CS 261N: Internet/Network Security. Prerequisite: CS 168 / EE 122 or equivalent; CS 161 or equivalent; basic probability/statistics. (Non-PhD students must receive instructor approval.)
This class aims to provide a thorough grounding in network security suitable for those interested in conducting research in the area, as well as students more generally interested in either security or networking. We will also look at broader issues relating to Internet security for which networking plays a role. The syllabus has overlap with portions of the SEC prelim.
Topics include: denial-of-service; capabilities; network monitoring / intrusion detection; worms; forensics; scanning; traffic analysis / inferring activity; architecture; protocol issues; legality and ethics; web attacks; anonymity; censorship; surveillance; honeypots; botnets; spam; the underground economy; research issues & pitfalls.
The course is taught with an emphasis on seminal papers rather than bleeding-edge for a given topic. It includes a major project that students generally undertake in teams of two.
Three hours of lecture per week. 4 units, due to the significant workload.
A note on ethics: We will be discussing attacks, some of them quite nasty, and also powerful eavesdropping technology. None of this in any way gives you permission or authorization to undertake these in any fashion other than with the informed consent of all involved parties. If in any context you are uncertain about where to draw the line, come talk with me first.
A note on accommodations: The University provides a range of potential support resources and academic accommodations, which I encourage you to familiarize yourself with, and to discuss with me further as appropriate.
Lecture participation: 10%
This lecture schedule may be revised as the course progresses.
| Date | Topic | Reading / Assignment |
|---|---|---|
| 1/21 | Overview and Logistics | (none) |
| 1/24 | Denial-of-Service | Inferring Internet Denial of Service Activity, Moore, Voelker and Savage, USENIX Security 2001 (lecture materials) |
| 1/28 | Traceback | Practical Network Support for IP Traceback, Savage et al., SIGCOMM 2000 |
| 1/31 | DoS Defense | SIFF: A Stateless Internet Flow Filter to Mitigate DDoS Flooding Attacks, Yaar, Perrig, and Song, IEEE S&P 2004 |
| 1/31 | PROJECT | Project Initial Thoughts due (evening) |
| 2/4 | Network Monitoring | Bro: A System for Detecting Network Intruders in Real-Time, Vern Paxson, Computer Networks, 31(23-24), pp. 2435-2463, 14 Dec. 1999 |
| 2/7 | Fundamental NIDS Issues | Network Intrusion Detection: Evasion, Traffic Normalization, and End-to-End Protocol Semantics, Mark Handley, Christian Kreibich and Vern Paxson, USENIX Security 2001 |
| 2/11 | Evaluating Detectors | Testing Intrusion Detection Systems: A Critique of the 1998 and 1999 DARPA Off-line Intrusion Detection System Evaluation as Performed by Lincoln Laboratory, John McHugh, ACM Transactions on Information and System Security, 3(4), November 2000 |
| 2/14 | The Threat of Worms | How to 0wn the Internet in Your Spare Time, Stuart Staniford, Vern Paxson and Nicholas Weaver, USENIX Security 2002 |
| 2/14 | PROJECT | Project Proposal due (evening) |
| 2/18 | Worm Detection/Defense | Scalability, Fidelity, and Containment in the Potemkin Virtual Honeyfarm, Michael Vrable et al., SOSP 2005 |
| 2/21 | Scanning | Fast Portscan Detection Using Sequential Hypothesis Testing, Jaeyeon Jung, Vern Paxson, Arthur Berger, and Hari Balakrishnan, IEEE S&P 2004 |
| 2/25 | Inferring Activity | Timing Analysis of Keystrokes and Timing Attacks on SSH, Dawn Song, David Wagner, Xuqing Tian, USENIX Security 2001 |
| 2/28 | Forensics | Toward a Framework for Internet Forensic Analysis, Vyas Sekar et al., HotNets 2004, and its public review (pp. 13-14) |
| 2/28 | PROJECT | Project summary posted to Piazza (evening) |
| 3/3 | Securing Protocols | Guidelines for Writing RFC Text on Security Considerations, E. Rescorla and B. Korver, RFC 3552, 2003 |
| 3/6 | Securing Protocols, cont'd | No paper assigned. |
| 3/6 | PROJECT | Related Work Writeup due (evening) |
| 3/10 | Authentication | Conditioned-safe Ceremonies and a User Study of an Application to Web Authentication, Chris Karlof, J.D. Tygar, and David Wagner, NDSS 2009 |
| 3/13 | Identity | No paper assigned. |
| 3/17 | Anonymity | Tor: The Second-Generation Onion Router, Roger Dingledine, Nick Mathewson, Paul Syverson, USENIX Security 2004 |
| 3/20 | Censorship | Telex: Anticensorship in the Network Infrastructure, Eric Wustrow, Scott Wolchok, Ian Goldberg and J. Alex Halderman, USENIX Security 2011 |
| 3/31 | Surveillance | Targeted Threat Index: Characterizing and Quantifying Politically-Motivated Targeted Malware, Seth Hardy et al., USENIX Security 2014 |
| 4/3 | Legality and Ethics | Conducting Cybersecurity Research Legally and Ethically, Aaron Burstein, First USENIX Workshop on Large-scale Exploits and Emergent Threats (LEET '08); Designing and Conducting Phishing Experiments, Peter Finn and Markus Jakobsson, IEEE Technology and Society Magazine, Special Issue on Usability and Security, 2007 |
| 4/7 | Architecture | Ethane: Taking Control of the Enterprise, Martin Casado et al., SIGCOMM 2007 |
| 4/10 | Botnets | Your Botnet is My Botnet: Analysis of a Botnet Takeover, Brett Stone-Gross et al., CCS 2009 |
| 4/10 | PROJECT | Status Report due (evening) |
| 4/14 | Spam | Spamming Botnets: Signatures and Characteristics, Yinglian Xie, Fang Yu, Kannan Achan, Rina Panigrahy, Geoff Hulten, and Ivan Osipkov, SIGCOMM 2008 |
| 4/17 | Cybercrime | Click Trajectories: End-to-End Analysis of the Spam Value Chain, Kirill Levchenko et al., IEEE S&P 2011 |
| 5/12 | PROJECT | Project writeup due (1PM) |