CPSC 689: Special Topics in

Computer and Network Security

Fall 2008


Instructor:        Dr. Guofei Gu (guofei@cs, 515A HRBB)

Lectures:         Tuesday, Thursday 5:30-6:45pm, Rm 126 HRBB

Office Hours:   Thursday 3-5pm or by appointment


Announcements

[11/10]: Initial schedule of final presentation is ready.

[10/22]: Project status report is due on Nov. 9. This is a semi-final report that must include (at minimum) introduction/motivation, related work, a sketch of the proposed idea/technique, and current evaluation results. The final report is due on Dec. 7.

[9/12]: Project proposal is due on Oct. 9. Find your team member (or you can work individually) and prepare the project topic ASAP! The proposal should also contain a section of literature review (related work).

[9/12]: Homework is posted. It's due on Oct. 3 (you have about three weeks to finish the homework).


Course Description

Prerequisites: Operating Systems, Computer Networks, and C/C++ and/or Java.

This course will introduce modern topics in computer and network security. It will provide a thorough grounding in computer and network security suitable for those interested in conducting research in this area, as well as for students more broadly interested in real-world security. Topics will span (but are not limited to):

Textbook(s): There is no required textbook. All reading will be from research papers in top security conferences and journals.

Three hours of lecture per week. (3 units)


Grading

Homework: 15%
Term project: 45%
Paper presentation: 20%
Paper mini-review and lecture participation:  20%

There is no mid-term or final exam.


Homework

There will be one homework. You will be asked to implement a simple, well-defined assignment individually. This homework will be assigned before mid-term.


Term Project

There will be a term project. You will do independent research in pairs or individually. You can choose any topic of interest in computer/network security (not necessarily a topic discussed in class; however, topics tied to current research are encouraged). Be ambitious and start thinking of project topics early!


Paper presentation and mini-review

You need to write a brief mini-review/summary of each paper you read. This mini-review/summary can include:

The mini-reviews are to be done individually and sent to me by midnight before the corresponding lecture (with email subject "CPSC689-Review"). You need to read all the papers (excluding optional papers), but you don't need to review all of them: you only need to review about 80% of the papers, i.e., 20 papers.

For a paper presenter, you need to do more work in addition to writing the mini-review:

You need to be a paper presenter only once (depending on the number of students participating in the class).


Ethics & Academic Integrity

We will discuss threats and attacks in class. You should be fully aware of ethics when studying these techniques. If in any context you are not sure about where to draw the line, come talk to me first.

"An Aggie does not lie, cheat, or steal or tolerate those who do."

Upon accepting admission to Texas A&M University, a student immediately assumes a commitment to uphold the Honor Code, to accept responsibility for learning, and to follow the philosophy and rules of the Honor System. Students will be required to state their commitment on examinations, research papers, and other academic work. Ignorance of the rules does not exclude any member of the TAMU community from the requirements or the processes of the Honor System.


Schedule 

This tentative schedule will be updated as the course progresses. Please check back for the most recent update!

Aug. 26
Topic: Course overview and logistics
Readings: none
Presenter: Dr. Gu

Aug. 28
Topic: Botnets: threat and defense
Readings:
BotHunter: Detecting Malware Infection Through IDS-Driven Dialog Correlation. Guofei Gu, Phillip Porras, Vinod Yegneswaran, Martin Fong, and Wenke Lee. Security'07
BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet Detection. Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee. Security'08
[Optional]
The Zombie Roundup: Understanding, Detecting, and Disrupting Botnets. Evan Cooke, Farnam Jahanian, and Danny McPherson
BotSniffer: Detecting Botnet Command and Control Channels in Network Traffic. Guofei Gu, Junjie Zhang, and Wenke Lee. NDSS'08
Presenter: Dr. Gu
Note: No review

Sep. 2
Readings:
A Multifaceted Approach to Understanding the Botnet Phenomenon. Moheeb Abu Rajab, Jay Zarfoss, Fabian Monrose, and Andreas Terzis. IMC'06
[Optional]
Know Your Enemy: Tracking Botnets. Honeynet Project
Presenter: Cheng-chung Tan

Sep. 4
Readings:
Spamming Botnet: Signatures and Characteristics. Yinglian Xie, Fang Yu, Kannan Achan, Rina Panigrahy, Geoff Hulten, and Ivan Osipkov. SIGCOMM'08
[Optional]
Measurements and Mitigation of Peer-to-Peer-based Botnets: A Case Study on Storm Worm. Thorsten Holz, Moritz Steiner, Frederic Dahl, Ernst Biersack, and Felix Freiling. LEET'08
Wide-scale Botnet Detection and Characterization. Anestis Karasaridis, Brian Rexroad, and David Hoeflin. HotBots'07
Presenter: Xiaoyong Li

Sep. 9
Topic: Intrusion detection & prevention
Readings:
Bro: A System for Detecting Network Intruders in Real-Time. Vern Paxson. Computer Networks, 31(23-24), pp. 2435-2463, 14 Dec. 1999
Network Intrusion Detection: Evasion, Traffic Normalization, and End-to-End Protocol Semantics. Mark Handley, Christian Kreibich, and Vern Paxson. USENIX Security'01
[Optional]
Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection. T. Ptacek
Presenters: John Syers, Gabe Knezek

Sep. 11
Readings:
A Sense of Self for Unix Processes. S. Forrest, S. A. Hofmeyr, A. Somayaji, and T. A. Longstaff. Oakland'96
Anomalous Payload-based Network Intrusion Detection. Ke Wang and Salvatore J. Stolfo. RAID'04
[Optional]
Mimicry Attacks on Host-Based Intrusion Detection Systems. David Wagner and Paolo Soto. CCS'02
Polymorphic Blending Attacks. Prahlad Fogla, Monirul Sharif, Roberto Perdisci, Oleg Kolesnikov, and Wenke Lee. Security'06
Presenter: Shi Pu

Sep. 16
Readings:
Buffer Overflows: Attacks and Defenses for the Vulnerability of the Decade. Crispin Cowan et al.
[Optional]
Smashing The Stack For Fun And Profit. Aleph One
StackGuard: Automatic Adaptive Detection and Prevention of Buffer-Overflow Attacks. Cowan, Pu, Maier, Hinton, Bakke, Beattie, Grier, Wagle, and Zhang. Security'98
Presenter: Bashar Anabtawi
Note: Homework posted!

Sep. 18
Topic: Worm: threat and defense
Readings:
Monitoring and Early Warning for Internet Worms. Cliff C. Zou, Lixin Gao, Weibo Gong, and Don Towsley. CCS'03
[Optional]
How to 0wn the Internet in Your Spare Time. Stuart Staniford, Vern Paxson, and Nicholas Weaver. USENIX Security'02
Fast Portscan Detection Using Sequential Hypothesis Testing. Jaeyeon Jung, Vern Paxson, Arthur Berger, and Hari Balakrishnan. Oakland'04
Presenter: Yimin Song

Sep. 23
Readings:
Automated Worm Fingerprinting. Singh, Estan, Varghese, and Savage. OSDI'04
[Optional]
Polygraph: Automatically Generating Signatures for Polymorphic Worms. James Newsome, Brad Karp, and Dawn Song. Oakland'05
Presenter: Ankur Nandwani

Sep. 25
Topic: Denial-of-Service: attack and defense
Readings:
Practical Network Support for IP Traceback. S. Savage et al. SIGCOMM'00
[Optional]
Inferring Internet Denial of Service Activity. Moore, Voelker, and Savage. Security'01
Presenter: Christian Mcarthur

Sep. 30
Readings:
A DoS-Limiting Network Architecture. Yang, Wetherall, and Anderson. SIGCOMM'05
[Optional]
SIFF: An Endhost Capability Mechanism to Mitigate DDoS Flooding Attacks. Abraham Yaar, Adrian Perrig, and Dawn Song. Oakland'04
SOS: Secure Overlay Services. Keromytis, Misra, and Rubenstein
Presenter: Zhao Zhang

Oct. 2
Topic: Rootkit: threat and defense
Readings:
HookFinder: Identifying and Understanding Malware Hooking Behaviors. Heng Yin, Zhenkai Liang, and Dawn Song. NDSS'08
[Optional]
Automated Detection of Persistent Kernel Control-Flow Attacks. Nick L. Petroni, Jr. and Michael Hicks. CCS'07
Guest-Transparent Prevention of Kernel Rootkits with VMM-based Memory Shadowing. R. Riley, X. Jiang, and D. Xu. RAID'08
Presenter: Prajjwal Devkota
Note: Homework due on Oct. 3

Oct. 7
Topic: Spyware: threat and defense
Readings:
Behavior-based Spyware Detection. Engin Kirda, Christopher Kruegel, Greg Banks, Giovanni Vigna, and Richard A. Kemmerer. Security'06
[Optional]
Dynamic Spyware Analysis. Manuel Egele, Christopher Kruegel, Engin Kirda, Heng Yin, and Dawn Song. USENIX'07
Presenter: Mahesh Sabbavarapu

Oct. 9
Topic: Spam: threat and defense
Readings:
Understanding the Network-Level Behavior of Spammers. A. Ramachandran and N. Feamster. SIGCOMM'06
[Optional]
A Quantitative Study of Forum Spamming Using Context-based Analysis. Yuan Niu, Yi-Min Wang, Hao Chen, Ming Ma, and Francis Hsu. NDSS'07
Filtering Spam with Behavioral Blacklisting. A. Ramachandran, N. Feamster, and S. Vempala. CCS'07
Presenter: Sanmin Liu
Note: Project proposal due today!

Oct. 14
Topic: Phishing
Readings:
Phinding Phish: An Evaluation of Anti-Phishing Toolbars. Lorrie Cranor, Serge Egelman, Jason Hong, and Yue Zhang. NDSS'07
Learning to Detect Phishing Emails. Ian Fette, Norman Sadeh, and Anthony Tomasic. WWW'07
[Optional]
Why Phishing Works. Dhamija, Tygar, and Hearst
Cantina: A Content-based Approach to Detecting Phishing Web Sites. Y. Zhang, J. Hong, and L. Cranor. WWW'07
Behind Phishing: An Examination of Phisher Modi Operandi. D. Kevin McGrath and Minaxi Gupta. LEET'08
Presenters: Pu Duan, Ishita Patnaik

Oct. 16
Topic: Vulnerability signature
Readings:
Shield: Vulnerability-Driven Network Filters for Preventing Known Vulnerability Exploits. Helen J. Wang, Chuanxiong Guo, Daniel R. Simon, and Alf Zugenmaier. SIGCOMM'04
[Optional]
ShieldGen: Automatic Data Patch Generation for Unknown Vulnerabilities with Informed Probing. Weidong Cui, Marcus Peinado, Helen J. Wang, and Michael Locasto. Oakland'07
XFA: Faster Signature Matching with Extended Automata. Randy Smith, Cristian Estan, and Somesh Jha. Oakland'08
Deflating the Big Bang: Fast and Scalable Deep Packet Inspection with Variable-Extended Automata. Randy Smith, Cristian Estan, Somesh Jha, and Shijin Kong. SIGCOMM'08
Presenter: Qiang Xu

Oct. 21
Topic: Static/dynamic analysis
Readings:
MOPS: An Infrastructure for Examining Security Properties of Software. Hao Chen and David Wagner. CCS'02
[Optional]
Dynamic Taint Analysis: Automatic Detection, Analysis, and Signature Generation of Exploit Attacks on Commodity Software. Newsome and Song. NDSS'06
Exploring Multiple Execution Paths for Malware Analysis. Andreas Moser, Christopher Kruegel, and Engin Kirda. Oakland'07
Presenter: Hao Wang

Oct. 23
Topic: DNS security
Readings:
Increased DNS Forgery Resistance Through 0x20-Bit Encoding. David Dagon, Manos Antonakakis, Paul Vixie, Jinmei Tatuya, and Wenke Lee. CCS'08
[Optional]
Protecting Browsers from DNS Rebinding Attacks. Collin Jackson, Adam Barth, Andrew Bortz, Weidong Shao, and Dan Boneh. CCS'07
A New Approach to DNS Security (DNSSEC). Giuseppe Ateniese and S. Mangard. CCS'01
Presenter: Sandeep Yadav

Oct. 28
Topic: Web security
Readings:
All Your iFRAMEs Point to Us. Niels Provos, Panayiotis Mavrommatis, Moheeb Abu Rajab, and Fabian Monrose. Security'08
[Optional]
The Ghost in the Browser: Analysis of Web-based Malware. N. Provos et al. HotBots'07
Automated Web Patrol with Strider HoneyMonkeys: Finding Web Sites That Exploit Browser Vulnerabilities. Yi-Min Wang, Doug Beck, Xuxian Jiang, Roussi Roussev, Chad Verbowski, Shuo Chen, and Sam King. NDSS'06
Presenter: Jeremy Kelley

Oct. 30
Readings:
Secure Web Browsing with the OP Web Browser. Chris Grier, Shuo Tang, and Samuel King. Oakland'08
[Optional]
Protection and Communication Abstractions for Web Browsers in MashupOS. Helen J. Wang, Xiaofeng Fan, Collin Jackson, and Jon Howell. SOSP'07
Anomaly Detection of Web-based Attacks. Christopher Kruegel and Giovanni Vigna. CCS'03
Presenter: Eswara Thota

Nov. 4
Topic: Virtual machines for security
Readings:
Stealthy Malware Detection Through VMM-Based "Out-of-the-Box" Semantic View Reconstruction. Xuxian Jiang, Dongyan Xu, and Xinyuan Wang. CCS'07
[Optional]
A Virtual Machine Introspection Based Architecture for Intrusion Detection. Garfinkel and Rosenblum
Xen and the Art of Virtualization. Paul Barham, Boris Dragovic, Keir Fraser, Steven Hand, Tim Harris, Alex Ho, Rolf Neugebauer, Ian Pratt, and Andrew Warfield. SOSP'03
Presenter: Weiqin Ma

Nov. 6
Readings:
Lares: An Architecture for Secure Active Monitoring Using Virtualization. Bryan Payne, Martim Carbone, Monirul Sharif, and Wenke Lee. Oakland'08
[Optional]
Secure and Flexible Monitoring of Virtual Machines. Bryan Payne, M. Carbone, and W. Lee. ACSAC'07
Presenter: Xiaojian Wu
Note: Project status report due on Nov. 9

Nov. 11
Topic: OS security
Readings:
Making Information Flow Explicit in HiStar. Nickolai Zeldovich, Silas Boyd-Wickizer, Eddie Kohler, and David Mazières. OSDI'06
[Optional]
An Overview of the Singularity Project. Galen C. Hunt et al.
Securing Distributed Systems with Information Flow Control. Nickolai Zeldovich, Silas Boyd-Wickizer, and David Mazières. NSDI'08
Presenter: Saswat Mohanty

Nov. 13
Topic: Privacy and anonymity
Readings:
Tor: The Second-Generation Onion Router. Dingledine et al. Security'04
[Optional]
Passive Logging Attacks Against Anonymous Communications. Matthew Wright, Micah Adler, Brian Neil Levine, and Clay Shields. TISSEC
Presenter: Jeff Scaparra

Nov. 18
Topic: Forensics
Readings:
Backtracking Intrusions. Samuel King and Peter Chen. SOSP'03
Toward a Framework for Internet Forensic Analysis. Vyas Sekar et al. HotNets'04
[Optional]
Detecting Past and Present Intrusions Through Vulnerability-Specific Predicates. Peter Chen, Ashlesha Joshi, Sam King, and George Dunlap. SOSP'05
Presenter: David Collins

Nov. 20
Topic: Mini-workshop: student project presentation
Presenters: Duan, Pu, Scaparra, Knezek, Tan, Mcarthur

Nov. 25
Topic: Mini-workshop: student project presentation
Presenters: Devkota/Patnaik, Mohanty, Xu, Kelley, Song/Liu, Nandwani, Sabbavarapu

Nov. 27
Thanksgiving holiday. No class.

Dec. 2
Topic: Mini-workshop: student project presentation
Presenters: Collins/Syers, Wang, Thota, Li, Yadav, Zhang, Wu/Ma
Note: Final report due on Dec. 7