Cyber Security Essentials

Dr. Bhavani Thuraisingham

The University of Texas at Dallas

Introduction to the Course

May 29, 2015

Text Book

CISSP All-in-One Exam Guide, Sixth Edition Author: Shon Harris Publisher: McGraw-Hill Osborne Media; 6th edition Language: English

Course Rules

Unless special permission is obtained from the instructor, each student will work individually.

Copying material from other sources will not be permitted unless the source is properly referenced.

Any student who plagiarizes from other sources will be reported to the Computer Science department and any other committees as advised by the department

No copying of anything from a paper except for about 10 words in quotes. No copying of figure even if it is attributed. You have to draw all figures.

Course Attendance is Mandatory unless prior permission is obtained

Course Plan

Exam #1: 20 points – July 10 Exam #2: 20 points - August 7?? Two term papers 10 points each: Total 20 points

- June 26, July 24 Programming project : 20 points

- July 31 Two Assignments: 10 points each: Total: 20 points

- June 19, July 17

Assignment #1

Explain with examples the following

- Discretionary access control

- Mandatory access control

- Role-based access control (RBAC)

- Privacy aware role based access control

- Temporal role based access control

- Risk aware role-based access control

- Attribute-based access control

- Usage control (UCON)

Assignment #2

Suppose you are give the assignment of the Chief Security Officer of a major bank (e.g., Bank of America) or a Major hospital (e.g., Massachusetts General)

Discuss the steps you need to take with respect to the following (you need to keep the following in mining: Confidentiality, Integrity and Availability;; you also need to understand the requirements of banking or healthcare applications and the policies may be:

- Information classification

- Risk analysis

- Secure networks

- Secure data management

- Secure applications

Term Papers

Write two papers on any topic discussed in class (that is, any of the 10 CISSP modules)

Sample format - 1

Abstract Introduction Survey topics – e..g, access control models Analysis (compare the models) Future Directions References

Sample format - 2

Abstract Introduction Literature survey and what are the limitations Your own approach and why it is better Future Directions References

Project

Software Design document

- Project description

- Architecture (prefer with a picture) and description (software – e.g., Oracle, Jena etc.)

- Results

- Analysis

- Potential improvements

- References

Sample projects

Risk analysis tool Query modification for XACML Data mining tool for malware Trust management system - - - -

Paper: Original – you can use material from sources, reword (redraw) and give reference

Abstract Introduction Body of the paper

- Comparing different approaches and analyzing

- Discuss your approach,

- Survey Conclusions References

- ([1]. [2], - - -[THUR99].

- Embed the reference also within the text.

- E.g., Tim Berners Lee has defined the semantic web to be -- -- [2].

Contact

For more information please contact

- Dr. Bhavani Thuraisingham

- Professor of Computer Science and

- Director of Cyber Security Research Center Erik Jonsson School of Engineering and Computer Science EC31, The University of Texas at Dallas Richardson, TX 75080

- Phone: 972-883-4738

- Fax: 972-883-2399

- Email: bhavani.thuraisingham@utdallas.edu

- URL:

- http://www.utdallas.edu/~bxt043000/

Index to Lectures for Exam #2Lecture #3: Data Mining for Malware Detection

Lecture #7: Digital Forensics

Lecture #8: Privacy

Lecture #11: Access Control in Data Management Systems

Lecture #13: Secure Data Architectures

Lecture #20: Introduction to SOA, Secure SOA, Secure Cloud

Lecture #21: Secure Cloud Computing (some duplication with Lecture #20)

Lecture #22: Comprehensive Overview of Cloud Computing

Lecture #23: Secure Publication of XML Documents in the Cloud

Lecture #24: Cloud-based Assured Information Sharing

Lecture #25: Secure Social Media

Also read the paper Managing Multi-Jurisdictional Requirements in the Cloud: Towards a Computational Legal Landscape, David Gordon and Travis Breaux; ACM CCS Cloud Security Workshop 2011

Papers to Read for Exam #2

Managing Multi-Jurisdictional Requirements in the Cloud: Towards a Computational Legal Landscape, David Gordon and Travis Breaux; ACM CCS Cloud Security Workshop 2011

Access Control in Data Management Systems (Lecture #11)

- Suggested Papers

- RBAC: Ravi S. Sandhu, Edward J. Coyne, Hal L. Feinstein, Charles E. Youman: Role-Based Access Control Models. IEEE Computer 29(2): 38-47 (1996)

- UCON: Jaehong Park, Ravi S. Sandhu: The UCONABC usage control model. ACM Trans. Inf. Syst. Secur. 7(1): 128-174 (2004) - first 20 pages

- DCON: Roshan K. Thomas, Ravi S. Sandhu: Towards a Multi-dimensional Characterization of Dissemination Control. POLICY 2004: 197-200 (IEEE)

Privacy (Lecture #8)

- Suggested papers

- Rakesh Agrawal, Ramakrishnan Srikant: Privacy-Preserving Data Mining. SIGMOD Conference 2000: 439-450

Papers to Read for Exam #2

Data Mining for Malware Detection (Lecture #3)

- Suggested Papers

- Mohammad M. Masud, Latifur Khan, Bhavani M. Thuraisingham: A Hybrid Model to Detect Malicious Executables. ICC 2007: 1443-1448

Secure Third Part Publication of XML Data in the Cloud (Lecture #23)

- Suggested Papers

- Elisa Bertino, Barbara Carminati, Elena Ferrari, Bhavani M. Thuraisingham, Amar Gupta: Selective and Authentic Third-Party Distribution of XML Documents. IEEE Trans. Knowl. Data Eng. 16(10): 1263-1278 (2004) (first 6 sections, proofs not needed for exam)

Cloud-basd Assured Information Sharing (Lecture #24)

- Suggested Papers

- Tyrone Cadenhead, Vaibhav Khadilkar, Murat Kantarcioglu, Bhavani M. Thuraisingham: A cloud-based RDF policy engine for assured information sharing. SACMAT 2012: 113-116

Papers to Read for Exam #2

Secure Social Media (Lecture #25)

- Suggested Papers

- Barbara Carminati, Elena Ferrari, Raymond Heatherly, Murat Kantarcioglu, Bhavani

M. Thuraisingham: A semantic web based framework for social network access

control. SACMAT 2009: 177-186

- Jack Lindamood, Raymond Heatherly, Murat Kantarcioglu, Bhavani M.

Thuraisingham: Inferring private information using social network data. WWW 2009

: 1145-1146

Papers to Read for Presentations: CODASPY 2011Lei Jin, Hassan Takabi, James B. D. Joshi: Towards active detection of identity clone attacks on online social networks. 27-38 (Sachin)

Philip W. L. Fong: Relationship-based access control: protection model and policy language. 191-202

Mohammad Jafari, Philip W. L. Fong, Reihaneh Safavi-Naini, Ken Barker, Nicholas Paul Sheppard: Towards defining semantic foundations for purpose-based privacy policies. 213-224 (Jane)

Igor Bilogrevic, Murtuza Jadliwala, Jean-Pierre Hubaux, Imad Aad, Valtteri Niemi: Privacy-preserving activity scheduling on mobile devices. 261-272

Barbara Carminati, Elena Ferrari, Sandro Morasca, Davide Taibi: A probability-based approach to modeling the risk of unauthorized propagation of information in on-line social networks. 51-62 (Chitra)

Papers to Read for Presentations: CODASPY 2012

Yuhao Yang, Jonathan Lutes, Fengjun Li, Bo Luo, Peng Liu: Stalking online: on user privacy in social networks. 37-48 (Jason)

Suhendry Effendy, Roland H. C. Yap, Felix Halim: Revisiting link privacy in social networks. 61-70 (Kruthika)

Ninghui Li, Haining Chen, Elisa Bertino: On practical specification and enforcement of obligations. 71-82 (Ankita)

Ian Molloy, Luke Dickens, Charles Morisset, Pau-Chen Cheng, Jorge Lobo, Alessandra Russo: Risk-based security decisions under uncertainty. 157-168 (Navya)

Musheer Ahmed, Mustaque Ahamad: Protecting health information on mobile devices. 229-240 (Ajay)

Papers to Read for Presentations: CODASPY 2013

Sanae Rosen, Zhiyun Qian, Zhuoqing Morley Mao: AppProfiler: a flexible method of exposing privacy-related behavior in android applications to end users. 221-232 (Akshay)

Rimma V. Nehme, Hyo-Sang Lim, Elisa Bertino: FENCE: continuous access control enforcement in dynamic data stream environments. 243-254

Wei Wei, Ting Yu, Rui Xue: iBigTable: practical data integrity for bigtable in public cloud. 341-352 (Ashwin)

Majid Arianezhad, L. Jean Camp, Timothy Kelley, Douglas Stebila: Comparative eye tracking of experts and novices in web single sign-on. 105-116

Papers to Read for Presentations: CODASPY 2014

William C. Garrison III, Yechen Qiao, Adam J. Lee: On the suitability of dissemination-centric access control systems for group-centric sharing. 1-12 (Pratyusha)

Ebrahim Tarameshloo, Philip W. L. Fong, Payman Mohassel: On protection in federated social computing systems. 75-86 (Aishwarya)

Michael Mitchell, Guanyu Tian, Zhi Wang: Systematic audit of third-party android phones. 175-186

Tien Tuan Anh Dinh, Anwitaman Datta: Streamforce: outsourcing access control enforcement for stream data to the clouds. 13-24 (Arpita)

Mohammad Saiful Islam, Mehmet Kuzu, Murat Kantarcioglu: Inference attack against encrypted range queries on outsourced databases. 235-246

Papers to Read for Presentations – ACM CCS Cloud Security Workshop 2011

All Your Clouds are Belong to us - Security Analysis of Cloud Management Interfaces Juraj Somorovsky, Mario Heiderich, Meiko Jensen, Joerg Schwenk, Nils Gruschka and Luigi Lo Iacono (Kirupa)

Trusted Platform-as-a-Service: A Foundation for Trustworthy Cloud-Hosted Applications Andrew Brown and Jeff Chase (Rohit)

Detecting Fraudulent Use of Cloud Resources Joseph Idziorek, Mark Tannian and Doug Jacobson

Papers to Read for Presentations – ACM CCS Cloud Security Workshop 2012

Fast Dynamic Extracted Honeypots in Cloud Computing Sebastian Biedermann, Martin Mink, Stefan Katzenbeisser (Anirudh)

Unity: Secure and Durable Personal Cloud Storage Beom Heyn Kim, Wei Huang, David Lie

Exploiting Split Browsers for Efficiently Protecting User Data Angeliki Zavou, Elias Athanasopoulos, Georgios Portokalidis, Angelos Keromytis (Rahul)

CloudFilter: Practical Control of Sensitive Data Propagation to the Cloud Ioannis Papagiannis, Peter Pietzuch

Papers to Read for Presentations – ACM CCS Cloud Security Workshop 2013

Structural Cloud Audits that Protect Private InformationHongda Xiao; Bryan Ford; Joan Feigenbaum

Cloudoscopy: Services Discovery and Topology MappingAmir Herzberg; Haya Shulman; Johanna Ullrich; Edgar Weippl (Ahmed)

Cloudsweeper: Enabling Data-Centric Document Management for Secure Cloud ArchivesChris Kanich; Peter Snyder (Greeshma)

Supporting Complex Queries and Access Policies for Multi-user Encrypted DatabasesMuhammad Rizwan Asghar; Giovanni Russello; Bruno Crispo

Papers to Read for Presentations – ACM CCS Cloud Security Workshop 2014

CloudSafetyNet: Detecting Data Leakage between Cloud TenantsChristian Priebe; Divya Muthukumaran; Dan O'Keeffe; David Eyers; Brian Shand; Ruediger Kapitza; Peter Pietzuch (Sowmaya)

Reconciling End-to-End Confidentiality and Data Reduction In Cloud Storage, Nathalie Baracaldo; Elli Androulaki; Joseph Glider; Alessandro Sorniotti

A Framework for Outsourcing of Secure ComputationJesper Buus Nielsen; Claudio Orlandi (Ajay)

Guardians of the Clouds: When Identity Providers Fail Andreas Mayer; Marcus Niemietz; Vladislav Mladenov; Joerg Schwenk (Viswesh)

Your Software at my Service Vladislav Mladenov, Christian Mainka; Florian Feldmann; Julian Krautwald; Joerg Schwenk