To create effective security mechanisms, you must understand the capabilities of real-world attackers. Practical experience suggests that many security technologies (e.g. firewalls, access control, password protection, vulnerability patching) are not enough for defending against skilled and persistent hackers. ENEE 657 therefore aims to complement an understanding of the design and implementation of secure systems with knowledge of data analytics techniques, to measure the effectiveness of security mechanisms or to infer malicious activity from large volumes of data.
ENEE 657 is a graduate security class. This means that knowledge is not delivered mainly through lectures where you sit back and listen; instead, you will learn by reading, explaining and doing. You will read 2-3 recent papers per week; most of the information from these papers is not covered in any textbook. Before each class you will submit critiques for the papers you read, using a defined written template. During the lecture, selected students will debate the technical merits of the papers using a structured discussion format. You will also apply some of the ideas discussed in a semester long project, for which you are encouraged to form teams with 2+ members. Your grades will be based on two background homeworks, the paper critiques, class participation, and the course project.
No required textbook. Reading materials will be provided on the course website and/or distributed in class. If you lack the basic background in security, the following textbooks may be helpful:
Your final grade for the course will be based on the following weights:
Submit your homeworks and critiques using the GRACE system.
Paper critiques are due at 12 PM one week before class, unless otherwise indicated.
Project and homework submissions are due at midnight on the indicated days.
Also available as an ical file that you can subscribe to.
| # | Date | Topics | Notes | Readings |
|---|---|---|---|---|
| Part 1: Fundamental Principles | ||||
| 1 | Mon 08/28 | Introduction to security: trust, threat models, attack vectors and security properties [pdf] |
||
| 2 | Wed 08/30 | Memory corruption and vulnerability exploits Hands-on lab: Buffer overflow [pdf] |
Homework 1 out | Low-Level Software Security by Example |
| Mon 09/04 | Labor Day |
|||
| 3 | Wed 09/06 | Cryptography: guarantees provided and common misuse patterns [pdf] |
Homework 1 due on Friday, 09/08 | Cryptographic Misuse in Android Applications |
| 4 | Mon 09/11 | OS protection mechanisms: least privilege, reference monitors, confinement [pdf] |
Pilot-project proposals due | SETUID Demystified |
| Wed 09/13 | Hands-on lab: Security analytics [pdf] |
Homework 2 out | ||
| 5 | Mon 09/18 | Network security fundamentals: threats and attack detection [pdf] |
First critiques due (for readings on 09/25) | A Look Back at "Security Problems in the TCP/IP Protocol Suite" |
| Part 2: Software Security | ||||
| Wed 09/20 | Hands-on lab: Presenting security concepts [pdf] |
Homework 2 due | ||
| 6 | Mon 09/25 | Automatic exploit generation and obfuscation |
Template Pilot-project reports due First structured discussions Big Ideas |
Automatic Patch-Based Exploit Generation, Infeasibility of Modeling Polymorphic Shellcode |
| 7 | Wed 09/27 | Software fault isolation |
Template Pilot-projet reviews due Big Ideas |
Efficient Software-Based Fault Isolation |
| 8 | Mon 10/02 | Impact of vulnerability exploits |
Template Group-project proposals due Big Ideas |
How to 0wn the Internet in Your Spare Time, Exploit-as-a-service |
| 9 | Wed 10/04 | Quantitative information flow |
Template Big Ideas |
Measuring Channel Capacity |
| Part 3: Protection Mechanisms | ||||
| 10 | Mon 10/09 | Confinement |
Template Big Ideas |
Practical Problems in System Call Interposition Based Security Tools |
| 11 | Wed 10/11 | Trustworthy computing |
Template Big Ideas |
Flicker, KISS Corporate Key Management |
| 12 | Mon 10/16 | Updates and revocations |
Template Big Ideas |
When Private Keys are Public, The Process of Updating Software |
| 13 | Wed 10/18 | Reputation-based security |
Template Big Ideas |
Guilt by-Association: Large Scale Malware Detection by Mining File-relation Graphs |
| 14 | Mon 10/23 | Password security |
Template Big Ideas |
The Science of Guessing, Modeling Password Guessability Using Neural Networks |
| Wed 10/25 | Project Checkpoint #1 |
|||
| 15 | Mon 10/30 | Frontiers: IoT Security |
Template Big Ideas |
Security Analysis of Emerging Smart Home Applications |
| Part 4: Real-World Cybercrime | ||||
| 16 | Wed 11/01 | Spam |
Template Big Ideas |
Spamalytics, Click Trajectories |
| 17 | Mon 11/06 | Man-In-The-Middle Attacks |
Template Big Ideas |
Analyzing Forged SSL Certificates in the Wild, Empirical Analysis of Email Delivery Security |
| 18 | Wed 11/08 | Zero-day attacks |
Template Big Ideas |
Zero-Day Attacks In The Real World, Zero Days, Thousands of Nights |
| 19 | Mon 11/13 | Spearphishing |
Template Big Ideas |
Detecting Credential Spearphishing Attacks in Enterprise Settings |
| 20 | Wed 11/15 | Cyber conflict |
Template Big Ideas |
A Technical Analysis of What Stuxnet’s Creators Tried to Achieve, Deterrence and Dissuasion in Cyberspace |
| Mon 11/20 | Project Checkpoint #2 |
|||
| Part 6: Security of Machine Learning | ||||
| 21 | Mon 11/27 | Evasion attacks |
Template Big Ideas |
The Security of Machine Learning, Towards Evaluating the Robustness of Neural Networks |
| 22 | Wed 11/29 | Model extraction attacks |
Template Big Ideas |
Stealing Machine Learning Models via Prediction APIs |
| 23 | Mon 12/04 | Adversarial samples in the real world |
Template Big Ideas |
Hidden Voice Commands, Accessorize to a Crime |
| Wed 12/06 | Group-Project Presentations |
Group-project reports due | ||
| Mon 12/11 | Group-Project Presentations |
|||
Created with coursegen. Last updated: 2017-10-24 18:43:41 -0400 [validate xhtml]