CS 294-28, Fall 2010
Internet/Network Security

  Vern Paxson (vern@cs, 737 Soda Hall, 643-4209, 666-2882)

  Wed/Fri, 1:10-2:30PM, 320 Soda

Office Hours:
  Mon 2-3PM in 737 Soda.


Previous announcements (other than for older past homeworks):

Course Description

CS294-28: Internet/Network Security. Prerequisite: EE122 or equivalent, knowledge of basic network security notions, basic probability/statistics.

This class aims to provide a thorough grounding in network security suitable for those interested in conducting research in the area, as well as students more broadly interested in either security or networking. Topics will include: denial-of-service; capabilities; network intrusion detection; worms; forensics; scanning; traffic analysis / inferring activity; legality and ethics; web attacks; anonymity; wireless/device security; honeypots; botnets; and research pitfalls.

The course is taught with an emphasis on seminal papers rather than bleeding-edge for a given topic. It includes a major project each student undertakes individually or in pairs. The class is slated in 2011 to become a regular graduate offering, CS261N, and the syllabus has substantial overlap with portions of the SEC prelim.

Three hours of lecture per week. (3 units)

Course topics

See the syllabus.


Class project: 50%
Homework: 30%
Topic briefing: 10%
Lecture participation: 10%


There will be a term project. You will do independent research in pairs or individually. Projects may cover any topic of interest in network security, interpreted broadly (it need not be a topic discussed in class); ties with current research are encouraged. See the project description for details and due dates for the different elements.

You are encouraged to start thinking of topics of interest early. Be ambitious!

Readings / Homework

There is no required textbook. All reading will be from papers. A tentative list of these is available from the syllabus. We will definitely cover most of these topics (and primary papers), but may make some changes over the course of the semester.

Homework for the course primarily consists of writing a reflection upon each paper you read. In general you are only responsible for reading the first paper listed for a given topic. If you want to read and assess a different paper instead, in general that's okay, but clear your choice with me in advance.

Submit your writeup, via email (plain text preferred), by Tuesday 1PM for papers discussed during a Wednesday lecture, and Thursday 1PM for papers discussed during a Friday lecture. (These times might shift up to 9AM, depending on class size, and also will sometimes be adjusted, so check for each assignment.)

Typically the assignment will be for your reflection to sketch different facets of the paper such as along the following lines:

  1. What are the paper's main contributions?
  2. What parts of the paper do you find unclear? (Optional)
  3. What parts of the paper are questionable? (E.g., methodology, omissions, relevance, presentation.)
  4. Given the contributions, what issues remain? What related ideas does it bring to mind? (Sometimes this part will frame specific questions, such as challenging you to come up with and defend a proposed solution.)
  5. Locate a more recent paper in the same area that you find interesting. From a skim, briefly discuss its relevance to the topic area and the assigned paper, and why you find it particularly interesting.

Your assessment does not need to be particularly formal, but it needs to reflect a thoughtful assessment of the paper. (It is understandable that you may find parts of some papers baffling or inaccessible. Flag these and don't kill yourself trying to absorb them - same goes for technical fine points - but use prudence in this regard.) If there are particular elements of your assessment for which you'd like direct feedback, indicate them in your writeup.

Note, homework assignments are to be done individually. It's fine to discuss the readings with your fellow students or others in order to gain comprehension, but the writeup should reflect your own views and framing.

Late homeworks lose 50% credit off the top. Writeups turned in after the corresponding lecture may not receive any feedback.

Topic "Briefing"

You will put together a "brief" for either one or two of the lecture topics (how many depends on the class size). A brief is a 10 minute sketch of additional context (that you have researched by yourself) that complements the paper assigned for the topic. In general you will either develop more in-depth elements/considerations of the paper, or discuss a related (usually subsequent) paper. Note that this is a change from the original framing, which was: The brief should aim to bring the topic up to date (what has been done since the work reported in the paper?, how is the problem space viewed today?).

For a lecture topic that you will brief, email a short summary of what you plan. The summary should sketch which paper your are planning to use for your brief and what particular facets of it you will develop. I will send you feedback regarding thoughts on what to emphasize or omit (for example, it may be that I will already be covering some of your items in the lecture, so no need for you to delve into them). If you will use slides, you need to send them to me two evenings prior to the lecture so I can give you comments on them with time for you to then possibly revise them. I encourage you to avoid slides with much text on them. They can tempt you to read off the slide, or the audience to read the slide rather than listen to what you're saying.

You will then present/lead a discussion of your brief at some point in the lecture. It's important to stick to the 10-minute time allocation, unless we have previously agreed on a different amount of time for your particular briefing. Note that this sort of time management can be challenging. You may need to either rehearse, or be nimble in modifying your original presentation plan in real-time (a great skill if you can swing it).

Please inspect the syllabus and send me a note with an ordered list of which lectures you would like to brief. I will allocate slots by September 5 (earlier if someone wants to brief for the DoS lecture on September 1).

Note, the notion of such briefs is a new experiment that I'm trying. Thus, feedback to me on the process will be quite helpful, and I may change the structure of the briefs over the course of the semester.


We will be discussion attacks, some of them quite nasty, and also powerful eavesdropping technology. None of this is in any way an invitation to undertake these in any fashion other than with informed consent of all involved parties. If in any context you are uncertain about where to draw the line, come talk with me first.

Mailing List

The course uses a mailing list for announcements and discussions, so it is important for students to subscribe to it.


The schedule here will be updated as the course progresses.

Topic Readings Topic Briefing Notes
8/27 Overview and logistics (none) Lecture slides
9/1 Denial-of-Service Inferring Internet Denial of Service Activity, Moore, Voelker and Savage, USENIX Security 2001 Lecture materials
9/3 No lecture
9/8 Traceback Practical Network Support for IP Traceback, Savage et al., SIGCOMM 2000 Notes from topic briefing by Mobin Javed Lecture materials
9/10 Capabilities SIFF: A Stateless Internet Flow Filter to Mitigate DDoS Flooding Attacks, Yaar, Perrig, and Song, IEEE S&P 2004 No topic briefing Lecture materials
9/15 DoS Defense Mayday: Distributed Filtering for Internet Services, David Andersen, USITS 2003 (HTML, PDF). Notes from topic briefing by Edward Wu Lecture materials
9/17 Network intrusion detection systems Bro: A System for Detecting Network Intruders in Real-Time, Vern Paxson, Computer Networks, 31(23-24), pp. 2435-2463, 14 Dec. 1999.
Notes from topic briefing by David MacDonald Lecture materials
9/17 PROJECT Project Proposal Due (evening). Schedule a meeting with me to discuss.
9/22 NIDS Evasion Network Intrusion Detection: Evasion, Traffic Normalization, and End-to-End Protocol Semantics, Mark Handley, Christian Kreibich and Vern Paxson, USENIX Security 2001
Notes from topic briefing by Justine Sherry Lecture materials
9/24 NIDS Evaluation Testing Intrusion Detection Systems: A Critique of the 1998 and 1999 DARPA Off-line Intrusion Detection System Evaluation as Performed by Lincoln Laboratory, John McHugh, ACM Transactions on Information and System Security, 3(4). November, 2000.
No topic briefing Lecture materials
9/29 The Threat of Worms How to 0wn the Internet in Your Spare Time, Stuart Staniford, Vern Paxson and Nicholas Weaver, USENIX Security 2002
Notes from topic briefing by Neil Kumar Lecture materials
10/1 Worm Signatures Polygraph: Automatically Generating Signatures for Polymorphic Worms, James Newsome, Brad Karp and Dawn Song, IEEE S&P 2005
No topic briefing Lecture materials
10/6 Worm Detection/Defense Scalability, fidelity, and containment in the Potemkin virtual honeyfarm, Michael Vrable et al, SOSP 2005. Can we contain Internet worms?, Manuel Costa, Jon Crowcroft, Miguel Castro and Antony Rowstron, HotNets III 2004, and its public review (pp. 12-13).
Notes from topic briefing by Kevin Chen Lecture materials
10/8 Scanning Fast Portscan Detection Using Sequential Hypothesis Testing, Jaeyeon Jung, Vern Paxson, Arthur Berger, and Hari Balakrishnan, IEEE S&P 2004
Notes from topic briefing by Albert Kim Lecture materials
10/13 Forensics Toward a Framework for Internet Forensic Analysis, Vyas Sekar et al, HotNets 2004, and its public review (pp. 13-14) Notes from topic briefing by Noah Johnson Lecture materials
10/15 Inferring Activity Timing Analysis of Keystrokes and Timing Attacks on SSH, Dawn Song, David Wagner, Xuqing Tian, USENIX Security 2001
Notes from topic briefing by Brad Miller Lecture materials
10/15 PROJECT Related Work Writeup Due (evening)
10/20 No lecture (HotNets)
10/22 Anonymity Tor: The Second-Generation Onion Router, Roger Dingledine, Nick Mathewson, Paul Syverson, USENIX Security 2004
Notes from topic briefing by Justin Samuel Lecture materials
10/27 Architecture Ethane: Taking Control of the Enterprise, Martin Casado et al., SIGCOMM 2007
Notes from topic briefing by Alex Smolen Lecture materials
10/29 Wireless/Devices Can Ferris Bueller Still Have His Day Off? Protecting Privacy in the Wireless Era, Ben Greenstein et al, USENIX HotOS XI 2007
Notes from topic briefing by Kaushik Iyer Lecture materials
11/3 Architecture, con't Guest lecture by Scott Shenker. No additional reading.
11/5 Legality and Ethics Conducting Cybersecurity Research Legally and Ethically, Aaron Burstein, First USENIX Workshop on Large-scale Exploits and Emergent Threats (LEET '08). Designing and Conducting Phishing Experiments, Peter Finn and Markus Jakobsson, IEEE Technology and Society Magazine, Special Issue on Usability and Security, 2007. Notes from topic briefing by Beth Trushkowsky (none)
11/8 PROJECT Status Report Due (evening). Schedule a meeting with me to discuss.
11/10 Authentication Conditioned-safe Ceremonies and a User Study of an Application to Web Authentication, Chris Karlof, J.D. Tygar, and David Wagner, NDSS 2009
Notes from topic briefing by Gabe Nunez Lecture materials
11/12 Web Attacks Secure Content Sniffing for Web Browsers, or How to Stop Papers from Reviewing Themselves, Adam Barth, Juan Caballero, and Dawn Song, IEEE S&P 2009
Notes from topic briefing by Devdatta Akhawe Lecture materials
11/17 Botnets Your Botnet is My Botnet: Analysis of a Botnet Takeover, Brett Stone-Gross et al, CCS 2009
Notes from topic briefing by Paul Pearce Lecture materials
11/19 Botnets/Scams Examining the impact of website take-down on phishing, Tylor Moore and Richard Clayton, Proc. Anti-Phishing Working Group eCrime Researchers Summit 2007. Notes from topic briefing by Richard Shin Lecture materials
11/22 Scams, con't No additional reading assignment. Note, special date (usual time); lecture scheduled for 61 Evans. No additional briefing. Lecture materials
11/26 No lecture Thanksgiving Holiday
12/1 Project presentations Justine, Richard, Edward, David/Gabe
12/3 Project presentations Alex, Brad/Paul, Kevin/Noah, Beth
12/6 Project presentations Mobin, Albert, Neil/Kaushik, Devdatta/Justin
12/13 PROJECT Project Report Due (1PM)


Student feedback in general is always highly valuable. As this class is under development and intended to evolve into a regular grad offering, it is particularly valuable for this course! If you want to send anonymous comments or criticisms, feel free to use an anonymous remailer, or slip a note under my door or in my box.

Vern Paxson, vern@cs.berkeley.edu, http://www.icir.org/vern/.