Selected Publications by Spaf

Introduction and Overview

A full listing of my publications and activities may be found in my academic vita.

Research Interests

My research interests are focused in reliable computing and on the consequences of computer failure and misuse. The increasing use of computer technology in the world around us presents difficult and sometimes dangerous situations when computers and their programs fail to operate as intended. These failures can range from the unnoticeable to the catastrophic, including large losses of money and even life.

Computer-related failures may result from accident—as when a power failure or fire causes a system to cease functioning—or from faults present in software that was poorly designed and inadequately tested. Failures may also occur when systems are developed by individuals with insufficient understanding of the situation and potential dangers. Additionally, failures can occur because of malicious activity by individuals, or through the application of vandalware such as worms and viruses.

My interests may be summarized as:

Selected Presentations

Archived video of a number of my talks, conference addresses, and interviews is available on YouTube.

A Note on These Publications

The following is a selection of items I have authored during my years at Purdue. It is not a complete list, but is intended to represent items cited more frequently than others, or that otherwise have particular significance.

A note about author name order: A policy I maintained in my research groups from 1990 to about 2010 was to list authors in alphabetical order rather than trying to determine relative contributions. This eliminated debate and the difficulties that arise in other research groups. However, this sometimes resulted in students with last names that started far into the alphabet (e.g., Zamboni) not appearing as first authors, even when they did most of the work. It also means my name was seldom listed first, even in cases where I did most of the development. All authors listed made significant, material contributions to the papers where they appear, and the order of names is not necessarily significant.

A note about conference papers: I have been a keynote or featured speaker at many conferences. Those invitations usually include an opportunity to submit a paper. Unfortunately, I have been suffering from a combination of RSI and arthritis in my fingers since 1996; preparing papers is painful and slow. You will not find submitted papers for many recent conferences where I have spoken.

Back to top

Books

Books Authored

  1. Gene Spafford, Leigh Metcalf, and Josiah Dykstra; Cybersecurity Myths and Misconceptions; Addison-Wesley; 380 pages; Feb 2023.
    — Named to Cybersecurity Canon Hall of Fame, 2024. A Japanese translation is available in Japan. Audiobook version available.
  2. Simson L. Garfinkel with Gene Spafford; Web Security & Commerce; O'Reilly & Associates; 483 pages; 1997.
    — 2nd edition, renamed Web Security, Privacy & Commerce; O'Reilly & Associates; 756 pages; Jan 2002. Translations exist in Chinese (Taiwan), Czech, German, Japanese, Polish, Korean, Russian, Spanish, and Ukrainian.
  3. Simson L. Garfinkel and Gene Spafford; Practical UNIX Security; O'Reilly & Associates; 512 pages; May 1991.
    — 2nd edition, renamed Practical UNIX and Internet Security; O'Reilly & Associates; 1000 pages; May 1996.
    — 3rd edition, with S. Garfinkel and A. Schwartz; O'Reilly & Associates; 954 pages; Feb 2003. Translations exist in Chinese (Taiwan), Czech, German, Japanese, Polish, Korean, Russian, and Spanish.
  4. Eugene H. Spafford, Kathleen A. Heaphy, and D. J. Ferbrache; Computer Viruses: Dealing with Electronic Vandalism and Programmed Threats; ADAPSO (which became ITAA, and then CompTIA); Arlington, VA; 123 pages; 1989. Out of print.

Books Edited

  1. Editorial advisor (associate editor) for the section on operating systems and networks; A. B. Tucker, editor-in-chief; CRC Handbook of Computer Science and Engineering; CRC Press; Boca Raton, FL; 2611 pages; 1996.
  2. K. A. Seger, W. R. VonStorch, and D. J. Icove; Computer Crime: A Crimefighter's Handbook; Contributing editor; O'Reilly & Associates; 455 pages; 1995. (Used as the first FBI computer crime manual at Quantico.)
Back to top

Major Reports and Book Chapters

Major Reports

  1. As a member of the Panel on Review of the Information Technology Laboratory at NIST; An Assessment of Selected Divisions of the National Institute of Standards and Technology Information Technology Laboratory: Fiscal Year 2024; National Academies Press; 2025.
  2. As a member of the Panel on Review of the Information Technology Laboratory at NIST; An Assessment of Four Divisions of the Information Technology Laboratory at the National Institute of Standards and Technology—Fiscal Year 2018; National Academies Press; 2018.
  3. Karthik Kannan, Jackie Rees, Eugene H. Spafford; Unsecured Economies: Protecting Vital Information; ed. Red Consultancy; McAfee, Inc.; Jan 2009.
  4. As a member of the USAF Scientific Advisory Board; Implications of Cyber Warfare, Vols. 1–3; SAB-TR-07-02; ed. T. Saunders and A. Levis; U.S. Air Force; Aug 2007. (Note: Volumes 1 & 2 Distribution FOUO; Volume 3 Classified Secret.)
  5. As a member of the PITAC; Report to the President on Computational Science: Ensuring America's Competitiveness; US Government Printing Office; Jun 2005.
  6. As a member of the PITAC; Report to the President on Cyber Security: A Crisis of Prioritization; US Government Printing Office; Feb 2005.
  7. As a member of the PITAC; Report to the President on Revolutionizing Health Care Through Information Technology; US Government Printing Office; May 2004.
  8. A. B. Tucker, B. H. Barnes, R. M. Aiken, K. Barker, K. M. Bruce, J. T. Cain, S. E. Conry, G. L. Engel, R. G. Epstein, D. K. Lidtke, M. C. Mulder, J. B. Rogers, E. H. Spafford, and A. J. Turner; Computing Curricula 1991; IEEE Press and ACM; 160 pages; Feb 1991.

Book Chapters

  1. Mohammed Almeshekah and Eugene H. Spafford; Cyber Security Deception; in Cyber Deception: Building the Scientific Foundation; edited by Sushil Jajodia, V.S. Subrahmanian, Vipin Swarup, and Cliff Wang; chapter 2, pp. 23–50; Springer International; 2016.
  2. Fariborz Farahmand and Eugene H. Spafford; Understanding Risk and Risk-Taking Behavior in Virtual Worlds; in Security in Virtual Worlds, 3D Webs, and Immersive Environments: Models for Development, Interaction, and Management; edited by Alan Rea; chapter 4, pp. 59–71; Information Science Reference, IGI Publishing; Hershey, PA; 2011.
  3. Shimon Modi and Eugene H. Spafford; Future Biometric Systems and Privacy; in Privacy in America: Interdisciplinary Perspectives; edited by William Aspray and Philip Doty; chapter 6, pp. 167–193; Bloomsbury Academic; 2011.
  4. Lorraine Kisselburgh, Eugene H. Spafford, and Mihaela Vorvoreanu; Web 2.0: A Complex Balancing Act; McAfee Corporation; 2010.
  5. Eugene H. Spafford; Cyber Security: Assessing Our Vulnerabilities and Developing an Effective Defense; chapter 3 in Protecting Persons While Protecting the People; revised papers of the Second Annual Workshop on Information Privacy and National Security, ISIPS 2008; ed. Cecilia S. Gal, Paul B. Kantor, Michael E. Lesk; pp. 20–33, v. 5661; Springer Lecture Notes in Computer Science; 2009.
  6. Bingrui Foo, Matthew W. Glause, Gaspar M. Howard, Yu-Sung Wu, Saurabh Bagchi, and Eugene H. Spafford; Intrusion Response Systems: A Survey; chapter 13 in Information Assurance: Dependability and Security in Networked Systems; pp. 377–416; Morgan Kaufmann Publishers; Jan 2009.
  7. Eugene H. Spafford and Annie I. Antón; The Balance Between Security and Privacy; in Controversies in Science and Technology, Volume II; ed. D. L. Kleinman, K. A. Cloud-Hansen, C. Matta, and J. Handelsman; chapter 8, pp. 152–168; Mary Ann Liebert, Inc.; New York, NY; 2008.
  8. James B. D. Joshi, Walid G. Aref, Arif Ghafoor, and Eugene H. Spafford; Security and Privacy Challenges of a Digital Government; in Advances in Digital Government: Technology, Human Factors, and Policy; Eds. W. J. McIver, Jr., A. K. Elmagarmid; pp. 121–136; Kluwer Academic Publishers; 2002.
  9. Eugene H. Spafford; One View of Protecting the National Information Infrastructure; in Science and Technology in a Vulnerable World; pp. 41–50; AAAS; 2002.
  10. M. J. Atallah, K. N. Pantazopoulos, J. R. Rice, and Eugene H. Spafford; Secure Outsourcing of Scientific Computations; in Advances in Computers; chapter 6, pp. 215–272; doi: 10.1016/S0065-2458(01)80019-X; Academic Press; Aug 2001.
  11. E. Eugene Schultz and Eugene H. Spafford; Intrusion Detection: How to Utilize a Still Immature Technology; in Information Security Management (4th edition); edited by H. Tipton and M. Krause; Auerbach/CRC; 2000.
  12. Gene Kim and Eugene H. Spafford; Tripwire: A Case Study in Integrity Monitoring; in Internet Besieged: Countering Cyberspace Scofflaws; edited by Dorothy and Peter Denning; Addison-Wesley; 1997.
  13. Eugene H. Spafford; Virus; entry in the Encyclopedia of Software Engineering; edited by John Marciniak; John Wiley & Sons; 1994.
    — Reprinted in Internet Besieged: Countering Cyberspace Scofflaws; Dorothy and Peter Denning, editors; Addison-Wesley; 1997.
Back to top

Journal Articles

  1. Richard A. DeMillo and Eugene H. Spafford; Grand Challenges in Trustworthy Computing at 20: A Retrospective Look at the Second CRA Grand Challenges Conference; in Communications of the ACM; pp. 54–61, v. 68(8); doi: 10.1145/3720534; ACM; Aug 2025.
  2. Josiah Dykstra and Eugene H. Spafford; The Case for Disappearing Cyber Security; in Communications of the ACM; pp. 40–42, v. 61(7); doi: 10.1145/3213764; ACM; Jul 2018.
  3. Christopher N. Gutierrez, Eugene H. Spafford, Saurabh Bagchi, and Thomas Yurek; Reactive Redundancy for Data Destruction Protection (R2D2); in Computers & Security; pp. 184–201, v. 72; doi: 10.1016/j.cose.2017.12.012; Elsevier; May 2018.
  4. Christopher N. Gutierrez, Mohammed H. Almeshekah, Eugene H. Spafford, Mikhail J. Atallah, and Jeff Avery; Inhibiting and Detecting Offline Password Cracking Using ErsatzPasswords; in ACM Transactions on Privacy and Security; pp. 1–30, v. 19(3); doi: 10.1145/2996457; ACM; Dec 2016.
  5. Fariborz Farahmand, Aman Yadav, and Eugene H. Spafford; Risks and Uncertainties in Virtual Worlds: An Educators' Perspective; in Journal of Computing in Higher Education; pp. 49–67, v. 25(2); doi: 10.1007/s12528-013-9067-5; Springer; Aug 2013.
  6. Fariborz Farahmand and Eugene H. Spafford; Understanding Insiders: An Analysis of Risk-Taking Behavior; in Information Systems Frontiers; pp. 5–15, v. 15(1); doi: 10.1007/s10796-010-9265-x; Springer; Mar 2013.
  7. Kyungroul Lee, Kangbin Yim, and Eugene H. Spafford; Reverse-safe Authentication Protocol for Secure USB Memories; in Security and Communication Networks; pp. 834–845, v. 5(8); doi: 10.1002/sec.580; John Wiley & Sons; Aug 2012.
  8. Fariborz Farahmand, Mikhail Atallah, and Eugene H. Spafford; Incentive Alignment and Risk Perception: An Information Security Application; in IEEE Transactions on Engineering Management; pp. 238–246, v. 60(2); IEEE; May 2012.
  9. Benjamin A. Kuperman and Eugene H. Spafford; Audlib: A Configurable, High-Fidelity Application Audit Mechanism; in Software Practice & Experience; pp. 989–1005, v. 40(11); doi: 10.1002/spe.983; John Wiley & Sons; Oct 2010.
  10. Travis D. Breaux, Annie I. Antón, and Eugene H. Spafford; A Distributed Requirements Management Framework for Legal Compliance and Accountability; in Computers & Security; pp. 8–17, v. 28(1); Elsevier; Jan 2009.
  11. Xuxian Jiang, Florian Buchholz, Aaron Walters, Dongyan Xu, Yi-Min Wang, and Eugene H. Spafford; Tracing Worm Break-in and Contaminations via Process Coloring: A Provenance-Preserving Approach; in IEEE Transactions on Parallel and Distributed Systems; pp. 890–902, v. 19(7); IEEE; Jul 2008.
  12. Florian Buchholz and Eugene H. Spafford; Run-time Label Propagation for Forensic Audit Data; in Computers & Security; pp. 496–513, v. 26(7–8); Elsevier; Dec 2007.
  13. Eugene H. Spafford; Voter Assurance; invited paper; in The Bridge; pp. 28–34, v. 37(2); National Academy of Engineering; Summer 2007.
  14. Paul Williams and Eugene H. Spafford; CuPIDS: An Exploration of Highly Focused, Coprocessor-based Information System Protection; in Computer Networks; pp. 1284–1298, v. 51(5); Elsevier; Apr 2007.
  15. Yu-Sung Wu, Bingrui Foo, Yu-Chun Mao, Saurabh Bagchi, and Eugene H. Spafford; Automated Adaptive Intrusion Containment in Systems of Interacting Services; in Computer Networks; pp. 1334–1360, v. 51(5); Elsevier; Apr 2007.
  16. Florian Buchholz and Eugene H. Spafford; On the Role of File System Metadata in Digital Forensics; in Digital Investigation; pp. 298–309, v. 1(4); doi: 10.1016/j.diin.2004.10.002; Elsevier; Dec 2004.
  17. Brian Carrier and Eugene H. Spafford; Defining Digital Event Reconstruction of Digital Crime Scenes; in Journal of Forensic Sciences; v. 49(6); Nov 2004.
  18. Brian Carrier and Eugene H. Spafford; Getting Physical with the Digital Investigation Process; in International Journal of Digital Evidence; v. 2(2); Fall 2003.
  19. Jackie Rees, Shubho Bandyopadhyay, and Eugene H. Spafford; PFIRES: A Policy Framework for Information Security; in Communications of the ACM; pp. 101–106, v. 46(7); doi: 10.1145/792704.792706; ACM; Jul 2003.
  20. Florian Kerschbaum, Eugene H. Spafford, and Diego Zamboni; Embedded Sensors and Detectors for Intrusion Detection; in Journal of Computer Security; pp. 23–70, v. 10(1/2); 2002.
  21. James B. D. Joshi, Walid G. Aref, Arif Ghafoor, and Eugene H. Spafford; Security Models for Web-Based Applications; in Communications of the ACM; pp. 38–44, v. 44(2); doi: 10.1145/359205.359224; ACM; Feb 2001.
  22. James Joshi, Arif Ghafoor, Walid G. Aref, and Eugene H. Spafford; Digital Government Security Infrastructure Design Challenges; in IEEE Computer; pp. 66–72, v. 34(2); IEEE; Feb 2001.
  23. Eugene H. Spafford and Diego Zamboni; Intrusion Detection Using Autonomous Agents; in Computer Networks; pp. 547–570, v. 34(4); doi: 10.1016/S1389-1286(00)00136-5; Elsevier; 2000.
  24. Thomas E. Daniels and Eugene H. Spafford; Identification of Host Audit Data to Detect Attacks on Low-level IP Vulnerabilities; in Journal of Computer Security; pp. 3–35, v. 7(1); 1999.
  25. Steve J. Chapin and Eugene H. Spafford; Dissemination of State Information in Distributed, Autonomous Systems; in Computer Communications; pp. 969–979, v. 21(11); Oct 1998.
  26. Christoph Schuba, Berry Kercheval, and Eugene H. Spafford; Prototyping Experiences with Classical IP and ARP over Signaled ATM Connections; in Journal of Systems and Software; pp. 31–43, v. 44; Apr 1998.
  27. Ivan Krsul and Eugene H. Spafford; Authorship Analysis: Identifying the Author of a Program; in Computers & Security; pp. 248–259, v. 16(3); 1997.
  28. Simson Garfinkel and Eugene H. Spafford; Cryptography and the Web; in World Wide Web Journal; pp. 113–126, v. 2(3); Summer 1997.
  29. Simson Garfinkel and Eugene H. Spafford; Secure CGI/API Programming; in World Wide Web Journal; pp. 187–200, v. 2(3); Summer 1997.
  30. Steve J. Chapin and Eugene H. Spafford; Support for Implementing Scheduling Algorithms Using MESSIAHS; in Scientific Programming; pp. 325–340, v. 3; 1994.
  31. Eugene H. Spafford; Computer Viruses as Artificial Life; in Journal of Artificial Life; pp. 249–265, v. 1(3); doi: 10.1162/artl.1994.1.3.249; 1994.
    — Reprinted (pp. 249–266) in Artificial Life: An Overview; ed. Chris Langton; 1995.
  32. Eugene H. Spafford and Stephen A. Weeber; Software Forensics: Tracking Code to its Authors; in Computers & Security; pp. 585–595, v. 12(6); Dec 1993.
  33. Hiralal Agrawal, Richard A. DeMillo, and Eugene H. Spafford; Debugging with Dynamic Slicing and Backtracking; in Software Practice & Experience; pp. 589–616, v. 23(6); Wiley; Jun 1993.
  34. Eugene H. Spafford; OPUS: Preventing Weak Password Choices; in Computers & Security; pp. 273–278, v. 11(3); May 1992.
  35. Eugene H. Spafford; Are Computer Break-Ins Ethical?; in Journal of Systems and Software; pp. 41–48, v. 17(1); doi: 10.1016/0164-1212(92)90079-Y; Elsevier; Jan 1992.
    — Reprinted in Computers, Ethics, & Social Values; D. G. Johnson and H. Nissenbaum, editors; pp. 125–134; Prentice-Hall; 1995.
    — Reprinted in The Moral Foundations of Intellectual Property; Adam D. Moore, editor; pp. 292–304; Rowman and Littlefield; 1997.
    — Reprinted in Computers, Ethics and Society; M. David Ermann, Mary B. Williams, and Michele S. Shauf, eds.; pp. 77–88; Oxford University Press; 1997.
    — Reprinted in the Encyclopedia of Applied Ethics; Ruth Chadwick, editor; pp. 571–577; Academic Press; 1997.
    — Reprinted in Internet Besieged: Countering Cyberspace Scofflaws; Dorothy and Peter Denning, editors; pp. 73–95; Addison-Wesley; 1997.
  36. A. B. Tucker, B. H. Barnes, R. M. Aiken, K. Barker, K. M. Bruce, J. T. Cain, S. E. Conry, G. L. Engel, R. G. Epstein, D. K. Lidtke, M. C. Mulder, J. B. Rogers, E. H. Spafford, and A. J. Turner; Computing Curricula 1991; in Communications of the ACM; pp. 69–84, v. 34(6); doi: 10.1145/103701.103710; ACM; Jun 1991.
  37. Hiralal Agrawal, Richard A. DeMillo, and Eugene H. Spafford; An Execution Backtracking Approach to Program Debugging; in IEEE Software; pp. 21–26, v. 8(3); doi: 10.1109/52.88940; IEEE; May 1991.
  38. Eugene H. Spafford; Extending Mutation Testing to Find Environmental Bugs; in Software Practice & Experience; pp. 181–189, v. 20(2); doi: 10.1002/spe.4380200205; Wiley; Feb 1990.
  39. Eugene H. Spafford; The Internet Worm: Crisis and Aftermath; in Communications of the ACM; pp. 678–687, v. 32(6); doi: 10.1145/63526.63527; ACM; Jun 1989.
Back to top

Conference and Workshop Papers

  1. Ida Ngambeki, Eugene Spafford, Subia Ansari, Isslam Alhasan, Marlo Basil-Camino, and Douglas Rapp; Mapping the Landscape of Industrial Control Systems Cybersecurity: A Delphi Study; in Proceedings of the 2021 IEEE Frontiers in Education Conference (FIE); Lincoln, NE; Oct 2021.
  2. Christopher N. Gutierrez, Mohammed Almeshekah, Saurabh Bagchi, and Eugene H. Spafford; A Hypergame Analysis for Ersatz Passwords; in Proceedings of the 33rd IFIP International Conference on ICT Systems Security and Privacy Protection (SEC 2018); pp. 47–61; Springer; Poznan, Poland; 2018.
  3. Jeffrey Avery and Eugene H. Spafford; Ghost Patches: Fake Patches for Fake Vulnerabilities; in Proceedings of the 32nd IFIP International Conference on ICT Systems Security and Privacy Protection (SEC 2017); pp. 399–412; Springer; Rome, Italy; 2017.
  4. Jeffrey Avery, Eugene H. Spafford, and Mohammed Almeshekah; Offensive Deception in Computing; in Proceedings of the 12th International Conference on Cyber Warfare and Security; pp. 23–31; Dayton, OH; 2017.
  5. Mohammed Almeshekah, Christopher N. Gutierrez, Mikhail Atallah, and Eugene H. Spafford; ErsatzPasswords: Ending Password Cracking and Detecting Password Leakage; in Proceedings of the Annual Computer Security Applications Conference (ACSAC 2015); pp. 311–320; doi: 10.1145/2818000.2818015; ACM; Los Angeles; Dec 2015. (Best paper award.)
  6. Mohammed Almeshekah, Mikhail Atallah, and Eugene H. Spafford; Enhancing Password Security Using Deceptive Covert Communication; in Proceedings of IFIP SEC 2015; Hamburg, Germany; May 2015.
  7. Gene Spafford; We Are Out of Balance; in Proceedings of the SIGSEC Workshop on Information Security Curriculum Development; pp. 9–12; doi: 10.1145/2695577.2695579; ACM; Dec 2014.
  8. Mohammed Almeshekah and Eugene H. Spafford; Planning and Integrating Deception into Computer Security Defenses; in Proceedings of the New Security Paradigms Workshop (NSPW 2014); pp. 127–138; doi: 10.1145/2683467.2683482; ACM; Victoria, BC; Sep 2014.
  9. Mohammed Almeshekah and Eugene H. Spafford; The Case of Using Negative (Deceiving) Information in Data Protection; in Proceedings of the 9th International Conference on Cyber Warfare and Security; pp. 235–244; West Lafayette, IN; 2014.
  10. Mohammed Almeshekah, Mikhail J. Atallah, and Eugene H. Spafford; Covert Channels Can Be Useful!—Layering Authentication Channels to Provide Covert Communication; in Proceedings of the 21st International Workshop on Security Protocols; Springer-Verlag; Cambridge, England; 2013.
  11. Brent Roth and Eugene H. Spafford; Implicit Buffer Overflow Protection Using Memory Segregation; in Proceedings of the ARES 2011 Conference; Vienna, Austria; Aug 2011.
  12. Fariborz Farahmand and Eugene H. Spafford; Insider Behavior: An Analysis of Decision under Risk; in Proceedings of the First International Workshop on Managing Insider Security Threats (MIST); IFIP International Conference on Trust Management; Purdue University; Jun 2009.
  13. Fariborz Fahramand, Eugene H. Spafford, and Melissa J. Dark; Perceptions of Information Security Risks and Implications for Public Policy; in Proceedings of the 4th Annual Symposium on Financial Information Systems and Cybersecurity; College Park, MD; May 2007.
  14. Yu-Sung Wu, Bingrui Foo, Gaspar Modelo-Howard, Saurabh Bagchi, and Eugene H. Spafford; The Search for Efficiency in Automated Intrusion Response for Distributed Applications; in Proceedings of the 27th IEEE Symposium on Reliable and Distributed Systems (SRDS 2008); Napoli, Italy; Oct 2008.
  15. Eugene H. Spafford; Some Challenges in Digital Forensics; in Research Advances in Digital Forensics—II: Proceedings of the IFIP Conference on Digital Forensics; Springer; Aug 2006.
  16. X. Jiang, A. Walters, F. Buchholz, D. Xu, Y. Wang, and E. H. Spafford; Provenance-Aware Tracing of Worm Break-ins and Contaminations: A Process Coloring Approach; in Proceedings of the IEEE International Conference on Distributed Computing Systems (ICDCS 2006); Lisbon, Portugal; Jul 2006.
  17. X. Jiang, D. Xu, H. J. Wang, and E. H. Spafford; Virtual Playgrounds for Worm Behavior Investigation; in Proceedings of the RAID 2005 Symposium; Seattle, WA; Sep 2005.
  18. Rajeev Gopalakrishna, Eugene H. Spafford, and Jan Vitek; Efficient Intrusion Detection Using Automaton Inlining; in Proceedings of the IEEE Symposium on Security & Privacy; pp. 18–31; Oakland, CA; May 2005.
  19. Saurabh Bagchi, Bingrui Foo, Yu-Sung Wu, Yu-Chun Mao, and Eugene H. Spafford; ADEPTS: Adaptive Intrusion Response Using Attack Graphs in an E-Commerce Environment; in Proceedings of the DSN-DCC Symposium 2005; Yokohama, Japan; Jun 2005.
  20. Paul D. Williams and Eugene H. Spafford; CuPIDS Enhances StUPIDS: Exploring a Coprocessing Paradigm Shift in Information System Security; in Proceedings of the IEEE Workshop on Information Assurance and Security; West Point, NY; Jun 2005.
  21. Brian Carrier and Eugene H. Spafford; Automated Digital Evidence Target Definition Using Outlier Analysis and Existing Evidence; in Proceedings of the Digital Forensics Research Workshop (DFRWS); Aug 2005.
  22. Gene Spafford; What *Is* Information Security?; in Proceedings of SIGCSE 2004; pp. 342–342; doi: 10.1145/971300.971304; ACM; Mar 2004.
  23. Brian Carrier and Eugene H. Spafford; An Event-Based Digital Forensic Investigation Framework; in Proceedings of the Digital Forensics Research Workshop (DFRWS); 2004.
  24. Eugene H. Spafford; A Failure to Learn from the Past; invited classic paper; in Proceedings of the 19th Annual Computer Security Applications Conference (ACSAC); Dec 2003.
  25. Eric Bryant, James Early, Rajeev Gopalakrishna, Gregory Roth, Eugene H. Spafford, Keith Watson, Paul Williams, and Scott Yost; Poly2 Paradigm: A Secure Network Service Architecture; in Proceedings of the 19th Annual Computer Security Applications Conference (ACSAC); Dec 2003.
  26. Thomas E. Daniels and Eugene H. Spafford; A Network Audit System for Host-Based Intrusion Detection (NASHID) in Linux; in Proceedings of the 16th Annual Computer Security Applications Conference; Dec 2000.
  27. Thomas E. Daniels, Benjamin A. Kuperman, and Eugene H. Spafford; Penetration Analysis of XEROX Docucenter DC 230ST: Assessing the Security of a Multi-Purpose Office Machine; in Proceedings of the National Information Systems Security Conference; Sep 2000.
  28. Thomas E. Daniels and Eugene H. Spafford; Network Traffic Tracking Systems: Folly in the Large?; in Proceedings of the New Security Paradigms Workshop (NSPW 2000); pp. 119–124; doi: 10.1145/366173.366200; ACM; Sep 2000.
  29. Thomas E. Daniels and Eugene H. Spafford; Subliminal Traceroute in TCP/IP; in Proceedings of the National Information Systems Security Conference; Sep 2000.
  30. Florian Kerschbaum, Eugene H. Spafford, and Diego Zamboni; Using Embedded Sensors for Detecting Network Attacks; in Proceedings of the 1st ACM Workshop on Intrusion Detection Systems; Nov 2000.
  31. Eugene H. Spafford and Diego Zamboni; Design and Implementation Issues for Embedded Sensors in Intrusion Detection; in Proceedings of the RAID'2000 Workshop; Oct 2000.
  32. Christoph Schuba and Eugene H. Spafford; Modeling Firewalls Using Hierarchical Colored Petri Nets; in Proceedings of the NATO Symposium on Protecting Information Systems in the 21st Century; Oct 1999.
  33. Jai Sundar Balasubramaniyan, Jose Omar Garcia-Fernandez, David Isacoff, Eugene H. Spafford, and Diego Zamboni; An Architecture for Intrusion Detection Using Autonomous Agents; in Proceedings of the 14th IEEE Computer Security Applications Conference; pp. 13–24; Dec 1998.
  34. Eugene H. Spafford and Diego Zamboni; AAFID: Autonomous Agents for Intrusion Detection; in Proceedings of the RAID'98 Workshop; Sep 1998.
  35. Christoph Schuba and Eugene H. Spafford; A Reference Model for Firewall Technology; in Proceedings of the 13th IEEE Computer Security Applications Conference; pp. 133–145; Dec 1997.
  36. Mohd A. Bashar, Ganesh Krishnan, Markus G. Kuhn, Eugene H. Spafford, and S. S. Wagstaff, Jr.; Low-Threat Security Patches and Tools; in Proceedings of the 1997 IEEE International Conference on Software Maintenance; pp. 306–313; Oct 1997.
  37. Hsin Pan, Richard A. DeMillo, and Eugene H. Spafford; Failure and Fault Analysis for Software Debugging; in Proceedings of COMPSAC 97; 1997.
  38. Christoph Schuba, Ivan Krsul, Markus G. Kuhn, Eugene H. Spafford, Aurobindo Sundaram, and Diego Zamboni; Analysis of a Denial of Service Attack on TCP; in Proceedings of the 1997 IEEE Symposium on Security and Privacy; pp. 208–233; May 1997.
  39. Steve Lodin, Bryn Dole, and Eugene H. Spafford; Misplaced Trust: Kerberos 4 Random Session Keys; in Proceedings of the Internet Society Symposium on Network and Distributed System Security (NDSS); pp. 60–70; Feb 1997.
  40. Richard A. DeMillo, Hsin Pan, and Eugene H. Spafford; Critical Slicing for Software Fault Localization; in Proceedings of the International Symposium on Software Testing and Analysis (ISSTA 96); pp. 121–134; doi: 10.1145/229000.226310; ACM; Jan 1996.
  41. Taimur Aslam, Ivan Krsul, and Eugene H. Spafford; A Taxonomy of Security Vulnerabilities; in Proceedings of the 19th National Information Systems Security Conference; pp. 551–560; Oct 1996.
  42. Mark Crosbie and Eugene H. Spafford; Evolving Event-Driven Programs; in Proceedings of the First Annual Conference on Genetic Programming; pp. 273–278; Jul 1996.
  43. Mark Crosbie and Eugene H. Spafford; Genetic Programming Applied to Intrusion Detection; in Proceedings of the AAAI Genetic Programming Symposium; Nov 1995.
  44. Mark Crosbie and Eugene H. Spafford; Active Defense of Computer Systems Using Autonomous Agents; in Proceedings of the 18th National Information Security Conference; Oct 1995.
  45. Ivan Krsul and Eugene H. Spafford; Authorship Analysis: Identifying the Author of a Program; in Proceedings of the 18th National Information Security Conference; Oct 1995.
  46. Sandeep Kumar and Eugene H. Spafford; A Software Architecture to Support Misuse Intrusion Detection; in Proceedings of the 18th National Information Security Conference; pp. 194–204; Oct 1995.
  47. Sandeep Kumar and Eugene H. Spafford; A Pattern-Matching Model for Intrusion Detection; in Proceedings of the National Computer Security Conference; pp. 11–21; Oct 1994.
  48. Gene H. Kim and Eugene H. Spafford; The Design and Implementation of Tripwire: A File System Integrity Checker; in Proceedings of the 2nd ACM Conference on Computer and Communications Security; pp. 18–29; doi: 10.1145/191177.191183; ACM; Nov 1994.
  49. Gene H. Kim and Eugene H. Spafford; Writing, Supporting, and Evaluating Tripwire: A Publicly Available Security Tool; in Proceedings of the USENIX Unix Applications Development Symposium; pp. 89–107; Usenix Association; 1994.
  50. Gene H. Kim and Eugene H. Spafford; Experiences with Tripwire: Using Integrity Checkers for Intrusion Detection; in Proceedings of SANS III: System Administration, Networking, and Security Conference; Usenix Association; Apr 1994.
  51. Steve J. Chapin and Eugene H. Spafford; Support for Security in Distributed Systems Using MESSIAHS; in Proceedings of the National Computer Security Conference; pp. 339–447; Oct 1994.
  52. Steve J. Chapin and Eugene H. Spafford; Constructing Distributed Schedulers Using the Messiahs Interface Language; in Proceedings of the 27th Hawaii International Conference on Systems and Software (HICSS); pp. 425–434, Vol. II; IEEE Press; 1994.
  53. Hsin Pan and Eugene H. Spafford; Towards Automatic Localization of Software Faults; in Proceedings of the 10th Pacific Northwest Software Quality Conference; pp. 192–209; Oct 1992.
  54. Eugene H. Spafford and Stephen A. Weeber; Software Forensics: Can We Track Code to its Authors?; in Proceedings of the 15th National Computer Security Conference; pp. 641–650; Oct 1992.
  55. Eugene H. Spafford; Observing Reusable Password Choices; in Proceedings of the 3rd Usenix UNIX Security Symposium; pp. 299–312; Usenix Association; Sep 1992.
  56. Sandeep Kumar and Eugene H. Spafford; A Generic Virus Scanner in C++; in Proceedings of the 8th Computer Security Applications Conference; pp. 210–219; IEEE Press; Dec 1992.
  57. Mehmet Şahinoğlu, I. Baltaci, and Eugene H. Spafford; Monte Carlo Simulation on Software Mutation Testcase Adequacy; in Proceedings of COMPSTAT '92, International Association of Statistical Computing; pp. 47–52; Springer-Verlag; Aug 1992.
  58. Hiralal Agrawal, Richard A. DeMillo, and Eugene H. Spafford; Dynamic Slicing in the Presence of Unconstrained Pointers; in Proceedings of the 4th ACM Symposium on Testing, Analysis, and Verification (TAV4); pp. 60–73; doi: 10.1145/120807.120813; ACM; Oct 1991.
  59. Eugene H. Spafford; Preventing Weak Password Choices; in Proceedings of the 14th National Computer Security Conference; pp. 446–455; Oct 1991.
  60. Mehmet Şahinoğlu and Eugene H. Spafford; A Bayes Sequential Statistical Procedure for Approving Software Products; in Proceedings of the IFIP Conference on Approving Software Products (ASP–90); pp. 43–56; Elsevier Science; Sep 1990.
  61. Dan Farmer and Eugene H. Spafford; The COPS Security Checker System; in Proceedings of the Summer 1990 Usenix Conference; pp. 165–170; Usenix Association; Jun 1990.
  62. Eugene H. Spafford; An Analysis of the Internet Worm; in Proceedings of the European Software Engineering Conference 1989 (Lecture Notes in Computer Science, no. 387); pp. 446–468; Springer-Verlag; Sep 1989.
    — Reprinted as chapter 18 in Rogue Programs: Viruses, Worms, and Trojan Horses; Lance Hoffman, editor; Van Nostrand Reinhold; New York; 1990.
  63. Eugene H. Spafford; Some Musings on Ethics and Computer Break-ins (invited paper); in Proceedings of the Winter 1989 Usenix Conference; pp. 305–311; Usenix Association; Feb 1989.
  64. Hiralal Agrawal and Eugene H. Spafford; An Execution Backtracking Approach to Program Debugging; in Proceedings of the 6th Pacific Northwest Software Quality Conference; pp. 283–300; Oct 1988.
Back to top

Other Scholarly Works

In Memoriam

  1. Simson Garfinkel and Eugene H. Spafford; In Memoriam: C. A. R. Hoare; in Communications of the ACM (Digital); doi: 10.1145/3797904; ACM; Mar 2026.
  2. Eugene H. Spafford and Simson Garfinkel; In Memoriam: Vicki L. Hanson; in Communications of the ACM; p. 18, v. 69(3); doi: 10.1145/3794788; ACM; Mar 2026.
  3. Simson Garfinkel and Eugene H. Spafford; In Memoriam: David J. Farber; in Communications of the ACM (Digital); doi: 10.1145/3797904; ACM; Feb 2026.
  4. Eugene H. Spafford and Simson L. Garfinkel; In Memoriam: E. Allen Emerson; in Communications of the ACM; p. 23, v. 67(12); doi: 10.1145/3702968; ACM; Dec 2024.
  5. Simson Garfinkel and Eugene H. Spafford; In Memoriam: Gordon Bell; in Communications of the ACM; p. 17, v. 67(7); doi: 10.1145/3669937; ACM; Jul 2024.
  6. Simson Garfinkel and Eugene H. Spafford; In Memoriam: Niklaus Wirth; in Communications of the ACM; p. 20, v. 67(3); doi: 10.1145/3641309; ACM; Mar 2024.
  7. Simson L. Garfinkel and Eugene H. Spafford; In Memoriam: William A. Wulf; in Communications of the ACM; pp. 20–23, v. 66(6); doi: 10.1145/3594711; ACM; Jun 2023.
  8. Simson Garfinkel and Eugene H. Spafford; In Memoriam: Frederick P. Brooks, Jr. (1931–2022); in Communications of the ACM; pp. 21–22, v. 66(1); doi: 10.1145/3572995; ACM; Jan 2023.
  9. Simson Garfinkel and Eugene H. Spafford; In Memoriam: Juris Hartmanis (1928–2022); in Communications of the ACM; pp. 14–15, v. 65(10); doi: 10.1145/3559705; ACM; Oct 2022.
  10. Simson Garfinkel and Eugene H. Spafford; In Memoriam: Charles M. Geschke (1939–2021); in Communications of the ACM; p. 22, v. 64(7); doi: 10.1145/3467481; ACM; Jul 2021.
  11. Simson Garfinkel and Eugene H. Spafford; In Memoriam: Jack Minker (1927–2021); in Communications of the ACM; p. 17, v. 64(6); doi: 10.1145/3462465; ACM; Jun 2021.
  12. Simson L. Garfinkel and Eugene H. Spafford; In Memoriam: Ronald E. Anderson (1941–2020); in Communications of the ACM; v. 64(2); doi: 10.1145/3749739; ACM; Feb 2021.
  13. Simson Garfinkel and Eugene H. Spafford; In Memoriam: Edmund M. Clarke (1945–2020); in Communications of the ACM; pp. 23–24, v. 64(3); doi: 10.1145/3447810; ACM; Feb 2021.
  14. Simson Garfinkel and Eugene H. Spafford; In Memoriam: Fran Allen (1932–2020); in Communications of the ACM; pp. 18–19, v. 63(10); doi: 10.1145/3418560; ACM; Oct 2020.

Other Publications

  1. Eugene H. Spafford; Foreword to Information Assurance and Security Ethics in Complex Systems: Interdisciplinary Perspectives; ed. Melissa Jane Dark; IGI Global; Aug 2010.
  2. Mahesh Tripunitara and Gene Spafford; Connectivity Provisioning with Security Attributes; in Software Focus; v. 2, #3; pp. 112–116; Fall 2001.
  3. Eugene H. Spafford; Statement on the State of Information Security; Briefing Before the Committee on Science, U.S. House of Representatives; Oct 2001.
  4. Eugene H. Spafford; One View of a Critical National Need: Support for Information Security Education and Research; Briefing Before the Committee on Science, U.S. House of Representatives; pp. 29–38; Feb 1997.
  5. Eugene H. Spafford; System Intrusions and Law Enforcement; in EDP Audit, Control, and Security Newsletter; v. XXIV, #2; Aug 1996.
  6. Eugene H. Spafford; Hacker Challenges: Boon or Bane?; in IEEE Cipher; electronic issue #12; Feb 1996.
  7. Eugene H. Spafford; UNIX and Security: The Influences of History; in Information Systems Security; v. 4(3); pp. 52–60; Fall 1995.
  8. A. Gargaro, E. Dooley, W. Dykstra, R. Holden, T. Horton, R. Kramer, G. Lowney, G. Matey, P. Plauger, E. Spafford, and P. Voldner; ACM Technical Standards Committee: A New Advocacy Power; in Computer Standards & Interfaces; v. 16; pp. 139–142; 1994.
  9. A. Gargaro, E. Dooley, W. Dykstra, R. Holden, T. Horton, R. Kramer, G. Lowney, G. Matey, P. Plauger, E. Spafford, and P. Voldner; The Power of Standards; in Communications of the ACM; v. 36(8); pp. 11–12; ACM; Aug 1993.
  10. Eugene H. Spafford; Keeping a Lock on Pandora’s Box; in Science News; v. 139(20); p. 315; May 1991.
  11. Eugene H. Spafford; Is a Computer Break-in Ever Ethical?; in Information Technology Quarterly; Harvard University; v. IX(2); pp. 9–14; Summer 1990.

Viewpoints and Correspondence

  1. Steve Furnell and Eugene H. Spafford; The Morris Worm at 30; in IT NOW; v. 61(1); British Computer Society; Feb 2019.
  2. Eugene H. Spafford; The Strength of Encryption; in Communications of the ACM; p. 5, v. 59(3); doi: 10.1145/2889284; ACM; Mar 2016.
  3. Diana L. Burley and Eugene H. Spafford; An Interview with Gene Spafford on Balancing Breadth and Depth in Cybersecurity Education; in ACM Inroads; v. 5(1); pp. 42–46; doi: 10.1145/2568195.2568211; ACM; Mar 2014.
  4. Eugene H. Spafford; USACM and U.S. Legislation; in Communications of the ACM; p. 5, v. 55(6); doi: 10.1145/2184319.2184320; ACM; Jun 2012.
  5. Eugene H. Spafford; Remembrances of Things Pest; in Communications of the ACM; pp. 35–37, v. 53(8); doi: 10.1145/1787234.1787246; ACM; Aug 2010.
  6. Eugene H. Spafford; Privacy and Security: Answering the Wrong Questions Is No Answer; in Communications of the ACM; pp. 22–24, v. 52(6); doi: 10.1145/1516046.1516056; ACM; Jun 2009.
  7. Eugene H. Spafford; USACM's Policy Role; in Communications of the ACM; p. 5, v. 52(2); doi: 10.1145/1461928.1461929; ACM; Feb 2009.
  8. Eugene H. Spafford; Industry Progress and Attitudes; in Information Security; Oct 2008.
  9. Eugene H. Spafford; Inspiration and Trust; in Communications of the ACM; pp. 61–62, v. 51(1); doi: 10.1145/1327452.1327480; ACM; Jan 2008.
  10. Richard Ford and Eugene H. Spafford; Happy Birthday, Dear Viruses; in Science; pp. 210–211, v. 317; doi: 10.1126/science.1140909; Jul 2007.
  11. Barbara Simons and Eugene H. Spafford; Risks of Total Surveillance; Inside Risks; in Communications of the ACM; p. 120, v. 46(3); doi: 10.1145/636772.636804; ACM; Mar 2003.
  12. Eugene H. Spafford; Spaf’s Crystal Ball; in Information Security; v. 5, #11; p. 100; Nov 2002.
  13. Eugene H. Spafford; Protecting Personal Information in Academia; in CRA News; v. 13, #3; pp. 3, 4, 12; May 2001.
  14. E. H. Spafford; An Illustration of Why Security Is More than Technology; in Computer Graphics; pp. 22–23, v. 34(4); ACM SIGGRAPH; Nov 2000.
  15. Eugene H. Spafford; The United States vs. Craig Neidorf: A Debate; in Communications of the ACM; v. 34(3); pp. 36–38; ACM; Mar 1991.
  16. Eugene H. Spafford; On Hiring Hackers; ACM Forum; in Communications of the ACM; v. 33(10); p. 14; ACM; Oct 1990.
  17. Eugene H. Spafford; Response to Fred Cohen’s Contest; in The Sciences; Jan/Feb 1991.
  18. Thomas Narten and Eugene H. Spafford; Beyond Worms; ACM Forum; in Communications of the ACM; pp. 673–674, v. 32(6); ACM; Jun 1989.
  19. H. Agrawal and E. H. Spafford; Bibliography on Debugging and Backtracking; in ACM SIGPLAN Notices; pp. 49–56; doi: 10.1145/71647.71653; ACM; Apr 1989.
  20. Eugene H. Spafford; The Internet Worm Program: An Analysis; in ACM SIGCOMM Computer Communication Review; pp. 17–57; doi: 10.1145/66093.66095; ACM; Jan 1989.