Data and Applications Security Developments and Directions Dr. Bhavani Thuraisingham The University of Texas at Dallas Introduction to the Course August 29, 2014

Objective of the Unit l This unit provides an overview of the course. The course describes concepts, developments, challenges, and directions in data and applications security. Topics include - database security, distributed data management security, object security, data warehouse security, data mining for security applications, privacy, secure semantic web, secure digital libraries, secure knowledge management and secure sensor information management, biometrics

Outline of the Unit l Outline of Course l Course Work l Course Rules l Contact l Appendix

Outline of the Course l Unit #1: Introduction to Data and Applications l Part I: Background - Unit #2: Data Management - Unit #3: Information Security - Unit #4: Information Management including Semantic Web l Part II: Discretionary Security - Unit #5: Concepts - Unit #6: Policy Enforcement l Part III: Mandatory Security - Unit #7: Concepts - Unit #8: Architectures

Outline of the Course (Continued) l Part IV: Secure Relational Data Management - Unit #9: Data Model - Unit #10: Functions - Unit #11: Prototypes and Products l Part V: Inference Problem - Unit #12: Concepts - Unit #13: Constraint Processing - Unit #14: Conceptual Structures l Part VI: Secure Distributed Data Management - Unit #15: Secure Distributed data management - Unit #16: Secure Heterogeneous Data Integration - Unit #17: Secure Federated Data Management

Outline of the Course (Continued) l Part VII: Secure Object Data Management - Unit #18: Secure Object Management - Unit #19: Secure Distributed Objects and Modeling Applications - Unit #20: Secure Multimedia Systems l Part VIII: Data Warehousing, Data Mining and Security - Unit #21: Secure Data Warehousing - Unit #22: Data Mining for Security Applications - Unit #23: Privacy - Additional Lectures: l Insider Threat Detection l Reactively Adaptive Malware

Outline of the Course (Continued) l Part IX: Secure Information Management - Unit #24: Secure Digital Libraries - Unit #25: Secure Semantic Web (web services, XML security) - Unit #26: Secure Information and Knowledge Management - Additional Topics l Secure Web Services and identity management l Social Network Security and Privacy l Secure cloud computing and secure cloud query processing l Part X: Dependable data management and forensics - Unit #27: Secure Dependable Data Management - Unit #28: Secure Sensor and Wireless Data Management - Unit #29: Other Technologies, e.g., digital forensics, biometrics, etc.

Outline of the Course (Continued) l Part XI: Emerging Technologies - Papers from ACM CODASPY 2011, 2012, 2013, 2014 on Data and Applications Security and Privacy l Unit #30 Conclusion to the Course

Topics Covered l August 29, Introduction, Security nodules l September 5: Access control, Malware l September 12 – Dr. Lin Lecture, Multilevel database management l Sept 19 – Inference problem + continuation of Sept 12 lecture l Sept 26 – Secure Dist Data Mgmt, Secure objects l October 3, October 3: Data Warehousing, Data Mining, Security, Privacy l October 10: Secure web services, XML security l October 24 – Secure semantic web, Secure web/knowledge mgmt l October 31 – Secure cloud, Secure social media l November 7 - Digital forensics, Biometrics, + misc other topics l November 14 – paper presentation l November 21 – paper presentation

Course Work l Two term papers; each worth 8 points l Two exams each worth 20 points l Programming project worth 15 points l Four homework assignments each worth 6 points l Paper presentation: 5 points l Total 100 points l Course Reference Book: Database and Applications Security: Integration Data Management and Information Security, Bhavani Thuraisingham, CRC Press, 2005 l Will also include papers as reading material

Tentative Schedule l Assignment #1: Due September 26, 2014 (posted lecture 7) l Assignment #2: Due October 3, 2014 (lecture 11) – new due date 10/10/14 l Term paper #1: October – new due date – 10/13/14 l Exam #1: October 17, 2014 l Assignment #3: October 31, 2014 l Assignment #4: November 7, 2014 l Term paper #2: November 14, 2014 l Programming project: November 21, 2014 l Exam #2: December 5, 2014

Assignment #1, 2, 3, 4 Assignment #1: Posted in Lecture 8 Assignment #2 Posted in Lecture 11 Assignment #3: Posted in Lecture 16 Assignment #4: Posted in Lecture 26

Some Topics for Papers: Any topic in data and applications security l XML Security l Inference Problem l Privacy l Secure Biometrics (after exam #1) l Intrusion Detection l E-Commerce Security (will be discussed after exam #1) l Secure Sensor Information Management (after exam #1) l Secure Distributed Systems l Secure Semantic Web (after exam #1) l Secure Data Warehousing l Insider Threat Analysis l Secure Multimedia/geospatial Systems l Malware detection l Policies and access control l Designs of multilevel secure databases

Term Papers: Example Format l Abstract l Introduction l Background on the Topic l Survey of various techniques, designs etc, (e.g., access control policies, inference control methods) l Analyze the techniques, designs etc. and give your opinions l Directions for further work l Summary and Conclusions l References

Term Papers: Example Format - II l Abstract l Introduction l Background on the Topic and Related Work l Discuss strengths and weaknesses of others’ work l Give your own design and say why it is better l Directions for further work l Summary and Conclusions l References

Project Report Format l Overview of the Project l Design of the System l Input/Output l Future Enhancements l References

Some Project Topics l Query Modification on XML Documents l Access control for web systems l Intrusion detection system l Access control for multimedia systems - E.g., access control for image, video l Role-based access control system l Access control for object systems l Secure data warehouse

Course Rules l Course attendance is mandatory; unless permission is obtained from instructor for missing a class with a valid reason (documentation needed for medical emergency for student or a close family member – e.g., spouse, parent, child). Attendance will be collected every lecture. 3 points will be deducted out of 100 for each lecture missed without approval. l Each student will work individually l Late assignments will not be accepted. All assignments have to be turned in just after the lecture on the due date l No make up exams unless student can produce a medical certificate or give evidence of close family emergency l Copying material from other sources will not be permitted unless the source is properly referenced l Any student who plagiarizes from other sources will be reported to the appropriate UTD authroities

Index to Lectures for Exam #1 Introduction to course Lecture 1: Introduction to data and applications security Lecture 2: Cyber security modules (extra credit) Lecture 3: Information Management (not included in exam) Lecture 4: Access control Lecture 5: Dr. Lin’s guest lecture (not included in the exam) Lecture 6: Multilevel secure data management Lecture 7: Assignment #1 Lecture 8: Inference problem – 1 Lecture 9: Inference problem – 2 Lecture 10: Assignment 3 Lecture 11: Secure Distributed Data Management

Index to Lectures for Exam #1 Lecture 12: Secure Object Systems Lecture 13: Data Warehousing, Data Mining Security Lecture 14: Privacy Lecture 15: Data Mining for Malware Detection Lecture 16: Assignment #3 Lecture 17: Malware (guest lecture) Lecture 18: Insider Threat Detection

Papers to Read for Exam #1 - RBAC: Ravi S. Sandhu, Edward J. Coyne, Hal L. Feinstein, Charles E. Youman: Role-Based Access Control Models. IEEE Computer 29(2): (1996)Edward J. CoyneHal L. Feinstein Charles E. YoumanIEEE Computer 29 - UCON: Jaehong Park, Ravi S. Sandhu: The UCONABC usage control model. ACM Trans. Inf. Syst. Secur. 7(1): (2004) - first 20 pagesRavi S. SandhuACM Trans. Inf. Syst. Secur. 7 - DCON: Roshan K. Thomas, Ravi S. Sandhu: Towards a Multi- dimensional Characterization of Dissemination Control. POLICY 2004: (IEEE)Ravi S. Sandhu POLICY Bhavani M. Thuraisingham: Mandatory Security in Object- Oriented Database Systems. OOPSLA 1989: OOPSLA Bhavani M. Thuraisingham, William Ford: Security Constraints in a Multilevel Secure Distributed Database Management System. IEEE Trans. Knowl. Data Eng. 7(2): (1995) (distributed inference control)William FordIEEE Trans. Knowl. Data Eng. 7

Papers to Read for Exam #1 - Rakesh Agrawal, Ramakrishnan Srikant: Privacy-Preserving Data Mining. SIGMOD Conference 2000: Ramakrishnan SrikantSIGMOD Conference Elisa Bertino, Bhavani M. Thuraisingham, Michael Gertz, Maria Luisa Damiani: Security and privacy for geospatial data: concepts and research directions. SPRINGL 2008: 6-19 Elisa BertinoMichael GertzMaria Luisa DamianiSPRINGL Bhavani M. Thuraisingham: Data Mining, National Security, Privacy and Civil Liberties. SIGKDD Explorations 4(2): 1-5 (2002)SIGKDD Explorations 4 - Mohammad M. Masud, Latifur Khan, Bhavani M. Thuraisingham: A Hybrid Model to Detect Malicious Executables. ICC 2007: Latifur KhanBhavani M. ThuraisinghamICC Pallabi Parveen, Nate McDaniel, Varun S. Hariharan, Bhavani M. Thuraisingham, Latifur Khan: Unsupervised Ensemble Based Learning for Insider Threat Detection SocialCom/PASSAT 2012: Nate McDanielVarun S. HariharanBhavani M. ThuraisinghamLatifur KhanSocialCom/PASSAT 2012

Suggested papers for Malware detection (NOT Mandatory for Exam) - Mohammad M. Masud, Latifur Khan, Bhavani M. Thuraisingham: E- Mail Worm Detection Using Data Mining. IJISP 1(4): (2007)Latifur KhanBhavani M. ThuraisinghamIJISP 1 - Mohammad M. Masud, Latifur Khan, Bhavani M. Thuraisingham, Xinran Wang, Peng Liu, Sencun Zhu: Detecting Remote Exploits Using Data Mining. IFIP Int. Conf. Digital Forensics 2008: Latifur KhanBhavani M. ThuraisinghamXinran WangPeng LiuSencun ZhuIFIP Int. Conf. Digital Forensics Latifur Khan, Mamoun Awad, Bhavani M. Thuraisingham: A new intrusion detection system using support vector machines and hierarchical clustering. VLDB J. 16(4): (2007) Latifur KhanBhavani M. ThuraisinghamVLDB J. 16

Index to Lectures for Exam #2 Lecture 19: XML Security Lecture 20: Assured Information Sharing in the Cloud Lecture 21: Guest Lecture (cloud query processing) Lecture 22: Secure Cloud Computing Lecture 23: Secure SOA Lecture 24: Guest Lecture (Intro to semantic web) Lecture 25: Trustworthy semantic web Lecture 26: Assignment #4 Lecture 27: Secure knowledge mgmt and web security Lecture 28: Guest Lecture: Semantic Web and Social Net Lecture 29: Security/Privacy for social net.

Index to Lectures for Exam #2 Lecture 30: Secure Dependable Data Mgmt Lecture 31: Attacks to databases Lecture 32: Digital Forensics and Biometrics Lecture 33: Database Forensics

Papers to Read for Presentations: CODASPY 2011 Lei JinLei Jin, Hassan Takabi, James B. D. Joshi: Towards active detection of identity clone attacks on online social networks Hassan TakabiJames B. D. Joshi Tyrone CadenheadTyrone Cadenhead, Vaibhav Khadilkar, Murat Kantarcioglu, Bhavani M. Thuraisingham: A language for provenance access control Vaibhav KhadilkarMurat Kantarcioglu Bhavani M. Thuraisingham Philip W. L. FongPhilip W. L. Fong: Relationship-based access control: protection model and policy language Mohammad JafariMohammad Jafari, Philip W. L. Fong, Reihaneh Safavi-Naini, Ken Barker, Nicholas Paul Sheppard: Towards defining semantic foundations for purpose-based privacy policies Philip W. L. FongReihaneh Safavi-NainiKen BarkerNicholas Paul Sheppard Igor BilogrevicIgor Bilogrevic, Murtuza Jadliwala, Jean-Pierre Hubaux, Imad Aad, Valtteri Niemi: Privacy-preserving activity scheduling on mobile devices Murtuza JadliwalaJean-Pierre HubauxImad Aad Valtteri Niemi Barbara CarminatiBarbara Carminati, Elena Ferrari, Sandro Morasca, Davide Taibi: A probability-based approach to modeling the risk of unauthorized propagation of information in on-line social networks Elena FerrariSandro MorascaDavide Taibi

Papers to Read for Presentations: CODASPY 2012 l Yuhao Yang, Jonathan Lutes, Fengjun Li, Bo Luo, Peng Liu: Stalking online: on user privacy in social networks Yuhao YangJonathan LutesFengjun LiBo LuoPeng Liu l Suhendry Effendy, Roland H. C. Yap, Felix Halim: Revisiting link privacy in social networks Suhendry EffendyRoland H. C. YapFelix Halim l Ninghui Li, Haining Chen, Elisa Bertino: On practical specification and enforcement of obligations Ninghui LiHaining ChenElisa Bertino l Ian Molloy, Luke Dickens, Charles Morisset, Pau-Chen Cheng, Jorge Lobo, Alessandra Russo: Risk-based security decisions under uncertainty Ian MolloyLuke DickensCharles MorissetPau-Chen Cheng Jorge LoboAlessandra Russo l Musheer Ahmed, Mustaque Ahamad: Protecting health information on mobile devices Musheer AhmedMustaque Ahamad

Papers to Read for Presentations: CODASPY 2013 l Daniel Le Métayer: Privacy by design: a formal framework for the analysis of architectural choices Daniel Le Métayer l Sanae Rosen, Zhiyun Qian, Zhuoqing Morley Mao: AppProfiler: a flexible method of exposing privacy-related behavior in android applications to end users Sanae RosenZhiyun QianZhuoqing Morley Mao l Rimma V. Nehme, Hyo-Sang Lim, Elisa Bertino: FENCE: continuous access control enforcement in dynamic data stream environments Rimma V. NehmeHyo-Sang LimElisa Bertino l Wei Wei, Ting Yu, Rui Xue: iBigTable: practical data integrity for bigtable in public cloud Wei Ting YuRui Xue l Majid Arianezhad, L. Jean Camp, Timothy Kelley, Douglas Stebila: Comparative eye tracking of experts and novices in web single sign-on Majid ArianezhadL. Jean CampTimothy KelleyDouglas Stebila

Papers to Read for Presentations: CODASPY 2014 l William C. Garrison III, Yechen Qiao, Adam J. Lee: On the suitability of dissemination-centric access control systems for group-centric sharing William C. Garrison IIIYechen QiaoAdam J. Lee l Ebrahim Tarameshloo, Philip W. L. Fong, Payman Mohassel: On protection in federated social computing systems Ebrahim TarameshlooPhilip W. L. FongPayman Mohassel l Michael Mitchell, Guanyu Tian, Zhi Wang: Systematic audit of third-party android phones Michael MitchellGuanyu TianZhi Wang l Tien Tuan Anh Dinh, Anwitaman Datta: Streamforce: outsourcing access control enforcement for stream data to the clouds Tien Tuan Anh DinhAnwitaman Datta l Mohammad Saiful Islam, Mehmet Kuzu, Murat Kantarcioglu: Inference attack against encrypted range queries on outsourced databases Mohammad Saiful IslamMehmet KuzuMurat Kantarcioglu

Papers to Read for Exam #2: From Presentations Lei JinLei Jin, Hassan Takabi, James B. D. Joshi: Towards active detection of identity clone attacks on online social networks Hassan TakabiJames B. D. Joshi Tyrone CadenheadTyrone Cadenhead, Vaibhav Khadilkar, Murat Kantarcioglu, Bhavani M. Thuraisingham: A language for provenance access control Vaibhav KhadilkarMurat Kantarcioglu Bhavani M. Thuraisingham Musheer AhmedMusheer Ahmed, Mustaque Ahamad: Protecting health information on mobile devices Mustaque Ahamad Yuhao YangYuhao Yang, Jonathan Lutes, Fengjun Li, Bo Luo, Peng Liu: Stalking online: on user privacy in social networks Jonathan LutesFengjun LiBo LuoPeng Liu Suhendry EffendySuhendry Effendy, Roland H. C. Yap, Felix Halim: Revisiting link privacy in social networks Roland H. C. YapFelix Halim Ian MolloyIan Molloy, Luke Dickens, Charles Morisset, Pau-Chen Cheng, Jorge Lobo, Alessandra Russo: Risk-based security decisions under uncertainty Luke DickensCharles MorissetPau-Chen Cheng Jorge LoboAlessandra Russo

Papers to Read for Exam #2: From Presentations l Daniel Le Métayer: Privacy by design: a formal framework for the analysis of architectural choices Daniel Le Métayer l Sanae Rosen, Zhiyun Qian, Zhuoqing Morley Mao: AppProfiler: a flexible method of exposing privacy-related behavior in android applications to end users Sanae RosenZhiyun QianZhuoqing Morley Mao l Wei Wei, Ting Yu, Rui Xue: iBigTable: practical data integrity for bigtable in public cloud Wei Ting YuRui Xue l Ebrahim Tarameshloo, Philip W. L. Fong, Payman Mohassel: On protection in federated social computing systems Ebrahim TarameshlooPhilip W. L. FongPayman Mohassel l Michael Mitchell, Guanyu Tian, Zhi Wang: Systematic audit of third-party android phones Michael MitchellGuanyu TianZhi Wang l Mohammad Saiful Islam, Mehmet Kuzu, Murat Kantarcioglu: Inference attack against encrypted range queries on outsourced databases Mohammad Saiful IslamMehmet KuzuMurat Kantarcioglu

Papers to Read for Exam #2: From Lectures - Elisa Bertino, Barbara Carminati, Elena Ferrari, Bhavani M. Thuraisingham, Amar Gupta: Selective and Authentic Third- Party Distribution of XML Documents. IEEE Trans. Knowl. Data Eng. 16(10): (2004) (first 6 sections, proofs not needed for exam) Elisa BertinoBarbara CarminatiElena FerrariAmar GuptaIEEE Trans. Knowl. Data Eng Barbara Carminati, Elena Ferrari, Raymond Heatherly, Murat Kantarcioglu, Bhavani M. Thuraisingham: A semantic web based framework for social network access control. SACMAT 2009: Barbara CarminatiElena FerrariRaymond HeatherlyMurat KantarciogluSACMAT Jack Lindamood, Raymond Heatherly, Murat Kantarcioglu, Bhavani M. Thuraisingham: Inferring private information using social network data. WWW 2009: Jack LindamoodRaymond HeatherlyMurat KantarciogluWWW Tyrone Cadenhead, Vaibhav Khadilkar, Murat Kantarcioglu, Bhavani M. Thuraisingham: A cloud-based RDF policy engine for assured information sharing. SACMAT 2012: Tyrone CadenheadVaibhav KhadilkarMurat KantarciogluSACMAT 2012

Contacts: Instructor - Dr. Bhavani Thuraisingham - Louis Beecherl Distinguished Professor of Computer Science - Executive Director of the Cyber Security Research and Education Institute - Erik Jonsson School of Engineering and Computer Science - The University of Texas at Dallas Richardson, TX Phone: Fax: URL: URL:

Contacts: Teaching Assistant l Mohammed Iftekhar l Teaching Assistant Computer Science PhD, Computer Science Erik Jonsson Sch of Engr & Com