CREDS CREDS: Cyber-security Research Ethics Dialog & Strategy

Date: Saturday, May 17, 2014
Website: www.caida.org/workshops/creds/1405

Workshop objectives and goals:
The future of online trust, innovation & self-regulation is threatened by a widening gap between users’ expectations, formed by laws and norms, and the capacity for great benefits and harms generated by technological advances. As this gap widens, so too does ambiguity between asserted rights and threats. How do we close this gap and thereby lower risks, while also instilling trust in online activities? The solution embraces fundamental principles of ethics to guide our decisions in the midst of information uncertainty.

This workshop anchors off of discussions, themes, and momentum generated from the inaugural CREDS 2013 workshop. Specifically, it targets the shifting roles, responsibilities, and relationships between Researchers, Ethical Review Boards, Government Agencies, Professional Societies, and Program Committees in incentivizing and overseeing ethical research. Its objective is to spawn dialogue and practicable solutions around the following proposition: Building a more effective research ethics culture is a prerequisite for balancing research innovation (i.e., academic freedom, reduced burdens and ambiguities) with public trust (i.e., respect for privacy and confidentiality, accountability, data quality), so we explore the pillars of such a culture as well as the strategies that might be adopted to incorporate them into research operations.

CREDS II invites case studies, research experience and position papers that explore the following questions: • What leadership should be engaged (i.e., institutional, government, peer groups), and what should their respective roles and responsibilities be? • What education and awareness is needed? • What information sharing/coordination needs to be improved: among researchers, among oversight entities, and between researchers and oversight entities? • What knowledge and technology-transfer mechanisms can meet stated needs?

DUMA DUMA: 4th International Workshop on Data Usage Management

Date: Saturday, May 17, 2014
Website: https://sites.google.com/site/ieeespduma14

Workshop objectives and goals:
Data usage control generalizes access control to what happens to data in the future and after it has been given away or accessed. Spanning the domains of privacy, the protection of intellectual property and compliance, typical current requirements include "delete after thirty days," "don't delete within five years," "notify whenever data is given away," and "don't print." However, in the near future more general requirements may include "do not use for employment purposes," "do not use for tracking," as well as "do not use to harm me in any way." Major challenges in this field include policies, the relationship between end user actions and technical events, tracking data across layers of abstraction and logical as well as physical systems, policy enforcement, protection of the enforcement mechanisms and guarantees.

Following three successful events - the Dagstuhl Seminar on Distributed Usage Control, the W3C Privacy and Data Usage Control Workshop, and the WWW 2012 Workshop on Data Usage Management on the Web - the goal of the 4th International Workshop on Data Usage Management is to discuss current technical developments in usage control and, in particular, foster collaboration in the area of usage representation (policies is one mechanism), provenance tracking, misuse identification, and distributed usage enforcement. Though enabling privacy through careful and controlled dissemination of sensitive information is an obvious fallout of usage control, this workshop is interested in understanding data usage control as a whole. The workshop is also interested in discussing domain-specific solutions (which typically exist in semi-controlled environments) and their generalization to more open environments such as the Web.

MoST MoST: Mobile Security Technologies

Date: Saturday, May 17, 2014
Website: http://mostconf.org

Workshop objectives and goals:
With the development of new mobile platforms, such as Android and iOS, mobile computing has shown exponential growth in popularity in recent years. To benefit from the availability of constantly-growing consumer base, new services and applications are being built from the composition of existing ones at breakneck speed. This rapid growth has also been coupled with new security and privacy concerns and challenges. For instance, more and more sensitive content is being collected and shared by third-party applications that, if misused, can have serious security and privacy repercussions. Consequently, there is a growing need to study and address these new challenges.

The goal of the MoST workshop is to bring together researchers, practitioners, policy makers, and hardware and software developers of mobile systems to explore the latest understanding and advances in the security and privacy for mobile devices, applications, and systems. The scope of MoST 2014 includes, but is not limited to, security and privacy specifically for mobile devices and services related to: Device hardware, Operating systems, Middleware, Mobile web, Secure and efficient communication, Secure application development tools and practices, Privacy, Vulnerabilities and remediation techniques, Usable security, Identity and access control, Risks in putting trust in the device vs. in the network/cloud, Special applications, such as medical monitoring and records, Mobile advertisement, Secure applications and application markets, and Economic impact of security and privacy technologies. We are seeking both short position papers (2-4 pages) and longer papers (a maximum of 10 pages).

IWCC IWCC: International Workshop on Cyber Crime

Date: Sunday, May 18, 2014
Website: http://stegano.net/IWCC2014/

Workshop objectives and goals:
Today's world's societies are becoming more and more dependent on open networks such as the Internet - where commercial activities, business transactions and government services are realized. This has led to the fast development of new cyber threats and numerous information security issues which are exploited by cyber criminals. The inability to provide trusted secure services in contemporary computer network technologies has a tremendous socio-economic impact on global enterprises as well as individuals. Moreover, the frequently occurring international frauds impose the necessity to conduct the investigation of facts spanning across multiple international borders. Such examination is often subject to different jurisdictions and legal systems. A good illustration of the above being the Internet, which has made it easier to perpetrate traditional crimes. It has acted as an alternate avenue for the criminals to conduct their activities, and launch attacks with relative anonymity. The increased complexity of the communications and the networking infrastructure is making investigation of the crimes difficult. Traces of illegal digital activities are often buried in large volumes of data, which are hard to inspect with the aim of detecting offences and collecting evidence. Nowadays, the digital crime scene functions like any other network, with dedicated administrators functioning as the first responders. This poses new challenges for law enforcement policies and forces the computer societies to utilize digital forensics to combat the increasing number of cybercrimes. Forensic professionals must be fully prepared in order to be able to provide court admissible evidence. To make these goals achievable, forensic techniques should keep pace with new technologies.

The aim of this workshop is to bring together the research accomplishments provided by the researchers from academia and the industry. The other goal is to show the latest research results in the field of digital forensics and to present the development of tools and techniques which assist the investigation process of potentially illegal cyber activity. We encourage prospective authors to submit related distinguished research papers on the subject of both: theoretical approaches and practical case reviews. The workshop will be accessible to both non-experts interested in learning about this area and experts interesting in hearing about new research and approaches.

LangSec LangSec: A Workshop On Language Theoretic Security

Date: Sunday, May 18, 2014
Website: http://spw14.langsec.org

Workshop objectives and goals:
The LangSec workshop solicits contributions related to the growing area of language--theoretic security. LangSec offers a coherent explanation for the "science of insecurity" as more than an ad hoc collection of software mistakes or design flaws. This explanation is predicated on the connection between fundamental computability principles and the continued existence of software flaws. LangSec posits that the only path to trustworthy software that takes untrusted inputs is treating all valid or expected inputs as a formal language and treating the respective input-handling routines as a recognizer for that language. The LangSec approach to system design is primarily concerned with achieving practical assurance: development that is rooted in fundamentally sound computability theory, but is expressed as efficient and practical systems components. One major objective of the workshop is to develop and share this viewpoint with attendees and the broader systems security community to help establish a foundation for research based on LangSec principles.

The overall goal of the workshop is to bring more clarity and focus to two complementary areas: (1) practical software assurance and (2) vulnerability analysis (identification, characterization, and exploit development). The LangSec community views these activities as related and highly structured engineering disciplines and seeks to provide a forum to explore and develop this relationship.

WRIT WRIT: 2nd Workshop on Research for Insider Threat

Date: Sunday, May 18, 2014
Website: http://www.sei.cmu.edu/community/writ2014/

Workshop objectives and goals:
The threat of damage caused by authorized users, or insiders, is one of the most challenging security issues facing most organizations today. Insiders often attack using authorized access and with actions very similar to non-malicious behavior. Modern insiders are further enabled by immense data storage capabilities, advanced searching algorithms, and the difficulty of building, deploying, and managing comprehensive insider threat monitoring systems. Furthermore, insider attacks can also include those unintentionally enabled by users who fall victim to external attacks such as phishing or drive-by downloads.

Cybersecurity professionals face significant challenges in preventing, detecting, and responding to insider attacks, and often turn to insider threat researchers for answers. Unfortunately, insider threat researchers also face serious barriers to conducting scientifically and operationally valid work, such as access to real-world data and ground-truth about malicious insider activity. Therefore, it is imperative that cybersecurity researchers and professionals work together to find solutions that protect organizations from insider threats. Technical approaches to this problem are emerging, but studies show little significant progress has been made in reducing the actual numbers or impacts of insider attacks. There are two main reasons for the relative lack of success in identifying insider threats:

  • The problem is not well understood. In addition to the complex challenges surrounding collection, correlation, and detection of technical indicators, researchers must also understand underlying human motivations and behaviors. This is not a traditional area of study for IT security researchers; configuring technical solutions to monitor for human deception is challenging.
  • Data on insider attacks is difficult to obtain-
    • Ground truth data: Organizations suffering insider attacks are often reluctant to share data about those attacks publicly. Studies show over 70% of attacks are not reported externally, including many of the most common, low-level attacks. This leads to uncertainty that available data accurately represents the true nature of the problem.
    • Baseline data: The rate of insider attacks is relatively unknown; furthermore, the behaviors of non-malicious users are also not available in large data sets.
WRIT will highlight the challenges and trends specific to the insider threat problem from multiple viewpoints, such as information technology, behavioral sciences, or criminology. Furthermore, the workshop will review emerging approaches and explore experimental possibilities for measuring the efficacy of proposed solutions. The workshop will be accessible to non-experts interested in learning about the insider threat problem as well as experts interested in learning about new research and approaches.

W2SP W2SP: Web 2.0 Security and Privacy

Date: Sunday, May 18, 2014
Website: http://w2spconf.com/2014/

Workshop objectives and goals:
W2SP brings together researchers, practitioners, web programmers, policy makers, and others interested in the latest understanding and advances in the security and privacy of the web, browsers and their eco-system. We have had seven years of successful W2SP workshops. The scope of W2SP 2012 includes, but is not limited to: Trustworthy cloud-based services, privacy and reputation in social networks, security and privacy as a service, usable security and privacy, security for the mobile web, identity management and psuedonymity, web services/feeds/mashups, provenance and governance, security and privacy policies for composable content, next-generation browser technology, secure extensions and plug-ins, advertisement and affiliate fraud, measurement study for understanding web security and privacy.

We are seeking both short position papers (2-4 pages) and longer papers (a maximum of 10 pages). Authors are encouraged to use the IEEE conference proceedings templates. W2SP will continue to be open-access: all papers will be made available on the workshop website, and authors will not need to forfeit their copyright.

Workshop News
Registration Now Open!
March 7, 2014
Registration is now open! Please visit our registration site for more information.
Hotel Information Posted
March 7, 2014
Information on how to reserve your room at a discounted rate for the S&P Workshops is available on the Travel page.
Travel Information Posted
February 26, 2014
Information about Student Travel Grants is available on the Travel page.
Workshops Announced
September 27, 2013
Details regarding the 7 workshops are featured on our Workshops page.
Workshop submission deadline is September 13
August 28, 2013
See the Call for Workshops page for details.
Sponsored by
IEEE Computer Society Technical Committee on Security and Privacy: website

The Security and Privacy Workshops (SPW 2014)
May 17-18, 2014
The Fairmont Hotel, San Jose, California

The Security and Privacy Workshops precede the 35th IEEE Symposium on Security and Privacy

Last Update: May 12, 2014