Sécurité Réseau et Systèmes -- REcent Attacks and Defense (READ)

This module covers the following topics and will be organized into FIVE 3-hour-long sessions. Before each session, you are expected to have a quick review on the relevant technical papers. The reference of scientific projects is also given upon your request. Most of those papers are available online in our campus, please abide by all applicable copyright laws for downloading. If you have any problem to get them, please let us know.

• Intrusion, Intrusion Detection, and IDS

• Buffer overflow

• Malware: virus and worms

• Botnet

• Underground Economy: Internet scams and spam

• Unwanted network traffic: DDoS

Duration: UV 120 Hours (READ 18 Hours),  Attendee: ~32 final year engineering students

• Acknowledgement 

The slides and handouts used in this module have incorporated those developed by Dr. Vern Paxson (UC Berkeley), Dr. Guofei GU (TAMU), and Dr. Nick Feamster (Georgia Tech).  

• Books

1. William Stallings and Lawrie Brown. Computer Security: Principles and Practice. Prientice Hall, 2007. ISBN 0136004245.

2. William Stallings, Network Security Essentials: Applications and Standards, 4/E, ISBN-10: 0136108059, ISBN-13: 9780136108054, Prentice Hall, 2010

3. Charles P. Pfleeger and Shari Lawrence Pfleeger. Security in Computing, Fourth Edition. Prentice Hall, 2007. ISBN 0-13-239077-9.

• Session 1: Basics: Intrusion Detection Systems

  1. V. Paxson, "Bro: A System for Detecting Network Intruders in Real-Time," Computer Networks, 31(23-24), pp. 2435-2463, 14 Dec. 1999.

  2. S. Axelsson, "The Base-Rate Fallacy and Its Implications for the Difficulty of Intrusion Detection," in the Proc. of ACM CCS'99.

  3. J. McHugh, "Testing Intrusion Detection Systems: A Critique of the 1998 and 1999 DARPA Off-line Intrusion Detection System Evaluation as Performed by Lincoln Laboratory," ACM Transactions on Information and System Security, 3(4). November, 2000.

  4. M. Handley, C. Kreibich and V. Paxson, "Network Intrusion Detection: Evasion, Traffic Normalization, and End-to-End Protocol Semantics," in the Proceedings of USENIX Security 2001.

• Session 2: Buffer Overflow and Virus 

• 1. S. Staniford, V. Paxson and N. Weaver, "How to 0wn the Internet in Your Spare Time," in the Proceedings of USENIX Security 2002. 

  2. J. Newsome, B. Karp and D. Song, "Polygraph: Automatically Generating Signatures for Polymorphic Worms," in the Proceedings of IEEE S&P 2005. 

  3. Crispin Cowan, et al., "Buffer Overflows: Attacks and Defenses for the Vulnerability of the Decade". 

  4. M. Costa, J. Crowcroft, M. Castro and A. Rowstron, "Can we contain Internet worms?," in the Proceedings of HotNets III 2004. 

• Session 3: Large-scale Malware: Worm and Botnet

• 1. M. A. Rajab, J. Zarfoss, F. Monrose, and A. Terzis, "A Multifaceted Approach to Understanding the Botnet Phenomenon," in the Proceedings of Internet Measurement Conference'06. 

  2. B. Stone-Gross et al., "Your Botnet is My Botnet: Analysis of a Botnet Takeover," in the Proceedings of ACM CCS'09. 

  3. P. Bacher, T. Holz, M. Kotter, G. Wichersk, "Know your Enemy:Tracking Botnets Using honeynets to learn more about Bots." 

• Session 4:  Underground Economy: Internet Scams and Spam

• 1. S. Hao, N. A. Syed, N. Feamster, A. G. Gray, and Sven Krasser, "Detecting Spammers with SNARE: Spatio-temporal Network-level Automatic Reputation Engine," in the Proceedings of the 18th conference on USENIX security symposium, 2009. 

  2. A. Ramachandran, N. Feamster, and S. Vempala, "Filtering Spam with Behavioral Blacklisting," in the Proceedings of ACM CCS'07. 

  3. Z. Qian, Z. Mao, Y. Xie and F. Yu, "On Network-level Clusters for Spam Detection," in the Proceedings of NDSS'2010. 

• Session 5: DDoS attacks

• 1. Jelena Mirkovic and Peter Reiher, "A taxonomy of DDoS attack and DDoS defense mechanisms," ACM SIGCOMM Computer Communication Review archive, pages 39-54, 34 (2), April, 2005.

  2. Yaar, A., Perrig, A., Song, D., "SIFF: a stateless Internet flow filter to mitigate DDoS flooding attacks," in the Proceedings of IEEE Symposium on Security and Privacy (S&P'04), pp.130-143. 

  3. D. Moore, G. Voelker, and S. Savage, "Inferring Internet Denial-of-Service Activity," in the Proceedings of the 10th USENIX Security Symposium. 

• Projects

Attack Graph

1. R. Lippmann, and K. W. Ingols, "An annotated review of past papers on attack graphs," Technical report, MIT Lincoln Laboratory, Mar. 2005.

2. Kyle Ingols, Matthew Chu, Richard Lippmann, Seth E. Webster, Stephen W. Boyer, "Modeling Modern Network Attacks and Countermeasures Using Attack Graphs," in Proc. of Twenty-Fifth Annual Computer Security Applications Conference, ACSAC 2009, pp.117-126.

3. X. Ou, W. F. Boyer, and M. A. McQueen, "A scalable approach to attack graph generation," In Proc. of ACM CCS'06, pp.~336-345.

4. S. Jajodia, and S. Noel, "Topological vulnerability analysis: A powerful new approach for network attack prevention, detection, and response," in Algorithms, Architectures and Information Systems Security(Indian Statistical Institute Platinum Jubilee Series), pp. 285-305, 2009.

-- 

Anonymity 

• 1. R. Dingledine, N. Mathewson, and P. Syverson "Tor: The Second-Generation Onion Router", in the Proceeding of USENIX Security, Pp. 303–320, 2004.

  2. J. Clark, P. C. van Oorschot, and C. Adams., "Usability of anonymous web browsing: an examination of Tor interfaces and deployability," in the Proceedings of the 3rd Symposium on Usable Privacy and Security (SOUPS '07), pp.41-51.

  3. R. Snader and N. Borisov, "A Tune-up for Tor: Improving Security and Performance in the Tor Network," in the Proceedings of the Network and Distributed Security Symposium, February 2008.