EECS 395, 495: Advanced and Persistent Threats (APT)

Quarter Offered: None


BRIEF OVERVIEW: Research on detecting intrusions flourished in the 80s and 90s. Post-2000, most security research has focused on software hardening and offensive research. Meanwhile, the threat landscape has changed considerably, leading to several high-profile intrusion and data exfiltration incidents. This has led to a renewed interest in intrusion detection methods.

An Advanced and Persistent Threat (APT) is a form of intrusion activity targeted at a specific enterprise and aimed at data exfiltration. APTs have been the focus of cyber-criminals as well as state actors. The recent Chinese and Russian cyber-espionage operations are instances of APTs that are well documented in the literature.

While traditional IDS methods (including signature-based and anomaly-based methods) are not a good match for the longitudinal characteristics of APTs, there is light at the end of the tunnel in the form of detection methods that leverage recent advances in information flow analysis as well as data analytics. This will be the main theme explored in this class.

To the best of the faculty members’ knowledge, this will be the **first** course specifically devoted to this topic that is offered in any university in the US or elsewhere.

  • Approved for Systems Depth and Security Depth in the CS curriculum in McCormick and Weinberg

COURSE INSTRUCTORS: Prof. Yan Chen & Prof. Venkat Venkatakrishnan (UIC)

SYNOPSIS: This course will examine methods for APT detection by introducing various topics in the broad areas of intrusion detection, alert correlation, containment and recovery. Simultaneously, more foundational topics on information flow analysis and graph analytics will be covered.

FORMAT & SCHEDULE: This class will meet 12-3pm each Tuesday. Students will be assigned required readings for each class (made available on the first day of class), and the faculty member will summarize the essence of the reading in a lecture. This will be followed by a critical discussion of the specific topic. Participants will be assigned to red or blue teams: red teams critically examine the attack aspects of defense papers, and blue teams critically examine the defense aspects of attack papers.

TOPIC LIST AND HOURS:

  • Course introduction, logistics and discussion of APTs – 3 hours
  • More APT scenarios and the state of the art in defenses – 3 hours (survey of the state of the art in academia as well as industry)
  • Intrusion detection methods – 9 hours (sensing and alert correlation, anomaly detection, control flow models, data flow models)
  • Information flow based tracking – 6 hours (tracking data flows and provenance, tracking system efficiency and correctness issues, attack detection)
  • Machine learning and data analytics fundamentals – 6 hours (survey of statistical methods and graph analytics in the context of security problems)
  • Research project discussion – 3 hours


PREREQUISITES:

  • EECS 213 (Introduction to Systems) or EECS 205/231 required
  • EECS 321 (Programming Languages) and EECS 322 (Compiler) highly recommended
  • EECS 354 or 343 (Operating Systems) highly recommended

EVALUATION: There will be regularly assigned readings for each class. A critical written review of the papers (in a suggested format) will be assigned as homework at the beginning of each class. This will constitute about 30% of the grade. The remaining 70% of the grade will come from an evaluation of the student’s class project. There will be no exams, and TA support is not expected.

OTHER INFORMATION: This course will be co-taught by Venkat, Professor at Northwestern’s Chicago campus.  Students are expected to form small groups to collaborate on the class project, and groups composed of students from both UIC and Northwestern will be encouraged for cross-pollination of ideas.

The class will be held at a location on Northwestern’s downtown campus. UIC’s students will take public transportation to the downtown location, and students from the Evanston campus will take the inter-campus shuttle.

Northwestern runs on a quarter system and UIC runs on a semester system, which is expected to last 5 more weeks beyond Northwestern’s term. After the end of Northwestern’s term, instruction will resume at UIC’s campus location. UIC’s students will be expected to complete a preliminary version of the project by the 10th week and, based on the feedback received from the instructors, pursue the project to completion by the end of the semester.