Information for Spring 06 CS239, Lecture 3---Advanced Topics in Network Security

This page contains pointers to PDF versions of slides used in CS239, Lecture 3 (Advanced Topics in Network Security). It also contains pointers to papers that students should read for this class and other material related to the class. Also, I will sometimes assign web pages as reading material, and links to those pages will be on this page.

This page is organized by the weeks of the quarter in which discussions were scheduled. The weeks are in inverse order, on the assumption you will most often be looking for the most recent week.

This class will be taught by Peter Reiher. Spreadsheet showing topics, schedule, and current assignments.

The papers for the first session of the class are listed below. I will publish a more complete list of the papers for the quarter early next week.

I will not be in town from April 17-April 30. Three of the four sessions during that period will be covered by guest lecturers, as outlined below. The remaining session will be cancelled. At the moment, I have no readings for any of these sessions, but some might be assigned at a later date.

Week 8 (May 22 - May 26)

Wednesday, May 24: Phishing and Pharming

Web Links:

Why Phishing Works, Rachna Dhamija, J. D. Tygar and Marti Hearst, to appear in the Proceedings of the Conference on Human Factors in Computing Systems (CHI2006), 2006.

Evolution of Phishing Attacks, Anti-Phishing Working Group.

Know Your Enemy: Phishing, The Honeynet Project and Research Alliance, May 2005.

Phishing Activity Trends Report, December 2005, Anti-Phishing Working Group, December 2005.

Monday, May 22: Security Alert Systems and Dealing With Compromised Machines

Slides:

Lecture 14. Slides on security alert systems and handling compromised hosts.

Papers:

Resilient Self-Organizing Overlay Networks for Security Update Delivery, J. Li, P. Reiher, and G. Popek, IEEE Journal on Selected Areas in Communications, vol. 22, no. 1, January 2004

Indra: A Peer-to-Peer Approach to Network Intrusion Detection And Prevention ,

Week 7 (May 15 - May 19)

Wednesday, May 17: Anonymization and Privacy

Papers:

Tor: The Second-Generation Onion Router, R. Dingledine, N. Mathewson, P. Syverson, to appear in Usenix Security Symposium 2004.

Infranet: Circumventing Web Censorship and Surveillance, N. Feamster, M. Balazinska, G. Harfst, H. Balakrishnan, D. Karger, Usenix Security Symposium 2002.

Web pages:

US Government Computer Emergency Response Team Web site. This site contains information about the mechanisms the government is using to disseminate important news about computer vulnerabilities.

Know Your Enemy: Tracking Botnets, The Honeynet Project and Research Alliance, March 2005. A paper discussing many interesting aspects of botnets from one of the leading honeynet groups.

Protecting Privacy in Continuous Location-Tracking Applications, M. Gruteser and X. Liu, IEEE Security and Privacy, Vol. 2 No. 2, March/April 2004.

Protecting Free Expression Online With Freenet, Ian Clarke, Theodore Hong, Oskar Sandberg, and Brandon Wiley, IEEE Internet Computing, January/February 2001.

Monday, May 15: Spam

Slides:

Lecture 12. Slides on spam.

Papers:

A Bayesian Approach to Filtering Junk Email, Mehran Sahami, Susan Dumais, David Heckerman, Eric Horvitz, AAAI Workshop on Learning for Text Categorization, July 1998.

Miracle Cures and Toner Cartridges: Finding Solutions to the Spam Problem, Michael Clifford, Daniel Faigin, Matt Bishop, Tasneem Brutch, Panel Discussion notes, 19th Annual Computer Security Applications Conference, December 2003.

Technical Solutions for Controlling Spam, Shane Bird, AUUG 2002, September 2002.

DNS Based Blacklists and Whitelists for Email, J. Levine, Internet Draft, April 2004.

Guidelines for Management of DNS Blacklists, Y. Shafranovich, Internet Draft, April 2004.

Spam Zombies From Outer Space, John Aycock and Nathan Friess, Technical report TR 2006-808-01, Computer Science Department, University of Calgary, January 2006.

Week 6 (May 8 - May 12)

Wednesday, May 10: Evaluating Wide Area Network Defenses

Slides:

Lecture 11. Slides on evaluating network defenses.

Papers:

The Deter Testbed: An Overview, October, 2004. A description of a testbed being set up to evaluate network attacks and defenses.

Experiences With Deter: A Testbed for Security Research, Terry Benzel, Robert Braden, Dongho Kim, Clifford Neuman, Anthony Joseph, Keith Sklower, Ron Ostrenga, and Stephen Schwab, 2nd IEEE Conference on Testbeds and Research Infrastructure for the Development of Networks and Communities (TridentCom 2006), March 2006. More on Deter.

Cyber Defense Technology Networking and Evaluation, R. Bajcsy, et al., Communications of the ACM, Vol. 47, No. 3, 2004.

Inferring Internet Denial-of-Service Activity, David Moore, Geoffrey Voelker, and Stefan Savage, 10th Usenix Security Symposium, 2001. A CAIDA paper describing the basic backscatter technique of determining various properties of DDoS attacks.

Monday, May 8: DDoS: Other Defense Mechanisms

Papers:

Implementing Pushback: Router-Based Defense Against DDoS Attacks, J. Ioannidis and S. Bellovin, in Proceedings of NDSS '02, Feb. 2002.

SOS: An Architecture for Mitigating DDoS Attacks, Angelos Keromytis, Vishal Misra, and Dan Rubenstein, IEEE JSAC, vol. 22, no. 1, January 2004.

NetBouncer: Client-Legitimacy Based High Performance DDoS Filtering, R. Thomas, B. Mark, T. Johnson, and J. Croall, DISCEX 2003.

Week 5 (May 1 - May 5)

Wednesday, May 3: DDoS: Introduction

Slides:

Lecture 9. Slides on introduction to DDoS attacks

Papers:

"A Taxonomy of DDoS Attacks and DDoS Defense Mechanisms", Jelena Mirkovic and Peter Reiher, Computer Communications Review, Vol. 34, No. 2, April 2004.

"Attacking DDoS at the Source," Jelena Mirkovic, Greg Prier, and Peter Reiher, ICNP, November 2002.

Monday, May 1: Worms

Slides:

Lecture 8. Slides on worms

Papers:

How to 0wn the Internet in Your Spare Time, Stuart Staniford, Vern Paxson, Nicholas Weaver, 11th Usenix Security Symposium, 2002.

Cooperative Response Strategies for Large Scale Attack Mitigation, D. Nojiri, J. Rowe, K. Levitt, DISCEX 03, 2003.

A Virtual Honeypot Framework, Niels Provos, CITI Technical Report 03-1, October 2003.

Vigilante: End-to-End Containment of Internet Worms, Manuel Costa, Jon Crowcroft, Miguel Castro, Antony Rowstron, Lidong Zhou, Lintao Zhang and Paul Barham, SOSP 2005.

Week 4 (April 24 - April 29)

Wednesday, April 26: Intrusion detection systems

Guest lecturer: Carey Nachenberg

Monday, April 24: Security issues for ubiquitous environments

Guest lecturers: Kevin Eustice and V. Ramakrishna (Slides)

Week 3 (April 17 - April 22)

Wednesday, April 19: NO CLASS

Monday, April 17: Viruses

Guest lecturer: Carey Nachenberg

Week 2 (April 10 - April 15)

Monday, April 10: DNS Security

Slides:

Lecture 4. Slides on DNS Security.

Papers:

"DNS Amplification Attacks", Gadi Evron and Randal Vaughn, March 2006

"DNS Cache Poisoners: Lazy, Stupid, or Evil?", Duane Wessels, February 2006

"DNS Security Introduction and Requirements," R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose, Internet Draft, February 14, 2003.

"Threat Analysis of the Domain Name System," R. Austein, Internet Draft, February 2002.

"A New Approach to DNS Security (DNSSEC)," Giuseppe Ateniese, Stefan Mangard, 8th ACM Conference on Computer and Communications Security, 2001.

Monday, April 10: Routing protocol security

Slides:

Lecture 3. Slides on routing protocol security.

Papers:

"Secure Border Gateway Protocol (Secure BGP)," Stephen Kent, Charles Lynn, Karen Seo, IEEE Journal on Selected Areas in Communication, Vol. 18, No. 4, April 2000.

"Secure Border Gateway Protocol (S-BGP) - Real World Performance and Deployment Issues," Stephen Kent, Charles Lynn, Joanne Mikkelson, and Karen Seo.

"Efficient Security Mechanisms for Routing Protocols," Yih-Chun Hu, Adrian Perrig, David B. Johnson, NDSS 03.

"Generic Threats to Routing Protocols," A. Barbir, S. Murphy, Y. Yang, December 2003.

Week 1 (April 3 - April 8)

Slides:

Lecture 2. Slides on IP spoofing prevention.

Papers:

"Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing," P. Ferguson, RFC 2827. (Available from many other sources, as well.) This RFC describes a simple form of filtering that can help limit IP spoofing.

"On the Effectiveness of Route-based Packet Filtering for Distributed DoS Attack Prevention in Power-law Internets", Kihong Park and H. Lee, Proceedings of the ACM SIGCOMM '01. This paper discusses how widely deployed network filtering capabilities would need to be to offer an effective defense against IP spoofing.

"SAVE: Source Address Validity Enforcement," Jun Li, Jelena Mirkovic, Mengqiu Wang, Peter Reiher, and Lixia Zhang, Infocom 2002. This paper describes a protocol that allows routers to determine the proper incoming interfaces for packets with particular IP source addresses. Tables of these kinds are assumed in Park's paper, above.

"Hop Count Filtering: An Effective Defense Against Spoofed DDoS Traffic," Cheng Jin, Haining Wang, Kang G. Shin, 10th ACM Conference on Computer and Communications Security, 2003. This paper describes a technique to detect spoofing based on knowing the proper TTL values for packets arriving from particular sources. While targeted at DDoS, the technique is more generally related to spoofing.

Lecture 1. Introductory material.