Transcript Introduction - The University of Texas at Dallas

Cyber Security Essentials
Dr. Bhavani Thuraisingham
The University of Texas at Dallas
Introduction to the Course
May 29, 2015
Text Book
 CISSP All-in-One Exam Guide, Sixth Edition
 Author: Shon Harris
 Publisher: McGraw-Hill Osborne Media; 6th edition
 Language: English
Course Rules
 Unless special permission is obtained from the instructor, each
student will work individually.
 Copying material from other sources will not be permitted unless the
source is properly referenced.
 Any student who plagiarizes from other sources will be reported to
the Computer Science department and any other committees as
advised by the department
 No copying of anything from a paper except for about 10 words in
quotes. No copying of figure even if it is attributed. You have to draw
all figures.
 Course Attendance is Mandatory unless prior permission is obtained
Course Plan
 Exam #1: 20 points – July 10
 Exam #2: 20 points - August 7??
 Two term papers 10 points each: Total 20 points
- June 26, July 24
 Programming project : 20 points
- July 31
 Two Assignments: 10 points each: Total: 20 points
- June 19, July 17
Assignment #1
 Explain with examples the following
- Discretionary access control
- Mandatory access control
- Role-based access control (RBAC)
- Privacy aware role based access control
- Temporal role based access control
- Risk aware role-based access control
- Attribute-based access control
- Usage control (UCON)
Assignment #2
 Suppose you are give the assignment of the Chief Security Officer of
a major bank (e.g., Bank of America) or a Major hospital (e.g.,
Massachusetts General)
 Discuss the steps you need to take with respect to the following (you
need to keep the following in mining: Confidentiality, Integrity and
Availability;; you also need to understand the requirements of
banking or healthcare applications and the policies may be:
- Information classification
- Risk analysis
- Secure networks
- Secure data management
- Secure applications
Term Papers
 Write two papers on any topic discussed in class (that is, any of the
10 CISSP modules)
Sample format - 1
 Abstract
 Introduction
 Survey topics – e..g, access control models
 Analysis (compare the models)
 Future Directions
 References
Sample format - 2
 Abstract
 Introduction
 Literature survey and what are the limitations
 Your own approach and why it is better
 Future Directions
 References
Project
 Software
 Design document
- Project description
- Architecture (prefer with a picture) and description (software –
e.g., Oracle, Jena etc.)
- Results
- Analysis
- Potential improvements
- References
Sample projects
 Risk analysis tool
 Query modification for XACML
 Data mining tool for malware
 Trust management system
    -
Paper: Original – you can use material from
sources, reword (redraw) and give reference
 Abstract
 Introduction
 Body of the paper
- Comparing different approaches and analyzing
- Discuss your approach,
- Survey
 Conclusions
 References
- ([1]. [2], - - -[THUR99].
- Embed the reference also within the text.
- E.g., Tim Berners Lee has defined the semantic web to be -[2].
--
Contact
 For more information please contact
- Dr. Bhavani Thuraisingham
- Professor of Computer Science and
- Director of Cyber Security Research Center Erik Jonsson School
of Engineering and Computer Science EC31, The University of
Texas at Dallas Richardson, TX 75080
- Phone: 972-883-4738
- Fax: 972-883-2399
- Email: [email protected]
- URL:
- http://www.utdallas.edu/~bxt043000/
Index to Lectures for Exam #2
Lecture #3: Data Mining for Malware Detection
Lecture #7: Digital Forensics
Lecture #8: Privacy
Lecture #11: Access Control in Data Management Systems
Lecture #13: Secure Data Architectures
Lecture #20: Introduction to SOA, Secure SOA, Secure Cloud
Lecture #21: Secure Cloud Computing (some duplication with Lecture #20)
Lecture #22: Comprehensive Overview of Cloud Computing
Lecture #23: Secure Publication of XML Documents in the Cloud
Lecture #24: Cloud-based Assured Information Sharing
Lecture #25: Secure Social Media
 Also read the paper Managing Multi-Jurisdictional Requirements in the
Cloud: Towards a Computational Legal Landscape, David Gordon and Travis
Breaux; ACM CCS Cloud Security Workshop 2011
Papers to Read for Exam #2
 Managing Multi-Jurisdictional Requirements in the Cloud: Towards a
Computational Legal Landscape, David Gordon and Travis Breaux; ACM CCS
Cloud Security Workshop 2011
 Access Control in Data Management Systems (Lecture #11)
-
Suggested Papers
-
RBAC: Ravi S. Sandhu, Edward J. Coyne, Hal L. Feinstein, Charles E. Youman:
Role-Based Access Control Models. IEEE Computer 29(2): 38-47 (1996)
UCON: Jaehong Park, Ravi S. Sandhu: The UCONABC usage control model. ACM
Trans. Inf. Syst. Secur. 7(1): 128-174 (2004) - first 20 pages
DCON: Roshan K. Thomas, Ravi S. Sandhu: Towards a Multi-dimensional
Characterization of Dissemination Control. POLICY 2004: 197-200 (IEEE)
-
 Privacy (Lecture #8)
-
Suggested papers
-
Rakesh Agrawal, Ramakrishnan Srikant: Privacy-Preserving Data Mining. SIGMOD
Conference 2000: 439-450
Papers to Read for Exam #2
 Data Mining for Malware Detection (Lecture #3)
-
Suggested Papers
-
Mohammad M. Masud, Latifur Khan, Bhavani M. Thuraisingham: A Hybrid Model to
Detect Malicious Executables. ICC 2007: 1443-1448
 Secure Third Part Publication of XML Data in the Cloud (Lecture #23)
-
Suggested Papers
-
Elisa Bertino, Barbara Carminati, Elena Ferrari, Bhavani M. Thuraisingham, Amar
Gupta: Selective and Authentic Third-Party Distribution of XML Documents. IEEE
Trans. Knowl. Data Eng. 16(10): 1263-1278 (2004) (first 6 sections, proofs not
needed for exam)
 Cloud-basd Assured Information Sharing (Lecture #24)
-
Suggested Papers
-
Tyrone Cadenhead, Vaibhav Khadilkar, Murat Kantarcioglu, Bhavani M.
Thuraisingham: A cloud-based RDF policy engine for assured information sharing.
SACMAT 2012: 113-116
Papers to Read for Exam #2
 Secure Social Media (Lecture #25)
-
Suggested Papers
-
Barbara Carminati, Elena Ferrari, Raymond Heatherly, Murat Kantarcioglu, Bhavani
M. Thuraisingham: A semantic web based framework for social network access
control. SACMAT 2009: 177-186
-
Jack Lindamood, Raymond Heatherly, Murat Kantarcioglu, Bhavani M.
Thuraisingham: Inferring private information using social network data. WWW
2009: 1145-1146
Papers to Read for Presentations: CODASPY
2011
Lei Jin, Hassan Takabi, James B. D. Joshi: Towards active detection of identity
clone attacks on online social networks. 27-38 (Sachin)
Philip W. L. Fong: Relationship-based access control: protection model and policy
language. 191-202
Mohammad Jafari, Philip W. L. Fong, Reihaneh Safavi-Naini, Ken Barker, Nicholas
Paul Sheppard: Towards defining semantic foundations for purpose-based privacy
policies. 213-224 (Jane)
Igor Bilogrevic, Murtuza Jadliwala, Jean-Pierre Hubaux, Imad Aad, Valtteri Niemi:
Privacy-preserving activity scheduling on mobile devices. 261-272
Barbara Carminati, Elena Ferrari, Sandro Morasca, Davide Taibi: A probabilitybased approach to modeling the risk of unauthorized propagation of information in
on-line social networks. 51-62 (Chitra)
Papers to Read for Presentations: CODASPY
2012
 Yuhao Yang, Jonathan Lutes, Fengjun Li, Bo Luo, Peng Liu: Stalking online:
on user privacy in social networks. 37-48 (Jason)
 Suhendry Effendy, Roland H. C. Yap, Felix Halim: Revisiting link privacy in
social networks. 61-70 (Kruthika)
 Ninghui Li, Haining Chen, Elisa Bertino: On practical specification and
enforcement of obligations. 71-82 (Ankita)
 Ian Molloy, Luke Dickens, Charles Morisset, Pau-Chen Cheng, Jorge Lobo,
Alessandra Russo: Risk-based security decisions under uncertainty. 157-168
(Navya)
 Musheer Ahmed, Mustaque Ahamad: Protecting health information on mobile
devices. 229-240 (Ajay)
Papers to Read for Presentations: CODASPY
2013
 Sanae Rosen, Zhiyun Qian, Zhuoqing Morley Mao: AppProfiler: a flexible
method of exposing privacy-related behavior in android applications to end
users. 221-232 (Akshay)
 Rimma V. Nehme, Hyo-Sang Lim, Elisa Bertino: FENCE: continuous access
control enforcement in dynamic data stream environments. 243-254
 Wei Wei, Ting Yu, Rui Xue: iBigTable: practical data integrity for bigtable in
public cloud. 341-352 (Ashwin)
 Majid Arianezhad, L. Jean Camp, Timothy Kelley, Douglas Stebila:
Comparative eye tracking of experts and novices in web single sign-on. 105116
Papers to Read for Presentations: CODASPY
2014
 William C. Garrison III, Yechen Qiao, Adam J. Lee: On the suitability of
dissemination-centric access control systems for group-centric sharing. 1-12
(Pratyusha)
 Ebrahim Tarameshloo, Philip W. L. Fong, Payman Mohassel: On protection in
federated social computing systems. 75-86 (Aishwarya)
 Michael Mitchell, Guanyu Tian, Zhi Wang: Systematic audit of third-party
android phones. 175-186
 Tien Tuan Anh Dinh, Anwitaman Datta: Streamforce: outsourcing access
control enforcement for stream data to the clouds. 13-24 (Arpita)
 Mohammad Saiful Islam, Mehmet Kuzu, Murat Kantarcioglu: Inference attack
against encrypted range queries on outsourced databases. 235-246
Papers to Read for Presentations – ACM CCS
Cloud Security Workshop 2011
 All Your Clouds are Belong to us - Security Analysis of Cloud Management
Interfaces
Juraj Somorovsky, Mario Heiderich, Meiko Jensen, Joerg Schwenk, Nils
Gruschka and Luigi Lo Iacono (Kirupa)
 Trusted Platform-as-a-Service: A Foundation for Trustworthy Cloud-Hosted
Applications
Andrew Brown and Jeff Chase (Rohit)
 Detecting Fraudulent Use of Cloud Resources
Joseph Idziorek, Mark Tannian and Doug Jacobson
Papers to Read for Presentations – ACM CCS
Cloud Security Workshop 2012
 Fast Dynamic Extracted Honeypots in Cloud Computing
Sebastian Biedermann, Martin Mink, Stefan Katzenbeisser (Anirudh)
 Unity: Secure and Durable Personal Cloud Storage
Beom Heyn Kim, Wei Huang, David Lie
 Exploiting Split Browsers for Efficiently Protecting User Data
Angeliki Zavou, Elias Athanasopoulos, Georgios Portokalidis, Angelos
Keromytis (Rahul)
 CloudFilter: Practical Control of Sensitive Data Propagation to the Cloud
Ioannis Papagiannis, Peter Pietzuch
Papers to Read for Presentations – ACM CCS
Cloud Security Workshop 2013
 Structural Cloud Audits that Protect Private Information
Hongda Xiao; Bryan Ford; Joan Feigenbaum
 Cloudoscopy: Services Discovery and Topology Mapping
Amir Herzberg; Haya Shulman; Johanna Ullrich; Edgar Weippl (Ahmed)
 Cloudsweeper: Enabling Data-Centric Document Management for Secure
Cloud Archives
Chris Kanich; Peter Snyder (Greeshma)
 Supporting Complex Queries and Access Policies for Multi-user Encrypted
Databases
Muhammad Rizwan Asghar; Giovanni Russello; Bruno Crispo
Papers to Read for Presentations – ACM CCS
Cloud Security Workshop 2014
 CloudSafetyNet: Detecting Data Leakage between Cloud Tenants
Christian Priebe; Divya Muthukumaran; Dan O'Keeffe; David Eyers; Brian
Shand; Ruediger Kapitza; Peter Pietzuch (Sowmaya)
 Reconciling End-to-End Confidentiality and Data Reduction In Cloud Storage,
Nathalie Baracaldo; Elli Androulaki; Joseph Glider; Alessandro Sorniotti
 A Framework for Outsourcing of Secure Computation
Jesper Buus Nielsen; Claudio Orlandi (Ajay)
 Guardians of the Clouds: When Identity Providers Fail
Andreas Mayer; Marcus Niemietz; Vladislav Mladenov; Joerg Schwenk
(Viswesh)
 Your Software at my Service
Vladislav Mladenov, Christian Mainka; Florian Feldmann; Julian Krautwald;
Joerg Schwenk