CS 261N: Internet/Network Security

Spring 2020


Vern Paxson, office hours Fri 3:30-4:30PM (737 Soda) and by appointment.


  Tue/Fri, 2:10PM-3:30PM, 320 Soda


Web page: https://www.icir.org/vern/cs261n/
Announcements, questions: the class Piazza site, which you sign up for here.
Feel free to email any question/comment you want to make privately to the instructor at vern@berkeley.edu.

Course Description:

CS 261N: Internet/Network Security. Prerequisite: CS 168 / EE 122 or equivalent; CS 161 or equivalent; basic probability/statistics. (Non-PhD students must receive instructor approval.)

This class aims to provide a thorough grounding in network security suitable for those interested in conducting research in the area, as well as students more generally interested in either security or networking. We will also look at broader issues relating to Internet security in which networking plays a role. The syllabus overlaps with portions of the SEC prelim.

Topics include: denial-of-service; capabilities; network monitoring / intrusion detection; worms; forensics; scanning; traffic analysis / inferring activity; architecture; protocol issues; legality and ethics; web attacks; anonymity; censorship; surveillance; honeypots; botnets; spam; the underground economy; research issues & pitfalls.

The course is taught with an emphasis on seminal papers rather than the bleeding edge for a given topic. It includes a major project that students generally undertake in teams of two.

Three hours of lecture per week. 4 units, due to the significant workload.

A note on ethics: We will be discussing attacks, some of them quite nasty, and also powerful eavesdropping technology. None of this in any way gives you permission or authorization to undertake these in any fashion other than with informed consent of all involved parties. If in any context you are uncertain about where to draw the line, come talk with me first.

A note on accommodations: The University provides a range of potential support resources and academic accommodations, which I encourage you to familiarize yourself with, and to discuss with me further as appropriate.


Class project: 50% (based on deliveries at milestones and, especially, final report; class presentations are not graded)
Homework: 40%
Lecture participation: 10%


This lecture schedule may be revised as the course progresses.

| Date | Topic | Readings | Notes |
|------|-------|----------|-------|
| 1/21 | Overview and Logistics | (none) | |
| 1/24 | Denial-of-Service | Inferring Internet Denial of Service Activity, Moore, Voelker and Savage, USENIX Security 2001 | Lecture materials |
| 1/28 | Traceback | Practical Network Support for IP Traceback, Savage et al., SIGCOMM 2000 | |
| 1/31 | DoS Defense | SIFF: A Stateless Internet Flow Filter to Mitigate DDoS Flooding Attacks, Yaar, Perrig, and Song, IEEE S&P 2004 | |
| 1/31 | PROJECT | Project Initial Thoughts due (evening) | |
| 2/4 | Network Monitoring | Bro: A System for Detecting Network Intruders in Real-Time, Vern Paxson, Computer Networks, 31(23-24), pp. 2435-2463, 14 Dec. 1999. | |
| 2/7 | Fundamental NIDS Issues | Network Intrusion Detection: Evasion, Traffic Normalization, and End-to-End Protocol Semantics, Mark Handley, Christian Kreibich and Vern Paxson, USENIX Security 2001 | |
| 2/11 | Evaluating Detectors | Testing Intrusion Detection Systems: A Critique of the 1998 and 1999 DARPA Off-line Intrusion Detection System Evaluation as Performed by Lincoln Laboratory, John McHugh, ACM Transactions on Information and System Security, 3(4). November, 2000. | |
| 2/14 | The Threat of Worms | How to 0wn the Internet in Your Spare Time, Stuart Staniford, Vern Paxson and Nicholas Weaver, USENIX Security 2002 | |
| 2/14 | PROJECT | Project Proposal due (evening) | |
| 2/18 | Worm Detection/Defense | Scalability, fidelity, and containment in the Potemkin virtual honeyfarm, Michael Vrable et al., SOSP 2005. | |
| 2/21 | Scanning | Fast Portscan Detection Using Sequential Hypothesis Testing, Jaeyeon Jung, Vern Paxson, Arthur Berger, and Hari Balakrishnan, IEEE S&P 2004 | |
| 2/25 | Inferring Activity | Timing Analysis of Keystrokes and Timing Attacks on SSH, Dawn Song, David Wagner, Xuqing Tian, USENIX Security 2001 | |
| 2/28 | Forensics | Toward a Framework for Internet Forensic Analysis, Vyas Sekar et al., HotNets 2004, and its public review (pp. 13-14) | |
| 2/28 | PROJECT | Project summary posted to Piazza (evening) | |
| 3/3 | Securing Protocols | Guidelines for Writing RFC Text on Security Considerations, E. Rescorla and B. Korver, RFC 3552, 2003 | |
| 3/6 | Securing Protocols, cont'd | No paper assigned. | |
| 3/6 | PROJECT | Related Work Writeup due (evening) | |
| 3/10 | Authentication | Conditioned-safe Ceremonies and a User Study of an Application to Web Authentication, Chris Karlof, J.D. Tygar, and David Wagner, NDSS 2009 | |
| 3/13 | Identity | No paper assigned. | |
| 3/17 | Anonymity | Tor: The Second-Generation Onion Router, Roger Dingledine, Nick Mathewson, Paul Syverson, USENIX Security 2004 | |
| 3/20 | Censorship | Telex: Anticensorship in the Network Infrastructure, Eric Wustrow, Scott Wolchok, Ian Goldberg and J. Alex Halderman, USENIX Security 2011 | |
| 3/24 | Spring Break | | |
| 3/27 | Spring Break | | |
| 3/31 | Surveillance | Targeted Threat Index: Characterizing and Quantifying Politically-Motivated Targeted Malware, Seth Hardy et al., USENIX Security 2014 | |
| 4/3 | Legality and Ethics | Conducting Cybersecurity Research Legally and Ethically, Aaron Burstein, First USENIX Workshop on Large-scale Exploits and Emergent Threats (LEET '08). Designing and Conducting Phishing Experiments, Peter Finn and Markus Jakobsson, IEEE Technology and Society Magazine, Special Issue on Usability and Security, 2007. | |
| 4/7 | Architecture | Ethane: Taking Control of the Enterprise, Martin Casado et al., SIGCOMM 2007 | |
| 4/10 | Botnets | Your Botnet is My Botnet: Analysis of a Botnet Takeover, Brett Stone-Gross et al., CCS 2009 | |
| 4/10 | PROJECT | Status Report due (evening) | |
| 4/14 | Spam | Spamming Botnets: Signatures and Characteristics, Yinglian Xie, Fang Yu, Kannan Achan, Rina Panigrahy, Geoff Hulten, and Ivan Osipkov, SIGCOMM 2008 | |
| 4/17 | Cybercrime | Click Trajectories: End-to-End Analysis of the Spam Value Chain, Kirill Levchenko et al., IEEE S&P 2011 | |
| 4/21 | Project presentations | | |
| 4/24 | Project presentations | | |
| 4/28 | Project presentations | | |
| 5/1 | Project presentations | | |
| 5/12 | PROJECT | Project writeup due (1PM) | |