Unexpected in Elections: Election Officials' Options," Tech Report, October 2008.

Further reading:
Fred Chris Smith and Rebecca Gurley Bace, A Guide to Forensic Testimony: The Art and Practice of Presenting Testimony As An Expert Technical Witness, Addison Wesley Professional, 2003.
National Research Council of the National Academies. Strengthening Forensic Science in the United States: A Path Forward, National Academies Press, 2009.
A. Yasinsac, D. Wagner, M. Bishop, T. Baker, B. de Medeiros, G. Tyson, M. Shamos, and M. Burmester, Software Review and Security Analysis of the ES&S iVotronic 8.0.1.2 Voting Machine Firmware, Security and Assurance in Information Technology Laboratory, Florida State University, Tallahassee, FL, February 2007.
Tuesday, April 13 Disk/filesystem Forensics

Brian Carrier, Sleuth Kit

Gene H. Kim and Eugene H. Spafford, "The design and implementation of Tripwire: a file system integrity checker," Proc. of the 2nd ACM CCS, 1994.

Andrew H. Gross, "Analyzing Computer Intrusions," Ph.D. Dissertation, University of California, San Diego, 1997. (§4–5 only)

Further reading:
Dan Farmer and Wietse Venema, Forensic Discovery, Addison Wesley Professional, 2004. (text available freely online)
Brian Carrier, File System Forensic Analysis, Addison Wesley Professional, 2005.
Matt Bishop, Auditing Files on a Network of UNIX Machines, Proc. of the USENIX UNIX Security Workshop, 1988.
NIST Forensic Sciences Standards
NIST Computer Forensics Tool Testing Program
Thursday, April 15 Logging

Matt Bishop, "A Standard Audit Trail Format," Proc. of the 1995 National Information Systems Security Conference, 1995.

Bruce Schneier and John Kelsey, "Secure Audit Logs to Support Computer Forensics," ACM TISSEC 2(2), May 1999.

Sun's Basic Security Module (BSM)

Tuesday, April 20 Host forensics

Samuel T. King and Peter M. Chen, "Backtracking Intrusions," ACM TOCS 23(1), February 2005.

Sean Peisert, Matt Bishop, Sidney Karin, and Keith Marzullo, "Analysis of Computer Intrusions Using Sequences of Function Calls," IEEE TDSC 4(2), April–June 2007.

Ashvin Goel, Wu-chang Feng, David Maier, Wu-chi Feng, and Jonathan Walpole, "Forensix: A Robust, High-Performance Reconstruction System," Proc. of the International Conference on Distributed Computing Systems, 2005.

Further reading:
Chris Eagle, The IDA Pro Book: The Unofficial Guide to the World's Most Popular Disassembler, No Starch Press, 2008.
Thursday, April 22 Network forensics (1)

Stefan Savage, David Wetherall, Anna Karlin, and Tom Anderson, "Practical network support for IP traceback," Proc. of ACM SIGCOMM'00, 2000.

Peter Sommer, "Intrusion Detection Systems as Evidence," Proc. of RAID, 1998.

Peter Stephenson, "The Application of Intrusion Detection Systems in a Forensic Environment," (extended abstract), Proc. of RAID, 2000.

Further reading:
James A. Hoagland, Christopher Wee, and Karl N. Levitt, "Audit Log Analysis Using the Visual Audit Browser," Technical Report CSE-95-11, UC Davis, 1995.
Tuesday, April 27 Network forensics (2), Virtual machine introspection and the "observer" effect (1)

Samuel T. King, Z. Morley Mao, Dominic G. Lucchetti, and Peter M. Chen, "Enriching Intrusion Alerts Through Multi-Host Causality," Proc. of NDSS, 2005.

Wei Wang and Thomas E. Daniels, "A Graph Based Approach Toward Network Forensics Analysis," ACM TISSEC 12(1), 2008.

George W. Dunlap, Samuel T. King, Sukru Cinar, Murtaza A. Basrai and Peter M. Chen, "ReVirt: enabling intrusion analysis through virtual-machine logging and replay," Proc. of OSDI, 2002.

Samuel T. King, George W. Dunlap, and Peter M. Chen, "Debugging Operating Systems with Time-Traveling Virtual Machines," Proc. of USENIX'05, April 2005.

Further reading:
Satish Narayanasamy, Gilles Pokam and Brad Calder, "BugNet: Recording Application Level Execution for Deterministic Replay Debugging," Proc. of ISCA, 2005.
Daniela A. S. de Oliveira, Jedidiah R. Crandall, Gary M. Wassermann, S. Felix Wu, Zhendong Su, and Frederic T. Chong, "ExecRecorder: VM-Based Full-System Replay for Attack Analysis and System Recovery," Proc. of ASID (Workshop on Architectural and System Support for Improving Software Dependability), 2006.
Yin Zhang and Vern Paxson, "Detecting Stepping Stones," Proc. of the 9th USENIX Security, 2000.
David L. Donoho, Ana Georgina Flesia, Umesh Shankar, Vern Paxson, Jason Coit, and Stuart Staniford, "Multiscale Stepping-Stone Detection: Detecting Pairs of Jittered Interactive Streams by Exploiting Maximum Tolerable Delay," Proc. of RAID, 2002.
Thursday, April 29 VMs (2) and Models (1)

Brian Payne, "Secure and Flexible Monitoring of Virtual Machines," Proc. of ACSAC, 2007.

Brian Hay and Kara Nance, "Forensic Examination of Volatile System Data Using Virtual Introspection," ACM SIGOPS, 42(3), 2008.

Matt Bishop, "A Model of Security Monitoring," Proc. of ACSAC, December 1989.

Further reading:
Bryan D. Payne, Martim Carbone, Monirul Sharif, and Wenke Lee, "Lares: An Architecture for Secure Active Monitoring Using Virtualization," Proc. of IEEE S&P (Oakland), 2008.
Kara Nance, Brian Hay, and Matt Bishop, "Virtual Machine Introspection," IEEE Security & Privacy, 6(5):32-37, September/October 2008.
Tuesday, May 4 Models (2)

Matt Bishop, "A Model of Security Monitoring," Proc. of ACSAC, December 1989.

Matt Bishop, Christopher Wee, and Jeremy Frank, "Goal-Oriented Logging and Auditing," 1996 (re-published as Computer Security: Art and Science §24.3)

Sean Peisert, Matt Bishop, Sidney Karin, and Keith Marzullo, "Toward Models for Forensic Analysis," Proc. of SADFE'07, April 2007.

Further reading:
Sean Peisert and Matt Bishop, "How to Design Computer Security Experiments," Proc. of WISE, 2007.
John McHugh, "Testing Intrusion Detection Systems: A Critique of the 1998 and 1999 DARPA Intrusion Detection System Evaluations as Performed by the Lincoln Laboratory," ACM TISSEC, 3(4), November 2000.
Stefan Axelsson, "The Base-Rate Fallacy and the Difficulty of Intrusion Detection," ACM TISSEC, 3(3), August 2000.
Kymie M.C. Tan and Roy A. Maxion, "'Why 6?'—Defining the Operational Limits of stide, an Anomaly-Based Intrusion Detector," Proc. of IEEE S&P (Oakland), 2002.
Thursday, May 6 Models (3)

Andrew H. Gross, "Analyzing Computer Intrusions," Ph.D. Dissertation, University of California, San Diego, 1997. (§2–3 only)

Fred B. Schneider, "Enforceable Security Policies," ACM TISSEC, 3(1), Feb. 2000.

Mark M. Pollitt, "An Ad Hoc Review of Digital Forensic Models," Proc. of SADFE, 2007. (available via Smartsite under "Resources")

Further reading:
Úlfar Erlingsson and Fred B. Schneider, "SASI Enforcement of Security Policies: A Retrospective," Proc. of NSPW, 1999.
Kevin W. Hamlen, Greg Morrisett, and Fred B. Schneider, "Computability Classes for Enforcement Mechanisms," ACM TOPLAS, 28(1), 2005.
Tuesday, May 11 Models (4)

Florian Buchholz and Clay Shields, "Providing Process Origin Information to Aid in Computer Forensic Investigations," J. of Computer Security 12(5), September 2004.

Benjamin A. Kuperman, A Categorization of Computer Security Monitoring Systems and the Impact on the Design of Audit Sources, PhD Dissertation, Purdue University, 2004. (§3–5 only)

Thursday, May 13 Models (5) and Insider Threat (1)

Christian W. Probst and René R. Hansen, "Analysing Access Control Specifications," Proc. of SADFE, 2009. (available via Smartsite under "Resources")

Christian W. Probst, Jeffrey Hunker, Matt Bishop, and Dieter Gollmann, Countering Insider Threats (Dagstuhl Seminar Proceedings), 2008.

Further reading:
Dan Farmer and Wietse Venema, Forensic Discovery, Addison Wesley Professional, 2004. (§ 5, 6, and 8 only)
Tuesday, May 18 No Class: Oakland Conference
Thursday, May 20 Insider threat (2) and Investigations of the scope and economics of Internet crime

Peter G. Neumann, "Combatting Insider Misuse, with Relevance to Integrity and Accountability in Elections and Other Applications," Dagstuhl Workshop on Insider Threats, 2008.

Matt Bishop, Sophie Engle, Deborah A. Frincke, Carrie Gates, Frank L. Greitzer, Sean Peisert, and Sean Whalen, "A Risk Management Approach to the 'Insider Threat,'" Insider Threats in Cyber Security, Springer Verlag, 2010.

Jason Franklin, Vern Paxson, Stefan Savage, and Adrian Perrig, "An Inquiry into the Nature and Causes of the Wealth of Internet Miscreants," Proc. of ACM CCS, 2007.

Chris Kanich, Christian Kreibich, Kirill Levchenko, Brandon Enright, Geoffrey M. Voelker, Vern Paxson, and Stefan Savage, "Spamalytics: An Empirical Analysis of Spam Marketing Conversion," CACM 52(9):99-107, 2009.

Further reading:
Matt Bishop, Sophie Engle, Sean Peisert, Sean Whalen, and Carrie Gates, "We Have Met the Enemy and He is Us," Proc. of NSPW, 2008.
Matt Bishop, Sophie Engle, Sean Peisert, Sean Whalen, and Carrie Gates, "Case Studies of an Insider Framework," Proc. of HICSS, 2009.
Sara Sinclair and Sean W. Smith, "Preventative Directions For Insider Threat Mitigation Via Access Control," Insider Attack and Cyber Security: Beyond the Hacker, Springer-Verlag, 2008.
David S. Anderson, Chris Fleizach, Stefan Savage, and Geoffrey M. Voelker, "Spamscatter: Characterizing Internet Scam Hosting Infrastructure," Proc. of USENIX Security, 2007.
Christian Kreibich, Chris Kanich, Kirill Levchenko, Brandon Enright, Geoffrey M. Voelker, Vern Paxson, and Stefan Savage, "Spamcraft: An Inside Look at Spam Campaign Orchestration," Proc. of LEET, 2009.
Tuesday, May 25 Guest Lecture
Thursday, May 27 Guest Lecture
Tuesday, June 1 Student Presentations
Thursday, June 3 Student Presentations

Project/Homework

Details TBA.