CS 261N: Internet/Network Security. Prerequisite: CS 168 / EE 122 or equivalent; CS 161 or equivalent; basic probability/statistics. (Non-PhD students must receive instructor approval.)
This class aims to provide a thorough grounding in network security suitable for those interested in conducting research in the area, as well as students more generally interested in either security or networking. We will also look at broader issues relating to Internet security for which networking plays a role. The syllabus has overlap with portions of the SEC prelim.
Topics include: denial-of-service; capabilities; network monitoring / intrusion detection; worms; forensics; scanning; traffic analysis / inferring activity; architecture; protocol issues; legality and ethics; web attacks; anonymity; censorship; surveillance; honeypots; botnets; spam; the underground economy; research issues & pitfalls.
The course is taught with an emphasis on seminal papers rather than the bleeding edge of a given topic. It includes a major project that students generally undertake in teams of two.
Three hours of lecture per week. 4 units, due to the significant workload.
A note on ethics: We will be discussing attacks, some of them quite nasty, and also powerful eavesdropping technology. None of this in any way gives you permission or authorization to undertake these in any fashion other than with the informed consent of all involved parties. If in any context you are uncertain about where to draw the line, come talk with me first.
A note on accommodations: The University provides a range of potential support resources and academic accommodations, which I encourage you to familiarize yourself with, and to discuss with me further as appropriate.
Lecture participation: 10%
This lecture schedule may be revised as the course progresses.
|1/21||Overview and Logistics||(none)|
|1/24||Denial-of-Service||Inferring Internet Denial of Service Activity, Moore, Voelker and Savage, USENIX Security 2001||Lecture materials|
|1/28||Traceback||Practical Network Support for IP Traceback, Savage et al., SIGCOMM 2000||Lecture materials|
|1/31||DoS Defense||SIFF: A Stateless Internet Flow Filter to Mitigate DDoS Flooding Attacks, Yaar, Perrig, and Song, IEEE S&P 2004||Lecture materials|
|1/31||PROJECT||Project Initial Thoughts due (evening)|
|2/4||Network Monitoring|| Bro: A System for Detecting Network Intruders in Real-Time, Vern Paxson, Computer Networks, 31(23-24), pp. 2435-2463, 14 Dec. 1999.||Lecture materials|
|2/7||Fundamental NIDS Issues|| Network Intrusion Detection: Evasion, Traffic Normalization, and End-to-End Protocol Semantics, Mark Handley, Christian Kreibich and Vern Paxson, USENIX Security 2001||Lecture materials|
|2/11||Evaluating Detectors|| Testing Intrusion Detection Systems: A Critique of the 1998 and 1999 DARPA Off-line Intrusion Detection System Evaluation as Performed by Lincoln Laboratory, John McHugh, ACM Transactions on Information and System Security, 3(4). November, 2000.||Lecture materials|
|2/14||The Threat of Worms|| How to 0wn the Internet in Your Spare Time, Stuart Staniford, Vern Paxson and Nicholas Weaver, USENIX Security 2002||Lecture materials|
|2/14||PROJECT||Project Proposal due (evening)|
|2/18||Worm Detection/Defense||No paper assigned.||Lecture materials|
|2/21||Scanning|| Fast Portscan Detection Using Sequential Hypothesis Testing, Jaeyeon Jung, Vern Paxson, Arthur Berger, and Hari Balakrishnan, IEEE S&P 2004||Lecture materials|
|2/25||Inferring Activity|| Timing Analysis of Keystrokes and Timing Attacks on SSH, Dawn Song, David Wagner, Xuqing Tian, USENIX Security 2001||Lecture materials|
|2/28||Forensics||No paper assigned.||Lecture materials|
|2/28||PROJECT||Project summary posted to Piazza (evening)|
|3/3||Securing Protocols|| Guidelines for Writing RFC Text on Security Considerations, E. Rescorla and B. Korver, RFC 3552, 2003||Lecture materials|
|3/6||Securing Protocols, cont'd||No paper assigned.||Lecture materials|
|3/6||PROJECT||Related Work Writeup due (evening)|
|3/10||Lecture cancelled due to switch to remote teaching|
|3/13||Architecture|| Ethane: Taking Control of the Enterprise, Martin Casado et al., SIGCOMM 2007||Lecture materials|
|3/17||Architecture, cont'd||Conditioned-safe Ceremonies and a User Study of an Application to Web Authentication, Chris Karlof, J.D. Tygar, and David Wagner, NDSS 2009||Lecture materials|
|3/20||Authentication||No paper assigned.||Lecture materials|
|3/31||Authentication/Identity||No paper assigned.||Lecture materials|
|4/3||Botnets|| Your Botnet is My Botnet: Analysis of a Botnet Takeover, Brett Stone-Gross et al, CCS 2009||Lecture materials|
|4/7||Anonymity|| Tor: The Second-Generation Onion Router, Roger Dingledine, Nick Mathewson, Paul Syverson, USENIX Security 2004|
|4/10||Abusive Surveillance||Guest lecture by Bill Marczak. When Governments Hack Opponents: A Look at Actors and Technology, William Marczak et al., USENIX Security 2014|
|4/10||PROJECT||Status Report due (evening)|
|4/14||Spam|| Spamming Botnets: Signatures and Characteristics, Yinglian Xie, Fang Yu, Kannan Achan, Rina Panigrahy, Geoff Hulten, and Ivan Osipkov, SIGCOMM 2008|
|4/17||Cybercrime|| Click Trajectories: End-to-End Analysis of the Spam Value Chain, Kirill Levchenko et al., IEEE S&P 2011|
|5/12||PROJECT||Project writeup due (1PM)|