Courses

Core Courses

14-740: Fundamentals of Telecommuncation Networks

14-740 is a graduate-level, first-course in computer and telecommunication networks. There is no pre-requisite of an undergraduate equivalent, but basic computer, programming and probability theory background is required.

The primary objective of this course is for you to learn the fundamental principles underlying computer and telecommunication networks. Using a top-down approach, we will cover topics in the application, transport, network and link layers of the protocol stack. We will also go over advanced topics, including network management, traffic engineering, and router internals. Besides learning about the nuts and bolts, you will gain an understanding as well in engineering tradeoffs made and design principles used in computer and telecommunication networks. Another objective is for you to apply some of this knowledge in the context of systems projects. We will follow an aggressive pace in this course.

14-741: Intro to Information Security

The growing importance of information systems, and their use to support safety-critical applications, has made information security a central issue for modern systems. The course introduces the technical and policy foundations of information security. The main objective of the course is to enable students to reason about information systems from a security engineering perspective. Topics covered in the course include elementary cryptography; access control; common software vulnerabilities; common network vulnerabilities; digital rights management; policy and export control law; privacy; management and assurance; and special topics in information security. Prerequisites: The course assumes a basic working knowledge of computers, networks, C and UNIX programming, as well as an elementary mathematics background, but does not assume any prior exposure to topics in computer or communications security.

14-815: Special Topics: Advanced Elements of Network Security

This course offers the opportunity to explore in depth some pressing issues that are plaguing the Internet, as well as strengthen the understanding of how economics and usability, touched on by previous courses, are inextricable from security issues, making them extremely difficult to solve. The course is also aimed at fast-tracking students who are interested in doing research in the areas covered, namely phishing, distributed denial-of-service (DDoS) attacks including its economic counterpart (eDDoS) and web application security, by providing a broad coverage of existing research, a summary of the root causes, reasons why problems are difficult and the pros/cons of different approaches explored thus far.

95-750: Security Architecture and Analysis

Growing societal dependence on large-scale, highly distributed network systems amplifies the consequences of intrusion and compromise. Such systems face security threats that continue to grow in sophistication and scope. System architectures must incorporate security capabilities to deal with these threats. These capabilities include such techniques as boundary control, security protocols, encryption, authentication, intrusion detection, multi-level security and network partitioning.

This course provides you with analytical methods to assess and improve system security and survivability. Topics covered include architecture fundamentals, security and survivability methods, and development of secure and survivable systems. Architecture analysis and trade-offs can assess the relative merits of security strategies for particular environments of system use. In addition, systems must be analyzed and designed for survivability of critical mission functions. The Survivable Network Analysis method is used to evaluate and improve survivability.

Development of secure and survivable architectures likewise requires rigorous software engineering methods to ensure reliable implementation of security strategies. Relevant topics include fundamentals of system architecture representation, definition, and analysis, system survivability analysis, security threats and architecture strategies, and security architecture implementation and lifecycle management. An additional major component of the course is a team project that may require programming. Prerequisites: 14-741: Intro to Information Security

95-756: Information Security Risk Analysis

This course assumes a basic grounding in statistics and elementary economics. This course approaches information security as a management problem, where the organization has to decide on how much to spend on information security and how, and trade off information security risks with other risks. Students will learn analytical tools for calculating the costs and benefits of investment security decisions, and how to calculate the return on investments in a hands-on setting. Additional topics covered include a brief introduction to commercially available tools for risk management, an introduction to vulnerability management, risk aversion and insurance. Learning objectives: Upon completion of this course students will understand:

• Basic understanding of information security risks and the need to manage them.
• Key economic concepts in uncertainty, decision making, insurance and risk management framework.
• How to calculate ROI on a security investment.

95-757: Information Security Risk Policy and Management

The goal of this course is to provide an overview of the security marketplace, an understanding of decision making when multiple parties are involved and the role of policy making in the context of information security. Policy is treated broadly and need not be necessarily government laws and regulations. Policy can be intra-organization. For example, it is an organization policy to disconnect an unpatched computer from its network. We will discuss the role of market and competition on security provision and then some of the key causes of market failure, namely externalities. We will then analyze how various policy tools can be applied to mitigate market failure. We will also discuss some key laws and regulation on product liability, and security standards. The course also aims to provide an overview of security industry (that is key trends, technologies and various strategies by vendors and users) as well. By the end of the course, the students are expected to know key managerial and policy issues surrounding information security provision and when and how policy intervention is needed.

95-760: Decision Making Under Uncertainty

During the past years, business people discovered that one of the most effective ways to evaluate decision alternatives involves using electronic spreadsheets to build a computer model of a given decision problem. A computer model is a set of mathematical relationships and logical assumptions implemented in a computer as a representation of some real-world decision problem. As a potential business decision maker, you will learn how to analyze decision alternatives before having to choose a specific plan for implementation. This course introduces you a set of techniques from the field of management science that can be applied to assist in decision making process. It is an advanced course which requires sufficient statistics background. Prerequisites: 95-796 Statistics for IT Managers.

95-796: Statistics for IT Managers

This introductory course in data analysis and statistical inference requires no background in statistics. Its objective is to provide individuals who aspire to enter management positions in firms that use the Internet to market and serve its clients with the basic statistical tools for analyzing and interpreting internet data. The course is divided into three distinct components: descriptive statistics, fundamentals of statistical inference, and regression analysis. The emphasis of the classes on descriptive statistics is the calculation and interpretation of summary statistical measures for describing raw data. The sessions on fundamentals of statistical inferences are designed to provide you with the background for executing and interpreting hypothesis tests and confidence intervals. The latter half of the course focuses on regression analysis, a widely used statistical methodology. Throughout the course you will regularly analyze internet data using the statistical software package Minitab. Prerequisites: none.

Electives

14-742: Security in Networked Systems

Some of today's most damaging attacks on computer systems involve exploitation of network infrastructure, either as the target of attack or as a vehicle to advance attacks on end systems. This course provides an in-depth study of network attack techniques and methods to defend against them. Topics include network- and transport-layer attacks and defenses; network intrusion detection; denial of service (DoS) and distributed denial-of-service (DDoS) detection and reaction; worm and virus propagation; tracing the source of attacks; traffic analysis; techniques for hiding the source or destination of network traffic; secure routing protocols; content poisoning attacks; and advanced techniques for reacting to network attacks. Prerequisites: Students must have passed Introduction to Information Security (14-741) and Fundamentals of Telecommunication Networks (14-740), or an equivalent set of courses offered at Carnegie Mellon (e.g., 18-730 and 15-441). In addition, solid background in C and UNIX programming will prove helpful for the several assignments this course involves. Please check with the instructor directly if you are concerned about the requirements.

14-747: Predictable Professional Performance

This course provides the student an opportunity to develop an insight into their own development productivity and quality capabilities in quantitative terms. It allows them to improve their skills through repeated use of a defined approach. Having only qualitative information about one's capabilities (e.g. I'm reasonably fast and my code does not have that many defects) does not equate to being able to make business commitments that are easily honored. A "real" professional should be able to analyze requirements and then provide a solid work effort estimate in order to produce a product. For example, being able to answer the questions "How long will it take?", "How much will it cost?", and "What problems am I likely to experience?". The main objective of the course is to enable students with the skills they need to answer these questions.

14-761: Applied Information Assurance

This class focuses on practical applications of Information Security/Assurance policies and technologies in enterprise network environments. The course will include lecture and demonstrations, but is designed around a virtual lab environment that provides for robust and realistic hands-on experiences in dealing with a range of information assurance topic areas. Students will be provided numerous opportunities to apply information security practices and technologies to solve real world I.A. problems. This course requires students to have a Windows XP Professional computer and VMWare Workstation 4.5.

14-810: Speical Topics: Information Security Warfare

This course covers the security strategies and tactics in the application to knowing your enemy and the defense of information. The course contents consist of topics relating to defense strategies of information networks and hosts against attacks, including understanding, recognition and defense strategy to attacks and warfare.

18-732: Secure Software Systems

Poor software design and engineering are the root causes of most security vulnerabilities in deployed systems today. Moreover, with code mobility now commonplace -- particularly in the context of web technologies and digital rights management -- system designers are increasingly faced with protecting hosts from foreign software and protecting software from foreign hosts running it. This class takes a close look at software as a mechanism for attack, as a tool for protecting resources, and as a resource to be defended. Topics covered include the software design process; choices of programming languages, operating systems, databases and distributed object platforms for building secure systems; common software vulnerabilities, such as buffer overflows and race conditions; auditing software; proving properties of software; software and data watermarking; code obfuscation; tamper resistant software; and the benefits of open and closed source development. Prerequisites: Introduction to Information Security (14-741).

18-733: Applied Cryptography

This course covers materials of modern applied cryptography that are appropriate for information assurance specialists. Applications and their current status of security are primarily focused. Topics include (but are not limited to) provable security, symmetric encryption, asymmetric encryption, one-way functions (aka hashing), digital signature, Public Key Infrastructure, and cryptographic applications for the Internet. As a result of completing this course, students are able to specifically identify cryptographic technologies and their current status concerning security (i.e. how secure or vulnerable they are), and they are able to present the concepts to various types of audiences. Besides the lectures, students engage in "hands-on" assignments that require some programming, discussions concerning the current status of security for selected cryptographic technologies, and practical small lectures on selected cryptographic applications for the Internet. Prerequisites: Introduction to Information Security (14-741).

90-758: Ethics and Public Policy

This course will introduce students to the basic concepts, principles and theories of ethics and demonstrate the role that these might play in the formation of public policy. The course will also survey various social issues, explore current policies that deal with them and subject these policies to an ethics analysis. Among such issues that will be so addressed are: reproductive rights matters, end-of-life decisions, the death penalty, questions about free speech, information technology, pornography, social and economic justice and policy considerations dealing with environmental issues. The overall aim of the course is to assist students in developing their critical thinking skills and to persuasively argue their position on the ethics of individual public policy programs.

95-703: Database Management

Database systems are ubiquitous in today's society, and are an essential productivity tool. The ability to store, access, and manage data in such systems is becoming more and more critical for any organization. Therefore, databases are central to most organizations information system strategies. At any organizational level, users can expect to have frequent contact with database systems. Therefore, skill in using such systems' understanding their capabilities and limitations, knowing how to access data directly or through technical specialists, knowing how to effectively use the information that such systems can provide, and ability in designing new systems and related applications is a distinct advantage and necessity today. The Relational Database Management System (RDBMS) is the predominant type of database systems these days, and is the primary focus of this course.

95-705: Telecommunications Management

This course will help students to understand the technical, business, and industry fundamentals necessary for the effective management of organizations that develop, operate, and/or use telecommunications. These issues will be explored in the context of the decisions they influence in areas of strategic telecommunications planning, developing and deploying business applications, procuring and delivering services, and managing technical personnel and processes. Topics will include the underlying technical fundamentals of voice and data networks, the protocols and services built from those fundamentals, industry and regulatory structures and practices, and practical questions that arise from these issues.

The goals are for students to understand the telecommunications technology and industry well enough to make intelligent short-term and long-term business and technical decisions, and to manage technical people wisely and effectively.

95-710: Economic Analysis

Economic analysis is critical to successful management of technology, including information technology. Whether you are interested in managing the information resources and technology inside an organization or in formulating a strategy for electronic commerce, the set of tools and analytical perspectives that economics provides play a vital role. The key unifying theme is the analysis of trade-offs in allocating scarce resources, how markets affect these trade-offs and allocate resources and rewards, and the implications of externalities.

After a quick review of the theory of consumer choice and the theory of production, where we will develop the analytical tools, we shall proceed to apply them. We shall study a variety of topics including the pricing of information goods and price discrimination, investment decision making, competition and competitive strategy, markets for information goods and the structure of such markets.

95-728: Introduction to Electronic Commerce

The internet, and associated technologies, are now an established element of the IT portfolio of organizations in both the public and private sectors. This course will discuss the two themes that have emerged, the emergence of services delivered over the Internet and the related policy issues. This course will provide students with an overview of technology infrastructure, management, and policy of electronic commerce.

95-835: Advanced Topics in Data Privacy

A philosophical debate about the notion of privacy has been going on for many years. Following the debate, a set of interesting issues are as follows: What is privacy? What is the relationship between security and privacy. Why do we need protect data privacy? How to achieve privacy? The goal of the work presented in this course is to explore computational techniques for releasing useful information in such a way that data privacy cannot be violated. We begin by defining the notion of privacy and demonstrating ways to learn private information from available information. We then provide a formal framework for privacy enhancing technologies. We formally define and present various models of protection. We discuss the strengths and weaknesses of these protection models and provide real-world examples. After that, we will discuss privacy enhancement from the economic, legal, and policy aspects. Finally, we will introduce cutting-edge privacy-preserving frameworks such as privacy-preserving data mining systems.