Skip to main content

Advanced Security:  2023-2024



Schedule C1 (CS&P)Computer Science and Philosophy

Schedule C1Computer Science

Schedule C1Mathematics and Computer Science

Hilary TermMSc in Advanced Computer Science



There are 22 lectures. 

The Advanced Security course is designed to bring students towards the research boundaries in cyber-security, covering contemporary topics in depth. It is split into two highly related modules: Threat Detection, Situational Awareness and Cyber-Defence.

Weeks 1–4 [11 lectures]: Threat Detection, ~9 lectures Sadie Creese, 1 lecture Arnau Erola, 1 lecture from Professor Rebecca Williams (law)

Attacks on computer systems and how to detect them.

Weeks 5–8 [11 lectures]: Situational Awareness and Cyber-Defence, ~11 lectures Sadie Creese

Using modern tools to obtain an understanding of how adversaries attack systems and common defence tactics.

In both halves we may bring in practioners to give additional insights.

Learning outcomes


  • To develop an understanding of the breadth of malicious threats faced and techniques used to attack computer systems.
  • To understand the basic components and approach of threat detection systems, the principles of the methods, and their limitations when in use.
  • To develop a working knowledge of network-based threat detection tools.
  • To understand the role of situational awareness in detecting threat, the methods that can facilitate it, and how situational awareness contributes to cyber-defence.
  • To understand the interface between situational awareness and other core cyber-security capablities such as incident response, deception and offensive security.
  • To understand how a wide range of threats both malicious and non-malicious (e.g. accidents, wear and tear or unplanned events) can be incorporated into such situational awareness.
  • To develop a working knowledge of how situational awareness can be created using cybersecurity visualisation techniques.


For both modules, the Computer Security course (or its equivalent) is advised.

The practicals will require programming in Python or C, but only a very basic understanding of the languages will be required.


Attack Detection (weeks 1–4; 2 classes, plus practicals)

  • The range of threats we face, and how we understand them in the context of the risk they pose to our security.
  • The kinds of attack vector used, and models for understanding attacks, and the vulnerabilities exploited when conducting them.
  • The general ways in which we conduct threat detection in systems today, the components used and how they fit into a wider security architecture.
  • We will consider in detail intrusion detection as well as insider threat detection, the use of signatures and rules, as well as anomaly detection.
  • We will introduce the research challenge of analysing and predicting the propagation of attacks and resulting risk across our systems.

Situational Awareness and Information Defence (weeks 5–8; 2 classes, plus practicals)

  • We will consider situational awareness in detail, in so far as it relates to cyber-attacks.
  • In-depth examination of misuse and anomaly detection in operations, and how these facilitate situational awareness. Practices and challenges in implementing and benchmarking cyber defences (pentesting, threat detection).
  • Cybersecurity visualization: basic concepts, visual analytics and visual abstraction.
  • Dependency modelling for predicting attack propagation: dealing with across the infrastructure and also relating to business processes. Cyber-security vs Resilience. Other aspects of cyber-defence: cyber threat intelligence, incident response, deception and threat modelling.
  • Real world applications of cybersecurity and use cases: challenges in insider threat vs external intrusions specific defences. Cyber physical systems. Privacy. Current approaches advantages and limitations.


Threat Detection. Nature of malign threats.  Organisational risk context. Attack vectors. Models for understanding attacks. Vulnerabilties. Threat detection systems. Security architectures. Intrusion detection. Insider threat detection. Signatures and rules and anomaly detection. Organisational context

The Computer Misuse Act and ethical considerations.

Situational Awareness. Cybersecurity Visualization. Dependency Modelling. Threat Modelling. SOCs. CSIRTs. Cyber Defences. Insider Threat  Detection. Intrusion Detection Systems. Deception. Remaining challenges in social contexts.


Examination: both part C undergraduate and MSc students will be examined by take-home assignment over the Easter vacation. Students must answer questions on both modules.

Reading list

NEW HT2023: Survey of Attack Graph Analysis Methods from the Perspective of Data and Knowledge Processing, by Zeng, Wu, Chen , Zeng and Wu, Published in Security and Communication Networks, 2019.

MITRE Adversarial Tactics, Techniques & Common Knowledge:ATT&CK, for resources.

MITRE Common Attack Pattern enumeration and classification CAPEC,

Understanding cyber-attacks by Hodges and Creese, in Cyber Warfare published by Routledge 2015.

AVOIDIT: A cyber attack taxonomy, by Simmons et al, in proceedings of the 9th Annual Symposium on Information Assurance ASIA'14.

Security Engineering by Ross Anderson - esp. Chapter 21 “Network Attack and Defense” 

APT1, Exposing One of Chinas Espionage Units, by Mandiant,

Framework for Improving Critical Infrastructure Cybersecurity, NIST 2014, 

A cyber attack modeling and impact assessment framework, by I. Kotenko and A. Chechulin, in proceedings of the 5th International Conference on Cyber Conflict (CyCon) 2013, NATO CCD COE Publications.

Undermining an Anomaly-Based Intrusion Detection System Using Common Exploits, by Kymie M. C. Tan, Kvein S. Killourhy, Roy A. Maxion, in Proceedings of RAID 2002, LNCS 2516.

Understanding Insider Threat: A Framework for Characterising Attacks, by Jason R. C. Nurse, Oliver Buckley, Philip A. Legg, Michael Goldsmith and Sadie Creese, in Proceedings of the IEEE Security and Privacy Workshops 2014. 

Automated Insider Threat Detection System Using User and Role-Based Profile Assessment, by Philip A. Legg, Oliver Buckley, Michael Goldsmith and Sadie Creese, in IEEE Systems Journal, Vol 11, Issue 2 June 2017.

Intrusion detection system: a comprehensive review, by Hung-Jen Liao, Chun-Hung Richard Lin, Ying-Chih Lin and Kuang-Yuan Tung, in Journal of Network and Computer Applications Vol 36 Issue 1 2013.

Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains, by Eric M. Hutchins, Michael J. Cloppert, Rohan M. Amin, Lockheed Martin Corporation.

Attack Trees, Bruce Schneier, SANS Network Security 1999,

Foundations of Attack-Defense Trees, by Barbara Kordy, Sjouke Mauw, Sasa Radomirovic and Patrick Schweitzer, in Proceedings of FAST2010, LNCS  6561.

Managing the Risks of Cyber-Physical Systems, by C. Warren Axelrod, 2013 IEEE.

An Formalised Approach to Designing Signification Systems for Network-Security Monitoring, by Louise Axon, Jason R. C. Nurse, Michael Goldsmith and Sadie Creese, in International Journal on Advances in Security 2017.

Attacker-Parametrised Attack Graphs, by Alastair Janse van Rensburg, Jason R. C. Nurse and Michael Goldsmith, in 10th International conference on Emerging Security Information, Systems and Technologies 2016. 

Intrusion detection: a brief history and overview, by R. A. Kemmerer and G. Vigna, in Computer Vol 35, Issue 4 2002.

An Overview of IP FLow-Based Intrusion Detection by Anna Sperotto, Gregor Schaffrath, Ramin Sadre, Cristian Morariu, Aiko Pras and Burchard Stiller, in IEEE Communications Surveys and Tutorials Vol 12, Issue 3 2010.

An Intrusion-Detection Model, by D. Denning, in IEEE Transactions on Software Engineering Vol SE-13, Issue 2 1987.

Anomaly-based network intrusion detection: Techniques, systems and challenges, by P. Garcia-Teodoro, J. Diaz-Verdejo, G. Macib-Fernandez and E. Vazquez in Computers and Security Vol 28, Issues 1-2 2009.

A New Take on Detecting Insider Threats: Exploring the use of Hidden Markov Models, by Rashid, Agrafiotis and Nurse, proceedings of 8th ACM CCS and found here:


Some useful links:


Books worth a read:

Enterprise Cybersecurity - How to Build a Successful Cyberdefense Program Against Advanced Threats, by Scott E. Donaldson, Stanley G. Siegel, Chris K. Williams and Abdul Aslam, 2015.

Network Security Metrics, by Lingyu Wang, Sushi Jajodia and Anoop Singhal, 2017.

Blue Team Field Manual, by Alan J White and Ben Clark, 2017.

Blue Team Handbook: Incident Response Edition, by Don Murdoch 2014.

Inside Network Perimeter Security, by Stephen Northcutt, Lenny Zeltser, Scott Winters, Karen Kent and Ronald W. Ritchey, 2005.

Hacking the Human - Social Engineering Techniques and Security Countermeasures, by Ian Mann, 2010.

Cyber Situational Awareness - Issues and Research, by S. Jajodia, P. Liu, V. Swarup and C. Wang 2010.

Threat Modelling: Designing for Security, by Adam Shostack 2014.

Managing the Insider Threat, by Nick Catrantzos, 2012.

Information Warfare and Security, by D. Denning, 1999.

Network Security Assessment, by Chris McNab, 2017.

The Tao of Network Security Monitoring: Beyond Intrusion Detection, by Richard Bejtlich 2004.



Related research



Students are formally asked for feedback at the end of the course. Students can also submit feedback at any point here. Feedback received here will go to the Head of Academic Administration, and will be dealt with confidentially when being passed on further. All feedback is welcome.

Taking our courses

This form is not to be used by students studying for a degree in the Department of Computer Science, or for Visiting Students who are registered for Computer Science courses

Other matriculated University of Oxford students who are interested in taking this, or other, courses in the Department of Computer Science, must complete this online form by 17.00 on Friday of 0th week of term in which the course is taught. Late requests, and requests sent by email, will not be considered. All requests must be approved by the relevant Computer Science departmental committee and can only be submitted using this form.