Guofei Gu's Computer Security Conference Ranking and Statistics page gives a good outline of the conferences and workshops in the computer security field. Just a quick look gives one the idea of the breadth of the field of computer security. There's so much out there from authentication to cryptography to secure software development to malware and intrusion detection. There's no wonder we don't have a good handle on computer security as end-users - the academics are all over the place, too. Maybe that's just an indicator of how difficult of a problem computer security is.
So, there are parts of this community that I am not as interested in, from a research perspective. For instance, I'm no cryptographic researcher. Heck, those guys are like real math geeks. I think cryptography is cool, and I have a lot of interest in USING cryptography. I may have an academic interest in the usability of cryptography in organizations and in complex, interconnected systems - but as far as the cryptographic algorithms go - I'm leaving that to the math geeks. So, that knocks 2 of Gu's top 6 conferences for me.
The ACM Conference on Computer and Communications Security looks very interesting. This year (in just a couple of weeks) the conference will be in Alexandria, VA. Dr. Patrick McDaniel, from CSE is one of the technical program chairs. He also has two students presenting a paper this year, "Rootkit-Resistant Disks" presented by Kevin Butler and Stephen McLaughlin. So, just taking a look at who is presenting a this conference has already given me some insight into a community that I want to be involved in. I might even see if I can break away to attend this conference - since it is relatively nearby.
The Usenix Security Symposium also looks interesting. The technical sessions ranged last year from in-depth concepts like cold-boot attacks on encryption keys to more widely generalized topics. Check out this lead-in: "In a field with few design principles ("defense in depth"? separate duties?), few rules of thumb, no laws named after people more influential than Murphy, no Plancks or Avogadros to hold Constant, and little quantification of any sort (we count only bad things), it appears the best we can do right now is to tell stories." See Mark Seiden's talk for more. I know I'll be listening to the MP3 or watching the video later. OMG! This is great stuff. Someone actually acknowledges where we really are in terms of policy, process and the industry (in terms of application and implementation) as whole. Last year's symposium had a number of co-located events - like the Security Metrics 3.0 Conference and Workshop on Hot Topics in Security '08. Both of these conferences have wonderful topic sessions - like topics in authentication, security, use of encryption, password usage, and lots of other cool stuff. Oh, and guess who from Penn State presented there last year? You guessed it - Patrick McDaniel! Hmm... maybe the community (or at least a part of it) is closer than I thought.
Finally, the last conference community I'd like to be a part of, eventually, is the IEEE Computer Society Technical Committee on Security and Privacy. This is a more high-level conceptual group. Although last year's program included a number of "in the trenches" kinds of papers - the focus is on the future directions of these topics, not on the nuts and bolts. So, trust and privacy in Web 2.0 is a common theme from last year's conference. So, I'm sure I'll get to this conference eventually, but because it is focused on a higher level rather than more mechanical, I'm probably not going to be publishing here anytime soon.
So, that's the long and short of it. I'll have to use Gu's list to check out the conferences that are lower rated. There's probably lots of interesting stuff there, too!
Leave a comment