Course Lecture Plan


Lectures Topics

Speakers & Notes


Mon 3/26 Class Overview, Overview of Internet Security. Yan [ppt]

Symantec Internet Security Threat Report April 2010.

Wed 3/28 Mobile Malcode [malcode.ppt][botnet.ppt]
No paper summary needed.

Taxonomy of Botnet Threats, Trend Micro White Paper, November 2006.

[Reference]A Survey of Botnet Technology and Defenses, M. Bailey, et al. in the Proc. of the 2009 Cybersecurity Applications & Technology Conference for Homeland Security.

Mon 4/2 Network-level defense: vulnerability signatures
Xitao, Yan
Shield: Vulnerability-Driven Network Filters for Preventing Known Vulnerability Exploits, by Helen J. Wang, et al, in the Proc. of ACM SIGCOMM, 2004.
[Ref] NetShield: Massive Semantics-based Vulnerability Signature Matching for High-speed Networks , by Z. Li et al,  in the Proc. of ACM SIGCOMM, 2010.
Wed 4/4 Vulnerability signature generation
Xitao, Xin

Towards Automatic Generation of Vulnerability-Based Signatures, by David Brumley, et al, in the Proceedings of the 2006 IEEE Symposium on Security and Privacy.

Mon 4/9

Polymorphic Malware Detection


Synthesizing Near-Optimal Malware Specifications from Suspicious Behaviors. Matt Fredrikson, Somesh Jha, Mihai Christodorescu, Reiner Sailer, Xifeng Yan. IEEE Symposium on Security and Privacy 2010.
[Ref] Effective and Efficient Malware Detection at the End Host, by Clemens Kolbitsch, et al, Usenix Security Symposium 2009.

Wed 4/11

WWW security background

No paper summary needed

Browser Security Handbook, part 1 (Basic concepts).

Virtual Browser: a Virtualized Browser to Sandbox Third-party JavaScripts with Enhanced Security, by Yinzhi Cao et al, in the Proc. of AsiaCCS, 2012.

Mon 4/16

Web origins and the same origin policy

Jed, Xin

The Multi-Principal OS Construction of the Gazelle Web Browser, Helen Wang, Chris Grier, Alexander Moshchuk, Samuel T. King, Piali Choudhury, and Herman Venter, USENIX Security 2009.

[Ref]Cross-Origin JavaScript Capability Leaks: Detection, Exploitation, and Defense, Adam Barth, Joel Weinberger, and Dawn Song, USENIX Security 2009.

Wed 4/18

(Combined with 4/16 class)
Cross-site Scripting Attacks (XSS)


Jonathan, William

ScriptGard: Automatic Context-Sensitive Sanitization for Large-Scale Legacy Web Applications, by Prateek Saxena, et al, in the Proc. of ACM CCS 2011.
A Systematic Analysis of XSS Sanitization in Web Application Frameworks, by Joel Weinberger, et al, in the Proc. of ESORICS 2011.

Mon 4/23

Cross-site request forgery (CSRF) Attacks

Connor, Xiang

A Server- and Browser-Transparent CSRF Defense for Web 2.0 Applications, by Riccardo Pelizzi, and R Sekar. in thet Proc. of ACSAC 2011.
[Ref] Automatic and Precise Client-Side Protection against CSRF Attacks, by Philippe De Ryck, et al, in the Proc. of Esorics, 2011.

Wed 4/25

Heap Spraying Attacks

Xiang, Yinzhi
Rozzle: De-Cloaking Internet Malware, by Clemens Kolbitsch, et al, in the Proc. of IEEE Symposium on Security and Privacy, 2012.
[Ref] ZOZZLE: Fast and Precise In-Browser JavaScript Malware Detection, by Charlie Curtsinger, et al., in the Proc. of USENIX Security, 2011.

Mon 4/30

Midterm project presentation
[Social Network Security][NIPS and Vulnerability Signatures] [Android Security]  [Web Security

Wed 5/2

Smartphone security and privacy background.

No paper summary is needed.
Mobile Application Security on Android, by Jesse Burns at Black Hat 2009.
Reference slides: Understanding Android's Security Framework (Tutorial) by W. Enck, and P. McDaniel.
TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones, by William Enck et al. in Proc. of the USENIX OSDI, 2010.

Mon 5/7

Smartphone Malware

Jed, Jonathon
Hey, You, Get off of My Market: Detecting Malicious Apps in Official and Alternative Android Markets, by Yajin Zhou, et al, in the Proc. of the NDSS 2012.
[Ref] A Survey of Mobile Malware in the Wild, Adrienne Porter Felt et al, ACM Workshop on Security and Privacy in Mobile Devices (SPSM) 2011 (ref slides).

Wed 5/9

Smartphone Capability Leaks

William, Shaker
Systematic Detection of Capability Leaks in Stock Android Smartphones. by Michael Grace, et al, in the Proc. of the NDSS 2012.
[Ref] Permission Re-Delegation: Attacks and Defenses, by Adrienne Porter Felt, et al., in the Proc. of USENIX Security Symposium, 2011. (Reference talk slides).

Mon 5/14

Online Social Network Security Background

No paper summary is needed.
Towards Online Spam Detection in Social Networks, by Hongyu Gao et al., in the Proc. of NDSS 2012
[Ref] Security Issues in Online Social Networks, by Hongyu Gao, et. al, in IEEE Internet Computing, Volume 15, Issue 4, 2011.

Wed 5/16

OSN Spam



Dan, Shaker

Suspended Accounts in Retrospect: An Analysis of Twitter Spam, by Kurt Thomas, et. al. in the Proc. of ACM SIGCOMM IMC, 2011.
[Ref] @spam: The Underground on 140 Characters or Less, by Grier, et. al, in the Proc. of ACM CCS, 2010.

Mon 5/21

OSN Privacy


, Hongyu

Hummingbird: Privacy at the time of Twitter, by Emiliano De Cristofaro, et. al. in the Proc. of IEEE Symposium on S&P (Oakland), 2012.
[Ref] You are what you like! Information leakage through users' Interests, by Abdelberi Chaabane, et. al., in the Proc. of NDSS, 2012.

Wed 5/23

Merged with the 5/30 class

Mon 5/28

No class due to Memorial Day.

Wed 5/30

Project presentation.

Notes: You may find the brochure useful: Efficient reading of papers in Science and Technology by Michael J. Hanson, 1990, revised 2000 Dylan McNamee.