U. of CINCINNATI
DEPT. ELECTRICAL ENGINEERING & COMPUTER SYSTEMS
DECEMBER 2013
20-CS-XXXX CYBER DEFENSE OVERVIEW
Catalog Data:
20-CS-XXXX. Cyber Defense Overview. Credits 3. Hands-on treatment of
techniques for hardening computer systems and components against attacks,
principally via the internet, and for controlling damage and possibly launching
countermeasures in case of attack.
Textbooks:
Randy Weaver, Dawn Weaver, Guide to Network Defense and Countermeasures,
Cengage Learning, 3rd edition, ISBN-13: 978-1133727941, 2013.
Debra S. Herrmann, Using the Common Criteria for IT Security Evaluation, Auerbach
Publications, 1st edition, ISBN-13: 978-0849314049, 2002.
References:
Schneier, Applied Cryptography: Protocols, Algorithms, and Source Code in C, John
Wiley & Sons, New York, 2nd Edition, 1996.
Prasanta Gogoi, D.K. Bhattacharyya, B. Borah and Jugal K. Kalita, “A Survey of
Outlier Detection Methods in Network Anomaly Identification,” The Computer Journal,
54(4):570-588, 2011.
Hyunsang Choi, Bin B. Zhu, and Heejo Lee, "Detecting malicious web links and
identifying their attack types," Proceedings of the 2nd USENIX conference on Web
application development. USENIX Association, 2011.
Detecting Network Reconnaissance with the Cisco Cyber Threat Defense Solution
1.0, Cisco Systems, 2012.
Siraj A. Shaikh, Howard Chivers, Philip Nobels, John A. Clark, and Hao Chen,
"Network reconnaissance,” Network Security, 11:12-16, 2008.
Robert J. Houghton, Chris Baber, Richard McMaster, Neville A. Stanton, Paul
Salmon, Rebecca Stewart, and Guy Walker, "Command and control in emergency
services operations: a social network analysis," Ergonomics 49(12-13):1204-1225,
2006.
Diego Fernandez Vazquez, Sarah Brown, Emily Reid, Oscar P. Acosta, and
Christopher Spirito, "Conceptual framework for cyber defense information sharing
within trust relationships," Proc. 4th International Conference on Cyber Conflict.
IEEE, 2012.
Lawrence C. Miller, “Network Security in Virtualized Data Centers,” John Wiley and
Sons, 2012.
DoD dictionary of military terms
http://www.dtic.mil/doctrine/dod_dictionary/
W. S. Harrison, N. Hanebutte, P. Oman, and J. Alves-Foss, “The MILS Architecture
for a Secure Global Information Grid,” CrossTalk 18(10):20–24, 2005.
National Information Assurrance Partnership Common Criteria Evaluation and
Validation Scheme.
https://www.niap­ccevs.org/Documents_and_Guidance/cc_docs.cfm?
&CFID=18260059&CFTOKEN=30454721dc0fd4ce­17EDC205­D7AB­F40D­
A4FE067F47B1A7AA
EC-Council, Certified Network Defense Architect
http://www.eccouncil.org/Certification/certified­network­defense­
architects
U. of CINCINNATI
DEPT. ELECTRICAL ENGINEERING & COMPUTER SYSTEMS
DECEMBER 2013
Common Criteria project. http://www.commoncriteriaportal.org/cc/
Coordinator:
John Franco, Professor, Computer Science
Knowledge and
Comprehension
Goals
The student will know:
1. Network security methods, protocols, and systems to achieve confidentiality,
integrity, and authentication, and kinds of network attacks
2. Where to use firewalls and how to configure them to achieve a desired level
of security
3. Techniques for detecting intruders
4. How to detect network reconnaissance operations that may be initiated by an
intruder
5. Techniques for preventing intruders from entering a local network
6. How to detect and identify malicious code, especially via signatures
7. How to detect and identify anomalies
8. How to establish and evaluate command and control procedures and
operations to be better able to withstand and recover from an attack
9. System architectures that better support network security, including MILS
10. Challenges in securing a virtualized data center and how to address them
11. Levels of trust and how to establish trust to a desired level
12. How to design a layered defense strategy
Application
Goals:
The student will be able to:
1. Design secure authentication/handshake protocols and explain how they are
resistant to well-known attacks
2. Design secure protocols which, when added to existing infrastructure, do not
compromise security
3. Develop and use tools to detect intrusion
4. Develop and use tools to detect and identify anomalous behavior that is likely
due to malware
5. Use firewalls to secure as well as possible a virtualized data center
6. Determine that an attack is imminent under certain circumstances, for
example by detecting reconnaissance operations originating from outside the
secured perimeter
7. Be able to design procedures and operations that minimize damage and
recovery time in case of some catastrophe – such procedures may span
multiple systems
Prerequisites by The usual programming courses that a senior will have taken including 20-CS-2029,
Software Development in C++ and 15-MATH-2053, Calculus 3. The student is
Topic:
expected to be experienced in C coding, particularly kernel programming, and Object
Oriented Programming in C++ and Java. Also, the Essential Information Security
Concepts course, the Network Security course, and the Vulnerabilities course are
highly recommended.
Topics by the
week:
1. Overview of network security including public-key cryptography, secret-key
cryposystems, PKI, KDC, block ciphers, stream ciphers
2. Continuation of network security overview including protocols (e.g. OtwayReese) and systems (e.g. Kerberos) plus firewalls, their levels of protection,
and configuration of firewalls (expanded later).
3. Overview of classes of network attacks, such as Return Oriented
Programming, what these attacks rely on to succeed, for example buffer
overflows, and how to mitigate and even prevent such attacks, for example
through Address Space Layout Randomization.
U. of CINCINNATI
DEPT. ELECTRICAL ENGINEERING & COMPUTER SYSTEMS
DECEMBER 2013
Continuation of classes of attacks with emphasis on attacks at all system
levels including physical, authentication, protocols (e.g. ICMP), TCP (e.g.
rougue packet), operating system, communication, and mechanisms and
methods for protection such as VPN, auditing, logging, firewalls (expanded),
routing and access control. Social-engineering attacks. Attacks against
encrypted data. Spoofing.
5. Intrusion detection and identification. Standard tools for detecting intrusion.
Changes in information flow. Signatures. Detection and identification of
reconnaissance operations (which often preceed an attack), packet header
inconsistencies.
6. Continuation of Intrusion detection and identification. Examples from industry
(for example, defense contractors in the Cincinnati area).
7. Special consideration of mobile devices. Antennas, access points and
gateways, remote wireless bridges. Man-in-the-middle attacks. Best
practices, auditing, and other techniques to mitigate risk.
8. Malicious attack and anomaly detection and identification. Examples from
industry (e.g. defense contractors in the Cincinnati area).
9. Trust levels and security policies. Needs assessment. Risk analysis.
Security policies from risk assessment, identification of criminal computer
actions, enforcement of policies.
10. System security architectures. Layered defenses. Adding a non-critical
component to a system with a critical component. Multiple Independent
Levels of Security. Defense-in-depth.
11. Security of applications that interface with the world wide web. Understanding
the structure of the web. Social-engineering attacks, attacks against servers,
attacks against users. SQL injection attacks. Countermeasures: hardening a
DNS server, configuring a web server.
12. Securing virtualized servers, (distributed) data centers, and the cloud.
Security challenges that arise due to the features that virtualization provide
such as self-service resource activation, segmentation of different virtual
machines with different trust levels, and the ability to associate security
policies upon VM instantiation. Attack life cycle. Security solutions.
Evaluation of security.
13. Recovery in case of disaster. Command-and-control operations and
procedures.
14. One week is reserved for a mid-course examination
4.
Sample Labs:
1. Given an actual piece of malicious code, determine the behavior of the code
and the conditions under which it performs some malicious action and identify
the action.
2. Monitor a linux or windows operating system for intrusions using off-the-shelf
tools. Record times at which intrusions took place. This is a class contest:
the student getting the least total difference in reported and actual times wins
a prize.
3. Attempt to harden an android phone against being rooted.
4. Given binary code that is vulnerable to ROP and source code for an ROP
attack, devise a countermeasure that will at least make it more difficult for the
attack to succeed.
5. Three people design and develop a system, compliant with a given
specification, that supports trades among several people, with authentication,
integrity, and confidentiality features. A global monitor maintains a data base
of transaction records and profits from the trades and established ownership
of properties and wealth of all participants. Three other people design
attacks on the first system that are intended to result in the transfer of
U. of CINCINNATI
DEPT. ELECTRICAL ENGINEERING & COMPUTER SYSTEMS
DECEMBER 2013
ownership of the properties and wealth recorded by the monitor for the first
system. Source code of the monitor is available to the attackers and the
attacked. Players of the first system must trade to make money. But trading
makes them vulnerable. They must devise a layered defense based on
security policy definitions. If an attack is successful because a policy
assumption was wrong or omitted, the attacking team wins a prize.
Otherwise, the total wealth owned by the attackers and the attacked
determines who wins the prize. The attackers start with zero wealth – they
can only steal wealth. The attacked also start with zero wealth but they can
accrue wealth through transactions with the monitor.
Prepared by:
John Franco., Ph.D.
Date: December 2013