Threat Detection and Response (Spring 2023)

This course aims to engage in critical discussion around key research topics in threat detection and forensics analysis. This course will cover: system auditing, vulnerability management, ML-based threat detection, forensic investigation via data provenance techniques, threat alert triage, and incident response. Students will be required to study published research papers from top-tier academic venues in computer security and cyber forensics.

Why take this course? You are interested in learning the fundamental principles of audit logging, threat detection, vulnerability finding/defense, cyber attack triage, and forensic analysis. You want to read cutting-edge research publications on these topics. There is ample scope to publish in this area. This course can prepare you to conduct research in threat detection and cyber attack forensics.


Professors: Wajih Ul Hassan (hassan@virginia.edu)
Office hours: Monday 3:30PM – 4:30PM and by appointment
Office: Rice Hall 522
TA: Faysal Hossain Shezan (fs5ve@virginia.edu)
Office hours: Thursday 2:00PM – 3:00PM over Zoom (link).
Lectures: Mon/Wed 2:00pm – 3:15pm, Olsson Hall 005
Prerequisites: No formal prerequisites. Some background in computer security and operating systems (e.g., the equivalent of CS4630 and CS4414) will be helpful.
Communications: We will make use of the following communication methods during this course:

  • Lecture slides and assignment submission: Collab
  • Class discussion/Organization/Announcements: Piazza
Schedule/Paper Signup Link

Grading

We'll calculate your course grade based on these components:
Class Participation (10%): You will read two research papers for each class. After the paper presentation, we will discuss the strengths, weaknesses, scope, and future research areas related to the paper. Please try to attend the class discussions and be prepared to make substantive intellectual contributions. Participation in Piazza discussions will also be considered towards this grade.
Paper Reviews (10%): We will read two papers per class. You are required to submit one review per class read at the beginning of class. You can email me paper reviews at hassan@virginia.edu. Please include the subject line [CS6501] in the email.
Paper Presentations (20%): Students will present research papers and lead the ensuing class discussion. The number of presentations required will be determined by the number of students enrolled in the course.
Course Project (60%): Students will conduct a major research project in the area of system security, with the chief deliverable being a conference-style paper at the end of the semester. Project topics will be discussed in class after the introductory material is completed. Project teams may include groups of up to 2 students; however, groups of greater size will be expected to make greater progress. The instructors will advise each team/individual independently as needed. The project grade will be a combination of grades received for a number of milestone artifacts and the final conference-quality report.

Course Project Timeline

Your course project should address an important, interesting open problem related to system security. I'm happy to discuss your project ideas individually and help you refine them.

Pre-Proposal Presentation — In class, Feb 8

Give a 7-minute presentation explaining the problem you want to work on, the most important related work, and your tentative approach. This will be an early opportunity to get feedback from the class. You should use this template for the presentation (link).

Written Proposal — Due on Feb 15

Your proposal should consist of a 2–3 page description of your project that includes the following:

  1. Group: Group member names and computing IDs.
  2. Title: What would you call the eventual paper or product?
  3. Problem: A description of the problem you will address and why it is important.
  4. Context: A survey of related work and past approaches to the problem.
  5. Approach: How you will address the problem and how your approach differs from past work.
  6. Evaluation: How you will test how well your approach works (e.g., experimental measurements).
  7. Scope: What you plan to accomplish and deliver by the checkpoint and by the end of the semester.

Upload your proposal to Collab.

Project Status Presentation — In class, March 22

Each group will give an in-class presentation about the status of their project. You'll have 7 minutes to speak. This presentation includes:

Final Project Presentation — In class, May 1

Each group will give an in-class presentation about the status of their project, in the style of a brief conference talk. These will be rapid fire talks; you'll have 12 minutes to speak. This presentation includes:

Final Paper — Due on May 4

Your group's final project report should be written in the style of a workshop or conference submission, like most of the papers we have read this semester. Please include at least the following:

  1. An abstract that summarizes your work.
  2. An introduction that motivates the problem you are trying to solve.
  3. A related work section that differentiates your contributions.
  4. Section(s) describing your architecture or methodology.
  5. Results and/or evaluation section(s), with data or figures to support your claims as appropriate.
  6. A brief future work section explaining what is left to do.
  7. Appropriate citations and references from the literature.

See also: Advice on writing technical articles.

The length of your report should not exceed 6 typeset pages, excluding bibliography and well-marked appendices. There is no limit on the length of appendices, but graders are not required to read them. The text must be formatted in two columns, using 10 point Times Roman type on 12 point leading, in a text block of 6.5” by 9”. I strongly encourage you to use LaTeX and the USENIX template files, and Overleaf might be a helpful collaboration platform.


Academic Integrity

Students are expected to be familiar with the university honor code, including the section on academic fraud (http://honor.virginia.edu/academic-fraud).

If you have questions on what is allowable, please ask!

Special Accommodations

The University of Virginia strives to provide accessibility to all students. If you anticipate or experience any barriers to learning in this course, please feel welcome to discuss your concerns with us.
If you require an accommodation to fully access this course, please contact the Student Disability Access Center (SDAC) at (434) 243-5180 or sdac@virginia.edu. If you are unsure if you require an accommodation, to request official accommodations, or to learn more about their services, you may contact the SDAC at the number above or by visiting their website at http://sdac.studenthealth.virginia.edu.
If you have already been approved for accommodations through SDAC, please make sure to send us your accommodation letter and meet with us so we can develop an implementation plan together.

Religious Accommodations

Students who wish to request academic accommodation for a religious observance should submit their request to the instructors by email as far in advance as possible. If you have questions or concerns about your request, you can contact the University's Office for Equal Opportunity and Civil Rights (EOCR) at UVAEOCR@virginia.edu or 434-924-3200. Accommodations do not relieve you of the responsibility for completion of any part of the coursework you miss as the result of a religious observance.

Discrimination and Violence

The University of Virginia is dedicated to providing a safe and equitable learning environment for all students. To that end, it is vital that you know two values that the University and I hold as critically important:

If you or someone you know has been affected by power-based personal violence, more information can be found on the UVA Sexual Violence website, which describes the reporting options and resources available: www.virginia.edu/sexualviolence. As your professor, know that I care about you and your well-being and stand ready to provide support and resources as I can. As a faculty member, I am a designated responsible employee, which means that I am required by University policy and federal law to report what you tell me to the University's Title IX Coordinator. The Title IX Coordinator's job is to ensure that the reporting student receives the resources and support that they need, while also reviewing the information presented to determine whether further action is necessary to ensure survivor safety and the safety of the University community. If you wish to report something that you have seen, use the Just Report It portal (http://justreportit.virginia.edu/). The worst possible situation would be for you or your friend to remain silent when there are so many here willing and able to help.

Ethics Statement

This course includes topics related to computer security and privacy. As part of this investigation, we may cover technologies whose abuse could infringe on the rights of others. As computer scientists, we rely on the ethical use of these technologies. Unethical use includes circumvention of existing security or privacy mechanisms for any purpose, or the dissemination, promotion, or exploitation of vulnerabilities of these services. Any activity outside the letter or spirit of these guidelines will be reported to the proper authorities and may result in dismissal from the class and possibly more severe academic and legal sanctions.

Honor

I trust every student in this course to fully comply with all of the provisions of the University’s Honor Code. By enrolling in this course, you have agreed to abide by and uphold the Honor System of the University of Virginia, as well as the following policies specific to this course.

Please let me know if you have any questions regarding the course Honor policy. If you believe you may have committed an Honor Offense, you may wish to file a Conscientious Retraction by calling the Honor Offices at (434) 924-7602. For your retraction to be considered valid, it must, among other things, be filed with the Honor Committee before you are aware that the act in question has come under suspicion by anyone. More information can be found at http://honor.virginia.edu. Your Honor representatives can be found at: http://honor.virginia.edu/representatives.