14-810: Network Security Engineering: Analysis
& Automation (Special Topics) - Spring, 2021
Professor Ehab Al-Shaer
Pittsburgh, INI Building, Office# 125
TH 7:00-8:50 & F 3:20-4:10 /
Skype, or by appointment (send an email,
(412) 268-7899 (Office)
(803) 792-1067 (Google Voice)
In this course, students will learn the theory
and practice of network defense including designing and optimizing network
security architecture, network security configuration verification and
automation (such as Firewalls, IPSec gateways, IDS,
and NAT), the adversary modeling and analysis using attack tactics, techniques and
procedures (TTP), automated cyber threat hunting and mitigation, quantitative cyber
risk assessment and mitigation, anomaly detection and adaptive intrusion
The goal of the course is to enable students to learn
the formal reasoning and data-driven analysis techniques and tools for developing
for addressing key network security engineering challenges including automated
network security hardening, detecting security misconfigurations, risk
quantification and security measurement, automated response using courses of
actions playbooks, models for adaptive and active cyber defense. In addition,
students will learn the about advanced solutions for emergent network defense such
as cyber deception and cyber deterrence.
Number of Units: 12
course assumes a basic computer networking knowledge, C and UNIX programming,
as well as an elementary logic and probability theory background, but does not
assume any prior exposure to topics in computer or communications security.
Students lacking technical background (e.g., students without any prior
exposure to programming) are expected to catch up through self-study.
Course Philosophy & Objectives
Cybersecurity is one of the most dynamic and rapidly growing fields.
Mastering network security engineering requires learning not only the concepts
but also the science of security foundation, and the analytical and development
skills for creating effective and practical solutions. This course will cover
the concepts of analyzing and automating network security engineering including
design, configuration, and implementation for securing cyber infrastructure. In
successfully completing this course, you will have the opportunity to:
Learn how to design the architecture and
configure network access control devices (firewall, IPSec,
IDS, and application-level proxies) consistently and correctly according to
mission properties and/or security policies.
Learn how to apply science of security
concept to measure potential risk, implied risks and residual risk and create
plans for automated risk mitigation against evolving threats.
Learn how to develop automated orchestration
engine for intrusion response systems (IRS) based on the course of action and
Learn attack modeling based on the Kill Chain concept and ATT&CK
Learn how to develop middle-boxes for filtering, inspecting and
tunneling using socket programming.
Learn about emerging advanced cyber defense techniques such as adaptive
cyber deception and moving target defense.
@Pittsburgh campus: CIC 1201 in T 7:00 pm -8:50 pm EDT & F
No Text Book is required. Students are expected to read assigned
papers and take good class notes.
Ø W#1: Cyber Attacks: Taxonomy
Overview of Cyber/Cyber-physical Infrastructures and Network Programming
Overview of Network Attacks
Attack Tactics, Techniques and
Attack Modeling and Simulation
Overview of Cyber Defense
framework: (NIST) Identification, Prevention, Detection, Response &
Recovery, cyber dereference, cyber deception
Ø W#2-4: Network Security
Configurations: Design, modeling, verification and synthesis
Foundation: Theory and Applications of Formal Methods and Constraint
Satisfaction Problem Solver in Security Configuration Analytics.
Firewall Configuration Analytics
End-to-End Network Access Control Analytics: routers/switches, access
points, NAT, network proxies, etc
Ø W#5: Network Intrusion
Analytics and Metrics
Foundation: Information Theory and Entropy Measurements
Information theory and applications
Signature and Anomaly-based Detection
Ø Week#6: Cyber Risk Analytics:
Measurement & Quantification
Foundation: Theory and Practice of Science of Security
Overview of Risk Management standards and Best Practices
Cyber Risk Theory: Qualitative and Quantitative Risk
Measuring Threat Exposure, Severity, and Impact
Ø Week#7: Cyber Risk Analytics: Formal
Foundation: Bayesian Analysis and
First Order Logic & Reasoning
Implied Cyber Risk
Cyber Risk Propagation
Measuring Attack Surface
Ø Week#8: Cyber Risk Analytics:
Mitigation & Optimization
Risk Mitigation Planning and Optimization
Data-driven Predictive Risk Analytics
Measuring Network Security Resistance and Residual Risk
Ø Week#9: Attack Graph &
Vulnerability Theory: CVE, CWE
Network Attack Graphs: Construction
Network Attack Graphs: Mitigation & Optimization
Automated Synthesis of Network Access Control Configuration
Ø W#10: Intrusion Response-
Basic mitigation theory
Classification of Mitigation Actions
Ø W#11-12: Security Orchestration
and Automation Response-- Advanced mitigation theory
Foundation: Developing POMDP & Reinforcement agents.
OODA & BRITE Loop for Sense-making and Decision-making in Cyber
Cyber Threat Investigation and Coursed of Actions Standardization and
Playbooks Models and Policies.
Cyber Defense Optimization and Adaptation (Case Study: DDoS and Botnet Mitigation)
Ø W#13-14: Advanced Topics
Cyber Deterrence and Moving Target Defense
Students will be assigned several
analytical and programming assignments and they will participate in a course group
project in addition to quizzes, and a final exam. All submissions are to be
made through Canvas. Email submissions will NOT be accepted.
Assignment & Project Topics
(Programming and analytical assignments; each
assignment will have 2 weeks)
1. Attack tactics and techniques simulation using MITRE ATT&CK
2. (a) Firewall verification, (b) Developing proxy firewall with IPSec tunneling capabilities.
3. Risk measurement based on Nessus
data and automated configuration hardening.
4. Developing anomaly-based
classifiers for network traffic analysis.
5. Developing a
basic Security Orchestration and Automation Response (SOAR) System.
Evaluation and Grading
Grades will be determined
based on multiple deliverables including (1) 20-min quizzes (every Sunday), (2)
programming and analytical assignments, (3) the course (group or individual)
project, and the final exam (covers selected topics in the course that quizzes
will not cover).
Course Project Demo and
This course is entirely taught in
English, and all materials submitted by the students, including homework,
exams, assignments, and quizzes, must be submitted in English. In-class oral
participation must also be in English. Homework, quizzes, or exams submitted in
a language other than English will not be graded. Please do not worry about
making grammatical or vocabulary mistakes. We will never penalize you for using
improper grammar or vocabulary, as long as your statements remain clear and
Class attendance is required. In-class
participation is encouraged and expected. In other words, please do ask
questions and make constructive comments during lectures. Additionally, you are
only eligible to take quizzes if you attend class.
Auditors & Non-degree Students
Auditors are expected to attend
lectures, but cannot submit homework, hand in tests, or take exams. Auditors
only get a record of audit at the end of the semester. On the other hand,
non-degree students are subject to the same rules and expectations as degree
Cell Phone and Wi-Fi
Please remember to turn off or
silence your phones (and other alarms) before each class meeting. We will
subtract i points from your total grade the i-th
time your phone/alarm/pager rings in class during the semester. No exceptions.
As a matter of courtesy to the instructor and other students, please refrain
from reading the news, participating in social networks, or checking your email
using your wi-fi connection during lectures. It is
most likely the case that you do not need a laptop when you come to class.
Late Homework Submission
For full credit, homework must be
turned in by 5:00 PM EST on the due date. You have two “grace days” that you
can use at any time during the semester for late homework. That is, you can turn
in a total of two homework assignments a day late (“a day late” is defined as
any delay between 0 and 24 hours after the deadline,) one homework two days
late, etc. You must notify the instructor and T.A.s prior to using (a) grace
day(s). Assignments turned in late without “grace credit” will be penalized by
10% per day. Homework late by more than three days will not be graded.
Exceptions require either prior arrangement or doctor-validated medical excuse.
Students are encouraged to talk
to each other, to the T.A.(s), to the instructor, or
to anyone else about any of the homework assignments. Any assistance, though,
must be limited to discussion of the problem and sketching general approaches
to a solution. Each student must write out his or her own solutions to the
homework. Consulting another student’s solution is prohibited, and submitted
solutions may not be copied from any source. These and any other form of
collaboration on assignments constitute cheating. Any form of collaboration is
strictly prohibited on the exams and is considered cheating. If you have any
questions about whether some activity would constitute cheating, please feel
free to ask. Cheating on an assignment/exam will result in failure of the
course, and the university administration (department, college) will be
notified per the appropriate procedures. Simply stated, feel free to discuss
problems with each other, but do not cheat. It is not worth it, and you will
All teaching materials in this
class, including course slides, homework, assignments, practice exams and
quizzes, are copyrighted; reproduction, redistribution and other rights solely
belong to the instructors. In particular, it is not permissible to upload any
or part of these materials to public or private websites without the
instructor’s explicit consent. Violating this copyright policy will be
considered as an academic integrity violation, with the consequences discussed
above. Reading materials are also copyrighted by their respective publishers
and cannot be reposted or distributed without prior authorization from the
ECE Academic Integrity Policy
The Department of Electrical and
Computer Engineering adheres to the academic integrity policies set forth by
Carnegie Mellon University and by the College of Engineering. ECE students
should review fully and carefully Carnegie Mellon University's policies
regarding Cheating and Plagiarism; Undergraduate Academic Discipline; and
Graduate Academic Discipline. ECE graduate student should further review the
Penalties for Graduate Student Academic Integrity Violations in CIT outlined in
the CIT Policy on Graduate Student Academic Integrity Violations. In addition
to the above university and college-level policies, it is ECE's policy that an
ECE graduate student may not drop a course in which a disciplinary action is
assessed or pending without the course instructor's explicit approval. Further,
an ECE course instructor may set his/her own course-specific academic integrity
policies that do not conflict with university and college-level policies;
course-specific policies should be made available to the students in writing in
the first week of class.
This policy applies, in all
respects, to this course.
CMU Academic Integrity Policy (http://www.cmu.edu/academic-integrity/index.htmlLinks to an external site.):
In the midst of self-exploration,
the high demands of a challenging academic environment can create situations
where some students have difficulty exercising good judgment.
Academic challenges can provide
many opportunities for high standards to evolve if students actively reflect on
these challenges and if the community supports discussions to aid in this
process. It is the responsibility of the entire community to establish and
maintain the integrity of our university.
This site is offered as a
comprehensive and accessible resource compiling and organizing the multitude of
information pertaining to academic integrity that is available from across the
university. These pages include practical information concerning policies,
protocols, and best practices as well as articulations of the institutional
values from which the policies and protocols grew. The Carnegie Mellon Code,
while not formally an honor code, serves as the foundation of these values and
frames the expectations of our community with regard to personal
THE CARNEGIE MELLON CODE
Students at Carnegie Mellon,
because they are members of an academic community dedicated to the achievement
of excellence, are expected to meet the highest standards of personal, ethical
and moral conduct possible.
These standards require personal
integrity, a commitment to honesty without compromise, as well as truth without
equivocation and a willingness to place the good of the community above the
good of the self. Obligations once undertaken must be met, commitments kept.
As members of the Carnegie Mellon
community, individuals are expected to uphold the standards of the community in
addition to holding others accountable for said standards. It is rare that the
life of a student in an academic community can be so private that it will not
affect the community as a whole or that the above standards do not apply.
The discovery, advancement and
communication of knowledge are not possible without a commitment to these
standards. Creativity cannot exist without acknowledgment of the creativity of
others. New knowledge cannot be developed without credit for prior knowledge.
Without the ability to trust that these principles will be observed, an
academic community cannot exist.
The commitment of its faculty,
staff and students to these standards contributes to the high respect in which
the Carnegie Mellon degree is held. Students must not destroy that respect by
their failure to meet these standards. Students who cannot meet them should
voluntarily withdraw from the university. This policy
applies, in all respects, to this course.
Mellon University's Policy on Cheating (http://www.cmu.edu/academic-integrity/cheating/index.htmlLinks to an external site.) states the following:
According to the University
Policy on Academic Integrity, cheating "occurs when a student avails
her/himself of an unfair or disallowed advantage which includes but is not
· Theft of or unauthorized access to an exam, answer key or other graded work from previous course offerings.
· Use of an alternate, stand-in or proxy during an examination.
· Copying from the examination or work of another person or source.
· Submission or use of falsified data.
· Using false statements to obtain additional time or other accommodation.
· Falsification of academic credentials.”
This policy applies, in all
respects, to this course.
Mellon University's Policy on Plagiarism (http://www.cmu.edu/academic-integrity/plagiarism/index.htmlLinks to an external site.) states the following:
According to the University
Policy on Academic Integrity, plagiarism "is defined as the use of work or
concepts contributed by other individuals without proper attribution or
citation. Unique ideas or materials taken from another source for either
written or oral use must be fully acknowledged in academic work to be graded.
Examples of sources expected to be referenced include but are not limited to:
· Text, either written or spoken, quoted directly or paraphrased.
· Graphic elements.
· Passages of music, existing either as sound or as notation.
· Mathematical proofs.
· Scientific data.
· Concepts or material derived from the work, published or unpublished, of another person."
This policy applies, in all
respects, to this course.
Mellon University's Policy on Unauthorized Assistance (http://www.cmu.edu/academic-integrity/collaboration/index.htmlLinks to an external site.) states the following:
According to the University
Policy on Academic Integrity, unauthorized assistance "refers to the use
of sources of support that have not been specifically authorized in this policy
statement or by the course instructor(s) in the completion of academic work to
be graded. Such sources of support may include but are not limited to advice or
help provided by another individual, published or unpublished written sources,
and electronic sources. Examples of unauthorized assistance include but are not
· Collaboration on any assignment beyond the standards authorized by this policy statement and the course instructor(s).
· Submission of work completed or edited in whole or in part by another person.
· Supplying or communicating unauthorized information or materials, including graded work and answer keys from previous course offerings, in any way to another student.
· Use of unauthorized information or materials, including graded work and answer keys from previous course offerings.
· Use of unauthorized devices.
· Submission for credit of previously completed graded work in a second course without first obtaining permission from the instructor(s) of the second course. In the case of concurrent courses, permission to submit the same work for credit in two courses must be obtained from the instructors of both courses."
This policy applies, in all
respects, to this course.
Carnegie Mellon University's Policy on
Research Misconduct (http://www.cmu.edu/academic-integrity/research/index.htmlLinks to an external site.) states the following: According to the
University Policy For Handling Alleged Misconduct In
Research, “Carnegie Mellon University is responsible for the integrity of
research conducted at the university. As a community of scholars, in which
truth and integrity are fundamental, the university must establish procedures
for the investigation of allegations of misconduct of research with due care to
protect the rights of those accused, those making the allegations, and the
university. Furthermore, federal regulations require the university to have
explicit procedures for addressing incidents in which there are allegations of
misconduct in research.” The policy goes on to note that “misconduct
fabrication, falsification, plagiarism, or other serious deviation
from accepted practices in proposing, carrying out, or reporting results from
material failure to comply with Federal requirements for the
protection of researchers, human subjects, or the public or for ensuring the welfare
of laboratory animals; or
failure to meet other material legal requirements governing
research.” “To be deemed misconduct for the purposes of this policy, a
‘material failure to comply with Federal requirements’ or a ‘failure to meet
other material legal requirements’ must be intentional or grossly negligent.”
familiar with the expectations around the responsible conduct of research,
please review the guidelines for Research Ethics published by the Office of
Research Integrity and Compliance.
Every individual must be treated
with respect. The ways we
are diverse are many and are critical to excellence and an inclusive community.
They include but are not limited to race, color, national origin, sex,
disability, age, sexual orientation, gender identity, religion, creed,
ancestry, belief, veteran status, or genetic information. We at CMU will work
to promote diversity, equity, and inclusion because it is just and necessary
for innovation. Therefore, while we are imperfect, we will work inside
and outside of our classrooms, to increase our commitment to build and sustain
a community that embraces these values.
It is the responsibility of each
of us to create a safer and more inclusive environment. Bias incidents, whether
intentional or unintentional in their occurrence, contribute to creating an
unwelcoming environment for individuals and groups at the university. If you
experience or observe unfair or hostile treatment on the basis of identity, we
encourage you to speak out for justice and support at the moment and/or share
your experience anonymously using the following resources:
Student Diversity and Inclusion: [email protected], (412) 268-2150, www.cmu.edu/student-diversityLinks to an external site.
online anonymous reporting platform: www.reportit.net (Links to an external site.) username: tartans password: plaid
All reports will be acknowledged,
documented and a determination will be made regarding a course of action.” All
experiences shared will be used to transform the campus climate.
Active Shooter Advice: To prepare for the unlikely event of a campus
shooting, please refer to https://www.cmu.edu/police/Resources/Active%20Shooter.html
Earthquake Preparation: During an earthquake, “drop, cover, and hold
on.” Please see details: https://www.earthquakecountry.org/step5/
Accommodations for Students with
Disabilities: If you have
a disability and have an accommodations letter from the Disability Resources
office, I encourage you to discuss your accommodations and needs with me as
early in the semester as possible. I will work with you to ensure that
accommodations are provided as appropriate. If you suspect that you may have a
disability and would benefit from accommodations but are not yet registered
with the Office of Disability Resources, I encourage you to contact them
at [email protected].
Take Care of
do your best to maintain a healthy lifestyle this semester by eating well,
exercising, avoiding drugs and alcohol, getting enough sleep and taking some
time to relax. This will help you achieve your goals and cope with stress.
All of us benefit from support during times of struggle. You are not alone. There are many helpful resources available on campus and an important part of the college experience is learning how to ask for help. Asking for support sooner rather than later is often helpful.
If you or anyone you know experiences any academic stress, difficult life events, or feelings like anxiety or depression, I strongly encourage you to seek support. Counseling and Psychological Services (CaPS) is here to help: call 412-268-2922 or visit their website at http://www.cmu.edu/counseling/Links to an external site..
Consider reaching out to a
friend, faculty, or family member you trust for help getting connected to the
support that can help. Please let me know if I can be of assistance to you in
this way. It is not my intention to know the details of what might be bothering
you, but simply to let you know I am concerned and that help, if needed, is