CS559: Quantitative Security
[Fall 2020]


This one-semester graduate course is intended for graduate students or seniors from computer science, engineering (including systems engineering) and business. It examines quantitative and algorithmic aspects of cyber security risks and their mitigation approaches.

Prerequisites: College level mathematics including probability and statistics, undergraduate background in CS, ECE or business.

Textbook: No specific textbook is required. In addition to the lecture notes, we will draw information from various publications and reports. The students are required to do research using articles in journals, conferences, technical reports, white papers and news articles.

Instructional format: Both on-campus and on-line students will use Canvas/Piazza for assignments/quizzes. Both sections will use an on-line format in fall 2020; the video recordings will be found in Canvas (Echo360). The on-campus students are expected to participate in the presentations/discussions during the interactive sessions using MS Teams during specific class sessions. It is critically important that students check the course website and the Canvas page a few times a week. All tests and assignment due dates are posted there. Sometimes this may be the only announcement of an assignment. It is the student's responsibility to continually check for new assignments. Assignments are usually posted 7 days to 10 days ahead of due dates. There will be an on-line almost every week.

Grading (subject to revision):

  • Presentations/Research Project (40%)
  • Interaction (10%)
  • Assignments and quizzes (on-line or in-class)(15-25%)
  • Exams (25-35%)

Letter grades will be based on the following standard breakpoints: ≥ 90 is an A, ≥ 88 is an A-, ≥ 86 is a B+, ≥ 80 is a B, ≥ 78 is a B-, ≥ 76 is a C+, ≥ 70 is a C, ≥ 60 is a D, and < 60 is an F. I will not cut higher than this, but I may cut lower.

Course Outline (Preliminary):

1.      Introduction

·       Outline

·       Current state

·       Access control

·       Security framework

2.      Risk

·       Risk as the product of breach likelihood and breach cost and their components

·       Discussion of conflicting definitions of risk

·       Linear/logarithmic scales

·       Risk Matrix

·       Time-frame: per event (single breach) vs per year (annual loss expectancy).

3.      Probability/distributions

·       A review of essential concepts from probability, conditional probabilities, Bayes' rule

·       Common distributions used in risk evaluation

·       Monte Carlo simulation

4.      Modeling

·       Modeling approaches

·       Regression

5.      Vulnerability types

·       Software: defects vs vulnerabilities

·       System/network/configuration

·       Physical vulnerabilities (such as snooping)

·       Social engineering: exploitation of human weaknesses

6.      Vulnerability life cycle

·       Introduction, discovery, disclosure, patching, exploitation.

·       Modeling Vulnerability Discovery process in individual and evolving programs

·       Longer term trends

7.      Vulnerability Metrics & databases

·       CVSS v2/v3 metrics and scores.

·       Temporal (patches and exploits)

·       Environmental metrics CVSS

·       Databases: NVD, CVEDetails, VulnDB, ExploitDB

8.      Testing for vulnerabilities

·       Testing as exercising input or structure space

·       Coverage metrics

·       Fuzzing

·       Probabilistic vs deterministic testing

·       Test effectiveness

Midterm

9.      Research methodology

·       Potential sources of information

·       Identifying research threads and trends

·       Information extraction and consolidation

·       Assessing promise of a research direction

Attacks

·       Attack types

·       Intrusion detection

·       MITRE ATT&CK framework

Breach likelihood components

·       vulnerability presence

·       vulnerability exploitability, and reachability

·       motivation/skill/tool support of potential adversaries

·       impact of management policies

Breach cost components

·       Investigation costs, crisis mitigation costs, cost of sanctions and lawsuits

·       Question of insurance coverage, tax breaks

·       Longer term costs: loss of reputation and business opportunity

·       Costs to a government/nation including loss of industrial IP, defensive secrets, tampering with national infrastructure or defenses

Risk mitigation

·       Reducing the breach likelihood

·       Reducing the breach cost

·       Security investment ROI

·       Attack surfaces and connectivity

·       Threat containment strategies and their effectiveness

Discussion sessions

·      Presentations of assigned papers

·      Investigation results and perspectives

Vulnerability markets

·       Legitimate (for example rewards programs)

·       Gray (vulnerability brokers) and black markets

·       Potential buyers and sellers of Zero-day vulnerabilities and exploits

Project Presentations

·       Final presentations of individual project results

·       Peer reviews

Final

 

Department of Computer Science, Colorado State University
Fort Collins, CO 80523 USA
© 2020 Colorado State University