
EMPLOYEE OF ANOTHER UNIVERSITY at: Dipartimento di Ingegneria "Enzo Ferrari"


2017 - A Probabilistic Logic of Cyber Deception [Journal article]
Jajodia, Sushil; Park, Noseong; Pierazzi, Fabio; Pugliese, Andrea; Serra, Edoardo; Simari, Gerardo I.; Subrahmanian, V. S.

Malicious attackers often scan nodes in a network in order to identify vulnerabilities that they may exploit as they traverse the network. In this paper, we propose that the system generates a mix of true and false answers in response to scan requests. If the attacker believes that all scan results are true, then he will be on a wrong path. If he believes some scan results are faked, he would have to expend time and effort in order to separate fact from fiction. We propose a probabilistic logic of deception and show that various computations are NP-hard. We model the attacker's state and show the effects of faked scan results. We then show how the defender can generate fake scan results in different states that minimize the damage the attacker can produce. We develop a Naive-PLD algorithm and a Fast-PLD heuristic algorithm for the defender to use and show experimentally that the latter performs well in a fraction of the run time of the former. We ran detailed experiments to assess the performance of these algorithms and further show that by running Fast-PLD off-line and storing the results, we can very efficiently answer run-time scan requests.

2017 - Detection and Threat Prioritization of Pivoting Attacks in Large Networks [Journal article]
Apruzzese, Giovanni; Pierazzi, Fabio; Colajanni, Michele; Marchetti, Mirco

Several advanced cyber attacks adopt the technique of "pivoting", through which attackers create a command propagation tunnel through two or more hosts in order to reach their final target. Identifying such malicious activities is one of the toughest research problems because of several challenges: command propagation is a rare event that cannot be detected through signatures, the huge amount of internal communications facilitates attackers' evasion, and timely pivoting discovery is computationally demanding. This paper describes the first pivoting detection algorithm that is based on network flow analyses, does not rely on any a-priori assumption on protocols and hosts, and leverages an original problem formalization in terms of temporal graph analytics. We also introduce a prioritization algorithm that ranks the detected paths on the basis of a threat score, thus letting security analysts investigate just the most suspicious pivoting tunnels. Feasibility and effectiveness of our proposal are assessed through a broad set of experiments that demonstrate its higher accuracy and performance against related algorithms.

2017 - EC2: Ensemble Clustering & Classification for predicting Android malware families [Journal article]
Chakraborty, Tanmoy; Pierazzi, Fabio; Subrahmanian, V. S.

As the most widely used mobile platform, Android is also the biggest target for mobile malware. Given the increasing number of Android malware variants, detecting malware families is crucial so that security analysts can identify situations where signatures of a known malware family can be adapted as opposed to manually inspecting behavior of all samples. We present EC2 (Ensemble Clustering and Classification), a novel algorithm for discovering Android malware families of varying sizes - ranging from very large to very small families (even if previously unseen). We present a performance comparison of several traditional classification and clustering algorithms for Android malware family identification on DREBIN, the largest public Android malware dataset with labeled families. We use the output of both supervised classifiers and unsupervised clustering to design EC2. Experimental results on both the DREBIN and the more recent Koodous malware datasets show that EC2 accurately detects both small and large families, outperforming several comparative baselines. Furthermore, we show how to automatically characterize and explain unique behaviors of specific malware families, such as FakeInstaller, MobileTx, Geinimi. In short, EC2 presents an early warning system for emerging new malware families, as well as a robust predictor of the family (when it is not new) to which a new malware sample belongs, and the design of novel strategies for data-driven understanding of malware behaviors.

2017 - Scalable architecture for online prioritization of cyber threats [Conference proceedings paper]
Pierazzi, Fabio; Apruzzese, Giovanni; Colajanni, Michele; Guido, Alessandro; Marchetti, Mirco

This paper proposes an innovative framework for the early detection of several cyber attacks, where the main component is an analytics core that gathers streams of raw data generated by network probes, builds several layer models representing different activities of internal hosts, and analyzes intra-layer and inter-layer information. The online analysis of internal network activities at different levels distinguishes our approach from most detection tools and algorithms, which focus on separate network levels or on interactions between internal and external hosts. Moreover, the integrated multi-layer analysis carried out through parallel processing reduces false positives and guarantees scalability with respect to the size of the network and the number of layers. As a further contribution, the proposed framework executes autonomous triage by assigning a risk score to each internal host. This key feature allows security experts to focus their attention on the few hosts with higher scores rather than wasting time on thousands of daily alerts and false alarms.

2016 - Analysis of high volumes of network traffic for Advanced Persistent Threat detection [Journal article]
Marchetti, Mirco; Pierazzi, Fabio; Colajanni, Michele; Guido, Alessandro

Advanced Persistent Threats (APTs) are the most critical menaces to modern organizations and the most challenging attacks to detect. They span over long periods of time, use encrypted connections and mimic normal behaviors in order to evade detection based on traditional defensive solutions. We propose an innovative approach that is able to efficiently analyze high volumes of network traffic to reveal weak signals related to data exfiltrations and other suspect APT activities. The final result is a ranking of the most suspicious internal hosts; this rank allows security specialists to focus their analyses on a small set of hosts out of the thousands of machines that typically characterize large organizations. Experimental evaluations in a network environment consisting of about 10K hosts show the feasibility and effectiveness of the proposed approach. Our proposal based on security analytics paves the way to novel forms of automatic defense aimed at early detection of APTs in large and continuously varying networked systems.

2016 - Countering Advanced Persistent Threats through Security Intelligence and Big Data Analytics [Conference proceedings paper]
Marchetti, Mirco; Pierazzi, Fabio; Guido, Alessandro; Colajanni, Michele

Advanced Persistent Threats (APTs) represent the most challenging threats to the security and safety of the cyber landscape. APTs are human-driven attacks backed by complex strategies that combine multidisciplinary skills in information technology, intelligence, and psychology. Defending large organisations with tens of thousands of hosts requires similar multi-factor approaches. We propose a novel framework that combines different techniques based on big data analytics and security intelligence to support human analysts in prioritising the hosts that are most likely to be compromised. We show that the collection and integration of internal and external indicators represents a step forward with respect to the state of the art in the field of early detection and mitigation of APT activities.

2016 - Exploratory security analytics for anomaly detection [Journal article]
Pierazzi, Fabio; Casolari, Sara; Colajanni, Michele; Marchetti, Mirco

The huge number of alerts generated by network-based defense systems prevents detailed manual inspection of security events. Existing proposals for automatic alert analysis work well in relatively stable and homogeneous environments, but in modern networks, which are characterized by extremely complex and dynamic behaviors, understanding which approaches can be effective requires exploratory data analysis and descriptive modeling. We propose a novel framework for automatically investigating temporal trends and patterns of security alerts with the goal of understanding whether and which anomaly detection approaches can be adopted for identifying relevant security events. Several examples referring to a real large network show that, despite the high intrinsic dynamism of the system, the proposed framework is able to extract relevant descriptive statistics that make it possible to determine the effectiveness of popular anomaly detection approaches on different alert groups.

2015 - The network perspective of cloud security [Conference proceedings paper]
Pierazzi, Fabio; Balboni, Andrea; Guido, Alessandro; Marchetti, Mirco

The cloud computing paradigm has become really popular, and its adoption is constantly increasing. Hence, network activities and security alerts related to cloud services are also increasing and are likely to become even more relevant in the upcoming years. In this paper, we propose the first characterization of real security alerts related to cloud activities and generated by a network sensor at the edge of a large network environment over several months. Results show that the characteristics of cloud security alerts differ from those that are not related to cloud activities. Moreover, alerts related to different cloud providers exhibit peculiar and different behaviors that can be identified through temporal analyses. The methods and results proposed in this paper are useful as a basis for the design of novel algorithms for the automatic analysis of cloud security alerts that can be aimed at forecasting, prioritization, anomaly and state-change detection.

2014 - Efficient detection of unauthorized data modification in cloud databases [Conference proceedings paper]
Ferretti, Luca; Pierazzi, Fabio; Colajanni, Michele; Marchetti, Mirco; Missiroli, Marcello

Cloud services represent an unprecedented opportunity, but their adoption is hindered by confidentiality and integrity issues related to the risks of outsourcing private data to cloud providers. This paper focuses on integrity and proposes an innovative solution that allows cloud tenants to detect unauthorized modifications to outsourced data while minimizing storage and network overheads. Our approach is based on encrypted Bloom filters, and is designed to allow efficient integrity verification for databases stored in the cloud. We assess the effectiveness of the proposal as well as its performance improvements with respect to existing solutions by evaluating storage and network costs.

2014 - Performance and cost evaluation of an adaptive encryption architecture for cloud databases [Journal article]
Ferretti, Luca; Pierazzi, Fabio; Colajanni, Michele; Marchetti, Mirco

The cloud database as a service is a novel paradigm that can support several Internet-based applications, but its adoption requires the solution of information confidentiality problems. We propose a novel architecture for adaptive encryption of public cloud databases that offers an interesting alternative to the trade-off between the required data confidentiality level and the flexibility of the cloud database structures at design time. We demonstrate the feasibility and performance of the proposed solution through a software prototype. Moreover, we propose an original cost model that is oriented to the evaluation of cloud database services in plain and encrypted instances and that takes into account the variability of cloud prices and tenant workload during a medium-term period.

2014 - Scalable architecture for multi-user encrypted SQL operations on cloud database services [Journal article]
Ferretti, L.; Pierazzi, F.; Colajanni, M.; Marchetti, M.

The success of the cloud database paradigm is strictly related to strong guarantees in terms of service availability, scalability and security, but also of data confidentiality. Any cloud provider assures the security and availability of its platform, while the implementation of scalable solutions to guarantee confidentiality of the information stored in cloud databases is an open problem left to the tenant. Existing solutions address some preliminary issues through SQL operations on encrypted data. We propose the first complete architecture that combines data encryption, key management, authentication and authorization solutions, and that addresses the issues related to typical threat scenarios for cloud database services. Formal models describe the proposed solutions for enforcing access control and for guaranteeing confidentiality of data and metadata. Experimental evaluations based on standard benchmarks and real Internet scenarios show that the proposed architecture also satisfies scalability and performance requirements.

2014 - Security and privacy of location-based services for in-vehicle device systems [Conference proceedings paper]
Missiroli, Marcello; Pierazzi, Fabio; Colajanni, Michele

Location-based services relying on in-vehicle devices are becoming so common that it is likely that, in the near future, devices of some sort will be installed on new vehicles by default. The pressure for a rapid adoption of these devices and services is not yet counterbalanced by an adequate awareness of system security and data privacy issues. For example, service providers might collect, process and sell data belonging to cars, drivers and locations to a plethora of organizations that may be interested in acquiring such personal information. We propose a comprehensive scenario describing the entire process of data gathering, management and transmission related to in-vehicle devices, and for each phase we point out the most critical security and privacy threats. By referring to this scenario, we can outline issues and challenges that should be addressed by the academic and industry communities for a correct adoption of in-vehicle devices and related services.

2013 - Security and Confidentiality Solutions for Public Cloud Database Services [Conference proceedings paper]
Ferretti, Luca; Pierazzi, Fabio; Colajanni, Michele; Marchetti, Mirco

The users' perception that the confidentiality of their data is endangered by internal and external attacks is limiting the diffusion of public cloud database services. In this context, the use of cryptography is complicated by high computational costs and restrictions on the SQL operations supported over encrypted data. In this paper, we propose an architecture that takes advantage of adaptive encryption mechanisms to guarantee at runtime the best level of data confidentiality for any type of SQL operation. We demonstrate through a large set of experiments that these encryption schemes represent a feasible solution for achieving data confidentiality in public cloud databases, even from a performance point of view.