CS 294-28, Spring 2009
Network Security

  Vern Paxson (vern@cs, 737 Soda Hall, 643-4209, 666-2882)

  Mon-Wed, 10:10-11:30am, 405 Soda

Office Hours:
  Mon 1:30-2:30pm in 737 Soda.


Previous announcements (other than for older past homeworks):

Course Description

CS294-28: Network Security. Prerequisite: EE122 or equivalent, knowledge of basic network security notions, basic probability/statistics.

This class aims to provide a thorough grounding in network security suitable for those interested in conducting research in the area, as well as students more broadly interested in security or networking. Topics will include: denial-of-service; capabilities; network intrusion detection; worms; forensics; scanning; traffic analysis; legal issues; web attacks; VOIP security issues; anonymity; wireless security; botnets and honeypots; and research pitfalls.

The course is taught with an emphasis on seminal papers rather than bleeding-edge for a given topic. It includes a major project each student undertakes individually or in pairs. The class is intended to evolve into a regular graduate offering, and the syllabus has substantial overlap with portions of the SEC prelim.

Three hours of lecture per week. (3 units)

Course topics

See the syllabus.


Class project: 50%
Homework: 20%
Lecture participation: 15%
Scribe notes: 15%


There will be a term project. You will do independent research in pairs or individually. Projects may cover any topic of interest in network security, interpreted broadly (it need not be a topic discussed in class); ties with current research are encouraged. See the project description for details and due dates for the different elements.

You are encouraged to start thinking of topics of interest early. Be ambitious!

Readings / Homework

There is no required textbook. All reading will be from papers. A tentative list of these is available from the syllabus. We will definitely cover most of these topics (and primary papers), but as this is course is under development I may make some changes.

Homework for the course primarily consists of writing a "mini-review" of each paper you read. In general you are only responsible for reading the first paper listed for a given topic. If you want to read and review a different paper instead, in general that's okay, but clear your choice with me in advance.

Submit your mini-review, via email, by Tuesday 9AM for papers discussed during a Wednesday lecture, and Friday 1PM for papers discussed during a following-Monday lecture. Your mini-review should give briefly sketch each of the following:

  1. What are the paper's main contributions?
  2. What parts of the paper do you find unclear?
  3. What parts of the paper are questionable? (E.g., methodology, omissions, relevance.)
  4. Given the contributions, what issues remain? What related ideas does it bring to mind?

Your mini-review does not need to be particularly formal, but it needs to reflect a thoughtful assessment of the paper. (It is understandable that you may find parts of some papers baffling or inaccessible. Flag these and don't kill yourself trying to absorb them - same goes for technical fine points - but use prudence in this regard.) If there are particular elements of your mini-review for which you'd like direct feedback, indicate them in your writeup.

Note, mini-reviews are to be done individually. It's fine to discuss the readings with your fellow students or others in order to gain comprehension, but the writeup should reflect your own views and framing.

Late mini-reviews lose 50% credit off the top. Writeups turned in after the scribe notes (see below) receive no credit.

Scribe notes

You will be expected to write scribe notes for a couple of lectures (the number depends on the class size). Email me document source (latex, HTML, Word) with your scribe notes suitable for editing and posting on the course Web site. For full credit, I need to receive it within one week after the corresponding lecture.

Inspect the syllabus and send me a note regarding which lecture(s) you'd prefer to scribe. I will allocate scribes in first-come-first-serve order.


We will be discussion attacks, some of them quite nasty, and also powerful eavesdropping technology. None of this is in any way an invitation to undertake these in any fashion other than with informed consent of all involved parties. If in any context you are uncertain about where to draw the line, come talk with me first.

Mailing List

The course uses a mailing list for announcements and discussions, so it is important for students to subscribe to it.


The schedule here will be updated as the course progresses. The intent is to aim for a lecture per topic in the syllabus, but will be updated here closer to the actual date to correctly reflect the actual lecture.

Topic Readings Notes
1/21 Overview and logistics (none) Lecture slides
1/26 Denial-of-Service Inferring Internet Denial of Service Activity, Moore, Voelker and Savage, USENIX Security 2001. Scribed by Jon Whiteaker. Lecture materials
1/28 Traceback Practical Network Support for IP Traceback, Savage et al., SIGCOMM 2000. Scribed by Lisa Fowler. Lecture materials
2/2 Capabilities SIFF: A Stateless Internet Flow Filter to Mitigate DDoS Flooding Attacks, Yaar, Perrig, and Song, IEEE S&P 2004. Scribed by Akshay Krishnamurthy. Lecture materials
2/4 DoS Defense Mayday: Distributed Filtering for Internet Services, David Andersen, USITS 2003 (HTML, PDF). Scribed by Mark Winterrowd. Lecture materials
2/9 Network intrusion detection systems Bro: A System for Detecting Network Intruders in Real-Time, Vern Paxson, Computer Networks, 31(23-24), pp. 2435-2463, 14 Dec. 1999.
Scribed by Joel Weinberger. Lecture materials
2/11 NIDS Evasion Network Intrusion Detection: Evasion, Traffic Normalization, and End-to-End Protocol Semantics, Mark Handley, Christian Kreibich and Vern Paxson, USENIX Security 2001
Scribed by Matthias Vallentin. Lecture materials
2/16 No class. (Campus holiday)
2/18 NIDS Evaluation Testing Intrusion Detection Systems: A Critique of the 1998 and 1999 DARPA Off-line Intrusion Detection System Evaluation as Performed by Lincoln Laboratory, John McHugh, ACM Transactions on Information and System Security, 3(4). November, 2000.
Scribed by Adrienne Felt. Lecture materials
2/20 Project Proposals due by the evening.
2/23 The Threat of Worms How to 0wn the Internet in Your Spare Time, Stuart Staniford, Vern Paxson and Nicholas Weaver, USENIX Security 2002
Scribed by Akshay Krishnamurthy Lecture materials
2/25 Worm Signatures Polygraph: Automatically Generating Signatures for Polymorphic Worms, James Newsome, Brad Karp and Dawn Song, IEEE S&P 2005
Scribed by Mark Winterrowd Lecture materials
3/2 Worm Defenses - Honeyfarms and Taint-Tracking Scalability, fidelity, and containment in the Potemkin virtual honeyfarm, Michael Vrable et al, SOSP 2005. Can we contain Internet worms?, Manuel Costa, Jon Crowcroft, Miguel Castro and Antony Rowstron, HotNets III 2004, and its public review (pp. 12-13).
Scribed by Jon Whiteaker Lecture materials
3/4 Legal and Policy Issues Guest lecture by Aaron Burstein. Conducting Cybersecurity Research Legally and Ethically, Aaron Burstein, First USENIX Workshop on Large-scale Exploits and Emergent Threats (LEET '08). Designing and Conducting Phishing Experiments, Peter Finn and Markus Jakobsson, IEEE Technology and Society Magazine, Special Issue on Usability and Security, 2007. Scribed by Joel Weinberger.
Aaron's slides.
3/9 Forensics Toward a Framework for Internet Forensic Analysis, Vyas Sekar et al, HotNets 2004, and its public review (pp. 13-14). Scribed by Matt Finifter. Lecture materials
3/11 Scanning Fast Portscan Detection Using Sequential Hypothesis Testing, Jaeyeon Jung, Vern Paxson, Arthur Berger, and Hari Balakrishnan, IEEE S&P 2004
Scribed by Lisa Fowler. Lecture materials
3/13 Project Related Work writeup due by the evening.
3/16 Timing Analysis Timing Analysis of Keystrokes and Timing Attacks on SSH, Dawn Song, David Wagner, Xuqing Tian, USENIX Security 2001
Scribed by Devin Jones. Lecture materials
3/18 Anonymity Tor: The Second-Generation Onion Router, Roger Dingledine, Nick Mathewson, Paul Syverson, USENIX Security 2004
Scribed by Matt Finifter. Lecture materials
3/23 No class. (Spring break)
3/25 No class. (Spring break)
3/30 Botnets A Multifaceted Approach to Understanding the Botnet Phenomenon, Moheeb Abu Rajab, Jay Zarfoss, Fabian Monrose, Andreas Terzis, IMC 2006
Scribed by Jon Whiteaker. Lecture materials
4/1 Botnet Detection BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet Detection, Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee, USENIX Security 2008
Scribed by Adrienne Felt. Lecture materials
4/6 No class. (USENIX Security PC Meeting)
4/8 Botnets and Scams Spamscatter: Characterizing Internet Scam Hosting Infrastructure, David Anderson, Chris Fleizach, Stefan Savage and Geoffrey Voelker, USENIX Security 2007 Scribed by Sam Zats. Lecture materials
4/10 Project Status report due by the evening.
4/13 Web Authentication Guest lecture by David Wagner. Conditioned-safe Ceremonies and a User Study of an Application to Web Authentication, Chris Karlof, J.D. Tygar, and David Wagner, NDSS 2009
Scribed by Devin Jones.
4/15 Scams, con't No additional reading assignment. Scribed by Devin Jones. Lecture materials
4/20 No class. (USENIX LEET in Boston)
4/22 Wireless Can Ferris Bueller Still Have His Day Off? Protecting Privacy in the Wireless Era, Ben Greenstein et al, USENIX HotOS XI 2007
Scribed by Sam Zats. Lecture materials
4/27 Architecture Ethane: Taking Control of the Enterprise, Martin Casado et al., SIGCOMM 2007
Lecture materials
4/29 VOIP Security Issues
Guest lecture by Eric Rescorla. Scribed by Matthias Vallentin. Eric's slides.
5/4 Project Class Presentations
5/6 Project Class Presentations, con't
5/11 Course summary Last day of lecture.
5/13 Project Final Report due by 1PM.


Student feedback in general is always highly valuable. As this class is under development and intended to evolve into a regular grad offering, it is particularly valuable for this course! If you want to send anonymous comments or criticisms, feel free to use an anonymous remailer, or slip a note under my door or in my box.

Vern Paxson, vern@cs.berkeley.edu, http://www.icir.org/vern/.