CS 261N: Internet/Network Security

Spring 2015

Instructor:

Vern Paxson, office hours Mon 3:30-4:30PM (737 Soda) and by appointment.
      Office hours by appointment the weeks of Jan 19 and Jan 26.

Lectures:

  Wed/Fri, 10:40AM-12:00PM, 320 Soda

Addresses:

Web page: http://www.icir.org/vern/cs261n/
Announcements, questions: the class Piazza site, which you sign up for here.
Feel free to email any question/comment you want to make privately to the instructor at vern@berkeley.edu.

Course Description:

CS 261N: Internet/Network Security. Prerequisite: CS 168 / EE 122 or equivalent; CS 161 or equivalent; basic probability/statistics. (Undergraduates must receive instructor approval.)

This class aims to provide a thorough grounding in network security suitable for those interested in conducting research in the area, as well as students more generally interested in either security or networking. We will also look at broader issues relating to Internet security for which networking plays a role. The syllabus has overlap with portions of the SEC prelim.

Topics include: denial-of-service; capabilities; network monitoring / intrusion detection; worms; forensics; scanning; traffic analysis / inferring activity; architecture; protocol issues; legality and ethics; web attacks; anonymity; honeypots; botnets; spam; the underground economy; research issues & pitfalls.

The course is taught with an emphasis on seminal papers rather than bleeding-edge for a given topic. It includes a major project that students generally undertake in teams of two.

Three hours of lecture per week. 4 units, due to the significant workload.

A note on ethics: We will be discussing attacks, some of them quite nasty, and also powerful eavesdropping technology. None of this is in any way an invitation to undertake these in any fashion other than with informed consent of all involved parties. If in any context you are uncertain about where to draw the line, come talk with me first.


Lectures:

This lecture schedule may be revised as the course progresses.

| Date | Topic | Readings | Notes |
|---|---|---|---|
| 1/21 | Overview and Logistics | (none) | |
| 1/23 | No lecture (Science of Security workshop) | | |
| 1/28 | Denial-of-Service | Inferring Internet Denial of Service Activity, Moore, Voelker and Savage, USENIX Security 2001 | Lecture materials |
| 1/30 | Traceback | Practical Network Support for IP Traceback, Savage et al., SIGCOMM 2000 | Lecture materials |
| 1/30 | PROJECT | Project Initial Thoughts due (evening) | |
| 2/4 | DoS Defense | SIFF: A Stateless Internet Flow Filter to Mitigate DDoS Flooding Attacks, Yaar, Perrig, and Song, IEEE S&P 2004 | Lecture materials |
| 2/6 | Network Intrusion Detection Systems | Bro: A System for Detecting Network Intruders in Real-Time, Vern Paxson, Computer Networks, 31(23-24), pp. 2435-2463, 14 Dec. 1999. | Lecture materials |
| 2/11 | Fundamental NIDS Issues | Network Intrusion Detection: Evasion, Traffic Normalization, and End-to-End Protocol Semantics, Mark Handley, Christian Kreibich and Vern Paxson, USENIX Security 2001 | Lecture materials |
| 2/13 | NIDS Evaluation | Testing Intrusion Detection Systems: A Critique of the 1998 and 1999 DARPA Off-line Intrusion Detection System Evaluation as Performed by Lincoln Laboratory, John McHugh, ACM Transactions on Information and System Security, 3(4). November, 2000. | Lecture materials |
| 2/13 | PROJECT | Project Proposal due (evening) | |
| 2/18 | The Threat of Worms | How to 0wn the Internet in Your Spare Time, Stuart Staniford, Vern Paxson and Nicholas Weaver, USENIX Security 2002 | Lecture materials |
| 2/20 | Worm Detection/Defense | Scalability, fidelity, and containment in the Potemkin virtual honeyfarm, Michael Vrable et al, SOSP 2005. Can we contain Internet worms?, Manuel Costa, Jon Crowcroft, Miguel Castro and Antony Rowstron, HotNets III 2004, and its public review (pp. 12-13). | Lecture materials |
| 2/25 | Scanning | Fast Portscan Detection Using Sequential Hypothesis Testing, Jaeyeon Jung, Vern Paxson, Arthur Berger, and Hari Balakrishnan, IEEE S&P 2004 | Lecture materials |
| 2/27 | Inferring Activity | Timing Analysis of Keystrokes and Timing Attacks on SSH, Dawn Song, David Wagner, Xuqing Tian, USENIX Security 2001 | Lecture materials |
| 3/4 | Forensics | Toward a Framework for Internet Forensic Analysis, Vyas Sekar et al, HotNets 2004, and its public review (pp. 13-14) | Lecture materials |
| 3/6 | Anonymity | Tor: The Second-Generation Onion Router, Roger Dingledine, Nick Mathewson, Paul Syverson, USENIX Security 2004 | Lecture materials |
| 3/6 | PROJECT | Related Work Writeup due (evening) | |
| 3/11 | No lecture (Digital Crimes Consortium) | | |
| 3/13 | Legality and Ethics | Conducting Cybersecurity Research Legally and Ethically, Aaron Burstein, First USENIX Workshop on Large-scale Exploits and Emergent Threats (LEET '08). Designing and Conducting Phishing Experiments, Peter Finn and Markus Jakobsson, IEEE Technology and Society Magazine, Special Issue on Usability and Security, 2007. | Lecture materials |
| 3/18 | Securing Protocols | Guidelines for Writing RFC Text on Security Considerations, E. Rescorla and B. Korver, RFC 3552, 2003 | Lecture materials |
| 3/20 | Securing Protocols, con't | No paper assigned. | Lecture materials |
| 3/25 | Spring Break | | |
| 3/27 | Spring Break | | |
| 4/1 | Architecture | Ethane: Taking Control of the Enterprise, Martin Casado et al., SIGCOMM 2007 | Lecture materials |
| 4/3 | Censorship | Telex: Anticensorship in the Network Infrastructure, Eric Wustrow, Scott Wolchok, Ian Goldberg and J. Alex Halderman, USENIX Security 2011 | Lecture materials |
| 4/8 | Surveillance / Authentication | Conditioned-safe Ceremonies and a User Study of an Application to Web Authentication, Chris Karlof, J.D. Tygar, and David Wagner, NDSS 2009 | Lecture materials |
| 4/10 | User Authentication | No paper assigned. | Lecture materials |
| 4/10 | PROJECT | Status Report due (evening) | |
| 4/15 | Identity | No paper assigned. | Lecture materials |
| 4/17 | Botnets | Your Botnet is My Botnet: Analysis of a Botnet Takeover, Brett Stone-Gross et al, CCS 2009 | Lecture materials |
| 4/22 | Spam | Spamming Botnets: Signatures and Characteristics, Yinglian Xie, Fang Yu, Kannan Achan, Rina Panigrahy, Geoff Hulten, and Ivan Osipkov, SIGCOMM 2008 | Lecture materials |
| 4/24 | No lecture (EECS departmental retreat) | | |
| 4/29 | Cybercrime | Click Trajectories: End-to-End Analysis of the Spam Value Chain, Kirill Levchenko et al., IEEE S&P 2011 | Lecture materials |
| 5/1 | Project presentations: Akshay/Michael; Rafael/Wontae; Ashkan | | |
| 5/6 | RRR Project presentations: Grant; Giulia/Wenting; Allon | | |
| 5/8 | RRR Project presentations: Ben/Hokeun; Linda; HKN evaluation | | |
| 5/12 | PROJECT | Project Report due (1PM) | |

Homework / Readings:

Link to the homeworks assigned so far.

There is no required textbook. All reading will be from papers. A tentative list of these is available from the syllabus. We will definitely cover most of these topics (and primary papers), but may make some changes over the course of the semester.

Homework for the course primarily consists of writing a reflection upon each paper you read. In general you are only responsible for reading the first paper listed for a given topic. If you want to read and assess a different paper instead, clear your choice with me in advance.

Submit your writeup, via email, as either plain text or HTML. (See below about anonymizing your work.) The usual deadline for writeups of papers corresponding to a Wednesday lecture is Monday 11AM. For papers corresponding to a Friday lecture, it's Wednesday 9PM. These deadlines are sharp. (Note, I may adjust them as the semester progresses.)

Typically the assignment will be for you to sketch different facets of the paper, such as:

  1. What are the paper's main contributions?
  2. What parts of the paper do you find unclear? (Optional)
  3. What parts of the paper are questionable? (E.g., methodology, omissions, relevance, presentation.)
  4. Most homeworks will include an additional specific question or two regarding the topic, such as challenging you to come up with and defend a proposed solution.

Your writeup does not need to be particularly formal, but it needs to reflect a thoughtful assessment of the paper. Writeups should generally aim for a total of around 2 pages of thoughtful content. They can be shorter if you write concisely; if longer, that may mean you have trouble trimming your discussion effectively (a skill researchers need to develop!).

It is understandable that you may find parts of some papers baffling or inaccessible. Flag these and don't kill yourself trying to absorb them - same goes for technical fine points - but use prudence in this regard. You should be able to extract a solid amount of technical material from each paper.

In general, I try to provide feedback on homework assignments. However, the size of the class may make it infeasible for me to do so for each student for each assignment. If so, I may limit the feedback I provide for some of your assignments. That said, if there are particular elements of your assessment for which you'd like direct feedback, indicate them at the top of your writeup.

I expect most homework assignments to be done individually, with it being fine to discuss the readings with your fellow students or others in order to gain comprehension, but the writeup reflecting your own views and framing. However, this year I am experimenting with allowing students to do some homeworks in pairs. In such instances, I expect both students to have read the paper and contributed to the writeup, and I will hold such writeups to a bit higher quality standards. If you work with a partner on an assignment, turn in one copy, with the partner cc'd on the email.

You should turn in your homework via email and as plain text or HTML. Include the word "Homework" (not just "HW", which some students tend to use) in the subject line, lest you risk me overlooking your mail during my relentless email processing crunch. Please leave the body of your email anonymous (don't have your name appear other than in the From address).

Late homeworks risk losing 50% credit off the top (a bit less if only a few minutes late). Writeups turned in after the corresponding lecture or posting of the corresponding exemplar (see below) will not receive any credit unless you have discussed this with me in advance.

In assessing your overall homework grade, I will skip your 4 lowest-scoring turned-in assignments. The minimum requirement for a turned-in assignment is a brief answer for part 1 (summarizing the paper's contributions), to ensure that you've read the paper enough to absorb its gist - important in order to follow elements of the lecture, which presume familiarity with the assigned paper. Assignments that you don't turn in at all count as 2 skips. This means that, without penalty, you can omit turning in up to 2 writeups, or skip 1 and turn in 2 minimal assignments, or turn in up to 4 minimal assignments.

If you won't be turning in a given assignment, I'd appreciate a note letting me know by the assignment deadline.

Homework "exemplars": Students can benefit from seeing examples of homework writeups that did particularly well at addressing an assignment. I will make such "exemplars" available a little while after an assignment's due date. Exemplars generally come from past offerings of the class (made available with the students' permission). Please do not redistribute exemplars. You can opt out of having your assignments considered for future use as exemplars by sending me a note at any time during the semester.


Project

A research-oriented project is the most significant element of your effort in the class. You undertake your project in pairs or (with instructor approval) individually. Projects may cover any topic of interest in network security, interpreted broadly (it need not be a topic discussed in class); ties with current research are encouraged. See the project description for details regarding the different elements.

You should start thinking of topics of interest quite early (first milestone regarding ideas is the end of the second week of class). Be ambitious!


Grading

Class project: 50% (based on deliveries at milestones and, especially, final report; class presentations are not graded)
Homework: 40%
Lecture participation: 10%

Syllabus

Here are the currently planned lecture topics for the course (subject to change). Usually, for each lecture the first paper is required reading and needs to be written up for homework prior to the lecture, while the remaining papers are optional.

  1. Denial-of-Service
    Inferring Internet Denial of Service Activity, David Moore, Geoffrey Voelker, and Stefan Savage, USENIX Security 2001
    Internet Denial-of-Service Considerations, M. Handley and E. Rescorla, ed., RFC 4732, 2006
    Worldwide Infrastructure Security Report, Arbor Networks, 2014 Report
    2010 Report on Distributed Denial of Service (DDoS) Attacks, Ethan Zuckerman, Hal Roberts, Ryan McGrady, Jillian York, and John Palfrey, Berkman Center for Internet & Society
    An Analysis of Using Reflectors for Distributed Denial-of-Service Attacks, Vern Paxson, Computer Communication Review 31(3), 2001
    Denial of Service via Algorithmic Complexity Attacks, Scott Crosby and Dan Wallach, USENIX Security 2003

  2. Traceback
    Practical Network Support for IP Traceback, Stefan Savage, David Wetherall, Anna Karlin and Tom Anderson, SIGCOMM 2000
    Single-Packet IP Traceback, Alex Snoeren et al, IEEE/ACM Transactions on Networking 10(6), 2002
    Advanced and Authenticated Marking Schemes for IP Traceback, Dawn Song and Adrian Perrig, INFOCOM 2001
    Understanding the Efficacy of Deployed Internet Source Address Validation Filtering, Robert Beverly, Arthur Berger, Young Hyun, and k claffy, Proc. ACM IMC 2009

  3. DoS Defense
    SIFF: A Stateless Internet Flow Filter to Mitigate DDoS Flooding Attacks, Abraham Yaar, Adrian Perrig, and Dawn Song, IEEE S&P 2004
    PI: A Path Identification Mechanism to Defend against DDoS Attacks, Abraham Yaar, Adrian Perrig and Dawn Song, IEEE S&P 2003
    Mayday: Distributed Filtering for Internet Services, David Andersen, USITS 2003

  4. Network Intrusion Detection Systems
    Bro: A System for Detecting Network Intruders in Real-Time, Vern Paxson, Computer Networks, 31(23-24), pp. 2435-2463, 14 Dec. 1999.
    Snort - Lightweight Intrusion Detection for Networks, Martin Roesch, LISA '99
    Intrusion and intrusion detection, John McHugh, International Journal of Information Security 1(1), 14-35, 2001
    NetSTAT: A Network-based Intrusion Detection System, Giovanni Vigna and Richard Kemmerer, Journal of Computer Security 7(1), pp 37-71, 1999
    Outside the Closed World: On Using Machine Learning For Network Intrusion Detection, Robin Sommer and Vern Paxson, Proc. IEEE Symposium on Security and Privacy, 2010

  5. Fundamental NIDS Issues
    Network Intrusion Detection: Evasion, Traffic Normalization, and End-to-End Protocol Semantics, Mark Handley, Christian Kreibich and Vern Paxson, USENIX Security 2001
    Insertion, Evasion, and Denial Of Service: Eluding Network Intrusion Detection, Thomas H. Ptacek and Timothy N. Newsham, Secure Networks technical report, 1998
    Robust TCP Stream Reassembly in the Presence of Adversaries, Sarang Dharmapurikar and Vern Paxson, USENIX Security 2005
    Abusing File Processing in Malware Detectors for Fun and Profit, Suman Jana and Vitaly Shmatikov, Proc. IEEE Security & Privacy, 2012

  6. NIDS Evaluation
    Testing Intrusion Detection Systems: A Critique of the 1998 and 1999 DARPA Off-line Intrusion Detection System Evaluation as Performed by Lincoln Laboratory, John McHugh, ACM Transactions on Information and System Security, 3(4). November, 2000.
    Strategies for Sound Internet Measurement, Vern Paxson, Proc. ACM IMC 2004
    Prudent Practices for Designing Malware Experiments: Status Quo and Outlook, C. Rossow et al., IEEE S&P 2012

  7. The Threat of Worms
    How to 0wn the Internet in Your Spare Time, Stuart Staniford, Vern Paxson and Nicholas Weaver, USENIX Security 2002
    Conficker Working Group: Lessons Learned, Conficker Working Group, January 2011
    With microscope and tweezers: An analysis of the Internet virus of November 1988, Mark Eichin and Jon Rochlis, IEEE S&P 1989
    A Worst-Case Worm, Nicholas Weaver and Vern Paxson, Proc. WEIS 2004
    Stuxnet: Dissecting a Cyberwarfare Weapon, Ralph Langner, IEEE Security & Privacy 9(3), 2011

  8. Worm Detection/Defense
    Scalability, fidelity, and containment in the Potemkin virtual honeyfarm, Michael Vrable et al, SOSP 2005
    Can we contain Internet worms?, Manuel Costa, Jon Crowcroft, Miguel Castro and Antony Rowstron, HotNets III 2004
    A behavioral approach to worm detection, Daniel Ellis, John Aiken, Kira Attwood, Scott Tenaglia, WORM 2004
    Design Space and Analysis of Worm Defense Strategies, David Brumley, Li-Hao Liu, Pongsin Poosankam and Dawn Song, ASIACCS'06

  9. Scanning
    Fast Portscan Detection Using Sequential Hypothesis Testing, Jaeyeon Jung, Vern Paxson, Arthur Berger, and Hari Balakrishnan, IEEE S&P 2004
    The Art of Port Scanning, Fyodor, Phrack Magazine 7(51), 1997
    DNS-based Detection of Scanning Worms in an Enterprise Network, David Whyte, Evangelos Kranakis, Paul C. van Oorschot, NDSS 2005
    A Brief History of Scanning, Mark Allman, Vern Paxson and Jeff Terrell, Proc. ACM IMC 2007
    ZMap: Fast Internet-Wide Scanning and its Security Applications, Zakir Durumeric, Eric Wustrow, and J. Alex Halderman, Proc. USENIX Security, 2013
    Detecting Stealthy, Distributed SSH Brute-Forcing, Mobin Javed and Vern Paxson, Proc. ACM CCS, 2013

  10. Inferring Activity
    Timing Analysis of Keystrokes and Timing Attacks on SSH, Dawn Song, David Wagner, Xuqing Tian, USENIX Security 2001
    Detecting stepping stones, Yin Zhang and Vern Paxson, USENIX Security 2000
    Statistical Identification of Encrypted Web Browsing Traffic, Qixiang Sun et al, IEEE S&P 2002
    Remote Timing Attacks are Practical, David Brumley and Dan Boneh, USENIX Security 2003
    BLINC: Multilevel Traffic Classification in the Dark, Thomas Karagiannis, Konstantina Papagiannaki, Michalis Faloutsos, SIGCOMM 2005
    Side-Channel Leaks in Web Applications: a Reality Today, a Challenge Tomorrow, Shuo Chen, Rui Wang, XiaoFeng Wang, and Kehuan Zhang, IEEE S&P 2010

  11. Forensics
    Toward a Framework for Internet Forensic Analysis, Vyas Sekar, Yinglian Xie, David A. Maltz, Michael K. Reiter and Hui Zhang, HotNets 2004
    Public Review of 'Toward a Framework for Internet Forensic Analysis', Alex Snoeren, HotNets 2004 Public Reviews (pp. 13-14)
    Exploiting Underlying Structure for Detailed Reconstruction of an Internet Scale Event, Abhishek Kumar, Vern Paxson and Nicholas Weaver, Proc. ACM IMC, October 2005
    Analysis of Credential Stealing Attacks in an Open Networked Environment, A. Sharma, Z. Kalbarczyk, R. Iyer and J. Barlow, Proc. Network and System Security, September 2010

  12. Anonymity / Censorship
    Tor: The Second-Generation Onion Router, Roger Dingledine, Nick Mathewson, Paul Syverson, USENIX Security 2004
    Telex: Anticensorship in the Network Infrastructure, Eric Wustrow, Scott Wolchok, Ian Goldberg, J. Alex Halderman, USENIX Security 2011

  13. Legality and Ethics
    Conducting Cybersecurity Research Legally and Ethically, Aaron Burstein, LEET 2008
    Designing and Conducting Phishing Experiments, Peter Finn and Markus Jakobsson, IEEE Technology and Society Magazine Special Issue on Usability and Security, 2007
    The Menlo Report, Michael Bailey, David Dittrich, Erin Kenneally and Doug Maughan, IEEE Security & Privacy, Vol. 10, March/April 2012

  14. Securing Protocols
    Guidelines for Writing RFC Text on Security Considerations, E. Rescorla and B. Korver, RFC 3552, 2003
    A Survey of BGP Security Issues and Solutions, Kevin Butler, Toni Farley, Patrick McDaniel, and Jennifer Rexford, Proc. IEEE 98(1), January 2010
    A Fundamental Look at DNSSEC, Deployment, and DNS Security Extensions, Geoff Huston, CircleID, 2006
    Security Assessment of the Internet Protocol Version 4, F. Gont, RFC 6274, 2011
    Secure In-Band Wireless Pairing, Shyamnath Gollakota, Nabeel Ahmed, Nickolai Zeldovich, and Dina Katabi, Proc. USENIX Security, 2011

  15. Architecture
    Ethane: Taking Control of the Enterprise, Martin Casado et al, SIGCOMM 2007
    SCION: Scalability, Control, and Isolation On Next-Generation Networks, Xin Zhang, Hsu-Chun Hsiao, Geoffrey Hasker, Haowen Chan, Adrian Perrig and David G. Andersen, IEEE S&P 2011
    A DoS-limiting network architecture, Xiaowei Yang, David Wetherall, Thomas Anderson, SIGCOMM 2005
    Tussle in Cyberspace: Defining Tomorrow's Internet, David D. Clark, John Wroclawski, Karen Sollins and Robert Braden, SIGCOMM 2002

  16. Authentication
    Conditioned-safe Ceremonies and a User Study of an Application to Web Authentication, Chris Karlof, J.D. Tygar, and David Wagner, NDSS 2009
    Robust Defenses for Cross-Site Request Forgery, Adam Barth, Collin Jackson, and John C. Mitchell, CCS 2008
    You've Been Warned: An Empirical Study of the Effectiveness of Web Browser Phishing Warnings, Serge Egelman, Lorrie Faith Cranor, and Jason Hong, Proc. ACM CHI, 2008
    Signing Me onto Your Accounts through Facebook and Google: a Traffic-Guided Security Study of Commercially Deployed Single-Sign-On Web Services, Rui Wang, Shuo Chen, and XiaoFeng Wang, Proc. IEEE Security & Privacy, 2012

  17. Web Attacks & Defenses
    Secure Content Sniffing for Web Browsers, or How to Stop Papers from Reviewing Themselves, Adam Barth, Juan Caballero, and Dawn Song, IEEE S&P 2009
    Securing Frame Communication in Browsers, Adam Barth, Collin Jackson, and John C. Mitchell, CACM 52(6), June 2009
    BLUEPRINT: Robust Prevention of Cross-site Scripting Attacks for Existing Browsers, Mike Ter Louw and V.N. Venkatakrishnan, IEEE S&P 2009
    How to Shop for Free Online - Security Analysis of Cashier-as-a-Service Based Web Stores, Rui Wang, Shuo Chen, XiaoFeng Wang, and Shaz Qadeer, IEEE S&P 2011
    Clickjacking: Attacks and Defenses, Lin-Shung Huang, Alex Moshchuk, Helen J. Wang, Stuart Schechter and Collin Jackson, IEEE S&P 2012
    Postcards from the post-XSS world, Michal Zalewski, Technical report, 2011
    The most dangerous code in the world: validating SSL certificates in non-browser software, M. Georgiev, S. Iyengar, S. Jana, R. Anubhai, D. Boneh, and V. Shmatikov, Proc. ACM CCS, 2012
    The Matter of Heartbleed, Z. Durumeric, et al., Proc. ACM IMC, 2014

  18. E-Commerce / Botnets
    Your Botnet is My Botnet: Analysis of a Botnet Takeover, Brett Stone-Gross et al, CCS 2009
    Studying Spamming Botnets Using Botlab, John P. John, Alexander Moshchuk, Steven D. Gribble, and Arvind Krishnamurthy, NSDI 2009
    A Multifaceted Approach to Understanding the Botnet Phenomenon, Moheeb Abu Rajab, Jay Zarfoss, Fabian Monrose, Andreas Terzis, Proc. ACM IMC 2006
    Characterizing Large-Scale Click Fraud in ZeroAccess, Paul Pearce, et al., Proc. ACM CCS, 2014

  19. Botnets, con't
    Measuring Pay-per-Install: The Commoditization of Malware Distribution, Juan Caballero, Chris Grier, Christian Kreibich and Vern Paxson, USENIX Security 2011
    Tracking GhostNet: Investigating a Cyber Espionage Network, Citizen Lab, Technical report, 2009
    Not-a-Bot (NAB): Improving Service Availability in the Face of Botnet Attacks, Ramakrishna Gummadi, Hari Balakrishnan, Petros Maniatis and Sylvia Ratnasamy, NSDI 2009

  20. Spam
    Spamming Botnets: Signatures and Characteristics, Yinglian Xie, Fang Yu, Kannan Achan, Rina Panigrahy, Geoff Hulten, and Ivan Osipkov, SIGCOMM 2008
    Understanding the Network-Level Behavior of Spammers, Anirudh Ramachandran and Nick Feamster, SIGCOMM 2006
    Design and Evaluation of a Real-Time URL Spam Filtering Service, Kurt Thomas, Chris Grier, Justin Ma, Vern Paxson and Dawn Song, IEEE S&P 2011
    deSEO: Combating Search-Result Poisoning, John P. John, Fang Yu, Yinglian Xie, Arvind Krishnamurthy, and Martin Abadi, Proc. USENIX Security, 2011
    Suspended Accounts in Retrospect: An Analysis of Twitter Spam, Kurt Thomas, Chris Grier, Vern Paxson and Dawn Song, Proc. ACM IMC 2011

  21. Spam / Underground Economy
    Examining the Impact of Website Take-down on Phishing, Tyler Moore and Richard Clayton, Proc. Anti-Phishing Working Group eCrime Researchers Summit, 2007
    Spamscatter: Characterizing Internet Scam Hosting Infrastructure, David Anderson, Chris Fleizach, Stefan Savage and Geoffrey Voelker, USENIX Security 2007
    The Impact of Incentives on Notice and Take-down, Tyler Moore and Richard Clayton, Workshop on the Economics of Information Security (WEIS), 2008.

  22. Underground Economy, con't
    Click Trajectories: End-to-End Analysis of the Spam Value Chain, Kirill Levchenko et al., IEEE S&P 2011
    Show Me the Money: Characterizing Spam-advertised Revenue, Chris Kanich et al., USENIX Security 2011
    Dirty Jobs: The Role of Freelance Labor in Web Service Abuse, Marti Motoyama, Damon McCoy, Kirill Levchenko, Stefan Savage, and Geoffrey M. Voelker, USENIX Security 2011