
Course Title

EECS710: Information Security and Assurance - Fall 2014
Thursday, 6:10-9:00 PM, 153 Regnier Hall (Course Number: 29810)
Course Web Site: people.eecs.ku.edu/~saiedian/Teaching

Prerequisites and Expected Audience.   This course is intended for graduate and senior students in IT, computer science or computer engineering programs as well as for IT professionals with appropriate professional experience.

Instructor

Professor Hossein Saiedian
Offices: BEST 250 and Nichols 155
Telephone 785-864-8812
E-Mail: saiedian@eecs.ku.edu
WWW: people.eecs.ku.edu/~saiedian
Office Hours: Wednesdays and Thursdays, 1:00-4:00 PM (and by appointment)

Course Overview

We will explore and survey important issues related to the provision of information and computer security and will provide an overview of the security problems, fundamental principles, and the technical aspects of computer security as it relates to operating systems, databases, and computer networks. As usual, students are expected to conduct some independent study as described under the "special projects."

Catalog Course Description.   Critical information assets, information security, operating systems security, database security, network security, e-commerce security, security risks, encryption and cryptography, security management, security models.

Course topics: Computer Security Concepts (Threats, Attacks, and Assets); Fundamental Security Design Principles; Attack Surfaces and Attack Trees; Cryptography; User Authentication; Access Control Principles; Database and Cloud Security; SQL Injection Attacks; Malicious Software; Denial-of-Service Attacks; Intrusion Detection; Firewalls and Intrusion Prevention Systems; Software Security; Operating System Security; Trusted Computing and Multilevel Security; IT Security Management and Risk Assessment; Internet Authentication Applications

Required Textbooks

William Stallings and Lawrie Brown, Computer Security: Principles and Practice, 3rd edn, Prentice-Hall, 2015.

Matt Bishop, Introduction to Computer Security, Addison Wesley, 2005 (optional).

Please visit the textbooks' websites for updates and errata.

The order of chapter coverage may be different from the textbook. In addition to the materials from the main textbook, students are responsible for lecture notes, reading assignments, as well as items distributed during the classroom sessions. Important reading materials as well as lecture slides will be placed on the class website.

Lecture Notes/Suggested Readings

Lecture Notes

Additional Readings

Evaluation Criteria (subject to revision)

Students will be evaluated as follows:

  • Grade Distribution
    Quizzes and Exams: 60%
    Assignments: 20%
    Special Project: 20%
  • Grading Scale
    A = 90%..100%
    B = 80%..89%
    C = 70%..79%
    D = 60%..69%
  • No make-up quizzes are given. No late work will be accepted. (Certain exceptions may be made for family emergencies, religious observance, and illnesses.)
  • All written work must be typed. It is OK to draw diagrams by hand and then scan them, but they must be legible.

Special Project Options

The "special project" provides an opportunity for each student to become expert in an area related to the topic of the course. It can include a term paper or a thorough, workshop-like, 120 minute presentation that covers a related topic in-depth. A special project topic will have to be approved.

Those interested in a presentation should have experience in long, lively, and engaging presentations and should begin their preparation immediately. Carefully follow the Guidelines for Making a Presentation. A proposal (workshop topic, justification, list of resources, and the tentative date for the presentation) should be submitted by the third week of the semester.

Those who would like to do a term paper may choose an applied research topic, e.g., an evaluation or comparison of certain methodologies for a real case study (or a reconstruction of a case study reported in literature). Another option is to make an objective evaluation of several research projects tackling the same problem. Other ideas are welcome. Guidelines for Writing a Term Paper have to be strictly followed. The paper decision and the tentative topic should be made by the third week of the semester.

Those interested in weekly paper reading: you'll need to read 10 articles and prepare a two-page summary of each. The papers you choose should be primarily from recent issues of the following three journals: Communications of the ACM, IEEE Security and Privacy, and IEEE Computer. The list of papers should be provided by the third week of the semester.

Weekly Schedule

The following is the weekly semester schedule of lecture topics and all related curricular activities. Some referenced documents may be password-protected. The password will be publicized in class.

Thursday August 28

  1. Review course syllabus and the semester plan
  2. An overview of information security concepts and key terms (chapter 1)
  3. Additional notes: NIST key terms
  4. Additional notes: Government entities involved in IT security
  5. Additional notes: The threat environment
  6. Additional notes: Types of attacks experienced
  7. Assignment 1 (due 9/5)
  8. Additional assignment: decide on special project
  9. Introduction to the encryption concepts (leading to chapter 2)

Thursday September 4

  1. Cryptography and encryption
  2. Cryptographic tools (chapter 2)
  3. Additional notes: Introduction to Cryptography
  4. Additional notes: The GPG tool
  5. Assignment 2 (due 9/12)

Thursday September 11

  1. User authentication (chapter 3)
  2. Access control (chapter 4)
  3. Additional notes: Understanding Unix Permissions
  4. Assignment 3 (due 9/19)
  5. Decision regarding the special project is due

Thursday September 18

  1. Database security (chapter 5)
  2. Additional notes: Database tracker
  3. Additional notes: Cloud storage security
  4. Assignment 4 (due 9/26)
  5. Review for exam 1 (chapters 1--5 and lecture notes)

Thursday September 25

  1. Exam 1 (90 minutes)  [see sample exam]
  2. Malicious software (chapter 6)
  3. Additional notes: Email and Internet Use Policy
  4. Assignment 5 (due 10/2)

Thursday October 2

  1. Denial of service attacks (chapter 7)
  2. Intrusion detection (chapter 8)
  3. Additional note: Common network ports and protocols
  4. Exam 1 will be returned; exam 1 key will be distributed and reviewed
  5. Assignment 6 (due 10/9)

Thursday October 9

  1. Intrusion detection systems (chapter 8 continued)
  2. Firewalls and intrusion prevention (chapter 9)
  3. NIST intrusion detection systems
  4. Detailed outline for the term paper or workshop is due (see guidelines)
  5. Assignment 7 (due 10/16)

Thursday October 16

  1. Firewalls and intrusion prevention (chapter 9)
  2. NIST Special publication:  Intrusion Detection System
  3. Mini-Project 1: Firewall Simulation (due November 5)

Thursday October 23

  1. Software security: buffer overflow (chapter 10)
  2. Software security issues (chapter 11)
  3. Note: Smashing The Stack For Fun And Profit
  4. Review for exam 2
  5. Continue working on project 1; prepare for exam; no assignment

Thursday October 30

  1. Operating systems security (chapter 12)
  2. Linux security
  3. Exam 2 (90 minutes)   [see sample exam]
  4. No assignment; complete mini project 1 (due next week)

Thursday November 6

  1. Exam 2 will be returned; exam 2 key will be distributed and reviewed
  2. Trusted and MLS system (chapter 13)
  3. Additional note: BLP
  4. Assignment 8 (due 11/13)
  5. Mini-Project 1 due

Thursday November 13

  1. Additional notes: Looking Back at the Bell-La Padula Model
  2. Physical and Infrastructure Security (chapter 16)
  3. Security Auditing (chapter 18)
  4. Assignment 9 (due 11/20)

Thursday November 20

  1. Internet security protocols and standards (chapter 22)
  2. Additional notes: Web security
  3. Internet authentication (chapter 23)
  4. First draft of the term paper is due
  5. Mini-Project 2: Website hacking (due December 11)

Thursday November 27: No class (Thanksgiving break)

Thursday December 4

  1. IPsec Presentation/Workshop (Scott Daniel). IPsec is a suite of protocols (developed by the IETF) for securing network connections and communications by authenticating and encrypting each IP packet during a communication session.

Thursday December 11

  1. The Perils of Unauthenticated Encryption
  2. Wireless Security (chapter 24)
  3. Mini-Project 2 due
  4. Term paper is due
  5. Last day of classes (review for the final exam)
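The IPsec note (December 4) and the "Perils of Unauthenticated Encryption" reading (December 11) make the same point from two sides: a packet that is encrypted but not authenticated can be altered in transit without the receiver noticing. The following added example (not part of the original syllabus or of any course material; the keystream construction, message format and field names are illustrative assumptions) shows the failure on a toy stream cipher and then shows encrypt-then-MAC, the construction ESP uses in spirit, rejecting the same forgery. Only the Python standard library is used so it runs offline.

```python
import hashlib
import hmac
import os

NONCE_LEN = 12
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Constructed toy keystream: HMAC-SHA256 in counter mode (an assumption
    # made for this example, not a real cipher). The tampering property shown
    # below holds for any stream cipher and for CBC mode as well.
    out = b""
    counter = 0
    while len(out) < length:
        block = hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def encrypt_unauthenticated(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    # Confidentiality only: XOR with the keystream; no integrity protection.
    ks = _keystream(key, nonce, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, ks))


# XOR is its own inverse, so decryption is the same operation.
decrypt_unauthenticated = encrypt_unauthenticated


def encrypt_then_mac(enc_key: bytes, mac_key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    # Encrypt-then-MAC with separate keys: the tag covers nonce and ciphertext.
    ct = encrypt_unauthenticated(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_then_verify(enc_key: bytes, mac_key: bytes, packet: bytes):
    # Verify the tag first (constant-time compare) and refuse to decrypt on
    # mismatch, so the attacker never gets to observe a decryption of a forgery.
    nonce, ct, tag = packet[:NONCE_LEN], packet[NONCE_LEN:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return decrypt_unauthenticated(enc_key, nonce, ct)


def flip_bits(ciphertext: bytes, offset: int, known: bytes, desired: bytes) -> bytes:
    # Bit-flipping attack: an attacker who knows (or guesses) the plaintext at
    # `offset` XORs in the difference between the known and desired bytes.
    # No key material is needed.
    delta = bytes(a ^ b for a, b in zip(known, desired))
    mutable = bytearray(ciphertext)
    for i, d in enumerate(delta):
        mutable[offset + i] ^= d
    return bytes(mutable)


def demo():
    enc_key, mac_key, nonce = os.urandom(32), os.urandom(32), os.urandom(NONCE_LEN)
    msg = b"PAY 0100 USD TO ALICE"  # constructed sample message; amount at offset 4

    # Unauthenticated: the forgery decrypts to a different, valid-looking message.
    ct = encrypt_unauthenticated(enc_key, nonce, msg)
    forged_ct = flip_bits(ct, 4, b"0100", b"9900")
    tampered = decrypt_unauthenticated(enc_key, nonce, forged_ct)

    # Authenticated: the identical modification is rejected before decryption.
    packet = encrypt_then_mac(enc_key, mac_key, nonce, msg)
    body = packet[NONCE_LEN:-TAG_LEN]
    forged_packet = packet[:NONCE_LEN] + flip_bits(body, 4, b"0100", b"9900") + packet[-TAG_LEN:]
    genuine = decrypt_then_verify(enc_key, mac_key, packet)
    rejected = decrypt_then_verify(enc_key, mac_key, forged_packet)
    return tampered, genuine, rejected


if __name__ == "__main__":
    tampered, genuine, rejected = demo()
    print("unauthenticated, after bit flip:", tampered)
    print("authenticated, genuine packet:  ", genuine)
    print("authenticated, forged packet:   ", rejected)
```

The attacker in `demo()` never touches a key; changing "0100" to "9900" only requires knowing where the amount sits in the plaintext. With the MAC in place the same packet is dropped, which is why IPsec ESP pairs encryption with an integrity check (or uses an AEAD mode) rather than relying on encryption alone.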

Thursday December 18

  1. Final exam (comprehensive, 6:00-8:00 PM)  [see sample exam]

Important Dates

  • First class day: Thursday August 28
  • Labor Day: Monday September 1 (EECS710 unaffected)
  • Special project proposal: Thursday September 11
  • Exam 1: Thursday September 25
  • Detailed outline for the term paper or workshop: October 9
  • Fall break: October 11--October 14 (EECS710 unaffected)
  • Exam 2: Thursday October 30
  • Mini-project 1: Thursday November 6
  • First draft of the term paper: November 20
  • Thanksgiving break: November 26--November 30
  • Final draft of the term paper: Thursday December 11
  • Mini-project 2: Thursday December 11
  • Last class day: Thursday December 11
  • Comprehensive final exam: Thursday December 18, 6:00-8:00 PM

Attendance

Attendance is important and required. If a student misses a class session, he or she will be entirely responsible for learning the materials missed without the benefit of a private lecture on the instructor's part. Furthermore, the student will be responsible for finding out what assignments may have been given and when they are due.

We will have both instructor and students' presentations. Students are expected to read assigned articles from the textbook or the reading list. Students are expected to actively participate in classroom discussions, make presentations, and regularly make contributions such as offering comments, asking interesting questions, and responding with good answers.

Suggested Readings

The textbook is an excellent survey and tutorial resource. Most up-to-date topics on information and computer security can be found in technical journals and recent conference proceedings. Students should develop a habit of regularly browsing such journals as IEEE Software, IEEE Computer, and Communications of the ACM.

E-Mail Communication

E-mail communication is fast, flexible, and effective. You are expected to have an @ku.edu email account and regularly check it. Important classroom notes will be communicated via email.

Do not send email in HTML format; it will not be processed. Unless you are specifically asked to send a document (in PDF format), send text-only emails in text-only format.  See the Guidelines for Submitting Electronic Documents.

Video Discs

A number of networking, computer, and information security video discs (mostly from the DoD and NIST) have been obtained to show in the classroom (but only if time allows). Students are expected to take notes during each video presentation.

Other Policies

Students are expected to conduct themselves very professionally, engage in informative discussion, and avoid anything that could cause a distraction either for other students or for the instructor.

Attendance Policy. Attendance is important and required. If a student misses a class session, he or she will be entirely responsible for learning the materials missed without the benefit of a private lecture on the instructor's part. Furthermore, the student will be responsible for finding out what assignments may have been given and when they are due. Exceptions will be made for family emergencies, religious observance, and illnesses.

Cell Phone Policy. Cell phones should be turned off before coming to the classroom.

Laptop Policy. It is OK to use laptops, tablets or similar devices for taking notes but turn off audio and avoid any possible uses (e.g., Web surfing or social media visits) that could cause distraction for others.

Academic Integrity/Dishonesty Policy. The definitions and consequences of institutional academic integrity policies will be used. Academic dishonesty "includes giving or receiving of unauthorized aid on examinations or in the preparation of assignments or reports, knowingly misrepresenting the source of any academic work, falsification of research results, and plagiarizing of another's work."

Please take the KU Academic Integrity Quiz.

Incomplete Grade Policy. "Incomplete (I) grades are used to note, temporarily, that students have been unable to complete a portion of the required course work during that semester due to circumstances beyond their control. Incomplete work must be completed and assigned an A-F or S/U grade within the time period prescribed by the course instructor. After one calendar year from the original grade due date, an Incomplete (I) grade will automatically convert to a grade of F or U, or the lapsed grade assigned by the course instructor."

Common policies

Attendance. Attendance is important and required. Throughout the semester, attendance may be taken at random; every three absences (in classroom or lab) will result in a letter-grade drop, applied when the final grade is posted. If a student misses a class session, he or she will be entirely responsible for learning the materials missed without the benefit of a private lecture on the instructor's part. The student will also be responsible for finding out what assignments may have been given and when they are due, as well as any updates to the term project, schedule, or course syllabus.

Late-work, makeup policy. No late work will be accepted. No makeup option (for a lab, quiz, or exam) will be provided.

Exceptions will be made for family emergencies, religious observance, and illnesses.

Verification (documentation) of an excusable absence will be required. An excusable-absence request must be submitted in advance and approved by the instructor, unless it is an emergency. Verification documents must be attached to the request.

Make-up quizzes and exams for excused absences will have to be completed before the following session when the quiz/exam key becomes public.

Technical problems. If you experience technical problems with your EECS account, the EECS servers, or the lab equipment, please submit a support request at: https://tsc.ku.edu/request-support-engineering-tsc.

Inside classroom policy. Students are expected to come to class on time, be attentive and engaged, conduct themselves professionally, and avoid anything that could distract or be detrimental to other students' learning or to the instructor's presentations. Profanity and swearing are not allowed.

Students are expected to actively participate in all classroom presentations and discussions, ask questions, and regularly make contributions such as offering comments, responding with good answers, and providing feedback.

Canvas announcements. Announcements is a Canvas tool to post important information and updates to all members of a course. It is your responsibility to regularly check your Canvas account for such announcements (students may also receive an email notification when a new announcement is posted).

Email communications. E-mail communication is fast, flexible, and effective. You have an @ku.edu email account and you are expected to check it regularly. Important information will also be communicated via email.

You are a student registered in a course offered by the School of Engineering at the University of Kansas, a top regional and nationally ranked institution. Your communications, especially written communications (composition, grammar, spelling, punctuation, etc.), must reflect that status. Please follow these email guidelines and etiquette.

Send text-only emails in text-only format. All classroom assignments, labs, or projects should be typeset and submitted on Canvas. Other documents (e.g., documentation for an excusable absence) should be emailed in PDF or a well-known image format (e.g., JPG or PNG). See the Guidelines for submitting electronic documents.

Grade and absence clarification or correction. If you believe your grades on an assignment, lab, quiz, or exam are incorrect, you should formally submit a grade appeal via email to the instructor within one week of receiving the graded work. Similarly, if you have an excusable absence, and you did not provide documentation prior to the absence, submit relevant documentation within one week of the absence. Failure to address concerns within these timeframes will result in the decision becoming final. This timeline ensures timely resolution and fairness for all parties involved.

Late exam-taking policy. If a student will have to take an exam or a quiz at a later time (due to an excused and verified absence), he or she will be asked to make the following statement: I understand that I have been granted the opportunity to take this exam or quiz on [date of rescheduled exam] due to an excused absence from the original exam on [date of original exam]. In making this arrangement, I affirm that I did not and will not, by any means (in writing, speaking, or through digital communications), obtain any information about the exam content or details from anyone who has taken it at the original time. I understand that violating this pledge may result in disciplinary action, including receiving a failing grade on the exam.

Cell phone policy. Cell phones should be turned off before coming to the classroom. Cell phone use for texting, email, or social media should be avoided. Earphones for music are OK during lab work or individualized problem solving, as long as the volume allows you to hear announcements. Cell phone or other cameras may be used to photograph projects and the whiteboard, but avoid shots that include the presenter or other students.

Laptop/electronic device policy. The use of laptops, tablets or similar devices is common for taking notes but turn off audio and avoid any possible uses that could cause distraction for others (e.g., Web surfing or social media visits).

Accommodations for students with disabilities. The University of Kansas is committed to providing equal opportunity for participation in all programs, services, and activities. Requests for special accommodations may be made through KU Student Access Services.

KU's diversity policy statement. As a premier international research university, the University of Kansas is committed to an open, diverse and inclusive learning and working environment that nurtures the growth and development of all. KU holds steadfast in the belief that an array of values, interests, experiences, and intellectual and cultural viewpoints enrich learning and our workplace. The promotion of and support for a diverse and inclusive community of mutual respect require the engagement of the entire university.

The University of Kansas prohibits discrimination on the basis of race, color, ethnicity, religion, sex, national origin, age, ancestry, disability, status as a veteran, sexual orientation, marital status, parental status, gender identity, gender expression, and genetic information in the University's programs and activities. Retaliation is also prohibited by University policy. If you have questions about filing a report of discrimination, contact the Office of Civil Rights and Title IX at civilrights@ku.edu.

KU's sexual harassment policy. The University of Kansas prohibits sexual harassment and is committed to preventing, correcting, and disciplining incidents of unlawful harassment, including sexual harassment and sexual assault. Sexual harassment, sexual violence, and a hostile environment because of sex are forms of sex discrimination and should be reported. (“Sexual Harassment” means behavior, including physical contact, advances, and comments in person, through an intermediary, and/or via phone, text message, email, social media, or other electronic medium, that is unwelcome; based on sex or gender stereotypes; and is so severe, pervasive and objectively offensive that it has the purpose or effect of substantially interfering with a person’s academic performance, employment or equal opportunity to participate in or benefit from University programs or activities or by creating an intimidating, hostile or offensive working or educational environment.)

Under Title IX of the Education Amendments of 1972, harassment based on sex, including sexual assault, stalking, domestic and dating violence, and harassment or discrimination based on the individual’s sexual orientation, gender identity, gender expression, and pregnancy or related conditions, is prohibited. If a student would like to file a complaint for Title IX discrimination or has any questions, please contact KU’s Title IX Coordinator (Lauren Jones McKown, Associate Vice Chancellor for Civil Rights and Title IX, Dole Human Development Center, 1000 Sunnyside Ave, Suite 1082, Lawrence, KS 66045, civilrights@ku.edu, 785.864.6414).

Mandatory reporter statement. The University of Kansas has decided that all employees, with few exceptions, are responsible employees or mandatory reporters who must report incidents of discrimination, harassment, and sexual violence that they learn of in their employment at KU to the Office of Civil Rights and Title IX. This includes faculty members. As such, if you share information about discrimination, harassment, or sexual violence with me, I will have to relay that information to the Office of Civil Rights and Title IX. I truly value your trust in me to share that information and I want to be upfront about my requirement as a mandatory reporter. If you are interested in contacting KU’s confidential resources (those who do not have to make disclosures to OCRTIX), there are: the Care Coordinator, Melissa Foree; CAPS therapists; Watkins Health Care Providers; and the Ombuds Office.

Commercial note-taking ventures. Pursuant to the University of Kansas' Policy on Commercial Note-Taking Ventures, commercial note-taking is not permitted in this course. Lecture notes and course materials may be taken for personal use, for the purpose of mastering the course material, and may not be sold to any person or entity in any form. Any student engaged in or contributing to the commercial exchange of notes or course materials will be subject to discipline, including academic misconduct charges, in accordance with University policy. Please note: note-taking provided by a student volunteer for a student with a disability, as a reasonable accommodation under the ADA, is not the same as commercial note-taking and is not covered under this policy. In fact, we often have students needing help with note-taking (including in this very course). If you are able to take well-organized and detailed notes, have legible handwriting, and regularly attend class, your help will be greatly appreciated and will be recognized with a KU certificate. Please visit with me.

Concealed handguns. Individuals who choose to carry concealed handguns are solely responsible to do so in a safe and secure manner in strict conformity with state and federal laws and KU weapons policy. Safety measures outlined in the KU weapons policy specify that a concealed handgun:

  • Must be under the constant control of the carrier.
  • Must be out of view, concealed either on the body of the carrier or in a backpack, purse, or bag that remains under the carrier's custody and control.
  • Must be in a holster that covers the trigger area and secures any external hammer in an un-cocked position.
  • Must have the safety on, and have no round in the chamber.

Suggested readings. Textbooks are excellent survey and tutorial resources. The most up-to-date treatment of topics discussed in class can be found in technical journals and recent conference proceedings. Students should develop a habit of regularly browsing IEEE Software, IEEE Computer, Communications of the ACM, IEEE Security & Privacy, IEEE Network, IEEE IT Professional, IEEE Cloud Computing, and similar magazines.