Logistics

Room: ST I, 131
Time: Wed., 4:30 - 7:10

Class Webpage: http://mason.gmu.edu/~icervasa/courses/06-ISA767

http://classweb.gmu.edu/icervasa/courses/06-ISA767

Instructor: Iliano Cervesato
Office hours: Wed. 3:30 - 4:30 or by appointment
Office: ST II, 229
Email: (please put "ISA 767" in the subject line)
Phone: 703-993-8935

Teaching Assistant: Ram Krishan
Office hours: Mon. 2:00 - 3:00, Tue. 2:00 - 3:00, or by appointment
Office: ST II, 468
Email: (please put "ISA 767" in the subject line)
Phone: 703-993-1668

Course Yahoo Group:
Post message:
Subscribe:
Unsubscribe:

News!
1/26/06	Temporary class web page created
1/26/06	created
2/4/06	Homework 1 released
2/8/06	Instructor gets !!!
2/9/06	Project page created
2/9/06	Official class page created
2/26/06	Midterm released
3/26/06	Homework 2 released
4/19/06	Final released

About this course

Description

The goal of this course is to explore recent and advanced security issues in e-commerce. Some tentative topics of this course are access control models (role-based access control, usage control, etc) and architectures, digital rights management, intellectual property and copyrights protections, security in recent and emerging distributed systems such as P2P, trusted computing, identity management, denial of service, etc.

Prerequisites

You must have completed ISA 662/INFS 762 (Information System Security) and ISA 666/INFS 766 (Internet Security Protocols). Concurrent enrollment in ISA 662/INFS 762 or ISA 666/INFS 766 is not sufficient.
You must be familiar with discrete mathematics and formal notation (such as INFS 501).
You must be Internet, Web, PDF (get Acrobat Reader here) and Postscript (get GSview here) capable. Homework and exams must be submitted in PDF or Postscript, not MS Word or other proprietary formats.
You must know how to access ACM, IEEE and any other digital libraries available to the GMU community. On-campus and off-campus access to these libraries is available to all GMU students. Links are conveniently available at University Libraries - Database Wizard.
Well, here are the instuctions anyway: open http://mutex.gmu.edu:2048?login and login with your G-number. Look for ACM digital library (or IEEE as the case may be) and search for the author name (e.g. "Crampton"). If you are off-campus, make sure to click on the icon "Click for EZ off-campus access" on the left. Alternatively, you can go through the GMU library's website->E-journal Finder.

Readings

No text book is required. The course extensively uses papers from literature. Reading the listed papers is mandatory.

Further References

Earlier editions of this course have suggested the following books for further information on issues to e-commerce. While they contain valuable information, it should be noted that e-commerce is evolving so rapidly that any text older than 2 or 3 year risks being obsolete in some aspects.

Suggested books on general e-commerce issues:
- Kenneth C. Laudon, Carol Guercio Traver, E-Commerce: Business, Technology, Society, Second Edition, Addison Wesley, 2003
Suggested books on e-commerce security and privacy:
- Warwick Ford and Michael Baum, Secure Electronic Commerce, 2nd ed. Prentice-Hall, 2000
- M. Greenstein and M. Vasarhelyi, Electronic Commerce: Security, Risk Management, and Control, McGraw Hill, 2002
- Simson Garfinkel and Gene Spafford, Web Security, Privacy, and Commerce, 2nd ed. O'Reilly, 2001
- Rolf Oppliger, Security Technologies for World Wide Web, Artech House, 2000
Suggested books on specific topics
- Bill Rosenblatt, Bill Trippe and Stephen Mooney, Digital Rights Management, Business and Technology, M&T Books, 2002
- Andy Oram (Editor), Peer-to-Peer: Harnessing the Power of Disruptive Technologies, O'Reilly, 2001
- Siani Pearson (Editor), Trusted Computing Platforms: TCPA technology in context, Prentice Hall, 2003
- David Grawrock, The Intel Safer Computing Initiative, Building Blocks for Trusted Computing, Intel Press, 2005
- Jelena Mirkovic, Sven Dietrich, David Dittrich, Peter Reiher, Internet Denial of Service: Attack and Defense Mechanisms, Prentice Hall, 2004

Grading

Tasks and Percentages

Two homework assignments: 15% each
Research project (paper and presentation): 40%
Midterm exam: 15%
Final exam: 15%

Research Projects

See the project page for details

Objective: The goal of the projects is to produce high quality research papers as well as class presentations on the research performed.
Form: Students may perform this project individually or in a group
Topics: A set of tentative topics will be provided, mostly from research-oriented topics. Students are encouraged to select your own topics which you are interested, with pre-approved by the instructor.
Grading criteria: Plain summary or introduction papers won't be considered as a good output. However, papers with good (comprehensive and systematic) insight and analysis on the issues are welcomed. Some of the important grading factors are creativity, originality, soundness, and presentation. Both good (relevant) references are mandatory. Well-prepared presentation is also critical since this could be your chance to convince me how valuable your research is.
Format guideline: About 12-15 pages including cover page and references, single-spaced, single-column, 11pt font. Abstract should be no longer than 300 words. Submissions should be in PDF or Postscript
Honor code: The papers are expected to include your own ideas in your own words. Please do not attempt to cut-and-paste or borrow others ideas without adequate and clear citations. You will be responsible for the consequences.

Schedule [ week 1, 2, 3, 4, 5, Midterm, 6, Spring Break, 7, 8, 9, 10, 11, 12, 13, Final ]

Week 1 Jan.25	Welcome and Course Introduction Slides (2/page, 6/page) Equipment malfunction caused the class to be dismissed early
Week 2 Feb. 1	Introduction to Secure E-commerce, Role-Based Access Control (RBAC) Slides: Introduction to E-Commerce (2/page, 6/page) Security Review (2/page, 6/page) RBAC (2/page, 6/page) Readings: Butler Lampson, Computer Security in the Real World, IEEE Computer, June 2004. Ravi Sandhu, Engineering Authority and Trust in Cyberspace: The OM-AM and RBAC Way, ACM, RBAC 2000. Ravi Sandhu, Edward Coyne, Hal Feinstein and Charles Youman, Role-Based Access Control Models, IEEE Computer, Volume 29, Number 2, February 1996.
Week 3 Feb. 8	RBAC Administration Slides (2/page, 6/page) Readings: Ravi Sandhu, Ventaka Bhamidipati and Qamar Munawer, The ARBAC97 Model for Role-Based Administration of Roles, ACM Transactions on Information and Systems Security, Volume 2, Number, February 1999. Homework 1 released
Week 4 Feb. 15	Usage Control (UCON) Models Slides (2/page, 6/page) Readings: Jaehong Park and Ravi Sandhu. The UCON_ABC Usage Control Model, ACM Transactions on Information and System Security, Volume 7, Number 1, February 2004. Research Project: Select your topic Xinwen Zhang kindly agreed to give this lecture
Week 5 Feb. 22	Attribute Mutability - UCON Architecture - Windows Right Management System Slides (2/page, 6/page) Readings: Jaehong Park, Xinwen Zhang, and Ravi Sandhu, Attribute Mutability in Usage Control, Proceedings of 18th Annual IFIP WG 11.3 Working Conference on Data and Applications Security, 2004. Jaehong Park, Ravi Sandhu and James Schifalacqua, Security Architectures for Controlled Digital Information Dissemination, ACSAC 2000. Windows Rights Management Services [PDF] Homework 1 due Research Project: Topics and one paragraph (max 1/2 page) of research direction for each research topics due Midterm released
Mar. 1	Midterm exam week (no class)
Week 6 Mar. 8	Digital Rights Management (DRM) Slides (2/page, 6/page) Readings: Renato Iannella, Digital Rights Management (DRM) Architectures John Erickson, Fair Use, DRM, and Trusted Computing , Communication of ACM, April 2003 Edward Felten, A Skeptical View of DRM and Fair Use, Communication of ACM, April 2003 Alex Halderman, Analysis of the MediaMax CD3 Copy-Prevention System, Princeton University Computer Science Technical Report TR-679-03. Midterm due on March 12th Research Project: Abstract, outline with short description for each section and partial references due
Mar. 15	Spring Break
Week 7 Mar. 22	Denial-of-Service (DoS) Slides (2/page, 6/page) Readings: TBA Catherine Meadows, A Cost-Based Framework for Analysis of Denial of Service in Networks, Journal of Computer Security, 9(1/2), pp.143-164, 2000 Ari Juels, John Brainard, Client puzzles: A cryptographic defense against connection depletion attacks, Networks and Distributed Security Systems, pp.151-165, 1999 Homework 2 released
Week 8 Mar. 29	Security Issues in Peer-to-Peer (P2P) Communication Slides (2/page, 6/page) Readings: Dejan Milojicic et. al., Peer-to-Peer computing, Technical Report HPL-2002-57, HP Lab, 2002. Peter Biddle et. al., The Darknet and the Future of Content Distribution, ACM DRM workshop, 2002. M. Einhorn and B. Rosenblatt, Peer-to-Peer Networking and Digital Rights Management: How Market Tools can Solve Copyright Problems, Technical Report, CATO Institute, 2005.
Week 9 Apr. 5	Trusted Computing and Applications for Distributed Systems Slides (2/page, 6/page) Readings: TCG Architecture Overview, Trusted Computing Group NGSCB and LaGrande Technology Overview Ravi Sandhu and Xinwen Zhang, Peer-to-Peer Access Control Architecture Using Trusted Computing Technology, ACM SACMAT, 2005. Midterm discussion.
Week 10 Apr. 12	Federated ID Slides (2/page, 6/page) Readings: Liberty ID Federation Framework Architecture Overview, V.1.2, Liberty Alliance 2003 D. Kormann, A. Rubin, Risks of the Passport Single Signon Protocol, IEEE Computer Networks, July 2000. Homework 2 due
Week 11 Apr. 19	Student Research Project Presentation Farrukh Kamran, Hatim Hussein: Federated Identity Management [slides \| paper] Kory Embrey: Framework for Digital Rights Management of Non-Traditional Digital Contents [slides \| paper] Jaffar Nassiry: Voice over IP [slides \| paper] Constantine Gikas, Anas Lahrim: Digital Rights Management - A Standard in Flux [slides \| paper] Final exam released
Week 12 Apr. 26	Student Research Project Presentation Mike Fuller: M-Commerce and Security [slides \| paper] Chris Feldmeier: Limiting Inheritance of Permission in Access Control Models [slides \| paper] Samson Lemma: Method of Mitigating DDoS Attack by Randomly Selecting and Dynamically Changing the Routing Information [slides \| paper] Prem Jadhwani: The Benefit and Economic Impact of RBAC and Real-World Implementations of RBAC [slides \| paper] Vishnu Paturi: Web services and Security: Different standards and implementation - Comparison [slides \| paper]
Week 13 May 3	Student Research Project Presentation Anis Alazzawe, Murad Mehmet, Asad Nawaz: Game Theory in IDS [slides \| paper] Chan Yoon: Host-Based Anomaly Detection Techniques for Electronic Commerce [slides \| paper] Joshua Davis, Tim Orr: A Case for Increased Protection in Digital Certificates [slides \| paper] Ayman Mohamed, Mohamed Rajani, Clate Stansbury: E-Commerce Security Technologies: An Evaluation Using the Metasploit Framework [slides \| paper] Fouad Al-Kohlany: XML Relational Mapping [slides \| paper]
May 10	Final exam week (no class) Final exam due by Friday May 12 (Strict!) Final research paper due by Friday May 12 (Strict!)

Acknowledgements

The slides posted also include material by Jaehong Park (University of Maryland), Ravi Sandhu (George Mason University), and Xinwen Zhang (George Mason University).

Iliano Cervesato