Yan Chen,
Assistant Professor
Room 330,
Office Hours: Wed. 2-4pm, Rm 330,
Jason A. Skicewicz
jskitz@cs.northwestern.edu
Office Hours: Tu. and Th. 3:30pm - 4:30pm, Rm 321,
· Lectures: Tuesday and Thursday 2-3:20pm, Room 342, 1890 Maple.
The evolution of the Internet has spawned rich complexity and vulnerability in its infrastructure. In this course, we will take a measurement-based approach to understanding that complexity, i.e., characterize, understand, and model the enormous volume and great variety of Internet traffic in terms of large-scale behaviors. Based on that, we will investigate the vulnerability of the Internet as different services have evolved and innovated in different and competing ways, with increasingly less global consensus.
We will start with the basic concepts of security, cryptography, authentication and integrity, and then focus on the security challenges of network and distributed systems as well as the approaches for countering attacks. In the first half of the course, we will study large-scale Internet attacks. Topics include the characterization, technologies, history and current defenses of mobile malcode (viruses/worms), denial of service (DoS) attacks, firewall technologies, intrusion detection systems (IDS), and testbeds and benchmarks for security. While many existing attacks can be discovered by their signatures, there are still many unknown, new attacks and traffic anomalies. In the second part of the class we examine these anomalies by investigating high-speed network measurement and monitoring, network fault diagnostics and root cause analysis, BGP/routing anomalies, network topology discovery, measurement-based inference, and overlay and peer-to-peer system monitoring.
During the course, we will read and discuss research papers and identify a list of open research problems, from which the students can choose their class projects. In addition to deploying end-to-end measurements on the global network testbed PlanetLab (http://www.planet-lab.org/), massive real-world anonymized router/gateway traffic data will be obtained to analyze the reliability/vulnerability of the Internet and to detect both well-known and unknown viruses/worms/attacks. We will further characterize and diagnose the unknown anomalies and network failures.
No exams for this class.
There is no required textbook. All reading will be from papers. Whenever possible, handouts and papers will be placed online on the web page. A schedule of assigned readings is available online.
To ensure lively discussions, you will be required to write a very brief summary of each paper you read, to be electronically handed in to the TA before the beginning of the class when the reading is due. Your summary should include at least:
We will start each class with an introduction to the basic problems/ideas/solutions (10 minutes), followed by student presentations of the two papers assigned. For each paper, there are 20 minutes for presentation and 10 minutes for discussion. We will wrap up with a summary in the last 10 minutes. Some rules for the paper presentation are available online.
Each presentation should include at least the following from the paper:
You must send the slides to the TA and me for review at least 24 hours before your presentation. There are some guidelines suggested by Prof. Fabián E. Bustamante which you will find useful.
Projects (done in groups of size 2+) are a critical component of this course. Your goal is to design, build and evaluate interesting systems that address issues, solve problems and exploit techniques from classroom discussions and readings.
Projects must be written up in a term paper and teams will present their results at the end of the course in a mini-conference and write up a report. The list of potential ideas for projects will be posted soon. Feel free to use one, propose something completely different, or refine one of these into your own idea.
Project Deliverables and Deadlines
Proposal – April 8: 3-4 pages describing the purpose of the project, the work to be done and potential load distribution, expected outcome/results, etc. Make sure to describe the context and related work for the proposed project. You should have another 1-2 pages of references.
Design Document – April 15: 4-5 pages with a detailed description of the software design and the load distribution among group members. Construct a detailed sketch of your evaluation plan: what hypothesis is to be tested, how you will control the test circumstances, what workloads you will apply, why this test will enable resolution of the hypothesis, and what specific metrics will be measured and how.
Weekly Meeting and Progress Report – 4/13-5/25: Each team will schedule a weekly meeting (30 minutes) with me. A work-in-progress report (except for the 4/13 week) of 1-2 pages on the project status, initial results, problems encountered, etc. is due 24 hours ahead of the meeting.
Project Presentation – June 1 and 3: Present the results in class, including Q&A.
Final Report – June 9: The final report is a workshop-level paper describing your work, evaluation, related research, potential avenues to explore, etc. You should incorporate the comments received during the presentation. Code should be submitted electronically.
Tentative Schedule
Notes:
| Date | Lecture Topics | Notes | Readings |
|---|---|---|---|
| Tu 3/30 | Class overview, Introduction to networking security (cryptography, authentication) | [ppt][pdf] | KR 7.1 - 7.3 |
| Th 4/1 | Introduction to networking security (authentication, integrity, access control) | [ppt][pdf] | KR 7.3 - 7.5 |
| Tu 4/6 | Mobile malcode: terminology, anatomy, and defense | [ppt][pdf] | 1. The Internet Worm Program: An Analysis, Eugene H. Spafford, Purdue Technical Report CSD-TR-823, 1988. 2. A Taxonomy of Computer Worms, N. Weaver, V. Paxson, S. Staniford, and R. Cunningham, the First Workshop on Rapid Malcode (WORM), 2003. |
| Th 4/8 | Viruses and worms: history and current defense postures | [ppt][pdf] | 1. How to 0wn the Internet in Your Spare Time. 2. Large Scale Malicious Code: A Research Agenda, N. Weaver, V. Paxson, |
| Tu 4/13 | Advances in malcode technology | [ppt][pdf] | 1. The Spread of the Sapphire/Slammer Worm, D. Moore, V. Paxson, S. Savage, C. Shannon, S. Staniford, N. Weaver, 2003. 2. Internet Quarantine: Requirements for Containing Self-Propagating Code, D. Moore, C. Shannon, G. Voelker and S. Savage, in Proceedings of IEEE Infocom, 2003. |
| Th 4/15 | Denial-of-Service (DoS) attacks | [ppt][pdf] | 1. A Taxonomy of DDoS Attacks and Defense Mechanisms, J. Mirkovic and P. Reiher, in ACM Computer and Communication Review (CCR), Apr. 2004. 2. Inferring Internet Denial of Service Activity, D. |
| Tu 4/20 | DoS attacks (cont'd) | [ppt][pdf] | 1. Flash Crowds and Denial of Service Attacks: Characterization and Implications for CDNs and Web Sites (PS version), J. Jung, B. Krishnamurthy and M. Rabinovich, in Proc. of WWW, 2002. 2. Low-Rate TCP-Targeted Denial of Service Attacks (The Shrew vs. the Mice and Elephants), A. Kuzmanovic and E. W. Knightly, in Proc. of ACM SIGCOMM, 2003. |
| Th 4/22 | Firewalls | [ppt][pdf] | 1. Firewall Gateways, Chapter 3 of "Firewalls and Internet Security: Repelling the Wily Hacker" (version 1 is online here), W. Cheswick and S. Bellovin. |
| Tu 4/27 | Intrusion Detection Systems (IDS): survey and taxonomy | [ppt][pdf] | 1. Towards a Taxonomy of Intrusion Detection Systems and Attacks, D. Alessandri and many others, IBM research report, 2001. 2. Intrusion Detection Systems, Rebecca Bace and Peter Mell, NIST report. |
| Th 4/29 | Host-based vs. network-based IDS | [ppt][pdf] | 1. Network Intrusion Detection, B. Mukherjee, L. T. Heberlein, and K. N. Levitt, IEEE Network, May/June 1994. 2. Bro: A System for Detecting Network Intruders in Real-Time, V. Paxson, Computer Networks, 31(23-24), December 1999. |
| Tu 5/4 | IDS benchmark and worm detection | [ppt][pdf] | 1. The Use of Honeynets to Detect Exploited Systems Across Large Enterprise Networks, J. Levine, R. L, H. Owen, D. Contis, and B. Culver, in Proc. of Workshop on Information Assurance, 2003. An interesting extended work-in-progress is Wormholes and a Honeyfarm (PPT), N. Weaver, V. Paxson, and 2. Benchmarking Anomaly-Based Detection Systems, R. Maxion and K. M. C. Tan, in Proc. of the 1st International Conference on Dependable Systems & Networks, 2000. |
| Th 5/6 | Signature- vs. statistics-based NIDS and anomaly detection | [ppt][pdf] | 1. Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection, T. H. Ptacek and T. N. Newsham, Technical Report, 1998. 2. Anomaly Detection in IP Networks, M. Thottan and C. Ji, IEEE Trans. on Signal Processing, Aug. 2003. |
| Tu 5/11 | High-speed network monitoring | [ppt][pdf] | 1. Automatically Inferring Patterns of Resource Consumption in Network Traffic, C. Estan, S. Savage and G. Varghese, in ACM SIGCOMM, 2003. Paper in (PostScript) and (PDF). Slides in XP PowerPoint. 2. New Directions in Traffic Measurement and Accounting, C. Estan and G. Varghese, in ACM SIGCOMM, 2002. Paper in (PostScript) and (PDF). Slides (PowerPoint). |
| Th 5/13 | High-speed network anomaly detection | [ppt][pdf] | 1. Sketch-based Change Detection: Methods, Evaluation, and Applications, B. Krishnamurthy, S. Sen, Y. Zhang, and Y. Chen, in Proc. of ACM SIGCOMM Internet Measurement Conference (IMC), 2003. 2. A Signal Analysis of Network Traffic Anomalies, P. Barford, J. Kline, D. Plonka and Amos Ron, in Proc. of ACM SIGCOMM Internet Measurement Workshop (IMW), 2003 (slides in PDF). |
| Tu 5/18 | BGP/routing anomalies and attacks | [ppt][pdf] | 1. Delayed Internet Routing Convergence, C. Labovitz, A. Ahuja, A. Bose and F. Jahanian, in ACM SIGCOMM, 2000. 2. Generic Threats to Routing Protocols, A. Barbir, S. Murphy and Y. Yang, draft-ietf-rpsec-routing-threats-04, Dec. 2003. |
| Th 5/20 | Network fault diagnostics | [ppt][pdf] | 1. User-level Internet Path Diagnosis, R. Mahajan, N. Spring, D. Wetherall and T. Anderson, in Proc. of ACM SOSP, 2003. 2. Server-based Inference of Internet Performance, V. N. Padmanabhan, L. Qiu, and H. Wang, in Proc. of IEEE INFOCOM, 2003. |
| Tu 5/25 | Network topology discovery | [ppt][pdf] | 1. Heuristics for Internet Map Discovery, R. Govindan and H. Tangmunarunkit, in Proc. of IEEE INFOCOM, 2000 (slides). 2. Measuring ISP Topologies with Rocketfuel, N. Spring, R. Mahajan, and D. Wetherall, in ACM SIGCOMM, 2002 (talk). |
| Th 5/27 | Overlay and P2P network measurement/monitoring | [ppt][pdf] | 1. Resilient Overlay Networks, D. G. Andersen, H. Balakrishnan, M. F. Kaashoek, and R. Morris, in Proc. of ACM SOSP, 2001 (talk). 2. Tomography-based Overlay Network Monitoring, Y. Chen, D. Bindel, and R. H. Katz, in Proc. of ACM SIGCOMM Internet Measurement Conference (IMC), 2003 (talk). Full version is technical report UCB//CSD-03-1252. |
| Tu 6/1 | Project presentation | | |
| Th 6/3 | Project presentation | | |