Skip to main content

Advanced Security:  2019-2020

Lecturers

Degrees

Schedule C1 (CS&P)Computer Science and Philosophy

Schedule C1Computer Science

Schedule C1Mathematics and Computer Science

Schedule CMSc in Advanced Computer Science

Term

Overview

The Advanced Security course is designed to bring students towards the research boundaries in computer security, covering contemporary topics in depth. It is split into two related modules, each an area of interest to members of the Computer Security research theme. This year the modules will be:

Weeks 1–4 [10 lectures]: Threat Detection, 9 lectures Sadie Creese plus 1 lecture from Professor Rebecca Williams (law)

Attacks on computer systems and how to detect them.

Weeks 5–8: Situational Awareness and Information Defence, 9 lectures, Jassim Happa

Using modern tools to obtain an understanding of how adversaries attack systems and common defence tactics.

The lectures for this course are not going to be recorded in Hilary Term 2020.

Learning outcomes

To attain a deeper understanding of certain contemporary topics in computer security, bridging the gap to research and linking theory to common practice.

Specifically, in HT2020, the learning outcomes will be:

  • To develop an understanding of the breadth of malicious threats faced and techniques used to attack computer systems.
  • To understand the basic components and approach of threat detection systems, and their limitations.
  • To develop a working knowledge of network-based threat detection tools.
  • To be understand the role of situational awareness in detecting threat, the methods that can facilitate it and how situational awareness overall contributes to cyber-defence including its interface with core capablities such as incident response, deception and offensive security.
  • To understand how a wider range of threats malicious and non-malicious (e.g. accidents, wear and tear or unplanned events) can be incorporated into such situational awareness.
  • To develop a working knowledge of how situational awareness can be created using cybersecurity visualisation techniques.

Prerequisites

For both modules, the Computer Security course (or its equivalent) is advised.

The practicals will require programming in Python or C, but only a very basic understanding of the languages will be required.

Synopsis

Attack Detection (weeks 1–4; 2 classes, 4 practical sessions spanning entire term)

  • The range of threats we face, and how we understand them in the context of the risk they pose to our security.
  • The kinds of attack vector used, and models for understanding attacks, and the vulnerabilities exploited when conducting them.
  • The general ways in which we conduct threat detection in systems today, the components used and how they fit into a wider security architecture.
  • We will consider in detail intrusion detection as well as insider threat detection, the use of signatures and rules, as well as anomaly detection.
  • We will cover situational awareness and how threat detection exists in the security operations of large organisations, and the research challenge of how we can analyse and predict the propagation of attacks and resulting risk across our systems.

Situational Awareness and Information Defence (weeks 5–8; 2 classes, practicals continue from first half of course)

  • In-depth examination of misuse and anomaly detection in use and how these facilitate situational awareness. Practices and challenges in implementing and benchmarking cyber defences (pentesting, threat detection). [2 lectures]
  • Cybersecurity visualization: basic concepts, visual analytics and visual abstraction [2 lectures].
  • dependency modelling for predicting attack propagation: dealing with across the infrastructure and also relating to business processes. Cybersecurity vs Resilience. Cyber defences: cyber threat intelligence, incident response, deception and threat modelling. [2 lectures]
  • Real world applications of cybersecurity and use cases: Challenges in insider threat vs external intrusions specific defences. Cyber physical systems. Privacy. Current approaches advantages and limitations. [2 lectures]
  • Wrap up [1 lecture]

Syllabus

Threat Detection. Nature of malign threats.  Organisational risk context. Attack vectors. Models for understanding attacks. Vulnerabilties. Threat detection systems. Security architectures. Intrusion detection. Insider threat detection. Signatures and rules and anomaly detection. Organisational context

The Computer Misuse Act and ethical considerations.

Situational Awareness. Cybersecurity Visualization. Dependency Modelling. Threat Modelling. SOCs. CSIRTs. Cyber Defences. Insider Threat  Detection. Intrusion Detection Systems. Deception. Remaining challenges in social contexts.

 

Examination: both part C undergraduate and MSc students will be examined by take-home assignment over the Easter vacation. Students must answer questions on both modules.

Reading list

 

Attack Detection 

Security Engineering by Ross Anderson - esp. Chapter 21 “Network Attack and Defense” http://www.cl.cam.ac.uk/~rja14/Papers/SEv2-c21.pdf 

APT1, Exposing One of Chinas Espionage Units, by Mandiant, https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf

Framework for Improving Critical Infrastructure Cybersecurity, NIST 2014, https://www.nist.gov/sites/default/files/documents/cyberframework/cybersecurity-framework-021214.pdf 

Undermining an Anomaly-Based Intrusion Detection System Using Common Exploits, by Kymie M. C. Tan, Kvein S. Killourhy, Roy A. Maxion, in Proceedings of RAID 2002, LNCS 2516.

Understanding Insider Threat: A Framework for Characterising Attacks, by Jason R. C. Nurse, Oliver Buckley, Philip A. Legg, Michael Goldsmith and Sadie Creese, in Proceedings of the IEEE Security and Privacy Workshops 2014. http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6957307 

Automated Insider Threat Detection System Using User and Role-Based Profile Assessment, by Philip A. Legg, Oliver Buckley, Michael Goldsmith and Sadie Creese, in IEEE Systems Journal, Vol 11, Issue 2 June 2017.

Intrusion detection system: a comprehensive review, by Hung-Jen Liao, Chun-Hung Richard Lin, Ying-Chih Lin and Kuang-Yuan Tung, in Journal of Network and Computer Applications Vol 36 Issue 1 2013.

Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains, by Eric M. Hutchins, Michael J. Cloppert, Rohan M. Amin, Lockheed Martin Corporation.

Attack Trees, Bruce Schneier, SANS Network Security 1999, http://tnlandforms.us/cs594-cns96/attacktrees.pdf.

Foundations of Attack-Defense Trees, by Barbara Kordy, Sjouke Mauw, Sasa Radomirovic and Patrick Schweitzer, in Proceedings of FAST2010, LNCS  6561.

Managing the Risks of Cyber-Physical Systems, by C. Warren Axelrod, 2013 IEEE.  https://pdfs.semanticscholar.org/5ed2/822de8f87dd862c81cae2ceea8036186ab15.pdf

An Formalised Approach to Designing Signification Systems for Network-Security Monitoring, by Louise Axon, Jason R. C. Nurse, Michael Goldsmith and Sadie Creese, in International Journal on Advances in Security 2017.

Attacker-Parametrised Attack Graphs, by Alastair Janse van Rensburg, Jason R. C. Nurse and Michael Goldsmith, in 10th International conference on Emerging Security Information, Systems and Technologies 2016. 

Intrusion detection: a brief history and overview, by R. A. Kemmerer and G. Vigna, in Computer Vol 35, Issue 4 2002.

An Overview of IP FLow-Based Intrusion Detection by Anna Sperotto, Gregor Schaffrath, Ramin Sadre, Cristian Morariu, Aiko Pras and Burchard Stiller, in IEEE Communications Surveys and Tutorials Vol 12, Issue 3 2010.

An Intrusion-Detection Model, by D. Denning, in IEEE Transactions on Software Engineering Vol SE-13, Issue 2 1987.

Anomaly-based network intrusion detection: Techniques, systems and challenges, by P. Garcia-Teodoro, J. Diaz-Verdejo, G. Macib-Fernandez and E. Vazquez in Computers and Security Vol 28, Issues 1-2 2009.

 

Books worth a read:

Enterprise Cybersecurity - How to Build a Successful Cyberdefense Program Against Advanced Threats, by Scott E. Donaldson, Stanley G. Siegel, Chris K. Williams and Abdul Aslam, 2015.

Network Security Metrics, by Lingyu Wang, Sushi Jajodia and Anoop Singhal, 2017.

Blue Team Field Manual, by Alan J White and Ben Clark, 2017.

Blue Team Handbook: Incident Response Edition, by Don Murdoch 2014.

Inside Network Perimeter Security, by Stephen Northcutt, Lenny Zeltser, Scott Winters, Karen Kent and Ronald W. Ritchey, 2005.

Hacking the Human - Social Engineering Techniques and Security Countermeasures, by Ian Mann, 2010.

Cyber Situational Awareness - Issues and Research, by S. Jajodia, P. Liu, V. Swarup and C. Wang 2010.

Threat Modelling: Designing for Security, by Adam Shostack 2014.

Managing the Insider Threat, by Nick Catrantzos, 2012.

Information Warfare and Security, by D. Denning, 1999.

Network Security Assessment, by Chris McNab, 2017.

The Tao of Network Security Monitoring: Beyond Intrusion Detection, by Richard Bejtlich 2004.

 

 

Related research

Themes

Feedback

Students are formally asked for feedback at the end of the course. Students can also submit feedback at any point here. Feedback received here will go to the Head of Academic Administration, and will be dealt with confidentially when being passed on further. All feedback is welcome.

Taking our courses

This form is not to be used by students studying for a degree in the Department of Computer Science, or for Visiting Students who are registered for Computer Science courses

Other matriculated University of Oxford students who are interested in taking this, or other, courses in the Department of Computer Science, must complete this online form by 17.00 on Friday of 0th week of term in which the course is taught. Late requests, and requests sent by email, will not be considered. All requests must be approved by the relevant Computer Science departmental committee and can only be submitted using this form.