Vern Paxson (vern@cs, 737 Soda Hall, 643-4209, 666-2882)
Mon/Wed, 2:40-4PM, 405 Soda
Mon 4:15-5:15PM in 737 Soda.
Also by appointment - send email.
CS 261N: Internet/Network Security. Prerequisite: EE 122 or equivalent, CS 161 or equivalent, basic probability/statistics.
This class aims to provide a thorough grounding in network security suitable for those interested in conducting research in the area, as well as students more generally interested in either security or networking. We will also look at broader issues relating to Internet security for which networking plays a role. The syllabus has substantial overlap with portions of the SEC prelim.
Topics include: denial-of-service; capabilities; network intrusion detection; worms; forensics; scanning; traffic analysis / inferring activity; architecture; protocol issues; legality and ethics; web attacks; anonymity; honeypots; botnets; spam; the underground economy; and research pitfalls.
The course is taught with an emphasis on seminal papers rather than bleeding-edge for a given topic. It includes a major project that students generally undertake in teams of two.
Three hours of lecture per week.
3 units for Spring 2012. This will change to 4 units for Fall 2012, which is the correct representation of the workload. If you have difficulties receiving only 3 units for the class, please contact me.
See the syllabus.
There will be a term project. You will do independent research in pairs or (with instructor approval) individually. Projects may cover any topic of interest in network security, interpreted broadly (it need not be a topic discussed in class); ties with current research are encouraged. See the project description for details and due dates for the different elements.
You are encouraged to start thinking of topics of interest early. Be ambitious!
There is no required textbook. All reading will be from papers. A tentative list of these is available from the syllabus. We will definitely cover most of these topics (and primary papers), but may make some changes over the course of the semester.
Homework for the course primarily consists of writing a reflection upon each paper you read. In general you are only responsible for reading the first paper listed for a given topic. If you want to read and assess a different paper instead, clear your choice with me in advance.
Submit your writeup, via email (plain text preferred), by Tuesday 11AM for papers discussed during a Wednesday lecture, and Thursday 9PM for papers discussed during a Monday lecture. These deadlines are sharp.
Typically the assignment will be for you to sketch different facets of the paper, such as:
Your assessment does not need to be particularly formal, but it needs to reflect a thoughtful assessment of the paper. Writeups should generally aim for a total of 2 or 3 pages of thoughtful content. They can be shorter if you write concisely; if much longer, that may mean you have trouble trimming your discussion effectively (a skill researchers need to develop!).
It is understandable that you may find parts of some papers baffling or inaccessible. Flag these and don't kill yourself trying to absorb them - same goes for technical fine points - but use prudence in this regard. You should be able to extract a solid amount of technical material from each paper.
In general, I try to provide feedback on homework assignments. Unfortunately, the size of the class this time makes it infeasible for me to do so for each student for each assignment. My plan is therefore to randomly select for which assignments a given student will receive feedback. That said, if there are particular elements of your assessment for which you'd like direct feedback, indicate them in your writeup.
Note, homework assignments are to be done individually. It's fine to discuss the readings with your fellow students or others in order to gain comprehension, but the writeup should reflect your own views and framing.
You should turn in your homework via email and as plain text. Late homeworks lose 50% credit off the top. Writeups turned in after the corresponding lecture or posting of the corresponding exemplar (see below) will not receive any credit.
Update: thanks to feedback from the mid-course "load" survey, the homework grading policy is that I will skip your 4 lowest-scoring assignments when computing overall homework grades. This means you can omit turning in up to 4 writeups without an overall penalty (and/or you can make up for some late assignments).
Students can benefit from seeing examples of homework writeups that did particularly well at addressing an assignment. I will make such "exemplars" available a little while after an assignment's due date. Most of the exemplars will come from a past offering of the class (made available with the students' permission), though I will also select some of the assignments done this semester. Please do not redistribute exemplars.
You will put together a "briefing" for one of the lecture topics. A briefing is a 10-minute sketch of additional context (that you have researched by yourself) that complements the paper assigned for the topic. Typically, a briefing focuses on an additional paper other than the one assigned for homework, though other approaches can work too (but need to be cleared with me well in advance).
Update: thanks to some feedback from the mid-course "load" survey, I've amended the scope of briefings to be either the above or a presentation of your in-progress class research project.
For a lecture topic that you will brief, email me a short summary of what you plan 5 days in advance. The summary should sketch which paper you are planning to use for your brief and what particular facets of it you will develop. I will send you feedback regarding thoughts on what to emphasize or omit (for example, it may be that I will already be covering some of your items in the lecture, so there is no need for you to delve into them). Send me any slides you plan to use for your brief 48 hours in advance so I can give you comments on them with time for you to then potentially revise them. I encourage you to avoid slides with much text on them. They can tempt you to read off the slide, or the audience to read the slide rather than listen to what you're saying.
You will present/lead a discussion of your briefing at some point in the lecture. It's important to stick to the 10-minute time allocation. Note that this sort of time management can be challenging! You should rehearse, both so that you understand how long the presentation takes, and to work on the quality of your delivery, which is part of the assessment I will make of your effort. Note that even with rehearsing, you may find that you have to adapt your delivery on-the-fly so that it stays coherent given the available time; being nimble in modifying your original presentation plan in real-time is a great skill to develop!
Please inspect the syllabus and send me a note with an ordered list of which lectures you would like to brief. Given the size of the class, some briefings will need to be the responsibility of a pair of students. If you prefer to do your briefing with a partner, indicate whom you have in mind. The two of you can either share the resulting 10-minute presentation slot (this can be tricky to coordinate), or one of you can deliver it in full. Such briefings will be held to a somewhat higher standard regarding quality of both technical content and delivery.
We will be discussing attacks, some of them quite nasty, and also powerful eavesdropping technology. None of this is in any way an invitation to undertake these in any fashion other than with informed consent of all involved parties. If in any context you are uncertain about where to draw the line, come talk with me first.
The course uses a class discussion/announcement group on Piazza, so it is important for students to join it and track it regularly.
Student feedback in general is always highly valuable, both positive and critical. Please feel encouraged to provide your thoughts! If you want to send anonymous comments or criticisms, feel free to use an anonymous remailer, or slip a note under my door or in my box.
The schedule here will be updated as the course progresses. The following is a tentative list of topics and ordering, but those not imminent may change.
| Date | Topic | Reading | Briefing notes | Lecture materials |
|---|---|---|---|---|
| 1/18 | Overview and Logistics | (none) | | |
| 1/23 | Denial-of-Service | Inferring Internet Denial of Service Activity, Moore, Voelker and Savage, USENIX Security 2001 | | Lecture materials |
| 1/25 | Traceback | Practical Network Support for IP Traceback, Savage et al., SIGCOMM 2000 | | Lecture materials |
| 1/30 | Capabilities | SIFF: A Stateless Internet Flow Filter to Mitigate DDoS Flooding Attacks, Yaar, Perrig, and Song, IEEE S&P 2004 | Notes from topic briefing by Warren He | Lecture materials |
| 2/1 | Network Intrusion Detection Systems | Bro: A System for Detecting Network Intruders in Real-Time, Vern Paxson, Computer Networks, 31(23-24), pp. 2435-2463, 14 Dec. 1999 | | Lecture materials |
| 2/6 | NIDS Evasion | Network Intrusion Detection: Evasion, Traffic Normalization, and End-to-End Protocol Semantics, Mark Handley, Christian Kreibich and Vern Paxson, USENIX Security 2001 | | Lecture materials |
| 2/8 | NIDS Evaluation | Testing Intrusion Detection Systems: A Critique of the 1998 and 1999 DARPA Off-line Intrusion Detection System Evaluation as Performed by Lincoln Laboratory, John McHugh, ACM Transactions on Information and System Security, 3(4), November 2000 | Notes from topic briefing by Alex Kantchelian | Lecture materials |
| 2/10 | PROJECT | Project Proposal Due (evening). Schedule a meeting with me to discuss. | | |
| 2/13 | The Threat of Worms | How to 0wn the Internet in Your Spare Time, Stuart Staniford, Vern Paxson and Nicholas Weaver, USENIX Security 2002 | Notes from topic briefing by Scott Marshall | Lecture materials |
| 2/15 | Worm Detection/Defense | Scalability, fidelity, and containment in the Potemkin virtual honeyfarm, Michael Vrable et al., SOSP 2005. Can we contain Internet worms?, Manuel Costa, Jon Crowcroft, Miguel Castro and Antony Rowstron, HotNets III 2004, and its public review (pp. 12-13). | Notes from topic briefing by Sebastian Benthall | Lecture materials |
| 2/22 | Scanning | Fast Portscan Detection Using Sequential Hypothesis Testing, Jaeyeon Jung, Vern Paxson, Arthur Berger, and Hari Balakrishnan, IEEE S&P 2004 | Notes from topic briefing by Gautam Kumar | Lecture materials |
| 2/27 | Forensics | Toward a Framework for Internet Forensic Analysis, Vyas Sekar et al., HotNets 2004, and its public review (pp. 13-14) | Notes from topic briefing by Saung Li and Tom Magrino | Lecture materials |
| 2/29 | Inferring Activity | Timing Analysis of Keystrokes and Timing Attacks on SSH, Dawn Song, David Wagner, Xuqing Tian, USENIX Security 2001 | Notes from topic briefing by Thurston Dang and Sangjin Han | Lecture materials |
| 3/5 | Anonymity | Tor: The Second-Generation Onion Router, Roger Dingledine, Nick Mathewson, Paul Syverson, USENIX Security 2004 | Notes from topic briefing by Aurojit Panda | Lecture materials |
| 3/5 | PROJECT | Related Work Writeup Due (evening) | | |
| 3/7 | Architecture | Ethane: Taking Control of the Enterprise, Martin Casado et al., SIGCOMM 2007 | Notes from topic briefing by Kay Ousterhout | Lecture materials |
| 3/12 | Legality and Ethics | Conducting Cybersecurity Research Legally and Ethically, Aaron Burstein, First USENIX Workshop on Large-scale Exploits and Emergent Threats (LEET '08). Designing and Conducting Phishing Experiments, Peter Finn and Markus Jakobsson, IEEE Technology and Society Magazine, Special Issue on Usability and Security, 2007. | (no topic briefing) | Lecture materials |
| 3/14 | Securing Protocols | No paper assigned. | | Lecture materials |
| 3/19 | Securing Protocols, con't | No paper assigned. | Notes from topic briefing by Colin Scott | Lecture materials |
| 3/20 | Authentication | Conditioned-safe Ceremonies and a User Study of an Application to Web Authentication, Chris Karlof, J.D. Tygar, and David Wagner, NDSS 2009 | | Lecture materials |
| 4/2 | Web Attacks & Defenses | Secure Content Sniffing for Web Browsers, or How to Stop Papers from Reviewing Themselves, Adam Barth, Juan Caballero, and Dawn Song, IEEE S&P 2009 | Notes from topic briefing by Gene Pang | Lecture materials |
| 4/4 | Botnets | Your Botnet is My Botnet: Analysis of a Botnet Takeover, Brett Stone-Gross et al., CCS 2009 | Notes from topic briefing by Nitesh Mor | Lecture materials |
| 4/6 | PROJECT | Status Report Due (evening). Schedule a meeting with me to discuss. | | |
| 4/9 | Botnets, con't | Measuring Pay-per-Install: The Commoditization of Malware Distribution, Juan Caballero, Chris Grier, Christian Kreibich and Vern Paxson, USENIX Security 2011 | | Lecture materials |
| 4/11 | Spam | Spamming Botnets: Signatures and Characteristics, Yinglian Xie, Fang Yu, Kannan Achan, Rina Panigrahy, Geoff Hulten, and Ivan Osipkov, SIGCOMM 2008 | Notes from topic briefing by Shaddi Hasan | Lecture materials |
| 4/16 | Spam & Scams | Examining the impact of website take-down on phishing, Tyler Moore and Richard Clayton, Proc. Anti-Phishing Working Group eCrime Researchers Summit 2007 | Notes from topic briefing by Antonio Lupher | Lecture materials |
| 4/18 | Scams, con't | Click Trajectories: End-to-End Analysis of the Spam Value Chain, Kirill Levchenko et al., IEEE S&P 2011 | Notes from topic briefing by Jennifer Goett | Lecture materials |
| 4/23 | Project presentations | Saung, Gautam/Kay, Colin/Panda/Shaddi | | |
| 4/25 | Project presentations | Thurston, Sangjin/Scott, Kevin | | |
| 4/30 | Project presentations | Tom/Warren, Gene/Nitesh, Jen | | |
| 5/2 | Project presentations | Alex/Sebastian, Antonio | | |
| 5/8 | PROJECT | Project Report Due (1PM) | | |