Tuesday, December 7, 2010

Characterizing Scanning Behavior

Last week, Tom Dooner and Brian Stack, two undergraduates we're working with at Case Western Reserve University, presented a poster at Case's Intersections: SOURCE Undergraduate Symposium and Poster Session. The work presented is a preliminary characterization of scanning patterns as observed over 12+ years at LBNL. You can view the poster here.

Followup: Tom and Brian's poster won second place among posters from the College of Engineering at this event. Congrats!

Tuesday, November 23, 2010

IMC'10 Paper on Illuminating Edge Networks

Earlier this month we presented the ICSI Netalyzr at the Internet Measurement Conference in Melbourne, Australia. The Netalyzr is a public edge network measurement and debugging service that evaluates the functionality provided by people's Internet connectivity. Its tests include outbound port filtering, hidden in-network HTTP caches, DNS manipulations, NAT behavior, path MTU issues, access-modem buffer capacity, and growing IPv6 support and performance. The paper is available here:

The Netalyzr has been one of our major research efforts over the past two years, and we're thrilled by the popularity it has gained since we launched it. To date, Netalyzr has collected 160,000 sessions from 6,800 different organisations in 190 countries.

The study is ongoing, so visit the Netalyzr website and run it yourself!

Wednesday, November 17, 2010

Paper on Emergency Notification

We recently published a paper that discusses a special-purpose social network for communicating during a wide-scale emergency situation (e.g., an earthquake). The CCR public review of the paper is also available here.

Friday, October 22, 2010

Dealing with Tussle

At HotNets this week, Aditya Akella presented our joint paper outlining an architectural framework for dealing with the tussle that naturally arises between networks that want to control resources and enforce policies, on the one hand, and users who are trying to accomplish some work, on the other. The paper is:

While many of the details of a practical implementation would need to be worked out, we'd appreciate feedback on this thought experiment.

Monday, September 13, 2010

Postdoctoral Fellowship Opening

The International Computer Science Institute (ICSI) invites applications for a Postdoctoral Fellow position in the area of applying modern compiler technology to the domain of high-performance network security monitoring.

The Fellow will be working with ICSI's Networking Group on designing, implementing, and evaluating novel approaches for efficient monitoring of large-scale network environments. The position's primary research focus is on developing strategies for compiling high-level analysis descriptions into highly optimized code for execution on current multi-core architectures.

Please see the full posting for more information.

Tuesday, August 24, 2010

Major NSF Funding for Bro Development

The Bro team is jazzed to announce that the National Science Foundation has awarded a grant of almost $3M to the International Computer Science Institute (ICSI) and the National Center for Supercomputing Applications (NCSA) for extensive Bro development.

The funded project aims specifically at addressing much of the feedback that we have received from Bro users over the years. It will enable us to refine many of the rough edges that the system has accumulated over time[*], improve Bro's performance significantly, and also make it much easier for the community to contribute to the project.

For further information, see the joint ICSI/NCSA press release.

Thanks to everybody who helped make this happen!

[*] Yes, that includes documentation!

Cybercasing the Joint

Earlier this month, we presented a paper on how geotagging can leave users vulnerable to what we termed "cybercasing":

Gerald Friedland, Robin Sommer
Cybercasing the Joint: On the Privacy Implications of Geo-Tagging
Proc. USENIX Workshop on Hot Topics in Security, 2010

This work was featured by the New York Times, ABC News, Toronto Star, and New Scientist.

Monday, May 24, 2010

Machine Learning For Network Intrusion Detection

At last week's IEEE Symposium on Security & Privacy, we presented some thoughts on using machine learning for intrusion detection:

Robin Sommer, Vern Paxson
Outside the Closed World: On Using Machine Learning For Network Intrusion Detection
Proc. IEEE Symposium on Security and Privacy, 2010

Slides are here.

Tuesday, May 4, 2010

LEET'10 paper on proactive domain blacklisting

At last week's LEET'10 workshop we presented our recent work on proactive domain blacklisting based on registration patterns of domain names used in scams.

Monday, May 3, 2010

TCP Performance in Enterprise Networks

Last week at INM/WREN Vern presented our paper (as a proxy for Boris who was stranded in Finland by volcanic ash) on TCP performance observed within the LBNL enterprise network. The paper is:

Tuesday, April 27, 2010

Early Retransmit

After many years our Early Retransmit specification is now an RFC.

Tuesday, April 20, 2010

An Assessment of Web Timeouts

Two weeks ago at PAM, Zak presented our work in assessing the length and implications of various timeouts associated with the process of downloading web pages. The paper and slides:

A Longitudinal Look at Web Traffic

A couple weeks back at PAM Tom presented our initial analysis of 3.5 years of HTTP traffic from ICSI's border. The paper and slides from the talk:

Wednesday, January 13, 2010

ICSI Netalyzr leaves beta

Today we are taking the ICSI Netalyzr out of the beta stage. Among the changes we are rolling out are:
  • New tests. We now provide a path MTU test, IP fragmentation support, improved DNS examination, and look up additional names. Besides the client-side transcript you can now inspect the server-side one, which is useful for debugging highly troubled sessions. In addition, we have improved the overall robustness of the existing tests.
  • Interface improvements. A frequent complaint we received was that the results summary is overwhelming. As a first step to improve the situation, you can now selectively show or hide result summary detail. On the summary page, you find clickable plus/minus symbols that will expand/collapse test results on the entire page, in a particular test class, or on a particular test. When you first arrive at the summary page, any issues we have noticed remain expanded by default.
  • Updated info pages. Each of our tests comes with an info page, available by clicking on the test's name (such as "Path MTU" in the above). We have given those info pages a makeover, which will hopefully make them easier to understand and more useful to less technical users.
We hope you will enjoy the new Netalyzr. Many thanks to everyone who has tried out the tool in the past!