1. Cyber Security Essentials Dr. Bhavani Thuraisingham The University of Texas at Dallas Introduction to the Course May 29, 2015

2. Text Book l CISSP All-in-One Exam Guide, Sixth Edition l Author: Shon Harris l Publisher: McGraw-Hill Osborne Media; 6th edition l Language: English

3. Course Rules l Unless special permission is obtained from the instructor, each student will work individually. l Copying material from other sources will not be permitted unless the source is properly referenced. l Any student who plagiarizes from other sources will be reported to the Computer Science department and any other committees as advised by the department l No copying of anything from a paper except for about 10 words in quotes. No copying of figure even if it is attributed. You have to draw all figures. l Course Attendance is Mandatory unless prior permission is obtained

4. Course Plan l Exam #1: 20 points – July 10 l Exam #2: 20 points - August 7?? l Two term papers 10 points each: Total 20 points - June 26, July 24 l Programming project : 20 points - July 31 l Two Assignments: 10 points each: Total: 20 points - June 19, July 17

5. Assignment #1 l Explain with examples the following - Discretionary access control - Mandatory access control - Role-based access control (RBAC) - Privacy aware role based access control - Temporal role based access control - Risk aware role-based access control - Attribute-based access control - Usage control (UCON)

6. Assignment #2 l Suppose you are give the assignment of the Chief Security Officer of a major bank (e.g., Bank of America) or a Major hospital (e.g., Massachusetts General) l Discuss the steps you need to take with respect to the following (you need to keep the following in mining: Confidentiality, Integrity and Availability;; you also need to understand the requirements of banking or healthcare applications and the policies may be: - Information classification - Risk analysis - Secure networks - Secure data management - Secure applications

7. Term Papers l Write two papers on any topic discussed in class (that is, any of the 10 CISSP modules)

8. Sample format - 1 l Abstract l Introduction l Survey topics – e..g, access control models l Analysis (compare the models) l Future Directions l References

9. Sample format - 2 l Abstract l Introduction l Literature survey and what are the limitations l Your own approach and why it is better l Future Directions l References

10. Project l Software l Design document - Project description - Architecture (prefer with a picture) and description (software – e.g., Oracle, Jena etc.) - Results - Analysis - Potential improvements - References

11. Sample projects l Risk analysis tool l Query modification for XACML l Data mining tool for malware l Trust management system l -

12. Paper: Original – you can use material from sources, reword (redraw) and give reference l Abstract l Introduction l Body of the paper - Comparing different approaches and analyzing - Discuss your approach, - Survey l Conclusions l References - ([1]. [2], - - -[THUR99]. - Embed the reference also within the text. - E.g., Tim Berners Lee has defined the semantic web to be -- -- [2].

13. Contact l For more information please contact - Dr. Bhavani Thuraisingham - Professor of Computer Science and - Director of Cyber Security Research Center Erik Jonsson School of Engineering and Computer Science EC31, The University of Texas at Dallas Richardson, TX 75080 - Phone: 972-883-4738 - Fax: 972-883-2399 - Email: bhavani.thuraisingham@utdallas.edu - URL: - http://www.utdallas.edu/~bxt043000/

14. Index to Lectures for Exam #2 Lecture #3: Data Mining for Malware Detection Lecture #7: Digital Forensics Lecture #8: Privacy Lecture #11: Access Control in Data Management Systems Lecture #13: Secure Data Architectures Lecture #20: Introduction to SOA, Secure SOA, Secure Cloud Lecture #21: Secure Cloud Computing (some duplication with Lecture #20) Lecture #22: Comprehensive Overview of Cloud Computing Lecture #23: Secure Publication of XML Documents in the Cloud Lecture #24: Cloud-based Assured Information Sharing Lecture #25: Secure Social Media l Also read the paper Managing Multi-Jurisdictional Requirements in the Cloud: Towards a Computational Legal Landscape, David Gordon and Travis Breaux; ACM CCS Cloud Security Workshop 2011

15. Papers to Read for Exam #2 l Managing Multi-Jurisdictional Requirements in the Cloud: Towards a Computational Legal Landscape, David Gordon and Travis Breaux; ACM CCS Cloud Security Workshop 2011 l Access Control in Data Management Systems (Lecture #11) - Suggested Papers - RBAC: Ravi S. Sandhu, Edward J. Coyne, Hal L. Feinstein, Charles E. Youman: Role-Based Access Control Models. IEEE Computer 29(2): 38-47 (1996)Edward J. CoyneHal L. FeinsteinCharles E. YoumanIEEE Computer 29 - UCON: Jaehong Park, Ravi S. Sandhu: The UCONABC usage control model. ACM Trans. Inf. Syst. Secur. 7(1): 128-174 (2004) - first 20 pagesRavi S. SandhuACM Trans. Inf. Syst. Secur. 7 - DCON: Roshan K. Thomas, Ravi S. Sandhu: Towards a Multi-dimensional Characterization of Dissemination Control. POLICY 2004: 197-200 (IEEE)Ravi S. SandhuPOLICY 2004 l Privacy (Lecture #8) - Suggested papers - Rakesh Agrawal, Ramakrishnan Srikant: Privacy-Preserving Data Mining. SIGMOD Conference 2000: 439-450Ramakrishnan SrikantSIGMOD Conference 2000

16. Papers to Read for Exam #2 l Data Mining for Malware Detection (Lecture #3) - Suggested Papers - Mohammad M. Masud, Latifur Khan, Bhavani M. Thuraisingham: A Hybrid Model to Detect Malicious Executables. ICC 2007: 1443-1448Latifur KhanBhavani M. ThuraisinghamICC 2007 l Secure Third Part Publication of XML Data in the Cloud (Lecture #23) - Suggested Papers - Elisa Bertino, Barbara Carminati, Elena Ferrari, Bhavani M. Thuraisingham, Amar Gupta: Selective and Authentic Third-Party Distribution of XML Documents. IEEE Trans. Knowl. Data Eng. 16(10): 1263-1278 (2004) (first 6 sections, proofs not needed for exam) Elisa BertinoBarbara CarminatiElena FerrariAmar GuptaIEEE Trans. Knowl. Data Eng. 16 l Cloud-basd Assured Information Sharing (Lecture #24) - Suggested Papers - Tyrone Cadenhead, Vaibhav Khadilkar, Murat Kantarcioglu, Bhavani M. Thuraisingham: A cloud-based RDF policy engine for assured information sharing. SACMAT 2012: 113-116 Tyrone CadenheadVaibhav KhadilkarMurat Kantarcioglu SACMAT 2012

17. Papers to Read for Exam #2 l Secure Social Media (Lecture #25) - Suggested Papers - Barbara Carminati, Elena Ferrari, Raymond Heatherly, Murat Kantarcioglu, Bhavani M. Thuraisingham: A semantic web based framework for social network access control. SACMAT 2009: 177-186 Barbara CarminatiElena FerrariRaymond HeatherlyMurat KantarciogluSACMAT 2009 - Jack Lindamood, Raymond Heatherly, Murat Kantarcioglu, Bhavani M. Thuraisingham: Inferring private information using social network data. WWW 2009: 1145-1146 Jack LindamoodRaymond HeatherlyMurat KantarciogluWWW 2009

18. Papers to Read for Presentations: CODASPY 2011 Lei JinLei Jin, Hassan Takabi, James B. D. Joshi: Towards active detection of identity clone attacks on online social networks. 27-38 (Sachin)Hassan TakabiJames B. D. Joshi Philip W. L. FongPhilip W. L. Fong: Relationship-based access control: protection model and policy language. 191-202 Mohammad JafariMohammad Jafari, Philip W. L. Fong, Reihaneh Safavi-Naini, Ken Barker, Nicholas Paul Sheppard: Towards defining semantic foundations for purpose-based privacy policies. 213-224 (Jane)Philip W. L. FongReihaneh Safavi-NainiKen BarkerNicholas Paul Sheppard Igor BilogrevicIgor Bilogrevic, Murtuza Jadliwala, Jean-Pierre Hubaux, Imad Aad, Valtteri Niemi: Privacy-preserving activity scheduling on mobile devices. 261-272Murtuza JadliwalaJean-Pierre HubauxImad AadValtteri Niemi Barbara CarminatiBarbara Carminati, Elena Ferrari, Sandro Morasca, Davide Taibi: A probability- based approach to modeling the risk of unauthorized propagation of information in on-line social networks. 51-62 (Chitra)Elena FerrariSandro MorascaDavide Taibi

19. Papers to Read for Presentations: CODASPY 2012 l Yuhao Yang, Jonathan Lutes, Fengjun Li, Bo Luo, Peng Liu: Stalking online: on user privacy in social networks. 37-48 (Jason) Yuhao YangJonathan LutesFengjun LiBo LuoPeng Liu l Suhendry Effendy, Roland H. C. Yap, Felix Halim: Revisiting link privacy in social networks. 61-70 (Kruthika) Suhendry EffendyRoland H. C. YapFelix Halim l Ninghui Li, Haining Chen, Elisa Bertino: On practical specification and enforcement of obligations. 71-82 (Ankita) Ninghui LiHaining ChenElisa Bertino l Ian Molloy, Luke Dickens, Charles Morisset, Pau-Chen Cheng, Jorge Lobo, Alessandra Russo: Risk-based security decisions under uncertainty. 157-168 (Navya) Ian MolloyLuke DickensCharles MorissetPau-Chen ChengJorge Lobo Alessandra Russo l Musheer Ahmed, Mustaque Ahamad: Protecting health information on mobile devices. 229-240 (Ajay) Musheer AhmedMustaque Ahamad

20. Papers to Read for Presentations: CODASPY 2013 l Sanae Rosen, Zhiyun Qian, Zhuoqing Morley Mao: AppProfiler: a flexible method of exposing privacy-related behavior in android applications to end users. 221-232 (Akshay) Sanae RosenZhiyun QianZhuoqing Morley Mao l Rimma V. Nehme, Hyo-Sang Lim, Elisa Bertino: FENCE: continuous access control enforcement in dynamic data stream environments. 243-254 Rimma V. NehmeHyo-Sang LimElisa Bertino l Wei Wei, Ting Yu, Rui Xue: iBigTable: practical data integrity for bigtable in public cloud. 341-352 (Ashwin) Wei Ting YuRui Xue l Majid Arianezhad, L. Jean Camp, Timothy Kelley, Douglas Stebila: Comparative eye tracking of experts and novices in web single sign-on. 105- 116 Majid ArianezhadL. Jean CampTimothy KelleyDouglas Stebila

21. Papers to Read for Presentations: CODASPY 2014 l William C. Garrison III, Yechen Qiao, Adam J. Lee: On the suitability of dissemination-centric access control systems for group-centric sharing. 1-12 (Pratyusha) William C. Garrison IIIYechen QiaoAdam J. Lee l Ebrahim Tarameshloo, Philip W. L. Fong, Payman Mohassel: On protection in federated social computing systems. 75-86 (Aishwarya) Ebrahim TarameshlooPhilip W. L. FongPayman Mohassel l Michael Mitchell, Guanyu Tian, Zhi Wang: Systematic audit of third-party android phones. 175-186 Michael MitchellGuanyu TianZhi Wang l Tien Tuan Anh Dinh, Anwitaman Datta: Streamforce: outsourcing access control enforcement for stream data to the clouds. 13-24 (Arpita) Tien Tuan Anh DinhAnwitaman Datta l Mohammad Saiful Islam, Mehmet Kuzu, Murat Kantarcioglu: Inference attack against encrypted range queries on outsourced databases. 235-246 Mohammad Saiful IslamMehmet KuzuMurat Kantarcioglu

22. Papers to Read for Presentations – ACM CCS Cloud Security Workshop 2011 l All Your Clouds are Belong to us - Security Analysis of Cloud Management Interfaces Juraj Somorovsky, Mario Heiderich, Meiko Jensen, Joerg Schwenk, Nils Gruschka and Luigi Lo Iacono (Kirupa) l Trusted Platform-as-a-Service: A Foundation for Trustworthy Cloud-Hosted Applications Andrew Brown and Jeff Chase (Rohit) l Detecting Fraudulent Use of Cloud Resources Joseph Idziorek, Mark Tannian and Doug Jacobson

23. Papers to Read for Presentations – ACM CCS Cloud Security Workshop 2012 l Fast Dynamic Extracted Honeypots in Cloud Computing Sebastian Biedermann, Martin Mink, Stefan Katzenbeisser (Anirudh) l Unity: Secure and Durable Personal Cloud Storage Beom Heyn Kim, Wei Huang, David Lie l Exploiting Split Browsers for Efficiently Protecting User Data Angeliki Zavou, Elias Athanasopoulos, Georgios Portokalidis, Angelos Keromytis (Rahul) l CloudFilter: Practical Control of Sensitive Data Propagation to the Cloud Ioannis Papagiannis, Peter Pietzuch

24. Papers to Read for Presentations – ACM CCS Cloud Security Workshop 2013 l Structural Cloud Audits that Protect Private Information Hongda Xiao; Bryan Ford; Joan Feigenbaum l Cloudoscopy: Services Discovery and Topology Mapping Amir Herzberg; Haya Shulman; Johanna Ullrich; Edgar Weippl (Ahmed) l Cloudsweeper: Enabling Data-Centric Document Management for Secure Cloud Archives Chris Kanich; Peter Snyder (Greeshma) l Supporting Complex Queries and Access Policies for Multi-user Encrypted Databases Muhammad Rizwan Asghar; Giovanni Russello; Bruno Crispo

25. Papers to Read for Presentations – ACM CCS Cloud Security Workshop 2014 l CloudSafetyNet: Detecting Data Leakage between Cloud Tenants Christian Priebe; Divya Muthukumaran; Dan O'Keeffe; David Eyers; Brian Shand; Ruediger Kapitza; Peter Pietzuch (Sowmaya) l Reconciling End-to-End Confidentiality and Data Reduction In Cloud Storage, Nathalie Baracaldo; Elli Androulaki; Joseph Glider; Alessandro Sorniotti l A Framework for Outsourcing of Secure Computation Jesper Buus Nielsen; Claudio Orlandi (Ajay) l Guardians of the Clouds: When Identity Providers Fail Andreas Mayer; Marcus Niemietz; Vladislav Mladenov; Joerg Schwenk (Viswesh) l Your Software at my Service Vladislav Mladenov, Christian Mainka; Florian Feldmann; Julian Krautwald; Joerg Schwenk