The ICSI Networking Group Blog

Summer Internships

2012-02-06T10:03:00.000-08:00

The Networking Group is now accepting applications for Summer 2012 internships. Applicants should be Ph.D. students with a solid research background in networking and/or security. To apply, send a resume to summer@icir.org, and arrange for a letter of reference to be sent to that address too. The deadline for applications is February 24, 2012.

Oakland'11 papers

2011-06-09T00:08:00.000-07:00

At this year's IEEE Symposium on Security and Privacy we presented two papers.

The first presents an extensive measurement study our team of 15 researchers, postdocs and graduate students at UCSD and ICSI has worked on for two years. It expands the analysis of the spam value chain into the financial domain, illuminates the affiliate program landscape for pharmaceuticals, replica goods, and software, and identifies three banks that together receive the credit card transactions of 95% of the spam we observe.

K. Levchenko, A. Pitsillidis, N. Chachra, B. Enright, M. Felegyhazi, C. Grier, T. Halvorson, C. Kanich, C. Kreibich, H. Liu, D. McCoy, N. Weaver, V. Paxson, G. M. Voelker, and S. Savage. Click Trajectories: End-to-End Analysis of the Spam Value Chain. IEEE Symposium on Security and Privacy, 2011, Oakland, USA.

The second paper presents Monarch, a real-time system that crawls URLs as they are submitted to web services and determines whether the URLs direct to spam. The paper evaluates the fundamental challenges that arise due to the diversity of web service spam. Monarch could protect a service such as Twitter—which needs to process 15 million URLs/day—for a bit under $800/day.

K. Thomas, C. Grier, J. Ma, V. Paxson and D. Song. Monarch: Providing Real-Time URL Spam Filtering as a Service. IEEE Symposium on Security and Privacy, 2011, Oakland, USA.

SIGCOMM awards

2011-06-08T23:50:00.000-07:00

ACM has awarded this year's SIGCOMM award to Vern Paxson, for his seminal contributions to the fields of Internet measurement and Internet security, and for distinguished leadership and service to the Internet community.

SIGCOMM's Test-Of-Time Award recognizes papers published at least ten years ago that have turned out to make significant contributions to the field of networking. This year one of the two papers chosen is "A Scalable Content-addressable Network" which appeared in SIGCOMM 2001 and is authored by current and past ICSI researchers Sylvia Ratnasamy, Paul Francis, Mark Handley, Richard Karp and Scott Shenker.

Bro Internship

2011-02-23T15:29:00.001-08:00

The Bro project is looking for an intern this summer as well.

Summer Internships

2011-02-22T10:11:00.001-08:00

The Networking Group is now accepting applications for Summer 2011 internships. Applicants should be Ph.D. students with a solid research background in networking and/or security. To apply, send a resume to summer@icir.org, and arrange for a letter of reference to be sent to that address too. The deadline for applications is March 18, 2011.

Characterizing Scanning Behavior

2010-12-07T09:31:00.000-08:00

Last week, Tom Dooner and Brian Stack, two undergraduates we're working with at Case Western Reserve University, presented a poster at Case's Intersections: SOURCE Undergraduate Symposium and Poster Session. The work presented is a preliminary characterization of scanning patterns as observed over 12+ years at LBNL. You can view the poster here.

Followup: Tom and Brian's poster won second place among posters from the College of Engineering at this event. Congrats!

IMC'10 Paper on Illuminating Edge Networks

2010-11-23T10:36:00.000-08:00

Earlier this month we presented the ICSI Netalyzr at the Internet Measurement Conference in Melbourne, Australia. The Netalyzr is a public edge network measurement and debugging service that evaluates the functionality provided by people's Internet connectivity. Its tests include outbound port filtering, hidden in-network HTTP caches, DNS manipulations, NAT behavior, path MTU issues, access-modem buffer capacity, and growing IPv6 support and performance. The paper is available here:

Christian Kreibich, Nicholas Weaver, Boris Nechaev, and Vern Paxson. Netalyzr: Illuminating The Edge Network. Internet Measurement Conference, 2010, Melbourne, Australia. (bib)

The Netalyzr has been one of our major research efforts over the past two years, and we're thrilled by the popularity it has gained since we launched it—to date, Netalyzr has collected 160,000 sessions from 6,800 different organisations in 190 countries: The study is ongoing, so visit the Netalyzr website and run it yourself!

Paper on Emergency Notification

2010-11-17T05:24:00.000-08:00

We recently published a paper that discusses a special-purpose social network for communicating during an wide-scale emergency situation (e.g., an earthquake).

Mark Allman. On Building Special-Purpose Social Networks for Emergency Communication. ACM Computer Communication Review, 40(5), October 2010.

The CCR public review of the paper is also available here.

Dealing with Tussle

2010-10-22T04:32:00.000-07:00

At HotNets this week Aditya Akella presented our joint paper outlining an architectural framework for dealing with the tussle that naturally arise between networks that want to control resources and enforce policies, on the one hand, and users who are trying to accomplish some work, on the other. The paper is:

Chitra Muthukrishnan, Vern Paxson, Mark Allman, Aditya Akella. Using Strongly Typed Networking to Architect for Tussle. ACM SIGCOMM Workshop on Hot Topics in Networks (HotNets), October 2010.

While many of the details of a practical implementation would need to be worked out we'd appreciate feedback on this thought experiment.

Postdoctoral Fellowship Opening

2010-09-13T15:23:00.001-07:00

The International Computer Science Institute (ICSI) invites applications for a Postdoctoral Fellow position in the area of applying modern compiler technology to the domain of high-performance network security monitoring.

The Fellow will be working with ICSI's Networking Group on designing, implementing, and evaluating novel approaches for efficient monitoring of large-scale network environments. The position's primary research focus is on developing strategies for compiling high-level analysis descriptions into highly optimized code for execution on current multi-core architectures.

Please see the full posting for more information.

Major NSF Funding for Bro Development

2010-08-24T17:12:00.003-07:00

The Bro team is jazzed to announce that the National Science Foundation has awarded a grant of almost $3M to the International Computer Science Institute (ICSI) and the National Center for Supercomputing Applications (NCSA) for extensive Bro development.

The funded project aims specifically at addressing much of the feedback that we have received from Bro users over the years. It will enable us to refine many of the rough edges that the system has accumulated over time[*], improve Bro's performance significantly, and also make it much easier for the community to contribute to the project.

For further information, see the joint ICSI/NCSA press release.

Thanks to everybody who helped make this happen!

[*] Yes, that includes documentation!

Cybercasing the Joint

2010-08-24T17:12:00.001-07:00

Earlier this month, we presented a paper on how geotagging can leave users vulnerable to what we termed "cybercasing":

Gerald Friedland, Robin Sommer
Cybercasing the Joint: On the Privacy Implications of Geo-Tagging
Proc. USENIX Workshop on Hot Topics in Security, 2010

This work was featured by the New York Times, ABC News, Toronto Star, and New Scientist.

Machine Learning For Network Intrusion Detection

2010-05-24T21:34:00.001-07:00

At last week's IEEE Symposium on Security & Privacy, we presented some thoughts on using machine learning for intrusion detection:

Robin Sommer, Vern Paxson
Outside the Closed World: On Using Machine Learning For Network Intrusion Detection
Proc. IEEE Symposium on Security and Privacy, 2010

Slides are here.

LEET'10 paper on proactive domain blacklisting

2010-05-04T11:21:00.000-07:00

At last week's LEET'10 workshop we presented our recent work on proactive domain blacklisting based on registration patterns of domain names used in scams.

M. Felegyhazi, C. Kreibich, and V. Paxson. On the Potential of Proactive Domain Blacklisting. Third USENIX Workshop on Large-scale Exploits and Emergent Threats (LEET '10), 2010, San Jose, CA, USA. (bib)

TCP Performance in Enterprise Networks

2010-05-03T12:58:00.000-07:00

Last week at INM/WREN Vern presented our paper (as a proxy for Boris who was stranded in Finland by volcanic ash) on TCP performance observed within the LBNL enterprise network. The paper is:

Boris Nechaev, Mark Allman, Vern Paxson, Andrei Gurtov. A Preliminary Analysis of TCP Performance in an Enterprise Network. USENIX Internet Network Management Workshop/Workshop on Research on Enterprise Networking (INM/WREN), April 2010.

Early Retransmit

2010-04-27T07:11:00.000-07:00

After many years our Early Retransmit specification is now an RFC.

Mark Allman, Konstantin Avrachenkov, Urtzi Ayesta, Josh Blanton, Per Hurtig. Early Retransmit for TCP and SCTP, April 2010. RFC 5827.

An Assessment of Web Timeouts

2010-04-20T11:41:00.000-07:00

Two weeks ago at PAM Zak presented our work in assessing the length and implications of various timeouts associated with the process of downloading web pages. The paper are slides:

Zakaria Al-Qudah, Michael Rabinovich, Mark Allman. Web Timeouts and Their Implications. Passive and Active Measurement Conference, April 2010. Zak's slides.

A Longitudinal Look at Web Traffic

2010-04-20T11:40:00.000-07:00

A couple weeks back at PAM Tom presented our initial analysis of 3.5 years of HTTP traffic from ICSI's border. The paper and slides from the talk:

Tom Callahan, Mark Allman, Vern Paxson. A Longitudinal View of HTTP Traffic. Passive and Active Measurement Conference, April 2010. Tom's slides.

ICSI Netalyzr leaves beta

2010-01-13T10:24:00.000-08:00

Today we are taking the ICSI Netalyzr out of the beta stage. Among the changes we are rolling out are:

New tests. We now provide a path MTU test, IP fragmentation support, improved DNS examination, and look up additional names. Besides the client-side transcript you can now inspect the server-side one, which is useful for debugging highly troubled sessions. In addition, we have improved the overall robustness of the existing tests.
Interface improvements. A frequent complaint we received was that the results summary is overwhelming. As a first step to improve the situation, you can now selectively show or hide result summary detail. On the summary page, you find clickable plus/minus symbols that will expand/collapse test results on the entire page, in a particular test class, or on a particular test. When you first arrive at the summary page, any issues we have noticed remain expanded by default.
Updated info pages. Each of our tests comes with an info page, available by clicking on the test's name (such as "Path MTU" in the above). We have given those info pages a makeover, which will hopefully make them easier to understand and more useful to less technical users.

We hope you will enjoy the new Netalyzr. Many thanks to everyone who has tried out the tool in the past!

Securing Web Content

2009-12-14T20:05:00.000-08:00

Former ICSI visitor Joakim Koskela recently presented a joint paper on securing web content at the Re-Architecting the Internet workshop held at CoNext 2009. The paper is available as:

Joakim Koskela, Nicholas Weaver, Andrei Gurtov, Mark Allman. Securing Web Content. ACM CoNext Workshop on ReArchitecting the Internet (ReArch), December 2009.

CCS'09 paper on automatic protocol reverse-engineering

2009-11-13T13:29:00.000-08:00

At this week's CCS conference we presented a technique for automating protocol reverse-engineering from executable programs and its application to botnet C&C protocols.

J. Caballero, P. Poosankam, C. Kreibich, and D. Song. Dispatcher: Enabling Active Botnet Infiltration using Automatic Protocol Reverse-Engineering. 16th ACM Conference on Computer and Communications Security (CCS), Chicago, IL, USA. [PDF, BibTeX]

This is joint work with the BitBlaze team at UC Berkeley. MIT Technology Review has published an article on our work.

IMC '09 Paper on Characterizing Residential Broadband Traffic

2009-11-12T12:43:00.000-08:00

Last week at IMC we presented initial work on characterizing residential broadband traffic. The paper is:

Gregor Maier, Anja Feldmann, Vern Paxson, Mark Allman. On Dominant Characteristics of Residential Broadband Internet Traffic. ACM SIGCOMM/USENIX Internet Measurement Conference, November 2009.

IMC '09 Paper on Calibrating Enterprise Packet Trace Measurements

2009-11-12T12:37:00.000-08:00

Last week we presented a paper at IMC on calibrating a set of packet traces taken by simultaneously tapping multiple switch ports within a large enterprise. We present a set of techniques, the pitfalls of not calibrating such packet traces and a quite initial traffic breakdown from LBNL's enterprise network. The paper is:

Boris Nechaev, Vern Paxson, Mark Allman, Andrei Gurtov. On Calibrating Enterprise Switch Measurements. ACM SIGCOMM/USENIX Internet Measurement Conference, November 2009.

Bro Tutorial at ACSAC

2009-09-17T11:01:00.001-07:00

A heads-up for folks interested in learning more about using Bro effectively: In addition to the Bro workshop next month, we will also be giving a one-day Bro tutorial at this year's ACSAC conference in Honolulu, Hawaii.

Postdoctoral Fellowship Opening

2009-08-21T11:02:00.001-07:00

The International Computer Science Institute (ICSI) invites applications for a postdoctoral Fellow position in the area of high-performance network security monitoring. The Fellow will be working with ICSI's networking group on designing, implementing, and evaluating novel approaches to highly concurrent network traffic analyses in large-scale network environments. The work will focus on exploiting the concurrency potential of both commodity and special-purpose hardware platforms, as well as on building novel programming & execution environments tailored to the target domain.

See the full job description for information on how to apply.