CS 6393: Cyber Security Models and Systems

Prof. Ravi Sandhu

Spring 2020, Friday 10am-12:30pm, Location: BB 2.05.04. Post Spring Break: On-line asynchronous lectures in narrated PowerPoint.
Class web site: www.profsandhu.com/cs6393_s20
Office hours: By appointment, Location: NPB 3.122 Virtual on-line meetings only by email request.
Usually will be available to meet immediately after class
UTSA common syllabus information: provost.utsa.edu/syllabus.asp

Please send all class related emails to: ravi.utsa@gmail.com You can email me at ravi.sandhu@utsa.edu OR ravi.utsa@gmail.com.
Please use this email address only for CS 6393 related matters
For all other UTSA related matters please use ravi.sandhu@utsa.edu

Class-wide Emails (post-Coronavirus crisis):

• 05/08/2020: CS6393 Assignment 2 due by May 15: REMINDER.
• 04/29/2020: CS6393 Assignment 1 has been graded.
  ALL LECTURES HAVE NOW BEEN POSTED
• 04/24/2020: CS6393 Lecture 13 (comprising 13-1 and 13-2) posted.
• 04/19/2020: CS6393 Lecture 12 (comprising 12-1 and 12-2) posted.
• 04/18/2020: CS6393 Lecture 11 (comprising 11-1 and 11-2) posted.
• 04/14/2020: CS6393 Lecture 10 (comprising 10-1 and 10-2) posted.
• 04/10/2020: CS6393 Grading Option CR/NC for Spring 2020.
• 04/08/2020: CS6393 Lecture 9 (comprising 9-1 and 9-2) posted.
• 04/06/2020: CS6393 Lecture 8-2 posted.
• 03/31/2020: CS6393 Lecture 8-1 posted.
• 03/27/2020: CS6393 Operation Rules posted.
• 03/18/2020: Coronavirus adjustments to CS 6393, Spring 2020. I have received acknowledgement from all students. Thanks to all.

Coronavirus Adjustments:

• These are trying times. Our top priorities are everyone's health and safety, and minimal disruption to your classes.
• As you are aware Spring Break has been extended by 1 week and all remaining classes will be conducted on-line.
• Plans and schedule for on-line classes will be posted soon after extended Spring Break is over.

Important Notices pre-Coronavirus:

• 02/18/2020: Lecture 5-crypto_review has been posted
• 02/13/2020: Assignment 1 is posted here (docx) (pdf). Due on Monday March 30, 2020.
• 02/13/2020: Lecture schedule modified
• 02/04/2020: Lecture 6-3 posted
• 01/31/2020: Part II topics and partial set of readings posted (Lecture 14 TBD)
• 01/31/2020: Part I slides and papers posted (Lecture 6-3 pending)
• 01/23/2020: Initial web site posted.
• Watch this space for important announcements throughout the semester. Announcements will be dated and recent posts will be highlighted in red.

Course Prerequisites:

Catalog Description:

• 6393 Advanced Topics in Computer Security (3-0) 3 hours credit.
  Analysis of computer security. The topics may include but are not limited to database and distributed systems security, formal models for computer security, privacy and ethics, intrusion detection, critical infrastructure protection, network vulnerability assessments, wireless security, trusted computing, and highly dependable systems. May be repeated for credit when topics vary.

Course Format:

• Lectures with supporting readings from the literature.
• Optional additional readings from the literature.

Course Objectives:

• Designed for advanced CS and related graduate students.
• Study selected topics of current interest in cyber security models and systems.
• Learn something of lasting value in your careers. Have some fun doing it.

Grading:

• Two assignments.
• Each assignment will have multiple questions. Each question will require a 3/4 page to 1 page answer.
• For assignment 1: You can discuss the assignement with anybody and refer to any material. However, the answer must be written in your own words and be accompanied with the honor code statement specified in the assignment.
• For assignment 2: You can refer to any material but are not allowed to discuss with anyone. The answer must be written in your own words and be accompanied with the honor code statement specified in the assignment.
• Due dates: March 30, 2020 for assignment 1. May 15, 2020 for assignment 2.
• Class attendance and participation will be factored into the overall grade at instructor's discretion.
• Remember each lecture is 7% of course material.

Assignments:

• Assignment 1 is posted here (docx) (pdf). Due on Monday March 30, 2020.
• Each question will be graded according to the following rubric (docx) (pdf).
• Assignment 2 is posted here (docx) (pdf). Due on Friday May 15, 2020.
• Each question will be graded according to the following rubric (docx) (pdf).

Schedule Notes:

• The weekly schedule is subject to change and adjustment as the semester progresses.
• Assigned readings for a lecture should be read for maximum benefit.
• Readings are marked as follows.
  • Full: Read in full.
  • Part: Read in part.
  • Ref: Reference.

Schedule by Week: Please visit often as the semester proceeds.

Part I: FOUNDATIONS

1. 01/24/20: Cyber Security Perspective
   • Slides: L1.pptx, L1.pdf
   • Readings: Full: How to spell cyber security?, Bishop-2003, Solms-Niekerk-2013, Sandhu-etal-2010
2. 01/31/20: Access Control: DAC and MAC/LBAC
   • Slides: L2.pptx, L2.pdf
   • Readings: Full: Sandhu, R. S., & Samarati, P. (1994). Access control: principle and practice. IEEE communications magazine, 32(9), 40-48.
   • Readings: Full: Sandhu, R. S. (1993). Lattice-based access control models. IEEE Computer, 26(11), 9-19.
3. 02/07/20: Access Control: RBAC
   • Slides: L3-1.pptx, L3-1.pdf, L3-2.ppt, L3-2.pdf
   • Readings: Full: Sandhu, R. S., Coyne, E. J., Feinstein, H. L., & Youman, C. E. (1996). Role-based access control models. IEEE Computer, 29(2), 38-47.
     or alternately Chapters 1 & 2 of: Sandhu, R. S. (1998). Role-based access control. Advances in computers, 46, 237-286.
   • Readings: Part: Ferraiolo, D. F., Sandhu, R., Gavrila, S., Kuhn, D. R., & Chandramouli, R. (2001). Proposed NIST standard for role-based access control. ACM TISSEC, 4(3), 224-274.
   • Readings: Full: Engineering Authority and Trust in Cyberspace: The OM-AM and RBAC Way
   • Readings: Full: The PEI Framework for Application-Centric Security
4. 02/14/20: Access Control: ABAC and UCON
   • Slides: L4.pptx, L4.pdf
   • Readings: Full: Hu, V. C., Kuhn, D. R., & Ferraiolo, D. F. (2015). Attribute-Based Access Control. IEEE Computer, 48(2), 85-88.
   • Readings: Part: Jin, X., Krishnan, R., & Sandhu, R. (2012). A unified attribute-based access control model covering DAC, MAC and RBAC. IFIP 11.3 DBSec (pp. 41-55).
   • Readings: Full: Kuhn, D. R., Coyne, E. J., & Weil, T. R. (2010). Adding attributes to role-based access control. IEEE Computer, 43(6), 79-81.
   • Readings: Ref: Park, J., & Sandhu, R. (2004). The UCON ABC usage control model. ACM TISSEC, 7(1), 128-174.
   • Readings: Ref: Ahmed, T., Sandhu, R., & Park, J. (2017). Classifying and Comparing Attribute-Based and Relationship-Based Access Control. ACM CODASPY.
5. 02/21/20: SSL and Man-in-the-Middle Vulnerability
   • Slides: L5-crypto_review.pptx, L5-crypto_review.pdf, L5.pptx, L5.pdf
   • Readings: Ref: The TLS Protocol, Version 1.0, RFC 2246
   • Readings: Full: The Problem with Multiple Roots in Web Browsers-Certificate Masquerading. Proc. Seventh IEEE International Workshops on Enabling Technologies: Infrastructure for Collaborative Enterprises, 1998 (WET ICE '98), pp. 306-311.
   • Readings: Ref: Carvalho, M., DeMott, J., Ford, R., and Wheeler, D. A. (2014). Heartbleed 101. IEEE security & privacy, 12(4), 63-67.
6. 02/28/20: (1) Views of Cloud Computing, (2) NIST Reference Architecture, (3) AWS and AWS-IoT Access Control Models
   • Slides: L6-1.pptx, L6-1.pdf,
                 L6-2.pdf: NIST Cloud Computing Reference Architecture (Chapter 4 of NIST reference document),
                  L6-3.pptx, L6-3.pdf
   • Readings: Full: NIST Definition of Cloud Computing
   • Readings: Part: Foster et al 2008: Cloud versus Grid, Armbrust et al 2010: Berkeley View of Cloud
   • Readings: Ref: Zhang et al 2015. Community-Based Secure Information and Resource Sharing in AWS Public Cloud.
   • Readings: Ref: Alshehri et al 2016. Access Control Models for Cloud-Enabled Internet of Things: A Proposed Architecture and Research Agenda.
   • Readings: Ref: Bhatt et al 2017. Access Control Model for AWS Internet of Things.
7. 03/06/20: James Benson and Bushra Zahed on The Galahad System and its Access Control
   • Slides: Galahad.pdf Galahad.pptx
   • Readings: Full: Galahad Software Overview
   • Readings: Full: IARPA Virtue BAA
   • Readings: Ref: GitLab Galahad Project
   
   03/13/20: NO CLASS. SPRING BREAK.
   03/20/20: NO CLASS. SPRING BREAK EXTENDED.
   03/30/20: ASSIGNMENT 1 DUE.

Part II: APPLICATIONS. Revised Schedule will be incrementally updated.

8. 03/27/20: Intrusion Detection: (1) Base Rate Fallacy, (2) Evaluation
   • Slides (with audio): L8-1a.pptx, L8-2a.pptx
   • Slides (without audio): L8-1.pptx, L8-1.pdf, L8-2.pptx, L8-2.pdf
   • Readings: Part: Axelsson, Stefan. The base-rate fallacy and the difficulty of intrusion detection. ACM Transactions on Information and System Security (TISSEC) 3, no. 3 (2000): 186-205.
   • Readings: Part: Milenkoski, A. et al 2015. Evaluating computer intrusion detection systems: A survey of common practices. ACM Computing Surveys (CSUR), 48(1) (including Appendix).
   • Readings: Ref: https://en.wikipedia.org/wiki/Receiver_operating_characteristic
   • Readings: Ref: Nwokedi Idika and Aditya Mathur, A Survey of Malware Detection Techniques, Purdue University, Feb 2007.
9. 04/03/20: Software Defined Networks (SDNs): (1) Overview, (2) SDN-RBAC Model (Slides prepared by Abdullah Al-Alaj, audio by Prof. Sandhu)
   • Slides (with audio): L9-1a.pptx, L9-2a.pptx
   • Slides (without audio): L9-1.pptx, L9-1.pdf, L9-2.pptx, L9-2.pdf
   • Readings: Part: Al-Alaj et al 2019. SDN-RBAC: An Access Control Model for SDN Controller Applications.
   • Readings: Part: Al-Alaj et al 2019. A Formal Access Control Model for SE-Floodlight Controller.
   • Readings: Ref: Ahmad et al 2015. Security in Software Defined Networks: A Survey.
10. 04/10/20: Access Control Policy Mining: (1) Feasibility Analysis, (2) RBAC to ABAC (Slides prepared by Shuvra Chakraborty, audio by Prof. Sandhu)
    • Slides (with audio): L10-1a.pptx, L10-2a.pptx
    • Slides (without audio): L10-1.pptx, L10-1.pdf, L10-2.pptx, L10-2.pdf
    • Readings: Part: Chakraborty et al 2019. On the Feasibility of Attribute-Based Access Control Policy Mining.
    • Readings: Part: Chakraborty et al 2019. On the Feasibility of RBAC to ABAC Policy Mining: A Formal Analysis.
11. 04/17/20: Access Control in Smart Home IoT: (1) Introduction and GRBAC Model, (2) EGRBAC Model (Slides prepared by Safwa Ameer, audio by Prof. Sandhu)
    • Slides (with audio): L11-1a.pptx, L11-2a.pptx
    • Slides (without audio): L11-1.pptx, L11-1.pdf, L11-2.pptx, L11-2.pdf
    • Readings: Full: Ameer et al 2020. DRAFT: NOT FOR GENERAL DISTRIBUTION The EGRBAC Model for Smart Home IoT Access Control.
    • Readings: Part: Covington et al 2000. Generalized Role-Based Access Control for Securing Future Applications.
    • Readings: Part: Covington et al 2001. Securing Context-Aware Applications Using Environment Roles.
12. 04/24/20: Authentication by Passwords: (1) Introduction and Storage Techniques, (2) NIST Guidance
    • Slides (with audio): L12-1a.pptx, L12-2a.pptx
    • Slides (without audio): L12-1.pptx, L12-1.pdf, L12-2.pptx, L12-2.pdf
    • Readings: Full: Morris, R., & Thompson, K. (1979). Password security: A case history. Communications of the ACM, 22(11), 594-597.
    • Readings: Full: Extracts from Digital Identity Guidelines Authentication and Lifecycle Management. NIST Special Publication 800-63B, June 2017.
    • Readings: Ref: Digital Identity Guidelines Authentication and Lifecycle Management. NIST Special Publication 800-63B, June 2017.
13. 05/01/20: Secure Cloud-Assisted Smart Cars: (1) Architecture aand Authorization Framework, (2) Dynamic Groups and ABAC (Slides prepared by Maanak Gupta, audio by Prof. Sandhu)
    • Slides (with audio): L13-1a.pptx, L13-2a.pptx
    • Slides (without audio): L13-1.pptx, L13-1.pdf, L13-2.pptx, L13-2.pdf
    • Readings: Full: Maanak Gupta and Ravi Sandhu, Authorization Framework for Secure Cloud Assisted Connected Cars and Vehicular Internet of Things. ACM SACMAT18.
    • Readings: Full: Maanak Gupta et al, Dynamic Groups and Attribute-Based Access Control for Next-Generation Smart Cars. ACM CODASPY19.
    • Readings: Ref: Yousefpour et al, All one needs to know about fog computing and related edge computing paradigms: A complete survey. Journal of Systems Architecture, 2019.
    • Readings: Ref: Alshehri et al 2016. Access Control Models for Cloud-Enabled Internet of Things: A Proposed Architecture and Research Agenda.
    • Readings: Ref: Bhatt et al 2017. An Access Control Framework for Cloud-Enabled Wearable Internet of Things.
    
    05/08/20: No lecture. Use the time to work on Assignment 2.
    05/15/20: ASSIGNMENT 2 DUE.
    05/18/20: GRADES DUE TO UTSA.

END