Cyber Security Essentials
Dr. Bhavani Thuraisingham
The University of Texas at Dallas
Introduction to the Course
May 29, 2015
Text Book
• CISSP All-in-One Exam Guide, Sixth Edition
• Author: Shon Harris
• Publisher: McGraw-Hill Osborne Media; 6th edition
• Language: English
Course Rules
• Unless special permission is obtained from the instructor, each student will work individually.
• Copying material from other sources will not be permitted unless the source is properly referenced.
• Any student who plagiarizes from other sources will be reported to the Computer Science department and to any other committees as advised by the department.
• No copying of anything from a paper except for about 10 words in quotes. No copying of figures, even if attributed: you have to draw all figures yourself.
• Course attendance is mandatory unless prior permission is obtained.
Course Plan
• Exam #1: 20 points - July 10
• Exam #2: 20 points - August 7 (tentative)
• Two term papers, 10 points each (total 20 points) - June 26, July 24
• Programming project: 20 points - July 31
• Two assignments, 10 points each (total 20 points) - June 19, July 17
Assignment #1
• Explain with examples the following:
- Discretionary access control (DAC)
- Mandatory access control (MAC)
- Role-based access control (RBAC)
- Privacy-aware role-based access control
- Temporal role-based access control
- Risk-aware role-based access control
- Attribute-based access control (ABAC)
- Usage control (UCON)
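As an added illustration for this assignment (it is not course material and not taken from the textbook), the Python sketch below implements a toy policy decision point for four of the models listed: DAC, MAC in its Bell-LaPadula form, hierarchical RBAC and ABAC. Every user, object, label, role and rule in it is constructed for the example; the point is to see where the decision authority sits in each model (owner, system label, role assignment, attribute predicate) and how the same request can be permitted under one model and denied under another.

```python
"""Toy policy decision points for four of the access control models listed
in Assignment #1: DAC, MAC (Bell-LaPadula), RBAC and ABAC.  Added
illustration, not course material; every user, object, label, role and
policy below is constructed for the example."""
from dataclasses import dataclass, field


# --- DAC: the object's owner decides who else may access it.  Permissions
# live in a per-object ACL that only the owner may change.
@dataclass
class DacObject:
    owner: str
    acl: dict = field(default_factory=dict)  # subject -> set of operations


def dac_allows(obj: DacObject, subject: str, op: str) -> bool:
    return subject == obj.owner or op in obj.acl.get(subject, set())


def dac_grant(obj: DacObject, granter: str, grantee: str, op: str) -> None:
    """Delegation is at the owner's discretion; nobody else may grant."""
    if granter != obj.owner:
        raise PermissionError(f"{granter} does not own the object")
    obj.acl.setdefault(grantee, set()).add(op)


# --- MAC: labels are assigned by the system, not by the owner.  Bell-LaPadula
# rules: simple security (no read up) and the *-property (no write down).
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}


def mac_allows(subject_label: str, object_label: str, op: str) -> bool:
    s, o = LEVELS[subject_label], LEVELS[object_label]
    if op == "read":
        return s >= o
    if op == "write":
        return s <= o
    return False


# --- RBAC: permissions attach to roles, users are assigned roles, and a
# role hierarchy lets a senior role inherit a junior role's permissions.
ROLE_PERMS = {
    "teller": {("account", "read"), ("account", "deposit")},
    "manager": {("account", "approve_loan")},
    "auditor": {("account", "read"), ("audit_log", "read")},
}
ROLE_HIERARCHY = {"manager": {"teller"}}  # manager inherits teller


def effective_roles(roles: set) -> set:
    """Transitive closure of the role hierarchy."""
    result, frontier = set(roles), list(roles)
    while frontier:
        r = frontier.pop()
        for junior in ROLE_HIERARCHY.get(r, ()):
            if junior not in result:
                result.add(junior)
                frontier.append(junior)
    return result


def rbac_allows(user_roles: set, obj_type: str, op: str) -> bool:
    return any((obj_type, op) in ROLE_PERMS.get(r, ())
               for r in effective_roles(user_roles))


# --- ABAC: the decision is a predicate over subject, object and environment
# attributes; no identity or role name needs to appear in the rule.
def abac_allows(subject: dict, obj: dict, env: dict, policy: list) -> bool:
    return any(rule(subject, obj, env) for rule in policy)


# Constructed policy: same-department staff may read during business hours,
# and anyone cleared at or above the record's sensitivity may read any time.
ABAC_POLICY = [
    lambda s, o, e: s["department"] == o["department"] and 8 <= e["hour"] < 18,
    lambda s, o, e: s["clearance"] >= o["sensitivity"],
]


def demo() -> dict:
    """One request, a teller reading a customer record, under each model."""
    record = DacObject(owner="alice")
    dac_grant(record, "alice", "bob", "read")        # owner delegates read
    return {
        "dac": dac_allows(record, "bob", "read"),     # permit: owner said so
        "mac": mac_allows("confidential", "secret", "read"),  # deny: read up
        "rbac": rbac_allows({"teller"}, "account", "read"),   # permit: role
        "abac": abac_allows(                          # deny: after hours and
            {"department": "retail", "clearance": 1},  # under-cleared
            {"department": "retail", "sensitivity": 2},
            {"hour": 20}, ABAC_POLICY),
    }


if __name__ == "__main__":
    for model, decision in demo().items():
        print(f"{model}: {'permit' if decision else 'deny'}")
```

Running the block prints one decision per model for the same request. The temporal, privacy-aware and risk-aware RBAC variants in the assignment extend this picture by adding time windows, purpose attributes or a risk score to the role-based decision, which the ABAC environment attribute `hour` already hints at; UCON goes further by re-evaluating the decision while access is in progress.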
Assignment #2
• Suppose you are given the assignment of Chief Security Officer of a major bank (e.g., Bank of America) or a major hospital (e.g., Massachusetts General).
• Discuss the steps you need to take with respect to the following. Keep Confidentiality, Integrity and Availability in mind; you also need to understand the requirements of banking or healthcare applications and the policies that apply to them.
- Information classification
- Risk analysis
- Secure networks
- Secure data management
- Secure applications
Term Papers
• Write two papers on any topic discussed in class (that is, any of the 10 CISSP modules)
Sample format - 1
• Abstract
• Introduction
• Survey topics (e.g., access control models)
• Analysis (compare the models)
• Future Directions
• References
Sample format - 2
• Abstract
• Introduction
• Literature survey and its limitations
• Your own approach and why it is better
• Future Directions
• References
Project
• Software
• Design document
- Project description
- Architecture (preferably with a picture) and description of the software used (e.g., Oracle, Jena, etc.)
- Results
- Analysis
- Potential improvements
- References
Sample projects
• Risk analysis tool
• Query modification for XACML
• Data mining tool for malware
• Trust management system
Paper: Original work. You may use material from sources, but reword it (and redraw figures) and give the reference.
• Abstract
• Introduction
• Body of the paper
- Compare different approaches and analyze them
- Discuss your approach
- Survey
• Conclusions
• References, numbered ([1], [2], ...) or keyed ([THUR99])
- Embed the reference within the text as well, e.g., "Tim Berners-Lee has defined the semantic web to be ... [2]."
Index to Lectures for Exam #2
• Lecture #3: Data Mining for Malware Detection
• Lecture #7: Digital Forensics
• Lecture #8: Privacy
• Lecture #11: Access Control in Data Management Systems
• Lecture #13: Secure Data Architectures
• Lecture #20: Introduction to SOA, Secure SOA, Secure Cloud
• Lecture #21: Secure Cloud Computing (some duplication with Lecture #20)
• Lecture #22: Comprehensive Overview of Cloud Computing
• Lecture #23: Secure Publication of XML Documents in the Cloud
• Lecture #24: Cloud-based Assured Information Sharing
• Lecture #25: Secure Social Media
• Also read the paper: Managing Multi-Jurisdictional Requirements in the Cloud: Towards a Computational Legal Landscape, David Gordon and Travis Breaux, ACM CCS Cloud Security Workshop 2011
Papers to Read for Exam #2
• Managing Multi-Jurisdictional Requirements in the Cloud: Towards a Computational Legal Landscape, David Gordon and Travis Breaux, ACM CCS Cloud Security Workshop 2011
• Access Control in Data Management Systems (Lecture #11) - Suggested papers:
- RBAC: Ravi S. Sandhu, Edward J. Coyne, Hal L. Feinstein, Charles E. Youman: Role-Based Access Control Models. IEEE Computer 29(2), 1996
- UCON: Jaehong Park, Ravi S. Sandhu: The UCONABC usage control model. ACM Trans. Inf. Syst. Secur. 7(1), 2004 (first 20 pages)
- DCON: Roshan K. Thomas, Ravi S. Sandhu: Towards a Multi-dimensional Characterization of Dissemination Control. POLICY 2004 (IEEE)
• Privacy (Lecture #8) - Suggested papers:
- Rakesh Agrawal, Ramakrishnan Srikant: Privacy-Preserving Data Mining. SIGMOD Conference 2000
Papers to Read for Exam #2
• Data Mining for Malware Detection (Lecture #3) - Suggested papers:
- Mohammad M. Masud, Latifur Khan, Bhavani M. Thuraisingham: A Hybrid Model to Detect Malicious Executables. ICC 2007
• Secure Third-Party Publication of XML Data in the Cloud (Lecture #23) - Suggested papers:
- Elisa Bertino, Barbara Carminati, Elena Ferrari, Bhavani M. Thuraisingham, Amar Gupta: Selective and Authentic Third-Party Distribution of XML Documents. IEEE Trans. Knowl. Data Eng. 16(10), 2004 (first 6 sections; proofs not needed for the exam)
• Cloud-based Assured Information Sharing (Lecture #24) - Suggested papers:
- Tyrone Cadenhead, Vaibhav Khadilkar, Murat Kantarcioglu, Bhavani M. Thuraisingham: A cloud-based RDF policy engine for assured information sharing. SACMAT 2012
Papers to Read for Exam #2
• Secure Social Media (Lecture #25) - Suggested papers:
- Barbara Carminati, Elena Ferrari, Raymond Heatherly, Murat Kantarcioglu, Bhavani M. Thuraisingham: A semantic web based framework for social network access control. SACMAT 2009
- Jack Lindamood, Raymond Heatherly, Murat Kantarcioglu, Bhavani M. Thuraisingham: Inferring private information using social network data. WWW 2009
Papers to Read for Presentations: CODASPY 2011
• Lei Jin, Hassan Takabi, James B. D. Joshi: Towards active detection of identity clone attacks on online social networks (Sachin)
• Philip W. L. Fong: Relationship-based access control: protection model and policy language
• Mohammad Jafari, Philip W. L. Fong, Reihaneh Safavi-Naini, Ken Barker, Nicholas Paul Sheppard: Towards defining semantic foundations for purpose-based privacy policies (Jane)
• Igor Bilogrevic, Murtuza Jadliwala, Jean-Pierre Hubaux, Imad Aad, Valtteri Niemi: Privacy-preserving activity scheduling on mobile devices
• Barbara Carminati, Elena Ferrari, Sandro Morasca, Davide Taibi: A probability-based approach to modeling the risk of unauthorized propagation of information in on-line social networks (Chitra)
Papers to Read for Presentations: CODASPY 2012
• Yuhao Yang, Jonathan Lutes, Fengjun Li, Bo Luo, Peng Liu: Stalking online: on user privacy in social networks (Jason)
• Suhendry Effendy, Roland H. C. Yap, Felix Halim: Revisiting link privacy in social networks (Kruthika)
• Ninghui Li, Haining Chen, Elisa Bertino: On practical specification and enforcement of obligations (Ankita)
• Ian Molloy, Luke Dickens, Charles Morisset, Pau-Chen Cheng, Jorge Lobo, Alessandra Russo: Risk-based security decisions under uncertainty (Navya)
• Musheer Ahmed, Mustaque Ahamad: Protecting health information on mobile devices (Ajay)
Papers to Read for Presentations: CODASPY 2013
• Sanae Rosen, Zhiyun Qian, Zhuoqing Morley Mao: AppProfiler: a flexible method of exposing privacy-related behavior in android applications to end users (Akshay)
• Rimma V. Nehme, Hyo-Sang Lim, Elisa Bertino: FENCE: continuous access control enforcement in dynamic data stream environments
• Wei Wei, Ting Yu, Rui Xue: iBigTable: practical data integrity for bigtable in public cloud (Ashwin)
• Majid Arianezhad, L. Jean Camp, Timothy Kelley, Douglas Stebila: Comparative eye tracking of experts and novices in web single sign-on
Papers to Read for Presentations: CODASPY 2014
• William C. Garrison III, Yechen Qiao, Adam J. Lee: On the suitability of dissemination-centric access control systems for group-centric sharing (Pratyusha)
• Ebrahim Tarameshloo, Philip W. L. Fong, Payman Mohassel: On protection in federated social computing systems (Aishwarya)
• Michael Mitchell, Guanyu Tian, Zhi Wang: Systematic audit of third-party android phones
• Tien Tuan Anh Dinh, Anwitaman Datta: Streamforce: outsourcing access control enforcement for stream data to the clouds (Arpita)
• Mohammad Saiful Islam, Mehmet Kuzu, Murat Kantarcioglu: Inference attack against encrypted range queries on outsourced databases
Papers to Read for Presentations – ACM CCS Cloud Security Workshop 2011
• All Your Clouds are Belong to us - Security Analysis of Cloud Management Interfaces. Juraj Somorovsky, Mario Heiderich, Meiko Jensen, Joerg Schwenk, Nils Gruschka and Luigi Lo Iacono (Kirupa)
• Trusted Platform-as-a-Service: A Foundation for Trustworthy Cloud-Hosted Applications. Andrew Brown and Jeff Chase (Rohit)
• Detecting Fraudulent Use of Cloud Resources. Joseph Idziorek, Mark Tannian and Doug Jacobson
Papers to Read for Presentations – ACM CCS Cloud Security Workshop 2012
• Fast Dynamic Extracted Honeypots in Cloud Computing. Sebastian Biedermann, Martin Mink, Stefan Katzenbeisser (Anirudh)
• Unity: Secure and Durable Personal Cloud Storage. Beom Heyn Kim, Wei Huang, David Lie
• Exploiting Split Browsers for Efficiently Protecting User Data. Angeliki Zavou, Elias Athanasopoulos, Georgios Portokalidis, Angelos Keromytis (Rahul)
• CloudFilter: Practical Control of Sensitive Data Propagation to the Cloud. Ioannis Papagiannis, Peter Pietzuch
Papers to Read for Presentations – ACM CCS Cloud Security Workshop 2013
• Structural Cloud Audits that Protect Private Information. Hongda Xiao, Bryan Ford, Joan Feigenbaum
• Cloudoscopy: Services Discovery and Topology Mapping. Amir Herzberg, Haya Shulman, Johanna Ullrich, Edgar Weippl (Ahmed)
• Cloudsweeper: Enabling Data-Centric Document Management for Secure Cloud Archives. Chris Kanich, Peter Snyder (Greeshma)
• Supporting Complex Queries and Access Policies for Multi-user Encrypted Databases. Muhammad Rizwan Asghar, Giovanni Russello, Bruno Crispo
Papers to Read for Presentations – ACM CCS Cloud Security Workshop 2014
• CloudSafetyNet: Detecting Data Leakage between Cloud Tenants. Christian Priebe, Divya Muthukumaran, Dan O'Keeffe, David Eyers, Brian Shand, Ruediger Kapitza, Peter Pietzuch (Sowmaya)
• Reconciling End-to-End Confidentiality and Data Reduction In Cloud Storage. Nathalie Baracaldo, Elli Androulaki, Joseph Glider, Alessandro Sorniotti
• A Framework for Outsourcing of Secure Computation. Jesper Buus Nielsen, Claudio Orlandi (Ajay)
• Guardians of the Clouds: When Identity Providers Fail. Andreas Mayer, Marcus Niemietz, Vladislav Mladenov, Joerg Schwenk (Viswesh)
• Your Software at my Service. Vladislav Mladenov, Christian Mainka, Florian Feldmann, Julian Krautwald, Joerg Schwenk