CS 6301: Advanced Topics in Internet Measurement and Network Security (Fall 2017)

Syllabus Schedule
Instructor: Shuang Hao
Email: shao -at- utdallas.edu
Office: ECSS 2.703
Office hours: 3-5 pm Tuesday
Class time: 4-6:45 pm Friday
Location: ECSN 2.120

Course Overview

CS 6301 is a graduate level, research oriented, network security course. We will cover techniques and considerations for conducting empirical network security and Internet measurement research. The course will center around readings of foundational and seminal research papers. Topics include measurement methodology, intrusion detection, denial-of-service, botnets and spam, protocol issues, web attacks, search engine optimization, and underground economy. Students will also learn skills of reading essays and research papers and giving presentations.


Networking course is a pre-requisite. Computer Security course is suggested (not a pre-requisite).

Textbook and Reading List

The course has no textbook. We will read a bunch of research papers. The instructor will introduce reference books for particular topics.

  1. Measuring and Detecting Fast-Flux Service Networks. Thorsten Holz, Christian Gorecki, Konrad Rieck, and Felix C. Freiling. NDSS 2008.
  2. The Long 'Taile' of Typosquatting Domain Names. Janos Szurdi, Balazs Kocso, Gabor Cseh, Jonathan Spring, Mark Felegyhazi, and Chris Kanich. USENIX Security 2014.
  3. Amplification Hell: Revisiting Network Protocols for DDoS Abuse. Christian Rossow. NDSS 2014.
  4. IoT Goes Nuclear: Creating a ZigBee Chain Reaction. Eyal Ronen, Colin O'Flynn, Adi Shamir, and Achi-Or Weingarten. IEEE S&P 2017.
  5. Your Botnet is My Botnet: Analysis of a Botnet Takeover. Brett Stone-Gross, Marco Cova, Lorenzo Cavallaro, Bob Gilbert, Martin Szydlowski, Richard Kemmerer, Christopher Kruegel, and Giovanni Vigna. CCS 2009.
  6. The Crossfire Attack. Min Suk Kang, Soo Bum Lee, and Virgil D. Gligor. IEEE S&P 2013.
  7. deSEO: Combating Search-Result Poisoning. John P. John, Fang Yu, Yinglian Xie, Arvind Krishnamurthy, and Martin Abadi. USENIX Security 2011.
  8. Cloak and Dagger: Dynamics of Web Search cloaking. David Y. Wang, Stefan Savage, and Geoffrey M.Voelker. CCS 2011.
  9. Click Trajectories: End-to-End Analysis of the Spam Value Chain. Kirill Levchenko, Andreas Pitsillidis, Neha Chachra, Brandon Enright, Mark Felegyhazi, Chris Grier, Tristan Halvorson, Chris Kanich, Christian Kreibich, He Liu, Damon McCoy, Nicholas Weaver, Vern Paxson, Geoffrey M. Voelker, and Stefan Savage. IEEE S&P 2011.
  10. You Are What You Include: Large-scale Evaluation of Remote JavaScript Inclusions. Nick Nikiforakis, Luca Invernizzi, Alexandros Kapravelos, Steven Van Acker, Wouter Joosen, Christopher Kruegel, Frank Piessens and Giovanni Vigna. CCS 2012.
  11. @spam: The Underground on 140 Characters or Less. Chris Grier, Kurt Thomas, Vern Paxson, and Michael Zhang. CCS 2010.
  12. Dissecting Android Malware: Characterization and Evolution. Yajin Zhou and Xuxian Jiang. IEEE S&P 2012.
  13. Entropy/IP: Uncovering Structure in IPv6 Addresses:. Pawel Foremski, David Plonka, and Arthur Berger. IMC 2016.
  14. Analysis of Country-wide Internet Outages Caused by Censorship. Alberto Dainotti, Claudio Squarcella, Emile Aben, Kimberly C. Claffy, Marco Chiesa, Michele Russo, and Antonio Pescape. IMC 2011.
  15. Spamming Botnets: Signatures and Characteristics. Yinglian Xie, Fang Yu, Kannan Achan, Rina Panigrahy, Geoff Hulten,and Ivan Osipkov. SIGCOMM 2008.
  16. Filtering Spam with Behavioral Blacklisting. Anirudh Ramachandran, Nick Feamster, and Santosh Vempala. CCS 2007.
  17. Measuring Pay-per-Install: The Commoditization of Malware Distribution. Juan Caballero, Chris Grier, Christian Kreibich, andVern Paxson. USENIX Security 2011.
  18. Detecting and Defending Against Third-Party Tracking on the Web. Franziska Roesner, Tadayoshi Kohno, and David Wetherall. NSDI 2012.
  19. Comprehensive Experimental Analyses of Automotive Attack Surfaces. Stephen Checkoway, Damon McCoy, Brian Kantor, Danny Anderson, Hovav Shacham, Stefan Savage, Karl Koscher, Alexei Czeskis, Franziska Roesner, and Tadayoshi Kohno. USENIX Security 2011.
  20. Fast Portscan Detection Using Sequential Hypothesis Testing. Jaeyeon Jung, Vern Paxson, Arthur Berger, and Hari Balakrishnan. IEEE S&P 2004.
  21. Towards Making Systems Forget with Machine Unlearning. Yinzhi Cao and Junfeng Yang. IEEE S&P 2015.
  22. Seeking Nonsense, Looking for Trouble: Efficient Promotional-Infection Detection through Semantic Inconsistency Search. Xiaojing Liao, Kan Yuan, XiaoFeng Wang, Zhongyu Pei, Hao Yang, Jianjun Chen, Haixin Duan, Kun Du, Eihal Alowaisheq, Sumayah Alrwais, Luyi Xing, and Raheem Beyah. IEEE S&P 2016.
  23. Doppelgänger Finder: Taking Stylometry To The Underground. Sadia Afroz, Aylin Caliskan-Islam, Ariel Stolerman, Rachel Greenstadt, Damon McCoy. IEEE S&P 2014.
  24. Don't Forget to Lock the Back Door! A Characterization of IPv6 Network Security Policy. Jakub Czyz, Matthew Luckie, Mark Allman, and Michael Bailey. NDSS 2016.
  25. Accountable Internet Protocol. David G. Andersen, Hari Balakrishnan, Nick Feamster, Teemu Koponen, Daekyeong Moon, and Scott Shenker. SIGCOMM 2008.
  26. Lucky Thirteen: Breaking the TLS and DTLS Record Protocols. Nadhem J. AlFardan and Kenneth G. Paterson. IEEE S&P 2013.

Grading Policy

The grade will be computed based on the following components:

- Class Participation will be based on attendance.

- In-Class Presentations will be presentations of research papers to the class. Each student will be assigned twice during the class to present the assigned papers. The students are expected to describe the challenges of the problem, introduce technical details of the papers, and provide review opinions on the papers.

- Class Project will be completed individually or in a team of two. The project ideas will be approved by the instructor. Please come to talk with the instructor early about the project ideas, the instructor will provide suggestions or point to the right directions.

Tentative Course Schedule

Date Topic
08/25Course Overview
09/01 Techniques of Measurement and Large-scale Data Analysis
09/08 Paper Reading, Writing, and Review
09/15 A DNS Fast Flux []
09/15 B Domain Typosquatting []
09/22 A Search Engine Poisoning[]
09/22 B Cloaking and Redirection []
09/29 A Vulnerabilities in IPv6 Networks []
09/29 B Finding IPv6 Addresses []
10/06 A Fast Scan Detection []
10/06 B Denial-of-Service Attacks []
10/06 C Link-flooding Attacks []
10/13 A Semantic-based Detection []
10/13 B Stylometry Analysis []
10/13 C Machine Unlearning []
10/20 A Android Malware []
10/20 B Internet of Things Security []
10/20 C Automotive Security []
10/27 A Botnet Takeover []
10/27 B Social Network Spam []
10/27 C Censorship []
11/03 A Underground Economy []
11/03 B Malware Distribution []
11/10 A Web Security []
11/10 B Web Tracking []
11/17 A Botnet Characteristics []
11/17 B Spam Filtering []
11/24 Thanksgiving Break
12/01 A Accountable Infrastructure []
12/01 B TLS Session Security []
12/08 Project Presentation, 5-7:45 pm, ECSS 2.306