Course Lecture Plan

Notes: Reading refers to textbook KR unless denoted otherwise.


Lectures Topics

Speakers & Notes


Tu 3/30

Class overview, Introduction to networking security (cryptography, authentication)

Yan [ppt]

KR 7.1 - 7.3

Th 4/1

Introduction to networking security (authentication, integrity). Mobile malcode: intro

Yan [ppt]

KR 7.3 – 7.5

Tu 4/6

Mobile malcode: terminology, anatomy, and defense

Ashish [taxonomy.ppt]


1.     A Taxonomy of Computer Worms, N. Weaver, V. Paxson, S. Staniford, and R. Cunningham, in the First Workshop on Rapid Malcode (WORM), 2003.

2.     How to 0wn the Internet in Your Spare Time, S. Staniford, V. Paxson and N. Weaver. In Proceedings of the 11th Usenix Security Symposium, 2002.

Th 4/8

Viruses and worms: history and current defense postures

Stefan [slammer.ppt]


1.   The Spread of the Sapphire/Slammer Worm. D. Moore, V. Paxson, S. Savage, C. Shannon, S. Staniford, N. Weaver, 2003.

2.   Large Scale Malicious Code: A Research Agenda, N. Weaver, V. Paxson, S. Staniford and R. Cunningham, DARPA-sponsored report, 2003.

Tu 4/13

Malcode containment, port scan detection

Matt [portscan.ppt]


1.     Fast Portscan Detection Using Sequential Hypothesis Testing, J. Jung, V. Paxson, A. W. Berger, and H. Balakrishnan, Proc. IEEE Symposium on Security and Privacy, 2004.

2.     Internet Quarantine: Requirements for Containing Self-Propagating Code. D. Moore, C. Shannon, G. Voelker and S. Savage. In Proceedings of the IEEE Infocom, 2003.

Th 4/15

Denial-of-Service (DoS) attacks

Kate [dosTaxonomy.ppt] [inferDOS.ppt] [animation movie]

1.     A Taxonomy of DDoS Attacks and Defense Mechanisms, J. Mirkovic and P. Reiher, in ACM Computer and Communication Review (CCR), Apr. 2004.

2.     Inferring Internet Denial of Service Activity, D. Moore, G. Voelker and Stefan Savage, in Proc. of the USENIX Security Symposium, 2001.

Tu 4/20

DoS attacks (cont’d)

Aaron [DoSvsFE.ppt] [SYNdetection.ppt] [SYNDet_related.ppt]

1.     Flash Crowds and Denial of Service Attacks: Characterization and Implications for CDNs and Web Sites (PS version), J. Jung, B. Krishnamurthy and M. Rabinovich, in Proc. of WWW, 2002.

2.     Detecting SYN Flooding Attacks, Haining Wang, Danlu Zhang, and Kang G. Shin, in Proc. of IEEE INFOCOM, 2002

Th 4/22


Kate and Tamara [firewalls.ppt]

1.  Firewall Gateways, Chapter 9 of “Firewalls and Internet Security: Repelling the Wily Hacker”, (similarly, chapter 3 of version 1 is online here), W. Cheswick and S. Bellovin.

Tu 4/27

Intrusion Detection system (IDS): survey and taxonomy

Laurence [ppt]

1.  Towards a Taxonomy of Intrusion Detection Systems and Attacks, D. Alessandri and many others. IBM research report 2001

2.   State of the Practice of Intrusion Detection Technologies, J. Allen, A. Christie, W. Fithen, J. McHugh, J. Pickel, and E. Stoner. CMU/SEI Technical Report (CMU/SEI-99-TR-028) 1999.

Th 4/29

Host-based vs. network-based IDS

Laurence [ppt]

Zach [ppt]

1.     Bro: A System for Detecting Network Intruders in Real-Time, V. Paxson, Computer Networks, 31(23-24). December, 1999.

Tu 5/4

IDS benchmark and Worm Detection

Ashish [ppt]

1.     The Use of Honeynets to Detect Exploited Systems Across Large Enterprise Networks, J. Levine, R. L, H. Owen, D. Contis, and B. Culver, in Proc. of Workshop on Information Assurance, 2003.  An interesting extended work-in-progress is Wormholes and a Honeyfarm (PPT), N. Weaver, V. Paxson, and S. Staniford, DIMACS Workshop on Large-Scale Internet Attacks, 2003.

2.     Benchmarking Anomaly-Based Detection Systems. R. Maxion and K. M. C Tan. In Proc. of the 1st International Conference on Dependable Systems & Networks. 2000.

Th 5/6

Signature- vs. statistics-based NIDS and anomaly detection

Ashish (finish up)

Aaron [eluding.ppt], Matt [wavelet.ppt]

1.     Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection. T. H. Ptacek and T. N. Newsham. Technical Report. 1998.

NOTES: This paper is a bit long.

1. The first 3 sections are the most important. Make sure that you cover everything.
2. We can skip Sec. 4 and 5.
3. Go over Sec. 6 and cover the major points; you don't need to be very detailed.
4. The methodology and evaluation part is kind of interesting: they compare various off-the-shelf IDS products. Go over it briefly.


2.     A Signal Analysis of Network Traffic Anomalies, P. Barford, J. Kline, D. Plonka and Amos Ron, in Proc. of ACM SIGCOMM Internet Measurement Workshop (IMW), 2003. (slides in PDF).

Tu 5/11

Network traffic anomaly analysis

Elliot [ppt]

1.     Internet Intrusions: Global Characteristics and Prevalence, V. Yegneswaran, P. Barford, and J. Ullrich, in Proc. of ACM SIGMETRICS, June 2003.

Th 5/13

Network fault diagnostics

Hugo [ppt][ppt]

1.     User-level Internet Path Diagnosis, R. Mahajan, N. Spring, D. Wetherall and T. Anderson, in Proc. of ACM SOSP 2003.

2.     Server-based Inference of Internet Performance, V. N. Padmanabhan, L. Qiu, and H. Wang, in Proc. of IEEE INFOCOM, 2003.

Tu 5/18

High-speed network anomaly detection

Elliot [ppt]

1.     Automatically Inferring Patterns of Resource Consumption in Network Traffic, C. Estan, S. Savage and G. Varghese, in ACM SIGCOMM, 2003.  Paper in (PostScript) and (PDF). Slides in XP PowerPoint.

2.     Sketch-based Change Detection: Methods, Evaluation, and Applications, B. Krishnamurthy, S. Sen, Y. Zhang, and Y. Chen, in Proc. of ACM SIGCOMM Internet Measurement Conference (IMC), 2003.

Th 5/20

Network topology discovery

Zach [ppt]

1.     Heuristics for Internet Map Discovery, R. Govindan, and H. Tangmunarunkit, in Proc. of IEEE INFOCOM, 2000 (slides).

2.     Measuring ISP Topologies with Rocketfuel, N. Spring, R. Mahajan, and D. Wetherall, in ACM SIGCOMM 2002 (talk).

Tu 5/25

BGP and routing anomalies

Tamara [ppt]

1.     BGP tutorial from Cisco, please read the “BGP fundamental” part and this simplified tutorial of BGP.  (I will go over the slides in the class.  You may also want to read the full version of “Introduction to BGP” by Tim Griffin.)

Note: you don’t need to write flaws for the tutorial in your summary.

2.     Delayed Internet Routing Convergence, by C. Labovitz, A. Ahuja, A. Bose and F. Jahanian, in ACM SIGCOMM 2000.  (slides of their NANOG 19 talk)

Th 5/27

Overlay and P2P network measurement/monitoring

Stefan [ron.ppt] Hugo [tom.ppt]

1.     Resilient Overlay Networks, D. G. Andersen, H. Balakrishnan, M. F. Kaashoek, and R. Morris, in Proc. of ACM SOSP, 2001 (talk).

2.     Tomography-based Overlay Network Monitoring, Y. Chen, D. Bindel, and R. H. Katz, in Proc. of ACM SIGCOMM Internet Measurement Conference (IMC), 2003 (talk).  Full version to appear in ACM SIGCOMM 2004.

Tu 6/1

Project presentation

  1. Ashish, Elliot and Robbie [ppt]
  2. Stefan, Kate and Tamara [ppt]

Th 6/3

Project presentation

  1. Aaron and Matt [ppt]
  2. Laurence and Jason [ppt]
  3. Hugo and Zach [ppt]



  1. You may find the brochure (suggested by Fabián E. Bustamante) useful: Efficient reading of papers in Science and Technology by Michael J. Hanson, 1990, revised 2000 Dylan McNamee.