Tue/Fri, 2:10PM-3:30PM, 320 Soda

Web page: https://www.icir.org/vern/cs261n/
Announcements, questions: the class Piazza site, which you sign up for here.
Feel free to email any question/comment you want to make privately to the instructor at vern@berkeley.edu.

CS 261N: Internet/Network Security. Prerequisite: CS 168 / EE 122 or equivalent; CS 161 or equivalent; basic probability/statistics. (Non-PhD students must receive instructor approval.)

This class aims to provide a thorough grounding in network security suitable for those interested in conducting research in the area, as well as students more generally interested in either security or networking. We will also look at broader issues relating to Internet security for which networking plays a role. The syllabus has overlap with portions of the SEC prelim.

Topics include: denial-of-service; capabilities; network monitoring / intrusion detection; worms; forensics; scanning; traffic analysis / inferring activity; architecture; protocol issues; legality and ethics; web attacks; anonymity; censorship; surveillance; honeypots; botnets; spam; the underground economy; research issues & pitfalls.

The course is taught with an emphasis on seminal papers rather than bleeding-edge for a given topic. It includes a major project that students generally undertake in teams of two.

Three hours of lecture per week. 4 units, due to the significant workload.

A note on ethics: We will be discussing attacks, some of them quite nasty, and also powerful eavesdropping technology. None of this is in any way gives you permission or authorization to undertake these in any fashion other than with informed consent of all involved parties. If in any context you are uncertain about where to draw the line, come talk with me first.

A note on accommodations: The University provides a range of potential support resources and academic accommodations, which I encourage you to familiarize yourself with, and to discuss with me further as appropriate.

Class project: 50% (based on deliveries at milestones and, especially, final report; class presentations are not graded)
Homework: 40%
Lecture participation: 10%

This lecture schedule may be revised as the course progresses.

Date	Topic	Readings	Notes
1/21	Overview and Logistics	(none)
1/24	Denial-of-Service	Inferring Internet Denial of Service Activity, Moore, Voelker and Savage, USENIX Security 2001	Lecture materials
1/28	Traceback	Practical Network Support for IP Traceback, Savage et al., SIGCOMM 2000	Lecture materials
1/31	DoS Defense	SIFF: A Stateless Internet Flow Filter to Mitigate DDoS Flooding Attacks, Yaar, Perrig, and Song, IEEE S&P 2004	Lecture materials
1/31	PROJECT	Project Initial Thoughts due (evening)
2/4	Network Monitoring	Bro: A System for Detecting Network Intruders in Real-Time, Vern Paxson, Computer Networks, 31(23-24), pp. 2435-2463, 14 Dec. 1999.	Lecture materials
2/7	Fundamental NIDS Issues	Network Intrusion Detection: Evasion, Traffic Normalization, and End-to-End Protocol Semantics, Mark Handley, Christian Kreibich and Vern Paxson, USENIX Security 2001	Lecture materials
2/11	Evaluating Detectors	Testing Intrusion Detection Systems: A Critique of the 1998 and 1999 DARPA Off-line Intrusion Detection System Evaluation as Performed by Lincoln Laboratory, John McHugh, ACM Transactions on Information and System Security, 3(4). November, 2000.	Lecture materials
2/14	The Threat of Worms	How to 0wn the Internet in Your Spare Time, Stuart Staniford, Vern Paxson and Nicholas Weaver, USENIX Security 2002	Lecture materials
2/14	PROJECT	Project Proposal due (evening)
2/18	Worm Detection/Defense	No paper assigned.	Lecture materials
2/21	Scanning	Fast Portscan Detection Using Sequential Hypothesis Testing, Jaeyeon Jung, Vern Paxson, Arthur Berger, and Hari Balakrishnan, IEEE S&P 2004	Lecture materials
2/25	Inferring Activity	Timing Analysis of Keystrokes and Timing Attacks on SSH, Dawn Song, David Wagner, Xuqing Tian, USENIX Security 2001	Lecture materials
2/28	Forensics	No paper assigned.	Lecture materials
2/28	PROJECT	Project summary posted to Piazza (evening)
3/3	Securing Protocols	Guidelines for Writing RFC Text on Security Considerations, E. Rescorla and B. Korver, RFC 3552, 2003	Lecture materials
3/6	Securing Protocols, con't	No paper assigned.	Lecture materials
3/6	PROJECT	Related Work Writeup due (evening)
3/10	Lecture cancelled due to switch to remote teaching
3/13	Architecture	Ethane: Taking Control of the Enterprise, Martin Casado et al., SIGCOMM 2007	Lecture materials
3/17	Architecture, con't	Conditioned-safe Ceremonies and a User Study of an Application to Web Authentication, Chris Karlof, J.D. Tygar, and David Wagner, NDSS 2009	Lecture materials
3/20	Authentication	No paper assigned.	Lecture materials
3/24	Spring Break
3/27	Spring Break
3/31	Authentication/Identity	No paper assigned.	Lecture materials
4/3	Botnets	Your Botnet is My Botnet: Analysis of a Botnet Takeover, Brett Stone-Gross et al, CCS 2009	Lecture materials
4/7	PPI / Presentations	Tor: The Second-Generation Onion Router, Roger Dingledine, Nick Mathewson, Paul Syverson, USENIX Security 2004	Lecture materials
4/10	Abusive Surveillance	Guest lecture by Bill Marczak. When Governments Hack Opponents: A Look at Actors and Technology, William Marczak et al., USENIX Security 2014	Lecture materials
4/10	PROJECT	Status Report due (evening)
4/14	Anonymity / Spam	Taster's Choice: A Comparative Analysis of Spam Feeds, Andreas Pitsillidis et al., ACM IMC 2012	Lecture materials
4/17	Cybercrime	No paper assigned.	Lecture materials
4/21		Project presentations: Catherine & Allen (slides); Evan & Huazhe (slides)
4/24		Project presentations: Shivendra & Sumukh (slides); Noura & Conor (slides)
4/28		Project presentations: Mingcheng & Sean (slides; with animations); Ian (slides)
5/1		Project presentations: Changze & Weihao (Powerpoint, PDF); Chester & Pranav (slides)
5/12	PROJECT	Project writeup due (1PM)