CS 6264: Information Security Lab—System and Network Defenses

Wenke Lee
Wenke Lee
Creator, Instructor
Buzz
Ding Zhang
Head TA

Overview

This course will help students develop both in-depth knowledge and hands-on skills in a number of important cybersecurity areas, including software security, malware and threat analysis, end-point security, network security, web security, mobile security, and machine learning based security analytics. The lecture materials of each topic area are drawn from latest research papers and prototypes, and comprehensive projects are assigned to help students master each area. The main topics include:

  1. Software security: we will study software vulnerabilities such as memory safety errors and protection mechanisms such as CFI, ASLR, and DEP. We will also study program analysis techniques such as symbolic execution and fuzzing for finding software vulnerabilities and generate exploits. A project can involve applying and extending program analysis tools to find exploitable bugs in programs and generate input that can trigger these bugs.
  2. Malware analysis: we will study how to build a malware analysis environment that is both save and live. In particular, we will study how to analyze malware to find its triggering, or, dispatching behaviors, and configure a virtualized environment where that malware gets the input it needs so that it reveals its intended activities. We will also study threat analysis, in particular, how to obtain and share threat intelligence. A project can involve applying and extending a malware analysis system to examine the behaviors of a new malware family.
  3. End-point security: we will study how to monitor computer activities through system call hooking and virtual machine introspection. We will also study forensic analysis using systemwide record-and-replay technologies. A project can involve using a record-and-replay system to identify the root cause, or, the entry point, of a long-running attack.
  4. Network security, we will first review vulnerabilities of network protocols such as spoofing and standard prevention mechanisms such as TLS. We will then study network monitoring, including network intrusion detection and alert correlation. A project can involve extending an open-source intrusion detection system to detect stealthy network attacks.
  5. Web security: we will first review browser security models such as same-origin policy and content-security policy. We will then study more advanced topics including how to provide fine-grained access control to third-party scripts, and the security vulnerabilities of WebView. A project can involve implementing a phishing attack using iframes/popups in WebView and then implementing a defense.
  6. Mobile security: we will first review the iOS and Android security models. Then we will study Android malware and gray-ware, that is, those that leak user privacy. We will also discuss the attack ecosystem including rooting attacks and third-party app stores. A project can involve implementing an Android malware clustering algorithm that atomically classify Android malware and gray-ware.
  7. Machine learning for security analytics: we will first study how machine learning algorithms, in particular, deep learning, can be used to automatically produce security models such as malware classifiers and intrusion detection rules. We will then study how the machine learning process can be subverted by attackers and how to improve the robustness of machine learning. A project can involve using and extending an evaluation system to generate evasion attacks against a machine learning based model and produce the more robust model.

Sample Syllabus

Fall 2024 syllabus (PDF)
Summer 2024 syllabus (PDF)
Summer 2023 syllabus (PDF)

Note: Sample syllabi are provided for informational purposes only. For the most up-to-date information, consult the official course documentation.​

Before Taking This Class...

Suggested Background Knowledge

You should have taken an introductory course on, or be otherwise familiar with, the basic concepts of information security (there is very little overlap between this course and CS 6035). Ideally, you should also have taken a network security course (there is only a small amount of overlap between this course and CS 6262). Prior programming experience with C or Java (or similar language) is required.

Technical Requirements and Software
  • Browser and connection speed: An up-to-date version of Chrome or Firefox is strongly recommended. 2+ Mbps is recommended.
  • Operating system:
    • PC: Windows XP or higher with latest updates installed
    • Mac: OS X 10.6 or higher with latest updates installed
    • Linux: any recent distribution will work so long as you can install Python and OpenCV
  • Virtual Machine: You will be provided a virtual machine (VM) useful for performing class assignments and projects. For the projects, the supplied resources are identical to those used to test your submissions. Details for downloading and installing the VM can be found on Canvas.​

Academic Integrity

All Georgia Tech students are expected to uphold the Georgia Tech Academic Honor Code. This course may impose additional academic integrity stipulations; consult the official course documentation for more information.