Topics in Computer Security: Data-Driven Security and Privacy (CMSC 33251-1)
Winter 2018
Tuesdays & Thursdays, 12:30p-1:50p, Cobb Hall 116
Course Staff
| • Blase Ur | blase@uchicago.edu | Ryerson 157 | By appointment |
| • Mainack Mondal | mainack@uchicago.edu | Young 4th Floor | By appointment |
Course Description
This seminar covers current topics related to data's role within security and privacy. These topics may include: tracking technologies and data marketplaces; how machine learning is used to make decisions related to security and privacy; anomaly detection; empirical experiments' impact on security and privacy; and the potential for helping users better understand how data is impacting their security and privacy.
Logistics
| • Syllabus (schedule and assignments) | https://super.cs.uchicago.edu/topics18 |
| • Piazza (announcements and discussion) | https://piazza.com/uchicago/winter2018/cmsc332511/home |
Readings and Textbooks
There is no textbook for the course. Instead, all course readings will be (open access) articles linked from the schedule below. If you lack background on core topics in computer security, Security Engineering by Ross Anderson and the Handbook of Applied Cryptography by Alfred Menezes, Paul van Oorschot and Scott Vanstone are both excellent references.
Course Requirements and Grading
| • 10% | Class participation |
| • 15% | Leading two class discussions |
| • 15% | Paper reviews |
| • 60% | Research project |
This class will have no exams. Final project presentations will be held on the last two days of class.
You are welcome to attend the seminar even if you are not taking the class for a letter grade. If you take the class for a letter grade, it counts as a systems elective for PhD students and as a CMSC elective (as well as towards honors credit) for undergraduates.
Class participation (10%)
This is a discussion-based graduate seminar course. You are expected to attend all class meetings and to participate actively in the discussion. Please mention to Blase or Mainack if you expect not to be able to attend a meeting of the class due to a conference or other major personal or professional obligation.
Leading two class discussions (15%)
You will be the discussion leader for class discussions of two different papers (on two different days). As the discussion leader, you must prepare roughly 15 minutes worth of slides that cover the main technical contributions of the paper, in addition to at least 10 discussion questions. Please include the paper authors, title, and publication venue, as well as your own name, on the title slide. Please include your discussion questions on the final slide or two in a proposed order. Prior to the beginning of class, please upload your slides as a PDF to the Piazza thread for that reading assignment.
Reading Reviews (15%)
We will read 25 research papers over the course of this seminar. You must complete the assigned reading prior to class so that you can participate fully in class discussions. To facilitate productive class discussions, you must submit a "review" of each of the two assigned papers to Piazza by 7am the day of each class. Each review should be its own Piazza private message that is tagged with the "Reviews" tag. Before each class, all of the reviews will be made visible to other students in the course. Late paper reviews will receive no credit.
Reviews should consist of three brief paragraphs of prose (not bullet points) in your own words using approximately the structure listed below:
Paragraph 1 (Summary):
- What problem did this work attempt to solve?
- Is this an important problem? Why / why not?
- What are the main ideas and technical contributions of the work?
- How does this approach compare to prior work?
- How is the proposed solution evaluated?
Paragraph 2 (+/-):
- What are the work's key strengths?
- What are the work's key weaknesses?
Paragraph 3 (Reaction):
- What parts of the work did you find most striking and thought-provoking?
- What future work might you consider in this line of research?
Research Project (60%)
Students will work on a major projects in groups of size 1--3. We will suggest some projects, but you may also propose your own. As part of the project students will:
- Tuesday, January 16th: Submit a rough draft of your project proposal (1 to 2 pages). The proposal should state your research questions; hypotheses (if any); general approach; and evaluation metrics.
- Project groups will meet with Blase and Mainack from January 17th -- January 19th to refine their idea.
- Tuesday, January 23rd: Submit a finalized version of your draft project proposal that also includes a timeline with checkpoints and deliverables at those checkpoints.
- Tuesday, February 6th: Submit a written progress report. Your written progress report should describe your progress to date relative to your proposed timeline, note any problems you have run into, describe your updated plan for the rest of the quarter, and include any preliminary results or technical accomplishments. This written report should also include a draft related work section for your final paper.
- Tuesday, February 20th: Submit a second written progress report following the same format as the first.
- Tuesday, March 6th: Give a 15-minute final project presentation in class.
- Friday, March 16th (11:59pm): Write a paper including an abstract, introduction (including research questions), related work, methodology, results, discussion, references, etc.
Students are encouraged to submit their project as a full paper to a conference with an appropriate deadline. A paper submission will likely require additional work after the end of the quarter.
Your final paper should be written in a style suitable for publication at a conference or workshop. The conference papers in the readings provide good examples of what a conference paper looks like and the style in which they are written. Papers should follow the sigconf template available as part of the ACM LaTeX template. However, your report for the class need not adhere to any particular conference's page limits and should obviously not be a blind submission.
Copyright Policy
All teaching materials in this class are copyrighted. Reproduction, redistribution and other rights solely belong to the instructor. In particular, it is not permissible to upload any or part of these materials to public or private websites without the instructor's explicit consent. Violating this copyright policy will be considered an academic integrity violation, with the consequences discussed above. Reading materials are also copyrighted by their respective publishers and cannot be reposted or distributed without prior authorization from the publisher.
Academic Integrity Policies
The University of Chicago has formal policies related to academic honesty and plagiarism. We abide by these standards in this course. Depending on the severity of the offense, you risk being dismissed altogether from the course. All cases will be referred to the Dean of Students office, which may impose further penalties, including suspension and expulsion. If you have any question about whether some activity would constitute cheating, please feel free to ask.
In addition, we expect all students to treat everyone else in the course with respect, following the norms of proper behavior by members of the University of Chicago community.
Wellness
If a personal emergency comes up that might impact your work in the class, please let Blase know so that the course staff can make appropriate arrangements.
University environments can sometimes be very overwhelming, and all of us benefit from support during times of struggle. You are not alone. There are many helpful resources available on campus and an important part of the college experience is learning how to ask for help. Asking for support sooner rather than later is often helpful. If you or anyone you know experiences any academic stress, difficult life events, or feelings like anxiety or depression, we strongly encourage you to seek support. The University of Chicago's counseling services are here to support you. Consider also reaching out to a friend, faculty or family member you trust for help getting connected to the support that can help.
If you or someone you know is feeling suicidal or in danger of self-harm, call someone immediately, day or night:
• Student Counseling Urgent Care: (773)702-9800 or in person.
• National Suicide Prevention Lifeline: 1-800-273-8255
01. Thursday, January 4
Introduction and Planning
Due: Nothing
Required readings:
- None
02. Tuesday, January 9
Machine Learning for Good
Due: Reading reviews
Required readings:
- William Melicher, Blase Ur, Sean M. Segreti, Saranga Komanduri, Lujo Bauer, Nicolas Christin, Lorrie Faith Cranor. Fast, Lean, and Accurate: Modeling Password Guessability Using Neural Networks. In Proceedings of USENIX Security 2016.
- Bin Liu, Mads Schaarup Andersen, Florian Schaub, Hazim Almuhimedi, Shikun Zhang, Norman Sadeh, Alessandro Acquisti, Yuvraj Agarwal. Follow My Recommendations: A Personalized Privacy Assistant for Mobile App Permissions. In Proceedings of SOUPS 2016.
03. Thursday, January 11
Machine Learning for Good
Due: Reading reviews
Required readings:
- Shirin Nilizadeh, François Labrèche, Alireza Sadighian, Ali Zand, José Fernandez, Christopher Kruegel, Gianluca Stringhini, Giovanni Vigna. POISED: Spotting Twitter Spam Off the Beaten Paths. In Proceedings of CCS 2017.
04. Tuesday, January 16
Machine Learning for Evil
Due: Reading reviews and draft project proposal
Required readings:
- Yuanshun Yao, Bimal Viswanath, Jenna Cryan, Haitao Zheng, Ben Y. Zhao. Automated Crowdturfing Attacks and Defenses in Online Review Systems. In Proceedings of CCS 2017.
- Peter Ney, Karl Koscher, Lee Organick, Luis Ceze, Tadayoshi Kohno. Computer Security, Privacy, and DNA Sequencing: Compromising Computers with Synthesized DNA, Privacy Leaks, and More. In Proceedings of USENIX Security Symposium 2017.
05. Thursday, January 18
Machine Learning for Evil
Due: Reading reviews
Required readings:
- Congzheng Song, Thomas Ristenpart, Vitaly Shmatikov. Machine Learning Models that Remember Too Much. In Proceedings of CCS 2017.
- Ivan Evtimov, Kevin Eykholt, Earlence Fernandes, Tadayoshi Kohno, Bo Li, Atul Prakash, Amir Rahmati, Dawn Song. Robust physical-world attacks on machine learning models. arXiv preprint (2017).
06. Tuesday, January 23
Fairness, Accountability, and Transparency in Data-Driven Systems
Due: Reading reviews and finalized project proposal
Required readings:
- Florian Tramer, Vaggelis Atlidakis, Roxana Geambasu, Daniel Hsu, Jean-Pierre Hubaux, Mathias Humbert, Ari Juels, Huang Lin. FairTest: Discovering unwarranted associations in data-driven applications. In Proceedings of EuroS&P 2017.
- Nina Grgić-Hlača, Muhammad Bilal Zafar, Krishna P. Gummadi, Adrian Weller. Beyond Distributive Fairness in Algorithmic Decision Making: Feature Selection for Procedurally Fair Learning. In Proceedings of AAAI 2018.
07. Thursday, January 25
Fairness, Accountability, and Transparency in Data-Driven Systems
Due: Reading reviews
Required readings:
- Kexin Pei, Yinzhi Cao, Junfeng Yang, Suman Jana. DeepXplore: Automated Whitebox Testing of Deep Learning Systems. In Proceedings of SOSP 2017.
08. Tuesday, January 30
Tracking and Inferencing
Due: Reading reviews
Required readings:
- Steven Englehardt and Arvind Narayanan. Online tracking: A 1-million-site measurement and analysis. In Proceedings of CCS 2016.
- Giridhari Venkatadri, Athanasios Andreou, Yabing Liu, Alan Mislove, Krishna P. Gummadi, Patrick Loiseau, Oana Goga. Privacy Risks with Facebook's PII-based Targeting: Auditing a Data Broker's Advertising Interface. In Proceedings of IEEE S&P 2018.
09. Thursday, February 1
Tracking and Inferencing
Due: Reading reviews
Required readings:
- Claire Dolin, Ben Weinshel, Shawn Shan, Chang Min Hahn, Euirim Choi, Michelle L. Mazurek, Blase Ur. Unpacking Perceptions of Data-Driven Inferences Underlying Online Targeting and Personalization. In Proceedings of CHI 2018.
10. Tuesday, February 6
Data-Driven Methods on the Web
Due: Reading reviews and first project status report
Required readings:
- Marcela S. Melara, Aaron Blankstein, Joseph Bonneau, Edward W. Felten, Michael J. Freedman. CONIKS: Bringing Key Transparency to End Users. In Proceedings of USENIX Security Symposium 2015.
- Lucas Dixon, Thomas Ristenpart, Thomas Shrimpton. Network Traffic Obfuscation and Automated Internet Censorship. In IEEE S&P Magazine (2016).
11. Thursday, February 8
Data-Driven Methods on the Web
Due: Reading reviews
Required readings:
- Savvas Zannettou, Tristan Caulfield, Emiliano De Cristofaro, Nicolas Kourtellis, Ilias Leontiadis, Michael Sirivianos, Gianluca Stringhini, Jeremy Blackburn. The Web Centipede: Understanding How Web Communities Influence Each Other Through the Lens of Mainstream and Alternative News Sources. In Proceedings of IMC 2017.
12. Tuesday, February 13
Identifying and Visualizing Anomalous Behavior
Due: Reading reviews
Required readings:
- Rosa Romero-Gomez, Yacin Nadji, Manos Antonakakis. Towards Designing Effective Visualizations for DNS-based Network Threat Analysis. In Proceedings of VizSec 2017.
- Hossein Siadati and Nasir Memon. Detecting Structurally Anomalous Logins Within Enterprise Networks. In Proceedings of CCS 2017.
13. Thursday, February 15
Identifying and Visualizing Anomalous Behavior
Due: Reading reviews
Required readings:
- Leyla Bilge, Yufei Han, Matteo Dell'Amico. RiskTeller: Predicting the Risk of Cyber Incidents. In Proceedings of CCS 2017.
14. Tuesday, February 20
The Data Science of Malware
Due: Reading reviews and second project status report
Required readings:
- Amin Kharraz, Sajjad Arshad, Collin Mulliner, William Robertson, Engin Kirda. UNVEIL: A Large-Scale, Automated Approach to Detecting Ransomware. In Proceedings of USENIX Security 2016.
- Roberto Jordaney, Kumar Sharad, Santanu K. Dash, Zhi Wang, Davide Papini, Ilia Nouretdinov, Lorenzo Cavallaro. Transcend: Detecting Concept Drift in Malware Classification Models. In Proceedings of USENIX Security Symposium 2017.
15. Thursday, February 22
The Data Science of Malware
Due: Reading reviews
Required readings:
- Aylin Caliskan, Fabian Yamaguchi, Edwin Dauber, Richard Harang, Konrad Rieck, Rachel Greenstadt, Arvind Narayanan. When Coding Style Survives Compilation: De-anonymizing Programmers from Executable Binaries. In Proceedings of NDSS 2018.
16. Tuesday, February 27
Cybercriminals Are Data Scientists, Too
Due: Reading reviews
Required readings:
- Kurt Thomas, Frank Li, Ali Zand, Jake Barrett, Juri Ranieri, Luca Invernizzi, Yarik Markov, Oxana Comanescu, Vijay Eranti, Angelika Moscicki, Dan Margolis, Vern Paxson, Elie Bursztein. Data breaches, phishing, or malware? Understanding the risks of stolen credentials. In Proceedings of CCS 2017.
- Samaneh Tajalizadehkhoob, Tom van Goethem, Maciej Korczyński, Arman Noroozian, Rainer Böhme, Tyler Moore, Wouter Joosen, Michel van Eeten. Herding Vulnerable Cats: A Statistical Approach to Disentangle Joint Responsibility for Web Security in Shared Hosting. In Proceedings of CCS 2017.
17. Thursday, March 1
Cybercriminals Are Data Scientists, Too
Due: Reading reviews
Required readings:
- Peter Snyder, Periwinkle Doerfler, Chris Kanich, Damon McCoy. Fifteen Minutes of Unwanted Fame: Detecting and Characterizing Doxing. In Proceedings of IMC 2017.
18. Tuesday, March 6
Final project presentations
Due: Final project presentations (before class on March 6), as well as final project report (Friday, March 16 at 11:59pm)
Required readings:
- None