[Note: The most recent updates (if any) are  highlighted]

 

Syllabus for

CS 5950 – Computer Security and Information Assurance (CSIA)

Fall 2008

Department of Computer Science, Western Michigan University

 

Instructor:      Dr. Leszek (LEH-shek) Lilien

CEAS B-249, phone: (269) 276-3116 (email preferred)

Email: llilien@cs.wmich.edu Only messages conforming to the following email requirements will be read by me.

Email requirements for CS 5950-F08

 

Messages must be from an address ending with “wmich.edu” (e.g., from “wmich.edu” or “cs.wmich.edu”).

Each message must have a descriptive subject, preceded by one of prefixes indicated next:

 

(b.1) If your message is related to your project (required for graduate students taking this course), use the following Subject line format:

CS5950-CSIA-F08--PT<id>: <subject>

where PT = Project Team, and id is the id of your Project Team.

Examples:

for id = 4:              CS5950-CSIA-F08--PT4: selected papers

for id = 8A:           CS5950-CSIA-F08--PT8A: selected papers

 

IMPORTANT: Any member of a PT sending a message to me _must_ Cc it to all members of this PT, so: (a) all PT members are informed, and (b) I can easily reply to all.

 

 (b.2) For your messages related to other CS5950-CSIA topics, use the following Subject line format:

CS5950-CSIA-F08--<your last name>: <subject>

Example:  CS5950-CSIA-F08--Smith: final exam date

 

NOTE: Don't use "<" and ">" — they are only elements of format specifications

 

Attached files must be scanned with up-to-date anti-viral software, and the message including them must contain the following statement:

 I have scanned the enclosed file(s) with <name of software,   its version>, which was last updated on <date>.

where <date> should be the current date. (You should have the habit of updating your anti-viral software daily!)

 

Classes:                T and R 1:00 pm – 2:15 pm, CEAS C-122

Office Hours:     T 2:45 pm – 3:45 pm, R 5:00 pm – 6:00 pm

 

Lecture Web Pages:

Syllabus - main page (this page): index.htm

Detailed course outline: outline.htm

Announcements and slides: announcements+slides.htm

 

Lab Web Page:

Lab information main page (TA: TBD): TBD

 

Prerequisites:                     

Grade C or better in CS 4540: Operating Systems or equivalent, or instructor’s permission.

Grade C or better in CS 5550: Computer Networks or equivalent, or instructor’s permission.

 

Texts:

Required:  Pfleeger and Pfleeger, Security in Computing. Fourth Edition, Prentice

Hall PTR, 2007, ISBN-10: 0132390779, ISBN-13: 9780132390774

                  (http://vig.prenhall.com/catalog/academic/product/0,1144,0132390779,00.html)

 

Highly recommended (for lab exercises):   V.J. Nestler, W.A. Conklin, G.B. White, and M.P. Hirsch, Computer Security Lab Manual, McGraw-Hill/Irwin, 2005, ISBN 0-07-225508-0 (http://www.securitylabmanual.com)

 

Course Overview:     

This course is a survey of topics in the realm of computer/network security and information assurance.  It introduces a broad range of topics including: cryptographic techniques, network security, program security, privacy, and ethics in the computing profession.  Students will learn fundamental concepts of security that can be applied to many traditional aspects of computer programming and computer system design.

 

Course Objectives:    

The course is designed to provide knowledge including the following:

Security terminology

Basic cryptographic techniques: terminology, basic ciphers, private and public key encryption, uses of encryption

Network security: threats (incl. impersonation, spoofing, DoS, DDoS),  controls (incl. encryption, strong authentication), selected network security tools (firewalls, intrusion detection)

Program security: nonmalicious program errors (incl. buffer overflows), viruses, other malicious code, targeted malicious code, controls against program threats

Legal, ethical, privacy issues in Computer Security

If time permits: Protection in operating systems: protected objects, methods of protection, access control, authentication

If time permits: Database security: security requirements, sensitive data, inference, multilevel databases

 

Performance Objectives:

At the end of the course, all students should be able to:

Describe and correctly use fundamental terminology in the area of computer/network security and information assurance

Describe fundamental concepts of cryptography and assess the strengths and weaknesses of common cryptographic protocols

Understand security threats and available controls in networks

Identify weaknesses in program design and be able to categorize basic forms of attack against programs

Appreciate and understand the legal, ethical, and privacy issues in computer security

If time permits: Understand the basic concepts of security with regards to operating systems and access control

If time permits: Describe database attacks and protections against such attacks

 

Grading:

Lab                                                      30%

Midterm                                               30%

Final                                                    40%

Lab                                                      20%

Midterm                                               20%

Final                                                    30%

Project                                                 30%

 

Course Policies:

  1. Lecture

Lecture notes will be available on-line on the “slides and announcements” page or emailed to the class. You should study the slides and read announcements (if any) after/before each lecture.

Taking notes during classes is highly encouraged.  Especially, you should write down anything that is written down using the board or the document projector. You are encouraged to slow me down if you need more time to take notes.

Attendance is required. If you must miss a lecture, make sure that you don’t miss announcements.

  1. Lab

I expect to have a lab assistant’s support for the lab. Lab assistant’s web page for the lab is given above under the Lab Web Page header.

Lab assignments, based on the recommended textbook (“Computer Security Lab Manual”), will be weekly or bi-weekly.

The assignments must be run entirely in the secure environment of the Computer Security Lab (CEAS C-208). Running them in any other environment, including your own desktop or laptop, is prohibited since it may cause security threats to you or others.

Reports or demonstrations (to the lab TA) will be required for each lab assignment.

Each assignment will have a due date/time.  For each day an assignment is late, 10% of the maximum assignment score will be deducted.  Weekends and holidays are not counted when calculating lateness.  No assignments will be accepted after 11:59 pm on the day of the last class (during the week preceding the final Examination Week).

3. Group Projects – for Graduate Students Only

The group projects will be done in Project Teams (PTs) consisting normally of 2-4 students.

I will propose a set of topics for the project to help students in project selection. PTs are free to propose their own topics for the project but must obtain my buy-in before starting their work.

The results obtained in the final project will be communicated by the PTs: (a) in written reports submitted to me by the end of the semester, (b) maybe also in slides presented  in class before the end of the semester. Both technical contents and quality of (written or oral) presentation will be evaluated for the project grade (normally the same for all PT members).

All projects will be due no later than on the last day of regular classes (during the week preceding the Final Examination week).

More details about project requirements, including presentation and report requirements, will be provided later.

4. Exams

There will be two exams for the class. 

The midterm exam will be announced at least a week in advance (most probably, it will be held during the sixth week of the semester).  It will be held during the normal class time.

The final exam will be held during the finals week, as scheduled by the Registrar’s Office (for “All Tuesday 1 p.m.  classes:  Wednesday, Dec. 10, 2:45 pm-4:45 pm” 

 see: http://www.wmich.edu/registrar/finalexam-200804.html)

If you miss an exam and are excused, you will be required to take a make-up exam. To be excused, there must be significant circumstances beyond the student’s control.  Generally this will require documentation, such as a doctor’s note in case of an illness.   You should inform the instructor before the exam if there are circumstances beyond your control that will cause missing an exam.

 

NOTE: No make-up exams will be given for reasons other than emergency situations completely beyond student’s control. If you know ahead of time that the final exam time conflicts with your plans, do not register for this class. (In particular, early flight reservations are not an acceptable reason for a make up exam.)

5. Incomplete Grades

The incomplete grade - I - is intended for a student who has missed a relatively small portion of work due to circumstances beyond his/her control.  In general, performance on work done must be at a level of C or better in order to qualify for an incomplete.  An I grade will not be given to replace an otherwise low or failing grade in the class. 

 

6. Other Issues

By registering in this class you agree that your presentations and term papers, if any, will be posted on the publically available web site for the course.  No requests to remove your name will be accepted.

 

 

Use of Electronic Devices:     [courtesy of Prof. Ajay Gupta and Prof. James Yang]

You are expected to stay alert and pay attention to the directions/announcements in the class. Cellphones, PDAs, and other electronic devices should NOT be used during the lecture and should be turned off.

If available, you may bring your laptop to the class. Your laptop speakers must be turned off. Web-surfing of material other than lecture slides or another material indicated by the instructor is not permitted during the class. You may surf the web only when specifically told to do so. In order to maintain the integrity of the classroom and if I feel it is distracting you or others, I may ask you to turn-off your laptop.

 

 

Other Notes:

Since email and telephone limit interactions, please see me during my office hours in case of any course difficulties.  (In justified cases, a special appointment can be made.)

No questions will be answered on the date of a quiz/exam. No office hours will be held on the days of the midterm and final exams.

A make-up quiz/exam can be given  only when a student presents a valid emergency reason for missing the quiz/exam, with well-documented evidence. Without such a reason and evidence, the student will loose all quiz/exam points.

 

Academic Integrity:  

Academic Honesty Statement (WMU Policy)

You are responsible for making yourself aware of and understanding the policies and procedures in the Undergraduate and Graduate Catalogs that pertain to Academic Honesty. These policies include cheating, fabrication, falsification and forgery, multiple submission, plagiarism, complicity and computer misuse. [The policies can be found at www.www.wmich.edu/catalog under Academic Policies, Student Rights and Responsibilities.] If there is reason to believe you have been involved in academic dishonesty, you will be referred to the Office of Student Conduct. You will be given the opportunity to review the charge(s). If you believe you are not responsible, you will have the opportunity for a hearing. You should consult with me if you are uncertain about an issue of academic honesty prior to the submission of an assignment or test.

(The Code of Honor passed by the Faculty Senate in November 2004 and administration in December 2004, can also be found at www.wmich.edu/catalog; cf. “Students Rights and Responsibilities”)

Note:    This is a course for honest and ethical students only!

            I will not tolerate any breaches of  academic integrity, including abuses of a lab (if used), lab procedures, or projects.

 

Anybody found responsible for violation of academic honesty in the course, will receive a penalty up to and including an E grade in the class. Additional disciplinary actions can be taken by the Department, the College, and the University.

In addition, due to the nature of this course, a course on security, should a student use any information learned or any facilities provided by the course in an unethical way, I will ask the Office of Student Conduct for the harshest penalties applicable. This applies to acts committed both during and after the course (for example, if I hear about an incident in a faculty meeting).

 

 [This paragraph based on text courtesy of Prof. Ajay Gupta and Prof. James Yang.]

Submission of another person’s work in part or whole is not permitted. Learning can certainly occur with discussion of class material and assignments with other students, but at all times ensure that you don’t represent the work of another person as your own. 

If you are copying another’s work in part or whole, either by hand or electronically, without giving credits due (see below) you are going too far

If two or more people or teams are working so closely together that the outcomes, particularly on significant portions of project reports or computer programs, are essentially the same in the logical structure, they are going too far.

You should not give your completed work to someone else or accept another’s completed work to “review or look at” in either hardcopy or electronic form.  This too easily facilitates copying. 

Easy availability of information, material, source codes, lecture notes, etc., on the Internet may make it possible to find text useful for your report, slides, etc. It is permitted (even required for your projects) to refer to those, understand them and use them to enhance your solutions, generate your own ideas, etc. However, you must give proper and full credit to original authors of the work if you include their ideas or solutions (complete references and/or indication of quoted material, as specified below, are required).

 

In particular, remember the following requirements for avoiding any accusations of plagiarism:

If you rephrase ideas presented by others in your text, you must provide a reference in this text, and then list full bibliographic information for the reference at the end of your report, slide presentation, etc.

Any quotes (as opposed to references) must be clearly indicated in at least two ways: (a) with a clear phrase or sentence (e.g. “Quoting Smith et al.:”), and (b) with a different form of the text (e.g., written in italics, boxed, etc.) visible in black-and-white documents.

Sharing information between Project Teams is encouraged. A PT using rephrased ideas from another PT must give a full reference to the “source PT.” A PT quoting text from another PT must clearly indicate the quotes and give a full reference.

 

Students Rights and Responsibilities:

You are also encouraged to familiarize yourself with University policies on human rights, diversity issues, and students with disabilities.

 

 

© 2007-2008 by Leszek T. Lilien                                                                       Last updated on 9/1/08