ECS 289M: Computer Security Research in Attack Analysis, Countermeasures, and Detection (Spring 2010)

Basic Course Details:

  • Instructor: Professor Sean Peisert
    • Email:
    • Office Location: 2111 Watershed (directions)
    • Office Hours: Tuesday/Thursday 3:30pm-4:30pm and by appointment

  • Meeting place and time:
    • 1134 Bainer 110 Hunt, Tuesday/Thursday 4:40pm-6:00pm
    • No class on Tuesday, May 18 (Oakland conference)

  • CRN: 83420

  • Prereqs: ECS 150, 153, 235A, or permission of instructor.

  • Concept: We will discuss concepts and papers at each class session. Students will volunteer (or be volunteered) to rotate presenting papers to the class. Over the course of the quarter, students will gather ideas to do a course project, which will be due in lieu of a final exam on the last day of class.

  • Grading:
    • Project/Homework: 65% of final grade
    • Paper presentation: 15% of final grade
    • General class participation: 20% of final grade

Course Outline and Reading (Rough)

Discussion Date Topic/Theme/Papers
Tuesday, March 29

Intro to the Class

no reading yet

Thursday, April 1 War stories

Julie Amero case

Cliff Stoll, "Stalking the Wily Hacker," CACM 31(5), May 1988.

Bill Cheswick, "Evening with Berferd," Proc. of the Winter USENIX Conference, 1990.

Tsutomu Shimomura. Testimony before the United States House of Representatives Committee on Science, Subcommittee on Technology, February 11, 1997.

Andrew H. Gross, "Analyzing Computer Intrusions," Ph.D Dissertation, University of California, San Diego, 1997. (§1.1 only)

Further reading:
Cliff Stoll, The Cuckoo's Egg, Pocket Books, 1989.
Tsutomu Shimomura and John Markoff, Takedown, Hyperion Press, 1996.
Tuesday, April 6 Current state of forensics

Brian Carrier, "Getting Physical with the Digital Investigation Process," J. of Digital Evidence 2(2), Nov. 2003.

Sean Peisert, Matt Bishop, Sidney Karin, and Keith Marzullo, "Principles-Driven Forensic Analysis," Proc. of NSPW'05, September 2005.

Thursday, April 8 Current state of forensic applications: law, e-voting, human resources, crime, hackers

Sean Peisert, Matt Bishop, and Keith Marzullo, "Computer Forensics In Forensis," Proc. of IEEE-SADFE'08, May 2008.

Steven J. Greenwald, "High Assurance Digital Forensics: A Panelist's Perspective," Proc. of SADFE'09, May 2009.

Matt Bishop, Sean Peisert, Candice Hoke, Mark Graff, and David Jefferson, "E-Voting and Forensics: Prying Open the Black Box," Proc. of EVT/WOTE'09, August 2009.

Matt Bishop, Mark Graff, Candice Hoke, David Jefferson, and Sean Peisert, "Resolving the Unexpected in Elections: Election Officials' Options, Tech Report, October 2008.

Further reading:
Fred Chris Smith and Rebecca Gurley Bace, A Guide to Forensic Testimony: The Art and Practice of Presenting Testimony As An Expert Technical Witness, Addison Wesley Professional, 2003.
National Research Council of the National Academies. Strengthening Forensic Science in the United States: A Path Forward, National Academies Press, 2009.
A. Yasinsac, D. Wagner, M. Bishop, T. Baker, B. de Medeiros, G. Tyson, M. Shamos, and M. Burmester, Software Review and Security Analysis of the ES&S iVotronic Voting Machine Firmware, Security and Assurance in Information Technology Laboratory, Florida State University, Tallahassee, FL, February 2007.
Tuesday, April 13 Disk/filesystem Forensics

Brian Carrier, Sleuth Kit

Gene H. Kim and Eugene H. Spafford, "The design and implementation of Tripwire: a file system integrity checker," Proc of 2nd ACM CCS, 1994.

Andrew H. Gross, "Analyzing Computer Intrusions," Ph.D Dissertation, University of California, San Diego, 1997. (§4–5 only)

Further reading:
Dan Farmer and Wietse Venema, Forensic Discovery, Addison Wesley Professional, 2004. (text available freely online)
Brian Carrier, File System Forensic Analysis, Addison Wesley Professional, 2005.
Matt Bishop, Auditing Files on a Network of UNIX Machines, Proc. of the USENIX UNIX Security Workshop, 1988.
NIST Forensic Sciences Standards
NIST Computer Forensics Tool Testing Program
Thursday, April 15 Logging

Matt Bishop, "A Standard Audit Trail Format," Proc of the 1995 National Information Systems Security Conference, 1995.

Bruce Schneier and John Kelsey, "Secure Audit Logs to Support Computer Forensics," ACM TISSEC 2(2), May 1999.

Sun's Basic Security Module (BSM)

Tuesday, April 20 Host forensics

Samuel T. King and Peter M. Chen, "Backtracking Intrusions," ACM TOCS 23(1), February 2005.

Sean Peisert, Matt Bishop, Sidney Karin, and Keith Marzullo, "Analysis of Computer Intrusions Using Sequences of Function Calls," IEEE TDSC 4(2), April–June 2007.

Ashvin Goel, Wu-chang Feng, David Maier, Wu-chi Feng, and Jonathan Walpole, "Forensix: A Robust, High-Performance Reconstruction System," Proc. of the International Conference on Distributed Computing Systems, 2005.

Further reading:
Chris Eagle, The IDA Pro Book: The Unofficial Guide to the World's Most Popular Disassembler, No Starch Press, 2008.
Thursday, April 22 Network forensics (1)

Stefan Savage, David Wetherall, Anna Karlin, and Tom Anderson, "Practical network support for IP traceback," Proc of ACM SIGCOMM'00, 2000.

Peter Sommer, "Intrusion Detection Systems as Evidence," Proc. of RAID, 1998.

Peter Stephenson, "The Application of Intrusion Detection Systems in a Forensic Environment," (extended abstract), Proc. of RAID, 2000.

Further reading:
James A. Hoagland, Christopher Wee, and Karl N. Levitt, "Audit Log Analysis Using the Visual Audit Browser," Technical Report CSE-95-11, UC Davis, 1995.
Tuesday, April 27 Network forensics (2), Virtual machine introspection and the "observer" effect (1)

Samuel T. King, Z. Morley Mao, Dominic G. Lucchetti, and Peter M. Chen, Enriching Intrusion Alerts Through Multi-Host Causality," Proc. of NDSS, 2005.

Wei Wang and Thomas E. Daniels, "A Graph Based Approach Toward Network Forensics Analysis," ACM TISSEC 12(1), 2008.

George W. Dunlap, Samuel T. King, Sukru Cinar, Murtaza A. Basrai and Peter M. Chen, "ReVirt: enabling intrusion analysis through virtual-machine logging and replay," Proc of OSDI, 2002.

Samuel T. King, George W. Dunlap, and Peter M. Chen, "Debugging Operating Systems with Time-Traveling Virtual Machines," Proc of USENIX'05, April 2005.

Further reading:
Satish Narayanasamy, Gilles Pokam and Brad Calder, "BugNet: Recording Application Level Execution for Deterministic Replay Debugging," Proc. of ICSA, 2005.
Daniela A. S. de Oliveira, Jedidiah R. Crandall, Gary M. Wassermann, S. Felix Wu, Zhendong Su, and Frederic T. Chong, "ExecRecorder: VM-Based Full-System Replay for Attack Analysis and System Recovery. Workshop on Architectural and System Support for Improving Software Dependability," Proc. of ASID, 2006.
Yin Zhang and Vern Paxson, "Detecting Stepping Stones," Proc. of the 9th USENIX Security, 2000.
David L. Donoho, Ana Georgina Flesia, Umesh Shankar, Vern Paxson, Jason Coit, and Stuart Staniford, "Multiscale Stepping-Stone Detection: Detecting Pairs of Jittered Interactive Streams by Exploiting Maximum Tolerable Delay," Proc of RAID, 2002.
Thursday, April 29 VMs (2) and Models (1)

Brian Payne, "Secure and Flexible Monitoring of Virtual Machines," Proc of ACSAC, 2007.

Brian Hay and Kara Nance, "Forensic Examination of Volatile System Data Using Virtual Introspection," ACM SIGOPS, 42(3), 2008.

Matt Bishop, "A Model of Security Monitoring," Proc. of ACSAC, December 1989.

Further reading:
Bryan D. Payne, Martim Carbone, Monirul Sharif, and Wenke Lee, "Lares: An Architecture for Secure Active Monitoring Using Virtualization," Proc of IEEE S&P (Oakland), 2008.
Kara Nance, Brian Hay, and Matt Bishop, "Virtual Machine Introspection," IEEE Security & Privacy, 6(5):32-37, September/October 2008.
Tuesday, May 4 Models (2)

Matt Bishop, "A Model of Security Monitoring," Proc. of ACSAC, December 1989.

Matt Bishop, Christopher Wee, and Jeremy Frank, "Goal-Oriented Logging and Auditing," 1996 (re-published as Computer Security: Art and Science §24.3)

Sean Peisert, Matt Bishop, Sidney Karin, and Keith Marzullo, "Toward Models for Forensic Analysis," Proc. of SADFE'07, April 2007.

Further reading:
Sean Peisert and Matt Bishop, "How to Design Computer Security Experiments," Proc of WISE, 2007.
John McHugh, "Testing Intrusion Detection Systems: A Critique of the 1998 and 1999 DARPA Intrusion Detection System Evaluations as Performed by the Lincoln Laboratory," ACM TISSEC, 3(4), November 2000.
Stefan Axelsson, "The Base-Rate Fallcy and the Difficulty of Intrusion Detection," ACM TISSEC, 3(3), August 2000.
Kymie M.C. Tan and Roy A. Maxion, "'Why 6?'—Defining the Operational Limits of stide, an Anomaly-Based Intrusion Detector," Proc of IEEE S&P, Oakland, 2002.
Thursday, May 6 Models (3)

Andrew H. Gross, "Analyzing Computer Intrusions," Ph.D Dissertation, University of California, San Diego, 1997. (§2–3 only)

Fred B. Schneider, "Enforceable Security Policies," ACM TISSEC, 3(1), Feb. 2000.

Mark M. Pollitt, "An Ad Hoc Review of Digital Forensic Models," Proc. of SADFE, 2007. (available via Smartsite under "Resources")

Further reading:
Úlfar Erlingsson and Fred B. Schneider, "SASI Enforcement of Security Policies: A Retrospective," Proc. of NSPW, 1999.
Kevin W. Hamlen, Greg Morrisett, and Fred B. Schneider, "Computability Classes for Enforcement Mechanisms," ACM TOPLAS, 28(1), 2005.
Tuesday, May 11 Models (4)

Florian Buchholz and Clay Shields, "Providing Process Origin Information to Aid in Computer Forensic Investigations," J. of Computer Security 12(5), September 2004.

Benjamin A. Kuperman, A Categorization of Computer Security Monitoring Systems and the Impact on the Design of Audit Sources, PhD Dissertation, Purdue University, 2004. (§3–5 only)

Thursday, May 13 Models (5) and Insider Threat (1)

Christian W. Probst and René R. Hansen, "Analysing Access Control Specifications," Proc of SADFE, 2009. (available via Smartsite under "Resources")

Christian W. Probst, Jeffrey Hunker, Matt Bishop, and Dieter Gollmann, Countering Insider Threats (Dagstuhl Seminar Proceedings), 2008.

Further reading:
Dan Farmer and Wietse Venema, Forensic Discovery, Addison Wesley Professional, 2004. (§ 5, 6, and 8 only)
Tuesday, May 18 No Class: Oakland Conference
Thursday, May 20 Insider threat (2) and Investigations of the scope and economics of Internet crime

Peter G. Neumann, "Combatting Insider Misuse, with Relevance to Integrity and Accountability in Elections and Other Applications," Dagstuhl Workshop on Insider Threats, 2008.

Matt Bishop, Sophie Engle, Deborah A. Frincke, Carrie Gates, Frank L. Greitzer, Sean Peisert, and Sean Whalen, "A Risk Management Approach to the 'Insider Threat,'" Insider Threats in Cyber Security, Springer Verlag, 2010.

Jason Franklin, Vern Paxson, Stefan Savage, and Adrian Perrig, "An Inquiry into the Nature and Causes of the Wealth of Internet Miscreants" Proc of. ACM CCS, 2007.

Chris Kanich, Christian Kreibich, Kirill Levchenko, Brandon Enright, Geoffrey M. Voelker, Vern Paxson, and Stefan Savage, "Spamalytics: An Empirical Analysis of Spam Marketing Conversion, CACM 52(9):99-107, 2009.

Further reading:
Matt Bishop, Sophie Engle, Sean Peisert, Sean Whalen, and Carrie Gates, "We Have Met the Enemy and He is Us," Proc. of NSPW, 2008.
Matt Bishop, Sophie Engle, Sean Peisert, Sean Whalen, and Carrie Gates, "Case Studies of an Insider Framework," Proc of HICSS, 2009.
Sara Sinclair and Sean W. Smith, "Preventative Directions For Insider Threat Mitigation Via Access Control," Insider Attack and Cyber Security: Beyond the Hacker, Springer-Verlag, 2008.
David S. Anderson, Chris Fleizach, Stefan Savage, and Geoffrey M. Voelker, "Spamscatter: Characterizing Internet Scam Hosting Infrastructure," Proc. of USENIX Security , 2007.
Christian Kreibich, Chris Kanich, Kirill Levchenko, Brandon Enright, Geoffrey M. Voelker, Vern Paxson, and Stefan Savage, "Spamcraft: An Inside Look at Spam Campaign Orchestration," Proc. of LEET, 2009.
Tuesday, May 25 Guest Lecture
Thursday, May 27 Guest Lecture
Tuesday, June 1 Student Presentations
Thursday, June 3 Student Presentations


Details TBA.