NORTH CAROLINA STATE UNIVERSITY GRADUATE COURSE ACTION FORM

Transcription

1 NORTH CAROLINA STATE UNIVERSITY GRADUATE COURSE ACTION FORM NOTE: Click once on shaded fields to type data. To check boxes, right click at box, click Properties, and click Checked under Default Values. DEPARTMENT/PROGRAM Computer Science COURSE PREFIX/NUMBER CSC/ECE 574 PREVIOUS PREFIX/NUMBER CSC 474/574 DATE OF LAST ACTION March 2002 COURSE TITLE Computer and Network Security ABBREVIATED TITLE COMP & NETWORK SEC SCHEDULING Fall Spring Summer Every Year Alt. Year Odd Alt. Year Even Other COURSE OFFERED BY DISTANCE EDUCATION ONLY ON CAMPUS ONLY BOTH ON CAMPUS AND BY DISTANCE EDUCATION CREDIT HOURS 3 CONTACT HOURS Lecture/Recitation 3 Seminar Laboratory Problem Studio Independent Study/Research Internship/Practicum/Field Work TYPE OF PROPOSAL New Course Drop Course Course Revision Dual-Level Course REVISION Content Prefix/Number Title Abbreviated Title Credit Hours Contact Hours Grading Method Pre-Corequisites Restrictive Statement Description Scheduling GRADING ABCDF S/U INSTRUCTOR (NAME/RANK) Peng Ning, Assistant Professor; Ting Yu, Assistant Professor Graduate Faculty Status Associate Full ANTICIPATED ENROLLMENT Per semester 60 Max.Section 60 Multiple sections Yes No PREREQUISITE(S) CSC 316 or equivalent and CSC 401 or CSC/ECE 570 or equivalent COREQUISITE(S) PRE/COREQUISITE FOR CSC 716, CSC 743, CSC/ECE 774 RESTRICTIVE STATEMENT CURRICULA/MINORS Required Qualified Elective MCS, MS, MSCN, Ph.D. PROPOSED EFFECTIVE DATE Spring 2006 APPROVED EFFECTIVE DATE CATALOG DESCRIPTION (limit to 80 words): Security policies, models, and mechanisms for secrecy, integrity, and availability. Basic cryptography and its applications; operating system models and mechanisms for mandatory and discretionary controls; introduction to database security; security in distributed systems; network security (firewalls, IPsec, and SSL); and control and prevention of viruses and other rogue programs. DOCUMENTATION AS REQUIRED Please number all document pages Course Justification Proposed Revision(s) with Justification Student Learning Objectives Enrollment for Last 5 Years New Resources Statement Consultation with other Departments Syllabus (Old and New) Explanation of differences in requirements of dual-level courses RECOMMENDED BY: Department Head/Director of Graduate Programs Date ENDORSED BY: Chair, College Graduate Studies Committee Date College Dean(s) Date APPROVED: Dean of the Graduate School Date

2 Documentation Required for Course Revision CSC/ECE 574 Information Systems & Network Security I. Proposed Revision with Justification A. Background Information security has become increasingly important as information systems in many of the world s organizations are switching from the paper to the electronic media. Industry, government agencies and various other organizations are having greater demand for well-trained engineers who are prepared to secure these organizations information systems. The Computer Science Department recognized this demand several years ago when it created and is currently offering two regular graduate level courses, CSC 574 Information Systems Security and CSC/ECE 774 Advanced Network Security, and two undergraduate level courses, CSC 405 Introduction to Computer Security and CSC 474 Information Systems Security (piggybacked with CSC 574). However, information security is a discipline that has been studied for several decades and has many more topics than can be covered in these courses. Many important topics were not covered in these current security courses because of the lack of faculty resources. With Dr. Jun Xu and Dr. Ting Yu joining the department in Fall 2003 and Dr. Khaled Harfoush starting to teach undergraduate level security courses, the Computer Science Department has an opportunity to offer more in information security education. The faculty currently teaching security courses (Harfoush, Ning, Xu, and Yu) propose to revise the present security courses and create two new security courses. The following gives a brief description of the proposed security courses including the revisions of the current courses. Undergraduate Level Security Courses CSC 405 Introduction to Computer Security This course mainly covers introductory information security techniques relevant to protecting computer systems, including access control, authentication, applied cryptography, multi-level security, physical security, etc. CSC 474 Network Security This course mainly covers topics relevant to protecting networks and distributed systems, including applied cryptography, authentication, key management, authentication in distributed systems, firewalls, IPsec, transport layer security, security, etc. Graduate Level Security Courses CSC/ECE 574 Computer and Network Security This course serves as the foundational information security course in the graduate program. It covers topics related to information systems and network security, including applied cryptography, authentication, access control, network and distributed security, malicious software, etc. CSC 716 Design of Secure and Reliable Systems The course covers advanced topics in computer system security and reliability. The course presents algorithms/techniques from both fields. The emphasis is on system level design issues, e.g., how systems fail, how algorithms can be compromised, how protocols can be attacked, and ultimately, 2

3 how application design, compiler, operating systems, and processor architectures can be enhanced to detect and mask attacks/failures. CSC 743 Secure Data Management This course covers advanced topics in data management security, including inference control, Rolebased access control, trust management, privacy policy enforcement in databases, query answering over encrypted databases, as well as anonymity and micro data release in decentralized data sharing. CSC/ECE 774 Advanced Network Security This course covers advanced topics in network security, including electronic payment systems, network intrusion detection and alert correlation, secure group communication, broadcast authentication, and security in mobile ad-hoc and sensor networks. B. Proposed Revision for CSC 574 Revise the course title Old title: Information Systems Security New title: Computer and Network Security Justification: After the course content is revised, CSC 574 will have substantial coverage of both computer and network security and that is why we propose to revise the course title accordingly. Revise the course prefix/number Old prefix/number: CSC 474/574 New prefix/number: CSC/ECE 574 Justification: In this course revision, we propose to revise CSC 474 and CSC 574 separately, considering the difference in undergraduate and graduate programs. Thus, CSC 474 and CSC 574 are no longer piggy-backed. Moreover, ECE Department has requested to cross-list CSC 574 as ECE courses to give ECE students more exposure to security courses. After consulting with the head of the Computer Science Department and the Computer Science DGP about the availability of resources, the proposing faculty decided to support ECE Department s request. Revise the Catalog Description Justification: The content of the course is revised in this proposal and therefore we propose to revise the catalog description accordingly. Move the database security portion (except for the introductory content) from CSC 574 into CSC 743 Secure Data Management. Justification: With the creation of a separate course on secure data management, it is more appropriate to include database security topics in the new course. Move the discussion of classical network security techniques (firewalls, IP security, secure socket layer (SSL)) from CSC/ECE 774 (previous Network Security) into CSC 574. Justification: Issues such as firewalls, IP security, and SSL are potentially relevant to many computer science graduate students future jobs. It is more appropriate to cover these topics in a 500-level course so that the students could learn these topics at an earlier stage of their studies. CSC 774 has been revised to drop the above topics and add more advanced topics on group key management (for secure group communication), security in mobile ad-hoc networks, and security in sensor networks The revision of CSC/ECE 774 has been approved. 3

4 II. Student Learning Objectives See syllabus. III. Enrollment for Last Five Years CSC 574 has been offered since Fall The enrollment starting with that semester is: Fall 2002 Fall 2003 Spring 2004 Fall 2004 Spring IV. Consultation with Other Departments The Electrical and Computer Engineering Department initially requested cross-listing CSC/ECE 574, and the Computer Science Department has agreed. Both departments have consulted on this course and it has been approved by the departments joint networking committee that has responsibility for the course. There are no other relevant departments. V. Old and New Syllabus A. Instructors: New Syllabus Dr. Peng Ning, Office: 250 Venture III, Centennial Campus Phone: (919) URL: Dr. Ting Yu Office: 243 Venture III, Centennial Campus Phone: (919) URL: B. Course prerequisites or restrictive statements: CSC 316 or equivalent and CSC 401 or CSC/ECE 570 or equivalent. C. Student learning objectives: Upon successful completion of this course, students will be able to: - State the basic concepts in information security, including security policies, security models, and various security mechanisms. - Explain the basic number theory required for cryptographic applications as well as various cryptographic systems. - Manually compute using Fermat's theorem, Euler's theorem, Euclid's algorithm, extended Euclid's algorithm. - Manually encrypt/decrypt and sign/verify signatures for small messages using RSA, Diffie- Hellman, and DSA algorithms. - State the requirements and mechanisms for identification and authentication. - Explain and compare the various access control policies and models as well as the assurance of these models. - State the characteristics of typical security architectures, including multi-level security systems. - State the criteria of evaluating secure information systems, including evaluation of secure operating systems and secure network systems. - List the database security issues and solutions, including models, architectures, and mechanisms for database security. 4

5 - List network and distributed systems security issues and solutions, including authentication, key distribution, firewalls, and network security protocols. - Explain the network access control mechanisms, including the basic concepts of firewalls, packet filters, application gateways, and typical firewall configurations. - Design firewall configurations and rules to protect a given network. - Outline the protocols, i.e., AH and ESP protocols, for IP Security and the two modes for both protocols. - Explain in their own words the goals of IP Security protocols (AH and ESP), the - Use combinations of IP security protocols to achieve a given security goal (e.g., source authentication, content authentication, traffic confidentiality, etc.). - Explain SSL and TLS protocols. - Apply the above protocols to protect transport-layer communication. - State program security issues, including virus, worm, and logical bombs. - State the basic concepts and general techniques in security auditing and intrusion detection. - State the issues related to administration security, physical security, and program security. - Determine appropriate mechanisms for protecting information systems ranging from operating systems, to database management systems, and to applications. D. Textbooks: Charlie Kaufman, Radia Perlman, and Mike Speciner, Network Security: Private Communication in a Public World, 2nd Edition, Prentice Hall, 2002, ISBN: (Price: USD 54.99) Handouts 1. Sandhu, R.S. Lattice-based access control models, IEEE Computer, 26(11): 9 19, Nov Sandhu, R.S.; Coyne, E.J.; Feinstein, H.L.; Youman, C.E. Role-based access control models, IEEE Computer, 29(2): 38 47, Feb Peng Ning, Sushil Jajodia, Intrusion Detection Techniques, In H. Bidgoli (Ed.), The Internet Encyclopedia. John Wiley & Sons. ISBN: Dec E. Course Organization and Scope: (Assume each lecture takes 75 minutes. The following topics need 28 lectures. These will be adjusted based on the actual progress in a semester.) T1. Basic Security Concepts (1 lectures) o Confidentiality, integrity, availability o Security policies, security mechanisms, assurance T2. Cryptography and Its Applications (7 lectures) o Basic number theory o Secret key cryptosystems o Public key cryptosystems o Hash function o Key Management T3. Identification and Authentication (2 lectures) o Basic concepts of identification and authentication o Password authentication T4. Access Control (4 lectures) o Basic concepts of access control o Discretionary access control and mandatory access control o Lattice-based Models o Covert Channels o Role based Access Control 5

6 Mid-term Review: topics 1 4 (1 lecture) T5. Network and Distributed Systems Security (8 lectures) o Issues in network and distributed systems security o Kerberos o IPSEC o SSL o Firewalls and virtual private networks o Secure o Auditing and intrusion detection T6. Miscellaneous topics (4 lectures) o Assurance and Evaluation of Secure Information Systems (1 lectures) o TCSEC, TNI, CC, etc. o Introduction to Database Security (Security requirements in databases, Access control and authorization in databases, Inference control) o Multi-level security architecture o Program Security (Virus and other malicious software) o Administrating Security (Risk Analysis, Security Planning, Organizational Security Policies) o Physical Security and Beyond (Physical security, TEMPEST, legal and ethical issues in security, environmental issues) Final review: topics 1 6 (1 lecture) F. Schedule of reading assignments: Topic T1: Chapter 1. Topic T2: Chapters 2 7. Topic T3: Chapters Topic T4: Handouts H1 H2. Topic T5: Chapters 13 19, 23; Handout H3. Topic T6: TBD. G. Projected schedule of homework due dates, quizzes and exams: There are 5 homework assignments and 2 exams. Quizzes are given in the form of pop quizzes. Pop quizzes are adopted to encourage the students to study during the non-exam weeks. The results of pop quizzes are not counted in the final grade. Homework 1: topics T1 and T2, due by week 3 Homework 2: topics T2 and T3, due by week 6 Homework 3: topic T4, due by week 9 Homework 4: topic T5, due by week 11 Homework 5: topics T5 and T6, due by week 13 Mid-term exam: week 8 Research project report: due by week 15 Final exam: decided by the university. H. Grading: Assignments 15%, project 15%, midterm 35%, final 35%. The final grades are computed according to the following rules: o A+: >= 95% o A: >= 90% and < 95% o A-: >= 85% and < 90% o B+: >= 80% and < 85% 6

7 o B: >= 75% and < 80% o B-: >= 70% and < 75% o C+: >= 66% and < 70% o C: >= 63% and < 66% o C-: >= 60% and < 63% o D+: >= 56% and < 60% o D: >= 53% and < 56% o D-: >= 50% and < 53% o F: < 50%. I. Policies on incomplete grade and late assignments: Homework and project deadlines will be enforced. Late homework will be accepted with a 10% reduction in grade for each class period they are late by. However, once a homework assignment is discussed in class or the solution is posted, submissions will no longer be accepted. All assignments must be turned in before the start of class on the due date. J. Policies on absences (excused and unexcused) and scheduling makeup work: The university policy on absences will be enforced. See the university policy at the following URL. The students are responsible for discussing makeup exams if they miss exams due to excused absence. The instructor will choose a mutually agreed date and time for the makeup exam. Late submission of homework assignments due to excused absences is not subject to the policies on late assignments. K. Academic integrity: The university, college, and department policies against academic dishonesty will be strictly enforced. You may obtain copies of the NCSU Code of Student Conduct from the Office of Student Conduct, or from the following URL. The instructor expects honesty in the completion of test and assignments. It is the understanding and expectation of instructor that the student's signature on any test or assignment means that the student neither gave nor received unauthorized aid. L. NC State policy on working with students with disabilities: Reasonable accommodations will be made for students with verifiable disabilities. In order to take advantage of available accommodations, students must register with Disability Service for Students at 1900 Student Health Center, Campus Box 7509, For more information on NC State s policy on working with students with disabilities, please see M. Laboratory Safety or Risk Assumption: Not Applicable. N. Pass-through Charges: Not applicable. O. Statement on transportation: Students have to provide their transportation for all class related trips. 7

8 Old Syllabus 1. Instructor: Dr. Peng Ning, Office: 453 EGRC, Centennial Campus Phone: (919) URL: Office hours: Tuesdays and Thursdays, 3:00 pm 4:00 pm 2. Course Objectives: Students will be able to : 1. State the basic concepts in information security, including security policies, security models, and various security mechanisms. 2. Explain the basic number theory required for cryptographic applications as well as various cryptographic systems. 3. Manually compute using Fermat's theorem, Euler's theorem, Euclid's algorithm, extended Euclid's algorithm. 4. Manually encrypt/decrypt and sign/verify signatures for small messages using RSA, Diffie- Hellman, and DSA algorithms. 5. State the requirements and mechanisms for identification and authentication. 6. Explain and compare the various access control policies and models as well as the assurance of these models. 7. State the characteristics of typical security architectures, including multi-level security systems. 8. State the criteria of evaluating secure information systems, including evaluation of secure operating systems and secure network systems. 9. List the database security issues and solutions, including models, architectures, and mechanisms for database security. 10. List network and distributed systems security issues and solutions, including authentication, key distribution, firewalls, and network security protocols. 11. State program security issues, including virus, worm, and logical bombs. 12. State the basic concepts and general techniques in security auditing and intrusion detection. 13. State the issues related to administration security, physical security, and program security. 14. Determine appropriate mechanisms for protecting information systems ranging from operating systems, to database management systems, and to applications. 3. Textbooks: Charles P. Pfleeger. Security in Computing, 2/e. Prentice-Hall, Englewood Cliffs, NJ, (List price at amazon.com: $67.00) Marshall D. Abrams, Sushil Jajodia, and Harold J. Podell, eds. Information Security: An Integrated Collection of Essays. IEEE Computer Society Press, This book can be freely accessed at Handouts (All handouts are accessible on-line) 1. Sandhu, R.S. Lattice-based access control models, IEEE Computer, 26(11): 9 19, Nov Sandhu, R.S.; Coyne, E.J.; Feinstein, H.L.; Youman, C.E. Role-based access control models, IEEE Computer, 29(2): 38 47, Feb Brewer, D.F.C.; Nash, M.J. The Chinese Wall Security Policy, In Proceedings of IEEE Symposium on Security and Privacy, pages , E. Bertino, P. Samarati, and S. Jajodia, An extended authorization model for relational databases, IEEE Trans. on Knowledge and Data Engineering, 9(1):85-101, N. R. Adam and J. C. Wortmann. Security-control methods for statistical databases: A comparative study. ACM Computing Surveys, 21(4): , December

9 6. B. Mukherjee, L.T. Heberlein, and K.N. Levitt. Network Intrusion Detection, IEEE Network, 8(3): 26-41, May RSA Data Security Inc., RSA Laboratories' Frequently Asked Questions About Today's Cryptography, Version 4.1, Accessible at 4. Course Organization and Scope: (Assume each lecture takes 75 minutes. The following topics need 30 lectures (or 15 weeks).) 1. Basic Security Concepts (1 lectures) o Confidentiality, integrity, availability o Security policies, security mechanisms, assurance 2. Cryptography and Its Applications (7 lectures) o Basic number theory o Secret key cryptosystems o Public key cryptosystems o Hash function 3. Identification and Authentication (2 lectures) o Basic concepts of identification and authentication o Password authentication 4. Access Control (5 lectures) o Basic concepts of access control o Discretionary access control and mandatory access control o Lattice-based Models o Covert Channels o Noninterference Models o Chinese Wall Security Policy o Role based Access Control Mid-term Review: topics 1-4 (1 lecture) 5. Basic Security Architecture and Multilevel Security (1 lecture) 6. Evaluation of Secure Information Systems (1 lecture) o TCSEC, TNI, CC, etc. 7. Database Security (3 lectures) o Security requirements in databases o Access control and authorization in databases. o Inference control 8. Network and Distributed Systems Security (4 lectures) o Issues in Network and Distributed Systems Security o Key Distribution Center (KDC) and Public Key Infrastructure (PKI) o Introduction to IPSEC, SSL, ISAKMP/Oakley, etc. o Introduction to Firewall, Virtual Private Network, Secure , etc. 9. Program Security (Virus and other malicious software) (1 lecture) 10. Auditing and Intrusion Detection (2 lecture) 11. Administrating Security (1 lecture) o Risk Analysis. o Security Planning. o Organizational Security Policies 12. Physical Security and Beyond (1 lecture) o Physical security, TEMPEST, legal and ethical issues in security, environmental issues, etc. 5. Schedule of Reading Assignments: If not specifically identified, the following chapters refer to those in the first textbook. We refer to the second textbook as Abrams et al. 9

10 Topic 1: Chapter 1; essay 2 in Abrams et al. Topic 2: Chapters 2, 3, and 4; chapter 15 in Abrams et al. Topic 3: Chapters 6.5, 6.6; handout 3; Chapters and in handout 7. Topic 4: Chapter 6.3; handouts 1 and 2. Topic 5: Chapter 7. Topic 6: Essays 6 and 12 in Abrams et al. Topic 7: Chapter 8, handouts 4 and 5. Topic 8: Chapter 9. Topic 9: Chapter 5. Topic 10: Handout 6. Topic 11: Chapter 10. Topic 12: Chapter Schedule of homework due dates, quizzes and exams: There are six homework assignments and two exams. Quizzes are given in the form of pop quizzes. Pop quizzes are adopted to encourage the students to study during the non-exam weeks. The results of pop quizzes are not counted in the final grade. Homework 1: topics 1 and 2, due by week 3 Homework 2: topics 2 and 3, due by week 6 Homework 3: topic 4, due by week 9 Homework 4: topics 5 and 6, due by week 11 Homework 5: topics 7 and 8, due by week 13 Homework 6: topics 9, 10, and 11, due by week 15 Mid-term exam: week 8 Research project report: due by week 15 Final exam: decided by the university. 7. Grading: Assignments 30%, project 20%, midterm 25%, final 25%. The final grades are computed according to the following rules: o A+: >= 95% o A: >= 90% and < 95% o A-: >= 85% and < 90% o B+: >=80% and < 85% o B: >= 75% and < 80% o B-: >= 70% and < 75% o C+: >=65% and < 70% o C: >=60% and < 65% o C-: >=55% and < 60% o F: < 55%. 8. Policies on late assignments: Homework and project deadlines will be hard. Late homework will be accepted with a 10% reduction in grade for each class period they are late by. However, once a homework assignment is discussed in class, submissions will no longer be accepted. All assignments must be turned in before the start of class on the due date. 9. Policies on absences (excused and unexcused) and scheduling makeup work: The university policy on absences will be enforced. See the university policy at the following URL. The students are responsible for discussing makeup exams if they miss exams due to excused absence. The instructor will choose a mutually agreed date and time for the makeup exam. 10

11 Late submission of homework assignments due to excused absences is not subject to the policies on late assignments. 10. Course prerequisites: CSC 401, CSC Academic integrity: The university, college, and department policies against academic dishonesty will be strictly enforced. You may obtain copies of the NCSU Code of Student Conduct from the Office of Student Conduct, or from the following URL NC State policy on working with students with disabilities: Reasonable accommodations will be made for students with verifiable disabilities. In order to take advantage of available accommodations, students must register with Disability Service for Students at 1900 Student Health Center, Campus Box 7509, For more information on NC State s policy on working with students with disabilities, please see Laboratory Safety or Risk Assumption: Not Applicable. 14. Pass-through Charges: Not applicable. 11