CS 708 - Fall 2013 - Advanced Data Security and Privacy
News:
- Templates for final project report: research paper (word, latex), survey paper (word, latex)
- Final exam: December 19, 2013 @ 6pm in FMH 310 (closed books, closed notes)
- 09/12/13: The assignment has been posted (together with additional instructions). It is due in class on 10/03/13 (new deadline; previously 09/26/13).
- 09/05/13: Location of lectures has been moved to GITC 4415.
Class schedule: Thursday 6:00 - 9:05pm, room: GITC 4415
Instructor: Reza Curtmola ; Email: ; Office: GITC 4301
Office hours (GITC 4301): M 1-2pm, Wed 4-5pm, and also by appointment (email me if you cannot come during office hours).
Overview
This course addresses the ever-growing security and
privacy concerns associated with the massive amount of data that is
collected, stored, shared, and distributed in today's society. New
paradigms are needed to address the security/privacy challenges when data is
outsourced at untrusted servers (such as in cloud computing) or when
data is anonymized in order to be shared among untrusted parties. The
course involves a substantial amount of reading, critically analyzing, and
presenting research papers, participation in class discussions, and a
semester-long project.
The goals of the course are to familiarize students with the main security and privacy challenges associated with managing data throughout its lifecycle (collection, storage, distribution), and to examine how to address these challenges.
A tentative list of topics includes:
- database as a service: security and privacy issues
- secure query evaluation on outsourced databases
- security of cloud services
- searching on encrypted data
- remote data checking
- privacy-preserving data mining
- private information retrieval
- secure file systems and secure deletion
- security threats in long-term storage
- digital rights management
- data anonymization techniques
- secure data provenance
- web metering and click fraud
Course format
The course will involve a substantial amount of reading, participation in
class discussions, and a semester-long research project. Each lecture will
focus on a specific topic and will be based on presentations and class
discussions. Each student is responsible for preparing at least one
presentation (based on research papers) and leading the discussion on the
respective topic. The students are required to read the assigned papers for
each week. In addition, each student is responsible for submitting a weekly
report on one of the papers assigned for that week, which must include: (1)
strengths/weaknesses and (2) two possible extensions. This report has to be
turned in at the beginning of class each week.
Course project: Students will work on the course project in teams. There is flexibility in the
nature of the project: both theoretical and system contributions will be
appreciated, although projects with a theoretical contribution should have
clear practical significance. Potential topics for system-oriented projects
include addressing security aspects of cloud services such as Amazon Web
Services or the Windows Azure Platform. The outcome of the project will be
a final report describing the design/implementation efforts.
Students will present their results to the class.
Due to the dynamic nature of this field, there is no one textbook
required for this course. Each selected topic will be based on handouts and
research papers from recent top conferences and journals.
Who should take this course
Graduate students (PhD and MS) interested in having a deeper understanding of the ever-growing security and privacy concerns associated with the massive amount of data that is collected, stored and distributed in today's society.
The course is also an excellent opportunity to conduct research on the security/privacy of cloud services and find research topics for Ph.D. and M.S. theses.
Prerequisites
Students should have taken an introductory course related to information security prior to this course.
For example, any of the following will satisfy this prerequisite:
CS 608/408 OR CS 645 OR CS 696/ECE 683 OR instructor permission.
If in doubt about the prerequisites, please consult with the instructor for permission to take the class. Familiarity with basic security and cryptographic primitives, or storage and database systems will be required to understand the details of the assigned papers. The instructor will review in the first lecture the building blocks that will be used throughout the course.
Grading policy
course assignment | 15% |
course project | 30% |
paper presentations + weekly reports + participation in class discussion | 35% |
final exam | 20% |
Weekly schedule
Date | Topic | Discussion Leader | Paper |
09/05/13 | Class overview + Building blocks | Reza | lecture 1 |
09/12/13 | Database as a Service | Reza | Hacigumus et al. Providing Database as a Service. IEEE ICDE 2002. |
| | Reza | Mykletun et al. Authentication and Integrity in Outsourced Databases. ISOC NDSS 2004. |
| | | lecture 2, presentation 1, presentation 2 |
09/19/13 | Remote Data Integrity Checking | Reza | Ateniese et al. Provable Data Possession at Untrusted Stores. ACM CCS 2007. |
| | Bo | Bowers et al. HAIL: A High-Availability and Integrity Layer for Cloud Storage. ACM CCS 2009. |
| | | lecture 3, presentation 1 |
09/26/13 | Working over Encrypted Data | Reza | Curtmola et al. Searchable Symmetric Encryption: Improved Definitions and Efficient Constructions. ACM CCS 2006. |
| | Arwa + Kirtan | Popa et al. CryptDB: Protecting Confidentiality with Encrypted Query Processing. ACM SOSP 2011. |
| | | lecture 4, presentation 1, presentation 2 |
10/03/13 | Security of Outsourced Databases + Anonymity and Privacy | Wadood | Bajaj and Sion. CorrectDB: SQL Engine with Practical Query Authentication. VLDB 2013. |
| | Nafi | Hsiao et al. LAP: Lightweight Anonymity and Privacy. IEEE S&P 2012. |
| | | lecture 5, presentation 1, presentation 2 |
10/10/13 | Privacy in Mobile and Vehicular Systems | Jigang | Popa et al. VPriv: Protecting Privacy in Location-Based Vehicular Services. USENIX Security 2009. |
| | Susan | Popa et al. Privacy and Accountability for Location-Based Aggregate Statistics. ACM CCS 2011. |
| | | lecture 6, presentation 1, presentation 2 |
10/17/13 | (De)Anonymization | Nafize | Srivatsa and Hicks. Deanonymizing Mobility Traces: Using Social Networks as a Side-Channel. ACM CCS 2012. |
| | Tarik | Narayanan et al. On the Feasibility of Internet-Scale Author Identification. IEEE S&P 2012. |
| | | lecture 7, presentation 1, presentation 2 |
10/24/13 | Attacks against Cloud Storage | Wadood | Mulazzani et al. Dark Clouds on the Horizon: Using Cloud Storage as Attack Vector and Online Slack Space. USENIX Security 2011. |
| | Anil | Halevi et al. Proofs of Ownership in Remote Storage Systems. ACM CCS 2011. |
| | | lecture 8, presentation 1, presentation 2 |
10/31/13 | Security of Search Engines | Vishal + Arwa | John et al. deSEO: Combating Search-Result Poisoning. USENIX Security 2011. |
| | Jigang | Lu et al. SURF: detecting and measuring search poisoning. ACM CCS 2011. |
| | | lecture 9, presentation 1, presentation 2 |
11/07/13 | Oblivious RAM + Intermediate Project Presentations | | Intermediate project presentations: team 1, team 2, team 3, team 4 |
| | Reza | Goldreich and Ostrovsky. Software Protection and Simulation on Oblivious RAMs. JACM 1996. |
| | Anil + Nafize | Stefanov and Shi. ObliviStore: High Performance Oblivious Cloud Storage. IEEE S&P 2013. |
| | | presentation 1, presentation 2 |
11/14/13 | Secure Deletion | Vishal + Tarik | Wolchok et al. Defeating Vanish with Low-Cost Sybil Attacks Against Large DHTs. ISOC NDSS 2010. |
| | Kirtan | Skillen and Mannan. On Implementing Deniable Storage Encryption for Mobile Devices. ISOC NDSS 2013. |
| | | lecture 11, presentation 1, presentation 2 |
11/21/13 | Digital Rights Management | Stephen | Halderman and Felten. Lessons from the Sony CD DRM Episode. USENIX Security 2006. |
| | | AACS - DVD Protection, AACS specifications. |
| | Reza | related readings: Naor, Naor, and Lotspiech. Revocation and Tracing Schemes for Stateless Receivers. IACR CRYPTO 2001. |
| | | lecture 12, presentation 1, presentation 2 |
11/26/13 | Security of Online Advertising | Nafi | Toubiana et al. Adnostic: Privacy Preserving Targeted Advertising. ISOC NDSS 2010. |
| | Stephen | Hardt and Nath. Privacy-Aware Personalization for Mobile Advertising. ACM CCS 2012. |
| | | lecture 13, presentation 1, presentation 2 |
12/05/13 | Final Project Presentations | | Final project presentations: team 1, team 2, team 3, team 4 |
Academic integrity
The NJIT Honor Code will be upheld, and any violations will be brought to the immediate attention of the Dean of Students.
Modifications to syllabus
The syllabus may be modified at the discretion of the instructor or in the event of extenuating circumstances.
Students will be notified in class of any changes to the syllabus.