Fraunhofer FKIE
GI Gesellschaft für Informatik e.V.
University of Bonn
In technical co-operation with the Technical Committee on Security and Privacy

Seventh Conference on
Detection of Intrusions and Malware & Vulnerability Assessment

DIMVA 2010

July 8-9th, 2010
Bonn, Germany
DIMVA 2009 Conference of SIG SIDAR of the German Informatics Society (GI), in conjunction with SPRING5

Conference Program

Thursday, July 8

9:00-9:15 Opening remarks
9:15-10:30 Keynote
  Trends in Malevolence
José Nazario, Senior Manager of Security Research, Arbor Networks
10:30-11:00 Coffee break
11:00-12:30 Session 1 — Host Security
  Session chair: Christian Kreibich
  HookScout: Proactive Binary-Centric Hook Detection
Heng Yin, Pongsin Poosankam, Steve Hanna and Dawn Song
  Conqueror: Tamper-proof Code Execution on Legacy Systems
Lorenzo Martignoni, Roberto Paleari and Danilo Bruschi
  dAnubis - Dynamic Device Driver Analysis Based on Virtual Machine Introspection
Matthias Neugschwandtner, Christian Platzer, Paolo Milani Comparetti and Ulrich Bayer
12:30-13:30 Lunch
13:30-14:45 Invited Talk
  Modern Spammer Infrastructure
Carel van Straaten
14:45-16:00 Session 2 — Trends
  Session chair: Sven Dietrich
  Evaluating Bluetooth as a Medium for Botnet Command and Control
Kapil Singh, Samrit Sangal, Nehil Jain, Patrick Traynor and Wenke Lee
  Take a Deep Breath: a Stealthy, Resilient and Cost-Effective Botnet Using Skype
Antonio Nappa, Aristide Fattori, Marco Balduzzi, Matteo Dell'Amico and Lorenzo Cavallaro
  Covertly Probing Underground Economy Marketplaces
Hanno Fallmann, Gilbert Wondracek and Christian Platzer
16:00-16:15 Coffee break
16:15-17:15 Session 3 — Vulnerabilities
  Session chair: Michael Meier
  Why Johnny Can't Pentest: An Analysis of Black-box Web Vulnerability Scanners
Adam Doupe, Marco Cova and Giovanni Vigna
  Organizing Large Scale Hacking Competitions
Nick Childers, Bryce Boe, Lorenzo Cavallaro, Ludovico Cavedon, Marco Cova, Manuel Egele and Giovanni Vigna
17:15-18:15 Meeting of GI SIG SIDAR (open for all interested attendees)
  Invited Talk: Quo vadis, Sicherheitsausbildung? (in German)
  Martin Mink, TU Darmstadt

Friday, July 9

9:00-10:15 Invited Talk
  TRIAGE: the WOMBAT attack attribution approach
Marc Dacier
10:15-10:45 Coffee break
10:45-11:45 Session 4 — Intrusion Detection
  Session chair: Robin Sommer
  An Online Adaptive Approach to Alert Correlation
Hanli Ren, Natalia Stakhanova and Ali Ghorbani
  KIDS - Keyed Intrusion Detection System
Sasa Mrdovic
11:45-12:30 Rump Session
  Session chair: Sven Dietrich
12:30-13:30 Lunch
13:30-14:30 Session 5 — Web Security
  Session chair: Herbert Bos
  Modeling and Containment of Search Worms Targeting Web Applications
Jingyu Hua and Kouichi Sakurai
  HProxy: Client-side detection of SSL stripping attacks
Nick Nikiforakis, Yves Younan and Wouter Joosen
14:30-14:45 Concluding remarks

Invited Talks

Trends in Malevolence
José Nazario, Arbor Networks
This talk will explore the past, present, and future of Internet security, specifically the rise of the criminal online underworld. Our current situation of botnets for financial gain, rogue ISPs who support these attacks, spam, malware explosions, and the like are due to the past decade of tactical efforts. Understanding these "megatrends" is key to anticipating what will happen next and what kinds of technical—and policy—preparations we should make.

Dr. Jose Nazario is the senior manager of security research at Arbor Networks. In this capacity, he is responsible for analyzing burgeoning Internet security threats, reverse engineering malicious code, software development, and developing security mechanisms that are then distributed to Arbor's Peakflow platforms via the Active Threat Feed (ATF) threat detection service. Dr. Nazario's research interests include large-scale Internet trends such as reachability and topology measurement, Internet-scale events such as DDoS attacks, botnets and worms, source code analysis tools, and data mining. He is the author of the books "Defense and Detection Strategies against Internet Worms" and "Secure Architectures with OpenBSD." He earned a Ph.D. in biochemistry from Case Western Reserve University in 2002. Prior to joining Arbor Networks, he was an independent security consultant. Dr. Nazario regularly speaks at conferences worldwide, with past presentations at CanSecWest, PacSec, Blackhat, and NANOG. He also maintains, a site devoted to studying worm detection and defense research.

Modern Spammer Infrastructure
Carel van Straaten, Spamhaus
Modern spammer operations are run on a highly professional level. Knowing that their business is constantly threatened on several levels, some spammer operations go to extraordinary lengths to ensure success. This starts with making sure that enough machines get infected to act as senders in a botnet. Fresh domains are bought daily and spread over multiple registrars while the DNS is hosted in separate networks. Reverse web proxies make sure that the online store is available and at the same time untouchable. A high-risk payment service provider completes the picture and makes sure the money ends up with the online criminals. In this talk we explore the measures taken by spammers to run—and keep running—a large modern spamming operation, including the technology used, how it is set up and maintained, what is done to ensure uptime and robustness, and what weak points can be found and maybe even exploited. We will look at some of the trends we see in infrastructure use and abuse, and investigate the questions of what the community can do to fight the problem and what we should focus on today to solve the problems of tomorrow.

Carel van Straaten is an investigator at The Spamhaus Project, where he finds out what makes the spammers' infrastructure tick—and makes sure it stops ticking. Spamhaus is an international non-profit organization based in the UK whose mission is to track the Internet's Spam Gangs, to provide dependable real-time anti-spam protection for Internet networks, and to work with law enforcement agencies to identify and pursue spammers worldwide.

TRIAGE: the WOMBAT attack attribution approach
Marc Dacier, Collaborative Advanced Research, Symantec
In network traffic monitoring, and more particularly in the realm of threat intelligence, the problem of "attack attribution" refers to the process of actively attributing new attack events to (un)known phenomena, based on some evidence or traces left on one or several monitoring platforms. Real-world attack phenomena are often largely distributed on the Internet, or can sometimes evolve quite rapidly. This makes them inherently complex and thus difficult to analyze. In general, the person in charge must consider many different attack features (or criteria) in order to decide about the plausible root cause of a given attack, or to attribute it to some given phenomenon. In this talk, we introduce a global analysis method, named TRIAGE, that aims at addressing this problem in a systematic way. TRIAGE has been developed in the context of the European-funded WOMBAT project. In this talk, we will introduce the concepts of attack attribution and its intrinsic complexity, explain the TRIAGE method, and demonstrate its usefulness with recent results obtained on practical, real-life data sets.

Dr. Marc Dacier is an internationally recognized expert in computer security. At Symantec, Dr. Dacier is responsible for the Collaborative Advanced Research department, whose members are located in Europe (France and Ireland) and in the United States (Washington, D.C. and Los Angeles). Before joining Symantec, Marc taught at Eurecom, one of Europe's most active academic research institutions in the field of computer security. Previously, he was the manager of the Global Security Analysis Lab at IBM Zurich Research Laboratory. Marc has served in more than 60 program committees of major security conferences and was on the editorial board of several technical journals.

Proceedings available from Springer Verlag in the LNCS series.

Local organization by Fraunhofer FKIE and University of Bonn.
For questions about the registration, website, and local organization, please send an email to
For questions about the conference program, please send an email to