CS 6393: Research Challenges in Cyber Security

Prof. Ravi Sandhu

Spring 2013, Friday 10am-12:45pm, Location: SB 3.02.10A
www.profsandhu.com/cs6393_s13

All course related email should be sent to ravi.cs6393@gmail.com

TA:

Important Notices:

• 5/2/13: Exam 2 (optional for possible upgrade) docx pdf
• 4/18/13: Lecture 12 posted.
• 4/12/13: Lecture 10 slides posted.
• 4/11/13: Lecture 11 posted.
• 4/4/13: Lecture 10 reading paper posted.
• 3/28/13: Lecture 9 posted.
• 3/26/13: Lecture 9 reading paper posted.
• 3/21/13: Exam 1 due date extended to April 8 by 12noon.
• 3/21/13: RACKSPACE – UTSA OPEN CLOUD WORKSHOP (pdf)
• 3/20/13: Lecture 8 reading papers posted.
• 3/07/13: Lecture 7 posted.
• 3/06/13: Lecture 7 reading papers posted.
• 3/04/13: Exam 1 has been posted in the weekly schedule below under date 3/01/13.
• 3/01/13: Exam will be posted on Monday (3/04/13).
• 2/22/13: Lecture 6 posted
• 2/07/13: Lecture 4 posted.
• 1/30/13: Lecture 3 updated, Lecture 6 posted.
• 1/28/13: Lecture 3 reading papers posted.
• 1/18/13: Lecture 1 updated, Lecture 2 posted.
• 1/4/13: Initial web site created.
• Watch this space for important announcements throughout the course. Recent announcements will be highlighted in red.

Course Prerequisites:

• Currently enrolled in CS MS or PhD program at UTSA.
• Comfortable with Discrete Mathematics and Computer Systems Technologies.
• Comfortable accessing and searching papers on-line via http://lib.utsa.edu/Databases/ and via Google Scholar.

Catalog Description:

• 6393 Advanced Topics in Computer Security (3-0) 3 hours credit.
  Analysis of computer security. The topics may include but are not limited to database and distributed systems security, formal models for computer security, privacy and ethics, intrusion detection, critical infrastructure protection, network vulnerability assessments, wireless security, trusted computing, and highly dependable systems. May be repeated for credit when topics vary.

Course Format:

• Lectures with supporting papers from the literature.
• Examinations will require critical thinking beyond material available in the lectures, supporting papers and the Internet.

Course Objectives:

• This is a research-oriented course designed for CS graduate students.
• Primary goal is to develop critical understanding and thinking with respect to current research challeneges in cyber scurity.

Grading:

• Grades will be based on examinations and class participation.

Examination Protocol and Schedule:

• There are two examinations, nominally assigned to one lecture period each.
• Examinations will be posted on the class web page, embedded in the weekly schedule.
• Solutions are due on the posted date. No extensions without strong cause.
• Each examination is to be solved by students individually. Students can access whatever material they choose but cannot discuss with other students or colleagues.
• Each solution must be accompanied by the following statement: I have not taken any help on this examination from anybody and have not given any help to anybody.
• Each solution must be within the length limits provided.
• Solutions are to be submitted by email in pdf to ravi.cs6393@gmail.com

Schedule Notes:

• The weekly schedule is subject to change and adjustment as the semester proceeds.
• Assigned readings for a lecture are expected to be read in full in advance of the lecture for maximum benefit. Readings marked as partial are not required to be read in full. Selected aspects will be covered in class. Readings marked as reference should be reviewed as indicated in each case and will only be discussed briefly in class.

Schedule of Lectures, Readings and Examinations by Week:

• 1/18/13: Lecture 1: Cyber Security Research: A Personal Perspective (pptx) (pdf)
  
  Read fully:
  Ravi Sandhu;, "Speculations on the science of web user security", http://profsandhu.com/journals/compnw/compnw12.pdf, Computer Networks, Volume 56, Number 18, Dec. 2012, pages 3891-3895.
  


• 1/25/13: Lecture 2: Access Control Models (pptx) (pdf)
  
  Read in Full:
  
  1. Ravi Sandhu; Pierangela Samarati;, "Access Control: Principles and Practice", http://profsandhu.com/journals/commun/i94ac(org).pdf, Communications Magazine, IEEE, Volume 32, Issue 9, Sept. 1994, pages 40-48.
     
  2. Ravi Sandhu;, "Lattice-Based Access Control Models", http://profsandhu.com/journals/computer/i93lbacm(org).pdf, Computer, IEEE, Volume 26, Issue 11, Nov. 1993, Pages 9-19.
     
  3. Ravi Sandhu;, "Role-based access control models", http://profsandhu.com/journals/computer/i94rbac(org).pdf, Computer, IEEE,Volume 29, Issue 2, Feb. 1996, Pages 38-47.
     
  4. Ravi Sandhu; Jaehong Park;, "Usage Control: A Vision for Next Generation Access Control", http://profsandhu.com/confrnc/misconf/2003_MMS_UCON.pdf, MMM-ACNS 2003, Springer, Sep. 2003, Pages 17-31.
     
  Read as Reference:
  
  1. Ravi Sandhu;, "The PEI framework for application-centric security", http://profsandhu.com/confrnc/misconf/collabcom09_pei.pdf, CollaborateCom, Nov. 2009, Pages 1-5.
     
  2. David Ferraiolo; Ravi Sandhu;, "Proposed NIST Standard for Role-Based Access Control", http://profsandhu.com/journals/tissec/p224-ferraiolo.pdf, TISSEC, ACM, Volume 4, Issue 3, Aug. 2001,Pages 224-274 .
     


• 2/1/13: Lecture 2 continued
  2/1/13: Lecture 3: Authentication with Passwords (pptx) (pdf)
  
  Read in Full:
  
  1. "A Research Agenda Acknowledging the Persistence of Passwords"(pdf)
     
  2. "Password Security: A Case History"(pdf)
     
  3. "Rethinking Passwords"(pdf)
     
  Read as Reference:
  
  1. "Fast Dictionary Attacks on Passwords Using TimeSpace Tradeoff"(pdf)
     


• 2/8/13: Lecture 4: Authentication beyond Passwords (pptx) (pdf)
  
                      The Quest for Single Sign On (pptx) (pdf)
  Read in Full:
  
  1. "Comparing Passwords, Tokens, and Biometrics for User Authentication"(pdf)
     
  2. "A taxonomy of single sign-on systems"(pdf)
     
  3. "The Future of Authentication"(pdf)
     


• 2/15/13: Lecture 5: Federated Identity and Single-Sign On (pptx) (pdf)
  


• 2/22/13: Lecture 6: Social Network Security (pptx) (pdf). Guest lecture by Yuan Cheng.
  
  Read in Full
  Facebook-style Social Networking Systems:
  1. Philip W. L. Fong, Mohd Anwar and Zhen Zhao; "A Privacy Preservation Model for Facebook-Style Social Network Systems", In Proceedings of the 14th European Symposium on Research In Computer Security (ESORICS'09), volume 5789 of Lecture Notes in Computer Science, pages 303-320, Saint Malo, France, September 21-23, 2009. Springer.
     
  Relationship-based Access Control:
  2. Jaehong Park, Ravi Sandhu and Yuan Cheng, "ACON: Activity-Centric Access Control for Social Computing", In Proceedings 5th International Conference on Availability, Reliability and Security (ARES), Vienna, Austria, August 22-26, 2011, 6 pages.
     
  3. Yuan Cheng, Jaehong Park and Ravi Sandhu, "A User-to-User Relationship-based Access Control Model for Online Social Networks", In Proceedings 26th Annual IFIP WG 11.3 Working Conference on Data and Applications Security and Privacy (DBSec 2012), Paris, France, July 11-13, 2012, 18 pages.
     
  4. Yuan Cheng, Jaehong Park and Ravi Sandhu, "Relationship-based Access Control for Online Social Networks: Beyond User-to-User Relationships", In Proceedings 4th IEEE International Conference on Information Privacy, Security, Risk and Trust (PASSAT), Amsterdam, Netherlands, September 3-5, 2012, 10 pages.
     
  Read as Reference
  More Access Control Solutions for Online Social Networks:
  1. Jaehong Park, Ravi Sandhu and Yuan Cheng, "A User-Activity-Centric Framework for Access Control in Online Social Networks", IEEE Internet Computing, 15(5): 62-65, September 2011.
     
  2. Philip W. L. Fong. "Relationship-Based Access Control: Protection Modeal and Policy Language", In Proceedings of the First ACM Conference on Data and Application Security and Privacy (CODASPY'11), San Antonio, Texas, USA, February 21-23, 2011.
     
  3. C. E. Gates. "Access control requirements for web 2.0 security and privacy", In Proc. of Workshop on Web 2.0 Security and Privacy (W2SP 2007), 2007.
     


• 3/1/13: Exam 1: docx pdf. No lecture.
  Scale paper for question 1
  Credit card fraud notice paper for question 2
  NIST strategy report for question 3
  Trust paper for question 4
  


• 3/8/13: Lecture 7: Privacy (pptx) (pdf)
  
  Read in Full:
  
  1. "Information privacy?!"(pdf)
     
  2. "Electronic Identities Need Private Credentials"(pdf)
     
  3. "Netflix Spilled Your Brokeback Mountain Secret, Lawsuit Claims"(pdf)
     
  4. "Latest in Web Tracking: Stealthy 'Supercookies'"(pdf)
     
  5. "Are Digital Foxes Guarding the Web's Privacy Hen House?"(pdf)
     
  Read as Reference:
  
  1. "Robust De-anonymization of Large Sparse Datasets"(pdf)
     


• 3/15/13: Spring Break. No class.


• 3/22/13: Lecture 8: Privacy in Microdata Release (pptx) (pdf)(pdf8.1)
  
  Read in Full:
  
  1. "A Three-Dimensional Conceptual Framework for Database Privacy"(pdf)
     
  2. "A Critique of k-Anonymity and Some of Its Enhancements"(pdf)
     
  Read Partially:
  
  1. "Incognito: Efficient Full-Domain K-Anonymity"(pdf)
     
  2. "t-Closeness: Privacy Beyond k-Anonymity and l
     -Diversity"(pdf)
     
  3. "Attacks on Privacy and deFinetti’s Theorem"(pdf)
     
  Read as Reference:
  
  1. "Should the U.S. Adopt European-Style Data-Privacy Protections?"(pdf)
     
  2. "A terminology for talking about privacy by data minimization: Anonymity, Unlinkability, Undetectability, Unobservability, Pseudonymity, and Identity Management"(pdf)
     


• 3/29/13: Lecture 9: Privacy in Microdata Release (pptx) (pdf)
  
  Read in Full:
  
  1. "Privacy-Preserving Data Publishing: A Survey of Recent Developments"(pdf)
     


• 4/5/13: Lecture 10: Secure Data Provenance(pdf) , PBAC-formula(pdf)
Read in Full:

1. "A Provenance-based Access Control Model"(pdf)
   
2. "Securing Provenance"(pdf)
   
3. "The Open Provenance Model core specification "(pdf)
   
Read as Reference:

1. "A Language for Provenance Access Control"(pdf)
   
2. "An Access Control Language for a General Provenance Model"(pdf)
   
3. "Introducing Secure Provenance: Problems and Challenges"(pdf)
   


• 4/12/13: Lecture 11: Cloud Security (pptx) (pdf)
  
  Read in Full:
  
  1. "A View of Cloud Computing"(pdf)
     
  2. "Final Version of NIST Cloud Computing Definition Published"(pdf)
     
  3. "NIST definition of cloud computing doesn't go far enough"(pdf)
     
  4. "The Cloud Is The Computer"(pdf)
     
  5. "Cloud Computing and Grid Computing 360-Degree Compared"(pdf)
     


• 4/19/13: Lecture 12: Cloud Security (pptx) (pdf)
  
  Read Partially:
  
  1. "Security for the cloud infrastructure: Trusted virtual data center implementation"(pdf)
     
  Read as Reference:
  
  1. "Guidlines on Security and Privacy in Public Cloud Computing"(pdf)
     


• 4/26/13: Lecture 13: Cloud Security


• Finals Week: Exam 2 (optional for possible upgrade) docx pdf

END