14-810: Network Security Engineering: Analysis
& Automation (Special Topics) - Spring, 2021
|
Instructor: |
Professor Ehab Al-Shaer |
|
Email: |
FirstName@cmu.edu |
|
Other contact: |
skype:ealsaher |
|
Office: |
Pittsburgh, INI Building, Office# 125 |
|
Time/Location |
TH 7:00-8:50 & F 3:20-4:10 /
CIC 1201 |
|
Office hours: |
F 4:15-5:15 Skype, or by appointment (send an email,
subject 14-810) |
|
Phone: |
(412) 268-7899 (Office) (803) 792-1067 (Google Voice) |
|
TA: |
TBD |
Course Description
In this course, students will learn the theory
and practice of network defense including designing and optimizing network
security architecture, network security configuration verification and
automation (such as Firewalls, IPSec gateways, IDS,
and NAT), the adversary modeling and analysis using attack tactics, techniques and
procedures (TTP), automated cyber threat hunting and mitigation, quantitative cyber
risk assessment and mitigation, anomaly detection and adaptive intrusion
response.
The goal of the course is to enable students to learn
the formal reasoning and data-driven analysis techniques and tools for developing
for addressing key network security engineering challenges including automated
network security hardening, detecting security misconfigurations, risk
quantification and security measurement, automated response using courses of
actions playbooks, models for adaptive and active cyber defense. In addition,
students will learn the about advanced solutions for emergent network defense such
as cyber deception and cyber deterrence.
Number of Units: 12
Prerequisites
The
course assumes a basic computer networking knowledge, C and UNIX programming,
as well as an elementary logic and probability theory background, but does not
assume any prior exposure to topics in computer or communications security.
Students lacking technical background (e.g., students without any prior
exposure to programming) are expected to catch up through self-study.
Course Philosophy & Objectives
Cybersecurity is one of the most dynamic and rapidly growing fields.
Mastering network security engineering requires learning not only the concepts
but also the science of security foundation, and the analytical and development
skills for creating effective and practical solutions. This course will cover
the concepts of analyzing and automating network security engineering including
design, configuration, and implementation for securing cyber infrastructure. In
successfully completing this course, you will have the opportunity to:
·
Learn how to design the architecture and
configure network access control devices (firewall, IPSec,
IDS, and application-level proxies) consistently and correctly according to
mission properties and/or security policies.
·
Learn how to apply science of security
concept to measure potential risk, implied risks and residual risk and create
plans for automated risk mitigation against evolving threats.
·
Learn how to develop automated orchestration
engine for intrusion response systems (IRS) based on the course of action and
playbook technology.
·
Learn attack modeling based on the Kill Chain concept and ATT&CK
framework.
·
Learn how to develop middle-boxes for filtering, inspecting and
tunneling using socket programming.
·
Learn about emerging advanced cyber defense techniques such as adaptive
cyber deception and moving target defense.
Class
Schedule
@Pittsburgh campus: CIC 1201 in T 7:00 pm -8:50 pm EDT & F
3:20-4:20 EDT.
Textbook
Information
No Text Book is required. Students are expected to read assigned
papers and take good class notes.
Topics
Ø W#1: Cyber Attacks: Taxonomy
and Analytics
o
Overview of Cyber/Cyber-physical Infrastructures and Network Programming
o
Overview of Network Attacks
o
Attack Tactics, Techniques and
Procedures (TTP)
o
Attack Modeling and Simulation
o
Overview of Cyber Defense
framework: (NIST) Identification, Prevention, Detection, Response &
Recovery, cyber dereference, cyber deception
Ø W#2-4: Network Security
Configurations: Design, modeling, verification and synthesis
o
Foundation: Theory and Applications of Formal Methods and Constraint
Satisfaction Problem Solver in Security Configuration Analytics.
o
Firewall Configuration Analytics
o
IPSec
Configuration Analytics
o
End-to-End Network Access Control Analytics: routers/switches, access
points, NAT, network proxies, etc
o
0-Trust Architecture
Ø W#5: Network Intrusion
Analytics and Metrics
o
Foundation: Information Theory and Entropy Measurements
o
Information theory and applications
o
Signature and Anomaly-based Detection
Ø Week#6: Cyber Risk Analytics:
Measurement & Quantification
o
Foundation: Theory and Practice of Science of Security
o
Overview of Risk Management standards and Best Practices
o
Cyber Risk Theory: Qualitative and Quantitative Risk
Assessment
o
Measuring Threat Exposure, Severity, and Impact
Ø Week#7: Cyber Risk Analytics: Formal
Modeling
o
Foundation: Bayesian Analysis and
First Order Logic & Reasoning
o
Implied Cyber Risk
o
Cyber Risk Propagation
o
Measuring Attack Surface
Ø Week#8: Cyber Risk Analytics:
Mitigation & Optimization
o
Risk Mitigation Planning and Optimization
o
Data-driven Predictive Risk Analytics
o
Measuring Network Security Resistance and Residual Risk
Ø Week#9: Attack Graph &
Security Hardening
o
Vulnerability Theory: CVE, CWE
and CAPEC
o
Network Attack Graphs: Construction
o
Network Attack Graphs: Mitigation & Optimization
o
Automated Synthesis of Network Access Control Configuration
Ø W#10: Intrusion Response-
Basic mitigation theory
o
Classification of Mitigation Actions
o
Defense Optimization
Ø W#11-12: Security Orchestration
and Automation Response-- Advanced mitigation theory
o
Foundation: Developing POMDP & Reinforcement agents.
o
OODA & BRITE Loop for Sense-making and Decision-making in Cyber
Defense.
o
Cyber Threat Investigation and Coursed of Actions Standardization and
Formulation.
o
Playbooks Models and Policies.
o
Security Orchestration.
o
Cyber Defense Optimization and Adaptation (Case Study: DDoS and Botnet Mitigation)
Ø W#13-14: Advanced Topics
o
Cyber Deterrence and Moving Target Defense
o
Cyber Deception.
o
Cyber Resilience
Course Deliverables
Students will be assigned several
analytical and programming assignments and they will participate in a course group
project in addition to quizzes, and a final exam. All submissions are to be
made through Canvas. Email submissions will NOT be accepted.
Assignment & Project Topics
(Programming and analytical assignments; each
assignment will have 2 weeks)
1. Attack tactics and techniques simulation using MITRE ATT&CK
2. (a) Firewall verification, (b) Developing proxy firewall with IPSec tunneling capabilities.
3. Risk measurement based on Nessus
data and automated configuration hardening.
4. Developing anomaly-based
classifiers for network traffic analysis.
5. Developing a
basic Security Orchestration and Automation Response (SOAR) System.
Evaluation and Grading
Grades will be determined
based on multiple deliverables including (1) 20-min quizzes (every Sunday), (2)
programming and analytical assignments, (3) the course (group or individual)
project, and the final exam (covers selected topics in the course that quizzes
will not cover). Assignments (4-5) 50% Course Project Demo and
Presentation 20% Quizzes (5-6) 15% Final Exam 15% Course Policies Language This course
is entirely taught in English, and all materials submitted by the students,
including homework, exams, assignments, and quizzes, must be submitted in
English. In-class oral participation must also be in English. Homework,
quizzes, or exams submitted in a language other than English will not be
graded. Please do not worry about making grammatical or vocabulary mistakes. We
will never penalize you for using improper grammar or vocabulary, as long as
your statements remain clear and unambiguous. Lectures Class
attendance is required. In-class participation is encouraged and expected. In
other words, please do ask questions and make constructive comments during
lectures. Additionally, you are only eligible to take quizzes if you attend
class. Auditors & Non-degree Students Auditors are
expected to attend lectures, but cannot submit homework, hand in tests, or take
exams. Auditors only get a record of audit at the end of the semester. On the
other hand, non-degree students are subject to the same rules and expectations
as degree students. Cell Phone
and Wi-Fi Please
remember to turn off or silence your phones (and other alarms) before each
class meeting. We will subtract i points from your
total grade the i-th time your phone/alarm/pager rings in class during the
semester. No exceptions. As a matter of courtesy to the instructor and other
students, please refrain from reading the news, participating in social
networks, or checking your email using your wi-fi
connection during lectures. It is most likely the case that you do not need a
laptop when you come to class. Late
Homework Submission Policy For full
credit, homework must be turned in by 5:00 PM EST on the due date. You have two
“grace days” that you can use at any time during the semester for late homework.
That is, you can turn in a total of two homework assignments a day late (“a day
late” is defined as any delay between 0 and 24 hours after the deadline,) one
homework two days late, etc. You must notify the instructor and T.A.s prior to
using (a) grace day(s). Assignments turned in late without “grace credit” will
be penalized by 10% per day. Homework late by more than three days will not be
graded. Exceptions require either prior arrangement or doctor-validated medical
excuse. Collaboration
Policy Students are
encouraged to talk to each other, to the T.A.(s), to
the instructor, or to anyone else about any of the homework assignments. Any
assistance, though, must be limited to discussion of the problem and sketching
general approaches to a solution. Each student must write out his or her own
solutions to the homework. Consulting another student’s solution is prohibited,
and submitted solutions may not be copied from any source. These and any other
form of collaboration on assignments constitute cheating. Any form of
collaboration is strictly prohibited on the exams and is considered cheating.
If you have any questions about whether some activity would constitute
cheating, please feel free to ask. Cheating on an assignment/exam will
result in failure of the course, and the university administration (department,
college) will be notified per the appropriate procedures. Simply stated, feel
free to discuss problems with each other, but do not cheat. It is not worth it,
and you will get caught. Copyright
Policy All teaching
materials in this class, including course slides, homework, assignments,
practice exams and quizzes, are copyrighted; reproduction, redistribution and
other rights solely belong to the instructors. In particular, it is not
permissible to upload any or part of these materials to public or private
websites without the instructor’s explicit consent. Violating this copyright
policy will be considered as an academic integrity violation, with the
consequences discussed above. Reading materials are also copyrighted by their
respective publishers and cannot be reposted or distributed without prior
authorization from the publisher. ECE Academic
Integrity Policy (http://www.ece.cmu.edu/programs-admissions/masters/academic-integrity.html): The
Department of Electrical and Computer Engineering adheres to the academic
integrity policies set forth by Carnegie Mellon University and by the College
of Engineering. ECE students should review fully and carefully Carnegie Mellon
University's policies regarding Cheating and Plagiarism; Undergraduate Academic
Discipline; and Graduate Academic Discipline. ECE graduate student should
further review the Penalties for Graduate Student Academic Integrity Violations
in CIT outlined in the CIT Policy on Graduate Student Academic Integrity
Violations. In addition to the above university and college-level policies, it
is ECE's policy that an ECE graduate student may not drop a course in which a
disciplinary action is assessed or pending without the course instructor's
explicit approval. Further, an ECE course instructor may set his/her own
course-specific academic integrity policies that do not conflict with
university and college-level policies; course-specific policies should be made
available to the students in writing in the first week of class. This policy
applies, in all respects, to this course. CMU Academic
Integrity Policy (http://www.cmu.edu/academic-integrity/index.htmlLinks to an external site.): In the midst
of self-exploration, the high demands of a challenging academic environment can
create situations where some students have difficulty exercising good judgment. Academic
challenges can provide many opportunities for high standards to evolve if
students actively reflect on these challenges and if the community supports
discussions to aid in this process. It is the responsibility of the entire
community to establish and maintain the integrity of our university. This site is
offered as a comprehensive and accessible resource compiling and organizing the
multitude of information pertaining to academic integrity that is available
from across the university. These pages include practical information
concerning policies, protocols, and best practices as well as articulations of
the institutional values from which the policies and protocols grew. The
Carnegie Mellon Code, while not formally an honor code, serves as the
foundation of these values and frames the expectations of our community with
regard to personal integrity. THE CARNEGIE
MELLON CODE Students at
Carnegie Mellon, because they are members of an academic community dedicated to
the achievement of excellence, are expected to meet the highest standards of
personal, ethical and moral conduct possible. These
standards require personal integrity, a commitment to honesty without
compromise, as well as truth without equivocation and a willingness to place
the good of the community above the good of the self. Obligations once
undertaken must be met, commitments kept. As members
of the Carnegie Mellon community, individuals are expected to uphold the
standards of the community in addition to holding others accountable for said
standards. It is rare that the life of a student in an academic community can
be so private that it will not affect the community as a whole or that the
above standards do not apply. The
discovery, advancement and communication of knowledge are not possible without
a commitment to these standards. Creativity cannot exist without acknowledgment
of the creativity of others. New knowledge cannot be developed without credit
for prior knowledge. Without the ability to trust that these principles will be
observed, an academic community cannot exist. The
commitment of its faculty, staff and students to these standards contributes to
the high respect in which the Carnegie Mellon degree is held. Students must not
destroy that respect by their failure to meet these standards. Students who
cannot meet them should voluntarily withdraw from the university. This policy applies, in all respects, to this
course. Carnegie Mellon University's Policy on Cheating (http://www.cmu.edu/academic-integrity/cheating/index.htmlLinks to an external site.) states the following: According to
the University Policy on Academic Integrity, cheating "occurs when a
student avails her/himself of an unfair or disallowed advantage which includes
but is not limited to: ·
Theft of or unauthorized access to an exam, answer key or other graded
work from previous course offerings. ·
Use of an alternate, stand-in or proxy during an examination. ·
Copying from the examination or work of another person or source. ·
Submission or use of falsified data. ·
Using false statements to obtain additional time or other
accommodation. ·
Falsification of academic credentials.” This policy
applies, in all respects, to this course. Carnegie Mellon University's Policy on
Plagiarism (http://www.cmu.edu/academic-integrity/plagiarism/index.htmlLinks to an external site.) states the following: According to
the University Policy on Academic Integrity, plagiarism "is defined as the
use of work or concepts contributed by other individuals without proper
attribution or citation. Unique ideas or materials taken from another source
for either written or oral use must be fully acknowledged in academic work to
be graded. Examples of sources expected to be referenced include but are not
limited to: ·
Text, either written or spoken, quoted directly or paraphrased. ·
Graphic elements. ·
Passages of music, existing either as sound or as notation. ·
Mathematical proofs. ·
Scientific data. ·
Concepts or material derived from the work, published or unpublished,
of another person." This policy
applies, in all respects, to this course. Carnegie Mellon University's Policy on
Unauthorized Assistance (http://www.cmu.edu/academic-integrity/collaboration/index.htmlLinks to an external site.) states the following: According to
the University Policy on Academic Integrity, unauthorized assistance
"refers to the use of sources of support that have not been specifically
authorized in this policy statement or by the course instructor(s) in the
completion of academic work to be graded. Such sources of support may include
but are not limited to advice or help provided by another individual, published
or unpublished written sources, and electronic sources. Examples of
unauthorized assistance include but are not limited to: ·
Collaboration on any assignment beyond the standards authorized by this
policy statement and the course instructor(s). ·
Submission of work completed or edited in whole or in part by another
person. ·
Supplying or communicating unauthorized information or materials,
including graded work and answer keys from previous course offerings, in any
way to another student. ·
Use of unauthorized information or materials, including graded work and
answer keys from previous course offerings. ·
Use of unauthorized devices. ·
Submission for credit of previously completed graded work in a second
course without first obtaining permission from the instructor(s) of the second
course. In the case of concurrent courses, permission to submit the same work
for credit in two courses must be obtained from the instructors of both
courses." This policy
applies, in all respects, to this course. Carnegie Mellon University's Policy on
Research Misconduct (http://www.cmu.edu/academic-integrity/research/index.htmlLinks to an external site.) states the
following: According to the University Policy For
Handling Alleged Misconduct In Research, “Carnegie Mellon University is
responsible for the integrity of research conducted at the university. As a
community of scholars, in which truth and integrity are fundamental, the
university must establish procedures for the investigation of allegations of
misconduct of research with due care to protect the rights of those accused,
those making the allegations, and the university. Furthermore, federal
regulations require the university to have explicit procedures for addressing
incidents in which there are allegations of misconduct in research.” The
policy goes on to note that “misconduct means: ·
fabrication, falsification, plagiarism, or
other serious deviation from accepted practices in proposing, carrying out, or
reporting results from research; ·
material failure to comply with Federal
requirements for the protection of researchers, human subjects, or the public
or for ensuring the welfare of laboratory animals; or ·
failure to meet other material legal
requirements governing research.” “To be deemed misconduct for the
purposes of this policy, a ‘material failure to comply with Federal
requirements’ or a ‘failure to meet other material legal requirements’ must be
intentional or grossly negligent.” To become familiar with the expectations around the responsible
conduct of research, please review the guidelines for Research Ethics published
by the Office of Research Integrity and Compliance. Other Useful Information Every
individual must be treated with respect. The ways we are diverse are many
and are critical to excellence and an inclusive community. They include but are
not limited to race, color, national origin, sex, disability, age, sexual
orientation, gender identity, religion, creed, ancestry, belief, veteran
status, or genetic information. We at CMU will work to promote diversity,
equity, and inclusion because it is just and necessary for innovation.
Therefore, while we are imperfect, we will work inside and outside of our
classrooms, to increase our commitment to build and sustain a community that
embraces these values. It is the
responsibility of each of us to create a safer and more inclusive environment.
Bias incidents, whether intentional or unintentional in their occurrence,
contribute to creating an unwelcoming environment for individuals and groups at
the university. If you experience or observe unfair or hostile treatment on the
basis of identity, we encourage you to speak out for justice and support at the
moment and/or share your experience anonymously using the following resources: Center for Student Diversity and Inclusion: csdi@andrew.cmu.edu, (412) 268-2150, www.cmu.edu/student-diversityLinks to an external site. Report-It online anonymous reporting
platform: www.reportit.net (Links to an
external site.) username: tartans password: plaid All reports
will be acknowledged, documented and a determination will be made regarding a
course of action.” All experiences shared will be used to transform the campus
climate. Active
Shooter Advice: To prepare for the unlikely event of a campus shooting, please
refer to https://www.cmu.edu/police/Resources/Active%20Shooter.html Earthquake
Preparation: During an earthquake, “drop, cover, and hold on.” Please see
details: https://www.earthquakecountry.org/step5/ Accommodations
for Students with Disabilities: If you have a disability and have an
accommodations letter from the Disability Resources office, I encourage you to
discuss your accommodations and needs with me as early in the semester as
possible. I will work with you to ensure that accommodations are provided as
appropriate. If you suspect that you may have a disability and would benefit
from accommodations but are not yet registered with the Office of Disability
Resources, I encourage you to contact them at access@andrew.cmu.edu. Take Care of Yourself: Please do your best to
maintain a healthy lifestyle this semester by eating well, exercising, avoiding
drugs and alcohol, getting enough sleep and taking some time to relax. This
will help you achieve your goals and cope with stress. Consider
reaching out to a friend, faculty, or family member you trust for help getting
connected to the support that can help. Please let me know if I can be of
assistance to you in this way. It is not my intention to know the details of
what might be bothering you, but simply to let you know I am concerned and that
help, if needed, is available.
All of us benefit from support during times of struggle. You are not alone.
There are many helpful resources available on campus and an important part of
the college experience is learning how to ask for help. Asking for support
sooner rather than later is often helpful.
If you or anyone you know experiences any academic stress, difficult life
events, or feelings like anxiety or depression, I
strongly encourage you to seek support. Counseling and Psychological Services (CaPS) is here to help: call 412-268-2922 or visit their
website at http://www.cmu.edu/counseling/Links to an external site..