17-331/631: Information Security, Privacy & Policy - Spring, 2021
Instructor: Professor Ehab Al-Shaer
Email: Ehab@cmu.edu
Other contact: skype:ealsaher
Office: Pittsburgh, TCS Building, Office# 423
Department: Institute of Software Research (ISR), School of Computer Science / CIC 1201
Office hours: See below. Zoom (see below) or Skype by appointment (send an email with subject 17-331 or 17-631)
Phone: (412) 268-XXXX (Office)
TA:
Email: <andrewID>@andrew.cmu.edu
Objective
The objective of this
course is to introduce students to the concepts, technologies, practices and
challenges associated with Information Security and Privacy, and related policy
issues. The course takes a broad view of Information Security and Privacy,
which includes looking at relevant business, organizational, human, legal and policy issues. In the process, students
will learn what it takes to design, develop, deploy and maintain information
systems, services and software products that are secure and comply with
expectations of privacy. They will develop an appreciation for the
multifaceted challenges associated with this space and the complex trade-offs
that are often entailed in addressing these challenges in practice. The course
mixes technical discussions with a wealth of examples spanning enterprise and
government systems, social networking, mobile computing, the Internet of Things
(IoT), cloud computing and much more. Course material
combines formal lectures with the discussion of recent/hot topics and how they
relate to material covered in the lectures.
Format
Lectures, discussions, and project presentations.
Important Note About Lectures over Zoom
Zoom links for lectures can be found under the Zoom tab.
Due to personal
circumstances (approved by the University), one of the instructors, Prof.
Norman Sadeh, will be delivering most of his lectures remotely. Please make
sure to consult the syllabus weekly to check whether his lectures the following
week will be delivered in the classroom or over Zoom. All lectures,
whether delivered in-person or not, will also be delivered over Zoom and will
be recorded.
Team Projects
An important part of taking
this course involves working on a team project (teams of 4 students). Projects
typically involve the development of an innovative application or service along
with the study of relevant security, privacy, business and usability issues.
Emphasis is typically on making good design decisions rather than on hacking,
though we are open to a wide range of team projects. For instance, team projects
can also be used to study specific technologies, extend prior research, study
policy questions, study and compare the usability of different solutions, etc.
Meeting Time and Venue
Tuesday and Thursday, 10:10 am to 11:30 am ET
Location: 151 Posner Hall
Instructors
1. Prof. Ehab Al-Shaer
Office Hours: Tuesday and Thursday, 11:45 am to 1:00 pm ET
Note: Students should reserve 15-minute time slots using the Google Sheets link below:
https://docs.google.com/spreadsheets/d/10lHFc8gcOsZYOStC7xN6nZ9jAQV1w6aUnjgnTlKbWAY/edit?usp=sharing
Zoom Link for Prof. Al-Shaer's office hours: Please make sure to join at the allotted time and not earlier.
https://cmu.zoom.us/j/91649980283?pwd=dVZUR1lQdFRHZjBWNHBCeWFaZ0JVdz09
Meeting ID: 916 4998 0283
Passcode: 313438
2. Prof. Norman Sadeh (https://normsadeh.org)
Office Hours: Tuesday and Thursday, 3:00 pm to 4:00 pm ET
(No office hours on 11/24 and 11/26 - Thanksgiving week)
Note: Students should reserve 15-minute time slots using the Google Sheets link below:
https://docs.google.com/spreadsheets/d/18xKSINgdcN_808PuZOJwiOj2E9KEKWSEr8YdHbicdgo/edit?usp=sharing
Zoom Link for Prof. Sadeh's office hours: Please make sure to join at the allotted time and not earlier.
https://cmu.zoom.us/j/98216341965?pwd=elhqbm1SbjBNOWNwTGt3N3oyekZSZz09
Meeting ID: 982 1634 1965
Passcode: 829023
Teaching Assistant
Rex Chen - rexc@andrew.cmu.edu
Office Hours: Monday and Friday, 4:00 pm to 5:00 pm ET
Note: Please email before office hours begin, and he will send you a Zoom link.
Communication
General rule: Please email the TA first. You will get a faster
response. If for some reason the TA doesn't know the answer, he will contact
the instructor(s).
Grading
· Quizzes: 7%
· Midterm exam: 20%
· Final exam: 20%
· Class participation, including class discussions: 3%
· Course projects:
  o Mid-semester project presentation: 10%
  o Final project presentation: 10%
  o Final project report: 30%
Late submission policy for the final project report: you lose 10% of your course
project grade per late day. All assignments should be submitted using the dropbox on Canvas.
Textbooks & Reading Material
There is no required textbook for this course.
The following two textbooks contain useful reference materials but are not required:
· Simson Garfinkel, Web Security, Privacy and Commerce, 2nd edition, O'Reilly Media Inc., 2002.
· Anderson, Ross, Security Engineering: A Guide to Building Dependable Distributed Systems, 2nd edition, Wiley, 2008. Freely available at http://www.cl.cam.ac.uk/~rja14/book.html
Course Content
Please refer to Modules.
Important Word of Advice from the Faculty
This course is expected to
take about 12 hours of your time per week, though time and workload will likely
vary from one week to the next. Make sure to take care of yourself and
make sure to plan ahead to avoid a last minute dash at the end of the semester
or right before a due date. Do your best to maintain a healthy
lifestyle this semester by eating well, exercising, avoiding drugs and alcohol,
getting enough sleep and taking some time to relax. This will help you achieve
your goals and cope with stress.
This semester is unlike any
other. We are all under a lot of stress and uncertainty at this time. Attending
Zoom classes all day can take its toll on our mental health. Again, make sure
to move regularly, eat well, and reach out to your support system, either or
both instructors, Prof. Al-Shaer and Prof. Sadeh, or the TA, Rex Chen, if you
need to. We can all benefit from support in times of stress, and this semester
is no exception.
Specifically, if you find
yourself struggling with the material or workload, please ask for help. All of
us benefit from support during times of struggle. You are not alone. There are
many helpful resources available at CMU and an important part of the college
experience is learning how to ask for help. Asking for support sooner rather
than later is often helpful.
If you or anyone you know experiences any academic stress, difficult
life events, or feelings like anxiety or depression, we strongly encourage you
to seek support. Counseling and Psychological Services (CaPS)
is here to help: call 412-268-2922 and visit their website at http://www.cmu.edu/counseling/.
Consider reaching out to a friend, faculty or family
member you trust for help getting connected to the support that can help.
Important Note About Academic Integrity, Including Cheating and Plagiarism
Students taking this class
should expect CMU's policy on academic integrity and plagiarism to be strictly
enforced. Make sure to familiarize yourself with CMU's policy at:
https://www.cmu.edu/student-affairs/ocsi/academic-integrity/index.html
In case of doubt, please
talk to the instructors or the TAs before doing anything that might potentially
get you in trouble.
Important Note About Diversity and Respect
It is our intent that
students from all diverse backgrounds and perspectives be well served by this
course, that students' learning needs be addressed both in and out of class,
and that the diversity that students bring to this class be viewed as a resource,
strength and benefit. It is our intent to present materials and activities that
are respectful of diversity, including but not limited to gender, sexuality,
disability, age, socioeconomic status, ethnicity, race, religion, creed,
belief, culture, veteran status or national origin. Your suggestions are
encouraged and appreciated. Please let us know ways to improve the
effectiveness of the course for you personally or for other students or student
groups. In addition, if any of our class activities conflict with your
religious events, please let us know so that we can make arrangements for you.
A Note About the Use of Zoom in this Course
In our class, we will be using Zoom for synchronous (same time)
sessions. The link is available on Canvas. If you are joining the class
using Zoom (e.g. because it's a Zoom class, or because you are in
quarantine), please make sure that your Internet connection and equipment
are set up to use Zoom and able to share audio and video during class meetings.
(See https://www.cmu.edu/computing/services/comm-collab/web-conferencing/zoom/
for additional details.) Let the TA, Rex Chen,
know if there is a gap in your technology set-up as soon as possible, and we
can see about finding solutions.
Sharing video: In this course, being able to see one another helps
to facilitate a better learning environment and promote more engaging
discussions. Therefore, our default will be to expect students to have their
cameras on during lectures and discussions. However, we also completely
understand there may be reasons students would not want to have their cameras
on. If you have any concerns about sharing your video, please email the
instructors as soon as possible and we can discuss possible adjustments.
A Few Additional Notes about Zoom
· You may use a background image in your video if you wish; just
check in advance that this works with your device(s) and internet
bandwidth.
· During our class meetings, please keep your mic muted unless you
are sharing with the class or your breakout group.
· If you have a question or want to answer a question, please use
the chat or the raise hand feature (available when the participant list is
pulled up). Our TA, Rex Chen, will be monitoring these channels in order to
call on students to contribute.
Recording of Class Sessions
Class sessions will be
recorded to share with students who cannot attend class synchronously. Please
note that you are NOT allowed to share the recordings with anyone not
enrolled in the class, as this footage is protected under FERPA. Also please
let us, the instructors, know ASAP if you have concerns about class sessions
being recorded so we can make alternative arrangements to accommodate you. The
Zoom recordings will be made available on Canvas to students enrolled in the
class.
Sharing Your Project Work with Future Students
Over the years we have
found that it helps students in the class if they are given a chance to look at
the projects on which their predecessors worked in prior years. We will post on
Canvas sample project reports from teams from previous years. In
return, we request that you agree to let us share your final project report
with students who take this course in the future. We will ask you to sign and
upload a short statement to that effect. Thank you for your
cooperation.
List of Suggested Project Topics and Research Directions
The following are suggested
topics/areas. This list is provided to stimulate your thinking. Please make
sure to also look at examples of projects from
earlier years (see under "file" for reports from previous
years). And above all, feel free to come up with your own project idea.
Make sure to take advantage of office hours and to start discussing
project ideas with the instructors as soon as possible. One thing we don't want
is a team re-doing a project that was already done in an earlier year. In
general, we expect you to do something that has not been done before (e.g.
evaluating or comparing some techniques, studying some issues, extending some
techniques). We generally like projects that are multi-disciplinary in nature
such as projects combining technical, human and policy issues and projects that
give you a chance to be creative and/or show critical thinking... And we
believe in being very flexible when it comes to accommodating your interests.
Cybersecurity topics [Initial list - Additional suggestions may be added over the next few days]
  o Deception and Moving target projects: creating honey cyber objects that confuse
    adversaries (APT or malware) and provide early detection of security and
    privacy attacks.
    § Honey cookies: what could be good vs bad cookies and how to create and
      track honey cookies
    § HoneyLogs: bogus log entries with a consistent and believable story
    § HoneyBug: insert bug dynamically to allude to adversaries' goals and motivation [HoneyBug].
    § Randomized Web beacons or browser configuration: anonymizing browsers
      activity tracking or identification [CONCEAL]
  o Dynamic Intrusion response based on MITRE ATT&CK: Given incomplete
    observations of potential attack activities, how to reason about the optimal
    response to block or deceive attackers [CNS 2021]
  o Discovering new TTPs from published papers and reports: Using mining of unstructured
    text and deep learning, how to extract new TTPs including attack vector: what,
    where, how, and why adversary actions take place for security or privacy
    violations.
  o Effective penetration testing of web services: Using reinforcement
    learning (proactive discovery of vulnerabilities and misconfiguration for
    privacy and security policies).
· Phishing/NLP:
  o Email content analysis for detecting spear-phishing email: Developing
    a language model for individuals and identifying the ASK-Phrase for soliciting
    sensitive information (what are labels for sensitive information?)
· Privacy Topics
  o Using NLP to automatically extract specific privacy disclosures in the text of privacy
    policies and using these disclosures to find possible privacy compliance issues
    (e.g. in mobile apps).
  o Evaluating the usefulness of iOS mobile app privacy nutrition labels.
  o Evaluating whether mobile app developers are capable of accurately disclosing their data
    practices using mobile app nutrition labels
  o Evaluating the understandability of privacy policy disclosures
  o Developing and evaluating privacy notification interfaces for the Internet of Things (e.g.
    building on CMU's IoT Privacy Infrastructure at https://iotprivacy.io)
  o Privacy-preserving in threat information sharing using STIX: Organizations use
    STIX (the de facto standard for CTI information sharing) to
    share security incidents; however, there is a high demand to sanitize/anonymize
    STIX reports to ensure the privacy of contributing sources (semi-perfect
    anonymization)
  o Measuring privacy (paper: Technical Privacy Metrics: A Systematic Survey and
    Empirical Measurement of Perceived Privacy Risk)
  o Privacy penetration testing using reinforcement learning: AI
    agents can continuously solicit and combine information based on user
    activities to discover privacy breaches.
  o Privacy modeling and verification (focus on information
    leakage): privacy violation is not discovered based on information leakage but
    information transformation. Information can be integrated to infer high-order
    knowledge about the victim. The Privacy Verifier (PV) ensures that public
    sensors are not subject to this attack. Specifically, information composition
    in case of accessing multiple logs or opting-in multiple proactive does not cause leaking sensitive information [log2vec].
  o Automated Privacy Policy Analysis and Recommendation
    § Text2Policy for privacy policy synthesis: from unstructured
      policy guidelines (from text -> NLP -> logic) [From Prescription to
      Description: Mapping the GDPR to a Privacy Policy Corpus Annotation Scheme].
    § Text2Policy for analyzing the risk of opting-in a privacy policy [Semantic Incompleteness
      in Privacy Policy Goals]