CS++: Expanding CS Curriculum via Open Cybersecurity Courseware

Transcription

1 CS++: Expanding CS Curriculum via Open Cybersecurity Courseware Ying Xie State University GA, nesaw.edu Hossain Shahriar State University GA, nnesaw.edu Jing (Selena) He State University GA, esaw.edu Sarah North Ben Setzer Ken Hoganson State State State University University University GA, GA, GA, nesaw.edu nesaw.edu nnesaw.edu ABSTRACT In this paper, we described an ongoing project called CS++ that aims to expanding a CS curriculum in cybersecurity with minimum requirement of additional resources by plugging open cybersecurity courseware in the existing curriculum. Each courseware unit covers a special topic of cybersecurity technology and can be plugged in one or multiple related CS courses; altogether, the open cybersecurity courseware delivers a comprehensive view of cybersecurity knowledge. After being plugged with the open courseware units, a typical CS curriculum is turned to a CS++ curriculum with comprehensive coverage of cybersecurity knowledge. Categories and Subject Descriptors K.3.2 [Computer and Information Science Education]: Computer Science Education, Curriculum General Terms Security Keywords CS++, CS Curriculum, Cybersecurity Courseware, Cloud Courseware Service 1. INTRODUCTION The US economy and infrastructure are driven by huge cyberspace. Cyberspace not only has software and applications, but also includes various supporting entities such as operating systems, data storage systems, and networks (wired and wireless). This huge cyberspace enables us to perform most of our necessary works online on a daily basis. There have been an increased number of cybersecurity related attacks in the recent years that have resulted in security breaches at the individual, organizational, and national levels. According to Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Conference 10, Month 1 2, 2010, City, State, Country. Copyright 2010 ACM /00/0010 $ an Internet Crime Report [1], an increased number of cyber crimes have allowed hackers and intruders to obtain personal and sensitive data, and use it for their advantages. Another survey report [2] indicates that more than 88% of cyberspace users believe that security threats are significant. The attack methodologies vary in targets ranging from system software, applications, networks, and databases [22]. Common examples of attacks include buffer overflow [3, 23], format string bugs [11], virus and worms [4], SQL Injection [12, 24], cross site scripting [13, 25], cross-site request forgery [14, 26], denial of service [5], and statistical attack [6]. Given these situations, generating an increased level of awareness in cybersecurity and preparing our citizens to fight against cybersecurity crimes is becoming a necessity. We believe that cybersecurity education is one of the fundamental yet practical approaches to meet this objective. In recent years, more and more universities started to offer degrees on information security and assurance (ISA) at undergraduate or graduate level. The National Security Agency (NSA) and the Department of Homeland Security (DHS) jointly sponsored more than 100 National Centers of Academic Excellence in IA Education (CAE/IAE) in order to promote higher education ISA [9, 15, 16, 17]. These academic programs contribute significantly to preparing professionals that are familiar with policies, tools, management practices, and legal issues on information security and assurance. Nevertheless, another fundamental problem in cybersecurity education that remains unresolved is that a large population of computing technology creators, such as software engineers, system programmers, application developers, and database designers, lack deep understanding of cybersecurity challenges and technologies. This lack of understanding may often lead to security vulnerability of computing products and services. Given the fact that Computer Science (CS) degree programs in higher education are taking major role in preparing computing technology developers, it is critical to expand existing computer science programs in cybersecurity education. Although the need for equipping CS majors with comprehensive knowledge in cybersecurity has been long recognized in the literature [6, 8, 10, 18, 19, 20], it is far from a norm that an institution of higher education would expand its CS curriculum to include cybersecurity. We have examined the CS curricula published by all Georgia public institutions that offer undergraduate degrees or associate degrees in CS. The result shows that, only a handful institutes offer one or more security related courses in their CS degree programs.

2 There are typically three approaches to cybersecurity education in an undergraduate computer science program: 1) offer degree track, thread or concentration on cybersecurity; 2) offer a couple of elective courses on cybersecurity; 3) cover knowledge on cybersecurity in existing computer science courses. The College of Computing at Georgia Institute of Technology uses the first approach to deliver cybersecurity education. Their program offers eight threads that cover different aspects of computer science to the computer science majors. Although there is no separate thread in cybersecurity, students who are interested in computer security can take those security related courses by weaving two relevant threads together [30]. This approach, which offers a degree thread, track, or concentration in cybersecurity, is difficult to adopt by universities/colleges with limited resources. Moreover, this approach will only expose a relatively small portion of CS majors to cybersecurity education. The second approach can be viewed as a miniature of the first approach. Compared with the first approach, the second requires fewer resources; however, its capacity to cover cybersecurity knowledge is also limited. Implementing the third approach requires the smallest change in a program structure of the three approaches; however, it requires a wide range of faculty members, who teach traditional CS courses such as software engineering and operating systems, to become educated in the field of cybersecurity. After carefully examining current approaches of incorporating cybersecurity in computer science programs, in this paper, we describe an ongoing project called CS++ that aims to expand a CS curriculum with open cybersecurity courseware. The first goal of CS++ is to produce a set of open courseware units, which altogether deliver a comprehensive view of cybersecurity knowledge. Each courseware unit covers a special topic of cybersecurity technology and can be easily plugged into one or multiple related computer science courses. After being plugged with the open courseware units, a typical computer science curriculum (as shown in Figure 2) is expanded with a comprehensive coverage of cybersecurity knowledge (as shown in Figure 3). Similarly to the naming of the programming language C++, CS++ is the expression that adds value (open cybersecurity courseware) to a CS curriculum; after executing CS++, the CS curriculum is enhanced with a comprehensive coverage of cybersecurity knowledge. Furthermore, ++ is a lightweight operation, which means expanding a CS program via the open cybersecurity courseware requires minimum resources. Each open cybersecurity courseware unit contains the following items: learning objectives, suggested host courses, prerequisites, lecture notes, recorded lectures, lab manual, virtual lab environment, assignments, and a set of standard test questions. Ideally, all units are plugged into a CS program to form a comprehensive coverage of cybersecurity technology; however, a CS program would also benefit from choosing a subset of units to plug in since each unit can plug-and-play independently. The CS++ team sets up a cloud platform at State University that will host lab environments that support the CS++ open courseware as offpremise services. The second goal of the CS++ project is to evaluate the effectiveness of the open courseware from different perspectives, including learning objectives, student success, and courseware adoptions. Feedback provided by multi-factor evaluations will help us to refine the CS++ open courseware. Finally, we would like to summarize the aims and significance of the proposed CS++ project by using the following programming code. print(cs); //result is shown in Figure 2 CS++; //a lightweight operation print(cs); //result is shown in Figure 3 2. The CS++ METHOD We use a top-down approach to design the CS++ open cybersecurity courseware. First, we form a comprehensive view of cybersecurity by identifying eight knowledge areas (M0-M7) in a layered model of cybersecurity as shown in Figure 1. Each knowledge area contains a list of security topics, each of which consists of corresponding security issues and solutions. Based on this comprehensive view of cybersecurity, we design the following overall learning objectives of cybersecurity education for CS students, which is called CS++ Program Learning Objectives (PLO) on CyberSecurity. Upon completing the study of CS++ curriculum, students will be able to PLO1. describe fundamental issues and solutions of cybersecurity; explain the trends and evolution in cybersecurity attacks and defenses; identify and mitigate security vulnerabilities in applications and system software. PLO2. describe vulnerability issues in the lifecycle of software development; implement secure software. PLO3. explain the security concepts in database management systems; configure database security with respect to common attacks; implement secure database systems. PLO4. describe security concepts of operating systems; apply mitigation techniques to prevent security breaches. PLO5. describe the security concepts in wired and wireless network; apply mitigation techniques to prevent network level attacks. In order to help CS students to meet these objectives, we design the following method. 1. For each cybersecurity knowledge area identified in Figure 1, we design and implement a group of courseware units. For example, in the knowledge area M2-Wireless Network Security, the following three courseware units will be produced: M2.1- Wireless LAN s security, M2.2-Wireless personal area network security, and M2.3-Mobile device Security; in the knowledge area M7-Web Security, the following three courseware units will be produced: M7.1-Input validation vulnerability and mitigation, M7.2-Session vulnerability and mitigation, and M7.3-Storage vulnerability and mitigation. Each open cybersecurity courseware unit contains the following items: courseware unit learning objectives (CLO), suggested host courses, prerequisites, lecture notes, recorded lectures, lab manual, virtual lab environment, assignments, and a set of standard test questions. Each learning objective of a courseware unit maps to one or more PLOs. That is, successfully completing the study of all courseware units will meet the overall objectives of cybersecurity education for CS majors. 2. We view a typical CS curriculum as a motherboard (as shown in Figure 2) and plug in all open courseware units in the motherboard to form an expanded version of CS curriculum with added value on cybersecurity, which is denoted as CS++ as shown in Figure 3.

3 leverage cloud computing technology to deliver the required lab environments as services. As part of the CS++ project, we will setup a miniature cloud platform that consists of multiple servers in the Department of Computer Science at State University. Our cloud host machines will run the Xen hypervisor with the Xen Cloud Platform (XCP) toolstack for control [27]. All machines participate in a pool-wide Storage Area Network (SAN) [28], and will be managed by Openstack [29]. The major components of the Openstack services can be described as follows. Figure 1. Eight Knowledge Areas of Cybersecurity Therefore, the major activities of the CS++ project will be the production of the whole set of courseware units that cover all cybersecurity knowledge areas identified in Figure 1. We show the design of an example courseware unit M7.1 in Table 1. Figure 2. A Typical CS Curriculum Keystone, an authentication server for the cloud platform in general, used by all the services to authenticate users and actions. Nova, the compute controller. This controller runs in a virtual machine (VM) on each system, and controls the VMs present on each physical host in the pool. The Nova VMs also talk to each other for management of the VMs, migration, etc. Glance, the VM image management system. Glance keeps track of the logical images that the VMs use for their disks. Swift, the object storage server. Swift stores files independent of any certain type of file system or OS, allowing files of any type to be retrieved and used by any particular system. Cinder, block storage server. Cinder manages the block devices (hard drives) that any system uses Quantum, the networking provisioner. Quantum allows deployment of networks as a service, in the same way VMs are deployed Horizon, the web interface to the above services. For each lab environment that supports a courseware unit, we plan to use the following procedure to set the VM image. First create a VM with the specified number/speed of virtual CPUs, and the specified volume in Cinder Once the VM is created, add virtual devices as needed, and then log in and configure the software installed on the server. Power down the VM and save that image back into Glance The saved image allows us to provision many identical machines from it. In order to obtain the virtual lab environment, the user only needs to log into a management interface and create a VM with the specific image by following an easy-to-follow wizard. Figure 3. CS++ Curriculum Most of the CS++ open courseware units require a server environment with proper software installations as the lab settings. Considering that some institutions may not have a budget for additional servers and IT professionals who can set and maintain the lab environments for these courseware units, we plan to It is worthwhile to mention the SEED project [6], which has developed a suite of instructional laboratories for computer security education. However, in order to set up some of the SEED labs, the user needs to do quite a lot installation of required software on the user s own computer. Although the SEED team also provides a 3GB virtual machine image that contains all SEED lab environments, requiring each student to create a VM from the image on their own laptops or PCs could be quite problematic and sometimes hard to manage. Installing the virtual machine on a public server would, again, take additional resources that may not be practical for some institutions. The CS++ project, on the contrary, takes advantages of cloud computing technology that is able to leverage the computing power available at State University to deliver lab environments that are closely tied with the corresponding courseware units as off-premise cloud services.

4 3. CS++ EVALUATION PLAN The evaluation of the CS++ project will be conducted from the following perspectives CS++ Program Learning Objectives on cybersecurity Adoption and peer reviews by peer institutions Student success after program completion First, we evaluate if a student is able to achieve the CS++ Program Learning Objectives on cybersecurity (PLOs) by studying the open courseware units. As illustrated in the previous section, each open courseware unit is associated with a set of learning objectives (CLOs), each of which is evaluated by a pool of test questions/assignments. Furthermore, each CLO is mapping towards one or more PLOs. The relationship among test questions, CLOs, and PLOs is illustrated in Table 3. Therefore, according to the average score of each measuring question obtained by the students, a satisfaction rate can be calculated for each learning outcome of a course unit; and satisfaction rates for learning outcomes of all course units can be further aggregated to an overall satisfaction rate of each CS++ learning objectives on cybersecurity. The satisfaction rates calculated at different levels will indicate strength and weakness of the course unites for our further enhancement. Another important perspective of evaluating the success of the CS++ project is the adoption and peer review of the CS++ open courseware by other institutions. Upon completion, all courseware units will be available at the website for free downloads. We simply require a faculty member, who decides to use one or more components of a course unit in his or her classes, to agree upon on providing a post-use evaluation of the adopted course units. The courseware unit components for evaluation include lecture notes, recorded lectures, lab manual, cloud lab environment, exercises, test questions, and assignments. The following are evaluation questions that will be available on the CS++ website. Do you agree that the learning objectives of this courseware unit are properly set? Do you agree that the lectures of this courseware unit have sufficient coverage to meet the learning objectives? Do you agree that the lab exercises provides sufficient hands-on for students to learn this subject? Do you agree that the cloud lab environment is easy to use? Do you agree that the host courses and the prerequisite are proper for this course unit? The CS++ website will collect the following values: The number of accesses to the CS++ website, denoted as #access. This number can be viewed as an approximate indicator of people s interests in our approach of expanding a CS curriculum in cybersecurity. The number of downloads of each courseware unit, denoted as #download unit(i). The number of agreements signed by faculty members from other institutions who decide to adopt certain courseware units, denoted as #agreement unit(i). Statistics collected from the post-use evaluation for each courseware unit. Therefore, the adoption success of the CS++ project will be evaluated by the following measures: overall_interest = #access download_rate unit(i) = #download unit(i) /overall_interest adoption_rate unit(i) = #agreement unit(i) /#download unit(i) Figure 4. Summarization of the Overall CS++ Evaluation Plan These three measures not only indicates the adoption success of the CS++ project, but also help us to identify necessary actions that need to be taken in order to maximize the success of the project. For instance, if overall_interest is low, we need to take actions to widely spread information on CS++ to peer institutions, such as organizing workshops in major conferences on CS education; sending invitations to a wide range of institutions; publishing papers on designing and evaluating different CS++ courseware units. If download_rate is high but adoption_rate is low, then we need to carefully enhance the quality of the corresponding courseware units. The evaluations provided by peer institutions who adopt certain CS++ courseware units will provide us detailed information on which components of a courseware unit need to be improved. The long term success of the project depends on what CS++ graduates will be able to accomplish in the years following degree completion in the field of Cybersecurity. Therefore, we plan to conduct CS++ alumni survey on a yearly basis to examine the relationship between the CS++ Program Learning Objectives and working competency in cybersecurity. The CS++ Program Learning Objectives and course units will be refined according the valuable feedback provided in the survey. Figure 4 summarizes the overall CS++ evaluation plan. 4. SUMMARY We described an ongoing project called CS++ that aims to expanding a CS curriculum in cybersecurity with minimum requirement of additional resources by plugging open cybersecurity courseware in the existing curriculum. The first goal of CS++ is to produce a set of open courseware units, which altogether deliver a comprehensive view of cybersecurity knowledge. Each courseware unit covers a special topic of cybersecurity technology and can be plugged in one or multiple related CS courses. After being plugged with the open courseware units, a typical CS curriculum is turned to a CS++ curriculum with comprehensive coverage of cybersecurity knowledge. The second goal of CS++ project is to evaluate the effectiveness of the open courseware from different perspectives, including learning objectives, student success, and courseware adoptions. The direct impact of the CS++ project is that a wide range of higher education institutions with limited resources will be able to expand their undergraduate CS curriculum in

5 cybersecurity, such that a larger population of future computing technology creators will be equipped with comprehensive knowledge in cybersecurity. In a broader sense, the CS++ project explores a way to deliver critical education to underrepresented groups in higher education by leveraging cloud computing technology. The CS++ project also seeks to build a nice interface between high schools and institutions of higher education such that a greater number of high school graduates will be attracted to critical areas of college study. 5. REFERENCES [1] Internet Crime Complain Report Center, DOI = [2] Cybersecurity: Everyone s Responsibility, DOI= [3] One, A Smashing the Stack for Fun and Profit, Phrack Magazine, 7, 49 (Nov.1996). DOI= [4] Gollmann, D Computer Security, Wiley, 3 rd Edition. [5] Stamp, M Information Security: Principles and Practice, Wiley, 2 nd Edition. [6] Du, W., Teng, Z., and Wang, R SEED: A Suite for Instructional Laboratories for Computer Science Education. In Proc. of ACM Special Interest Group on Computer Science Education (Kentucky, USA, Mach 2007). [7] White, G., Marti, W., and Huson, M Incorporating Security Issues Throughout the Computer Science Curriculum. Journal of Computing Sciences, 19, 5 (May 2004), [8] Yasinsac, A Information Security Curricula in Computer Science Departments: Theory and Practice. The George Washington University Journal of Information Security. 1, 2 (2002). [9] Bishop, M. and Taylor, C A Critical Analysis of the Centers of Academic Excellence Programs. In Proc. of the 13 th Colloquium for Information Systems Security Education (Seattle, WA., June 2009). [10] Locasto, M. and Sinclair, S An Experience Report on Undergraduate Cyber-Security Education and Outreach. In Proc. of the 2 nd Annual Conference on Education in Information Security (Ames, IA., February 2009). [11] Rig and Gera, Advances in format string exploitation, Phrack Magazine, 59, 7 (2012). [12] SQL Injection OWASP. DOI= [13] Cross-site Scripting (XSS). DOI= [14] Cross-Site Request Forgery (CSRF). DOI= Site_Request_Forgery_(CSRF) [15] Yasinac, A. and Burmester, M. Centers of Academic Excellence: A Case Study. IEEE Security and Privacy. 3, 1, (January 2005), [16] Taylor, C. and Alves-Foss, J An Academic Perspective on the CNSS Standards: A Survey. In Proceedings of the 10 th Colloquium for Information Systems Security Education (Adelphi, MD., June 2006). [17] Bishop, M Academia and Education in Information Security: Four Years Later. In Proceedings of the Fourth National Colloquium on Information System Security Education (May 2000) [18] Logan, Y. and Clarkson, A Teaching students to hack: curriculum issues in information security. In Proceedings of the 36 th ACM SIGCSE technical symposium on Computer science education (New York, NY., 2005) [19] Mateti, P A laboratory-based course on internet security. In Proceedings of the 34 th ACM SIGCSE Technical Symposium on Computer Science Education( New York, NY, 2003) [20] Pashel, A Teaching Students to Hack: Ethical Implications in Teaching Students to Hack at the University Level. In Proceedings of the 3 rd ACM Annual Conference on Information Security Curriculum Development( New York, NY., 2006) [21] Hentea, M., Dhillon, H. and Dhillon, M Towards Changes in Information Security Education. Journal of Information Technology Education, 5 (2006) [22] Shahriar, H. and Zulkernine, M Mitigation of Program Security Vulnerabilities: Approaches and Challenges. ACM Computing Surveys (CSUR). 44, 3 (May 2012), [23] Shahriar, H. and Zulkernine, M A Fuzzy Logic-based Buffer Overflow Vulnerability Auditor. In Proc. of the 9th IEEE International Conference on Dependable, Autonomic and Secure Computing (Sydney, Australia, December 2011), [24] Shahriar, H. and Zulkernine, M MUSIC: Mutationbased SQL Injection Vulnerability Checking. In Proc. of the 8th International Conference on Quality Software (London, August 2008), [25] Shahriar, H. and Zulkernine, M S2XS2: A Server Side Approach to Automatically Detect XSS Attacks. In Proc. of the 9th IEEE International Conference on Dependable, Autonomic and Secure Computing (Sydney, Australia, December 2011), [26] Shahriar, H. and Zulkernine, M Client-Side Detection of Cross-Site Request Forgery Attacks. In Proc. of the 21st IEEE International Symposium on Software Reliability Engineering (San Jose, USA, November 2010), [27] Xen Cloud Platform. DOI= [28] OpenStack Folsom Architecture. DOI= [29] Tate, J., Beck, P., Ibarra, H., Kumaravel, S. and Miklas, L Introduction to Storage Area Networks and System Networking, IBM Redbooks, 5 th Edition, DOI= [30] Bachelor of Science in Computer Science with Threads, Georgia Institute of Technology. DOI= eads.php

6 Table 1: Courseware Unit M7.1: Input Validation Table 2. The relationship among test questions/assignments, CLOs, and PLOs