CCSL+CISL Publications

Publications can also be found on the publications pages of individual lab members.

2025

  • Duumviri: Detecting Trackers and Mixed Trackers with a Breakage Detector
    H. Shuang, L. Zhao, D. Lie
    Network and Distributed System Security Symposium (NDSS'25)

2024

  • Multi-target Risk Score Aggregation for Security Evaluation of Network Environments
    M. Lei, T. A. Madi, M. Nitschke, L. Zhao, M. Pourzandi
    IEEE International Conference on Cloud Computing Technology and Science (CloudCom'24)
  • Towards Exploring Cross-Regional and Cross-Platform Differences in Login Throttling
    M. Cai, X. de Carné de Carnavalet, S. Zhang, L. Zhao, M. Zhang
    Nordic Conference on Secure IT Systems (NordSec'24)
  • Owl: An augmented password-authenticated key exchange scheme
    Feng Hao, Samiran Bag, Liqun Chen, P.C. van Oorschot
    Financial Cryptography 2024. Cryptology ePrint Archive 2023/768
  • Side-channel attacks: A short tour
    F. Piessens, P.C. van Oorschot
    IEEE Security & Privacy 22(2):75-80 (Mar-Apr 2024)
  • A Fragility Metric for Software Diversity
    N. Mansourzadeh, A. Somayaji, J. Jaskolka
    Annual Symposium on Information Assurance (ASIA'24)
  • TEE-Receipt: A TEE-based Non-repudiation Framework for Web Applications
    M. Hofny, L. Zhao, M. Mannan, A. Youssef
    EAI International Conference on Security and Privacy in Communication Networks (SecureComm'24)
  • Detecting Command Injection Vulnerabilities in Linux-Based Embedded Firmware with LLM-based Taint Analysis of Library Functions
    J. Ye, X. Fei, X. de Carné de Carnavalet, L. Zhao, L. Wu, M. Zhang
    Elsevier Computers & Security (COSE)
  • A Survey of Hardware Improvements to Secure Program Execution
    L. Zhao, H. Shuang, S. Xu, W. Huang, R. Cui, P. Bettadpur, D. Lie
    ACM Computing Surveys (CSUR)
  • Racing for TLS Certificate Validation: A Hijacker’s Guide to the Android TLS Galaxy
    S. Pourali, X. Yu, L. Zhao, M. Mannan, A. Youssef
    USENIX Security Symposium (2024)
  • Exposed by Default: A Security Analysis of Home Router Default Settings
    J. Ye, X. de Carné de Carnavalet, L. Zhao, M. Zhang, L. Wu, W. Zhang
    ACM ASIA Conference on Computer and Communications Security (AsiaCCS'24)

2023

  • Influences of displaying permission-related information in web single sign-on login decisions
    Srivathsan G. Morkonda, S. Chiasson, P.C. van Oorschot
    Computers & Security.
  • A survey and analysis of TLS interception mechanisms and motivations
    X. de Carné de Carnavalet, P.C. van Oorschot
    ACM Computing Surveys vol.55 issue 13s, article no.269, pp.1-40.
  • The Flaw Within: Identifying CVSS Score Discrepancies in the NVD
    S. Zhang, M. Cai, M. Zhang, L. Zhao, X. de Carné de Carnavalet
    IEEE International Conference on Cloud Computing Technology and Science (CloudCom'23).
  • Measuring the Leakage and Exploitability of Authentication Secrets in Super-apps: The WeChat Case.
    S. Baskaran, L. Zhao, M. Mannan, A. Youssef
    Symposium on Research in Attacks, Intrusions and Defenses (RAID'23).
  • Memory errors and memory safety: A look at Java and Rust
    P.C. van Oorschot
    IEEE Security & Privacy 21(3):62-68, May-Jun 2023.
  • Memory errors and memory safety: C as a case study
    P.C. van Oorschot
    IEEE Security & Privacy 21(2):70-76, Mar-Apr 2023.
  • Security Best Practices: A Critical Analysis Using IoT as a Case Study
    David Barrera, Christopher Bellman, and P.C. van Oorschot
    ACM Transactions on Privacy and Security, 26(2):13:1–13:30, 2023.
  • A Close Look at a Systematic Method for Analyzing Sets of Security Advice
    David Barrera, Christopher Bellman, and P.C. van Oorschot
    Journal of Cybersecurity, 9(1), Oxford University Press, 2023
  • VIET: A Tool for Extracting Essential Information from Vulnerability Descriptions for CVSS Evaluation
    S. Zhang, M. Zhang, L. Zhao
    IFIP WG 11.3 Conference on Data and Applications Security and Privacy (DBSec'23)
  • vWitness: Certifying Web Page Interactions with Computer Vision
    H. Shuang, L. Zhao, D. Lie
    IEEE/IFIP International Conference on Dependable Systems and Networks (DSN'23)
  • A Hybrid Decision-making Approach to Security Metrics Aggregation in Cloud Environments.
    M. Lei, L. Zhao, M. Pourzandi, F. Farrahi Moghaddam
    IEEE International Conference on Cloud Computing Technology and Science (CloudCom'22)
  • Escaping Vendor Mortality: A New Paradigm for Extending IoT Device Longevity
    Conner Bradley, David Barrera
    NSPW (2023)
  • Why do Internet Devices Remain Vulnerable? A Survey with System Administrators
    Tamara Bondar, Hala Assal, AbdelRahman Abdou.
    NDSS MADWeb (2023)
  • Applying Accessibility Metrics to Measure the Threat Landscape for Users with Disabilities
    John Breton, AbdelRahman Abdou.
    NDSS MADWeb (2023)

2022

  • Towards Characterizing IoT Software Update Practices
    Conner Bradley and David Barrera.
    International Symposium on Foundations & Practice of Security (2022)
  • If-This-Then-Allow-That (to Phone Home): A Trigger-Based Network Policy Enforcement Framework for Smart Homes
    Anthony Tam, Furkan Alaca, David Barrera.
    International Symposium on Foundations & Practice of Security (2022)
  • Certificate Root Stores---An Area of Unity or Disparity?
    Jegan Purushothaman, Ethan Thompson, AbdelRahman Abdou.
    CSET (2022)
  • Cyber security education: reinvention required.
    Paul C. van Oorschot.
    Cyber Today magazine (Australia), 2022 Edition 1, pages 41-45. Australian Information Security Association.
  • SoK: Password-authenticated key exchange - Theory, practice, standardization and real-world lessons.
    F. Hao, Paul C. van Oorschot.
    AsiaCCS (2022)
  • A view of security as 20 subject areas in four themes.
    Paul C. van Oorschot.
    IEEE Security & Privacy 20(1):102-108 (Jan-Feb 2022).
  • Characterizing the Adoption of Security.txt Files and their Applications to Vulnerability Notification.
    William Findlay, AbdelRahman Abdou.
    NDSS MADWeb (2022)

2021

  • Comparative Analysis and Framework Evaluating Mimicry-Resistant and Invisible Web Authentication Schemes.
    Furkan Alaca, AbdelRahman Abdou, Paul C. van Oorschot.
    IEEE Trans. Dependable Secur. Comput. (Vol.18. Num.2. pp:534-549. 2021)
  • Towards 5G-ready Security Metrics.
    L. Zhao, M. Shafayat Oshman, M. Zhang, F. Farrahi Moghaddam, S. Chander, M. Pourzandi.
    IEEE ICC (2021)
  • Is Real-time Phishing Eliminated with FIDO? Social Engineering Downgrade Attacks against FIDO Protocols.
    Enis Ulqinaku, Hala Assal, AbdelRahman Abdou, Sonia Chiasson, Srdjan Capkun.
    USENIX Security Symposium (2021)
  • The EDIT Survey: Identifying Emergency Department Information Technology Knowledge and Training Gaps.
    Daniel Kollek, David Barrera, Elizabeth Stobert, Valérie Homier.
    Journal of Disaster Medicine and Public Health Preparedness (2021)
  • Comparative Analysis of DoT and HTTPS Certificate Ecosystems.
    Ali Jahromi, AbdelRahman Abdou.
    NDSS MADWeb (2021)
  • Empirical Scanning Analysis of Censys and Shodan.
    Christopher Bennett, AbdelRahman Abdou, Paul C. van Oorschot.
    NDSS MADWeb (2021)
  • Toward Unseating the Unsafe C Programming Language.
    Paul C. van Oorschot.
    IEEE Secur. Priv. (Vol.19. Num.2. pp:4-6. 2021)
  • Emilia: Catching Iago in Legacy Code.
    Rongzhen Cui, Lianying Zhao, David Lie.
    NDSS (2021)

2020

  • bpfbox: Simple Precise Process Confinement with eBPF.
    William Findlay, Anil Somayaji, David Barrera.
    ACM CCSW (2020)
  • SERENIoT: Distributed Network Security Policy Management and Enforcement for Smart Homes.
    Corentin Thomasset, David Barrera.
    ACSAC (2020)
  • SoK: Delegation and Revocation, the Missing Links in the Web's Chain of Trust.
    Laurent Chuat, AbdelRahman Abdou, Ralf Sasse, Christoph Sprenger, David Basin, Adrian Perrig.
    IEEE EuroS&P (2020)
  • Understanding Cybersecurity Practices in Emergency Departments.
    Elizabeth Stobert, David Barrera, Valerie Homier, Daniel Kollek.
    ACM CHI (2020)
  • Towards In-Band Non-Cryptographic Authentication.
    Nour Dabbour, Anil Somayaji.
    NSPW (2020)
  • Computer Security and the Internet - Tools and Jewels
    Paul C. van Oorschot.
    Springer. Information Security and Cryptography. (2020)
  • Comparative Analysis and Framework Evaluating Web Single Sign-on Systems.
    Furkan Alaca, Paul C. van Oorschot.
    ACM Comput. Surv. (Vol.53. Num.5. pp:112:1-112:34. 2020)
  • Untangling Security and Privacy.
    Paul C. van Oorschot.
    IEEE Secur. Priv. (Vol.18. Num.2. pp:4-6. 2020)
  • Blockchains and Stealth Tactics for Teaching Security.
    Paul C. van Oorschot.
    IEEE Secur. Priv. (Vol.18. Num.5. pp:3-5. 2020)
  • CAPS: Smoothly Transitioning to a More Resilient Web PKI.
    Stephanos Matsumoto, Jay Bosamiya, Yucheng Dai, Paul C. van Oorschot, Bryan Parno.
    ACSAC (2020)
  • Is Hardware More Secure Than Software?
    Lianying Zhao, David Lie.
    IEEE Secur. Priv. (Vol.18. Num.5. pp:8-17. 2020)

2019

  • UWB-ED: Distance Enlargement Attack Detection in Ultra-Wideband.
    Mridula Singh, Patrick Leu, AbdelRahman Abdou, Srdjan Capkun.
    USENIX Security Symposium (2019)
  • Software Security and Systematizing Knowledge.
    Paul C. van Oorschot.
    IEEE Secur. Priv. (Vol.17. Num.3. pp:4-6. 2019)
  • The Internet of Things: Security Challenges.
    Paul C. van Oorschot, Sean W. Smith.
    IEEE Secur. Priv. (Vol.17. Num.5. pp:7-9. 2019)
  • Analysis, Implications, and Challenges of an Evolving Consumer IoT Security Landscape.
    Christopher Bellman, Paul C. van Oorschot.
    PST (2019)
  • Onboarding and Software Update Architecture for IoT Devices.
    Hemant Gupta, Paul C. van Oorschot.
    PST (2019)
  • Using Inputs and Context to Verify User Intentions in Internet Services.
    He Shuang, Wei Huang, Pushkar Bettadpur, Lianying Zhao, Ivan Pustogarov, David Lie.
    APSys (2019)
  • One-Time Programs Made Practical.
    Lianying Zhao, Joseph I. Choi, Didem Demirag, Kevin R. B. Butler, Mohammad Mannan, Erman Ayday, Jeremy Clark.
    Financial Cryptography (2019)
  • TEE-aided Write Protection Against Privileged Data Tampering.
    Lianying Zhao, Mohammad Mannan.
    NDSS (2019)

2018

  • Comparative Analysis of Control Plane Security of SDN and Conventional Networks.
    AbdelRahman Abdou, Paul C. van Oorschot, Tao Wan.
    IEEE Commun. Surv. Tutorials (Vol.20. Num.4. pp:3542-3559. 2018)
  • Server Location Verification (SLV) and Server Location Pinning: Augmenting TLS Authentication.
    AbdelRahman Abdou, Paul C. van Oorschot.
    ACM Trans. Priv. Secur. (Vol.21. Num.1. pp:1:1-1:26. 2018)
  • Secure Client and Server Geolocation over the Internet.
    AbdelRahman Abdou, Paul C. van Oorschot.
    login Usenix Mag. (Vol.43. Num.1. pp:19-25. 2018)
  • TARANET: Traffic-Analysis Resistant Anonymity at the Network Layer.
    Chen Chen, Daniele Enrico Asoni, Adrian Perrig, David Barrera, George Danezis, Carmela Troncoso.
    EuroS&P (2018)
  • Learning over subconcepts: Strategies for 1-class classification.
    Shiven Sharma, Anil Somayaji, Nathalie Japkowicz.
    Comput. Intell. (Vol.34. Num.2. pp:440-467. 2018)
  • Technological and Human Factors of Malware Attacks: A Computer Security Clinical Trial Approach.
    Fanny Lalonde Lévesque, Sonia Chiasson, Anil Somayaji, José M. Fernandez.
    ACM Trans. Priv. Secur. (Vol.21. Num.4. pp:18:1-18:30. 2018)
  • After the BlockCloud Apocalypse.
    Mark Burgess, Anil Somayaji.
    NSPW (2018)
  • Science of Security: Combining Theory and Measurement to Reflect the Observable.
    Cormac Herley, Paul C. van Oorschot.
    IEEE Secur. Priv. (Vol.16. Num.1. pp:12-22. 2018)
  • Letter to the Editor.
    John D. McLean, Cormac Herley, Paul C. van Oorschot.
    IEEE Secur. Priv. (Vol.16. Num.3. pp:6-10. 2018)
  • A Discussion on Security Education in Academia.
    Kevin R. B. Butler, Robert K. Cunningham, Paul C. van Oorschot, Reihaneh Safavi-Naini, Ashraf Matrawy, Jeremy Clark.
    CCS (2018)
  • BP: Formal Proofs, the Fine Print and Side Effects.
    Toby C. Murray, Paul C. van Oorschot.
    SecDev (2018)

2017

  • A survey on forensic event reconstruction systems.
    Abes Dabir, AbdelRahman Abdou, Ashraf Matrawy.
    Int. J. Inf. Comput. Secur. (Vol.9. Num.4. pp:337-360. 2017)
  • CPV: Delay-Based Location Verification for the Internet.
    AbdelRahman Abdou, Ashraf Matrawy, Paul C. van Oorschot.
    IEEE Trans. Dependable Secur. Comput. (Vol.14. Num.2. pp:130-144. 2017)
  • Location Verification of Wireless Internet Clients: Evaluation and Improvements.
    AbdelRahman Abdou, Ashraf Matrawy, Paul C. van Oorschot.
    IEEE Trans. Emerg. Top. Comput. (Vol.5. Num.4. pp:563-575. 2017)
  • Accurate Manipulation of Delay-based Internet Geolocation.
    AbdelRahman Abdou, Ashraf Matrawy, Paul C. van Oorschot.
    AsiaCCS (2017)
  • The SCION internet architecture.
    David Barrera, Laurent Chuat, Adrian Perrig, Raphael M. Reischuk, Pawel Szalachowski.
    Commun. ACM (Vol.60. Num.6. pp:56-65. 2017)
  • Internet Kill Switches Demystified.
    Benjamin Rothenberger, Daniele Enrico Asoni, David Barrera, Adrian Perrig.
    EUROSEC (2017)
  • Can I believe you?: Establishing Trust in Computer Mediated Introductions.
    Borke Obada-Obieh, Anil Somayaji.
    NSPW (2017)
  • On the security and usability of dynamic cognitive game CAPTCHAs.
    Manar Mohamed, Song Gao, Niharika Sachdeva, Nitesh Saxena, Chengcui Zhang, Ponnurangam Kumaraguru, Paul C. van Oorschot.
    J. Comput. Secur. (Vol.25. Num.3. pp:205-230. 2017)
  • Science, Security and Academic Literature: Can We Learn from History?
    Paul C. van Oorschot.
    MTD@CCS (2017)
  • SoK: Science, Security and the Elusive Goal of Security as a Scientific Pursuit.
    Cormac Herley, Paul C. van Oorschot.
    IEEE Symposium on Security and Privacy (2017)

2016

  • Modeling Data-Plane Power Consumption of Future Internet Architectures.
    Chen Chen, David Barrera, Adrian Perrig.
    CIC (2016)
  • Source Accountability with Domain-brokered Privacy.
    Taeho Lee, Christos Pappas, David Barrera, Pawel Szalachowski, Adrian Perrig.
    CoNEXT (2016)
  • Picking a (Smart)Lock: Locking Relationships on Mobile Devices.
    Elizabeth Stobert, David Barrera.
    WAY@SOUPS (2016)
  • Pushing on string: the 'don't care' region of password strength.
    Dinei Florêncio, Cormac Herley, Paul C. van Oorschot.
    Commun. ACM (Vol.59. Num.11. pp:66-74. 2016)
  • Device fingerprinting for augmenting web authentication: classification and analysis of methods.
    Furkan Alaca, Paul C. van Oorschot.
    ACSAC (2016)
  • Revisiting password rules: facilitating human management of passwords.
    Leah Zhang-Kennedy, Sonia Chiasson, Paul C. van Oorschot.
    eCrime (2016)
  • Deceptive Deletion Triggers Under Coercion.
    Lianying Zhao, Mohammad Mannan.
    IEEE Trans. Inf. Forensics Secur. (Vol.11. Num.12. pp:2763-2776. 2016)
  • Hypnoguard: Protecting Secrets across Sleep-wake Cycles.
    Lianying Zhao, Mohammad Mannan.
    CCS (2016)

2015

  • Taxing the Queue: Hindering Middleboxes From Unauthorized Large-Scale Traffic Relaying.
    AbdelRahman Abdou, Ashraf Matrawy, Paul C. van Oorschot.
    IEEE Commun. Lett. (Vol.19. Num.1. pp:42-45. 2015)
  • Accurate One-Way Delay Estimation With Reduced Client Trustworthiness.
    AbdelRahman Abdou, Ashraf Matrawy, Paul C. van Oorschot.
    IEEE Commun. Lett. (Vol.19. Num.5. pp:735-738. 2015)
  • What Lies Beneath? Analyzing Automated SSH Bruteforce Attacks.
    AbdelRahman Abdou, David Barrera, Paul C. van Oorschot.
    PASSWORDS (2015)
  • HORNET: High-speed Onion Routing at the Network Layer.
    Chen Chen, Daniele Enrico Asoni, David Barrera, George Danezis, Adrian Perrig.
    ACM Conference on Computer and Communications Security (2015)
  • On Building Onion Routing into Future Internet Architectures.
    Daniele Enrico Asoni, Chen Chen, David Barrera, Adrian Perrig.
    iNetSeC (2015)
  • Measuring the health of antivirus ecosystems.
    Fanny Lalonde Lévesque, Anil Somayaji, Dennis Batchelder, José M. Fernandez.
    MALWARE (2015)
  • Passwords and the evolution of imperfect authentication.
    Joseph Bonneau, Cormac Herley, Paul C. van Oorschot, Frank Stajano.
    Commun. ACM (Vol.58. Num.7. pp:78-87. 2015)
  • Quantifying the security advantage of password expiration policies.
    Sonia Chiasson, Paul C. van Oorschot.
    Des. Codes Cryptogr. (Vol.77. Num.2-3. pp:401-408. 2015)
  • An Empirical Evaluation of Security Indicators in Mobile Web Browsers.
    Chaitrali Amrutkar, Patrick Traynor, Paul C. van Oorschot.
    IEEE Trans. Mob. Comput. (Vol.14. Num.5. pp:889-903. 2015)
  • Heuristics for the evaluation of captchas on smartphones.
    Gerardo Reynaga, Sonia Chiasson, Paul C. van Oorschot.
    BCS HCI (2015)
  • Gracewipe: Secure and Verifiable Deletion under Coercion.
    Lianying Zhao, Mohammad Mannan.
    NDSS (2015)

2014

  • Location verification on the Internet: Towards enforcing location-aware access policies over Internet clients.
    AbdelRahman Abdou, Ashraf Matrawy, Paul C. van Oorschot.
    CNS (2014)
  • Baton: certificate agility for android's decentralized signing infrastructure.
    David Barrera, Daniel McCarney, Jeremy Clark, Paul C. van Oorschot.
    WISEC (2014)
  • Risk prediction of malware victimization based on user behavior.
    Fanny Lalonde Lévesque, José M. Fernandez, Anil Somayaji.
    MALWARE (2014)
  • Security Analysis and Related Usability of Motion-Based CAPTCHAs: Decoding Codewords in Motion.
    Yi Xu, Gerardo Reynaga, Sonia Chiasson, Jan-Michael Frahm, Fabian Monrose, Paul C. van Oorschot.
    IEEE Trans. Dependable Secur. Comput. (Vol.11. Num.5. pp:480-493. 2014)
  • A three-way investigation of a game-CAPTCHA: automated attacks, relay attacks and usability.
    Manar Mohamed, Niharika Sachdeva, Michael Georgescu, Song Gao, Nitesh Saxena, Chengcui Zhang, Ponnurangam Kumaraguru, Paul C. van Oorschot, Wei-bang Chen.
    AsiaCCS (2014)
  • An Administrator's Guide to Internet Password Research.
    Dinei Florêncio, Cormac Herley, Paul C. van Oorschot.
    LISA (2014)
  • Password Portfolios and the Finite-Effort User: Sustainably Managing Large Numbers of Accounts.
    Dinei Florêncio, Cormac Herley, Paul C. van Oorschot.
    USENIX Security Symposium (2014)

2013

  • A High-Temperature Fiber Sensor Using a Low Cost Interrogation Scheme.
    David Barrera, Salvador Sales.
    Sensors (Vol.13. Num.9. pp:11653-11659. 2013)
  • Deadbolt: locking down android disk encryption.
    Adam Skillen, David Barrera, Paul C. van Oorschot.
    SPSM@CCS (2013)
  • A clinical study of risk factors related to malware infections.
    Fanny Lalonde Lévesque, Jude Nsiempba, José M. Fernandez, Sonia Chiasson, Anil Somayaji.
    CCS (2013)
  • Towards narrative authentication: or, against boring authentication.
    Anil Somayaji, David Mould, Carson Brown.
    NSPW (2013)
  • Evaluation in the absence of absolute ground truth: toward reliable evaluation methodology for scan detectors.
    Mansour Alsaleh, Paul C. van Oorschot.
    Int. J. Inf. Sec. (Vol.12. Num.2. pp:97-110. 2013)
  • Markets for zero-day exploits: ethics and implications.
    Serge Egelman, Cormac Herley, Paul C. van Oorschot.
    NSPW (2013)
  • SoK: SSL and HTTPS: Revisiting Past Challenges and Evaluating Certificate Trust Model Enhancements.
    Jeremy Clark, Paul C. van Oorschot.
    IEEE Symposium on Security and Privacy (2013)
  • Explicit authentication response considered harmful.
    Lianying Zhao, Mohammad Mannan.
    NSPW (2013)

2012

  • A network-based approach to the multi-activity combined timetabling and crew scheduling problem: Workforce scheduling for public health policy implementation.
    David Barrera, Nubia Velasco, Ciro-Alberto Amaya.
    Computers & Industrial Engineering (Vol.63. Num.4. pp:802-812. 2012)
  • Tapas: design, implementation, and usability evaluation of a password manager.
    Daniel McCarney, David Barrera, Jeremy Clark, Sonia Chiasson, Paul C. van Oorschot.
    ACSAC (2012)
  • ThinAV: truly lightweight mobile cloud-based anti-malware.
    Chris Jarabek, David Barrera, John Aycock.
    ACSAC (2012)
  • Understanding and improving app installation security mechanisms through empirical analysis of android.
    David Barrera, Jeremy Clark, Daniel McCarney, Paul C. van Oorschot.
    SPSM@CCS (2012)
  • Methodology for a Field Study of Anti-malware Software.
    Fanny Lalonde Lévesque, Carlton R. Davis, José M. Fernandez, Sonia Chiasson, Anil Somayaji.
    Financial Cryptography Workshops (2012)
  • Software Diversity: Security, Entropy and Game Theory.
    Saran Neti, Anil Somayaji, Michael E. Locasto.
    HotSec (2012)
  • Graphical passwords: Learning from the first twelve years.
    Robert Biddle, Sonia Chiasson, Paul C. van Oorschot.
    ACM Comput. Surv. (Vol.44. Num.4. pp:19:1-19:41. 2012)
  • The Future of Authentication.
    Dirk Balfanz, Richard Chow, Ori Eisen, Markus Jakobsson, Steve Kirsch, Scott Matsumoto, Jesus Molina, Paul C. van Oorschot.
    IEEE Secur. Priv. (Vol.10. Num.1. pp:22-27. 2012)
  • A Research Agenda Acknowledging the Persistence of Passwords.
    Cormac Herley, Paul C. van Oorschot.
    IEEE Secur. Priv. (Vol.10. Num.1. pp:28-36. 2012)
  • Revisiting network scanning detection using sequential hypothesis testing.
    Mansour Alsaleh, Paul C. van Oorschot.
    Secur. Commun. Networks (Vol.5. Num.12. pp:1337-1350. 2012)
  • Revisiting Defenses against Large-Scale Online Password Guessing Attacks.
    Mansour Alsaleh, Mohammad Mannan, Paul C. van Oorschot.
    IEEE Trans. Dependable Secur. Comput. (Vol.9. Num.1. pp:128-141. 2012)
  • Persuasive Cued Click-Points: Design, Implementation, and Evaluation of a Knowledge-Based Authentication Mechanism.
    Sonia Chiasson, Elizabeth Stobert, Alain Forget, Robert Biddle, Paul C. van Oorschot.
    IEEE Trans. Dependable Secur. Comput. (Vol.9. Num.2. pp:222-235. 2012)
  • Reducing Unauthorized Modification of Digital Objects.
    Paul C. van Oorschot, Glenn Wurster.
    IEEE Trans. Software Eng. (Vol.38. Num.1. pp:191-204. 2012)
  • Passwords for Both Mobile and Desktop Computers: ObPwd for Firefox and Android.
    Mohammad Mannan, Paul C. van Oorschot.
    login Usenix Mag. (Vol.37. Num.4. pp:28-37. 2012)
  • Measuring SSL Indicators on Mobile Browsers: Extended Life, or End of the Road?
    Chaitrali Amrutkar, Patrick Traynor, Paul C. van Oorschot.
    ISC (2012)
  • The Quest to Replace Passwords: A Framework for Comparative Evaluation of Web Authentication Schemes.
    Joseph Bonneau, Cormac Herley, Paul C. van Oorschot, Frank Stajano.
    IEEE Symposium on Security and Privacy (2012)
  • Security and Usability Challenges of Moving-Object CAPTCHAs: Decoding Codewords in Motion.
    Yi Xu, Gerardo Reynaga, Sonia Chiasson, Jan-Michael Frahm, Fabian Monrose, Paul C. van Oorschot.
    USENIX Security Symposium (2012)

2011

  • Secure Software Installation on Smartphones.
    David Barrera, Paul C. van Oorschot.
    IEEE Security & Privacy (Vol.9. Num.3. pp:42-48. 2011)
  • Accommodating IPv6 Addresses in Security Visualization Tools.
    David Barrera, Paul C. van Oorschot.
    Information Visualization (Vol.10. Num.2. pp:107-116. 2011)
  • Back to the Future: Revisiting IPv6 Privacy Extensions.
    David Barrera, Glenn Wurster, Paul C. van Oorschot.
    ;login: (Vol.36. Num.1. pp:16-26. 2011)
  • Mercury: Recovering Forgotten Passwords Using Personal Devices.
    Mohammad Mannan, David Barrera, Carson D. Brown, David Lie, Paul C. van Oorschot.
    Financial Cryptography (2011)
  • Countering unauthorized code execution on commodity kernels: A survey of common interfaces allowing kernel code modification.
    Trent Jaeger, Paul C. van Oorschot, Glenn Wurster.
    Comput. Secur. (Vol.30. Num.8. pp:571-579. 2011)
  • Exploiting predictability in click-based graphical passwords.
    Paul C. van Oorschot, Julie Thorpe.
    J. Comput. Secur. (Vol.19. Num.4. pp:669-702. 2011)
  • Leveraging personal devices for stronger password authentication from untrusted computers.
    Mohammad Mannan, Paul C. van Oorschot.
    J. Comput. Secur. (Vol.19. Num.4. pp:703-750. 2011)
  • User Study, Analysis, and Usable Security of Passwords Based on Digital Objects.
    Robert Biddle, Mohammad Mannan, Paul C. van Oorschot, Tara Whalen.
    IEEE Trans. Inf. Forensics Secur. (Vol.6. Num.3-2. pp:970-979. 2011)
  • Network scan detection with LQS: a lightweight, quick and stateful algorithm.
    Mansour Alsaleh, Paul C. van Oorschot.
    AsiaCCS (2011)
  • Exploration and Field Study of a Password Manager Using Icon-Based Passwords.
    Kemal Bicakci, Nart Bedin Atalay, Mustafa Yuceel, Paul C. van Oorschot.
    Financial Cryptography Workshops (2011)
  • A multi-word password proposal (gridWord) and exploring questions about science in security research and usable security evaluation.
    Kemal Bicakci, Paul C. van Oorschot.
    NSPW (2011)

2010 and Earlier

  • A methodology for empirical analysis of permission-based security models and its application to android.
    David Barrera, Hilmi Günes Kayacik, Paul C. van Oorschot, Anil Somayaji.
    ACM Conference on Computer and Communications Security (2010)
  • The case for in-the-lab botnet experimentation: creating and taking down a 3000-node botnet.
    Joan Calvet, Carlton R. Davis, José M. Fernandez, Jean-Yves Marion, Pier-Luc St-Onge, Wadie Guizani, Pierre-Marc Bureau, Anil Somayaji.
    ACSAC (2010)
  • Object-level recombination of commodity applications.
    Blair Foster, Anil Somayaji.
    GECCO (2010)
  • Visual Security Policy for the Web.
    Terri Oda, Anil Somayaji.
    HotSec (2010)
  • Purely automated attacks on passpoints-style graphical passwords.
    Paul C. van Oorschot, Amirali Salehi-Abari, Julie Thorpe.
    IEEE Trans. Inf. Forensics Secur. (Vol.5. Num.3. pp:393-405. 2010)
  • Exploring usability effects of increasing security in click-based graphical passwords.
    Elizabeth Stobert, Alain Forget, Sonia Chiasson, Paul C. van Oorschot, Robert Biddle.
    ACSAC (2010)
  • System security, platform security and usability.
    Paul C. van Oorschot.
    STC@CCS (2010)
  • A control point for reducing root abuse of file-system privileges.
    Glenn Wurster, Paul C. van Oorschot.
    CCS (2010)
  • FiGD: An Open Source Intellectual Property Violation Detector.
    Carson D. Brown, David Barrera, Dwight Deugo.
    SEKE (2009)
  • Security visualization tools and IPv6 addresses.
    David Barrera, Paul C. van Oorschot.
    VizSEC (2009)
  • Analysis of the 1999 DARPA/Lincoln Laboratory IDS evaluation data with NetADHICT.
    Carson Brown, Alex Cowperthwaite, Abdulrahman Hijazi, Anil Somayaji.
    CISDA (2009)
  • Evaluating Security Products with Clinical Trials.
    Anil Somayaji, Yiru Li, Hajime Inoue, José M. Fernandez, Richard Ford.
    USENIX CSET (2009)
  • Reducing threats from flawed security APIs: The banking PIN case.
    Mohammad Mannan, Paul C. van Oorschot.
    Comput. Secur. (Vol.28. Num.6. pp:410-420. 2009)
  • Internet geolocation: Evasion and counterevasion.
    James A. Muir, Paul C. van Oorschot.
    ACM Comput. Surv. (Vol.42. Num.1. pp:4:1-4:23. 2009)
  • User interface design affects security: patterns in click-based graphical passwords.
    Sonia Chiasson, Alain Forget, Robert Biddle, Paul C. van Oorschot.
    Int. J. Inf. Sec. (Vol.8. Num.6. pp:387-398. 2009)
  • Browser interfaces and extended validation SSL certificates: an empirical study.
    Robert Biddle, Paul C. van Oorschot, Andrew S. Patrick, Jennifer Sobey, Tara Whalen.
    CCSW (2009)
  • Multiple password interference in text passwords and click-based graphical passwords.
    Sonia Chiasson, Alain Forget, Elizabeth Stobert, Paul C. van Oorschot, Robert Biddle.
    CCS (2009)
  • Passwords: If We're So Smart, Why Are We Still Using Them?
    Cormac Herley, Paul C. van Oorschot, Andrew S. Patrick.
    Financial Cryptography (2009)
  • TwoStep: An Authentication Method Combining Text and Graphical Passwords.
    Paul C. van Oorschot, Tao Wan.
    MCETECH (2009)
  • Improving Security Visualization with Exposure Map Filtering.
    Mansour Alsaleh, David Barrera, Paul C. van Oorschot.
    ACSAC (2008)
  • The Evolution of System-Call Monitoring.
    Stephanie Forrest, Steven A. Hofmeyr, Anil Somayaji.
    ACSAC (2008)
  • SOMA: mutual approval for included content in web pages.
    Terri Oda, Glenn Wurster, Paul C. van Oorschot, Anil Somayaji.
    CCS (2008)
  • Discovering Packet Structure through Lightweight Hierarchical Clustering.
    Abdulrahman Hijazi, Hajime Inoue, Ashraf Matrawy, Paul C. van Oorschot, Anil Somayaji.
    ICC (2008)
  • On predictive models and user-drawn graphical passwords.
    Paul C. van Oorschot, Julie Thorpe.
    ACM Trans. Inf. Syst. Secur. (Vol.10. Num.4. pp:5:1-5:33. 2008)
  • On Purely Automated Attacks and Click-Based Graphical Passwords.
    Amirali Salehi-Abari, Julie Thorpe, Paul C. van Oorschot.
    ACSAC (2008)
  • Influencing users towards better passwords: persuasive cued click-points.
    Sonia Chiasson, Alain Forget, Robert Biddle, Paul C. van Oorschot.
    BCS HCI (1) (2008)
  • CROO: A Universal Infrastructure and Protocol to Detect Identity Fraud.
    Deholo Nali, Paul C. van Oorschot.
    ESORICS (2008)
  • Exploring User Reactions to New Browser Cues for Extended Validation Certificates.
    Jennifer Sobey, Robert Biddle, Paul C. van Oorschot, Andrew S. Patrick.
    ESORICS (2008)
  • Weighing Down "The Unbearable Lightness of PIN Cracking".
    Mohammad Mannan, Paul C. van Oorschot.
    Financial Cryptography (2008)
  • Centered Discretization with Application to Graphical Passwords.
    Sonia Chiasson, Jayakumar Srinivasan, Robert Biddle, Paul C. van Oorschot.
    UPSEC (2008)
  • Localization of credential information to address increasingly inevitable data breaches.
    Mohammad Mannan, Paul C. van Oorschot.
    NSPW (2008)
  • The developer is the enemy.
    Glenn Wurster, Paul C. van Oorschot.
    NSPW (2008)
  • Persuasion for Stronger Passwords: Motivation and Pilot Study.
    Alain Forget, Sonia Chiasson, Paul C. van Oorschot, Robert Biddle.
    PERSUASIVE (2008)
  • Improving text passwords through persuasion.
    Alain Forget, Sonia Chiasson, Paul C. van Oorschot, Robert Biddle.
    SOUPS (2008)
  • Digital Objects as Passwords.
    Mohammad Mannan, Paul C. van Oorschot.
    HotSec (2008)
  • Privacy-enhanced sharing of personal content on the web.
    Mohammad Mannan, Paul C. van Oorschot.
    WWW (2008)
  • Learning DFA representations of HTTP for protecting web applications.
    Kenneth L. Ingham, Anil Somayaji, John Burge, Stephanie Forrest.
    Comput. Networks (Vol.51. Num.5. pp:1239-1255. 2007)
  • Immunology, diversity, and homeostasis: The past and future of biologically inspired computer defenses.
    Anil Somayaji.
    Inf. Secur. Tech. Rep. (Vol.12. Num.4. pp:228-234. 2007)
  • A methodology for designing accurate anomaly detection systems.
    Kenneth L. Ingham, Anil Somayaji.
    LANC (2007)
  • NetADHICT: A Tool for Understanding Network Traffic.
    Hajime Inoue, Dana Jansens, Abdulrahman Hijazi, Anil Somayaji.
    LISA (2007)
  • The future of biologically-inspired security: is there anything left to learn?
    Anil Somayaji, Michael E. Locasto, Jan Feyereisl.
    NSPW (2007)
  • On interdomain routing security and pretty secure BGP (psBGP).
    Paul C. van Oorschot, Tao Wan, Evangelos Kranakis.
    ACM Trans. Inf. Syst. Secur. (Vol.10. Num.3. pp:11. 2007)
  • Tracking Darkports for Network Defense.
    David Whyte, Paul C. van Oorschot, Evangelos Kranakis.
    ACSAC (2007)
  • Graphical Password Authentication Using Cued Click Points.
    Sonia Chiasson, Paul C. van Oorschot, Robert Biddle.
    ESORICS (2007)
  • Using a Personal Device to Strengthen Password Authentication from an Untrusted Computer.
    Mohammad Mannan, Paul C. van Oorschot.
    Financial Cryptography (2007)
  • Security and usability: the gap in real-world online banking.
    Mohammad Mannan, Paul C. van Oorschot.
    NSPW (2007)
  • VideoTicket: detecting identity fraud attempts via audiovisual certificates and signatures.
    Deholo Nali, Paul C. van Oorschot, Andy Adler.
    NSPW (2007)
  • A second look at the usability of click-based graphical passwords.
    Sonia Chiasson, Robert Biddle, Paul C. van Oorschot.
    SOUPS (2007)
  • Usability of anonymous web browsing: an examination of Tor interfaces and deployability.
    Jeremy Clark, Paul C. van Oorschot, Carlisle Adams.
    SOUPS (2007)
  • Human-Seeded Attacks and Exploiting Hot-Spots in Graphical Passwords.
    Julie Thorpe, Paul C. van Oorschot.
    USENIX Security Symposium (2007)
  • Self-Signed Executables: Restricting Replacement of Program Binaries by Malware.
    Glenn Wurster, Paul C. van Oorschot.
    HotSec (2007)
  • A monitoring system for detecting repeated packets with applications to computer worms.
    Paul C. van Oorschot, Jean-Marc Robert, Miguel Vargas Martin.
    Int. J. Inf. Sec. (Vol.5. Num.3. pp:186-199. 2006)
  • On countering online dictionary attacks with login histories and humans-in-the-loop.
    Paul C. van Oorschot, Stuart G. Stubblebine.
    ACM Trans. Inf. Syst. Secur. (Vol.9. Num.3. pp:235-258. 2006)
  • Addressing SMTP-Based Mass-Mailing Activity within Enterprise Networks.
    David Whyte, Paul C. van Oorschot, Evangelos Kranakis.
    ACSAC (2006)
  • A Protocol for Secure Public Instant Messaging.
    Mohammad Mannan, Paul C. van Oorschot.
    Financial Cryptography (2006)
  • Analysis of BGP prefix origins during Google's May 2005 outage.
    Tao Wan, Paul C. van Oorschot.
    IPDPS (2006)
  • A Usability Study and Critique of Two Password Managers.
    Sonia Chiasson, Paul C. van Oorschot, Robert Biddle.
    USENIX Security Symposium (2006)
  • Exposure Maps: Removing Reliance on Attribution During Scan Detection.
    David Whyte, Paul C. van Oorschot, Evangelos Kranakis.
    HotSec (2006)
  • Hardware-Assisted Circumvention of Self-Hashing Software Tamper Resistance.
    Paul C. van Oorschot, Anil Somayaji, Glenn Wurster.
    IEEE Trans. Dependable Secur. Comput. (Vol.2. Num.2. pp:82-92. 2005)
  • Mitigating Network Denial-of-Service Through Diversity-Based Traffic Management.
    Ashraf Matrawy, Paul C. van Oorschot, Anil Somayaji.
    ACNS (2005)
  • Highlights from the 2005 New Security Paradigms Workshop.
    Simon N. Foley, Abe Singer, Michael E. Locasto, Stelios Sidiroglou, Angelos D. Keromytis, John P. McDermott, Julie Thorpe, Paul C. van Oorschot, Anil Somayaji, Richard Ford, Mark Bush, Alex Boulatov.
    ACSAC (2005)
  • Securing Email Archives through User Modeling.
    Yiru Li, Anil Somayaji.
    ACSAC (2005)
  • Towards Network Awareness.
    Evan Hughes, Anil Somayaji.
    LISA (2005)
  • Pass-thoughts: authenticating with our minds.
    Julie Thorpe, Paul C. van Oorschot, Anil Somayaji.
    NSPW (2005)
  • A Generic Attack on Checksumming-Based Software Tamper Resistance.
    Glenn Wurster, Paul C. van Oorschot, Anil Somayaji.
    IEEE Symposium on Security and Privacy (2005)
  • Detecting Intra-enterprise Scanning Worms based on Address Resolution.
    David Whyte, Paul C. van Oorschot, Evangelos Kranakis.
    ACSAC (2005)
  • Countering Identity Theft Through Digital Uniqueness, Location Cross-Checking, and Funneling.
    Paul C. van Oorschot, Stuart G. Stubblebine.
    Financial Cryptography (2005)
  • Pretty Secure BGP, psBGP.
    Tao Wan, Evangelos Kranakis, Paul C. van Oorschot.
    NDSS (2005)
  • DNS-based Detection of Scanning Worms in an Enterprise Network.
    David Whyte, Evangelos Kranakis, Paul C. van Oorschot.
    NDSS (2005)
  • Message authentication by integrity with public corroboration.
    Paul C. van Oorschot.
    NSPW (2005)
  • On instant messaging worms, analysis and countermeasures.
    Mohammad Mannan, Paul C. van Oorschot.
    WORM (2005)
  • How to Win an Evolutionary Arms Race.
    Anil Somayaji.
    IEEE Secur. Priv. (Vol.2. Num.6. pp:70-72. 2004)
  • S-RIP: A Secure Distance Vector Routing Protocol.
    Tao Wan, Evangelos Kranakis, Paul C. van Oorschot.
    ACNS (2004)
  • Towards Secure Design Choices for Implementing Graphical Passwords.
    Julie Thorpe, Paul C. van Oorschot.
    ACSAC (2004)
  • Addressing Online Dictionary Attacks with Login Histories and Humans-in-the-Loop (Extended Abstract).
    Stuart G. Stubblebine, Paul C. van Oorschot.
    Financial Cryptography (2004)
  • Securing the Destination-Sequenced Distance Vector Routing Protocol (S-DSDV).
    Tao Wan, Evangelos Kranakis, Paul C. van Oorschot.
    ICICS (2004)
  • Secure Public Instant Messaging.
    Mohammad Mannan, Paul C. van Oorschot.
    PST (2004)
  • Graphical Dictionaries and the Memorable Space of Graphical Passwords.
    Julie Thorpe, Paul C. van Oorschot.
    USENIX Security Symposium (2004)
  • Revisiting Software Protection.
    Paul C. van Oorschot.
    ISC (2003)
  • A White-Box DES Implementation for DRM Applications.
    Stanley Chow, Philip A. Eisen, Harold Johnson, Paul C. van Oorschot.
    Digital Rights Management Workshop (2002)
  • White-Box Cryptography and an AES Implementation.
    Stanley Chow, Philip A. Eisen, Harold Johnson, Paul C. van Oorschot.
    Selected Areas in Cryptography (2002)
  • Automated Response Using System-Call Delay.
    Anil Somayaji, Stephanie Forrest.
    USENIX Security Symposium (2000)
  • Cryptographic Information Recovery Using Key Recovery.
    Michael Smith, Paul C. van Oorschot, Michael Willett.
    Comput. Secur. (Vol.19. Num.1. pp:21-27. 2000)
  • Parallel Collision Search with Cryptanalytic Applications.
    Paul C. van Oorschot, Michael J. Wiener.
    J. Cryptol. (Vol.12. Num.1. pp:1-28. 1999)
  • On the Security of Iterated Message Authentication Codes.
    Bart Preneel, Paul C. van Oorschot.
    IEEE Trans. Inf. Theory (Vol.45. Num.1. pp:188-199. 1999)
  • Addressing the Problem of Undetected Signature Key Compromise.
    Mike Just, Paul C. van Oorschot.
    NDSS (1999)
  • Coding Theory And Cryptology.
    Alfred J. Menezes, Paul C. van Oorschot.
    Handbook of Discrete and Combinatorial Mathematics. (pp:1023-1068. 1999)
  • Intrusion Detection Using Sequences of System Calls.
    Steven A. Hofmeyr, Stephanie Forrest, Anil Somayaji.
    J. Comput. Secur. (Vol.6. Num.3. pp:151-180. 1998)
  • Computer Immunology.
    Stephanie Forrest, Steven A. Hofmeyr, Anil Somayaji.
    Commun. ACM (Vol.40. Num.10. pp:88-96. 1997)
  • Building Diverse Computer Systems.
    Stephanie Forrest, Anil Somayaji, David H. Ackley.
    Workshop on Hot Topics in Operating Systems (1997)
  • Principles of a computer immune system.
    Anil Somayaji, Steven A. Hofmeyr, Stephanie Forrest.
    NSPW (1997)
  • Special Issue: Selected Areas in Cryptography - Introduction.
    Evangelos Kranakis, Paul C. van Oorschot.
    Des. Codes Cryptogr. (Vol.12. Num.3. pp:213. 1997)
  • Security analysis of the message authenticator algorithm (MAA).
    Bart Preneel, Vincent Rijmen, Paul C. van Oorschot.
    Eur. Trans. Telecommun. (Vol.8. Num.5. pp:455-470. 1997)
  • A Sense of Self for Unix Processes.
    Stephanie Forrest, Steven A. Hofmeyr, Anil Somayaji, Thomas A. Longstaff.
    IEEE Symposium on Security and Privacy (1996)
  • Handbook of Applied Cryptography.
    Alfred Menezes, Paul C. van Oorschot, Scott A. Vanstone.
    CRC Press. (1996)
  • Improving Implementable Meet-in-the-Middle Attacks by Orders of Magnitude.
    Paul C. van Oorschot, Michael J. Wiener.
    CRYPTO (1996)
  • On the Security of Two MAC Algorithms.
    Bart Preneel, Paul C. van Oorschot.
    EUROCRYPT (1996)
  • On Diffie-Hellman Key Agreement with Short Exponents.
    Paul C. van Oorschot, Michael J. Wiener.
    EUROCRYPT (1996)
  • MDx-MAC and Building Fast MACs from Hash Functions.
    Bart Preneel, Paul C. van Oorschot.
    CRYPTO (1995)
  • Design Choices and Security Implications in Implementing Diffie-Hellman Key Agreement.
    Paul C. van Oorschot.
    IMACC (1995)
  • Modern key agreement techniques.
    Rainer A. Rueppel, Paul C. van Oorschot.
    Comput. Commun. (Vol.17. Num.7. pp:458-465. 1994)
  • On Key Distribution via True Broadcasting.
    Mike Just, Evangelos Kranakis, Danny Krizanc, Paul C. van Oorschot.
    CCS (1994)
  • Parallel Collision Search with Application to Hash Functions and Discrete Logarithms.
    Paul C. van Oorschot, Michael J. Wiener.
    CCS (1994)
  • On unifying some cryptographic protocol logics.
    Paul F. Syverson, Paul C. van Oorschot.
    IEEE Symposium on Security and Privacy (1994)
  • Extending Cryptographic Logics of Belief to Key Agreement Protocols.
    Paul C. van Oorschot.
    CCS (1993)
  • An Alternate Explanation of two BAN-logic "failures".
    Paul C. van Oorschot.
    EUROCRYPT (1993)
  • Authentication and Authenticated Key Exchanges.
    Whitfield Diffie, Paul C. van Oorschot, Michael J. Wiener.
    Des. Codes Cryptogr. (Vol.2. Num.2. pp:107-125. 1992)
  • Subgroup Refinement Algorithms for Root Finding in GF(q).
    Alfred Menezes, Paul C. van Oorschot, Scott A. Vanstone.
    SIAM J. Comput. (Vol.21. Num.2. pp:228-239. 1992)
  • Pair-Splitting Sets in
    Albrecht Beutelspacher, Dieter Jungnickel, Paul C. van Oorschot, Scott A. Vanstone.
    SIAM J. Discret. Math. (Vol.5. Num.4. pp:451-459. 1992)