CS 261N: Internet/Network Security

Spring 2020


Vern Paxson, office hours Fri 3:30-4:30PM (737 Soda) and by appointment.


  Tue/Fri, 2:10PM-3:30PM, 320 Soda


Web page: https://www.icir.org/vern/cs261n/
Announcements, questions: the class Piazza site, which you sign up for here.
Feel free to email any question/comment you want to make privately to the instructor at vern@berkeley.edu.

Course Description:

CS 261N: Internet/Network Security. Prerequisite: CS 168 / EE 122 or equivalent; CS 161 or equivalent; basic probability/statistics. (Non-PhD students must receive instructor approval.)

This class aims to provide a thorough grounding in network security suitable for those interested in conducting research in the area, as well as students more generally interested in either security or networking. We will also look at broader issues relating to Internet security for which networking plays a role. The syllabus has overlap with portions of the SEC prelim.

Topics include: denial-of-service; capabilities; network monitoring / intrusion detection; worms; forensics; scanning; traffic analysis / inferring activity; architecture; protocol issues; legality and ethics; web attacks; anonymity; censorship; surveillance; honeypots; botnets; spam; the underground economy; research issues & pitfalls.

The course is taught with an emphasis on seminal papers rather than bleeding-edge for a given topic. It includes a major project that students generally undertake in teams of two.

Three hours of lecture per week. 4 units, due to the significant workload.

A note on ethics: We will be discussing attacks, some of them quite nasty, and also powerful eavesdropping technology. None of this is in any way gives you permission or authorization to undertake these in any fashion other than with informed consent of all involved parties. If in any context you are uncertain about where to draw the line, come talk with me first.

A note on accommodations: The University provides a range of potential support resources and academic accommodations, which I encourage you to familiarize yourself with, and to discuss with me further as appropriate.


Class project: 50% (based on deliveries at milestones and, especially, final report; class presentations are not graded)
Homework: 40%
Lecture participation: 10%


This lecture schedule may be revised as the course progresses.

Date Topic Readings Notes
1/21 Overview and Logistics (none)
1/24 Denial-of-Service Inferring Internet Denial of Service Activity, Moore, Voelker and Savage, USENIX Security 2001 Lecture materials
1/28 Traceback Practical Network Support for IP Traceback, Savage et al., SIGCOMM 2000 Lecture materials
1/31 DoS Defense SIFF: A Stateless Internet Flow Filter to Mitigate DDoS Flooding Attacks, Yaar, Perrig, and Song, IEEE S&P 2004 Lecture materials
1/31 PROJECT Project Initial Thoughts due (evening)
2/4 Network Monitoring Bro: A System for Detecting Network Intruders in Real-Time, Vern Paxson, Computer Networks, 31(23-24), pp. 2435-2463, 14 Dec. 1999.
Lecture materials
2/7 Fundamental NIDS Issues Network Intrusion Detection: Evasion, Traffic Normalization, and End-to-End Protocol Semantics, Mark Handley, Christian Kreibich and Vern Paxson, USENIX Security 2001
Lecture materials
2/11 Evaluating Detectors Testing Intrusion Detection Systems: A Critique of the 1998 and 1999 DARPA Off-line Intrusion Detection System Evaluation as Performed by Lincoln Laboratory, John McHugh, ACM Transactions on Information and System Security, 3(4). November, 2000.
Lecture materials
2/14 The Threat of Worms How to 0wn the Internet in Your Spare Time, Stuart Staniford, Vern Paxson and Nicholas Weaver, USENIX Security 2002
Lecture materials
2/14 PROJECT Project Proposal due (evening)
2/18 Worm Detection/Defense No paper assigned. Lecture materials
2/21 Scanning Fast Portscan Detection Using Sequential Hypothesis Testing, Jaeyeon Jung, Vern Paxson, Arthur Berger, and Hari Balakrishnan, IEEE S&P 2004
Lecture materials
2/25 Inferring Activity Timing Analysis of Keystrokes and Timing Attacks on SSH, Dawn Song, David Wagner, Xuqing Tian, USENIX Security 2001
Lecture materials
2/28 Forensics No paper assigned. Lecture materials
2/28 PROJECT Project summary posted to Piazza (evening)
3/3 Securing Protocols Guidelines for Writing RFC Text on Security Considerations, E. Rescorla and B. Korver, RFC 3552, 2003
Lecture materials
3/6 Securing Protocols, con't No paper assigned. Lecture materials
3/6 PROJECT Related Work Writeup due (evening)
3/10 Lecture cancelled due to switch to remote teaching
3/13 Architecture Ethane: Taking Control of the Enterprise, Martin Casado et al., SIGCOMM 2007
Lecture materials
3/17 Architecture, con't Conditioned-safe Ceremonies and a User Study of an Application to Web Authentication, Chris Karlof, J.D. Tygar, and David Wagner, NDSS 2009
Lecture materials
3/20 Authentication No paper assigned. Lecture materials
3/24 Spring Break
3/27 Spring Break
3/31 Authentication/Identity No paper assigned. Lecture materials
4/3 Botnets Your Botnet is My Botnet: Analysis of a Botnet Takeover, Brett Stone-Gross et al, CCS 2009
Lecture materials
4/7 PPI / Presentations Tor: The Second-Generation Onion Router, Roger Dingledine, Nick Mathewson, Paul Syverson, USENIX Security 2004
Lecture materials
4/10 Abusive Surveillance Guest lecture by Bill Marczak.
When Governments Hack Opponents: A Look at Actors and Technology, William Marczak et al., USENIX Security 2014
Lecture materials
4/10 PROJECT Status Report due (evening)
4/14 Anonymity / Spam Taster's Choice: A Comparative Analysis of Spam Feeds, Andreas Pitsillidis et al., ACM IMC 2012
Lecture materials
4/17 Cybercrime No paper assigned. Lecture materials
4/21 Project presentations: Catherine & Allen (slides); Evan & Huazhe (slides)
4/24 Project presentations: Shivendra & Sumukh (slides); Noura & Conor (slides)
4/28 Project presentations: Mingcheng & Sean (slides; with animations); Ian (slides)
5/1 Project presentations: Changze & Weihao (Powerpoint, PDF); Chester & Pranav (slides)
5/12 PROJECT Project writeup due (1PM)