Introduction - The University of Texas at Dallas
Download
Report
Transcript Introduction - The University of Texas at Dallas
Data and Applications Security
Developments and Directions
Dr. Bhavani Thuraisingham
The University of Texas at Dallas
Introduction to the Course
August 29, 2014
Objective of the Unit
This unit provides an overview of the course. The course describes
concepts, developments, challenges, and directions in data and
applications security. Topics include
- database security, distributed data management security, object
security, data warehouse security, data mining for security
applications, privacy, secure semantic web, secure digital
libraries, secure knowledge management and secure sensor
information management, biometrics
Outline of the Unit
Outline of Course
Course Work
Course Rules
Contact
Appendix
Outline of the Course
Unit #1: Introduction to Data and Applications
Part I: Background
- Unit #2: Data Management
- Unit #3: Information Security
- Unit #4: Information Management
Part II: Discretionary Security
- Unit #5: Concepts
- Unit #6: Policy Enforcement
Part III: Mandatory Security
- Unit #7: Concepts
- Unit #8: Architectures
including Semantic Web
Outline of the Course (Continued)
Part IV: Secure Relational Data Management
- Unit #9: Data Model
- Unit #10: Functions
- Unit #11: Prototypes and Products
Part V: Inference Problem
- Unit #12: Concepts
- Unit #13: Constraint Processing
- Unit #14: Conceptual Structures
Part VI: Secure Distributed Data Management
- Unit #15: Secure Distributed data management
- Unit #16: Secure Heterogeneous Data Integration
- Unit #17: Secure Federated Data Management
Outline of the Course (Continued)
Part VII: Secure Object Data Management
-
Unit #18: Secure Object Management
Unit #19: Secure Distributed Objects and Modeling Applications
Unit #20: Secure Multimedia Systems
Part VIII: Data Warehousing, Data Mining and Security
-
Unit #21: Secure Data Warehousing
Unit #22: Data Mining for Security Applications
Unit #23: Privacy
Additional Lectures:
Insider Threat Detection
Reactively Adaptive Malware
Outline of the Course (Continued)
Part IX: Secure Information Management
-
Unit #24: Secure Digital Libraries
Unit #25: Secure Semantic Web (web services, XML security)
Unit #26: Secure Information and Knowledge Management
Additional Topics
Secure Web Services and identity management
Social Network Security and Privacy
Secure cloud computing and secure cloud query processing
Part X: Dependable data management and forensics
-
Unit #27: Secure Dependable Data Management
Unit #28: Secure Sensor and Wireless Data Management
Unit #29: Other Technologies, e.g., digital forensics, biometrics, etc.
Outline of the Course (Continued)
Part XI: Emerging Technologies
-
Papers from ACM CODASPY 2011, 2012, 2013, 2014 on Data and
Applications Security and Privacy
Unit #30 Conclusion to the Course
Topics Covered
August 29, Introduction, Security nodules
September 5: Access control, Malware
September 12 – Dr. Lin Lecture, Multilevel database management
Sept 19 – Inference problem + continuation of Sept 12 lecture
Sept 26 – Secure Dist Data Mgmt, Secure objects
October 3, October 3: Data Warehousing, Data Mining, Security, Privacy
October 10: Secure web services, XML security
October 24 – Secure semantic web, Secure web/knowledge mgmt
October 31 – Secure cloud, Secure social media
November 7 - Digital forensics, Biometrics, + misc other topics
November 14 – paper presentation
November 21 – paper presentation
Course Work
Two term papers; each worth 8 points
Two exams each worth 20 points
Programming project worth 15 points
Four homework assignments each worth 6 points
Paper presentation: 5 points
Total 100 points
Course Reference Book: Database and Applications Security:
Integration Data Management and Information Security,
Bhavani Thuraisingham, CRC Press, 2005
Will also include papers as reading material
Tentative Schedule
Assignment #1: Due September 26, 2014 (posted lecture 7)
Assignment #2: Due October 3, 2014 (lecture 11) – new due date 10/10/14
Term paper #1: October 10. 2014 – new due date – 10/13/14
Exam #1: October 17, 2014
Assignment #3: October 31, 2014
Assignment #4: November 7, 2014
Term paper #2: November 14, 2014
Programming project: November 21, 2014
Exam #2: December 5, 2014
Assignment #1, 2, 3, 4
Assignment #1: Posted in Lecture 8
Assignment #2 Posted in Lecture 11
Assignment #3: Posted in Lecture 16
Assignment #4: Posted in Lecture 26
Some Topics for Papers: Any topic in data and
applications security
XML Security
Inference Problem
Privacy
Secure Biometrics (after exam #1)
Intrusion Detection
E-Commerce Security (will be discussed after exam #1)
Secure Sensor Information Management (after exam #1)
Secure Distributed Systems
Secure Semantic Web (after exam #1)
Secure Data Warehousing
Insider Threat Analysis
Secure Multimedia/geospatial Systems
Malware detection
Policies and access control
Designs of multilevel secure databases
Term Papers: Example Format
Abstract
Introduction
Background on the Topic
Survey of various techniques, designs etc, (e.g., access
control policies, inference control methods)
Analyze the techniques, designs etc. and give your opinions
Directions for further work
Summary and Conclusions
References
Term Papers: Example Format - II
Abstract
Introduction
Background on the Topic and Related Work
Discuss strengths and weaknesses of others’ work
Give your own design and say why it is better
Directions for further work
Summary and Conclusions
References
Project Report Format
Overview of the Project
Design of the System
Input/Output
Future Enhancements
References
Some Project Topics
Query Modification on XML Documents
Access control for web systems
Intrusion detection system
Access control for multimedia systems
- E.g., access control for image, video
Role-based access control system
Access control for object systems
Secure data warehouse
Course Rules
Course attendance is mandatory; unless permission is obtained
from instructor for missing a class with a valid reason
(documentation needed for medical emergency for student or a
close family member – e.g., spouse, parent, child). Attendance will
be collected every lecture. 3 points will be deducted out of 100 for
each lecture missed without approval.
Each student will work individually
Late assignments will not be accepted. All assignments have to be
turned in just after the lecture on the due date
No make up exams unless student can produce a medical certificate
or give evidence of close family emergency
Copying material from other sources will not be permitted unless the
source is properly referenced
Any student who plagiarizes from other sources will be reported to
the appropriate UTD authroities
Index to Lectures for Exam #1
Introduction to course
Lecture 1: Introduction to data and applications security
Lecture 2: Cyber security modules (extra credit)
Lecture 3: Information Management (not included in exam)
Lecture 4: Access control
Lecture 5: Dr. Lin’s guest lecture (not included in the exam)
Lecture 6: Multilevel secure data management
Lecture 7: Assignment #1
Lecture 8: Inference problem – 1
Lecture 9: Inference problem – 2
Lecture 10: Assignment 3
Lecture 11: Secure Distributed Data Management
Index to Lectures for Exam #1
Lecture 12: Secure Object Systems
Lecture 13: Data Warehousing, Data Mining Security
Lecture 14: Privacy
Lecture 15: Data Mining for Malware Detection
Lecture 16: Assignment #3
Lecture 17: Malware (guest lecture)
Lecture 18: Insider Threat Detection
Papers to Read for Exam #1
- RBAC: Ravi S. Sandhu, Edward J. Coyne, Hal L. Feinstein,
-
-
Charles E. Youman: Role-Based Access Control Models. IEEE
Computer 29(2): 38-47 (1996)
UCON: Jaehong Park, Ravi S. Sandhu: The UCONABC usage
control model. ACM Trans. Inf. Syst. Secur. 7(1): 128-174
(2004) - first 20 pages
DCON: Roshan K. Thomas, Ravi S. Sandhu: Towards a Multidimensional Characterization of Dissemination Control.
POLICY 2004: 197-200 (IEEE)
Bhavani M. Thuraisingham: Mandatory Security in ObjectOriented Database Systems. OOPSLA 1989: 203-210
Bhavani M. Thuraisingham, William Ford: Security Constraints
in a Multilevel Secure Distributed Database Management
System. IEEE Trans. Knowl. Data Eng. 7(2): 274-293 (1995)
(distributed inference control)
Papers to Read for Exam #1
- Rakesh Agrawal, Ramakrishnan Srikant: Privacy-Preserving
-
-
-
Data Mining. SIGMOD Conference 2000: 439-450
Elisa Bertino, Bhavani M. Thuraisingham, Michael
Gertz, Maria Luisa Damiani: Security and privacy for
geospatial data: concepts and research directions. SPRINGL
2008: 6-19
Bhavani M. Thuraisingham: Data Mining, National Security,
Privacy and Civil Liberties. SIGKDD Explorations 4(2): 1-5
(2002)
Mohammad M. Masud, Latifur Khan, Bhavani M.
Thuraisingham: A Hybrid Model to Detect Malicious
Executables. ICC 2007: 1443-1448
Pallabi Parveen, Nate McDaniel, Varun S. Hariharan, Bhavani
M. Thuraisingham, Latifur Khan: Unsupervised Ensemble
Based Learning for Insider Threat
Detection SocialCom/PASSAT 2012: 718-727
Suggested papers for Malware detection (NOT
Mandatory for Exam)
- Mohammad M. Masud, Latifur Khan, Bhavani M. Thuraisingham: EMail Worm Detection Using Data Mining. IJISP 1(4): 47-61 (2007)
- Mohammad M. Masud, Latifur Khan, Bhavani M.
Thuraisingham, Xinran Wang, Peng Liu, Sencun Zhu: Detecting
Remote Exploits Using Data Mining. IFIP Int. Conf. Digital Forensics
2008: 177-189
- Latifur Khan, Mamoun Awad, Bhavani M. Thuraisingham: A new
intrusion detection system using support vector machines and
hierarchical clustering. VLDB J. 16(4): 507-521 (2007)
Index to Lectures for Exam #2
Lecture 19: XML Security
Lecture 20: Assured Information Sharing in the Cloud
Lecture 21: Guest Lecture (cloud query processing)
Lecture 22: Secure Cloud Computing
Lecture 23: Secure SOA
Lecture 24: Guest Lecture (Intro to semantic web)
Lecture 25: Trustworthy semantic web
Lecture 26: Assignment #4
Lecture 27: Secure knowledge mgmt and web security
Lecture 28: Guest Lecture: Semantic Web and Social Net
Lecture 29: Security/Privacy for social net.
Index to Lectures for Exam #2
Lecture 30: Secure Dependable Data Mgmt
Lecture 31: Attacks to databases
Lecture 32: Digital Forensics and Biometrics
Lecture 33: Database Forensics
Papers to Read for Presentations: CODASPY
2011
Lei Jin, Hassan Takabi, James B. D. Joshi: Towards active
detection of identity clone attacks on online social networks. 27-38
Tyrone Cadenhead, Vaibhav Khadilkar, Murat Kantarcioglu,
Bhavani M. Thuraisingham: A language for provenance access
control. 133-144
Philip W. L. Fong: Relationship-based access control: protection
model and policy language. 191-202
Mohammad Jafari, Philip W. L. Fong, Reihaneh Safavi-Naini, Ken
Barker, Nicholas Paul Sheppard: Towards defining semantic
foundations for purpose-based privacy policies. 213-224
Igor Bilogrevic, Murtuza Jadliwala, Jean-Pierre Hubaux, Imad Aad,
Valtteri Niemi: Privacy-preserving activity scheduling on mobile
devices. 261-272
Barbara Carminati, Elena Ferrari, Sandro Morasca, Davide Taibi: A
probability-based approach to modeling the risk of unauthorized
propagation of information in on-line social networks. 51-62
Papers to Read for Presentations: CODASPY
2012
Yuhao Yang, Jonathan Lutes, Fengjun Li, Bo Luo, Peng Liu:
Stalking online: on user privacy in social networks. 37-48
Suhendry Effendy, Roland H. C. Yap, Felix Halim: Revisiting
link privacy in social networks. 61-70
Ninghui Li, Haining Chen, Elisa Bertino: On practical
specification and enforcement of obligations. 71-82
Ian Molloy, Luke Dickens, Charles Morisset, Pau-Chen Cheng,
Jorge Lobo, Alessandra Russo: Risk-based security
decisions under uncertainty. 157-168
Musheer Ahmed, Mustaque Ahamad: Protecting health
information on mobile devices. 229-240
Papers to Read for Presentations: CODASPY
2013
Daniel Le Métayer: Privacy by design: a formal framework for
the analysis of architectural choices. 95-104
Sanae Rosen, Zhiyun Qian, Zhuoqing Morley Mao:
AppProfiler: a flexible method of exposing privacy-related
behavior in android applications to end users. 221-232
Rimma V. Nehme, Hyo-Sang Lim, Elisa Bertino: FENCE:
continuous access control enforcement in dynamic data
stream environments. 243-254
Wei Wei, Ting Yu, Rui Xue: iBigTable: practical data integrity
for bigtable in public cloud. 341-352
Majid Arianezhad, L. Jean Camp, Timothy Kelley, Douglas
Stebila: Comparative eye tracking of experts and novices in
web single sign-on. 105-116
Papers to Read for Presentations: CODASPY
2014
William C. Garrison III, Yechen Qiao, Adam J. Lee: On the
suitability of dissemination-centric access control systems
for group-centric sharing. 1-12
Ebrahim Tarameshloo, Philip W. L. Fong, Payman Mohassel:
On protection in federated social computing systems. 75-86
Michael Mitchell, Guanyu Tian, Zhi Wang: Systematic audit of
third-party android phones. 175-186
Tien Tuan Anh Dinh, Anwitaman Datta: Streamforce:
outsourcing access control enforcement for stream data to
the clouds. 13-24
Mohammad Saiful Islam, Mehmet Kuzu, Murat Kantarcioglu:
Inference attack against encrypted range queries on
outsourced databases. 235-246
Papers to Read for Exam #2: From Presentations
Lei Jin, Hassan Takabi, James B. D. Joshi: Towards active
detection of identity clone attacks on online social networks.
27-38
Tyrone Cadenhead, Vaibhav Khadilkar, Murat Kantarcioglu,
Bhavani M. Thuraisingham: A language for provenance access
control. 133-144
Musheer Ahmed, Mustaque Ahamad: Protecting health
information on mobile devices. 229-240
Yuhao Yang, Jonathan Lutes, Fengjun Li, Bo Luo, Peng Liu:
Stalking online: on user privacy in social networks. 37-48
Suhendry Effendy, Roland H. C. Yap, Felix Halim: Revisiting link
privacy in social networks. 61-70
Ian Molloy, Luke Dickens, Charles Morisset, Pau-Chen Cheng,
Jorge Lobo, Alessandra Russo: Risk-based security decisions
under uncertainty. 157-168
Papers to Read for Exam #2: From Presentations
Daniel Le Métayer: Privacy by design: a formal framework for
the analysis of architectural choices. 95-104
Sanae Rosen, Zhiyun Qian, Zhuoqing Morley Mao:
AppProfiler: a flexible method of exposing privacy-related
behavior in android applications to end users. 221-232
Wei Wei, Ting Yu, Rui Xue: iBigTable: practical data integrity
for bigtable in public cloud. 341-352
Ebrahim Tarameshloo, Philip W. L. Fong, Payman Mohassel:
On protection in federated social computing systems. 75-86
Michael Mitchell, Guanyu Tian, Zhi Wang: Systematic audit of
third-party android phones. 175-186
Mohammad Saiful Islam, Mehmet Kuzu, Murat Kantarcioglu:
Inference attack against encrypted range queries on
outsourced databases. 235-246
Papers to Read for Exam #2: From Lectures
- Elisa Bertino, Barbara Carminati, Elena Ferrari, Bhavani M.
-
-
Thuraisingham, Amar Gupta: Selective and Authentic ThirdParty Distribution of XML Documents. IEEE Trans. Knowl. Data
Eng. 16(10): 1263-1278 (2004) (first 6 sections, proofs not
needed for exam)
Barbara Carminati, Elena Ferrari, Raymond Heatherly, Murat
Kantarcioglu, Bhavani M. Thuraisingham: A semantic web
based framework for social network access control. SACMAT
2009: 177-186
Jack Lindamood, Raymond Heatherly, Murat Kantarcioglu,
Bhavani M. Thuraisingham: Inferring private information using
social network data. WWW 2009: 1145-1146
Tyrone Cadenhead, Vaibhav Khadilkar, Murat Kantarcioglu,
Bhavani M. Thuraisingham: A cloud-based RDF policy engine
for assured information sharing. SACMAT 2012: 113-116
Contacts: Instructor
- Dr. Bhavani Thuraisingham
- Louis Beecherl Distinguished Professor of Computer Science
- Executive Director of the Cyber Security Research and
Education Institute
- Erik Jonsson School of Engineering and Computer Science
- The University of Texas at Dallas Richardson, TX 75080
- Phone: 972-883-4738
- Fax: 972-883-2399
- Email: [email protected]
- URL:http://www.utdallas.edu/~bxt043000/
Contacts: Teaching Assistant
Mohammed Iftekhar
[email protected]
Teaching Assistant
Computer Science
PhD, Computer Science
Erik Jonsson Sch of Engr & Com