KU Home  |  Kyou  |  Email   |  Canvas   |  News   |  Calendar   |  Directories   |  Maps  

Electrical Engineering & Computer Science

Course Title

EECS710: Information Security and Assurance - Fall 2014
Thursday, 6:10-9:00 PM, 153 Regnier Hall (Course Number: 29810)
Course Web Site: people.eecs.ku.edu/~saiedian/Teaching

Prerequisites and Expected Audience.   This course is intended for graduate and senior students in IT, computer science or computer engineering programs as well as for IT professionals with appropriate professional experience.

Instructor

Professor Hossein Saiedian
Offices: BEST 250 and Nichols 155
Telephone 785-864-8812
E-Mail: saiedian@eecs.ku.edu
WWW: people.eecs.ku.edu/~saiedian
Office Hours: Wednesdays and Thursdays, 1:00-4:00 PM (and by appointment)

Course Overview

We will explore and survey important issues related to the provision of information and computer security and will provide an overview of the security problems, fundamental principles, and the technical aspects of computer security as it relates to operating systems, databases, and computer networks. As usual, students are expected to conduct some independent study as described under the "special projects."

Catalog Course Description.   Critical information assets, information security, operating systems security, database security, network security, e-commerce security, security risks, encryption and cryptography, security management, security models.

Course topics: Computer Security Concepts (Threats, Attacks, and Assets); Fundamental Security Design Principles; Attack Surfaces and Attack Trees; Cryptography; User Authentication; Access Control Principles; Database and Cloud Security; SQL Injection Attacks; Malicious Software; Denial-of-Service Attacks; Intrusion Detection; Firewalls and Intrusion Prevention Systems; Software Security; Operating System Security; Trusted Computing and Multilevel Security; IT Security Management and Risk Assessment; Internet Authentication Applications

Required Textbooks

William Stallings and Lawrie Brown, Computer Security: Principles and Practice, 3rd edn, Prentice-Hall, 2015.

Matt Bishop, Introduction to Computer Security, Addison Wesley, 2005 (optional).

Please visit the textbooks' websites for updates and errata.

The order of chapter coverage may be different from the textbook. In addition to the materials from the main textbook, students are responsible for lecture notes, reading assignments, as well as items distributed during the classroom sessions. Important reading materials as well as lecture slides will be placed on the class website.

Lecture Notes/Suggested Readings

Lecture Notes

Additional Readings

Evaluation Criteria (Subject to revisions)

Students will be evaluated as follows:

• Grade Distribution

  Quizzes and Exams:	60%
  Assignments:	20%
  Special Project:	20%
• Grading Scale

  A =	90%..100%
  B =	80%..89%
  C =	70%..79%
  D =	60%..69%
• No make-up quizzes are given. No late work will be accepted. (Certain exceptions may be made for family emergencies, religious observance, and illnesses.)
• All written work must be typed. It is OK to draw diagrams by hand and then scan them, but they must be legible.

Special Project Options

The "special project" provides an opportunity for each student to become expert in an area related to the topic of the course. It can include a term paper or a thorough, workshop-like, 120 minute presentation that covers a related topic in-depth. A special project topic will have to be approved.

Those interested in a presentation should have experience in long, lively, and engaging presentations and should begin their preparation immediately. Carefully follow the Guidelines for Making a Presentation. A proposal (workshop topic, justification, list of resources, and the tentative date for the presentation) should be submitted by the third week of the semester.

Those who would like to do a term paper may choose an applied research topic, e.g., an evaluation or comparison of certain methodologies for a real case study (or a reconstruction of a case study reported in literature). Another option is to make an objective evaluation of several research projects tackling the same problem. Other ideas are welcome. Guidelines for Writing a Term Paper have to be strictly followed. The paper decision and the tentative topic should be made by the third week of the semester.

Those interested in weekly paper reading: you'll need to read 10 articles and prepare a two-page summary. The papers you choose should be primarily from the recent issues of the following three journals: Communications of the ACM, IEEE Security and Privacy, and IEEE Computer . The list of the papers should be provided by the third week of the semester.

Weekly Schedule

The following is the weekly semester schedule of lecture topics and all related curricular activities. Some referenced documents may be password-protected. The password will be publicized in class.

Thursday August 28

1. Review course syllabus and the semester plan
2. An overview of information security concepts and key terms (chapter 1)
3. Additional notes: NIST key terms
4. Additional notes: Government entities involved  in IT security
5. Additional notes: The threat environment
6. Additional notes: Types of attacks experienced
7. Assignment 1 (due 9/5)
8. Additional assignment: decide on special project
9. Introduction to the encryption concepts (leading to chapter 2)

Thursday September 4

1. Cryptography and encryption
2. Cryptographic tools (chapter 2)
3. Additional notes: Introduction to Cryptography
4. Additional notes: The GPG tool
5. Assignment 2 (due 9/12)

Thursday September 11

1. User authentication (chapter 3)
2. Access control (chapter 4)
3. Additional notes: Understanding Unix Permissions
4. Assignment 3 (due 9/19)
5. Decision regarding the special project is due

Thursday September 18

1. Database security (chapter 5)
2. Additional notes: Database tracker
3. Additional notes: Cloud storage security
4. Assignment 4 (due 9/26)
5. Review for exam 1 (chapters 1--5 and lecture notes)

Thursday September 25

1. Exam 1 (90 minutes)  [see sample exam]
2. Malicious software (chapter 6)
3. Additional notes: Email and Internet Use Policy
4. Assignment 5 (due 10/2)

Thursday October 2

1. Denial of service attacks (chapter 7)
2. Intrusion detection (chapter 8)
3. Additional note: Common network ports and protocols
4. Exam 1 will be returned; exam 1 key will be distributed and reviewed
5. Assignment 6 (due 10/9)

Thursday October 9

1. Intrusion detection systems (chapter 8 continued)
2. Firewalls and intrusion prevention (chapter 9)
3. NIST intrusion detection systems
4. Detailed outline for the term paper or workshop is due (see guidelines)
5. Assignment 7 (due 10/16)

Thursday October 16

1. Firewalls and intrusion prevention (chapter 9)
2. NIST Special publication:  Intrusion Detection System
3. Mini-Project 1: Firewall Simulation (due November 5)

Thursday October 23

1. Software security: buffer overflow (chapter 10)
2. Software security issues (chapter 11)
3. Note: Smashing The Stack For Fun And Profit
4. Review for exam 2
5. Continue working on project 1; prepare for exam; no assignment

Thursday October 30

1. Operating systems security (chapter 12)
2. Linux security
3. Exam 2 (90 minuets)   [see sample exam]
4. No assignment; complete mini project 1 (due next week)

Thursday November 6

1. Exam 2 will be returned; exam 2 key will be distributed and reviewed
2. Trusted and MLS system (chapter 13)
3. Additional note: BLP
4. Assignment 8 (due 11/13)
5. Mini-Project 1 due

Thursday November 13

1. Additional notes: Looking Back at the Bell-La Padula Model
2. Physical and Infrastructure Security (chapter 16)
3. Security Auditing (chapter 18)
4. Assignment 9 (due 11/20)

Thursday November 20

1. Internet security protocols and standards (chapter 22)
2. Additional notes: Web security
3. Internet authentication (chapter 23)
4. First draft of the term paper is due
5. Mini-Project 2: Website hacking (due December 11)

Thursday November 27: No class (Thanksgiving break)

Thursday December 4

1. IPsec Presetnation/Workshop (Scott Daniel). IPsec is a suite of protocols (developed by IETF) for securing network connections and communications by authenticating and encrypting each IP packet during a communication session.

Thursday December 11

1. The Perils of Unauthenticated Encryption
2. Wireless Security (chapter 24)
3. Mini-Project 2 due
4. Term paper is due
5. Last day of classes (review for the final exam)

Thursday December 18

1. Final exam (comprehensive, 6:00-8:800 PM)  [see sample exam]

Important Dates

• First class day: Thursday August 28
• Labor day: Monday September 1 (EECS710 unaffected)
• Special project proposal: Thursday September 11
• Exam 1: Thursday September 25
• Detailed outline for the term paper or workshop: October 9
• Fall break: October 11--October 14 (EECS710 unaffected)
• Exam 2: Thursday October 30
• Mini-project 1: Thursday November 6
• First draft of the term paper: November 20
• Thanksgiving break: November 26--November 30
• Final draft of the term paper: Thursday December 11
• Mini-project 2: Thursday December 11
• Last class day: Thursday December 11
• Comprehensive final exam: Thursday December 18, 6:00-8:00 PM

Attendance

Attendance is important and required. If a student misses a class session, he or she will be entirely responsible for learning the materials missed without the benefit of a private lecture on the instructor's part. Furthermore, the student will be responsible for finding out what assignments may have been given and when they are due.

We will have both instructor and students' presentations. Students are expected to read assigned articles from the textbook or the reading list. Students are expected to actively participate in classroom discussions, make presentations, and regularly make contributions such as offering comments, asking interesting questions, and responding with good answers.

Suggested Readings

The textbook is an excellent survey and tutorial resource. Most up-to-date topics on information and computer security can be found in technical journals and recent conference proceedings. Students should develop a habit of regularly browsing such journals as IEEE Software, IEEE Computer, and Communications of the ACM.

E-Mail Communication

E-mail communication is fast, flexible, and effective. You are expected to have an @ku.edu email account and regularly check it. Important classroom notes will be communicated via email.

Do not send email in HTML format; it will not be processed. Unless you are specifically asked to send a document (in PDF format), send text-only emails in text-only format.  See the Guidelines for Submitting Electronic Documents.

Video Discs

A number of networking, computer, and information security video discs (mostly from the DoD and NIST) have been obtained to show in the classroom (but only if time allows). Students are expected to take notes during each video presentation.

Other Policies

Students are expected to conduct themselves very professionally, engage in informative discussion, and avoid anything that could cause a distraction either for other students or for the instructor.

Attendance Policy. Attendance is important and required. If a student misses a class session, he or she will be entirely responsible for learning the materials missed without the benefit of a private lecture on the instructor's part. Furthermore, the student will be responsible for finding out what assignments may have been given and when they are due. Exceptions will be made for family emergencies, religious observance, and illnesses.

Cell Phone Policy. Cell phones should be turned off before coming to the classroom.

Laptop Policy. It is OK to use laptops, tablets or similar devices for taking notes but turn off audio and avoid any possible uses (e.g., Web surfing or social media visits) that could cause distraction for others.

Academic Integrity/Dishonesty Policy. The definitions and consequences of institutional academic integrity policies will used. Academic dishonesty "includes giving or receiving of unauthorized aid on examinations or in the preparation of assignments or reports, knowingly misrepresenting the source of any academic work, falsification of research results, and plagiarizing of another's work."

Please take the KU Academic Integrity Quiz.

Incomplete Grade Policy. "Incomplete (I) grades are used to note, temporarily, that students have been unable to complete a portion of the required course work during that semester due to circumstances beyond their control. Incomplete work must be completed and assigned an A-F or S/U grade within the time period prescribed by the course instructor. After one calendar year from the original grade due date, an Incomplete (I) grade will automatically convert to a grade of F or U, or the lapsed grade assigned by the course instructor."

Common policies

Attendance. Regular attendance is essential for success in this course and its labs. Attendance may be taken randomly throughout the semester. Three or more unexcused absences will result in a one-letter grade reduction in the final course grade, which will be reflected when grades are posted at the end of the semester.

Students who miss class without a valid excuse are responsible for obtaining missed materials and assignments. The instructor or the TAs will not provide individual makeup lectures or one-on-one instruction. It is the student's responsibility to stay informed about course content, assignments, and course updates.

Late-work, makeup policy. Late work will not be accepted. Make-up options for labs, quizzes, or exams are not available. Exceptions will be made for excusable absences.

Examples of excusable absences include:

• Illness or injury
• Verifiable personal mental health or medical crisis or that of a relative
• Unforeseen life event or compelling circumstances beyond the student's control (e.g., divorce, birth or adoption of a child, death, loss of employment, sexual assault, domestic violence)
• Academic field trips or conferences
• Participation in university activities at the request of university authorities (e.g., an approved concert or athletic event)
• Jury duty or officially mandated court appearances

Requests for excused absences must be submitted in advance and approved by the instructor, except in emergencies. In such cases, notify the instructor as soon as possible after the absence. Please attach verification documents to the request.

Make-up quizzes and exams for excused absences must be completed before the following session when the quiz/exam content will be discussed in classroom or its key becomes public. Make-up for an excused lab absence should be completed within one week.

Technical problems. If you experience technical problems with your EECS account or the EECS servers or the lab equipment, please submit a support request help at: https://tsc.ku.edu/request-support-engineering-tsc.

Inside classroom policy. Students are expected to come to the class on time, be attentive and engaged, conduct themselves professionally, and avoid anything that could cause a distraction or detrimental either for other students learning or for the instructor's presentations. Profanity and swearing is not allowed.

Students are expected to actively participate in all classroom presentations and discussions, ask questions, and regularly make contributions such as offering comments, responding with good answers, and providing feedback.

Canvas announcements. Announcements is a Canvas tool to post important information and updates to all members of a course. It is your responsibility to regularly check your Canvas account for such announcements (students may also receive an email notification when a new announcement is posted).

Email communications E-mail communication is fast, flexible, and effective. You have an @ku.edu email account and you are expected to regularly check it. Important information will also be communicated via email.

You are a student registered in a course offered by the School of Engineering at the University of Kansas, a top regional and a nationally ranked institution. Your communications, especially written communications (composition, grammar, spelling, punctuation, etc), must reflect that status. Please follow these email guidelines and etiquettes.

Send text-only emails in text-only format. All classroom assignments, labs, or projects should be typeset and submitted on Canvas. Other documents (e.g., documents for an excusable absence) shoud be emailed in PDF or a well-known image format (e.g., JPG or PNG). See the Guidelines for submitting electronic documents.

Grade and absence clarification or correction. If you believe your grades on an assignment, lab, quiz, or exam are incorrect, you should formally submit a grade appeal via email to the instructor within one week of receiving the graded work. Similarly, if you have an excusable absence, and you did not provide documentation prior to the absence, submit relevant documentation within one week of the absence. Failure to address concerns within these timeframes will result in the decision becoming final. This timeline ensures timely resolution and fairness for all parties involved.

Late exam-taking policy. If a student will have to take an exam or a quiz at a later time (due to an excused and verified absence), he or she will be asked to make the following statement: I understand that I have been granted the opportunity to take this exam or quiz on [date of rescheduled exam] due to an excused absence from the original exam on [date of original exam]. In making this arrangement, I affirm that I did not and will not, by any means (in writing, speaking, or through digital communications), obtain any information about the exam content or details from anyone who has taken it at the original time. I understand that violating this pledge may result in disciplinary action, including receiving a failing grade on the exam.

Cell phone policy. Cell phones should be turned off before coming to the classroom. Cell phone use for the purposes of texting, email or other social media should be avoided. Earphones for music are OK during lab work or individualized problem solving, as long as the volume allows you to hear announcements. Also cell phone or other cameras may be used to photograph projects and the whiteboard but avoid shots that include the presenter or other students.

Laptop/electronic device policy. The use of laptops, tablets or similar devices is common for taking notes but turn off audio and avoid any possible uses that could cause distraction for others (e.g., Web surfing or social media visits).

Incomplete grade policy. "Incomplete (I) grades are used to note, temporarily, that students have been unable to complete a portion of the required course work during that semester due to circumstances beyond their control. Incomplete work must be completed and assigned an A-F or S/U grade within the time period prescribed by the course instructor. After one calendar year from the original grade due date, an Incomplete (I) grade will automatically convert to a grade of F or U, or the lapsed grade assigned by the course instructor."

Accommodations for students with disabilities. The University of Kansas is committed to providing equal opportunity for participation in all programs, services and activities. Requests for special accommodations may be made thru the KU Student Access Services.

The Provost's freedom of expression statement . "Our IRISE values will guide us and our students as we all engage with each other in respectful freedom of expression.

In a setting as diverse as KU, we will inevitably encounter ideas, opinions and philosophies that are different than our own and which some personally find uncomfortable or offensive. To be clear, threats, incitement of violence and targeted harassment are not protected speech under the First Amendment. Offensive speech, although it can be painful, is generally considered protected speech. We need to strongly encourage and facilitate civil and respectful discussion and interaction. We simply must not inhibit or penalize expression protected by the First Amendment."

KU's diversity policy statement. "As a premier international research university, the University of Kansas is committed to an open, diverse and inclusive learning and working environment that nurtures the growth and development of all. KU holds steadfast in the belief that an array of values, interests, experiences, and intellectual and cultural viewpoints enrich learning and our workplace. The promotion of and support for a diverse and inclusive community of mutual respect require the engagement of the entire university..."

"The University of Kansas prohibits discrimination on the basis of race, color, ethnicity, religion, sex, national origin, age, ancestry, disability, status as a veteran, sexual orientation, marital status, parental status, gender identity, gender expression, and genetic information in the University's programs and activities."

KU's sexual harassment policy. "The University of Kansas prohibits sexual harassment and is committed to preventing, correcting, and disciplining incidents of unlawful harassment, including sexual harassment and sexual assault."

Mandatory reporter statement. "The University of Kansas has decided that all employees, with few exceptions, are responsible employees or mandatory reporters who must report incidents of discrimination, harassment, and sexual violence that they learn of in their employment at KU to the Office of Civil Rights and Title IX. This includes faculty members. As such, if you share information about discrimination, harassment, or sexual violence with me, I will have to relay that information to the Office of Civil Rights and Title IX. I truly value your trust in me to share that information and I want to be upfront about my requirement as a mandatory reporter. If you are interested in contacting KU’s confidential resources (those who do not have to make disclosures to OCRTIX), there are: the Care Coordinator, Melissa Foree; CAPS therapists; Watkins Health Care Providers; and the Ombuds Office."

Commercial note-taking ventures. "Pursuant to the University of Kansas’ Policy on Commercial Note-Taking Ventures, commercial note-taking is not permitted in this course. Lecture notes and course materials may be taken for personal use, for the purpose of mastering the course material, and may not be sold to any person or entity in any form. Any student engaged in or contributing to the commercial exchange of notes or course materials will be subject to discipline, including academic misconduct charges, in accordance with University policy. Please note: note-taking provided by a student volunteer for a student with a disability, as a reasonable accommodation under the ADA, is not the same as commercial note-taking and is not covered under this policy."

Concealed handguns. "Individuals who choose to carry concealed handguns are solely responsible to do so in a safe and secure manner in strict conformity with state and federal laws and KU weapons policy. Safety measures outlined in the KU weapons policy specify that a concealed handgun:

• Must be under the constant control of the carrier.
• Must be out of view, concealed either on the body of the carrier, or backpack, purse, or bag that remains under the carriers custody and control.
• Must be in a holster that covers the trigger area and secures any external hammer in an un-cocked position.
• Must have the safety on, and have no round in the chamber."

Suggested readings Textbooks are excellent survey and tutorial resources. Most up-to-date topics on topics discussed in class can be found in technical journals and recent conference proceedings. Students should develop a habit of regularly browsing IEEE Software, IEEE Computer, Communications of the ACM, IEEE Security & Privacy, IEEE Network, IEEE IT Professional, IEEE Cloud Computing, and similar magazines.