Introduction - The University of Texas at Dallas

Data and Applications Security
Developments and Directions
Dr. Bhavani Thuraisingham
The University of Texas at Dallas
Introduction to the Course
August 29, 2014
Objective of the Unit
- This unit provides an overview of the course. The course describes concepts, developments, challenges, and directions in data and applications security. Topics include:
  - database security, distributed data management security, object security, data warehouse security, data mining for security applications, privacy, secure semantic web, secure digital libraries, secure knowledge management and secure sensor information management, biometrics
Outline of the Unit
- Outline of Course
- Course Work
- Course Rules
- Contact
- Appendix
Outline of the Course
- Unit #1: Introduction to Data and Applications
- Part I: Background
  - Unit #2: Data Management
  - Unit #3: Information Security
  - Unit #4: Information Management
- Part II: Discretionary Security
  - Unit #5: Concepts
  - Unit #6: Policy Enforcement
- Part III: Mandatory Security
  - Unit #7: Concepts
  - Unit #8: Architectures, including Semantic Web
Outline of the Course (Continued)
- Part IV: Secure Relational Data Management
  - Unit #9: Data Model
  - Unit #10: Functions
  - Unit #11: Prototypes and Products
- Part V: Inference Problem
  - Unit #12: Concepts
  - Unit #13: Constraint Processing
  - Unit #14: Conceptual Structures
- Part VI: Secure Distributed Data Management
  - Unit #15: Secure Distributed Data Management
  - Unit #16: Secure Heterogeneous Data Integration
  - Unit #17: Secure Federated Data Management
Outline of the Course (Continued)
- Part VII: Secure Object Data Management
  - Unit #18: Secure Object Management
  - Unit #19: Secure Distributed Objects and Modeling Applications
  - Unit #20: Secure Multimedia Systems
- Part VIII: Data Warehousing, Data Mining and Security
  - Unit #21: Secure Data Warehousing
  - Unit #22: Data Mining for Security Applications
  - Unit #23: Privacy
  - Additional Lectures:
    - Insider Threat Detection
    - Reactively Adaptive Malware
Outline of the Course (Continued)
- Part IX: Secure Information Management
  - Unit #24: Secure Digital Libraries
  - Unit #25: Secure Semantic Web (web services, XML security)
  - Unit #26: Secure Information and Knowledge Management
  - Additional Topics:
    - Secure Web Services and identity management
    - Social Network Security and Privacy
    - Secure cloud computing and secure cloud query processing
- Part X: Dependable Data Management and Forensics
  - Unit #27: Secure Dependable Data Management
  - Unit #28: Secure Sensor and Wireless Data Management
  - Unit #29: Other Technologies, e.g., digital forensics, biometrics, etc.
Outline of the Course (Continued)
- Part XI: Emerging Technologies
  - Papers from ACM CODASPY 2011, 2012, 2013, 2014 on Data and Applications Security and Privacy
- Unit #30: Conclusion to the Course
Topics Covered
- August 29: Introduction, Security modules
- September 5: Access control, Malware
- September 12: Dr. Lin lecture, Multilevel database management
- September 19: Inference problem + continuation of the September 12 lecture
- September 26: Secure distributed data management, Secure objects
- October 3: Data Warehousing, Data Mining, Security, Privacy
- October 10: Secure web services, XML security
- October 24: Secure semantic web, Secure web/knowledge management
- October 31: Secure cloud, Secure social media
- November 7: Digital forensics, Biometrics, + misc. other topics
- November 14: Paper presentation
- November 21: Paper presentation
Course Work
- Two term papers, each worth 8 points
- Two exams, each worth 20 points
- Programming project worth 15 points
- Four homework assignments, each worth 6 points
- Paper presentation: 5 points
- Total: 100 points
- Course Reference Book: Database and Applications Security: Integrating Data Management and Information Security, Bhavani Thuraisingham, CRC Press, 2005
- Will also include papers as reading material
Tentative Schedule
- Assignment #1: Due September 26, 2014 (posted lecture 7)
- Assignment #2: Due October 3, 2014 (lecture 11) – new due date 10/10/14
- Term paper #1: October 10, 2014 – new due date 10/13/14
- Exam #1: October 17, 2014
- Assignment #3: October 31, 2014
- Assignment #4: November 7, 2014
- Term paper #2: November 14, 2014
- Programming project: November 21, 2014
- Exam #2: December 5, 2014
Assignments #1, 2, 3, 4
- Assignment #1: Posted in Lecture 8
- Assignment #2: Posted in Lecture 11
- Assignment #3: Posted in Lecture 16
- Assignment #4: Posted in Lecture 26
Some Topics for Papers: Any topic in data and applications security
- XML Security
- Inference Problem
- Privacy
- Secure Biometrics (after exam #1)
- Intrusion Detection
- E-Commerce Security (will be discussed after exam #1)
- Secure Sensor Information Management (after exam #1)
- Secure Distributed Systems
- Secure Semantic Web (after exam #1)
- Secure Data Warehousing
- Insider Threat Analysis
- Secure Multimedia/Geospatial Systems
- Malware Detection
- Policies and Access Control
- Designs of Multilevel Secure Databases
Term Papers: Example Format
- Abstract
- Introduction
- Background on the Topic
- Survey of various techniques, designs, etc. (e.g., access control policies, inference control methods)
- Analyze the techniques, designs, etc. and give your opinions
- Directions for further work
- Summary and Conclusions
- References
Term Papers: Example Format - II
- Abstract
- Introduction
- Background on the Topic and Related Work
- Discuss strengths and weaknesses of others’ work
- Give your own design and say why it is better
- Directions for further work
- Summary and Conclusions
- References
Project Report Format
- Overview of the Project
- Design of the System
- Input/Output
- Future Enhancements
- References
Some Project Topics
- Query Modification on XML Documents
- Access control for web systems
- Intrusion detection system
- Access control for multimedia systems
  - E.g., access control for image, video
- Role-based access control system
- Access control for object systems
- Secure data warehouse
Course Rules
- Course attendance is mandatory, unless permission is obtained from the instructor for missing a class with a valid reason (documentation needed for a medical emergency for the student or a close family member, e.g., spouse, parent, child). Attendance will be collected every lecture. 3 points will be deducted out of 100 for each lecture missed without approval.
- Each student will work individually.
- Late assignments will not be accepted. All assignments have to be turned in just after the lecture on the due date.
- No make-up exams unless the student can produce a medical certificate or give evidence of a close family emergency.
- Copying material from other sources will not be permitted unless the source is properly referenced.
- Any student who plagiarizes from other sources will be reported to the appropriate UTD authorities.
Index to Lectures for Exam #1
Introduction to course
Lecture 1: Introduction to data and applications security
Lecture 2: Cyber security modules (extra credit)
Lecture 3: Information Management (not included in exam)
Lecture 4: Access control
Lecture 5: Dr. Lin’s guest lecture (not included in the exam)
Lecture 6: Multilevel secure data management
Lecture 7: Assignment #1
Lecture 8: Inference problem – 1
Lecture 9: Inference problem – 2
Lecture 10: Assignment 3
Lecture 11: Secure Distributed Data Management
Index to Lectures for Exam #1
Lecture 12: Secure Object Systems
Lecture 13: Data Warehousing, Data Mining Security
Lecture 14: Privacy
Lecture 15: Data Mining for Malware Detection
Lecture 16: Assignment #3
Lecture 17: Malware (guest lecture)
Lecture 18: Insider Threat Detection
Papers to Read for Exam #1
- RBAC: Ravi S. Sandhu, Edward J. Coyne, Hal L. Feinstein, Charles E. Youman: Role-Based Access Control Models. IEEE Computer 29(2): 38-47 (1996)
- UCON: Jaehong Park, Ravi S. Sandhu: The UCONABC usage control model. ACM Trans. Inf. Syst. Secur. 7(1): 128-174 (2004) - first 20 pages
- DCON: Roshan K. Thomas, Ravi S. Sandhu: Towards a Multidimensional Characterization of Dissemination Control. POLICY 2004: 197-200 (IEEE)
- Bhavani M. Thuraisingham: Mandatory Security in Object-Oriented Database Systems. OOPSLA 1989: 203-210
- Bhavani M. Thuraisingham, William Ford: Security Constraints in a Multilevel Secure Distributed Database Management System. IEEE Trans. Knowl. Data Eng. 7(2): 274-293 (1995) (distributed inference control)
Papers to Read for Exam #1
- Rakesh Agrawal, Ramakrishnan Srikant: Privacy-Preserving Data Mining. SIGMOD Conference 2000: 439-450
- Elisa Bertino, Bhavani M. Thuraisingham, Michael Gertz, Maria Luisa Damiani: Security and privacy for geospatial data: concepts and research directions. SPRINGL 2008: 6-19
- Bhavani M. Thuraisingham: Data Mining, National Security, Privacy and Civil Liberties. SIGKDD Explorations 4(2): 1-5 (2002)
- Mohammad M. Masud, Latifur Khan, Bhavani M. Thuraisingham: A Hybrid Model to Detect Malicious Executables. ICC 2007: 1443-1448
- Pallabi Parveen, Nate McDaniel, Varun S. Hariharan, Bhavani M. Thuraisingham, Latifur Khan: Unsupervised Ensemble Based Learning for Insider Threat Detection. SocialCom/PASSAT 2012: 718-727
Suggested Papers for Malware Detection (NOT Mandatory for Exam)
- Mohammad M. Masud, Latifur Khan, Bhavani M. Thuraisingham: E-Mail Worm Detection Using Data Mining. IJISP 1(4): 47-61 (2007)
- Mohammad M. Masud, Latifur Khan, Bhavani M. Thuraisingham, Xinran Wang, Peng Liu, Sencun Zhu: Detecting Remote Exploits Using Data Mining. IFIP Int. Conf. Digital Forensics 2008: 177-189
- Latifur Khan, Mamoun Awad, Bhavani M. Thuraisingham: A new intrusion detection system using support vector machines and hierarchical clustering. VLDB J. 16(4): 507-521 (2007)
Index to Lectures for Exam #2
Lecture 19: XML Security
Lecture 20: Assured Information Sharing in the Cloud
Lecture 21: Guest Lecture (cloud query processing)
Lecture 22: Secure Cloud Computing
Lecture 23: Secure SOA
Lecture 24: Guest Lecture (Intro to semantic web)
Lecture 25: Trustworthy semantic web
Lecture 26: Assignment #4
Lecture 27: Secure knowledge mgmt and web security
Lecture 28: Guest Lecture: Semantic Web and Social Net
Lecture 29: Security/Privacy for social net.
Index to Lectures for Exam #2
Lecture 30: Secure Dependable Data Mgmt
Lecture 31: Attacks to databases
Lecture 32: Digital Forensics and Biometrics
Lecture 33: Database Forensics
Papers to Read for Presentations: CODASPY 2011
- Lei Jin, Hassan Takabi, James B. D. Joshi: Towards active detection of identity clone attacks on online social networks. 27-38
- Tyrone Cadenhead, Vaibhav Khadilkar, Murat Kantarcioglu, Bhavani M. Thuraisingham: A language for provenance access control. 133-144
- Philip W. L. Fong: Relationship-based access control: protection model and policy language. 191-202
- Mohammad Jafari, Philip W. L. Fong, Reihaneh Safavi-Naini, Ken Barker, Nicholas Paul Sheppard: Towards defining semantic foundations for purpose-based privacy policies. 213-224
- Igor Bilogrevic, Murtuza Jadliwala, Jean-Pierre Hubaux, Imad Aad, Valtteri Niemi: Privacy-preserving activity scheduling on mobile devices. 261-272
- Barbara Carminati, Elena Ferrari, Sandro Morasca, Davide Taibi: A probability-based approach to modeling the risk of unauthorized propagation of information in on-line social networks. 51-62
Papers to Read for Presentations: CODASPY 2012
- Yuhao Yang, Jonathan Lutes, Fengjun Li, Bo Luo, Peng Liu: Stalking online: on user privacy in social networks. 37-48
- Suhendry Effendy, Roland H. C. Yap, Felix Halim: Revisiting link privacy in social networks. 61-70
- Ninghui Li, Haining Chen, Elisa Bertino: On practical specification and enforcement of obligations. 71-82
- Ian Molloy, Luke Dickens, Charles Morisset, Pau-Chen Cheng, Jorge Lobo, Alessandra Russo: Risk-based security decisions under uncertainty. 157-168
- Musheer Ahmed, Mustaque Ahamad: Protecting health information on mobile devices. 229-240
Papers to Read for Presentations: CODASPY 2013
- Daniel Le Métayer: Privacy by design: a formal framework for the analysis of architectural choices. 95-104
- Sanae Rosen, Zhiyun Qian, Zhuoqing Morley Mao: AppProfiler: a flexible method of exposing privacy-related behavior in android applications to end users. 221-232
- Rimma V. Nehme, Hyo-Sang Lim, Elisa Bertino: FENCE: continuous access control enforcement in dynamic data stream environments. 243-254
- Wei Wei, Ting Yu, Rui Xue: iBigTable: practical data integrity for bigtable in public cloud. 341-352
- Majid Arianezhad, L. Jean Camp, Timothy Kelley, Douglas Stebila: Comparative eye tracking of experts and novices in web single sign-on. 105-116
Papers to Read for Presentations: CODASPY 2014
- William C. Garrison III, Yechen Qiao, Adam J. Lee: On the suitability of dissemination-centric access control systems for group-centric sharing. 1-12
- Ebrahim Tarameshloo, Philip W. L. Fong, Payman Mohassel: On protection in federated social computing systems. 75-86
- Michael Mitchell, Guanyu Tian, Zhi Wang: Systematic audit of third-party android phones. 175-186
- Tien Tuan Anh Dinh, Anwitaman Datta: Streamforce: outsourcing access control enforcement for stream data to the clouds. 13-24
- Mohammad Saiful Islam, Mehmet Kuzu, Murat Kantarcioglu: Inference attack against encrypted range queries on outsourced databases. 235-246
Papers to Read for Exam #2: From Presentations
- Lei Jin, Hassan Takabi, James B. D. Joshi: Towards active detection of identity clone attacks on online social networks. 27-38
- Tyrone Cadenhead, Vaibhav Khadilkar, Murat Kantarcioglu, Bhavani M. Thuraisingham: A language for provenance access control. 133-144
- Musheer Ahmed, Mustaque Ahamad: Protecting health information on mobile devices. 229-240
- Yuhao Yang, Jonathan Lutes, Fengjun Li, Bo Luo, Peng Liu: Stalking online: on user privacy in social networks. 37-48
- Suhendry Effendy, Roland H. C. Yap, Felix Halim: Revisiting link privacy in social networks. 61-70
- Ian Molloy, Luke Dickens, Charles Morisset, Pau-Chen Cheng, Jorge Lobo, Alessandra Russo: Risk-based security decisions under uncertainty. 157-168
Papers to Read for Exam #2: From Presentations
- Daniel Le Métayer: Privacy by design: a formal framework for the analysis of architectural choices. 95-104
- Sanae Rosen, Zhiyun Qian, Zhuoqing Morley Mao: AppProfiler: a flexible method of exposing privacy-related behavior in android applications to end users. 221-232
- Wei Wei, Ting Yu, Rui Xue: iBigTable: practical data integrity for bigtable in public cloud. 341-352
- Ebrahim Tarameshloo, Philip W. L. Fong, Payman Mohassel: On protection in federated social computing systems. 75-86
- Michael Mitchell, Guanyu Tian, Zhi Wang: Systematic audit of third-party android phones. 175-186
- Mohammad Saiful Islam, Mehmet Kuzu, Murat Kantarcioglu: Inference attack against encrypted range queries on outsourced databases. 235-246
Papers to Read for Exam #2: From Lectures
- Elisa Bertino, Barbara Carminati, Elena Ferrari, Bhavani M. Thuraisingham, Amar Gupta: Selective and Authentic Third-Party Distribution of XML Documents. IEEE Trans. Knowl. Data Eng. 16(10): 1263-1278 (2004) (first 6 sections, proofs not needed for exam)
- Barbara Carminati, Elena Ferrari, Raymond Heatherly, Murat Kantarcioglu, Bhavani M. Thuraisingham: A semantic web based framework for social network access control. SACMAT 2009: 177-186
- Jack Lindamood, Raymond Heatherly, Murat Kantarcioglu, Bhavani M. Thuraisingham: Inferring private information using social network data. WWW 2009: 1145-1146
- Tyrone Cadenhead, Vaibhav Khadilkar, Murat Kantarcioglu, Bhavani M. Thuraisingham: A cloud-based RDF policy engine for assured information sharing. SACMAT 2012: 113-116
Contacts: Instructor
- Dr. Bhavani Thuraisingham
- Louis Beecherl Distinguished Professor of Computer Science
- Executive Director of the Cyber Security Research and Education Institute
- Erik Jonsson School of Engineering and Computer Science
- The University of Texas at Dallas, Richardson, TX 75080
- Phone: 972-883-4738
- Fax: 972-883-2399
- Email: [email protected]
- URL: http://www.utdallas.edu/~bxt043000/
Contacts: Teaching Assistant
- Mohammed Iftekhar
- [email protected]
- Teaching Assistant, Computer Science
- PhD, Computer Science
- Erik Jonsson School of Engineering and Computer Science