CS 665 - Network Forensics
Tuesdays - 6:15pm-8:45pm - BC640
DRAFT SYLLABUS - AUG 27, 2009
Network forensics involves the identification, preservation, and analysis of evidence of attacks in order to identify the attackers and document their activity with sufficient reliability to justify appropriate technological, business, and legal responses. This course, however, focuses only on the technological and not on the legal components of the topic. Much of the emphasis is on the network traffic analysis aspect, not on the host aspect. The technical aspect addresses analysis of intruder types and the intrusion process, review of network traffic logs (pcap, flow records) and profiles and their types, identification of attack signatures and fingerprints, application of data mining techniques, study of various traceback methods, and the extraction of information (e.g. from malware, including botnet traffic) acquired through the use of network analysis tools and techniques. The class will not only cover the subjects in theory but will also provide the students with extensive hands-on experience. The class will involve a fair amount of programming. Those who take the class are expected to be able to program in C/C++, have some basic knowledge of linear algebra, graph theory and statistics, be able to work with Mathematica and Matlab, and be familiar with network basics and programming, as well as Unix-like operating systems.
Instructor:
Dr. Sven Dietrich (spock AT cs DOT stevens DOT edu)
Office hours: Tuesdays before class, and by appointment. Babbio 635.
Prerequisites:
- CS 521, CS 579
- or permission of the instructor
Textbook and Resources:
Applied Security Visualization, by Raffael Marty
Publisher: Addison Wesley Professional
ISBN-10: 0-321-51010-0
ISBN-13: 978-0-321-51010-5
Other recommended books and resources:
- Applied Cryptography, by Bruce Schneier.
- Cryptography and Network Security, by William Stallings.
- Firewalls and Internet Security, by William Cheswick, Steven Bellovin and Aviel Rubin.
- "Internet Denial of Service: Attack and Defense Mechanisms," by Jelena Mirkovic, Sven Dietrich, David Dittrich, and Peter Reiher.
- Other materials will include recent papers on the various subject areas, as shown in the timetable below.
- SiLK tool suite.
- The Honeynet project page.
- Davix tool suite.
- Emulab, a virtual testing environment. A forensics project has been created.
Projects/Programming:
There will be group projects for this class. In general, programming sections of a project should compile and run on the Unix lab (Burchard) or Cybersecurity lab (Babbio) machines. For projects dealing with Windows/MacOS or other OSes, you must get the permission of the instructor.
Project I: A 5 to 8-page paper summarizing your project findings plus a 15-minute presentation to the class followed by 10-15 minutes of discussion.
Project II: A 15-page paper summarizing your project findings, plus any programming appendices, and a 30-minute presentation followed by 15-30 minutes of discussion.
Grading:
- Quizzes (unannounced): 30%
- Midterm paper/presentation: 20%
- Final paper/presentation: 30%
- Class participation/peer review: 20%
Policies:
- No cell phones should be used in class. They should be off or on silent.
- Laptops should not be used in class, unless explicitly required.
- A make-up project presentation will be granted only if the instructor is notified before the exam and there is serious illness or a similarly important reason for missing that day.
- No make-up quizzes.
- For fairness to all students there will be no individual extra credit work.
- Assignments are due before the lecture begins at 6:15pm. After 6:15pm, 25% will be deducted from your grade. For assignments late more than one (two) day(s), 50% (75%) will be deducted. No credit will be given for assignments that are more than 3 days late. Exceptions may be granted only if there is an important reason. Exceptions must be cleared with the instructor in advance. If you must miss a class at which an assignment is due, you may email your assignment to the instructor, timestamped BEFORE it is due.
- You may collaborate on projects with your fellow students to a limited degree. That is, you may discuss concept clarifications with other students, but the specific details of your projects must be your own work.
- You must specify in writing any resources (web, books etc.) other than the textbook that you used for completing the assignments.
- It is cheating to collaboratively work out a detailed solution, to copy a solution from another student or some other resource without specifying it, or to give away a solution.
- Self-plagiarism is considered cheating.
- ALL parties involved in a case of cheating get an automatic grade of zero (0) in the assignment/exam. Repeated cases get an F in the course. Any case of cheating will be reported to the honor board or the Dean of the Graduate School.
Syllabus:
| Week | Date | Topics | Reading |
|------|------|--------|---------|
| 1 | September 1, 2009 | Introduction. Host security and network security. Basic cryptography and cryptanalysis. Steganography. Traffic types. | Mirkovic et al., Chapters 1-4 |
| 2 | September 8, 2009 | Basic traffic analysis. Pcap vs. NetFlow vs. Headers. Project I & II ideas due. | SiLK Analysts' Handbook; Paper 1; Paper 2; Paper 3 |
| 3 | September 15, 2009 | Approaches for Traffic and Data Anonymization. Project I proposals due. | Paper 1; Paper 2; Paper 3; Paper 4 |
| 4 | September 22, 2009 | Network Statistics and Visualization. | SiLK's RAVE docs; Passive monitor; Visualization (cached) |
| 5 | September 29, 2009 | TBD | Mirkovic et al., Chapter 7, Appendix C; Presentation 1; Presentation 2; Presentation 3 |
| 6 | October 6, 2009 | Advanced Mathematical Traffic Models | Paper 1; Paper 2; Paper 3; Paper 4 |
| 7 | October 13, 2009 | No classes - Monday schedule | |
| 8 | October 20, 2009 | Project presentations I. Project II revised proposals due. | |
| 9 | October 27, 2009 | Multiresolution Analysis I | Wikipedia entry; Paper 1; Paper 2 |
| 10 | November 3, 2009 | Multiresolution Analysis II | Paper 1; Paper 2; Paper 3; Paper 4; Wavelets examples in Matlab; Matlab Wavelets package |
| 11 | November 10, 2009 | Sidechannel Analysis | Cryptanalysis Lounge; Wikipedia entry; Mirkovic, Backscatter |
| 12 | November 17, 2009 | Connecting the dots: relating to the host | |
| 13 | November 24, 2009 | Basic host forensics | Knoppix; Forensic tools |
| 14 | December 1, 2009 | Special topics. Draft presentations/papers due. | Highlights from recent papers |
| 15 | December 15, 2009 | Project presentations II. | Presentation 1; Paper 1 |