CS 62600: Advanced Information Assurance

Tuesday and Thursday from 1:30-2:45
LWSN 1106

Chris Clifton

Email: clifton_nospam@cs_nojunk.purdue.edu (Please put 626 somewhere in the subject for course-related matters.)
Office hours: By appointment (or just drop by LWSN 2142F, I'm generally in 8:30-5)

Advanced topics in information assurance, including selections from the following: penetration testing, formal verification of systems, formal models of information flow and protection, distributed system authentication, protocol design and attack, computer viruses and malware, intrusion and anomaly detection models, multi-level security, active defenses, investigation and forensics, network firewalls, anonymity and identity, e-commerce support, and database security models and mechanisms.

There are two major goals to this course:

  1. To provide a comprehensive view of information security so as to develop a big picture perspective. This expands the focus from protecting individual machines and files to that of developing and managing policy and mechanism for a full enterprise.
  2. To provide exposure to some advanced concepts in information security and assurance, including some recent research results. Students will be expected to exhibit critical assessment skills regarding these concepts.

Course Methodology

The course will be taught through lectures and (largely student-presented) case studies / discussions. Material will be drawn from current events; a good source is Spaf's Blog.

For now, Professor Clifton will not have regular office hours. Feel free to drop by anytime, or send email with some suggested times to schedule an appointment.

You can also send things to the course email list (if traffic goes beyond 1-2/week, we'll start a newsgroup instead).

Prerequisites

The official requirement is CS 52600 (Information Security) and CS 55500 (Cryptography and Data Security) or the equivalent. Students who have not had these courses, but feel they have equivalent experience gained elsewhere, please see the instructor.

Evaluation/Grading

Evaluation will be a subjective process (see my grading standards) based on your understanding of the material as evidenced in your final project, presentations, assignments, and contributions to discussions both in and out of class. Assignments will consist of:

Relative weighting of these items is to be determined, but expect approximately 45% final project, 25% presentation, 10% each review, and 10% class participation. This may be adjusted a bit after I see the final project proposals (if you all suggest extremely deep final projects, I may increase the weight on that a bit).

Projects and assignments will be evaluated on a ten point scale:

  10: Exceptional work. So good that it makes up for substandard work elsewhere in the course. These will be rare.
  8: What I'd expect of a Ph.D. candidate. This corresponds to an A grade.
  6: Good enough for a Master's degree, but not what I'd like to see for a Ph.D. candidate. This corresponds to a B grade.
  4: Okay for a Master's candidate who does extremely well in other courses. This corresponds to a C grade.
  2: Not good enough for a graduate student. But something.
  0: Missing work, or so bad that you needn't have bothered.

Late work will be penalized 10% per day (24 hour period). This penalty will apply except in case of documented emergency (e.g., medical emergency), or by prior arrangement if doing the work in advance is impossible due to fault of the instructor (e.g., you are going to a conference and ask to start the project early, but I don't have it ready yet.)

Blackboard will be used to record/distribute grades and turn in assignments.

Policy on Intellectual Honesty

Please read the departmental academic integrity policy above. This will be followed unless I provide written documentation of exceptions. In particular, I encourage interaction: you should feel free to discuss the course with other students. However, unless otherwise noted work turned in should reflect your own efforts and knowledge.

For example, if you are discussing an assignment with another student, and you feel you know the material better than the other student, think of yourself as a teacher. Your goal is to make sure that after your discussion, the student is capable of doing similar work independently; their turned-in assignment should reflect this capability. If you need to work through details, try to work on a related, but different, problem.

If you feel you may have overstepped these bounds, or are not sure, please come talk to me and/or note on what you turn in that it represents collaborative effort (the same holds for information obtained from other sources that provided substantial portions of the solution). If I feel you have gone beyond acceptable limits, I will let you know, and if necessary we will find an alternative way of ensuring you know the material. Help you receive in such a borderline case, if cited and not part of a pattern of egregious behavior, is not in my opinion academic dishonesty, and will at most result in a requirement that you demonstrate your knowledge in some alternate manner.

Syllabus (numbers correspond roughly to week):

The schedule is currently a work in progress.

  1. Course overview, discussion of the range of issues and answers. Reading: Purdue University Policies: Information Technology Data Security.
  2. September 1: Guest Lecture, Dr. Marc Rogers: Current Challenges in Digital Forensics.
    Logging and Audit
  3. Privacy: What are the Issues? Reading: Rakesh Agrawal, Jerry Kiernan, Ramakrishnan Srikant, and Yirong Xu, Hippocratic Databases, VLDB02; DIRECTIVE 95/46/EC OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (in particular, clauses 27-31, Article 7). Further Reading: Documents of the Data Protection Working Party.
  4. Security Metrics. Reading: Under attack: Common Criteria has loads of critics, but is it getting a bum rap? (Common Criteria documents); Directions in Security Metrics Research. Further Investigation: Security Metrics Workshops.
    September 17: Guest Lecture, Dr. Fariborz Farahmand. Reading: Incentives and Perceptions of Information Security Risks. Follow-up: Kahneman's Nobel Lecture.
  5. Michael Kirkpatrick, Anonymous Publishing. Reading: Protecting Free Expression Online with Freenet, Publius: A robust, tamper-evident, censorship-resistant web publishing system.
    Wahbeh Qardaji, Anonymizing Network Traffic Data. Reading: The Challenges of Effectively Anonymizing Network Data, The Devil and Packet Trace Anonymization, Taming the Devil: Techniques for Evaluating Anonymized Network Data.
  6. Nabeel Mohamed, Insider Threat. Reading: Insider Theft of Intellectual Property for Business Advantage: A Preliminary Model, Andrew P. Moore, Dawn M. Cappelli, Thomas C. Caron, Eric Shaw, Randall F. Trzeciak, MIST 2009; Data Theft: A Prototypical Insider Threat, Michael McCormick, 2008; A Data-Centric Approach to Insider Attack Detection in Database Systems, Sunu Mathew, Michalis Petropoulos, Hung Ngo, Shambhu Upadhyaya, TR 2009. Additional background from CERT and The I3P.
    Andrew Newell, Incentive compatibility in security. Reading: Rational Secret Sharing and Multiparty Computation: Extended Abstract, Distributed Computing Meets Game Theory: Robust Mechanisms for Rational Secret Sharing and Multiparty Computation, Incentive Compatible Privacy-Preserving Data Analysis.
  7. William Pfeifer, Corporate Espionage and hacking cases, and the strategy for defense. Reading: Article on a Pretexting case, Sans Institute - Corporate Espionage, Sans Institute - Social Engineering. (Another news article of interest.)
    Jeffrey Seibert, State-sponsored Cyberwarfare. Reading: Kenneth Geers Article, Essay by Bruce Schneier, Congressional Research Service Report, Article on Georgia, Chapters 3 and 4 of the National Academies Report (PDF), Rand Corp report.
    One paragraph description of final project due by 08:00 October 8.
  8. October Break (no class 10/13).
    Ryan Poyar, Polymorphic code. Reading: SANS report: What is polymorphic shell code and what can it do?, On the Infeasibility of Modeling Polymorphic Shellcode, Smashing the Stack with Hydra: The Many Heads of Advanced Polymorphic Shellcode (pre-publication - do not distribute), Polymorphic Blending Attacks. Further reading: Polymorphic Shellcode Engine Using Spectrum Analysis.
  9. Serkan Uzunbaz, Security/Privacy with Social Networks. Reading: Social network privacy study finds identity link to cookies, On the Leakage of Personally Identifiable Information Via Online Social Networks, De-Anonymizing Social Networks. Further reading: Imagined Communities: Awareness, Information Sharing, and Privacy on the Facebook, (Under)mining Privacy in Social Networks, Preserving Privacy in Social Networks Against Neighborhood Attacks.
    Christopher Gates, NLP applications to security. Reading: Why NLP should move into IAS, Plausible deniability using automated linguistic steganography, Providing Privacy through Plausibly Deniable Search, Natural Language Watermarking and Tamperproofing.
  10. Kevin Steuer, Security in Cloud Computing. Reading: Amazon Web Services Security Center, Amazon Web Services: Overview of Security Processes, Hey, You, Get Off of My Cloud: Exploring Information Leakage in Third-Party Compute Clouds (CCS09), Towards Trusted Cloud Computing (HotCloud09).
    Erhan Nergiz, Data Outsourcing. Reading: When 2+2 Equals a Privacy Question, Search on Encrypted Data, Managing and Querying Encrypted Data, Towards Secure Data Outsourcing.
  11. Mohamed Yakout, Private Data Integration. Reading: Privacy-preserving data integration and sharing, Privacy preserving schema and data matching, A Hybrid Approach to Private Record Linkage, Efficient Private Record Linkage.
    Brent Roth, Tradeoffs in System Design. Reading: A Goal Oriented Approach for Modeling and Analyzing Security Trade-Offs, Directions in Security Metrics Research.
  12. Ashrith Barthur, White-hat botnets. Reading: Air Force Colonel Wants to Build a Military Botnet, Ethics for Bots, Your Botnet is My Botnet: Analysis of a Botnet Takeover, The Anatomy of Clickbot.
    Formal proposal for final project due 17:00 November 10 (see description in Blackboard.)
    November 12: Guest Lecture, Prof. Stephen Elliott: Biometrics.
  13. Discussion: How do we achieve breakthroughs in system security?
  14. Thanksgiving Break (no class 11/26).
  15.  
  16.  

Final exam: Given that the final project proposals of a majority of the class will provide ample opportunity to demonstrate the level of knowledge of a big picture perspective of information assurance, there will be no final exam in this course. Keep in mind when reporting on your final project that you should demonstrate that you have met the course goals, not just understanding of a narrow facet of this area.

In the event of a major campus emergency, course requirements, deadlines and grading percentages are subject to changes that may be necessitated by a revised semester calendar or other circumstances. In such event, this page will be updated to reflect such changes.
