Danfeng (Daphne) Yao.

Office hours: Wednesday 3:30-4:30pm in CoRE 318A Busch Campus

Email: danfeng at cs dot rutgers dot edu

Class Hour and Place

Tuesday 12:00-3:00 PM HLL-250 Busch

Announcements

• (11/13) In order for all of you to complete your project with acceptable techical quality, the deadline for your *final* project report is extended to December 21st (Monday) midnight. Note that the intermediate report is still due on November 17th.
• (09/30) Due to scheduling problems, there will be no mid-term exam. Instead, a requirement on an intermediate project report is added that is due on 11/17. Please see the schedule page for the updates.
• (09/28) Danfeng put a copy of the textbook in the Math library reserve.
• Due to time constraints, there will be no project presentations.
• I made some changes to our schedule, please see the updated list.
• There will be no class on 09/08 (Monday classes instead).
• First class will be on Tuesday September 1st.

Course Descriptions

This course is a 3-credit B-area (systems) graduate-level seminar. The course will provide participants with a broad and in-depth understanding of important research problems and approaches in the areas of computer security and privacy by reading and discussing relevant research papers. The instructor will give several lectures and the rest of the classes will consist of student presentations.

Prerequisite

There is no formal prerequisite. However, knowledge on undergraduate-level discrete math, operating systems, and networking is expected.

Textbook

REQUIRED textbook: The Craft Of System Security By Sean Smith and John Marchesini.

Recommended readings (available in the Math Library):

• Computer Security: Art and Science by Matt Bishop.
• Security in Computing (fourth edition) by Charles P. Pfleeger and Shari Lawrence Pfleeger.

Topics (see also Schedule):

• Network security
• Malware detection
• System integrity
• Data privacy
• Application security
• Applied cryptography
• System evaluation
• Human issues in security/privacy

Paper List is here.

Grading:

• Class participation: 10%

  You are required to make at least one intelligent comment for each paper discussed.

• Written summaries for each paper: 10%

  1-2 paragraphs on each paper using your own words posted to sakai.rutgers.edu before the class. Please do NOT copy sentences from the paper.

• Presentation: 25%

  Slides preparation: 15% (intuitive yet with technical depth)

  Organization of the talk and question-handling ability 10% -- Reading slides is not allowed

• Project: 55%

  (2-paragraph proposal: 15%, 1-page intermediate report: 15%, 3-page final report: 25%, no need to prepare slides for presentation)
  

Expected work:

Students are required to attend all lectures, read all required papers, and participate in the class discussion. Each student is assigned about 2 papers to present (number may vary depending on the enrollment). Students should give Powerpoint presentations on the assigned papers. Students may work in groups of two on the presentations.
There will be a final project. Final projects cannot be done in groups.

ACADEMIC INTEGRITY:

Please carefully read our university's policies on academic integrity here -- IMPORTANT! The policies will be strictly enforced.

Important Dates

• Project proposal due: 10/21 midnight (Wednesday)
• Project intermediate report due: 11/17 midnight (Tuesday)
• Project final report due: 12/21 midnight (Monday -- FIRM!)

Schedule

	Dates		Theme			Readings	Slides
	09/01:		Basic concepts in computer security			Part I in Smith & Marchesini, Chapter 1 in Bishop	network-intro.ppt, security-intro.ppt
	09/15:		Network Security			Detecting stepping stones (USENIX Security 00), Providing process origin information to aid in network traceback (USENIX Technical 02)	Lucas Marxen and David Menendez
	09/22:		Network Security Read Chapter 5.1.3 thru 5.1.5 in S & M			Design and Implementation of an Extrusion-based Break-In Detector for Personal Computers (ACSAC 05), Tamper-resistant, application-aware blocking of malicious network connections (RAID 07)	Rick Ramstetter and Hans Woithe
	09/29:		Web & Email Security Read Chapter 12 in S & M			Predicting Web spam with HTTP session information (CIKM 08), Privacy-aware collaborative spam filtering (IEEE TPDS 09)	Krithika Saikrishnan and Chirag Pandya
	10/06:		System Integrity/Human Aspect Read Chapter 4.4 in S & M			Automatic Inference and Enforcement of Kernel Data Structure Invariants (ACSAC 08), Crying wolf: an empirical study of SSL warning effectiveness	Luying Li; William Katsak
	10/13:		Web & Email Security Read Chapter 12 in S & M			The Ghost In The Browser: Analysis of Web-based Malware , The multi-principal OS construction of the Gazelle Web browser (USENIX 09)	Swathi Srivathsan and Janani Venkatesan
	10/20:		System Integrity Read Chapter 16.3.3 and 6.4 in S & M			Design and implementation of a TCG-based integrity measurement architecture (USENIX Security 04), Not-A-Bot (NAB): improving service availability in the face of botnet attacks (NSDI 09)	Qiang Ma and Chih-Cheng Chang
	10/27:		Applied Cryptography Read Chapter 7 in S & M			Efficient data structure for tamper-evident logging (USENIX Security 09), Integrity checking in cryptographic file systems with constant trusted storage (USENIX 07)	Md Pavel Mahmud and Arzoo Zehra
	11/3:		Privacy			Privacy oracle: a system for finding application leaks with black box differential testing (CCS 08), Protecting confidential data on personal computers with storage capsules (USENIX Security 09)	Subhashni Balakrishnan and Swathi Bheemanathini
	11/10:		Characterization of Bots			Measurement and classification of humans and bots in internet chat (USENIX Security 08), P2P as botnet command and control: a deeper insight (Malware 08)	Rohit Indukuri and Srividya Iyer
	11/17:		System Integrity, Prof. Sean Smith's talk at 10:30AM in CORE 301			(Meeting at 1:30PM in Hill 250) Document Structure Integrity: A Robust Basis for Cross-site Scripting Defense (NDSS 09)	Karthik Vi Devaraj
	11/24:		Human Aspects Read Chapter 18 in S & M			It's no secret. Measuring the security and reliability of authentication via secret questions (IEEE S&P 09), The User is Not the Enemy: Fighting Malware by Tracking User Intentions, reCAPTCHA: Human-Based Character Recognition via Web Security Measures (Science)	Chen Jiang; Apoorva Chaudhari; and Aparna Rao

Project

Every participant will carry out an individual class project that is related to the analysis and design of a security model or method. Prototype implementation is a plus but is not required for this course. The instructor will give a list of candidate topics to choose from. But you are welcome to select whatever project that interests you. Individual project only, no group project please!

Recent Advances in Computer Security and Privacy Please send your project related writeups as email attachments to the instructor by the due dates. Put CS673 project in the email subject. Late project writeups will not be accepted.

• 2-paragraph proposal: Please be brief in the proposal. Add necessary references. The proposal should be organized as follows. The first paragraph states the motivation for the project -- what is the problem that you want to solve. The second paragraph states your approach -- what is your plan to solve the problem. The third paragraph states the expected advantages of your approach -- why your solution would be better than the existing ones. The instructor will give feedbacks on your proposal.
• 1-page intermediate report on the project.
• 3-page final report: Please write a short paper on your project with the complete story: introduction with motivation and examples, your approach/method, challenges, advantages of your approach, future work, and references.

Candidate project topics: TBA

Resources

Information Security Dictionary