CS 5323 Principles of Computer and Information Security

Professor Ravi Sandhu

Spring 2017, MW 6:00-7:15pm, Location: MH 2.02.16
Class web site: www.profsandhu.com/cs5323_s17
Please send all class related emails to: ravi.utsa@gmail.com
Office hours: by appointment only. Please request via email to above address.
UTSA common syllabus information: provost.utsa.edu/syllabus.asp

Important Notices:

• 4/19/17: Exam 2 summary of results is available here.
• 4/19/17: L18 posted.
• 4/17/17: Exam 3 has been posted in weekly schedule under date 4/24/17. Due 5/3/17 by 5:00pm.
• 4/17/17: L17 posted.
• 4/12/17: L16 posted.
• 4/10/17: L15 posted.
• 4/7/17: L13 revised: 2 slides added at end.
• 4/5/17: L14 posted.
• 4/3/17: L13 posted. L12 revised and posted, slide 22 onwards.
• 3/29/17: L12 posted.
• 3/27/17: L11 posted.
• 3/8/17: Exam grading rubric has been updated regarding discussions with me, as follows: rubric (docx) (pdf).
• 3/8/17: Exam 1 summary of results is available here.
• 3/8/17: Exam 2 has been posted in weekly schedule under date 3/20/17. Due 3/29/17 by 5:00pm.
• 3/8/17: All updates to Part 2 of the course have been posted.
• 3/1/17: L10 posted: last portion on OpenSSL Heartbleed attack to be done.
• 3/1/17: L8 modified: slides 31-33.
• 2/21/17: L8, L9 have been posted.
• 2/20/17: L7 has been posted.
• 2/5/17: Exam 1 has been posted in weekly schedule under date 2/13/17. Due 2/27/17 by 5:00pm.
• 2/2/17: L4 slide 55 modified to correct a typo.
• 2/1/17: L5 slide 24 modified to correct a typo.
• 1/24/17: L3 slide 30 modified to align all 3 lattices.
• 1/12/17: L2 new slide added at position 33.
• 12/31/16: part 1 slides and readings posted (L6 to be completed).
• 12/19/16: initial website created.
• Watch this space for important announcements throughout the semester.

Prerequisites:

Catalog Description:

• 5323 Principles of Computer and Information Security 3 hours credit.
  An introduction to the protection of computer systems and networks. Topics include authentication, access controls, malicious logic, formal security methods, assurance and trust in computer systems and networks, firewalls, auditing and intrusion detection, cryptography and information hiding, risk management, computer forensics, and ethics.

Format:

• Lectures with supporting readings from the literature.

Learning Objectives:

• Designed as first graduate course for CS students without prior security courses.
• Cover a broad range of fundamental security topics with technical depth.

Grading:

• Grading will be based on 3 written examinations.
• Each examination will be based on the lectures immediately preceding the examination.
• Examinations will be take-home with prescribed submission deadline.
• Examinations will be graded according to the following rubric (docx) (pdf).
• Extra credit at Professor's discretion will be given for the following.
  • Class attendance and participation.
  • Completing course evaluation as per Provost's memo.

Schedule Notes:

• The weekly schedule is subject to change and adjustment as the semester progresses.
• Assigned readings for a lecture should be read in advance of the lecture for maximum benefit.
• Readings are marked as follows.
  • Full: Read in full.
  • Part: Read in part.
  • Ref: Reference.

Schedule by Week: Please visit often as the semester proceeds.

Part 1: Access Control

• Mon 01/09/17: L1. Introduction and Basic Concepts
• Slides: L1.pptx, L1.pdf


• Wed 01/11/17: L2. Discretionary Access Control (DAC)
• Slides: L2.pptx, L2.pdf
• Readings: Full: Morris, R., & Thompson, K. (1979). Password security: A case history. Communications of the ACM, 22(11), 594-597.
• Readings: Full: Sandhu, R. S., & Samarati, P. (1994). Access control: principle and practice. IEEE communications magazine, 32(9), 40-48.
• Readings: Ref: Harrison, M. A., Ruzzo, W. L., & Ullman, J. D. (1976). Protection in operating systems. Communications of the ACM, 19(8), 461-471.


• Mon 01/16/17: MLK Holiday. No class.


• Wed 01/18/17: L3. Mandatory Access Control (MAC)
• Slides: L3.pptx, L3.pdf
• Readings: Full: Sandhu, R. S. (1993). Lattice-based access control models. IEEE Computer, 26(11), 9-19.
• Readings: Ref: Pittelli, P. A. (1987). The Bell-La Padula Computer Security Model Represented as a Special Case of the Harrison-Ruzzo-Ullman Model. National Computer Sec. Conf. (pp. 118-121).


• Mon 01/23/17: L3. Mandatory Access Control (MAC) continued


• Wed 01/25/17: L4. Role-Based Access Control (RBAC)
• Slides: L4.pptx, L4.pdf
• Readings: Full: Sandhu, R. S., Coyne, E. J., Feinstein, H. L., & Youman, C. E. (1996). Role-based access control models. IEEE Computer, 29(2), 38-47.
  or alternately Chapters 1 & 2 of: Sandhu, R. S. (1998). Role-based access control. Advances in computers, 46, 237-286.
• Readings: Part: Ferraiolo, D. F., Sandhu, R., Gavrila, S., Kuhn, D. R., & Chandramouli, R. (2001). Proposed NIST standard for role-based access control. ACM TISSEC, 4(3), 224-274.
• Readings: Part: Sandhu, R., Bhamidipati, V., & Munawer, Q. (1999). The ARBAC97 model for role-based administration of roles. ACM TISSEC, 2(1), 105-135.
• Readings: Part: Osborn, S., Sandhu, R., & Munawer, Q. (2000). Configuring role-based access control to enforce mandatory and discretionary access control policies. ACM TISSEC, 3(2), 85-106.
• Readings: Ref: Fuchs, L., Pernul, G., & Sandhu, R. (2011). Roles in information security-A survey and classification of the research area. Computers & security, 30(8), 748-769.
• Readings: Ref: Ahn, G. J., & Sandhu, R. (2000). Role-based authorization constraints specification. ACM TISSEC, 3(4), 207-226.


• Mon 01/30/17: L4. Role-Based Access Control (RBAC) continued


• Wed 02/01/17: L5. Attribute-Based Access Control (ABAC)
• Slides: L5.pptx, L5.pdf
• Readings: Full: Hu, V. C., Kuhn, D. R., & Ferraiolo, D. F. (2015). Attribute-Based Access Control. IEEE Computer, 48(2), 85-88.
• Readings: Part: Jin, X., Krishnan, R., & Sandhu, R. (2012). A unified attribute-based access control model covering DAC, MAC and RBAC. IFIP 11.3 DBSec (pp. 41-55).
• Readings: Part: Chapter 3 of Xin Jin, Attribute-Based Access Control Models and Implementation in Cloud Infrastructure as a Service, PhD Dissertation, UTSA,Spring 2014.
• Readings: Full: Kuhn, D. R., Coyne, E. J., & Weil, T. R. (2010). Adding attributes to role-based access control. IEEE Computer, 43(6), 79-81.
• Readings: Part: Al-Kahtani, M. A., & Sandhu, R. (2002). A model for attribute-based user-role assignment. IEEE ACSAC (pp. 353-362).
• Readings: Part: Jin, X., Sandhu, R., & Krishnan, R. (2012). RABAC: Role-Centric Attribute-Based Access Control. MMM-ACNS (pp. 84-96).
• Readings: Part: Park, J., & Sandhu, R. (2004). The UCON ABC usage control model. ACM TISSEC, 7(1), 128-174.
• Readings: Ref: Guide to Attribute Based Access Control (ABAC) Definition and Considerations. NIST Special Publication 800-162.
• Readings: Ref: Zhang, X., Parisi-Presicce, F., Sandhu, R., & Park, J. (2005). Formal model and policy specification of usage control. ACM TISSEC, 8(4), 351-387.


• Mon 02/06/17: L5. Attribute-Based Access Control (ABAC) continued


• Wed 02/08/17: L6. Relationship-Based Access Control (ReBAC)
• Slides: L6.pptx, L6.pdf
• Readings: Part: Cheng, Y., Park, J., & Sandhu, R. (2016). An Access Control Model for Online Social Networks Using User-to-User Relationships. IEEE TDSC, 13(4), 424-436.
• Readings: Part: Cheng, Y., Park, J., & Sandhu, R. (2012). Relationship-based access control for online social networks: Beyond user-to-user relationships. IEEE PASSAT (pp. 646-655).
• Readings: Part: Cheng, Y., Park, J., & Sandhu, R. (2014). Attribute-aware relationship-based access control for online social networks. IFIP 11.3 DBSec (pp. 292-306).
• Readings: Part: Ahmed, T., Patwa, F., & Sandhu, R. (2016). Object-to-Object Relationship-Based Access Control: Model and Multi-Cloud Demonstration. IEEE IRI (pp. 297-304).
• Readings: Full: Ahmed, T., Sandhu, R., & Park, J. (2017). Classifying and Comparing Attribute-Based and Relationship-Based Access Control. ACM CODASPY.


• Mon 02/13/17: E1: Take-home examination on Part 1. No class. Exam 1 (pdf) (docx)
  • Reading for Examination 1: Full: Florincio, D., Herley, C., & Van Oorschot, P. C. (2016). Pushing on string: The 'don't care' region of password strength. Communications of the ACM, 59(11), 66-74.
  
  
• Wed 02/15/17: E1: Take-home examination on Part 1 continued. No class.

Part 2: Cryptography

• Mon 02/20/17: L7. Symmetric Cryptography
• Slides: L7.pptx, L7.pdf


• Wed 02/22/17: L7. Symmetric Cryptography continued
  Wed 02/22/17: L8. Asymmetric Cryptography
• Slides: L8.pptx, L8.pdf


• Mon 02/27/17: L8. Asymmetric Cryptography continued


• Wed 03/01/17: L9. Challenge-Response Authentication
• Slides: L9.pptx, L9.pdf


• Mon 03/06/17: L10. The SSL Protocol
• Slides: L10.pptx, L10.pdf
• Readings: Ref: The TLS Protocol, Version 1.0, RFC 2246
• Readings: Full: The Problem with Multiple Roots in Web Browsers-Certificate Masquerading. Proc. Seventh IEEE International Workshops on Enabling Technologies: Infrastructure for Collaborative Enterprises, 1998 (WET ICE '98), pp. 306-311.
• Readings: Part: Carvalho, M., DeMott, J., Ford, R., and Wheeler, D. A. (2014). Heartbleed 101. IEEE security & privacy, 12(4), 63-67.


• Wed 03/08/17: L10. The SSL Protocol continued


• Mon 03/13/17: Spring Break. No class.


• Wed 03/15/17: Spring Break continued. No class.


• Mon 03/20/17: E2: Take-home examination on Part 2. No class. Exam 2 (pdf) (docx).


• Wed 03/22/17: E2: Take-home examination on Part 2 continued. No class.

Part 3: Essential Topics (Assorted)

• Mon 03/27/17: L11. Malware Characteristics
• Slides: L11.pptx, L11.pdf
• Readings: Part: Symantec Internet Security Threat Report, Volume 21, April 2016.


• Wed 03/29/17: L12. Malware Detection
• Slides: L12.pptx, L12.pdf
• Readings: Part: Fred Cohen, Computer viruses: Theory and experiments, Computers & Security, Volume 6, Issue 1, February 1987, Pages 22-35.
• Readings: Part: Nwokedi Idika and Aditya Mathur, A Survey of Malware Detection Techniques, Purdue University, Feb 2007.
• Readings: Full: You, I., and Yim, K. Malware obfuscation techniques: A brief survey. IEEE International Conference on Broadband, Wireless Computing, Communication and Applications, Nov 2010, pp. 297-300.
• Readings: Part: Ken Thompson. Reflections on trusting trust. Commun. ACM 27, 8 (August 1984), 761-763.
• Readings: Ref: Wheeler, D.A., Countering trusting trust through diverse double-compiling, 21st Annual Computer Security Applications Conference, pp.13-48, 5-9 Dec. 2005.


• Mon 04/03/17: L13. Base Rate Fallacy
• Slides: L13.pptx, L13.pdf
• Readings: Part: Axelsson, Stefan. The base-rate fallacy and the difficulty of intrusion detection. ACM Transactions on Information and System Security (TISSEC) 3, no. 3 (2000): 186-205.


• Wed 04/05/17: L14. Anomaly Detection: Guest lecture by Shuvra Chakraborty
• Slides: L14.pptx, L14.pdf
• Readings: Part: Chandola, Varun, Arindam Banerjee, and Vipin Kumar. "Anomaly detection: A survey." ACM computing surveys (CSUR) 41, no. 3 (2009): 15.


• Mon 04/10/17: L15. Intrusion Detection Evaluation
• Slides: L15.pptx, L15.pdf
• Readings: Part: Milenkoski, A., Vieira, M., Kounev, S., Avritzer, A. and Payne, B.D., 2015. Evaluating computer intrusion detection systems: A survey of common practices. ACM Computing Surveys (CSUR), 48(1), p.12.
• Readings: Part: Appendix to above paper.


• Wed 04/12/17: L16. Firewalls
• Slides: L16.pptx, L16.pdf


• Mon 04/17/17: L17. Privacy
• Slides: L17.pptx, L17.pdf
• Readings: Part: Clifton, Chris, and Tamir Tassa. "On Syntactic Anonymity and Differential Privacy." Transactions on Data Privacy 6, no. 2 (2013): 161-183.


• Wed 04/19/17: L18. Software Defined Networks (SDNs): Guest lecture by Abdullah Al-Alaj
• Slides: L18.pptx, L18.pdf
• Readings: Part: Ahmad, I., Namal, S., Ylianttila, M. and Gurtov, A., 2015. Security in software defined networks: A survey. IEEE Communications Surveys & Tutorials, 17(4), pp.2317-2346.
• Readings: Part: Alsmadi, I. and Xu, D., 2015. Security of software defined networks: A survey. Computers & security, 53, pp.79-108.
• Readings: Part: Alsmadi, I., 2016. The integration of access control levels based on SDN. International Journal of High Performance Computing and Networking, 9(4), pp.281-290.


• Mon 04/24/17: E3: Take-home examination on Part 3. No class. Exam 3 (pdf) (docx).



• Wed 04/26/17: E3: Take-home examination on Part 3 continued. No class.

END