<?xml version="1.0" encoding="utf-8" ?>

<rss version="2.0" 
   xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
   xmlns:admin="http://webns.net/mvcb/"
   xmlns:dc="http://purl.org/dc/elements/1.1/"
   xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
   xmlns:wfw="http://wellformedweb.org/CommentAPI/"
   xmlns:content="http://purl.org/rss/1.0/modules/content/"
   xmlns:creativeCommons="http://backend.userland.com/creativeCommonsRssModule">
<channel>
    <title>honeyblog - paper</title>
    <link>http://honeyblog.org/</link>
    <description>A blog on honeypots, honeynets, and more...</description>
    <dc:language>en</dc:language>
    <generator>Serendipity 1.3.1-1 - http://www.s9y.org/</generator>
    <managingEditor>thorsten.holz@gmail.com</managingEditor>
<pubDate>Wed, 03 Feb 2010 12:20:51 GMT</pubDate>

    <image>
        <url>http://honeyblog.org/templates/default/img/s9y_banner_small.png</url>
        <title>RSS: honeyblog - paper - A blog on honeypots, honeynets, and more...</title>
        <link>http://honeyblog.org/</link>
        <width>100</width>
        <height>21</height>
    </image>

<item>
    <title>&quot;A Practical Attack to De-Anonymize Social Network Users&quot;</title>
    <link>http://honeyblog.org/archives/51-A-Practical-Attack-to-De-Anonymize-Social-Network-Users.html</link>
            <category>paper</category>
    
    <comments>http://honeyblog.org/archives/51-A-Practical-Attack-to-De-Anonymize-Social-Network-Users.html#comments</comments>
    <wfw:comment>http://honeyblog.org/wfwcomment.php?cid=51</wfw:comment>

    <wfw:commentRss>http://honeyblog.org/rss.php?version=2.0&amp;type=comments&amp;cid=51</wfw:commentRss>
    

    <author>nospam@example.com (Thorsten Holz)</author>
    <content:encoded>
    In the last couple of months, &lt;a onclick=&quot;javascript: pageTracker._trackPageview(&#039;/extlink/www.iseclab.org/&#039;);&quot;  href=&quot;http://www.iseclab.org/&quot;&gt;we&lt;/a&gt; have worked on a technique to de-anonymize users based on the way they interact with social networks. The idea behind our attack is the fact that the &lt;em&gt;group memberships&lt;/em&gt; of a user (i.e., the groups of a social network to which a user belongs) is often sufficient to uniquely identify this user. This means that there are only a few (or in the best case only one) users of a social network that are a member of exactly the same groups. &lt;br /&gt;
&lt;br /&gt;
The attack scenario is the following: a malicious website wants to de-anonymize a user, i.e., find out the real name and identity of a visitor. The attack is implemented in two phases. In a first phase, we crawl the groups of a social network to determine the members of the different groups. This is our database from which we can generate a &lt;em&gt;group fingerprint&lt;/em&gt; per user. In the second phase, we use the well-known technique of &lt;a onclick=&quot;javascript: pageTracker._trackPageview(&#039;/extlink/bugzilla.mozilla.org/show_bug.cgi?id=147777&#039;);&quot;  href=&quot;https://bugzilla.mozilla.org/show_bug.cgi?id=147777&quot;&gt;history&lt;/a&gt; &lt;a onclick=&quot;javascript: pageTracker._trackPageview(&#039;/extlink/jeremiahgrossman.blogspot.com/2006/08/i-know-where-youve-been.html&#039;);&quot;  href=&quot;http://jeremiahgrossman.blogspot.com/2006/08/i-know-where-youve-been.html&quot;&gt;stealing&lt;/a&gt; to probe the browser&#039;s history for links to groups, thus determining the group fingerprint of the visitor. We can then compare this fingerprint to our database and de-anonymize the visitor. Even when unique identification is not possible, the attack might still significantly reduce the size of the set of candidates to which the victim belongs.&lt;br /&gt;
&lt;br /&gt;
As a proof-of-concept, we implemented the attack for &lt;a onclick=&quot;javascript: pageTracker._trackPageview(&#039;/extlink/www.xing.com/&#039;);&quot;  href=&quot;http://www.xing.com/&quot;&gt;XING&lt;/a&gt;, a well-known &quot;Social Network for Business Professionals&quot;. Please note that this attack is not specific to XING or any other social network - it is generally applicable to different kinds of modern web applications that contain unique links for users that can be probed via history stealing. We crawled the ~7000 public groups of XING and found about 1.8 million members that belong to at least one group. These users are vulnerable to our attack and we have a &lt;a onclick=&quot;javascript: pageTracker._trackPageview(&#039;/extlink/www.iseclab.org/people/gilbert/experiment/&#039;);&quot;  href=&quot;http://www.iseclab.org/people/gilbert/experiment/&quot;&gt;demo website&lt;/a&gt; to participate in our experiment. Note that this test is only successful if you are a member of XING and a member of at least one group. If you regularly participate in groups the chances are higher that we can successfully de-anonymize you :-)&lt;br /&gt;
&lt;br /&gt;
The following pictures show the different stages of the proof-of-concept attack:&lt;center&gt;&lt;br /&gt;
&lt;a class=&#039;serendipity_image_link&#039; href=&#039;http://honeyblog.org/uploads/stuff/Experiment2.png&#039; target=&quot;_blank&quot;&gt;&lt;!-- s9ymdb:31 --&gt;&lt;img class=&quot;serendipity_image_center&quot; width=&quot;110&quot; height=&quot;85&quot; style=&quot;border: 0px; padding-left: 5px; padding-right: 5px;&quot; src=&quot;http://honeyblog.org/uploads/stuff/Experiment2.serendipityThumb.png&quot; alt=&quot;&quot;  /&gt;&lt;/a&gt;&lt;a class=&#039;serendipity_image_link&#039; href=&#039;http://honeyblog.org/uploads/stuff/Experiment4.png&#039; target=&quot;_blank&quot;&gt;&lt;!-- s9ymdb:32 --&gt;&lt;img class=&quot;serendipity_image_center&quot; width=&quot;110&quot; height=&quot;85&quot; style=&quot;border: 0px; padding-left: 5px; padding-right: 5px;&quot; src=&quot;http://honeyblog.org/uploads/stuff/Experiment4.serendipityThumb.png&quot; alt=&quot;&quot;  /&gt;&lt;br /&gt;
&lt;/a&gt;&lt;a class=&#039;serendipity_image_link&#039; href=&#039;http://honeyblog.org/uploads/stuff/Experiment5-res.png&#039; target=&quot;_blank&quot;&gt;&lt;!-- s9ymdb:33 --&gt;&lt;img class=&quot;serendipity_image_center&quot; width=&quot;110&quot; height=&quot;85&quot; style=&quot;border: 0px; padding-left: 5px; padding-right: 5px;&quot; src=&quot;http://honeyblog.org/uploads/stuff/Experiment5-res.serendipityThumb.png&quot; alt=&quot;&quot;  /&gt;&lt;/a&gt;&lt;a class=&#039;serendipity_image_link&#039; href=&#039;http://honeyblog.org/uploads/stuff/Experiment6-res.png&#039; target=&quot;_blank&quot;&gt;&lt;!-- s9ymdb:34 --&gt;&lt;img class=&quot;serendipity_image_center&quot; width=&quot;110&quot; height=&quot;85&quot; style=&quot;border: 0px; padding-left: 5px; padding-right: 5px;&quot; src=&quot;http://honeyblog.org/uploads/stuff/Experiment6-res.serendipityThumb.png&quot; alt=&quot;&quot;  /&gt;&lt;/a&gt;&lt;/center&gt;&lt;br /&gt;
We have published a technical report that summarizes our preliminary results at &lt;a onclick=&quot;javascript: pageTracker._trackPageview(&#039;/extlink/www.iseclab.org/papers/sonda-TR.pdf&#039;);&quot;  href=&quot;http://www.iseclab.org/papers/sonda-TR.pdf&quot;&gt;http://www.iseclab.org/papers/sonda-TR.pdf&lt;/a&gt;. In the next couple of weeks, we will finish the work on the paper and present our results at the &lt;a onclick=&quot;javascript: pageTracker._trackPageview(&#039;/extlink/oakland31.cs.virginia.edu/&#039;);&quot;  href=&quot;http://oakland31.cs.virginia.edu/&quot;&gt;31st IEEE Symposium on Security &amp;amp; Privacy&lt;/a&gt; in May. A demo of the attack is available at &lt;a onclick=&quot;javascript: pageTracker._trackPageview(&#039;/extlink/www.iseclab.org/people/gilbert/experiment/&#039;);&quot;  href=&quot;http://www.iseclab.org/people/gilbert/experiment/&quot;&gt;http://www.iseclab.org/people/gilbert/experiment/&lt;/a&gt;. 
    </content:encoded>

    <pubDate>Mon, 01 Feb 2010 16:43:00 +0100</pubDate>
    <guid isPermaLink="false">http://honeyblog.org/archives/51-guid.html</guid>
    <creativeCommons:license>http://creativecommons.org/licenses/by-sa/3.0/</creativeCommons:license>
</item>
<item>
    <title>Data Set For Malware Clustering/Classification</title>
    <link>http://honeyblog.org/archives/50-Data-Set-For-Malware-ClusteringClassification.html</link>
            <category>malware</category>
            <category>paper</category>
    
    <comments>http://honeyblog.org/archives/50-Data-Set-For-Malware-ClusteringClassification.html#comments</comments>
    <wfw:comment>http://honeyblog.org/wfwcomment.php?cid=50</wfw:comment>

    <wfw:commentRss>http://honeyblog.org/rss.php?version=2.0&amp;type=comments&amp;cid=50</wfw:commentRss>
    

    <author>nospam@example.com (Thorsten Holz)</author>
    <content:encoded>
    About one month ago I blogged about our research on &lt;a href=&quot;http://honeyblog.org/archives/42-Automatic-Analysis-of-Malware-Behavior-using-Machine-Learning.html&quot;&gt;malware clustering and classification&lt;/a&gt;. We have now also released the full data set from our experiments, such that other people can reproduce the results and compare our approach to theirs. You can find all information at &lt;a onclick=&quot;javascript: pageTracker._trackPageview(&#039;/extlink/pi1.informatik.uni-mannheim.de/malheur/&#039;);&quot;  href=&quot;http://pi1.informatik.uni-mannheim.de/malheur/&quot;&gt;http://pi1.informatik.uni-mannheim.de/malheur/&lt;/a&gt;, together with a description of the different data.&lt;br /&gt;
&lt;br /&gt;
&lt;em&gt;Quick overview of the data&lt;/em&gt;:&lt;br /&gt;
&lt;blockquote&gt;Our reference data set is extracted from our large database of malware binaries maintained at &lt;a onclick=&quot;javascript: pageTracker._trackPageview(&#039;/extlink/cwsandbox.org&#039;);&quot;  href=&quot;http://cwsandbox.org&quot;&gt;CWSandbox&lt;/a&gt;. The malware binaries have been collected over a period of three years from a variety of sources. From the overall database, we select binaries which have been assigned to a known class of malware by the majority of six independent anti-virus products. We append the overall anti-virus label to the filename of each report. Although anti-virus labels suffer from inconsistency, we expect the selection using different scanners to be reasonably consistent and accurate. To compensate for the skewed distribution of classes, we discard classes with less than 20 samples and restrict the maximum contribution of each class to 300 binaries. The selected malware binaries are then executed and monitored using CWSandbox, resulting in a total of 3.133 behavior reports in MIST format. &lt;br /&gt;
&lt;br /&gt;
The application data set consists of seven chunks of malware binaries obtained from the anti-malware vendor Sunbelt Software. The binaries correspond to malware collected during seven consecutive days in August 2009 and originate from a variety of sources. Sunbelt Software uses these very samples to create and update signatures for their VIPRE anti-malware product as well as for their security data feed ThreatTrack. The complete test data set consists of 33.698 behavior reports in MIST format. &lt;/blockquote&gt;&lt;br /&gt;
The full technical report is available at &lt;a href=&quot;http://honeyblog.org/junkyard/paper/malheur-TR-2009.pdf&quot;&gt;http://honeyblog.org/junkyard/paper/malheur-TR-2009.pdf&lt;/a&gt;.&lt;br /&gt;
&lt;br /&gt;
&lt;em&gt;Update&lt;/em&gt;: I changed the terms within the description to use the correct description.&lt;br /&gt;
 
    </content:encoded>

    <pubDate>Fri, 29 Jan 2010 14:08:00 +0100</pubDate>
    <guid isPermaLink="false">http://honeyblog.org/archives/50-guid.html</guid>
    <creativeCommons:license>http://creativecommons.org/licenses/by-sa/3.0/</creativeCommons:license>
</item>
<item>
    <title>Call for Papers: LEET'10</title>
    <link>http://honeyblog.org/archives/49-Call-for-Papers-LEET10.html</link>
            <category>admin</category>
            <category>honeynets</category>
            <category>malware</category>
            <category>paper</category>
    
    <comments>http://honeyblog.org/archives/49-Call-for-Papers-LEET10.html#comments</comments>
    <wfw:comment>http://honeyblog.org/wfwcomment.php?cid=49</wfw:comment>

    <wfw:commentRss>http://honeyblog.org/rss.php?version=2.0&amp;type=comments&amp;cid=49</wfw:commentRss>
    

    <author>nospam@example.com (Thorsten Holz)</author>
    <content:encoded>
    The submissions deadline for the 3rd USENIX Workshop on Large-Scale Exploits and Emergent Threats (&lt;a onclick=&quot;javascript: pageTracker._trackPageview(&#039;/extlink/www.usenix.org/events/leet10/&#039;);&quot;  href=&quot;http://www.usenix.org/events/leet10/&quot;&gt;LEET &#039;10&lt;/a&gt;) is quickly approaching. Please submit your work by Thursday, February 25, 2010, 11:59 p.m. PST. The full call for papers is available at &lt;a onclick=&quot;javascript: pageTracker._trackPageview(&#039;/extlink/www.usenix.org/events/leet10/cfp/&#039;);&quot;  href=&quot;http://www.usenix.org/events/leet10/cfp/&quot;&gt;http://www.usenix.org/events/leet10/cfp/&lt;/a&gt;, see an overview below:&lt;br /&gt;
&lt;blockquote&gt;&lt;b&gt;Topics&lt;/b&gt;&lt;br /&gt;
Now in its third year, LEET continues to provide a unique forum for the discussion of threats to the confidentiality of our data, the integrity of digital transactions, and the dependability of the technologies we increasingly rely on. We encourage submissions of papers that focus on the malicious activities themselves (e.g., reconnaissance, exploitation, privilege escalation, rootkit installation, attack), our responses as defenders (e.g., prevention, detection, and mitigation), or the social, political, and economic goals driving these malicious activities and the legal and ethical codes guiding our defensive responses.&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;Overview&lt;/b&gt;&lt;br /&gt;
Information technology (IT) adds $2 trillion annually to the US economy alone. While these technologies have enabled significant global economic growth, they have become rich targets for malicious activity. The US Federal Bureau of Investigation (FBI) indicated that cyber crime reached an all-time high in 2008; cyber crime now ranks as the FBI&#039;s third highest priority, behind such dramatic threats as counter-terrorism and counter-espionage. Much of this malicious activity is driven by economic incentives, but recently we have seen the emergence of highly visible, politically motivated attacks. While the motivations for malicious behavior and the technical mechanisms that enable them remain rich areas of research, it is clear that today our global society is faced with a wide range of cyber criminal activities: spam, phishing, denial of service, click fraud, etc.&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;Workshop Format&lt;/b&gt;&lt;br /&gt;
LEET aims to be a true workshop, with the twin goals of fostering the development of preliminary work and helping to unify the broad community of researchers and practitioners who focus on worms, bots, spam, spyware, phishing, DDoS, and the ever-increasing palette of large-scale Internet-based threats. Intriguing preliminary results and thought-provoking ideas will be strongly favored; papers will be selected for their potential to stimulate discussion in the workshop. Each author will have 15 minutes to present his or her work, followed by 15 minutes of discussion with the workshop participants.&lt;/blockquote&gt;&lt;br /&gt;
 
    </content:encoded>

    <pubDate>Mon, 25 Jan 2010 09:03:00 +0100</pubDate>
    <guid isPermaLink="false">http://honeyblog.org/archives/49-guid.html</guid>
    <creativeCommons:license>http://creativecommons.org/licenses/by-sa/3.0/</creativeCommons:license>
</item>
<item>
    <title>&quot;Studying Aspects of the Underground Economy&quot;</title>
    <link>http://honeyblog.org/archives/48-Studying-Aspects-of-the-Underground-Economy.html</link>
            <category>honeynets</category>
            <category>malware</category>
            <category>paper</category>
    
    <comments>http://honeyblog.org/archives/48-Studying-Aspects-of-the-Underground-Economy.html#comments</comments>
    <wfw:comment>http://honeyblog.org/wfwcomment.php?cid=48</wfw:comment>

    <wfw:commentRss>http://honeyblog.org/rss.php?version=2.0&amp;type=comments&amp;cid=48</wfw:commentRss>
    

    <author>nospam@example.com (Thorsten Holz)</author>
    <content:encoded>
    Today I gave a  &lt;a onclick=&quot;javascript: pageTracker._trackPageview(&#039;/extlink/www.icsi.berkeley.edu/cgi-bin/events/event.pl?ID=000563&#039;);&quot;  href=&quot;http://www.icsi.berkeley.edu/cgi-bin/events/event.pl?ID=000563&quot;&gt;talk&lt;/a&gt; at the International Computer Science Institute (&lt;a onclick=&quot;javascript: pageTracker._trackPageview(&#039;/extlink/www.icsi.berkeley.edu/about/index.html&#039;);&quot;  href=&quot;http://www.icsi.berkeley.edu/about/index.html&quot;&gt;ICSI&lt;/a&gt;) that focussed on some of the research I did in the past year. The slides are now &lt;a href=&quot;http://honeyblog.org/junkyard/presentations/10_underground-economy_ICSI.pdf&quot;&gt;available&lt;/a&gt;.&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;Abstract&lt;/b&gt;:&lt;br /&gt;
With the growing digital economy, it comes as no surprise that criminal activities in digital business have led to a digital underground economy. Because it is such a fast-moving field, tracking and understanding this underground economy is difficult and most information in this area is vague. In this talk, we discuss several approaches to study the structure of these underground markets. In particular, we present a method with which it is possible to directly analyze the amount of data harvested through keylogger-based attacks in a highly automated fashion. Based on real-world data, we can get a glimpse into the digital underground economy. However, many open questions remain that will be discussed in the last part of the talk.&lt;br /&gt;
&lt;br /&gt;
You can get the slides at &lt;a href=&quot;http://honeyblog.org/junkyard/presentations/10_underground-economy_ICSI.pdf&quot;&gt;http://honeyblog.org/junkyard/presentations/10_underground-economy_ICSI.pdf&lt;/a&gt;.&lt;br /&gt;
 
    </content:encoded>

    <pubDate>Wed, 20 Jan 2010 06:53:00 +0100</pubDate>
    <guid isPermaLink="false">http://honeyblog.org/archives/48-guid.html</guid>
    <creativeCommons:license>http://creativecommons.org/licenses/by-sa/3.0/</creativeCommons:license>
</item>
<item>
    <title>Call for Papers: WEIS'10</title>
    <link>http://honeyblog.org/archives/47-Call-for-Papers-WEIS10.html</link>
            <category>admin</category>
            <category>paper</category>
    
    <comments>http://honeyblog.org/archives/47-Call-for-Papers-WEIS10.html#comments</comments>
    <wfw:comment>http://honeyblog.org/wfwcomment.php?cid=47</wfw:comment>

    <wfw:commentRss>http://honeyblog.org/rss.php?version=2.0&amp;type=comments&amp;cid=47</wfw:commentRss>
    

    <author>nospam@example.com (Thorsten Holz)</author>
    <content:encoded>
    I am happy to serve on the program committee of the 9th Workshop on the Economics of Information Security (&lt;a onclick=&quot;javascript: pageTracker._trackPageview(&#039;/extlink/weis2010.econinfosec.org/&#039;);&quot;  href=&quot;http://weis2010.econinfosec.org/&quot;&gt;WEIS&lt;/a&gt;). The &lt;a onclick=&quot;javascript: pageTracker._trackPageview(&#039;/extlink/weis2010.econinfosec.org/cfp.html&#039;);&quot;  href=&quot;http://weis2010.econinfosec.org/cfp.html&quot;&gt;Call for Papers&lt;/a&gt; is now available. WEIS will take place on June 7-8, 2010 at Harvard University, Cambridge, MA, USA.&lt;br /&gt;
&lt;br /&gt;
Important dates are:&lt;br /&gt;
&lt;ul&gt;&lt;li&gt;Submissions due: February 22, 2010&lt;/li&gt;&lt;li&gt;Notification of acceptance: April 2, 2010&lt;/li&gt;&lt;li&gt;Workshop: June 7-8, 2010&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;
Information security continues to grow in importance, as threats proliferate, privacy erodes, and attackers find new sources of value. Yet the security of information systems depends on more than just technology.  Good security requires an understanding of the incentives and tradeoffs inherent to the behavior of systems and organizations. As society’s dependence on information technology has deepened, policy makers, including the President of the United States, have taken notice.  Now more than ever, careful research is needed to accurately characterize threats and countermeasures, in both the public and private sectors.&lt;br /&gt;
&lt;br /&gt;
The Workshop on the Economics of Information Security (WEIS) is the leading forum for interdisciplinary scholarship on information security, combining expertise from the fields of economics, social science, business, law, policy and computer science. Prior workshops have explored the role of incentives between attackers and defenders, identified market failures dogging Internet security, and assessed investments in cyber-defense. This workshop will build on past efforts using empirical and analytic tools to not only understand threats, but also strengthen security through novel evaluations of available solutions. How should information risk be modeled given the constraints of rare incidence and high interdependence? How do individuals’ and organizations’ perceptions of privacy and security color their decision making?  How can we move towards a more secure information infrastructure and code base while accounting for the incentives of stakeholders? &lt;br /&gt;
&lt;br /&gt;
The full Call for Papers is available at &lt;a onclick=&quot;javascript: pageTracker._trackPageview(&#039;/extlink/weis2010.econinfosec.org/cfp.html&#039;);&quot;  href=&quot;http://weis2010.econinfosec.org/cfp.html&quot;&gt;http://weis2010.econinfosec.org/cfp.html&lt;/a&gt;.&lt;br /&gt;
 
    </content:encoded>

    <pubDate>Mon, 18 Jan 2010 19:15:00 +0100</pubDate>
    <guid isPermaLink="false">http://honeyblog.org/archives/47-guid.html</guid>
    <creativeCommons:license>http://creativecommons.org/licenses/by-sa/3.0/</creativeCommons:license>
</item>
<item>
    <title>Walowdac – Analysis of a Peer-to-Peer Botnet</title>
    <link>http://honeyblog.org/archives/44-Walowdac-Analysis-of-a-Peer-to-Peer-Botnet.html</link>
            <category>malware</category>
            <category>paper</category>
    
    <comments>http://honeyblog.org/archives/44-Walowdac-Analysis-of-a-Peer-to-Peer-Botnet.html#comments</comments>
    <wfw:comment>http://honeyblog.org/wfwcomment.php?cid=44</wfw:comment>

    <wfw:commentRss>http://honeyblog.org/rss.php?version=2.0&amp;type=comments&amp;cid=44</wfw:commentRss>
    

    <author>nospam@example.com (Thorsten Holz)</author>
    <content:encoded>
    &lt;a class=&#039;serendipity_image_link&#039; href=&#039;http://honeyblog.org/uploads/paper/wordclouds/waledac-wc.png&#039; onclick=&quot;F1 = window.open(&#039;/uploads/paper/wordclouds/waledac-wc.png&#039;,&#039;Zoom&#039;,&#039;height=554,width=822,top=180.5,left=316.5,toolbar=no,menubar=no,location=no,resize=1,resizable=1,scrollbars=yes&#039;); return false;&quot;&gt;&lt;!-- s9ymdb:29 --&gt;&lt;img class=&quot;serendipity_image_left&quot; width=&quot;110&quot; height=&quot;73&quot; style=&quot;float: left; border: 0px; padding-left: 5px; padding-right: 5px;&quot; src=&quot;http://honeyblog.org/uploads/paper/wordclouds/waledac-wc.serendipityThumb.png&quot; alt=&quot;&quot;  /&gt;&lt;/a&gt; One of the most interesting botnets of 2009 was Waledac: the botnet implements a peer-to-peer-based communication channel and it can be seen as the successor of Storm Worm, since it implemented many similar ideas (e.g., a very similar language for spam templates was used). The researchers from Trend Micro had published an &lt;a onclick=&quot;javascript: pageTracker._trackPageview(&#039;/extlink/us.trendmicro.com/imperia/md/content/us/pdf/threats/securitylibrary/infiltrating_the_waledac_botnet_v2.pdf&#039;);&quot;  href=&quot;http://us.trendmicro.com/imperia/md/content/us/pdf/threats/securitylibrary/infiltrating_the_waledac_botnet_v2.pdf&quot;&gt;analysis&lt;/a&gt; of the botnet and we also examined the botnet. The result is a paper entitled &quot;&lt;a href=&quot;http://honeyblog.org/junkyard/paper/waledac-ec2nd09.pdf&quot;&gt;Walowdac - Analysis of a Peer-to-Peer Botnet&lt;/a&gt;&quot;: instead of passively observing the network, we implemented an active infiltration component. We emulate the protocol of a bot and are able to observe the inner communication aspects of the network. As a result, we obtain an in-depth overview of the botnet that enables us to study different aspects of the network, e.g., efficiency of the spam campaigns or number of active bots. 
As a small peek at the results, the following picture shows the number of active bots in different countries on a specific day in August 2009. We can, for example, observe diurnal patterns and clearly see the effects of time zones on the size of the botnet:&lt;br /&gt;
&lt;br /&gt;
&lt;center&gt;&lt;a class=&#039;serendipity_image_link&#039; href=&#039;http://honeyblog.org/uploads/paper/unique_20090824.png&#039; onclick=&quot;F1 = window.open(&#039;/uploads/paper/unique_20090824.png&#039;,&#039;Zoom&#039;,&#039;height=1101,width=1989,top=-93,left=-267,toolbar=no,menubar=no,location=no,resize=1,resizable=1,scrollbars=yes&#039;); return false;&quot;&gt;&lt;!-- s9ymdb:30 --&gt;&lt;img class=&quot;serendipity_image_center&quot; width=&quot;110&quot; height=&quot;61&quot; style=&quot;border: 0px; padding-left: 5px; padding-right: 5px;&quot; src=&quot;http://honeyblog.org/uploads/paper/unique_20090824.serendipityThumb.png&quot; alt=&quot;&quot;  /&gt;&lt;/a&gt;&lt;/center&gt;&lt;br /&gt;
&lt;b&gt;Abstract&lt;/b&gt;:&lt;br /&gt;
A botnet is a network of compromised machines under the control of an attacker. Botnets are the driving force behind several misuses on the Internet, for example spam mails or automated identity theft. In this paper, we study the most prevalent peer-to-peer botnet in 2009: &lt;em&gt;Waledac&lt;/em&gt;. We present our infiltration of the Waledac botnet, which can be seen as the successor of the Storm Worm botnet. To achieve this we implemented a clone of the Waledac bot named &lt;em&gt;Walowdac&lt;/em&gt;. It implements the communication features of Waledac but does not cause any harm, i.e., no spam emails are sent and no other commands are executed. With the help of this tool we observed a minimum daily population of 55,000 Waledac bots and a total of roughly 390,000 infected machines throughout the world. Furthermore, we gathered internal information about the success rates of spam campaigns and newly introduced features like the theft of credentials from victim machines.&lt;br /&gt;
&lt;br /&gt;
The paper was joint work with Ben Stock, Jan Göbel, Markus Engelberth, and Felix C. Freiling. The full paper is available at &lt;a href=&quot;http://honeyblog.org/junkyard/paper/waledac-ec2nd09.pdf&quot;&gt;http://honeyblog.org/junkyard/paper/waledac-ec2nd09.pdf&lt;/a&gt; and it was published at &lt;a onclick=&quot;javascript: pageTracker._trackPageview(&#039;/extlink/2009.ec2nd.org/&#039;);&quot;  href=&quot;http://2009.ec2nd.org/&quot;&gt;EC2ND 2009&lt;/a&gt;.&lt;br /&gt;
&lt;br /&gt;
 
    </content:encoded>

    <pubDate>Sun, 03 Jan 2010 12:26:00 +0100</pubDate>
    <guid isPermaLink="false">http://honeyblog.org/archives/44-guid.html</guid>
    <creativeCommons:license>http://creativecommons.org/licenses/by-sa/3.0/</creativeCommons:license>
</item>
<item>
    <title>ADSandbox: Sandboxing JavaScript to fight Malicious Websites</title>
    <link>http://honeyblog.org/archives/43-ADSandbox-Sandboxing-JavaScript-to-fight-Malicious-Websites.html</link>
            <category>paper</category>
    
    <comments>http://honeyblog.org/archives/43-ADSandbox-Sandboxing-JavaScript-to-fight-Malicious-Websites.html#comments</comments>
    <wfw:comment>http://honeyblog.org/wfwcomment.php?cid=43</wfw:comment>

    <wfw:commentRss>http://honeyblog.org/rss.php?version=2.0&amp;type=comments&amp;cid=43</wfw:commentRss>
    

    <author>nospam@example.com (Thorsten Holz)</author>
    <content:encoded>
    &lt;a class=&#039;serendipity_image_link&#039; href=&#039;http://honeyblog.org/uploads/paper/wordclouds/adsandbox-wc.png&#039; onclick=&quot;F1 = window.open(&#039;/uploads/paper/wordclouds/adsandbox-wc.png&#039;,&#039;Zoom&#039;,&#039;height=327,width=849,top=294,left=303,toolbar=no,menubar=no,location=no,resize=1,resizable=1,scrollbars=yes&#039;); return false;&quot;&gt;&lt;!-- s9ymdb:28 --&gt;&lt;img class=&quot;serendipity_image_left&quot; width=&quot;110&quot; height=&quot;41&quot; style=&quot;float: left; border: 0px; padding-left: 5px; padding-right: 5px;&quot; src=&quot;http://honeyblog.org/uploads/paper/wordclouds/adsandbox-wc.serendipityThumb.png&quot; alt=&quot;&quot;  /&gt;&lt;/a&gt;Another project we were working on recently is automated analysis of JavaScript: many of the current &lt;a onclick=&quot;javascript: pageTracker._trackPageview(&#039;/extlink/research.google.com/archive/provos-2008a.pdf&#039;);&quot;  href=&quot;http://research.google.com/archive/provos-2008a.pdf&quot;&gt;drive-by download attacks&lt;/a&gt; are triggered by heap-spraying with the help of JavaScript. In order to develop new kinds of honeyclients and to potentially also protect end-users from this threat, we developed a dynamic approach to analyze JavaScript. The basic idea is to instrument a JavaScript interpreter and profile the execution of the code. With the help of certain heuristics, we can then detect malicious code. Full details are available in the &lt;a href=&quot;http://honeyblog.org/junkyard/paper/adsandbox-sac10.pdf&quot;&gt;paper&lt;/a&gt;. The paper itself will appear at the 25th  ACM Symposium On Applied Computing (&lt;a onclick=&quot;javascript: pageTracker._trackPageview(&#039;/extlink/www.acm.org/conferences/sac/sac2010/&#039;);&quot;  href=&quot;http://www.acm.org/conferences/sac/sac2010/&quot;&gt;SAC&#039;10&lt;/a&gt;) in March 2010. &lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;Abstract&lt;/b&gt;:&lt;br /&gt;
We present ADSandbox, an analysis system for malicious websites that focusses on detecting attacks through JavaScript. Since, in contrast to Java, JavaScript does not have any built-in sandbox concept, the idea is to execute any embedded JavaScript within an isolated environment and log every critical action. Using heuristics on these logs, ADSandbox decides whether the site is malicious or not. In contrast to previous work, this approach combines generality with usability, since the system is executed directly on the client running the web browser before the web page is displayed. We show that we can achieve false positive rates close to 0% and false negative rates below 15% with a performance overhead of only a few seconds, which is a bit high for real-time application but shows great potential for future versions of our tool.&lt;br /&gt;
&lt;br /&gt;
This paper was joint work with Andreas Dewald and Felix C. Freiling. You can get the paper at &lt;a href=&quot;http://honeyblog.org/junkyard/paper/adsandbox-sac10.pdf&quot;&gt;http://honeyblog.org/junkyard/paper/adsandbox-sac10.pdf&lt;/a&gt;.&lt;br /&gt;
&lt;br /&gt;
 
    </content:encoded>

    <pubDate>Wed, 30 Dec 2009 14:01:00 +0100</pubDate>
    <guid isPermaLink="false">http://honeyblog.org/archives/43-guid.html</guid>
    <creativeCommons:license>http://creativecommons.org/licenses/by-sa/3.0/</creativeCommons:license>
</item>
<item>
    <title>Automatic Analysis of Malware Behavior using Machine Learning</title>
    <link>http://honeyblog.org/archives/42-Automatic-Analysis-of-Malware-Behavior-using-Machine-Learning.html</link>
            <category>CWSandbox</category>
            <category>malware</category>
            <category>paper</category>
    
    <comments>http://honeyblog.org/archives/42-Automatic-Analysis-of-Malware-Behavior-using-Machine-Learning.html#comments</comments>
    <wfw:comment>http://honeyblog.org/wfwcomment.php?cid=42</wfw:comment>

    <wfw:commentRss>http://honeyblog.org/rss.php?version=2.0&amp;type=comments&amp;cid=42</wfw:commentRss>
    

    <author>nospam@example.com (Thorsten Holz)</author>
    <content:encoded>
    In the last couple of years, several honeypot solutions to automatically &quot;collect&quot; malware samples were developed. With these tools, it is possible to obtain copies of malware samples without any human interaction. As a result, we are able to collect quite a few malware samples per day, which then also need to be analyzed. Thus, several sandbox solutions were developed that automate the analysis step by performing dynamic, behavior-based analysis. The result of the dynamic analysis is typically a report that summarizes the observed behavior. The next logical step is to use that information to perform malware classification and malware clustering: at the end of that process, we can then obtain information about which samples perform basically the same kind of activity. We can then automatically find variants of well-known threats, identify new malware families, and reduce the manual effort needed to analyze the large number of incoming malware samples.&lt;br /&gt;
&lt;br /&gt;
&lt;a class=&#039;serendipity_image_link&#039; href=&#039;http://honeyblog.org/uploads/paper/wordclouds/malware-clustering-wc.png&#039; target=&quot;_blank&quot;&gt;&lt;!-- s9ymdb:27 --&gt;&lt;img class=&quot;serendipity_image_left&quot; width=&quot;110&quot; height=&quot;57&quot; style=&quot;float: left; border: 0px; padding-left: 5px; padding-right: 5px;&quot; src=&quot;http://honeyblog.org/uploads/paper/wordclouds/malware-clustering-wc.serendipityThumb.png&quot; alt=&quot;&quot;  /&gt;&lt;/a&gt; In the last couple of months, we worked on malware classification and malware clustering. The results are summarized in a &lt;a href=&quot;http://honeyblog.org/junkyard/paper/malheur-TR-2009.pdf&quot;&gt;technical report&lt;/a&gt;. In the article, we introduce a learning-based framework for automatic analysis of malware behavior. To apply this framework in practice, it suffices to collect a large number of malware samples and monitor their behavior using a sandbox environment. By embedding the observed behavior in a vector space, reflecting behavioral patterns in its dimensions, we are able to apply learning algorithms, such as clustering and classification, for analysis of malware behavior. Both techniques are important for an automated processing of malware samples and we show in several experiments that our techniques significantly improve previous work in this area. For example, the concept of prototypes allows for efficient clustering and classification, while also enabling a security researcher to focus manual analysis on prototypes instead of all malware samples. Moreover, we introduce a technique to perform behavior-based analysis in an incremental way that avoids run-time and memory overhead inherent to previous approaches.&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;Abstract&lt;/b&gt;&lt;br /&gt;
Malicious software — so called &lt;em&gt;malware&lt;/em&gt; — poses a major threat to the security of computer systems. The amount and diversity of its variants render classic security defenses ineffective, such that millions of hosts in the Internet are infected with malware in the form of computer viruses, Internet worms and Trojan horses. While obfuscation and polymorphism employed by malware largely impede detection at file level, the dynamic analysis of malware binaries during run-time provides an instrument for characterizing and defending against the threat of malicious software.&lt;br /&gt;
In this article, we propose a framework for automatic analysis of malware behavior using machine learning. The framework allows for automatically identifying novel classes of malware with similar behavior (&lt;em&gt;clustering&lt;/em&gt;) and assigning unknown malware to these discovered classes (&lt;em&gt;classification&lt;/em&gt;). Based on both clustering and classification, we propose an incremental approach for behavior-based analysis, capable of processing the behavior of thousands of malware binaries on a daily basis. The incremental analysis significantly reduces the run-time overhead of current analysis methods, while providing an accurate discovery and discrimination of novel malware variants.&lt;br /&gt;
&lt;br /&gt;
The full technical report is available at &lt;a href=&quot;http://honeyblog.org/junkyard/paper/malheur-TR-2009.pdf&quot;&gt;http://honeyblog.org/junkyard/paper/malheur-TR-2009.pdf&lt;/a&gt;. It was joint work with &lt;a onclick=&quot;javascript: pageTracker._trackPageview(&#039;/extlink/blog.mlsec.org/&#039;);&quot;  href=&quot;http://blog.mlsec.org/&quot;&gt;Konrad Rieck&lt;/a&gt;, &lt;a onclick=&quot;javascript: pageTracker._trackPageview(&#039;/extlink/www.omnivora.de/&#039;);&quot;  href=&quot;http://www.omnivora.de/&quot;&gt;Philipp Trinius&lt;/a&gt;, and &lt;a onclick=&quot;javascript: pageTracker._trackPageview(&#039;/extlink/cwse.de/&#039;);&quot;  href=&quot;http://cwse.de/&quot;&gt;Carsten Willems&lt;/a&gt;. And the word cloud was generated using &lt;a onclick=&quot;javascript: pageTracker._trackPageview(&#039;/extlink/www.wordle.net/&#039;);&quot;  href=&quot;http://www.wordle.net/&quot;&gt;http://www.wordle.net/&lt;/a&gt;.&lt;br /&gt;
&lt;br /&gt;
 
    </content:encoded>

    <pubDate>Mon, 28 Dec 2009 12:15:00 +0100</pubDate>
    <guid isPermaLink="false">http://honeyblog.org/archives/42-guid.html</guid>
    <creativeCommons:license>http://creativecommons.org/licenses/by-sa/3.0/</creativeCommons:license>
</item>
<item>
    <title>Call for Papers: EuroSec 2010</title>
    <link>http://honeyblog.org/archives/39-Call-for-Papers-EuroSec-2010.html</link>
            <category>admin</category>
            <category>paper</category>
    
    <comments>http://honeyblog.org/archives/39-Call-for-Papers-EuroSec-2010.html#comments</comments>
    <wfw:comment>http://honeyblog.org/wfwcomment.php?cid=39</wfw:comment>

    <wfw:commentRss>http://honeyblog.org/rss.php?version=2.0&amp;type=comments&amp;cid=39</wfw:commentRss>
    

    <author>nospam@example.com (Thorsten Holz)</author>
    <content:encoded>
    The next edition of the European Workshop on System Security (&lt;a onclick=&quot;javascript: pageTracker._trackPageview(&#039;/extlink/www.iseclab.org/eurosec-2010/&#039;);&quot;  href=&quot;http://www.iseclab.org/eurosec-2010/&quot;&gt;EuroSec 2010&lt;/a&gt;) will take place on the 13th of April, 2010, in Paris, France. Please find below the call for papers.&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;About EuroSec&lt;/b&gt;:&lt;br /&gt;
EuroSec is a new workshop associated with the Annual ACM SIGOPS EuroSys conference. The workshop aims to bring together researchers, practitioners, system administrators, system programmers, and others interested in the latest advances in the security of computer systems and networks. The focus of the workshop is on novel, practical, systems-oriented work. &lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;Important dates&lt;/b&gt;:&lt;br /&gt;
&lt;ul&gt;&lt;li&gt;Paper submission: February 7, 2010 (Hard deadline, no extensions), 5pm, PST&lt;/li&gt;&lt;li&gt;Acceptance notification: March 1, 2010&lt;/li&gt;&lt;li&gt;Final paper due: March 12, 2010&lt;/li&gt;&lt;li&gt;Workshop: April 13, 2010&lt;/li&gt;&lt;/ul&gt; &lt;br /&gt;&lt;a href=&quot;http://honeyblog.org/archives/39-Call-for-Papers-EuroSec-2010.html#extended&quot;&gt;Continue reading &quot;Call for Papers: EuroSec 2010&quot;&lt;/a&gt;
    </content:encoded>

    <pubDate>Wed, 25 Nov 2009 16:29:24 +0100</pubDate>
    <guid isPermaLink="false">http://honeyblog.org/archives/39-guid.html</guid>
    <creativeCommons:license>http://creativecommons.org/licenses/by-sa/3.0/</creativeCommons:license>
</item>
<item>
    <title>&quot;Visual Analysis of Malware Behavior Using Treemaps and Thread Graphs&quot;</title>
    <link>http://honeyblog.org/archives/33-Visual-Analysis-of-Malware-Behavior-Using-Treemaps-and-Thread-Graphs.html</link>
            <category>CWSandbox</category>
            <category>paper</category>
    
    <comments>http://honeyblog.org/archives/33-Visual-Analysis-of-Malware-Behavior-Using-Treemaps-and-Thread-Graphs.html#comments</comments>
    <wfw:comment>http://honeyblog.org/wfwcomment.php?cid=33</wfw:comment>

    <wfw:commentRss>http://honeyblog.org/rss.php?version=2.0&amp;type=comments&amp;cid=33</wfw:commentRss>
    

    <author>nospam@example.com (Thorsten Holz)</author>
    <content:encoded>
    &lt;a class=&#039;serendipity_image_link&#039; href=&#039;http://honeyblog.org/uploads/paper/wordclouds/visualization-wc.jpg&#039;&gt;&lt;!-- s9ymdb:15 --&gt;&lt;img class=&quot;serendipity_image_left&quot; width=&quot;110&quot; height=&quot;54&quot; style=&quot;float: left; border: 0px; padding-left: 5px; padding-right: 5px;&quot; src=&quot;http://honeyblog.org/uploads/paper/wordclouds/visualization-wc.serendipityThumb.jpg&quot; alt=&quot;&quot;  /&gt;&lt;/a&gt;I continue the series of recent or upcoming papers with a paper we will publish at &lt;a onclick=&quot;javascript: pageTracker._trackPageview(&#039;/extlink/www.vizsec.org/vizsec2009/&#039;);&quot;  href=&quot;http://www.vizsec.org/vizsec2009/&quot;&gt;VizSec&#039;09&lt;/a&gt; entitled &quot;Visual Analysis of Malware Behavior Using Treemaps and Thread Graphs&quot;. In recent years, we saw a lot of progress in the area of automated malware analysis. Nowadays tools such as &lt;a onclick=&quot;javascript: pageTracker._trackPageview(&#039;/extlink/cwsandbox.org&#039;);&quot;  href=&quot;http://cwsandbox.org&quot;&gt;CWSandbox&lt;/a&gt;, &lt;a onclick=&quot;javascript: pageTracker._trackPageview(&#039;/extlink/anubis.iseclab.org&#039;);&quot;  href=&quot;http://anubis.iseclab.org&quot;&gt;Anubis&lt;/a&gt;, &lt;a onclick=&quot;javascript: pageTracker._trackPageview(&#039;/extlink/www.threatexpert.com/&#039;);&quot;  href=&quot;http://www.threatexpert.com/&quot;&gt;ThreatExpert&lt;/a&gt;, or &lt;a onclick=&quot;javascript: pageTracker._trackPageview(&#039;/extlink/www.norman.com/technology/norman_sandbox/&#039;);&quot;  href=&quot;http://www.norman.com/technology/norman_sandbox/&quot;&gt;Norman Sandbox&lt;/a&gt; are available. These tools analyze a given binary and generate a report which contains a summary of the behavior observed while executing the sample. Such reports are often quite long; for example, it is not uncommon for a CWSandbox report to be longer than 100 lines. 
An analyst thus has to read the whole report in order to get an understanding of what a given sample is doing. In this paper we present an approach to visualize the behavior report with &lt;a onclick=&quot;javascript: pageTracker._trackPageview(&#039;/extlink/www.cs.umd.edu/hcil/treemap-history/&#039;);&quot;  href=&quot;http://www.cs.umd.edu/hcil/treemap-history/&quot;&gt;treemaps&lt;/a&gt; and behavior graphs (i.e., visualizing the behavior of the individual threads over time). This helps to get a quick overview of what a given sample does, and samples from one malware family also have a similar-looking treemap/behavior graph.&lt;br /&gt;
&lt;br /&gt;
As an example, consider the following three pictures which each show the treemap generated for three distinct samples of the &lt;a onclick=&quot;javascript: pageTracker._trackPageview(&#039;/extlink/en.wikipedia.org/wiki/Bagle&#039;);&quot;  href=&quot;http://en.wikipedia.org/wiki/Bagle&quot;&gt;Bagle worm&lt;/a&gt;:&lt;br /&gt;
&lt;br /&gt;
&lt;center&gt;&lt;a class=&#039;serendipity_image_link&#039; href=&#039;http://honeyblog.org/uploads/stuff/bagle3.png&#039; onclick=&quot;F1 = window.open(&#039;/uploads/stuff/bagle3.png&#039;,&#039;Zoom&#039;,&#039;height=1217,width=1217,top=-151,left=119,toolbar=no,menubar=no,location=no,resize=1,resizable=1,scrollbars=yes&#039;); return false;&quot;&gt;&lt;!-- s9ymdb:20 --&gt;&lt;img class=&quot;serendipity_image_center&quot; width=&quot;110&quot; height=&quot;110&quot; style=&quot;border: 0px; padding-left: 5px; padding-right: 5px;&quot; src=&quot;http://honeyblog.org/uploads/stuff/bagle3.serendipityThumb.png&quot; alt=&quot;&quot;  /&gt;&lt;/a&gt;&lt;a class=&#039;serendipity_image_link&#039; href=&#039;http://honeyblog.org/uploads/stuff/bagle2.png&#039; onclick=&quot;F1 = window.open(&#039;/uploads/stuff/bagle2.png&#039;,&#039;Zoom&#039;,&#039;height=1217,width=1217,top=-151,left=119,toolbar=no,menubar=no,location=no,resize=1,resizable=1,scrollbars=yes&#039;); return false;&quot;&gt;&lt;!-- s9ymdb:19 --&gt;&lt;img class=&quot;serendipity_image_center&quot; width=&quot;110&quot; height=&quot;110&quot; style=&quot;border: 0px; padding-left: 5px; padding-right: 5px;&quot; src=&quot;http://honeyblog.org/uploads/stuff/bagle2.serendipityThumb.png&quot; alt=&quot;&quot;  /&gt;&lt;/a&gt;&lt;a class=&#039;serendipity_image_link&#039; href=&#039;http://honeyblog.org/uploads/stuff/bagle1.png&#039; onclick=&quot;F1 = window.open(&#039;/uploads/stuff/bagle1.png&#039;,&#039;Zoom&#039;,&#039;height=1217,width=1217,top=-151,left=119,toolbar=no,menubar=no,location=no,resize=1,resizable=1,scrollbars=yes&#039;); return false;&quot;&gt;&lt;!-- s9ymdb:18 --&gt;&lt;img class=&quot;serendipity_image_center&quot; width=&quot;110&quot; height=&quot;110&quot; style=&quot;border: 0px; padding-left: 5px; padding-right: 5px;&quot; src=&quot;http://honeyblog.org/uploads/stuff/bagle1.serendipityThumb.png&quot; alt=&quot;&quot;  /&gt;&lt;/a&gt;&lt;/center&gt;&lt;br /&gt;
Each picture shows a treemap of the behavior: the x-axis depicts the type of action performed, e.g., whether the sample performed actions related to the filesystem, the registry, or the network. The y-axis divides the actions into operations, i.e., whether it was a read or write access to the registry. As you can see, the behavior of Bagle is (more or less) consistent across different samples from the same family. Below you can find the visualization of two &lt;a onclick=&quot;javascript: pageTracker._trackPageview(&#039;/extlink/www.f-secure.com/v-descs/swizzor.shtml&#039;);&quot;  href=&quot;http://www.f-secure.com/v-descs/swizzor.shtml&quot;&gt;Swizzor&lt;/a&gt; samples and one &lt;a onclick=&quot;javascript: pageTracker._trackPageview(&#039;/extlink/www.f-secure.com/v-descs/allaple_a.shtml&#039;);&quot;  href=&quot;http://www.f-secure.com/v-descs/allaple_a.shtml&quot;&gt;Allaple&lt;/a&gt; sample.&lt;br /&gt;
&lt;br /&gt;
&lt;center&gt;&lt;a class=&#039;serendipity_image_link&#039; href=&#039;http://honeyblog.org/uploads/stuff/swizzor2.png&#039; onclick=&quot;F1 = window.open(&#039;/uploads/stuff/swizzor2.png&#039;,&#039;Zoom&#039;,&#039;height=1217,width=1217,top=-151,left=119,toolbar=no,menubar=no,location=no,resize=1,resizable=1,scrollbars=yes&#039;); return false;&quot;&gt;&lt;!-- s9ymdb:22 --&gt;&lt;img class=&quot;serendipity_image_center&quot; width=&quot;110&quot; height=&quot;110&quot; style=&quot;border: 0px; padding-left: 5px; padding-right: 5px;&quot; src=&quot;http://honeyblog.org/uploads/stuff/swizzor2.serendipityThumb.png&quot; alt=&quot;&quot;  /&gt;&lt;/a&gt;&lt;a class=&#039;serendipity_image_link&#039; href=&#039;http://honeyblog.org/uploads/stuff/swizzor1.png&#039; onclick=&quot;F1 = window.open(&#039;/uploads/stuff/swizzor1.png&#039;,&#039;Zoom&#039;,&#039;height=1217,width=1217,top=-151,left=119,toolbar=no,menubar=no,location=no,resize=1,resizable=1,scrollbars=yes&#039;); return false;&quot;&gt;&lt;!-- s9ymdb:21 --&gt;&lt;img class=&quot;serendipity_image_center&quot; width=&quot;110&quot; height=&quot;110&quot; style=&quot;border: 0px; padding-left: 5px; padding-right: 5px;&quot; src=&quot;http://honeyblog.org/uploads/stuff/swizzor1.serendipityThumb.png&quot; alt=&quot;&quot;  /&gt;&lt;/a&gt;&lt;a class=&#039;serendipity_image_link&#039; href=&#039;http://honeyblog.org/uploads/stuff/allaple.png&#039; onclick=&quot;F1 = window.open(&#039;/uploads/stuff/allaple.png&#039;,&#039;Zoom&#039;,&#039;height=1217,width=1217,top=-151,left=119,toolbar=no,menubar=no,location=no,resize=1,resizable=1,scrollbars=yes&#039;); return false;&quot;&gt;&lt;!-- s9ymdb:23 --&gt;&lt;img class=&quot;serendipity_image_center&quot; width=&quot;110&quot; height=&quot;110&quot; style=&quot;border: 0px; padding-left: 5px; padding-right: 5px;&quot; src=&quot;http://honeyblog.org/uploads/stuff/allaple.serendipityThumb.png&quot; alt=&quot;&quot;  /&gt;&lt;/a&gt;&lt;/center&gt;&lt;br /&gt;
Samples from the same family have a similar visualization, while samples from different families look different. This could help an analyst to quickly identify if the sample is interesting or just another small variant of a well-known family. This research will be integrated in the frontend of &lt;a onclick=&quot;javascript: pageTracker._trackPageview(&#039;/extlink/cwsandbox.org&#039;);&quot;  href=&quot;http://cwsandbox.org&quot;&gt;http://cwsandbox.org&lt;/a&gt;.&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;Abstract&lt;/b&gt;: We study techniques to visualize the behavior of malicious software (malware). Our aim is to help human analysts to quickly assess and classify the nature of a new malware sample. Our techniques are based on a parametrized abstraction of detailed behavioral reports automatically generated by sandbox environments. We then explore two visualization techniques: treemaps and thread graphs. We argue that both techniques can effectively support a human analyst (a) in detecting maliciousness of software, and (b) in classifying malicious behavior.  
    </content:encoded>

    <pubDate>Fri, 21 Aug 2009 15:45:00 +0200</pubDate>
    <guid isPermaLink="false">http://honeyblog.org/archives/33-guid.html</guid>
    <creativeCommons:license>http://creativecommons.org/licenses/by-sa/3.0/</creativeCommons:license>
</item>
<item>
    <title>&quot;Towards Proactive Spam Filtering&quot;</title>
    <link>http://honeyblog.org/archives/32-Towards-Proactive-Spam-Filtering.html</link>
            <category>honeynets</category>
            <category>malware</category>
            <category>paper</category>
    
    <comments>http://honeyblog.org/archives/32-Towards-Proactive-Spam-Filtering.html#comments</comments>
    <wfw:comment>http://honeyblog.org/wfwcomment.php?cid=32</wfw:comment>

    <wfw:commentRss>http://honeyblog.org/rss.php?version=2.0&amp;type=comments&amp;cid=32</wfw:commentRss>
    

    <author>nospam@example.com (Thorsten Holz)</author>
    <content:encoded>
    &lt;a class=&#039;serendipity_image_link&#039; href=&#039;http://honeyblog.org/uploads/paper/wordclouds/spam-wc.jpg&#039; onclick=&quot;F1 = window.open(&#039;/uploads/paper/wordclouds/spam-wc.jpg&#039;,&#039;Zoom&#039;,&#039;height=530,width=993,top=192.5,left=231,toolbar=no,menubar=no,location=no,resize=1,resizable=1,scrollbars=yes&#039;); return false;&quot;&gt;&lt;!-- s9ymdb:14 --&gt;&lt;img class=&quot;serendipity_image_left&quot; width=&quot;110&quot; height=&quot;58&quot; style=&quot;float: left; border: 0px; padding-left: 5px; padding-right: 5px;&quot; src=&quot;http://honeyblog.org/uploads/paper/wordclouds/spam-wc.serendipityThumb.jpg&quot; alt=&quot;&quot;  /&gt;&lt;/a&gt;A common technique employed by spammers is to send spam mails with the help of botnets. In a typical setting, the spammer uses so-called &lt;em&gt;template-based spamming&lt;/em&gt;: the attacker sends the bots a spam template that describes the structure of the spam message to be sent. Furthermore, the attacker sends meta-data like a recipient list, a subject list, and a list of URLs that are used to fill in variables in the template. The bots then construct an email based on the template and the meta-data, and send this email to the targets. As a result, the actual work of handling the SMTP communication is moved from the control server to the bots. Nowadays this technique is used by most large spam botnets, like Waledac, Bobax, Rustock, Cutwail, and many of the other major spam botnets, as Joe Stewart explained &lt;a onclick=&quot;javascript: pageTracker._trackPageview(&#039;/extlink/secureworks.com/research/threats/botnets2009/&#039;);&quot;  href=&quot;http://secureworks.com/research/threats/botnets2009/&quot;&gt;in detail&lt;/a&gt;.&lt;br /&gt;
&lt;br /&gt;
Since spammers nowadays use such a tactic, we can also collect spam mails in a more efficient way: instead of waiting at the end-user&#039;s mailboxes or spamtraps for mail messages to arrive and then deciding whether or not a message is spam, we directly interact with the servers that are used to send spam messages. The basic idea is that we execute spambots, i.e., malicious software dedicated to sending spam emails, in a controlled (honeypot) environment and collect all email messages sent by the bots. This enables us to &lt;em&gt;directly&lt;/em&gt; interact with botnet control servers to collect &lt;em&gt;current&lt;/em&gt; spam messages sent by a specific botnet. &lt;br /&gt;
&lt;br /&gt;
We describe this idea in more detail in a short paper that was published at &lt;a onclick=&quot;javascript: pageTracker._trackPageview(&#039;/extlink/security.dico.unimi.it/dimva2009/&#039;);&quot;  href=&quot;http://security.dico.unimi.it/dimva2009/&quot;&gt;DIMVA&#039;09&lt;/a&gt;. The paper is also &lt;a href=&quot;http://honeyblog.org/junkyard/paper/proactive-spam-short-dimva09.pdf&quot;&gt;available&lt;/a&gt; on this blog.&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;Abstract&lt;/b&gt;: With increasing security measures in network services, remote exploitation is getting harder. As a result, attackers concentrate on more reliable attack vectors like email: victims are infected using either malicious attachments or links leading to malicious websites. Therefore efficient filtering and blocking methods for spam messages are needed. Unfortunately, most spam filtering solutions proposed so far are reactive: they require a large amount of both ham and spam messages to efficiently generate rules to differentiate between both. In this paper, we introduce a more proactive approach that allows us to directly collect spam messages by interacting with the spam botnet controllers. We are able to observe current spam runs and obtain a copy of the latest spam messages in a fast and efficient way. Based on the collected information we are able to generate templates that represent a concise summary of a spam run. The collected data can then be used to improve current spam filtering techniques and develop new avenues to efficiently filter mails.  
    </content:encoded>

    <pubDate>Fri, 31 Jul 2009 12:08:00 +0200</pubDate>
    <guid isPermaLink="false">http://honeyblog.org/archives/32-guid.html</guid>
    <creativeCommons:license>http://creativecommons.org/licenses/by-sa/3.0/</creativeCommons:license>
</item>
<item>
    <title>&quot;Bypassing Kernel Code Integrity Protection Mechanisms&quot;</title>
    <link>http://honeyblog.org/archives/30-Bypassing-Kernel-Code-Integrity-Protection-Mechanisms.html</link>
            <category>paper</category>
    
    <comments>http://honeyblog.org/archives/30-Bypassing-Kernel-Code-Integrity-Protection-Mechanisms.html#comments</comments>
    <wfw:comment>http://honeyblog.org/wfwcomment.php?cid=30</wfw:comment>

    <wfw:commentRss>http://honeyblog.org/rss.php?version=2.0&amp;type=comments&amp;cid=30</wfw:commentRss>
    

    <author>nospam@example.com (Thorsten Holz)</author>
    <content:encoded>
    &lt;a class=&#039;serendipity_image_link&#039; href=&#039;http://honeyblog.org/uploads/paper/wordclouds/RO-rootkit-wc.jpg&#039; onclick=&quot;F1 = window.open(&#039;/uploads/paper/wordclouds/RO-rootkit-wc.jpg&#039;,&#039;Zoom&#039;,&#039;height=577,width=1015,top=169,left=220,toolbar=no,menubar=no,location=no,resize=1,resizable=1,scrollbars=yes&#039;); return false;&quot;&gt;&lt;!-- s9ymdb:16 --&gt;&lt;img class=&quot;serendipity_image_right&quot; width=&quot;110&quot; height=&quot;62&quot; style=&quot;float: right; border: 0px; padding-left: 5px; padding-right: 5px;&quot; src=&quot;http://honeyblog.org/uploads/paper/wordclouds/RO-rootkit-wc.serendipityThumb.jpg&quot; alt=&quot;&quot;  /&gt;&lt;/a&gt;A paper that we will publish next month at &lt;a onclick=&quot;javascript: pageTracker._trackPageview(&#039;/extlink/usenix.org/events/sec09/&#039;);&quot;  href=&quot;http://usenix.org/events/sec09/&quot;&gt;USENIX Security&#039;09&lt;/a&gt; is entitled &quot;Return-Oriented Rootkits: Bypassing Kernel Code Integrity Protection Mechanisms&quot;. In return-oriented programming, an attacker re-uses existing code: he searches for short instruction sequences (typically only one instruction) which are followed by a RET. By cleverly chaining these sequences, an attacker can build a &lt;em&gt;gadget&lt;/em&gt; that then performs an actual computation, e.g., the gadget adds two operands. By combining these gadgets, an attacker can then perform arbitrary computations. 
Return-oriented programming was popularized by Shacham (&lt;a onclick=&quot;javascript: pageTracker._trackPageview(&#039;/extlink/cseweb.ucsd.edu/~hovav/papers/s07.html&#039;);&quot;  href=&quot;http://cseweb.ucsd.edu/~hovav/papers/s07.html&quot;&gt;CCS&#039;07 paper&lt;/a&gt; targeting Linux/x86, &lt;a onclick=&quot;javascript: pageTracker._trackPageview(&#039;/extlink/cseweb.ucsd.edu/~hovav/papers/brss08.html&#039;);&quot;  href=&quot;http://cseweb.ucsd.edu/~hovav/papers/brss08.html&quot;&gt;CCS&#039;08 paper&lt;/a&gt; targeting Solaris/SPARC). In our paper we present a system to automatically find useful instructions, build gadgets, and then generate a return-oriented program for Windows as the target OS. In a case study, we show how this system can be used to implement a return-oriented rootkit, bypassing typical kernel code integrity mechanisms. The main insight here is that integrity mechanisms protect against injection of code - however, if the attacker re-uses existing code, these approaches typically fail.&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;Abstract&lt;/b&gt;: Protecting the kernel of an operating system against attacks, especially injection of malicious code, is an important factor for implementing secure operating systems. Several kernel integrity protection mechanisms were proposed recently that all have a particular shortcoming: they cannot protect against attacks in which the attacker re-uses existing code within the kernel to perform malicious computations. In this paper, we present the design and implementation of a system that fully automates the process of constructing instruction sequences that can be used by an attacker for malicious computations. We evaluate the system on different commodity operating systems and show the portability and universality of our approach. Finally, we describe the implementation of a practical attack that can bypass existing kernel integrity protection mechanisms.&lt;br /&gt;
&lt;br /&gt;
The &lt;a href=&quot;http://honeyblog.org/junkyard/paper/RO-rootkits-usenix09.pdf&quot;&gt;paper&lt;/a&gt; contains all the details, and the &lt;a onclick=&quot;javascript: pageTracker._trackPageview(&#039;/extlink/pi1.informatik.uni-mannheim.de/filepool/projects/return-oriented-rootkit/measurements-ro.tgz&#039;);&quot;  href=&quot;http://pi1.informatik.uni-mannheim.de/filepool/projects/return-oriented-rootkit/measurements-ro.tgz&quot;&gt;results of our experiments&lt;/a&gt; are also available. The main part of this work was performed by Ralf Hund; it was the topic of his thesis. Furthermore, Felix Freiling helped with the project. And the word cloud was generated with the help of &lt;a onclick=&quot;javascript: pageTracker._trackPageview(&#039;/extlink/www.wordle.net/&#039;);&quot;  href=&quot;http://www.wordle.net/&quot;&gt;Wordle&lt;/a&gt;. 
    </content:encoded>

    <pubDate>Sat, 18 Jul 2009 08:13:00 +0200</pubDate>
    <guid isPermaLink="false">http://honeyblog.org/archives/30-guid.html</guid>
    <creativeCommons:license>http://creativecommons.org/licenses/by-sa/3.0/</creativeCommons:license>
</item>
<item>
    <title>&quot;Automatically Generating Models for Botnet Detection&quot;</title>
    <link>http://honeyblog.org/archives/29-Automatically-Generating-Models-for-Botnet-Detection.html</link>
            <category>malware</category>
            <category>paper</category>
    
    <comments>http://honeyblog.org/archives/29-Automatically-Generating-Models-for-Botnet-Detection.html#comments</comments>
    <wfw:comment>http://honeyblog.org/wfwcomment.php?cid=29</wfw:comment>

    <wfw:commentRss>http://honeyblog.org/rss.php?version=2.0&amp;type=comments&amp;cid=29</wfw:commentRss>
    

    <author>nospam@example.com (Thorsten Holz)</author>
    <content:encoded>
    &lt;a class=&#039;serendipity_image_link&#039; href=&#039;http://honeyblog.org/uploads/paper/wordclouds/botdetection-wc.jpg&#039; onclick=&quot;F1 = window.open(&#039;/uploads/paper/wordclouds/botdetection-wc.jpg&#039;,&#039;Zoom&#039;,&#039;height=555,width=837,top=180,left=309,toolbar=no,menubar=no,location=no,resize=1,resizable=1,scrollbars=yes&#039;); return false;&quot;&gt;&lt;!-- s9ymdb:12 --&gt;&lt;img class=&quot;serendipity_image_left&quot; width=&quot;110&quot; height=&quot;72&quot; style=&quot;float: left; border: 0px; padding-left: 5px; padding-right: 5px;&quot; src=&quot;http://honeyblog.org/uploads/paper/wordclouds/botdetection-wc.serendipityThumb.jpg&quot; alt=&quot;&quot;  /&gt;&lt;/a&gt; One of the papers that we will publish at the European Symposium on Research in Computer Security (&lt;a onclick=&quot;javascript: pageTracker._trackPageview(&#039;/extlink/conferences.telecom-bretagne.eu/esorics2009/EN/home.php&#039;);&quot;  href=&quot;http://conferences.telecom-bretagne.eu/esorics2009/EN/home.php&quot;&gt;ESORICS&#039;09&lt;/a&gt;) focusses on the problem of detecting bots within a given network. 
Previous research focussed for example on detecting bots using human-generated signatures and anomaly detectors (e.g., &lt;a onclick=&quot;javascript: pageTracker._trackPageview(&#039;/extlink/www.cyber-ta.org/pubs/botHunter-final7.pdf&#039;);&quot;  href=&quot;http://www.cyber-ta.org/pubs/botHunter-final7.pdf&quot;&gt;BotHunter&lt;/a&gt;) or on correlating the activity of individual hosts in order to find machines that react in lockstep (e.g., &lt;a onclick=&quot;javascript: pageTracker._trackPageview(&#039;/extlink/faculty.cs.tamu.edu/guofei/paper/Gu_Security08_BotMiner.pdf&#039;);&quot;  href=&quot;http://faculty.cs.tamu.edu/guofei/paper/Gu_Security08_BotMiner.pdf&quot;&gt;BotMiner&lt;/a&gt; or &lt;a onclick=&quot;javascript: pageTracker._trackPageview(&#039;/extlink/www.ece.cmu.edu/~tyen/TAMD.pdf&#039;);&quot;  href=&quot;http://www.ece.cmu.edu/~tyen/TAMD.pdf&quot;&gt;TAMD&lt;/a&gt;). We present a system that &lt;em&gt;automatically&lt;/em&gt; generates signatures which encapsulate the behavior of an infected machine. The important observation is that the principle behind bots is that they receive a command from the botherder and then respond in a specific way. Using real-world traces of many botnets, we show that it is possible to spot the bot responses in the network traces using a change point detection algorithm. Based on this information, we can then identify the commands, and we use all of this information to encode a signature, which we map into &lt;a onclick=&quot;javascript: pageTracker._trackPageview(&#039;/extlink/bro-ids.org/&#039;);&quot;  href=&quot;http://bro-ids.org/&quot;&gt;Bro&lt;/a&gt; rules. Experiments in different networks show that this approach outperforms BotHunter. 
More information about the approach is available in the &lt;a href=&quot;http://honeyblog.org/junkyard/paper/esorics_25_botnet.pdf&quot;&gt;paper&lt;/a&gt; and all the gory details are published in a &lt;a href=&quot;http://honeyblog.org/junkyard/paper/tr_botdetection.pdf&quot;&gt;technical report&lt;/a&gt;. &lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;Abstract&lt;/b&gt;: A botnet is a network of compromised hosts that is under the control of a single, malicious entity, often called the botmaster. We present a system that aims to detect bots, independent of any prior information about the command and control channels or propagation vectors, and without requiring multiple infections for correlation. Our system relies on detection models that target the characteristic fact that every bot receives commands from the botmaster to which it responds in a specific way. These detection models are generated automatically from network traffic traces recorded from actual bot instances. We have implemented the proposed approach and demonstrate that it can extract effective detection models for a variety of different bot families. These models are precise in describing the activity of bots and raise very few false positives. &lt;br /&gt;
&lt;br /&gt;
This work is a collaboration with Peter Wurzinger, Leyla Bilge, Jan Goebel, Christopher Kruegel, and Engin Kirda. And the word cloud on the top of the posting is generated with the help of &lt;a onclick=&quot;javascript: pageTracker._trackPageview(&#039;/extlink/www.wordle.net/&#039;);&quot;  href=&quot;http://www.wordle.net/&quot;&gt;http://www.wordle.net/&lt;/a&gt;. 
    </content:encoded>

    <pubDate>Fri, 17 Jul 2009 01:55:00 +0200</pubDate>
    <guid isPermaLink="false">http://honeyblog.org/archives/29-guid.html</guid>
    <creativeCommons:license>http://creativecommons.org/licenses/by-sa/3.0/</creativeCommons:license>
</item>
<item>
    <title>Ready or Not?</title>
    <link>http://honeyblog.org/archives/26-Ready-or-Not.html</link>
            <category>paper</category>
    
    <comments>http://honeyblog.org/archives/26-Ready-or-Not.html#comments</comments>
    <wfw:comment>http://honeyblog.org/wfwcomment.php?cid=26</wfw:comment>

    <wfw:commentRss>http://honeyblog.org/rss.php?version=2.0&amp;type=comments&amp;cid=26</wfw:commentRss>
    

    <author>nospam@example.com (Thorsten Holz)</author>
    <content:encoded>
Several days ago, I finally handed in my dissertation with the title &quot;Tracking and Mitigation of Malicious Remote Control Networks&quot;. The thesis was reviewed by &lt;a onclick=&quot;javascript: pageTracker._trackPageview(&#039;/extlink/pi1.informatik.uni-mannheim.de/~freiling&#039;);&quot;  href=&quot;http://pi1.informatik.uni-mannheim.de/~freiling&quot;&gt;Prof. Freiling&lt;/a&gt; and &lt;a onclick=&quot;javascript: pageTracker._trackPageview(&#039;/extlink/www.cs.ucsb.edu/~chris/&#039;);&quot;  href=&quot;http://www.cs.ucsb.edu/~chris/&quot;&gt;Prof. Kruegel&lt;/a&gt;, and my defense is at the end of the month. The thesis itself deals with different methods to study malicious remote control networks, i.e., mechanisms that enable an attacker to control a large number of compromised machines for illicit activities. Typical examples of this kind of remote control network are botnets and fast-flux service networks. The thesis summarizes the work from the last few years and the resulting &lt;a onclick=&quot;javascript: pageTracker._trackPageview(&#039;/extlink/pi1.informatik.uni-mannheim.de/index.php?inc=showSnippet.php3&amp;amp;amp;action=1177511093&#039;);&quot;  href=&quot;http://pi1.informatik.uni-mannheim.de/index.php?inc=showSnippet.php3&amp;amp;action=1177511093&quot;&gt;publications&lt;/a&gt;. &lt;br /&gt;
Once my defense is over I will post a link to my thesis; it is not yet public. For now I&#039;m really happy that my PhD studies are (almost) over, and I am looking forward to new challenges in the future :-)&lt;br /&gt;
&lt;br /&gt;
And more good news arrived today via e-mail:&lt;br /&gt;
&lt;blockquote&gt;On behalf of the 18th USENIX Security Symposium (USENIX Security &#039;09) program committee, I am delighted to inform you that your paper #108 has been accepted to appear in the conference.&lt;br /&gt;
&lt;br /&gt;
      Title: Return-Oriented Rootkits: Bypassing Kernel Code Integrity&lt;br /&gt;
             Protection Mechanisms&lt;br /&gt;
    Authors: Ralf Hund (University of Mannheim)&lt;br /&gt;
             Thorsten Holz (University of Mannheim)&lt;br /&gt;
             Felix Freiling (University of Mannheim)&lt;br /&gt;
&lt;br /&gt;
This year&#039;s selection process was very selective, and your paper was one of only 26 papers accepted out of 176 submissions.  Congratulations!&lt;/blockquote&gt;&lt;br /&gt;
 
    </content:encoded>

    <pubDate>Mon, 13 Apr 2009 16:36:00 +0200</pubDate>
    <guid isPermaLink="false">http://honeyblog.org/archives/26-guid.html</guid>
    <creativeCommons:license>http://creativecommons.org/licenses/by-sa/3.0/</creativeCommons:license>
</item>
<item>
    <title>LEET'09 Taking Place Soon</title>
    <link>http://honeyblog.org/archives/25-LEET09-Taking-Place-Soon.html</link>
            <category>honeynets</category>
            <category>malware</category>
            <category>paper</category>
    
    <comments>http://honeyblog.org/archives/25-LEET09-Taking-Place-Soon.html#comments</comments>
    <wfw:comment>http://honeyblog.org/wfwcomment.php?cid=25</wfw:comment>

    <wfw:commentRss>http://honeyblog.org/rss.php?version=2.0&amp;type=comments&amp;cid=25</wfw:commentRss>
    

    <author>nospam@example.com (Thorsten Holz)</author>
    <content:encoded>
    Join us at the 2nd USENIX Workshop on Large-Scale Exploits and Emergent Threats: Botnets, Spyware, Worms, and More (&lt;a onclick=&quot;javascript: pageTracker._trackPageview(&#039;/extlink/www.usenix.org/events/leet09/&#039;);&quot;  href=&quot;http://www.usenix.org/events/leet09/&quot;&gt;LEET&#039;09&lt;/a&gt;), which will take place in Boston, MA, on April 21, 2009. LEET &#039;09 will focus on the underlying mechanisms used to compromise and control hosts, the large-scale &quot;applications&quot; being perpetrated upon this framework, and the social and economic networks driving these threats. Sessions include Malware Analysis, Ethics in Botnet Research, Malware Behavior, and more.&lt;br /&gt;
&lt;br /&gt;
The full program is available at &lt;a onclick=&quot;javascript: pageTracker._trackPageview(&#039;/extlink/www.usenix.org/events/leet09/tech/&#039;);&quot;  href=&quot;http://www.usenix.org/events/leet09/tech/&quot;&gt;http://www.usenix.org/events/leet09/tech/&lt;/a&gt;.&lt;br /&gt;
&lt;br /&gt;
LEET &#039;09 will also include a session for Work-in-Progress reports. We encourage you to submit an abstract or proposal for a 5-minute presentation on your preliminary work to leet09wips@usenix.org.&lt;br /&gt;
&lt;br /&gt;
Connect with the broad community of researchers and practitioners who focus on worms, bots, spam, spyware, phishing, DDoS, and the ever-increasing palette of large-scale Internet-based threats; the workshop fosters the development of preliminary work in this diverse area and stimulates discussion of thought-provoking ideas.&lt;br /&gt;
&lt;br /&gt;
Find out more and register today at &lt;a onclick=&quot;javascript: pageTracker._trackPageview(&#039;/extlink/www.usenix.org/leet09/&#039;);&quot;  href=&quot;http://www.usenix.org/leet09/&quot;&gt;http://www.usenix.org/leet09/&lt;/a&gt;.&lt;br /&gt;
 
    </content:encoded>

    <pubDate>Tue, 07 Apr 2009 08:38:00 +0200</pubDate>
    <guid isPermaLink="false">http://honeyblog.org/archives/25-guid.html</guid>
    <creativeCommons:license>http://creativecommons.org/licenses/by-sa/3.0/</creativeCommons:license>
</item>

</channel>
</rss>