CERIAS Alumnus Wins ACM SIGSAC Doctoral Dissertation Award

CERIAS Faculty, Alumnus Named as Distinguished Members of ACM

CERIAS Prof. Aniket Kate (CS) and Students Research Highlighted at CCS 2017 Conference

CERIAS Faculty and Students Project Becomes Commercial Spinoff, Receives over $1M in Funding

CERIAS Hits High Mark in Externally Funded Security Research

Another good one gone too soon

Mikhail Atallah to Give Distinguished Lecture

CERIAS Researchers Won Distinguished Paper Award from 2017 USENIX Security Symposium

Purdue Earns Top Cybersecurity Study Ranking Among Universities

CERIAS Student Recruiting Reception

Tips to Avoid Being Scammed in Donating to Hurricane Harvey victims

Bertino Elected to ISSA Hall of Fame

CERIAS Joins Discovery Park

A Blast from the Past

CFP: Celebrating Anniversaries of CERIAS/COAST At Purdue University

Executive Women’s Forum Security Research Assistantship

CERIAS is partnering with the Executive Women’s Forum to offer a research assistantship (RA) to an outstanding student from a historically underrepresented minority. The research assistantship will begin with the Fall 2017 semester and will cover full tuition and fees remittance (including insurance and employment benefits), plus an RA salary to cover living expenses. The recipient will also receive funding to attend the Executive Women’s Forum annual conference (October 24-26, 2017) in Scottsdale, Arizona.

The goal of the EWF Assistantship program is to encourage an increase in the number of women and other underrepresented minorities studying information security, assurance, privacy, resiliency or risk management. The CERIAS/Executive Women’s Research Assistantship recipient, known as the “EWF Fellow,” will conduct research with a CERIAS-affiliated faculty member and will have the opportunity to be mentored by an EWF participant who is at a senior level in the information assurance field.

Award Provisions:

Assistantships will be awarded beginning with the fall 2017 term and will automatically continue into the following spring semester, assuming the student maintains good academic standing with Purdue University and demonstrates research progress.

Research Assistantship:

Awardees will be expected to provide 10 hours of research on their project each week during the semester. The University recognizes this commitment as a ¼-time grad research assistantship.

Recipients will be expected to:
a) Attend the 2017 EWF Conference in Arizona. (CERIAS to provide travel funding).
b) Present their research during the CERIAS Student Poster session at the CERIAS Research Symposium.
c) Write a paper summarizing the research, and submit the paper for publication selection in a scholarly journal or standards forum, or for presentation at a tier one conference. EWF support must be acknowledged on all posters, submitted papers and AV presentations.

Eligibility Criteria:

  • The EWF Research Assistantship program welcomes applications from all qualified individuals and strongly encourages minorities, women, and persons with disabilities to apply.
  • Students must be studying in a computing related area; there is no preferred department or college.
  • You must have a cumulative GPA of 3.0 or higher (on a 4.00 scale) and be in good academic standing with Purdue University at the time of application. New incoming graduate students will need to provide their undergraduate transcript(s).

Application Details and Process:

A review panel comprised of CERIAS and the Executive Women’s Forum will evaluate applications. Assessments will be based on the student’s academic record, research interests, and reference letters. Students will have time to review the final award conditions before acceptance of the award.

Applicants should submit the following items as a single file:

  • A research statement (abstract), not to exceed 1000 words, stating what they’d like to accomplish during the academic year. Applicants are strongly encouraged to articulate the practical value of their proposed research.
  • A current resume or C.V.
  • Copies of their academic transcripts from all post‐secondary education completed.
  • Two letters of recommendation from professors or professional supervisors able to evaluate the applicant’s scholarly aptitude.

Additional Notes:

  • Incomplete applications will not be considered. We cannot guarantee notification of incompleteness so please make sure all required information is submitted together.
  • Applications can be sent electronically to:

Completed applications should be dropped off or mailed to:

CERIAS Purdue University
656 Oval Dr., Recitation room 217
West Lafayette, IN 47906-2086
c/o CERIAS/EWF Security RA

Important Dates:

  • Application deadline will be 5:00 p.m., August 28, 2017.
  • As part of the application process, some candidates may be contacted for either on-campus or telephone interviews.
  • The final award announcement will be made in early September.

Prof. Spafford Receives Kristian Beckman Award

Invited Talk

Closing Keynote

Panel Discussion - “Securing Smart Communities”

TechTalk: “Memory Hard Functions and Password Hashings”

Cyber Security Fireside Chat

TechTalk: Towards Secure Large-Scale networked Systems: Scalable Distributed Algorithms…

CERIAS Tech Talk: “Control-Flow Hijacking: Are we Making Progress?”

Panel Discussion: “Securing Vehicles & Machinery”

Day 2 Keynote

Day 2 - Welcome

Panel Discussion: “Security Through Artificial Intelligence”

Women in CyberSecurity Report

INSuRE Program Overview

CERIAS TechTalk: “Making the Internet Fast Again…At The Cost of Security”

Panel Discussion: “Security Through Formal Methods and Secure Architecture”

Day 1 Keynote

Day 1 - Welcome

CERIAS Researcher wins NSF Early Career Development Award

CERIAS Annual Information Security Symposium - April 18 - 19, 2017


2017 Featured Speakers


Brig Gen. Greg Touhill, (USAF Ret.)

Former U.S. Chief Information Security Officer

David Meltzer

Chief Technology Officer at Tripwire

Dr. Ron Ross

Fellow at the National Institute for Standards and Technology (NIST)

Women in InfoSec Networking Event

Wafaa Mamilli

Vice President, Chief Information Security Officer, Eli Lilly and Company

Purdue CERIAS Researchers Find Vulnerability in Google Protocol

CSI: Walmart

CERIAS to Hold 18th Annual Information Security Symposium on April 18-19

Xukai Zou

Aniket Kate

Inseok Hwang

Stephen Elliott

Ricardo Calix

Bharat Bhargava

Daniel Aliaga

Ford Motor Company Video Tech Talk

CIA Hacking Tools Raise Huge Concerns

Eli Lilly and Company

Time passes, and we lose friends

Discovery Park Announces Big Idea Challenge Winners

Want to Chat Securely? Here’s What to Look for in an App

Discovery Park Seeks to Advance Research in Global Security, Health, and Sustainability

Bertino Selected for Purdue Innovator’s Hall of Fame

Poster Creation and Session Information 2017

Last updated 2017-03-27

Poster Session Date/Time/Location

Date: April 18, 2017

Time: 6:30pm

Location: PMU Ballroom

DEADLINE FOR SUBMISSION: April 3rd, 2017 at 5:00pm

CERIAS will print large, high-quality posters for the 2016 symposium poster session. These posters will be printed on a large-format ink jet printer and prepared for display. CERIAS will cover the cost of preparing the posters if you send the poster to us by the deadline. We strongly encourage you to take advantage of this offer. All posters submitted by the deadline will also be included in materials to be given to attendees and CERIAS staff will place your poster in the appropriate location prior to the session.

Electronic Presentations

If you are planning an electronic presentation, please bring all your equipment, including a screen if needed. Indicate that you need electricity when you register as a presenter.

Poster Overview

Please note the deadline for remitting your poster to us is April 3rd, 2017 @ 5:00 p.m. This deadline is firm. If you fail to meet this deadline, your poster will not be included on the symposium materials, and you will need to create your poster with your own resources and deliver the poster to the designated poster session location.

CERIAS will remove all posters from the room and store them following the session. Please contact us at any time if you wish to use the poster or keep it in your office or lab.

We ask that you follow these procedures and meet the deadlines:

Poster Submission Rules

  • We will only print posters that meet the following requirements:

    • Posters must be 30.5” x 40” (30 and one half inches wide, 40 inches tall)
    • Posters must use the template provided below.
    • Template graphical elements (including the header and footer) may not be modified or obscured in any way.
    • Posters must be provided either in PDF (preferred) or PowerPoint
    • Posters must be submitted by April 3rd, 2017 @ 5:00pm. Posters received after this deadline will not be accepted for printing but may still be presented at the Symposium Poster Session
  • A maximum of 2 posters can be created per presentation

  • Finalize your presentation information and register as a presenter BEFORE submitting your poster. Put the poster ID key # you are given in the subject of your submission email. Poster submissions that do not include a poster ID key # will be rejected.

Each submission must include:

  • The presentation title
  • A short abstract
  • A list of all authors/creators
  • A list of all presenters who will attend the poster session (all of whom must register as presenters)
  • A single person to be responsible for poster submission — multiple sources may result in confusion and lead to errors

Posters will be registered when you:

  • Submit your poster and all related information at the same time
  • Email your posters to Put your poster ID (provided when you register as a poster presenter) in the “Subject:” line of all email correspondence regarding this poster.
  • Campus mail a printed copy of your poster (scaled down to 8.5”x11”) to Mike Focosi/CERIAS/REC, so that we can make certain no formatting is lost in transfer.

If the deadline is not met:

  • Printing costs are the responsibility of the research project

Design Guidelines

  • Never use text smaller than 24pt
  • Use sans-serif fonts like Arial or Helvetica


Information for Poster Presenters 2017

Last updated: 2017-02-08

DEADLINE FOR SUBMISSION: April 3rd, 2017 at 5:00pm

CERIAS will print large, high-quality posters for the 2017 symposium poster session. These posters will be printed on a large-format ink jet printer and prepared for display. CERIAS will cover the cost of preparing the posters if you send the poster to us by the deadline. We strongly encourage you to take advantage of this offer. All posters submitted by the deadline will also be included in materials to be given to attendees and CERIAS staff will place your poster in the appropriate location prior to the session.

Step 1

Review the poster creation tips, guidelines, templates and session information.

Step 2

Register your poster so CERIAS can print, mount and display your research at the session.

Step 3

Register as an Attendee

Jennifer Neville

Dongyan Xu

David Gleich

Bowei Xi

Bill Cleveland

David Ebert

Bruno Ribeiro

Arif Ghafoor

Alok Chaturvedi

Sunil Prabhakar

Mohammad Sadoghi Hamedani

Karthik Kannan

Chris Clifton

CERIAS Big Data Video Summit

Bertino Part of Collaboration Between U.S., U.K. Governments, Industry and Academia

About CERIAS: Spaf Gets CERIAS

(Source:, 1999) Eugene Spafford sees security as serious business…nicknames, aphorisms and practical jokes notwithstanding. BY ANDY BRINEY

Imagine you’re about to meet Eugene Spafford for the first time. If you’ve worked in the field of information security for any time at all, you’ve probably heard something about the man: his role in the development of Usenet, or his work at Purdue University’s COAST Lab, or his contributions to programs like COPS and Tripwire. Maybe you’ve read Practical Unix & Internet Security or Web Commerce & Security, books he co-authored with Simson Garfinkel. Or, perhaps you heard about his recent appointment as director of CERIAS (pronounced “serious”), Purdue’s new Center for Education and Research in Information Assurance and Security, a first-of-its-kind initiative funded in part by a three-year, $4.9 million Lilly Endowment grant this past January.

You also know that most people refer to him as “Spaf”—probably even some of your co-workers, who, like you, have never actually met him. Ah, but there lies the rub: Spafford doesn’t know you, and you’re the one about to meet him. So you’re inclined to address him as “Professor Spafford” or “Dr. Spafford.” Or at least “Eugene.” Certainly not “Gene.” Definitely not “Spaf.”

The reason for your initial uncertainty—aside from a simple desire to be polite—probably has something to do with Spafford’s appearance. With his colorful bow ties and graying red beard, he definitely looks like a highbrow intellectual, and after a dozen years on the faculty of Purdue’s Computer Science Department—including the last six as project director of the Computer Operations, Audit and Security Technology (COAST) lab—he has no doubt earned the right to be called “Prof. Spafford,” by anyone inside or outside the academy.

But the bigger reason for your uncertainty probably has to do with Spafford’s reputation as a hard-nosed purist who refuses to compromise on his ideals—things like duty, professional ethics and social responsibility. In his campus office in West Lafayette, Ind., there’s a quote from Mark Twain hanging on the wall. “Always do right,” it says. “This will gratify some people and astonish the rest.” Spafford has a clear vision of what is right and wrong in the world of information technology and security, and he’s not shy about telling anyone about it.

Of course, that puts some people off, especially those who know him only through the tone-dead medium of electronic messaging. Thousands of people first “met” Spafford online during his 12-year stint as overseer of the Usenet “new users” postings, a volunteer job that brought him a great deal of satisfaction…and aggravation. From 1982 to 1994, he wrote FAQs for newbies, issued advice on ’Netiquette and even helped design new Usenet group categories and naming structures. But as Usenet exploded in the late ’80s and early ’90s, it quickly became unmanageable, despite his best intentions. Some users began pushing him to designate newsgroups “designed to offend or annoy others, or with a lack of concern about the possible effects it might have on the ’Net as a whole,” he says. At one point, after taking a stand against anonymous remailers, he started receiving death threats from miscreants calling him at 3 a.m. blathering on about censorship. He knew then it was time to quit.

Today, an ongoing battle with a repetitive stress injury (RSI)—a painful numbing of the wrist nerves brought on by years of keyboard jockeying—has sharply curtailed his ability to type at all. When he does, the messages are usually short and to the point. When you take this all together—complex ideas not easily communicated in short messages across a cold medium—Spafford can come off as a little demagogic. “There’s a lot of people who think I’m inflexible, or that I’m harsh and severe,” he admits. “The electronic medium is hard to use.”

Beyond Bytes

So, as you prepare to meet Spafford in person, there’s all this baggage hanging out there, including this silly issue of how to address him. As it turns out, all the pretense is quite silly, because one-on-one, Spafford is a friendly, effortless conversationalist who can draw you into any topic of discussion, leading you along like the consummate teacher. By all rights, “Prof. Spafford” is appropriate. But somehow it just doesn’t fit. Soon you, too, find yourself calling him “Spaf.” It feels awkward not to.

Spaf doesn’t seem to mind. “He’s a listener instead of a compulsive talker,” says Gene Schultz, an adjunct professor at Purdue. “He very seldom misunderstands what someone says. He’s very reflective—not just on things in the field, but on everything. He’s always looking at the other side of the analysis.”

Spaf can talk your ear off about system reliability or fault-tolerance, but he’s just as comfortable discussing philosophy, or business, or psychology, or medicine…or whatever. One glance at his bedside table bears this out: he’s reading Dorothy Denning’s new book, Information Warfare and Security, but also a collection of essays by Lewis Grizzard, a translation of Sun Tzu’s The Art of War and a treasury of sayings and stories by his mainstay, Mark Twain.

“What’s unusual about him is that he’s not just a byte head,” Schultz says. “Technically, he’s one of the best in the field, and there aren’t many topics in the field of information security he doesn’t know about. Too many people who’ve made their mark made it only in one area. This guy’s the complete player.”

Lance Hoffman, director of the Cyberspace Policy Institute at George Washington University, agrees. “If they had Oscars for computer security, Spaf would sweep most of the awards—things like ‘Number of Important Projects Worked On,’ ‘Impact on Policy-Related Matters,’ ‘Overall Impact on the Field,’ and so on,” he says. “I’d find it hard to beat him in any of those categories.”

The other thing is, for someone who’s supposed to be such a curmudgeon, the guy’s pretty funny—not funny weird, but funny ha-ha. Around campus, for instance, he has a well-earned reputation as an incurable practical joker. Mike Atallah, another Purdue colleague, tells about the time Spaf duped about a dozen colleagues on April Fool’s Day 1989. Seems Spaf sent them all a letter on “official-looking” FBI stationery. Signed by “Special Agent Baer,” the letter asked them to contact the FBI field office in nearby Indianapolis regarding “an urgent national security matter.” If Agent Baer wasn’t available, they were to ask for Agent Lyon instead. So, they all diligently called the phone number provided, only to be puzzled when they kept reaching the Indianapolis zoo. Then they noticed the agents’ full names: Theodore “Teddy” Baer and George C. Lyon.

Infosecurity Ambassador

That Spaf focused his career on information security in the first place is more a matter of circumstance than master planning. He has dabbled in security since his early days at Georgia Tech, but it wasn’t until the Morris worm hit the ’Net in 1988 that Spaf got serious. Up to that point, published scholarship in computer security tended to be highly theoretical, focusing on the bits and bytes of flaws and vulnerabilities. In the Morris worm, Spaf saw a perfect opportunity to educate the industry about the practical implications of security threats and vulnerabilities—their impact not just on technology, but on business process and social dynamics as well. “My experience has been that the most significant problems, the ones that are the hardest to deal with, are not the technology issues,” Spaf says, “but the issues of awareness, cost, education, ethics and use.”

The resulting treatise, “The Internet Worm Program: An Analysis,” was highly acclaimed both inside and outside the academy. The paper also set the tone for much of Spaf’s research in the ensuing 10 years, the bulk of which has been conducted under two programs: the Software Engineering Research Center (SERC), an NSF-sponsored, multi-university co-op devoted to the development of tools and methods for improving software quality; and COAST, the Purdue CS lab that focuses on security for legacy computing systems.

Spaf has directed more than 40 research projects at SERC and COAST since 1988, some more widely known than others. You may not have heard about projects such as OPUS, which explored better ways to control passwords; or IDIOT, a new approach to misuse detection. Then again, you’ve undoubtedly heard of COPS, the popular audit and vulnerability assessment tool; and Tripwire, a widely used integrity-monitoring tool for Unix (and now NT) operating systems.

When you take a step back and examine the body of this research, three themes emerge. The first is utility, an insistence on developing practical methods and tools that address real-life problems. Such a focus seems like a no-brainer in today’s application-driven industry, but in academia it hasn’t always been so. From 1990 to 1994, for instance, Spaf and several students worked on a project called Spyder, which studied new methods for improving software debugging and testing. At the project’s conclusion, they wrote up the results and even offered the software free to commercial developers. To their amazement, “nobody looked at it,” Spaf says. “It made no difference. For someone like me, that was very frustrating.”

Which brings us to the second theme: accessibility. One of the reasons Spaf has remained in academia—despite the fact that he could make three or four times the salary by crossing over to industry—is a desire to improve not only the industry’s approach to system design, but the general population’s awareness of security as well. “Some of the things I’ve been doing all along have been trying to make information more available,” he says. “I don’t want to make a product that someone’s going to use for 15 years and then it goes away. I want to do something over the longer term by actually changing the population.”

This meant changing, first and foremost, the way the industry itself perceived security. “For a very long time, infosec was a cloistered area. We didn’t talk about security problems, and we didn’t talk about security issues,” Spaf says. “The tools were highly restricted, and we didn’t share them with anyone. To me, from the standpoint of software quality, if you can’t get the information, you can’t fix things.”

Take COPS, for example, the audit tool developed by Dan Farmer under Spaf’s direction. Until COPS was released in 1990, system vulnerability assessment tools were virtually nonexistent for general public consumption. Several commercial firms were working on proprietary solutions, but none was willing to share the technology with anyone else. “Everybody believed that if you had a tool like that, people would use it to break into systems,” Spaf says. As the first publicly available audit program of its kind, COPS “helped change the public attitude about work that had an application component rather than a highly theoretical one.”

The third theme of Spaf’s work is the most obvious one: education. Both of his parents were teachers, and despite all his other commitments, Spaf says he still gets a thrill out of “seeing that light bulb go on” in his students’ minds. “It’s a sense that you have thrown a pebble into the pond and the ripples are going to go much further than you could possibly ever tell.”

The Purdue alumni who have studied under Spaf make up a veritable Who’s Who of infosecurity’s next generation. In addition to COPS’s Dan Farmer, who went on to develop the SATAN system scanning tool, there’s Gene Kim, lead student researcher on the Tripwire system and now vice president of Tripwire Security Systems, which sells commercial UNIX and NT versions of Tripwire; Ivan Krsul, a repeat winner of Purdue’s Maurice Halstead Software Engineering Award, now a professor and entrepreneur in his native Bolivia; Steve Chapin, a Purdue Ph.D. recipient, soon to join the faculty at Syracuse University; and dozens of others, the industry’s best and brightest, now working for the likes of Telcordia Technologies, HP, Nortel, Fed Ex, IBM, Cisco, Sun, Intel, Motorola, Microsoft and several U.S. government agencies.

Spaf Gets CERIAS

All of which brings us full circle to Spaf’s latest coup: CERIAS. In grand and storybook fashion, CERIAS encapsulates all that Spaf has worked for professionally and personally. Drawing on resources and faculty from eight university departments, the Center will explore not only the technical issues in computer and network security, but also public policy as it relates to security, the economics of information assurance, computer crime investigation and response, infowarfare issues, and the social, legal and ethical aspects of information. The Center, which absorbed the work of the COAST lab on Jan. 1, 1999, initially plans to award an interdisciplinary master’s degree in information security, and eventually a corresponding Ph.D.

Never one to rest on his laurels, Spaf sees CERIAS not as the culmination of his efforts, but as a springboard to even bigger and better things. By fortifying infosec’s connections to larger social, economic and cultural issues, he hopes to engender no less than a society-wide awakening to the role of security in the Cyber Age. “I hope to get enough of the end-user population aware of security issues that they start becoming informative, active consumers,” Spaf says. “We have a lot of technology that we can use to make things safer. But nobody demands it in their products. That needs to change, and that’s what I’d like to accomplish in the long run.”

Andy Briney is editor of Information Security.

Bertino Elected as a Fellow of the American Association for the Advancement of Science

Spafford Recognized With One of Indiana’s Highest Honors

Another Surprise for Spaf

IN-ISAC Recognized for Leadership and Innovation

Spaf to Receive International Award

It Was A Good Monday

Could Determined Hackers Change the Outcome of the Election?

Sandia’s Dr. Peter Choi to Present Research on Digitally Unclonable Function

Top Colleges For Cybersecurity

Protecting Personal Data: Real-World Tips from Security Gurus


Analog Devices, Inc.

RetroScope opens doors to the past in smart phone investigations

Game of Thrones Can Teach You Valuable Security Lessons

Podcast: The Intersection Between Cybersecurity and Victims of Violence

Visiting Scholar Talk: Battling the Digital Forensic Backlog and Evidence Plan

Dr. Mark Scanlon

Lecturer in Forensic Computing and Cybercrime Investigation; Digital Forensics Researcher
University College Dublin

Time: 1:30 pm Tuesday, July 19, 2016
Location: LWSN 3102 A/B

Given the ever-increasing prevalence of technology in modern life, there is a corresponding increase in the likelihood of digital devices being pertinent to a criminal investigation or civil litigation. As a direct consequence, the number of investigations requiring digital forensic expertise is resulting in huge digital evidence backlogs being encountered by law enforcement agencies throughout the world. It can be anticipated that the volume of cases requiring digital forensic analysis will continue to increase into the future. It is also likely that each case will require the analysis of an increasing number of devices including computers, smartphones, tablets, cloud-based services, Internet of Things devices, wearables, etc. The first part of this talk explores some of the current challenges contributing to the backlog in digital forensics from a technical standpoint and outlines a number of potential future research topics that could greatly contribute to a more efficient digital forensic investigative process. The second part of this talk focuses on the manipulation and planting of digital evidence artefacts to create viable challenges for use in digital forensic education.
Dr. Mark Scanlon is a Lecturer/Assistant Professor in the School of Computer Science, University College Dublin, Ireland. Dr. Scanlon is visiting Purdue University as a Fulbright Scholar in Cybersecurity and Cybercrime Investigation. Both his MSc and PhD are in the field of Remote Digital Forensic Evidence Acquisition. His research interests include Remote Evidence Acquisition, Evidence Whitelisting & Data Deduplication, Cloud Forensics, File Synchronization Service Forensics, Network Forensics and Digital Forensics Education. Dr. Scanlon is an active member of the digital forensics research community and is a keen editor, reviewer and conference organizer across a range of key journals and conferences in the field including the Journal of Digital Investigation, the Journal of Digital Forensics, Security and Law, the Digital Forensics Research Workshop Conferences (DFRWS), the International Conference on Digital Forensics and Cybercrime (ICDF2C) among numerous others.

Tomorrow, July 20 at 1:30 pm in REC 218B, Dr. Scanlon will share his Fulbright application and interview experience with whoever may be interested in applying for a Fulbright in the future.

Passing of a Cyber Security Pioneer

Debating Hillary’s Email Server: The Missing Element

Changes for CERIAS…and Spaf

2016 Symposium Photos

Nominations solicited for the CSHOF

What 17 Years as an Infosec Trainer Have Taught me

Future of Online Voting

Exploring and Protecting Your Digital Footprint

2016 Annual Symposium Awards

CERIAS TechTalk: Operational Dependencies and Cybersecurity in Complex Systems

Panel #3: Securing the Internet of ...

Panel #2: The State of Software Security