CSC 474/574 Information Systems Security


1.    Instructor:

Dr. Peng Ning,

Office: Room 250 Venture III (in Suite 243), Centennial Campus

Phone: (919) 513-4457

Email: pning (at)


Office hours: Mondays and Wednesdays, 3:00 pm – 4:00 pm

2.    Course Objectives:

By the end of this course, students will be able to:

-       State the basic concepts in information security, including security policies, security models, and various security mechanisms.

-       Explain the basic number theory required for cryptographic applications as well as various cryptographic systems.

-       Manually compute using Fermat's theorem, Euler's theorem, Euclid's algorithm, extended Euclid's algorithm.

-       Manually encrypt/decrypt and sign/verify signatures for small messages using RSA, Diffie-Hellman, and DSA algorithms.

-       State the requirements and mechanisms for identification and authentication.

-       Explain and compare the various access control policies and models as well as the assurance of these models.

-       State the characteristics of typical security architectures, including multi-level security systems.

-       State the criteria of evaluating secure information systems, including evaluation of secure operating systems and secure network systems.

-       List the database security issues and solutions, including models, architectures, and mechanisms for database security.

-       List network and distributed systems security issues and solutions, including authentication, key distribution, firewalls, and network security protocols.

-       Explain the network access control mechanisms, including the basic concepts of firewalls, packet filters, application gateways, and typical firewall configurations

-       Design firewall configurations and rules to protect a given network

-       Outline the protocols, i.e., AH and ESP protocols, for IP Security and the two modes for both protocols.

-       Explain in their own words the goals of IP Security protocols (AH and ESP), the

-       Use combinations of IP security protocols to achieve a given security goal (e.g., source authentication, content authentication, traffic confidentiality, etc.)

-       Explain SSL and TLS protocols.

-       Apply the above protocols to protect transport-layer communication.

-       State program security issues, including virus, worm, and logical bombs.

-       State the basic concepts and general techniques in security auditing and intrusion detection.

-       State the issues related to administration security, physical security, and program security.

-       Determine appropriate mechanisms for protecting information systems ranging from operating systems, to database management systems, and to applications.

3.    Textbooks:

H1. Sandhu, R.S. Lattice-based access control models, IEEE Computer, 26(11): 9 –19, Nov. 1993. 

H2. Sandhu, R.S.; Coyne, E.J.; Feinstein, H.L.; Youman, C.E. Role-based access control models, IEEE Computer, 29(2): 38 –47, Feb. 1996.

H3. Peng Ning, Sushil Jajodia, “Intrusion Detection Techniques,” In H. Bidgoli (Ed.), The Internet Encyclopedia. John Wiley & Sons. ISBN: 0-471-22201-1. December 2003.

4.    Course Organization and Scope:

(Assume each lecture takes 75 minutes. The following topics need 28 lectures. These will be adjusted based on the actual progress in a semester.)


T1. Basic Security Concepts (1 lectures)

o      Confidentiality, integrity, availability

o      Security policies, security mechanisms, assurance

T2. Cryptography and Its Applications (7 lectures)

o      Basic number theory

o      Secret key cryptosystems

o      Public key cryptosystems

o      Hash function

o      Key Management

T3. Identification and Authentication (4 lectures)

o      Basic concepts of identification and authentication

o      Password authentication

T4. Access Control (4 lectures)

o      Basic concepts of access control

o      Discretionary access control and mandatory access control

o      Lattice-based Models

o      Covert Channels

o      Role based Access Control

T5. Network and Distributed Systems Security (8 lectures)

o      Issues in network and distributed systems security

o      Kerberos

o      IPSEC

o      SSL

o      Firewalls and virtual private networks

o      Secure email

o      Auditing and intrusion detection

T6. Miscellaneous topics (4 lectures)

o      Assurance and Evaluation of Secure Information Systems (1 lectures)

o      TCSEC, TNI, CC, etc.

o      Introduction to Database Security (Security requirements in databases, Access control and authorization in databases, Inference control)

o      Multi-level security architecture

o      Program Security (Virus and other malicious software)

o      Administrating Security (Risk Analysis, Security Planning, Organizational Security Policies)

o      Physical Security and Beyond (Physical security, TEMPEST, legal and ethical issues in security, environmental issues)

5.    Schedule of Reading Assignments:


Š       Topic T1: Chapter 1.

Š       Topic T2: Chapters 2 – 7.

Š       Topic T3: Chapters 9 – 12.

Š       Topic T4: Handouts H1 – H2.

Š       Topic T5: Chapters 13 – 19, 23; Handout H3.

Š       Topic T6: TBD.

6.    Schedule of homework due dates, quizzes and exams:

There are 5 homework assignments and 2 exams. Quizzes are given in the form of pop quizzes. Pop quizzes are adopted to encourage the students to study during the non-exam weeks. The results of pop quizzes are not counted in the final grade.

7.    Grading:

o               A+: >= 95%

o               A: >= 90% and < 95%

o               A-: >= 85% and < 90%

o               B+: >= 80% and < 85%

o               B: >= 75% and < 80%

o               B-: >= 70% and < 75%

o               C+: >= 66% and < 70%

o               C: >= 63% and < 66%

o               C-: >= 60% and < 63%

o               D+: >= 56% and < 60%

o               D: >= 53% and < 56%

o               D-: >= 50% and < 53%

o               F: < 50%.

8.    Policies on late assignments:

Homework and project deadlines will be hard. Late homework will be accepted with a 10% reduction in grade for each class period they are late by. However, once a homework assignment is discussed in class or the solution is postedq, submissions will no longer be accepted. All assignments must be turned in before the start of class on the due date.

9.    Policies on absences (excused and unexcused) and scheduling makeup work:

The university policy on absences will be enforced. See the university policy at the following URL.

10.Course prerequisites:

CSC 401, CSC 440.

11.Academic integrity:

The university, college, and department policies against academic dishonesty will be strictly enforced. You may obtain copies of the NCSU Code of Student Conduct from the Office of Student Conduct, or from the following URL.

12.NC State policy on working with students with disabilities:

“Reasonable accommodations will be made for students with verifiable disabilities. In order to take advantage of available accommodations, students must register with Disability Service for Students at 1900 Student Health Center, Campus Box 7509, 515-7653.

For more information on NC State’s policy on working with students with disabilities, please see

13.Laboratory Safety or Risk Assumption: Not Applicable.

14.“Pass-through” Charges: Not applicable.