Boaz Barak, Oded Goldreich, Russell Impagliazzo, Steven Rudich, Amit Sahai, Salil P. Vadhan, and Ke Yang. On the (im)possibility of obfuscating programs. In CRYPTO '01: Proceedings of the 21st Annual International Cryptology Conference on Advances in Cryptology, pages 1–18, London, UK, 2001. Springer-Verlag.

Fuat Baran, Howard Kaye, and Margaritta Suarez. Security breaches: Five recent incidents at Columbia University. In UNIX Security Workshop II, pages 151–171, Berkeley, CA, August 1990. USENIX Association.

Arash Baratloo, Timothy Tsai, and Navjot Singh. Transparent run-time defense against stack smashing attacks. In Christopher Small, editor, USENIX 2000 Technical Conference Proceedings, Berkeley, CA, June 2000. USENIX Association.

Leland L. Beck. A security mechanism for statistical databases. ACM Transactions on Database Systems, 5(3):316–338, 1980. (doi:10.1145/320613.320617)

Anish Bhimani. Securing the commercial Internet. Communications of the ACM, 39(6):29–35, June 1996.

S. Buchegger and J.-Y. Le Boudec. Nodes bearing grudges: Towards routing security, fairness, and robustness in mobile ad hoc networks. In 10th Euromicro Workshop on Parallel, Distributed and Network-based Processing, pages 403–410, 2002. (doi:10.1109/EMPDP.2002.994321)

G. Buehrer, B. W. Weide, and P. A. Sivilotti. Using parse tree validation to prevent SQL injection attacks. In Proceedings of the 5th International Workshop on Software Engineering and Middleware, pages 106–113. ACM Press, September 2005. (doi:10.1145/1108473.1108496)

David M. Chess and Steve R. White. An undetectable computer virus. In Virus Bulletin Conference, September 2000. Online http://www.research.ibm.com/antivirus/SciPapers/VB2000DC.pdf. Current June 2002.

F. Y. Chin and G. Ozsoyoglu. Auditing and inference control in statistical databases. IEEE Transactions on Software Engineering, SE-8(6):574–582, November 1982.

Stanley Chow, Philip A. Eisen, Harold Johnson, and Paul C. van Oorschot. White-box cryptography and an AES implementation. In SAC '02: Revised Papers from the 9th Annual International Workshop on Selected Areas in Cryptography, pages 250–270, London, UK, 2003. Springer-Verlag.

Fred Cohen. Computer viruses: Theory and experiments. Computers & Security, 6(1):22–35, February 1987.

Fred Cohen. Computational aspects of computer viruses. Computers & Security, 8(4):325–344, June 1989.

Commission of the European Communities. Glossary of information systems security. DGXIII, INFOSEC Programme/S2001, 1993.

Commission of the European Communities. Risk analysis methods database. DGXIII, INFOSEC Programme/S2014, 1993.

W. R. Cook and S. Rai. Safe query objects: Statically typed objects as remotely executable queries. In ICSE 2005: 27th International Conference on Software Engineering, pages 97–106, 2005. (doi:10.1109/ICSE.2005.1553552)

George Coulouris, Jean Dollimore, and Tim Kindberg. Distributed Systems: Concepts and Design. Addison-Wesley, 1995.

Crispin Cowan, Perry Wagle, Calton Pu, Steve Beattie, and Jonathan Walpole. Buffer overflows: Attacks and defenses for the vulnerability of the decade. In Proceedings of the DARPA Information Survivability Conference and Exposition, pages 1119–1129, Washington, DC, January 2000. DARPA, IEEE Computer Society. (doi:10.1109/DISCEX.2000.821514)

United Kingdom Central Computer and Telecommunication Agency. CCTA Risk Analysis and Management Method: User Manual, version 3.0 edition, 1996. HMSO.

David A. Curry. Improving the security of your Unix system. Final Report ITSTD-721-FR-90-21, SRI International, 33 Ravenswood Avenue, Menlo Park, CA 94025-3493, USA, April 1990.

Fabrica Nacional de Moneda y Timbre. PITA: The time stamping service in a PKI. Online ftp://ftp.cordis.lu/pub/infosec/docs/pita.doc, 1998. INFOSEC Project ETS-II Lot 5.1.

Dorothy Denning and Peter MacDoran. Location-based authentication. Computer Security Alert 154, Computer Security Institute, 1996.

Dorothy Elizabeth Robling Denning. An intrusion detection model. IEEE Transactions on Software Engineering, 13(2):222–232, February 1987.

Peter J. Denning. Computer viruses. American Scientist, pages 236–238, May–June 1988.

Tim Dierks and Christopher Allen. The TLS protocol version 1.0. Internet Draft draft-ietf-tls-protocol-03.txt, Internet Engineering Task Force, May 1997.

Eric Dubois and Suchun Wu. A framework for dealing with and specifying security requirements in information systems. In Sokratis K. Katsikas and Dimitris Gritzalis, editors, Information Systems Security: Facing the Information Society of the 21st Century, pages 88–99. Chapman & Hall, 1996.

Tom Duff. Experience with viruses on UNIX systems. Computing Systems, 2(2):155–171, Spring 1989.

J. H. P. Eloff, L. Labuschagne, and K. P. Badenhorst. A comparative framework for risk analysis methods. Computers & Security, 12(6):597–603, October 1993.

Alan O. Freier, Philip Karlton, and Paul C. Kocher. The SSL protocol version 3.0. Internet Draft draft-ietf-tls-ssl-version3-00.txt, Internet Engineering Task Force, November 1996.

Claus Fritzner, Leif Nilsen, and Asmund Skomedal. Protecting security information in distributed systems. In 1991 IEEE Symposium on Security and Privacy, pages 245–254. IEEE Computer Society Press, 1991.

S. M. Furnell, P. S. Dowland, and P. W. Sanders. Dissecting the "hacker manifesto". Information Management and Computer Security, 7(2):69–75, 1999.

Simson Garfinkel and Gene Spafford. Web Security and Commerce. O'Reilly and Associates, Sebastopol, CA, 1997.

Gartner Research. The price of information security, June 2001.

Naji Habra, B. Le Charlier, A. Mounji, and I. Mathieu. ASAX: Software architecture and rule-based language for universal audit trail analysis. In ESORICS 92, November 1992.

Vivek Haldar, Deepak Chandra, and Michael Franz. Dynamic taint propagation for Java. In ACSAC '05: Proceedings of the 21st Annual Computer Security Applications Conference, pages 303–311, Washington, DC, USA, 2005. IEEE Computer Society. (doi:10.1109/CSAC.2005.21)

W. G. Halfond and A. Orso. Preventing SQL injection attacks using AMNESIA. In ICSE 2006: Proceedings of the 28th International Conference on Software Engineering, pages 795–798. ACM Press, May 2006.

William G. J. Halfond, Jeremy Viegas, and Alessandro Orso. A classification of SQL-injection attacks and countermeasures. In Proceedings of the International Symposium on Secure Software Engineering, March 2006.

Andrew Hutchison, Matthias Kaiserswerth, and Peter Trommler. Secure World Wide Web access to server groups. In CMS '96: IFIP TC6/TC11 2nd Joint Working Conference on Communications and Multimedia Security, pages 234–243. Chapman & Hall, 1996.

M. E. Kabay. The NCSA Guide to Enterprise Security: Protecting Information Assets. McGraw-Hill, 1996.

C. Kahn, P. Porras, S. Staniford-Chen, and B. Tung. A common intrusion detection framework. Available online http://www.gidos.org, July 1998.

C. Ko, M. Ruschitzka, and K. Levitt. Execution monitoring of security-critical programs in distributed systems: A specification-based approach. In 1997 IEEE Symposium on Security and Privacy, pages 175–187. IEEE, 1997.

Sin Yeung Lee, Wai Lup Low, and Pei Yuen Wong. Learning fingerprints for a database intrusion detection system. In Dieter Gollmann, Günter Karjoth, and Michael Waidner, editors, ESORICS '02: Proceedings of the 7th European Symposium on Research in Computer Security, pages 264–280, London, UK, 2002. Springer-Verlag. Lecture Notes in Computer Science 2502.

U. Lindqvist and P. A. Porras. Detecting computer and network misuse with the production-based expert system toolset (P-BEST). In IEEE Symposium on Security and Privacy. IEEE, May 1999.

Douglas Maughan, Mark Schertler, Mark Schneider, and Jeff Turner. Internet security association and key management protocol (ISAKMP). Internet Draft draft-ietf-ipsec-isakmp-07.txt, Internet Engineering Task Force, February 1997.

Gary McGraw and Edward Felten. Java Security: Hostile Applets, Holes, and Antidotes. J. Wiley & Sons, 1996.

M. Douglas McIlroy. Virology 101. Computing Systems, 2(2):173–184, Spring 1989.

Kraig Meyer, Stuart Schaeffer, and Dixie Baker. Addressing threats in World Wide Web technology. In 11th Annual Computer Security Applications Conference, pages 123–132. IEEE Computer Society Press, 1995.

Peter G. Neumann. Computer-communications security risks: Melissa is just the tip of a titanic iceberg. Written testimony for the U.S. House Science Committee Subcommittee on Technology, hearing on 15 April 1999. Available online http://www.csl.sri.com/users/neumann/house99.html (July 2001).

Peter G. Neumann. The challenges of insider misuse. In Workshop on Preventing, Detecting, and Responding to Malicious Insider Misuse, August 1999. Available online http://www.csl.sri.com/users/neumann/pgn-misuse.html (July 2001).

V. Paxson. A system for detecting network intruders in real-time. In 7th USENIX Security Symposium, Berkeley, CA, January 1998. USENIX Association.

Frédéric Perriot, Peter Ferrie, and Péter Ször. W32/Simile. Online http://www.virusbtn.com/resources/viruses/indepth/simile.xml. Current June 2002, 2002.

Charles Pfleeger. Security in Computing. Prentice-Hall, 1996.

J. Pieprzyk and B. Sadeghiyan. Design of Hashing Algorithms. Springer-Verlag, 1993. Lecture Notes in Computer Science 756.

M. J. Ranum, K. Landfield, M. Stolarchuck, M. Sienkiewicz, A. Lambeth, and E. Wall. Implementing a generalized tool for network monitoring. In 11th Systems Administration Conference (LISA '97), Berkeley, CA, October 1997. USENIX Association.

Pauline Ratnasingham. EDI security — re-evaluation of controls and its implications on the organizations. Computers & Security, 16(8):650–656, 1997.

E. Rescorla and A. Schiffman. The secure hypertext transfer protocol. Internet Draft draft-ietf-wts-shttp-04.txt, Internet Engineering Task Force, March 1997.

Ravi Sandhu, Edward Coyne, Hal Feinstein, and Charles Youman. Role-based access control: A multi-dimensional view. In 10th Annual Computer Security Applications Conference, pages 54–62. IEEE Computer Society Press, 1994.

Brian Schimpf. Securing Web access with DCE. In ISOC 1997 Symposium on Network and Distributed System Security, pages 102–108. IEEE Computer Society Press, 1997.

R. Sekar and P. Uppuluri. Synthesizing fast intrusion detection/prevention systems from high-level specifications. In 8th USENIX Security Symposium, Berkeley, CA, 1999. USENIX Association.

Prabhat K. Singh and Arun Lakhotia. Analysis and detection of computer viruses and worms: An annotated bibliography. ACM SIGPLAN Notices, 37(2):29–35, February 2002.

Ben Smeets and Thomas Johansson. Secure Storage and Retrieval in Medical Information Systems. Lund University, 1997.

Eugene H. Spafford, Kathleen A. Heaphy, and David J. Ferbrache. A computer virus primer. In Peter J. Denning, editor, Computers Under Attack: Intruders, Worms, and Viruses, chapter 20, pages 316–355. Addison-Wesley, 1990.

Eugene H. Spafford. The Internet worm: Crisis and aftermath. Communications of the ACM, 32(6):678–687, June 1989.

Zhendong Su and Gary Wassermann. The essence of command injection attacks in web applications. In Conference Record of the 33rd ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL '06), pages 372–382. ACM Press, January 2006. (doi:10.1145/1111037.1111070)

Fredrik Valeur, Darren Mutz, and Giovanni Vigna. A learning-based approach to the detection of SQL attacks. In Klaus Julisch and Christopher Kruegel, editors, Intrusion and Malware Detection and Vulnerability Assessment: Second International Conference, DIMVA 2005, pages 123–140, July 2005. Lecture Notes in Computer Science 3548. (doi:10.1007/11506881_8)

Gary Wassermann and Zhendong Su. An analysis framework for security in web applications. In SAVCBS 2004: Proceedings of the FSE Workshop on Specification and Verification of Component-Based Systems, pages 70–78, 2004.

Judson D. Weeks, Adam Cain, and Briand Sanderson. CCI-based Web security. In Fourth International World Wide Web Conference, pages 381–395. O'Reilly & Associates, December 1995.

Richard G. Wilsher and Helmut Kurth. Security assurance in information systems. In Sokratis K. Katsikas and Dimitris Gritzalis, editors, Information Systems Security: Facing the Information Society of the 21st Century, pages 74–87. Chapman & Hall, 1996.

Ira Winkler. Corporate Espionage. Prima Publishing, Rocklin, CA, 1997.