CS 294-28, Spring 2008
Network Security

  Vern Paxson (vern@cs, 615 Soda Hall, 643-4209, 666-2882)

  Mon-Fri, 1:00-2:30pm, 320 Soda

Office Hours:
  Mon 3-4pm in 615 Soda.

Previous announcements (other than for past homeworks):

Course Description

CS294-28: Network Security. Prerequisite: EE122 or equivalent, knowledge of basic network security notions.

This class aims to provide a thorough grounding in network security suitable for those interested in conducting research in the area, as well as students more broadly interested in security. Topics will span: securing communication and infrastructure; protocol vulnerabilities; attacks at different layers; intrusion detection and prevention; evasion; spoofing; reconnaissance; automated exploits; denial-of-service; traceback; worms; bots and botnets; honeypots; network telescopes; securing wireless access; traffic analysis and classification; Web security; exfiltration and covert channels; the "underground economy"; and research pitfalls.

The course will be taught with an emphasis on seminal papers rather than bleeding-edge for a given topic. It will include a major project each student will undertake individually or in pairs. The class is intended to evolve into a regular graduate offering. In addition, the syllabus will have substantial overlap with portions of a new security-area prelim under development by the security faculty.

Three hours of lecture per week. (3 units)

Course topics

See the syllabus.


Class project: 50%
Homework: 20%
Lecture participation: 15%
Scribe notes: 15%


There will be a term project. You will do independent research in pairs or individually. Projects may cover any topic of interest in network security, interpreted broadly (it need not be a topic discussed in class); ties with current research are encouraged. See the project description for details and due dates for the different elements.

You are encouraged to start thinking of topics of interest early. Be ambitious!

Readings / Homework

There is no required textbook. All reading will be from papers. A tentative list of these is available from the syllabus. We will definitely cover most of these, but as this is a new course under development I may make some changes.

Homework for the course primarily consists of writing a brief "mini-review" of each paper you read. In general you are only responsible for reading the first paper listed for a given topic. If you want to read and review a different paper instead, in general that's okay, but clear your choice with me in advance.

Submit your mini-review, via email, 24 hours prior to the corresponding lecture. Your mini-review should give a few sentences for each of:

  1. What are the paper's main contributions?
  2. What parts of the paper do you find unclear?
  3. What parts of the paper are questionable? (E.g., methodology, omissions, relevance.)
  4. Given the contributions, what issues remain? What related ideas does it bring to mind?

Your mini-review does not need to be particularly formal, but it needs to reflect a thoughtful assessment of the paper. (It is understandable that you may find parts of some papers baffling or inaccessible. Flag these and don't kill yourself trying to absorb them - same goes for technical fine points - but use prudence in this regard.)

Note, mini-reviews are to be done individually. It's fine to discuss the readings with your fellow students or others in order to gain comprehension, but the writeup should reflect your own views and framing.

Late mini-reviews lose 50% credit off the top. Writeups turned in after the scribe notes (see below) receive no credit.

Scribe notes

You will be expected to write scribe notes for two lectures. Email me document source (latex, HTML, Word) with your scribe notes suitable for editing and posting on the course Web site. For credit, I need to receive it within one week after the corresponding lecture.

Inspect the syllabus and send me a note regarding which lecture(s) you'd prefer to scribe. I will allocate scribes in first-come-first-serve order.


We will be discussion attacks, some of them quite nasty, and also powerful eavesdropping technology. None of this is in any way an invitation to undertake these in any fashion other than with informed consent of all involved parties. If in any context you are uncertain about where to draw the line, come talk with me first.

Mailing List

The course uses a mailing list for announcements and discussions, so it is important for students to subscribe to it.


The schedule here will be updated as the course progresses. The intent is to aim for a lecture per topic in the syllabus, but will be updated here closer to the actual date to correctly reflect the actual lecture.

Topic Readings Notes
1/25 Overview and logistics (none) Lecture slides
1/28 Authentication & Identity Using Encryption for Authentication in Large Networks of Computers, Needham and Schroeder. (no scribe)
2/1 Denial-of-Service Inferring Internet Denial of Service Activity, Moore, Voelker and Savage. Scribed by Steve Hanna
2/4 Traceback Practical Network Support for IP Traceback, Savage et al. Scribed by Ari Rabkin
2/8 Capabilities SIFF: A Stateless Internet Flow Filter to Mitigate DDoS Flooding Attacks, Yaar, Perrig, and Song. Scribed by Ashima Atul
2/11 DoS Defense SOS: Secure overlay services, Keromytis, Misra, and Rubenstein. Scribed by Steve Chan
2/15 DoS Defense #2 No assigned paper. For optional reading, see alternative papers listed in Homework #5, or contact me for others. Scribed by Scott Campbell
2/18 No class. (Campus holiday)
2/22 Network intrusion detection systems Bro: A System for Detecting Network Intruders in Real-Time, Vern Paxson, Computer Networks, 31(23-24), pp. 2435-2463, 14 Dec. 1999.
Scribed by Daniel Chen
2/25 Network intrusion detection systems, con't No further reading required. Scribed by Assane Gueye
2/29 NIDS Evasion Shortened lecture (EECS recruiting retreat).
Network Intrusion Detection: Evasion, Traffic Normalization, and End-to-End Protocol Semantics, Mark Handley, Christian Kreibich and Vern Paxson, USENIX Security 2001
Scribed by Bonnie Zhu
3/3 NIDS Evaluation Testing Intrusion Detection Systems: A Critique of the 1998 and 1999 DARPA Off-line Intrusion Detection System Evaluation as Performed by Lincoln Laboratory, John McHugh, ACM Transactions on Information and System Security, 3(4). November, 2000.
Scribed by Prateek Saxena
3/7 The Threat of Worms How to 0wn the Internet in Your Spare Time, Stuart Staniford, Vern Paxson and Nicholas Weaver, USENIX Security 2002
Scribed by Haley Nguyen
3/10 Worm Defense #1 Polygraph: Automatically Generating Signatures for Polymorphic Worms, James Newsome, Brad Karp and Dawn Song, IEEE S&P 2005
Scribed by Ashima Atul
3/14 Worm Defense #2 Scalability, fidelity, and containment in the Potemkin virtual honeyfarm, Michael Vrable et al, SOSP 2005
Scribed by Prateek Saxena
3/17 No class. (NSF Cybertrust PI meeting)
3/21 No class. (Additional EECS recruiting retreat)
3/24 No class. (Spring break)
3/28 No class. (Spring break)
3/31 Forensics Toward a Framework for Internet Forensic Analysis, Vyas Sekar et al, HotNets 2004
Scribed by Mao Ye. Lecture slides
4/4 Scanning Fast Portscan Detection Using Sequential Hypothesis Testing, Jaeyeon Jung, Vern Paxson, Arthur Berger, and Hari Balakrishnan, IEEE S&P 2004
Scribed by Calvin Ardi. Lecture slides
4/7 Side Channels Remote Timing Attacks are Practical, David Brumley and Dan Boneh, USENIX Security 2003.
Information Leakage from Optical Emanations, Joe Loughry and David Umphress, ACM Transactions on Information and System Security, 5(3) 2002.
Information Flow in the Peer-Reviewing Process, Michael Backes, Markus Durmuth and Dominique Unruh, IEEE Symposium on Security and Privacy, 2007.
Scribed by Ganesh Ananthanarayanan.
4/11 Traffic Analysis Timing Analysis of Keystrokes and Timing Attacks on SSH, Dawn Song, David Wagner, Xuqing Tian, USENIX Security 2001
Scribed by Alvaro Cardenas.
4/14 Legal Issues Guest lecture by Aaron Burstein. Conducting Cybersecurity Research Legally and Ethically, Aaron Burstein, First USENIX Workshop on Large-scale Exploits and Emergent Threats (LEET '08). Scribed by Elliot Block (unedited).
Aaron's slides.
4/18 Web Server Attacks Anomaly Detection of Web-based Attacks, Christopher Kruegel and Giovanni Vigna, CCS 2003
Scribed by Steve Hanna.
4/21 Web Client Attacks Automated Web Patrol with Strider HoneyMonkeys: Finding Web Sites That Exploit Browser Vulnerabilities, Yi-Min Wang, Doug Beck, Xuxian Jiang, Roussi Roussev, Chad Verbowski, Shuo Chen, and Sam King, NDSS 2006
Scribed by Gelareh Taban.
4/25 VOIP Security Issues.
Guest lecture by Eric Rescorla. Scribed by Scott Campbell (unedited). Eric's slides.
4/28 Anonymity Tor: The Second-Generation Onion Router, Roger Dingledine, Nick Mathewson, Paul Syverson, USENIX Security 2004
Scribed by Bonnie Zhu (unedited).
5/2 No class. (EECS faculty retreat.)
5/5 Wireless Can Ferris Bueller Still Have His Day Off? Protecting Privacy in the Wireless Era, Ben Greenstein et al, USENIX HotOS XI 2007
Scribed by Ganesh Ananthanarayanan.
5/9 Botnets A Multifaceted Approach to Understanding the Botnet Phenomenon, Moheeb Abu Rajab, Jay Zarfoss, Fabian Monrose, Andreas Terzis, IMC 2006
To be scribed by Assane Gueye.
5/12 Course summary Last day of lecture. Lecture slides


Student feedback in general is always highly valuable. As this is a new class that's intended to evolve into a regular grad offering, it is particularly valuable for this course! If you want to send anonymous comments or criticisms, feel free to use an anonymous remailer, or slip a note under my door or in my box.

Vern Paxson, vern@cs.berkeley.edu, http://www.icir.org/vern/.