CS 5323 Principles of Computer and Information Security

Professor Ravi Sandhu

Spring 2018, TR 6:00-7:15pm, Location: MH 3.04.14
Class web site: www.profsandhu.com/cs5323_s18
Please send all class related emails to: ravi.utsa@gmail.com
Office hours: by appointment only. Please request via email to above address.
UTSA common syllabus information: provost.utsa.edu/syllabus.asp

Important Notices:

• 4/30/18: Quiz 3 grades have been posted. Quiz 3 resubmission due Monday May 7 by midnight Central.
• 4/17/18: Quiz 3 protocol: graded papers will be returned by email, resubmission will be due 1 week after graded papers are returned.
• 4/12/18: Students with score less than 18 on Exam 2 can resubmit by 4/30/18, midnight Central time.
• 4/12/18: For resubmission, limit the answers to 1/2 page for each question. Otherwise follow same directions as for original submission.
• 4/12/18: Exam 2 grades have been posted.
• 4/5/18: Quiz 2 resubmission grades have been posted.
• 3/28/18: Complete lecture schedule, slides (except L16 is incomplete), and readings have been posted.
• 3/28/18: Weightage for take-home examinations, quizzes and term paper has been adjusted.
• 3/28/18: Take-home examination 3 has been eliminated. Use the time to work on your term paper.
• 3/27/18: Quiz 2 grades have been posted. Quiz 2 resubmission due Tuesday April 3 by midnight Central.
• 3/23/18: Lecture 13 has been renamed, no change in content.
• 3/21/18: Part III lecture slides and readings have been posted. Final 2 lectures are pending.
• 3/11/18: Exam 2 has been posted. Due by Monday Mar 26, midnight Central.
• 3/06/18: Students must finalize selection of term project papers by Friday 3/16/18.
• 3/08/18: Exam 1 grades have been posted.
• 3/01/18: Feedback on selection of term project papers has been provided.
• 2/27/18: Quiz 1 resubmission grades have been posted.
• 2/13/18: Quiz 1 grades have been posted. Quiz 1 resubmission due Tuesday Feb 20 by midnight Central.
• 2/12/18: Slides and readings for Part II: Access Control have been posted
• 2/07/18: Guidance on term papers updated
• 2/06/18: Reminder: choice of technology domain for term project is due today
• 2/06/18: Take-home exam 1 posted, due by Monday Feb 26 midnight Central
• 2/06/18: Take-home exam schedule adjusted
• 1/25/18: Lecture 4, slide 2 also slightly updated
• 1/25/18: Slides for lectures 2, 3 updated to mark slides not covered in class
• 1/23/18: Broken links for 1/30/18 lecture fixed
• 1/23/18: Quiz 0 class performance posted
• 1/18/18: Schedule readjusted to final form (subject to small adjustments)
• 1/17/18: Lecture slides and readings through 2/1/18 posted
• 1/17/18: Lecture schedule adjusted due to UTSA closure on Tues 1/16/18
• 1/11/18: Quiz 0 resubmissions due by 5pm Thurs Jan 18, 2018 by email to ravi.utsa@gmail.com
• 1/02/18: Initial website launched.
• Watch this space for important announcements throughout the semester.

Important Policies:

• Attendance: Students are expected to attend all lectures. Attendance will be recorded and will be taken into consideration when assigning overall class grade.
• In class quizzes: Quizzes are to be answered in class without use of any reference material including class powerpoint and notes.
• Follow up to in class quizzes: Students are required to resubmit answers to quiz questions for which they had points deducted. These answers must be certified by each student as being their own work without help from anyone else. The follow up is open-book in that any reference material can be used.
• Take-home examinations: Take-home examinations are open-book in that any reference material can be used. Each student is required to certify that they have not taken or given any help on the examination. Class time will be allocated to work on each examination, but preparing a solution will typically take additional time.
• Term project: There will be an individual term project. Policies for certification of individual effort are identical to those for take-home examinations.
• Make-up opportunities for missed assignments/exams/term projects: No make-up exams/assignments will be given except for the university sanctioned excused absences. If you must miss an exam or an assignment and you have an excused absence (e.g., a religious holy day, an official university function, military service, medical emergency, extenuating circumstances), it is your responsibility to contact me in advance or as soon as possible thereafter and provide reasonable documentation. For more information, see www.utsa.edu/hop/chapter5/5-9.html.

Prerequisites:

Catalog Description:

• 5323 Principles of Computer and Information Security 3 hours credit.
  An introduction to the protection of computer systems and networks. Topics include authentication, access controls, malicious logic, formal security methods, assurance and trust in computer systems and networks, firewalls, auditing and intrusion detection, cryptography and information hiding, risk management, computer forensics, and ethics.

Format:

• Lectures with supporting readings from the literature.

Learning Objectives:

• Designed as first graduate course for CS students without prior security courses.
• Cover a broad range of fundamental security topics with technical depth.
• Foster independent and critical thinking on security topics by students.

Grading:

• Modified on 3/28/18: Grades will be based on take-home written examinations (30%), in class quizzes and follow up (40%), and a term project (30%).
• Original announcement: Grades will be based on take-home written examinations (40%), in class quizzes and follow up (40%), and a term project (20%).
• Examinations and term project will be graded according to the following rubric (docx) (pdf).
• Quiz questions will be graded on a 3 point scale: 2=sufficiently correct, 1=somewhat correct, 0=incorrect.
• Extra positive and negative credit, at Professor's discretion, will be given for the following.
  • Class attendance and participation.
  • Completing course evaluation as per Provost's memo.

Term Project is as follows: (additional guidelines may be posted here as semester proceeds)

• Technology domains selected:
  • Internet of Things (IoT): 11
  • Cloud Computing: 5
  • Electronic Currency: 5
  • Smart Grid: 2
  • Smart Home: 2
  • Electronic Voting: 2
  • Smart City: 1
  • Medical Devices: 0
  • Android Security: 0
  • Online Banking: 0
  Choose your own (subject to approval of instructor):
  • Autonomous Vehicles: 1
  • Gaming: 1
  • Intrusion Prevention Systems: 1
  • Wearable Devices: 1
• Submit a term paper at the end of the semester addressing the following questions:
  1. What is the current state of art with respect to this technology domain? Is it mature, emerging or speculative? What is the future prognosis? [Limit 1/2 page total]
  2. What is unique or special about this technology domain with respect to security? [Limit 1/2 page total]
  3. Select 3 papers from the literature which you recommend as useful to read for someone investigating this domain. For each paper explain why you consider it important to read and what are its crucial insights. Also identify the shortcomings and limitations of each paper. [Limit 1/2 page total for each paper]
     [Total Limit for Term Paper: 2 1/2 pages]
• Term paper must be written entirely by each student without assistance. Students are permitted to discuss the topic with others (unlike for take-home examinations).
• Due dates:
  • 2/06/18: Commit to a technology domain, send email to ravi.utsa@gmail.com
  • 2/27/18: Email pdf copies of 3 selected papers to ravi.utsa@gmail.com with subject: "Term Project Papers <lastname, firstname>". Name the paper files as "<lastname firstname 1>.pdf", "<lastname firstname 2>.pdf", and "<lastname firstname 3>.pdf".
  • 3/16/18: Obtain approval from instructor for choice of papers
  • 4/30/18: Term paper due by email to ravi.utsa@gmail.com
    • Subject line: "Term paper <lastname firstname>"
    • Attached pdf file should be named: "Term paper <lastname firstname>.pdf"
    • Attached pdf file shoud include the statement: "I have not given any help to anyone in writing the term paper and have not received any such help in my writing" followed by your name as a token of signature.

Examinations, due dates and class performance: will be posted here as the semester proceeds

• Exam 2: max=18, min=10, med=18, avg=15.3 out of 18
• Examination 2 is posted: pdf, docx. Due by Monday Mar 26, midnight Central.
  • Above pdf states limit of 1 page per answer while docx says 1/2 page. Either length is acceptable without penalty.
• Exam 1: max=44, min=27, med=37.5, avg=36.1 out of 45
• Examination 1 is posted: pdf, docx. Due by Monday Feb 26, midnight Central.
• Readings for Examination 1: Solms-Niekerk-2013, Sandhu-etal-2010.

Quiz resubmission due dates and class performance: will be posted here as the semester proceeds

• Quiz 3 in class: max=20, min=2, med=11.5, avg=12.1 out of 20
• Quiz 3 resubmissions due by midnight Mon May 7, 2018
  • Email to ravi.utsa@gmail.com with subject "Quiz 3 <lastname, firstname>"
  • Attach a pdf file named "Quiz 3 <lastname, firstname>.pdf"
• Quiz 2 resubmission: max=24, min=23, med=24, avg=23.9 out of 24
• Quiz 2 in class: max=24, min=0, med=17.5, avg=15.4 out of 24
• Quiz 2 resubmissions due by midnight Tues Apr 3, 2018
  • Email to ravi.utsa@gmail.com with subject "Quiz 2 <lastname, firstname>"
  • Attach a pdf file named "Quiz 2 <lastname, firstname>.pdf"
• Quiz 1 resubmission: max=18, min=16, med=18, avg=17.8 out of 18
• Quiz 1 in class: max=18, min=6, med=13.5, avg=13.2 out of 18
• Quiz 1 resubmissions due by midnight Tues Feb 20, 2018
  • Email to ravi.utsa@gmail.com with subject "Quiz 1 <lastname, firstname>"
  • Attach a pdf file named "Quiz 1 <lastname, firstname>.pdf"
• Quiz 0 resubmit: max=50, min=36, med=46, avg=44.8 out of 50
• Quiz 0 in class: max=43, min=1, med=13, avg=14.1 out of 50
• Quiz 0 resubmissions due by 5pm Thurs Jan 18, 2018 by email to ravi.utsa@gmail.com

Schedule Notes:

• The weekly schedule is subject to change and adjustment as the semester progresses.
• Assigned readings for a lecture should be read in advance of the lecture for maximum benefit.
• Readings are marked as follows.
  • Full: Read in full.
  • Part: Read in part.
  • Ref: Reference.

Schedule by Week: subject to change

• Tue 1/09/18: Opening class and class evaluation quiz 0 (not counted towards class grade).
• Thu 1/11/18: Introduction to Cyber Security
  • Slides: L1.pptx, L1.pdf

  Part I: Cryptography

• Tue 1/16/18: UTSA closed due to inclement weather.
• Thu 1/18/18: Cryptography Basics and Symmetric Cryptography
  • Slides: L2.pptx, L2.pdf
  • Readings: no assigned readings for lectures through 1/25/18
• Tue 1/23/18: Asymmetric Cryptography
  • Slides: L3.pptx, L3.pdf
• Thu 1/25/18: Public-Key Certificates, Challenge-Response Authentication
  • Slides: L4.pptx, L4.pdf, L5.pptx, L5.pdf
• Tue 1/30/18: SSL
  • Slides: L6.pptx, L6.pdf
  • Readings: Ref: The TLS Protocol, Version 1.0, RFC 2246
  • Readings: Full: The Problem with Multiple Roots in Web Browsers-Certificate Masquerading. Proc. Seventh IEEE International Workshops on Enabling Technologies: Infrastructure for Collaborative Enterprises, 1998 (WET ICE '98), pp. 306-311.
  • Readings: Part: Carvalho, M., DeMott, J., Ford, R., and Wheeler, D. A. (2014). Heartbleed 101. IEEE security & privacy, 12(4), 63-67.
• Thu 2/01/18: SSL (continued)
• Tue 2/06/18: Review lecture.
• Thu 2/08/18: In class quiz 1. Take-home examination 1. No lecture.

  Part II: Access Control

• Tue 2/13/18: Discretionary Access Control (DAC)
  • Slides: L7.pptx, L7.pdf
  • Readings: Full: Sandhu, R. S., & Samarati, P. (1994). Access control: principle and practice. IEEE communications magazine, 32(9), 40-48.
• Thu 2/15/18: Mandatory Access Control (MAC). Also called Lattice-Based Access Control (LBAC).
  • Slides: L8.pptx, L8.pdf
  • Readings: Full: Sandhu, R. S. (1993). Lattice-based access control models. IEEE Computer, 26(11), 9-19.
• Tue 2/20/18: Take-home examination 1 (continued). No class.
• Thu 2/22/18: Take-home examination 1 (continued). No class.
• Tue 2/27/18: MAC continued. Role-Based Access Control (RBAC) started.
  • Slides: L9.pptx, L9.pdf
  • Readings: Full: Sandhu, R. S., Coyne, E. J., Feinstein, H. L., & Youman, C. E. (1996). Role-based access control models. IEEE Computer, 29(2), 38-47.
    or alternately Chapters 1 & 2 of: Sandhu, R. S. (1998). Role-based access control. Advances in computers, 46, 237-286.
  • Readings: Part: Ferraiolo, D. F., Sandhu, R., Gavrila, S., Kuhn, D. R., & Chandramouli, R. (2001). Proposed NIST standard for role-based access control. ACM TISSEC, 4(3), 224-274.
• Thu 3/01/18: RBAC continued.
• Tue 3/06/18: Attribute-Based Access Control (ABAC)
  • Slides: L10.pptx, L10.pdf
  • Readings: Full: Hu, V. C., Kuhn, D. R., & Ferraiolo, D. F. (2015). Attribute-Based Access Control. IEEE Computer, 48(2), 85-88.
  • Readings: Part: Jin, X., Krishnan, R., & Sandhu, R. (2012). A unified attribute-based access control model covering DAC, MAC and RBAC. IFIP 11.3 DBSec (pp. 41-55).
  • Readings: Full: Kuhn, D. R., Coyne, E. J., & Weil, T. R. (2010). Adding attributes to role-based access control. IEEE Computer, 43(6), 79-81.
• Thu 3/08/18: Review lecture.
• Tue 3/13/18: Spring Break. No class.
• Thu 3/15/18: Spring Break. No class.
• Tue 3/20/18: In class quiz 2. Take-home examination 2. No lecture.
• Thu 3/22/18: Take-home examination 2 (continued). No class.

  Part III: Miscellaneous Topics

• Tue 3/27/18: Intrusion Detection: Base Rate Fallacy
  • Slides: L11.pptx, L11.pdf
  • Readings: Part: Axelsson, Stefan. The base-rate fallacy and the difficulty of intrusion detection. ACM Transactions on Information and System Security (TISSEC) 3, no. 3 (2000): 186-205.
  • Readings: Part: Nwokedi Idika and Aditya Mathur, A Survey of Malware Detection Techniques, Purdue University, Feb 2007.
• Thu 3/29/18: Intrusion Detection Evaluation
  • Slides: L12.pptx, L12.pdf
  • Readings: Part: Milenkoski, A. et al 2015. Evaluating computer intrusion detection systems: A survey of common practices. ACM Computing Surveys (CSUR), 48(1), p.12 (including Appendix).
• Tue 4/03/18: Work on term paper. No class.
• Thu 4/05/18: Internet Security Threat Status
  • Slides: L13.pptx, L13.pdf
  • Readings: Part: Symantec Internet Security Threat Report, Volume 22, April 2017.
  • Readings: Part: Symantec Internet Security Threat Report, Volume 21, April 2016.
• Tue 4/10/18: Work on term paper. No class.
• Thu 4/12/18: Malware Detection
  • Slides: L14.pptx, L14.pdf
  • Readings: Full: You, I., and Yim, K. Malware obfuscation techniques: A brief survey. IEEE International Conference on Broadband, Wireless Computing, Communication and Applications, Nov 2010, pp. 297-300.
  • Readings: Part: Ken Thompson. Reflections on trusting trust. Commun. ACM 27, 8 (August 1984), 761-763.
  • Readings: Ref: Fred Cohen, Computer viruses: Theory and experiments, Computers & Security, Volume 6, Issue 1, February 1987, Pages 22-35.
  • Readings: Ref: Wheeler, D.A., Countering trusting trust through diverse double-compiling, 21st Annual Computer Security Applications Conference, pp.13-48, 5-9 Dec. 2005.
• Tue 4/17/18: Privacy
  • Slides: L15.pptx, L15.pdf
  • Readings: Part: Clifton, Chris, and Tamir Tassa. "On Syntactic Anonymity and Differential Privacy." Transactions on Data Privacy 6, no. 2 (2013): 161-183.
• Thu 4/19/18: Authentication
  • Slides: L16.pptx, L16.pdf
  • Readings: Full: Morris, R., & Thompson, K. (1979). Password security: A case history. Communications of the ACM, 22(11), 594-597.
  • Readings: Full: Extracts from Digital Identity Guidelines Authentication and Lifecycle Management. NIST Special Publication 800-63B, June 2017.
  • Readings: Ref: Digital Identity Guidelines Authentication and Lifecycle Management. NIST Special Publication 800-63B, June 2017.
• Tue 4/24/18: Review lecture
• Thu 4/26/18: In class quiz 3. No lecture.

• Mon 5/11/18: Finals Grades Due by 2pm.

END