The ICSI Networking Group Blog

Internships for Summer 2016

2016-01-07T06:22:00.003-08:00

The ICSI Networking and Security Group is accepting applications for summer interns for 2016. ICIR's internships are paid positions, and generally aimed at Ph.D. students actively engaged in network and/or security research and with research interests that have overlap with the general areas of research of one or more of the group's staff.

Please send your applications no later than Friday, January 29, 2016. We will notify applicants of our decisions by February 16, 2015.

You can find details regarding the application process here.

Internships for Summer 2015

2015-01-22T10:27:00.001-08:00

The ICSI Networking and Security Group is accepting applications for summer interns for 2015. ICIR's internships are paid positions, and generally aimed at Ph.D. students actively engaged in network and/or security research and with research interests that have overlap with the general areas of research of one or more of the group's staff.

Please send your applications no later than Friday, January 30, 2015. We will notify applicants of our decisions by February 13, 2015.

You can find details regarding the application process here.

Internships for Summer 2014

2014-01-14T15:25:00.000-08:00

The ICSI Networking and Security Group now accepts applications for summer interns for 2014. ICIR's internships are paid positions, and generally aimed at Ph.D. students actively engaged in network and/or security research and with research interests that have overlap with the general areas of research of one or more of the group's staff.

Please send your applications no later than Friday, January 31, 2014. We will notify applicants of our decisions by February 14, 2014.

You can find details regarding the application process here.

Fathom is a Google Summer of Code Project

2013-04-18T11:51:00.001-07:00

Fathom, our browser-based network measurement platform, is part of M-lab's list of Google Summer of Code Projects. If you're a great browser/JavaScript hacker and interested in working with us on this project in the summer, check out the Fathom website and the GSoC ideas page, and get in touch!

Internships for Summer 2013

2013-01-18T05:19:00.003-08:00

The ICSI Networking and Security Group is accepting applications for summer interns for Summer 2013. ICIR's internships are paid positions, and generally aimed at Ph.D. students actively engaged in network and/or security research and with research interests that have overlap with the general areas of research of one or more of the group's staff.

The deadline for submissions is Friday February 8, 2013.
Applicants will be notified of decisions by February 22, 2013.

The application process is outlined here.

Announcing the ICSI Certificate Notary

2012-11-02T15:52:00.000-07:00

We are happy to announce the ICSI Certificate Notary today. This service provides near real-time reputation information on a large number of TLS/SSL certificates seen in the wild, collected continuously from a set of partner network sites. The notary’s data includes the time when a certificate was first and last seen, and whether we can establish a valid chain to a root certificate from the Mozilla root store.

Since the beginning of this year we collaborate with operations at about ten large network sites to passively extract certificates from their upstream traffic using Bro. This has allowed us to build a certificate database that now comprises roughly half a million unique web certificates from over 8 billion connections, representing the activity of estimated 220,000 users. (In fact, we have collected 7 million unique certificates but the majority is non-web activity and hence excluded from the notary.)

You can use the service by sending a DNS request for an A or TXT record to:

<sha1>.notary.icsi.berkeley.edu

The token <sha1> represents the SHA1 digest of the certificate to query, which you may find when consulting your browser for details about a certificate. For A record queries, the result comes back either as the address 127.0.0.1 to indicate that our data providers have seen the certificate, as 127.0.0.2 if we could recently validate the certificate against the Mozilla root store, or NXDOMAIN if we have not seen the certificate. For TXT record queries, the notary returns key-value pairs with more details. Here is an example reply:

"version=1 first_seen=15387 last_seen=15646 times_seen=260 validated=1"

For further details, usage instructions, and background reading, please visit the notary website at http://notary.icsi.berkeley.edu. We much appreciate your feedback at this early stage, both positive works-for-me notices as well as problems and suggestions for improvements.

Summer Internships

2012-02-06T10:03:00.000-08:00

The Networking Group is now accepting applications for Summer 2012 internships. Applicants should be Ph.D. students with a solid research background in networking and/or security. To apply, send a resume to summer@icir.org, and arrange for a letter of reference to be sent to that address too. The deadline for applications is February 24, 2012.

Oakland'11 papers

2011-06-09T00:08:00.000-07:00

At this year's IEEE Symposium on Security and Privacy we presented two papers.

The first presents an extensive measurement study our team of 15 researchers, postdocs and graduate students at UCSD and ICSI has worked on for two years. It expands the analysis of the spam value chain into the financial domain, illuminates the affiliate program landscape for pharmaceuticals, replica goods, and software, and identifies three banks that together receive the credit card transactions of 95% of the spam we observe.

K. Levchenko, A. Pitsillidis, N. Chachra, B. Enright, M. Felegyhazi, C. Grier, T. Halvorson, C. Kanich, C. Kreibich, H. Liu, D. McCoy, N. Weaver, V. Paxson, G. M. Voelker, and S. Savage. Click Trajectories: End-to-End Analysis of the Spam Value Chain. IEEE Symposium on Security and Privacy, 2011, Oakland, USA.

The second paper presents Monarch, a real-time system that crawls URLs as they are submitted to web services and determines whether the URLs direct to spam. The paper evaluates the fundamental challenges that arise due to the diversity of web service spam. Monarch could protect a service such as Twitter—which needs to process 15 million URLs/day—for a bit under $800/day.

K. Thomas, C. Grier, J. Ma, V. Paxson and D. Song. Monarch: Providing Real-Time URL Spam Filtering as a Service. IEEE Symposium on Security and Privacy, 2011, Oakland, USA.

SIGCOMM awards

2011-06-08T23:50:00.000-07:00

ACM has awarded this year's SIGCOMM award to Vern Paxson, for his seminal contributions to the fields of Internet measurement and Internet security, and for distinguished leadership and service to the Internet community.

SIGCOMM's Test-Of-Time Award recognizes papers published at least ten years ago that have turned out to make significant contributions to the field of networking. This year one of the two papers chosen is "A Scalable Content-addressable Network" which appeared in SIGCOMM 2001 and is authored by current and past ICSI researchers Sylvia Ratnasamy, Paul Francis, Mark Handley, Richard Karp and Scott Shenker.

Bro Internship

2011-02-23T15:29:00.001-08:00

The Bro project is looking for an intern this summer as well.

Summer Internships

2011-02-22T10:11:00.001-08:00

The Networking Group is now accepting applications for Summer 2011 internships. Applicants should be Ph.D. students with a solid research background in networking and/or security. To apply, send a resume to summer@icir.org, and arrange for a letter of reference to be sent to that address too. The deadline for applications is March 18, 2011.

Characterizing Scanning Behavior

2010-12-07T09:31:00.000-08:00

Last week, Tom Dooner and Brian Stack, two undergraduates we're working with at Case Western Reserve University, presented a poster at Case's Intersections: SOURCE Undergraduate Symposium and Poster Session. The work presented is a preliminary characterization of scanning patterns as observed over 12+ years at LBNL. You can view the poster here.

Followup: Tom and Brian's poster won second place among posters from the College of Engineering at this event. Congrats!

IMC'10 Paper on Illuminating Edge Networks

2010-11-23T10:36:00.000-08:00

Earlier this month we presented the ICSI Netalyzr at the Internet Measurement Conference in Melbourne, Australia. The Netalyzr is a public edge network measurement and debugging service that evaluates the functionality provided by people's Internet connectivity. Its tests include outbound port filtering, hidden in-network HTTP caches, DNS manipulations, NAT behavior, path MTU issues, access-modem buffer capacity, and growing IPv6 support and performance. The paper is available here:

Christian Kreibich, Nicholas Weaver, Boris Nechaev, and Vern Paxson. Netalyzr: Illuminating The Edge Network. Internet Measurement Conference, 2010, Melbourne, Australia. (bib)

The Netalyzr has been one of our major research efforts over the past two years, and we're thrilled by the popularity it has gained since we launched it—to date, Netalyzr has collected 160,000 sessions from 6,800 different organisations in 190 countries: The study is ongoing, so visit the Netalyzr website and run it yourself!

Paper on Emergency Notification

2010-11-17T05:24:00.000-08:00

We recently published a paper that discusses a special-purpose social network for communicating during an wide-scale emergency situation (e.g., an earthquake).

Mark Allman. On Building Special-Purpose Social Networks for Emergency Communication. ACM Computer Communication Review, 40(5), October 2010.

The CCR public review of the paper is also available here.

Dealing with Tussle

2010-10-22T04:32:00.000-07:00

At HotNets this week Aditya Akella presented our joint paper outlining an architectural framework for dealing with the tussle that naturally arise between networks that want to control resources and enforce policies, on the one hand, and users who are trying to accomplish some work, on the other. The paper is:

Chitra Muthukrishnan, Vern Paxson, Mark Allman, Aditya Akella. Using Strongly Typed Networking to Architect for Tussle. ACM SIGCOMM Workshop on Hot Topics in Networks (HotNets), October 2010.

While many of the details of a practical implementation would need to be worked out we'd appreciate feedback on this thought experiment.

Postdoctoral Fellowship Opening

2010-09-13T15:23:00.001-07:00

The International Computer Science Institute (ICSI) invites applications for a Postdoctoral Fellow position in the area of applying modern compiler technology to the domain of high-performance network security monitoring.

The Fellow will be working with ICSI's Networking Group on designing, implementing, and evaluating novel approaches for efficient monitoring of large-scale network environments. The position's primary research focus is on developing strategies for compiling high-level analysis descriptions into highly optimized code for execution on current multi-core architectures.

Please see the full posting for more information.

Major NSF Funding for Bro Development

2010-08-24T17:12:00.003-07:00

The Bro team is jazzed to announce that the National Science Foundation has awarded a grant of almost $3M to the International Computer Science Institute (ICSI) and the National Center for Supercomputing Applications (NCSA) for extensive Bro development.

The funded project aims specifically at addressing much of the feedback that we have received from Bro users over the years. It will enable us to refine many of the rough edges that the system has accumulated over time[*], improve Bro's performance significantly, and also make it much easier for the community to contribute to the project.

For further information, see the joint ICSI/NCSA press release.

Thanks to everybody who helped make this happen!

[*] Yes, that includes documentation!

Cybercasing the Joint

2010-08-24T17:12:00.001-07:00

Earlier this month, we presented a paper on how geotagging can leave users vulnerable to what we termed "cybercasing":

Gerald Friedland, Robin Sommer
Cybercasing the Joint: On the Privacy Implications of Geo-Tagging
Proc. USENIX Workshop on Hot Topics in Security, 2010

This work was featured by the New York Times, ABC News, Toronto Star, and New Scientist.

Machine Learning For Network Intrusion Detection

2010-05-24T21:34:00.001-07:00

At last week's IEEE Symposium on Security & Privacy, we presented some thoughts on using machine learning for intrusion detection:

Robin Sommer, Vern Paxson
Outside the Closed World: On Using Machine Learning For Network Intrusion Detection
Proc. IEEE Symposium on Security and Privacy, 2010

Slides are here.

LEET'10 paper on proactive domain blacklisting

2010-05-04T11:21:00.000-07:00

At last week's LEET'10 workshop we presented our recent work on proactive domain blacklisting based on registration patterns of domain names used in scams.

M. Felegyhazi, C. Kreibich, and V. Paxson. On the Potential of Proactive Domain Blacklisting. Third USENIX Workshop on Large-scale Exploits and Emergent Threats (LEET '10), 2010, San Jose, CA, USA. (bib)

TCP Performance in Enterprise Networks

2010-05-03T12:58:00.000-07:00

Last week at INM/WREN Vern presented our paper (as a proxy for Boris who was stranded in Finland by volcanic ash) on TCP performance observed within the LBNL enterprise network. The paper is:

Boris Nechaev, Mark Allman, Vern Paxson, Andrei Gurtov. A Preliminary Analysis of TCP Performance in an Enterprise Network. USENIX Internet Network Management Workshop/Workshop on Research on Enterprise Networking (INM/WREN), April 2010.

Early Retransmit

2010-04-27T07:11:00.000-07:00

After many years our Early Retransmit specification is now an RFC.

Mark Allman, Konstantin Avrachenkov, Urtzi Ayesta, Josh Blanton, Per Hurtig. Early Retransmit for TCP and SCTP, April 2010. RFC 5827.

An Assessment of Web Timeouts

2010-04-20T11:41:00.000-07:00

Two weeks ago at PAM Zak presented our work in assessing the length and implications of various timeouts associated with the process of downloading web pages. The paper are slides:

Zakaria Al-Qudah, Michael Rabinovich, Mark Allman. Web Timeouts and Their Implications. Passive and Active Measurement Conference, April 2010. Zak's slides.

A Longitudinal Look at Web Traffic

2010-04-20T11:40:00.000-07:00

A couple weeks back at PAM Tom presented our initial analysis of 3.5 years of HTTP traffic from ICSI's border. The paper and slides from the talk:

Tom Callahan, Mark Allman, Vern Paxson. A Longitudinal View of HTTP Traffic. Passive and Active Measurement Conference, April 2010. Tom's slides.

ICSI Netalyzr leaves beta

2010-01-13T10:24:00.000-08:00

Today we are taking the ICSI Netalyzr out of the beta stage. Among the changes we are rolling out are:

New tests. We now provide a path MTU test, IP fragmentation support, improved DNS examination, and look up additional names. Besides the client-side transcript you can now inspect the server-side one, which is useful for debugging highly troubled sessions. In addition, we have improved the overall robustness of the existing tests.
Interface improvements. A frequent complaint we received was that the results summary is overwhelming. As a first step to improve the situation, you can now selectively show or hide result summary detail. On the summary page, you find clickable plus/minus symbols that will expand/collapse test results on the entire page, in a particular test class, or on a particular test. When you first arrive at the summary page, any issues we have noticed remain expanded by default.
Updated info pages. Each of our tests comes with an info page, available by clicking on the test's name (such as "Path MTU" in the above). We have given those info pages a makeover, which will hopefully make them easier to understand and more useful to less technical users.

We hope you will enjoy the new Netalyzr. Many thanks to everyone who has tried out the tool in the past!