Nuova ricerca


Professore Associato
Dipartimento di Ingegneria "Enzo Ferrari"

Home | Curriculum(pdf) | Didattica |


2023 - A Framework for Automating Security Assessments with Deductive Reasoning [Relazione in Atti di Convegno]
Andreolini, M.; Artioli, A.; Ferretti, L.; Marchetti, M.; Colajanni, M.; Righi, C.

Proper testing of hardware and software infrastructure and applications has become mandatory. To this purpose, security researchers and software companies have released a plethora of domain specific tools, libraries and frameworks that assist human operators (penetration testers, red teamers, bug hunters) in finding and exploiting specific vulnerabilities, and orchestrating the activities of a security assessment. Most tools also require minor reconfigurations in order to operate properly with isomorphic systems, characterized by the same exploitation path even in presence of different configurations. In this paper we present a human-assisted framework that tries to overcome the aforementioned limitations. Our proposal is based on a Prolog-based expert system with facts and deductive rules that allow to infer new facts from existing ones. Rules are bound to actions whose results are fed back into the knowledge base as further facts. In this way, a security assessment is treated like a theorem that has to be proven. We have built an initial prototype and evaluated it in different security assessments of increasing complexity (jeopardy and boot-to-root machines). Our preliminary results show that the proposed approach can address the following challenges; (a) reaching non-standard goals (which would be missed by most tools and frameworks); (b) solving isomorphic systems without the need for reconfiguration; (c) identifying vulnerabilities from chained weaknesses and exposures.

2023 - ARGANIDS: A novel Network Intrusion Detection System based on adversarially Regularized Graph Autoencoder [Relazione in Atti di Convegno]
Venturi, A.; Ferrari, M.; Marchetti, M.; Colajanni, M.

Machine Learning (ML) algorithms are largely adopted in modern Network Intrusion Detection Systems (NIDS). The most recent researches propose the use of Graph Neural Networks (GNN) to improve the detection performance. Instead of analyzing each network flow independently, these novel algorithms operate over a graph representation of the data that can take into account the network topology. This paper presents a novel NIDS based on the Adversarially Regularized Graph Autoencoder (ARGA) algorithm. Unlike existing proposals, ARGA offers several advantages as it encodes both the topological information of the graph and the node features in a compact latent representation through an un-supervised autoencoder. Moreover, it derives robust embedding through an additional regularization phase based on adversarial training. We consider also two ARGA variants, namely ARVGA for variational autoencoder and ARVGA-AX for content information reconstruction. A large experimental campaign using two public datasets demonstrates that our proposals are able to outperform other state-of-the-art GNN-based algorithms that already provide good results for network intrusion detection.

2023 - Are VANETs pseudonyms effective? An experimental evaluation of pseudonym tracking in adversarial scenario [Relazione in Atti di Convegno]
Gambigliani Zoccoli, G.; Stabili, D.; Marchetti, M.

With the increasing adoption of Vehicular Ad Hoc Networks (VANETs) for the development of Cooperative Intelligent Transportation Systems (C-ITS) many concerns regarding privacy and anonymity in VANETs have been raised by security researchers and practitioners, highlighting the need for effective mechanisms to protect sensitive information exchanged by connected vehicles. One of the first concerns is related to the vehicle's identifier, a field contained in the messages sent from the vehicle and that can be used to track the vehicle across the infrastructure, with consequent severe implications on the privacy of the driver. Consequently, VANET communications leverage short-lived pseudonyms instead of persistent vehicle's identifiers, aiming to enhance the privacy of the vehicle. Pseudonym change schemes proposed in the literature are effective in masking the real sender of a given message, but they do not guarantee privacy against attackers that can monitor and correlate multiple messages among themselves. This paper evaluates 5 different pseudonym change mechanisms against a realistic threat model. Our results demonstrate that it is possible for a realistic attacker to reliably track multiple vehicles, with minor differences across different pseudonym change schemes.

2023 - How (Not) to Index Order Revealing Encrypted Databases [Relazione in Atti di Convegno]
Ferretti, L.; Trabucco, M.; Andreolini, M.; Marchetti, M.

Order Reveling Encryption (ORE) enables efficient range queries on encrypted databases, but may leak information that could be exploited by inference attacks. State-of-the-art ORE schemes claim different security guarantees depending on the adversary attack surface. Intuitively, online adversaries who access the database server at runtime may access information leakage; offline adversaries who access only a snapshot of the database data should not be able to gain useful information. We focus on offline security of the ORE scheme proposed by Lewi and Wu (LW-ORE, CCS 2016), which guarantees semantic security of ciphertexts stored in the database, but requires that ciphertexts are maintained sorted with regard to the corresponding plaintexts to support sublinear time queries. The design of LW-ORE does not discuss how to build indexing data structures to maintain sorting. The risk is that practitioners consider indexes as a technicality whose design does not affect security. We show that indexes can affect offline security of LW-ORE because they may leak duplicate plaintext values, and statistical information on plaintexts distribution and on transactions history. As a real-world demonstration, we found two open source implementations related to academic research (JISA 2018, VLDB 2019), and both adopt standard search trees which may introduce such vulnerabilities. We discuss necessary conditions for indexing data structures to be secure for ORE databases, and we outline practical solutions. Our analyses could represent an insightful lesson in the context of security failures due to gaps between theoretical modeling and actual implementation, and may also apply to other cryptographic techniques for securing outsourced databases.

2023 - Practical Evaluation of Graph Neural Networks in Network Intrusion Detection [Relazione in Atti di Convegno]
Venturi, A.; Pellegrini, D.; Andreolini, M.; Ferretti, L.; Marchetti, M.; Colajanni, M.

The most recent proposals of Machine and Deep Learning algorithms for Network Intrusion Detection Systems (NIDS) leverage Graph Neural Networks (GNN). These techniques create a graph representation of network traffic and analyze both network topology and netflow features to produce more accurate predictions. Although prior research shows promising results, they are biased by evaluation methodologies that are incompatible with real-world online intrusion detection. We are the first to identify these issues and to evaluate the performance of a state-of-the-art GNN-NIDS under real-world constraints. The experiments demonstrate that the literature overestimates the detection performance of GNN-based NIDS. Our results analyze and discuss the trade-off between detection delay and detection performance for different types of attacks, thus paving the way for the practical deployment of GNN-based NIDS.

2022 - Comparison of Machine Learning-based anomaly detectors for Controller Area Network [Relazione in Atti di Convegno]
Venturi, A.; Stabili, D.; Pollicino, F.; Bianchi, E.; Marchetti, M.

This paper presents a comparative analysis of different Machine Learning-based detection algorithms designed for Controller Area Network (CAN) communication on three different datasets. This work focuses on addressing the current limitations of related scientific literature, related to the quality of the publicly available datasets and to the lack of public implementations of the detection solutions presented in literature. Since these issues are preventing the reproducibility of published results and their comparison with novel detection solutions, we remark that it is necessary that all security researchers working in this field start to address them properly to advance the current state-of-the-art in CAN intrusion detection systems. This paper strives to solve these issues by presenting a comparison of existing works on publicly available datasets.

2022 - DAGA: Detecting Attacks to in-vehicle networks via n-Gram Analysis [Articolo su rivista]
Stabili, D.; Ferretti, L.; Andreolini, M.; Marchetti, M.

Recent research showcased several cyber-attacks against unmodified licensed vehicles, demonstrating the vulnerability of their internal networks. Many solutions have already been proposed by industry and academia, aiming to detect and prevent cyber-attacks targeting in-vehicle networks. The majority of these proposals borrow security algorithms and techniques from the classical ICT domain, and in many cases they do not consider the inherent limitations of legacy automotive protocols and resource-constrained microcontrollers. This paper proposes DAGA, an anomaly detection algorithm for in-vehicle networks exploiting n-gram analysis. DAGA only uses sequences of CAN message IDs for the definition of the n-grams used in the detection process, without requiring the content of the payload or other CAN message fields. The DAGA framework allows the creation of detection models characterized by different memory footprints, allowing their deployment on microcontrollers with different hardware constraints. Experimental results based on three prototype implementations of DAGA showcase the trade off between hardware requirements and detection performance. DAGA outperforms the state-of-the-art detectors on the most performing microcontrollers, and can execute with lower performance on simple microcontrollers that cannot support the vast majority of IDS approaches proposed in literature. As additional contributions, we publicly release the full dataset and our reference DAGA implementations.

2022 - Modeling Realistic Adversarial Attacks against Network Intrusion Detection Systems [Articolo su rivista]
Apruzzese, Giovanni; Andreolini, Mauro; Ferretti, Luca; Marchetti, Mirco; Colajanni, Michele

2022 - Robustness Evaluation of Network Intrusion Detection Systems based on Sequential Machine Learning [Relazione in Atti di Convegno]
Venturi, A.; Zanasi, C.; Marchetti, M.; Colajanni, M.

The rise of sequential Machine Learning (ML) methods has paved the way for a new generation of Network Intrusion Detection Systems (NIDS) which base their classification on the temporal patterns exhibited by malicious traffic. Previous work presents successful algorithms in this field, but just a few attempts try to assess their robustness in real-world contexts. In this paper, we aim to fill this gap by presenting a novel evaluation methodology. In particular, we propose a new time-based adversarial attack in which we simulate a delay in the malicious communications that changes the arrangement of the samples in the test set. Moreover, we design an innovative evaluation technique simulating a worst-case training scenario in which the last portion of the training set does not include any malicious flow. Through them, we can evaluate how much sequential ML-based NIDS are sensible to modifications that an adaptive attacker might apply at temporal level, and we can verify their robustness to the unpredictable traffic produced by modern networks. Our experimental campaign validates our proposal against a recent NIDS trained on a public dataset for botnet detection. The results demonstrate its high resistance to temporal adversarial attacks, but also a drastic performance drop when even just 1% of benign flows are injected at the end of the training set. Our findings raise questions about the reliable deployment of sequential ML-NIDS in practice, and at the same time can guide researchers to develop more robust defensive tools in the future.

2022 - SixPack v2: enhancing SixPack to avoid last generation misbehavior detectors in VANETs [Relazione in Atti di Convegno]
Zoccoli, G. G.; Pollicino, F.; Stabili, D.; Marchetti, M.

This paper proposes SixPack v2, an enhanced version of the SixPack attack that allows to evade even state-of-the-art misbehavior detection systems. As the original SixPack, SixPack v2 is a dynamic attack targeting other C-ITS entities by simulating the sudden activation of the braking system with consequent activation of the Anti-lock Braking System. SixPack v2 achieves better evasion by improving the main phases of the attack (FakeBrake, Recovery, and Rejoin) through a novel path-reconstruction algorithm that generates a more realistic representation of the real vehicle trajectory. We experimentally evaluate the evasion capabilities of SixPack v2 using the F2MD framework on the LuSTMini city scenario, and we compared the detection performance of the F2MD framework on both versions of SixPack. Results show that SixPack v2 evades detection with a significantly higher likelihood with respect to the initial version of the attack, even against the latest version of F2MD.

2021 - Accountable and privacy-aware flexible car sharing and rental services [Relazione in Atti di Convegno]
Pollicino, F.; Ferretti, L.; Stabili, D.; Marchetti, M.

The transportation sector is undergoing rapid changes to reduce pollution and increase life quality in urban areas. One of the most effective approaches is flexible car rental and sharing to reduce traffic congestion and parking space issues. In this paper, we envision a flexible car sharing framework where vehicle owners want to make their vehicles available for flexible rental to other users. The owners delegate the management of their vehicles to intermediate services under certain policies, such as municipalities or authorized services, which manage the due infrastructure and services that can be accessed by users. We investigate the design of an accountable solution that allow vehicles owners, who want to share their vehicles securely under certain usage policies, to control that delegated services and users comply with the policies. While monitoring users behavior, our approach also takes care of users privacy, preventing tracking or profiling procedures by other parties. Existing approaches put high trust assumptions on users and third parties, do not consider users' privacy requirements, or have limitations in terms of flexibility or applicability. We propose an accountable protocol that extends standard delegated authorizations and integrate it with Security Credential Management Systems (SCMS), while considering the requirements and constraints of vehicular networks. We show that the proposed approach represents a practical approach to guarantee accountability in realistic scenarios with acceptable overhead.

2021 - Analysis, prevention and detection of ransomware attacks on Industrial Control Systems [Relazione in Atti di Convegno]
Santangelo, G. V.; Colacino, V. G.; Marchetti, M.

2021 - Cyber attacks and defenses: Current capabilities and future trends [Capitolo/Saggio]
Colajanni, M.; Marchetti, M.

In the new cyber landscape, the legal rules apply only to defenders. Even nonprimary countries and companies may constitute a harmful adversarial scenario for politics, military, intelligence, and enterprises. Attackers can leverage physical distance from targets, different laws, anonymity, and almost impossible attribution, known and unknown software vulnerabilities, human weaknesses, and many freely available tools. Defenders need expensive security frameworks, cyber procedures and competent people guarding vulnerable surfaces with no defined perimeters. This asymmetric scenario generates a dangerous cyber arms race where national investments focus more on aggressive tools and attackers than on defense technologies. Two emerging factors - integration of cyber-attacks with artificial intelligence and the diffusion of smart devices and autonomous vehicles - are creating an even more risky battleground where cyber security will permeate social safety. This paper analyzes the main cyber capabilities and actors involved in the past, present and visible future cyber landscape.

2021 - DReLAB - Deep REinforcement Learning Adversarial Botnet: A benchmark dataset for adversarial attacks against botnet Intrusion Detection Systems [Articolo su rivista]
Venturi, A.; Apruzzese, G.; Andreolini, M.; Colajanni, M.; Marchetti, M.

We present the first dataset that aims to serve as a benchmark to validate the resilience of botnet detectors against adversarial attacks. This dataset includes realistic adversarial samples that are generated by leveraging two widely used Deep Reinforcement Learning (DRL) techniques. These adversarial samples are proved to evade state of the art detectors based on Machine- and Deep-Learning algorithms. The initial corpus of malicious samples consists of network flows belonging to different botnet families presented in three public datasets containing real enterprise network traffic. We use these datasets to devise detectors capable of achieving state-of-the-art performance. We then train two DRL agents, based on Double Deep Q-Network and Deep Sarsa, to generate realistic adversarial samples: the goal is achieving misclassifications by performing small modifications to the initial malicious samples. These alterations involve the features that can be more realistically altered by an expert attacker, and do not compromise the underlying malicious logic of the original samples. Our dataset represents an important contribution to the cybersecurity research community as it is the first including thousands of automatically generated adversarial samples that are able to thwart state of the art classifiers with a high evasion rate. The adversarial samples are grouped by malware variant and provided in a CSV file format. Researchers can validate their defensive proposals by testing their detectors against the adversarial samples of the proposed dataset. Moreover, the analysis of these samples can pave the way to a deeper comprehension of adversarial attacks and to some sort of explainability of machine learning defensive algorithms. They can also support the definition of novel effective defensive techniques.

2021 - Hardware limitations to secure C-ITS: experimental evaluation and solutions [Articolo su rivista]
Pollicino, F.; Stabili, D.; Ferretti, L.; Marchetti, M.

Cooperative Intelligent Transportation Systems (C-ITS) improve driving experience and safety through secure Vehicular Ad-hoc NETworks (VANETs) that satisfy strict security and performance constraints. Relevant standards, such as the IEEE 1609.2, prescribe network-efficient cryptographic protocols to reduce communication latencies through a combination of the Elliptic Curve Qu-Vanstone (ECQV) implicit certificate scheme and the Elliptic Curve Digital Signature Algorithm (ECDSA). However, literature lacks open implementations and performance evaluations for vehicular systems. This paper assesses the applicability of IEEE 1609.2 and of ECQV and ECDSA schemes to C-ITSs. We release an open implementation of the standard ECQV scheme to benchmark its execution time on automotive-grade hardware. Moreover, we evaluate its performance in real road and traffic scenarios and show that compliance with strict latency requirements defined for C-ITS requires computational resources that are not met by many automotive-grade embedded hardware platforms. As a final contribution, we propose and evaluate novel heuristics to reduce the number of signatures to be verified in real C-ITS scenarios.

2021 - SixPack: Abusing ABS to avoid Misbehavior detection in VANETs [Relazione in Atti di Convegno]
Pollicino, F.; Stabili, D.; Bella, G.; Marchetti, M.

This paper presents SixPack, a cyber attack to VANET communications that is able to go undetected by the current state-of-the-art anomaly detectors. The SixPack attack is a dynamic attack conducted by an insider attacker who modifies the content of the Basic Safety Messages to pretend a sudden activation of the braking system with the consequent activation of the Anti-lock Braking System, and create a fake representation of the vehicle. The attacker then rejoins the fake representation of the vehicle with the real one, avoiding the current state-of-the-art anomaly detectors. We experimentally evaluated the evasion capabilities of the SixPack attack using the F2MD test framework on the LuST and LuSTMini city scenarios, demonstrating the ability of the attacker to generate a high percentage of false positives that prevent the attack from being detected consistently.

2021 - Towards the COSCA framework for “COnseptualing Secure CArs” [Relazione in Atti di Convegno]
Bella, G.; Biondi, P.; Costantino, G.; Matteucci, I.; Marchetti, M.

Cyber risks associated with modern cars are often referred to safety. However, modern cars expose a variety of digital services and process a variety of personal data, at least of the driver's. This paper unfolds the argument that car (cyber-)security and drivers' privacy are worthy of additional consideration, and does so by advancing “COSCA”, a framework for “COnceptualising Secure CArs” as interconnected nodes of the Next Generation Internet. COSCA adopts an innovative socio-technical approach. It crowdsources drivers' perceptions on core privacy topics and it classifies the data collected by cars and processed by manufacturers pursuant the General Data Protection Regulation. These steps inform a risk assessment which highlights the more relevant mitigation strategies and cyber security technologies. Finally, COSCA aims at designing novel interfaces to enable drivers to exercise their rights about personal data collection and processing.

2020 - A Framework for the Evaluation of Trainee Performance in Cyber Range Exercises [Articolo su rivista]
Andreolini, M.; Colacino, V. G.; Colajanni, M.; Marchetti, M.

This paper proposes a novel approach for the evaluation of the performance achieved by trainees involved in cyber security exercises implemented in modern cyber ranges. Our main contributions include: the definition of a distributed monitoring architecture for gathering relevant information about trainees activities; an algorithm for modeling the trainee activities using directed graphs; novel scoring algorithms, based on graph operations, that evaluate different aspects (speed, precision) of a trainee during an exercise. With respect to previous work, our proposal allows to measure exactly how fast a user is progressing towards an objective and where he does wrong. We highlight that this is currently not possible in the most popular cyber ranges.

2020 - An experimental analysis of ECQV implicit certificates performance in VANETs [Relazione in Atti di Convegno]
Pollicino, F.; Stabili, D.; Ferretti, L.; Marchetti, M.

Emerging Cooperative Intelligent Transportation Systems (C-ITS) enable improved driving experience and safety guarantees, but require secure Vehicular Ad-hoc NETworks (VANETs) that must comply to strict performance constraints. Specialized standards have been defined to these aims, such as the IEEE 1609.2 that uses network-efficient cryptographic protocols to reduce communication latencies. The reduced latencies are achieved through a combination of the Elliptic Curve Qu-Vantstone (ECQV) implicit certificate scheme and the Elliptic Curve Digital Signature Algorithm (ECDSA), to guarantee data integrity and authenticity. However, literature lacks implementations and evaluations for vehicular systems. In this paper, we consider the IEEE 1609.2 standard for secure VANETs and investigate the feasibility of ECQV and ECDSA schemes when deployed in C-ITSs. We propose a prototype implementation of the standard ECQV scheme to evaluate its performance on automotive-grade hardware. To the best of our knowledge, this is the first open implementation of the scheme for constrained devices that are characterized by low computational power and low memory. We evaluate its performance against C-ITS communication latency constraints and show that, although even highly constrained devices can support the standard, complying with stricter requirements demands for higher computational resources.

2020 - AppCon: Mitigating evasion attacks to ML cyber detectors [Articolo su rivista]
Apruzzese, G.; Andreolini, M.; Marchetti, M.; Colacino, V. G.; Russo, G.

Adversarial attacks represent a critical issue that prevents the reliable integration of machine learning methods into cyber defense systems. Past work has shown that even proficient detectors are highly affected just by small perturbations to malicious samples, and that existing countermeasures are immature. We address this problem by presenting AppCon, an original approach to harden intrusion detectors against adversarial evasion attacks. Our proposal leverages the integration of ensemble learning to realistic network environments, by combining layers of detectors devoted to monitor the behavior of the applications employed by the organization. Our proposal is validated through extensive experiments performed in heterogeneous network settings simulating botnet detection scenarios, and consider detectors based on distinct machine-and deep-learning algorithms. The results demonstrate the effectiveness of AppCon in mitigating the dangerous threat of adversarial attacks in over 75% of the considered evasion attempts, while not being affected by the limitations of existing countermeasures, such as performance degradation in non-adversarial settings. For these reasons, our proposal represents a valuable contribution to the development of more secure cyber defense platforms.

2020 - Deep Reinforcement Adversarial Learning against Botnet Evasion Attacks [Articolo su rivista]
Apruzzese, G.; Andreolini, M.; Marchetti, M.; Venturi, A.; Colajanni, M.

As cybersecurity detectors increasingly rely on machine learning mechanisms, attacks to these defenses escalate as well. Supervised classifiers are prone to adversarial evasion, and existing countermeasures suffer from many limitations. Most solutions degrade performance in the absence of adversarial perturbations; they are unable to face novel attack variants; they are applicable only to specific machine learning algorithms. We propose the first framework that can protect botnet detectors from adversarial attacks through deep reinforcement learning mechanisms. It automatically generates realistic attack samples that can evade detection, and it uses these samples to produce an augmented training set for producing hardened detectors. In such a way, we obtain more resilient detectors that can work even against unforeseen evasion attacks with the great merit of not penalizing their performance in the absence of specific attacks. We validate our proposal through an extensive experimental campaign that considers multiple machine learning algorithms and public datasets. The results highlight the improvements of the proposed solution over the state-of-the-art. Our method paves the way to novel and more robust cybersecurity detectors based on machine learning applied to network traffic analytics.

2020 - Detection and Threat Prioritization of Pivoting Attacks in Large Networks [Articolo su rivista]
Apruzzese, Giovanni; Pierazzi, Fabio; Colajanni, Michele; Marchetti, Mirco

Several advanced cyber attacks adopt the technique of "pivoting" through which attackers create a command propagation tunnel through two or more hosts in order to reach their final target. Identifying such malicious activities is one of the most tough research problems because of several challenges: command propagation is a rare event that cannot be detected through signatures, the huge amount of internal communications facilitates attackers evasion, timely pivoting discovery is computationally demanding. This paper describes the first pivoting detection algorithm that is based on network flows analyses, does not rely on any a-priori assumption on protocols and hosts, and leverages an original problem formalization in terms of temporal graph analytics. We also introduce a prioritization algorithm that ranks the detected paths on the basis of a threat score thus letting security analysts investigate just the most suspicious pivoting tunnels. Feasibility and effectiveness of our proposal are assessed through a broad set of experiments that demonstrate its higher accuracy and performance against related algorithms.

2020 - Glyph: Efficient ML-Based Detection of Heap Spraying Attacks [Articolo su rivista]
Pierazzi, F.; Cristalli, S.; Bruschi, D.; Colajanni, M.; Marchetti, M.

Heap spraying is probably the most simple and effective memory corruption attack, which fills the memory with malicious payloads and then jumps at a random location in hopes of starting the attacker's routines. To counter this threat, GRAFFITI has been recently proposed as the first OS-agnostic framework for monitoring memory allocations of arbitrary applications at runtime; however, the main contributions of GRAFFITI are on the monitoring system, and its detection engine only considers simple heuristics which are tailored to certain attack vectors and are easily evaded. In this article, we aim to overcome this limitation and propose GLYPH as the first ML-based heap spraying detection system, which is designed to be effective, efficient, and resilient to evasive attackers. GLYPH relies on the information monitored by GRAFFITI, and we investigate the effectiveness of different feature spaces based on information entropy and memory n-grams, and discuss the several engineering challenges we have faced to make GLYPH efficient with an overhead compatible with that of GRAFFITI. To evaluate GLYPH, we build a representative dataset with several variants of heap spraying attacks, and assess GLYPH's resilience against evasive attackers through selective hold-out experiments. Results show that GLYPH achieves high accuracy in detecting spraying and is able to generalize well, outperforming the state-of-the-art approach for heap spraying detection, NOZZLE. Finally, we thoroughly discuss the trade-offs between detection performance and runtime overhead of GLYPH's different configurations.

2020 - Hardening Random Forest Cyber Detectors Against Adversarial Attacks [Articolo su rivista]
Apruzzese, G.; Andreolini, M.; Colajanni, M.; Marchetti, M.

Machine learning algorithms are effective in several applications, but they are not as much successful when applied to intrusion detection in cyber security. Due to the high sensitivity to their training data, cyber detectors based on machine learning are vulnerable to targeted adversarial attacks that involve the perturbation of initial samples. Existing defenses assume unrealistic scenarios; their results are underwhelming in non-adversarial settings; or they can be applied only to machine learning algorithms that perform poorly for cyber security. We present an original methodology for countering adversarial perturbations targeting intrusion detection systems based on random forests. As a practical application, we integrate the proposed defense method in a cyber detector analyzing network traffic. The experimental results on millions of labelled network flows show that the new detector has a twofold value: it outperforms state-of-the-art detectors that are subject to adversarial attacks; it exhibits robust results both in adversarial and non-adversarial scenarios.

2020 - Vehicle Safe-Mode, Concept to Practice Limp-Mode in the Service of Cybersecurity [Articolo su rivista]
Dagan, Tsvika; Montvelisky, Yuval; Marchetti, Mirco; Stabili, Dario; Colajanni, Michele; Wool, Avishai

This article describes both a concept and an implementation of vehicle safe-mode (VSM) - a mechanism that may help reduce the damage of an identified cyberattack to the vehicle, its driver, the passengers, and its surroundings. Unlike other defense mechanisms that try to block the attack or simply notify of its existence, the VSM mechanism responds to a detected intrusion by limiting the vehicle’s functionality to safe operations and optionally activating additional security countermeasures. This is done by adopting ideas from the existing mechanism of Limp-mode that was originally designed to limit the damage of a mechanical, or an electrical, malfunction and let the vehicle “limp back home” in safety. Like Limp-mode, the purpose of safe-mode is to limit the vehicle from performing certain functions when conditions arise that could render full operation dangerous: Detecting a malfunction in the Limp-mode case is analogous to detecting an active cybersecurity breach in the safe-mode case, and the reactions should be analogous as well. The authors demonstrate that the VSM can be implemented, possibly even as an aftermarket add-on: to do so the authors developed a proof-of-concept (PoC) system and actively tested it in real time on an operating vehicle. Once activated, the authors' VSM system restricts the vehicle to Limp-mode behavior by guiding it to remain in low gear, taking into account the vehicle’s speed and the driver’s actions. The authors' system does not require any changes to the electronic control units (ECUs), or to any other part of the vehicle, beyond connecting the safe-mode manager (SMManager) to the correct bus. The authors note that their system can rely upon any deployed anomaly-detection system to identify the potential attack. The authors point out that restricting the vehicle to Limp-mode-like behavior by an aftermarket system is just an example. If a car manufacturer would integrate such a system into a vehicle, they would have many more options, and the resulting system would probably be safer and with a better human-machine interface.

2019 - Addressing Adversarial Attacks Against Security Systems Based on Machine Learning [Relazione in Atti di Convegno]
Apruzzese, Giovanni; Colajanni, M.; Ferretti, Luca; Marchetti, M.

2019 - Detection of missing CAN messages through inter-arrival time analysis [Relazione in Atti di Convegno]
Stabili, D.; Marchetti, M.

Recent cyber-attacks to real vehicles demonstrated the risks related to connected vehicles, and spawned several research effort aimed at proposing algorithms and architectural solutions to improve the security of these vehicles. Most of the documented attacks to the connected vehicles require the injection of maliciously forged messages to subvert the normal behaviour of the electronic microcontrollers. More recently, researchers discovered that by abusing error isolation mechanisms of the Controller Area Network (CAN), one of the protocols deployed for in-vehicle networking, it is possible to isolate a microcontroller from the vehicle internal network (namely bus-off attack), with possible severe implication on both safety and security. This vulnerability has already been exploited for gaining remote control of a vehicle, by driving a targeted microcontroller in bus-off and impersonating it through the injection of malicious messages on the CAN bus. This paper strives to counter bus-off attacks by proposing an algorithm for the detection of missing messages from the in- vehicle CAN bus. Bus-off attacks to in-vehicle network are simulated by removing messages from valid CAN traces recorded from an unmodified licensed vehicle. Experimental evaluations of our proposal and comparisons with previous work demonstrate that the proposed algorithms outperforms other detection algorithms, achieving almost perfect detection (F-score equal or near to 1.0) across different tests.

2019 - Evaluating the effectiveness of Adversarial Attacks against Botnet Detectors [Relazione in Atti di Convegno]
Apruzzese, Giovanni; Colajanni, Michele; Marchetti, Mirco

2019 - Fog-based secure communications for low-power IoT devices [Articolo su rivista]
Ferretti, L.; Marchetti, M.; Colajanni, M.

Designing secure, scalable, and resilient IoT networks is a challenging task because of resource-constrained devices and no guarantees of reliable network connectivity. Fog computing improves the resiliency of IoT, but its security model assumes that fog nodes are fully trusted. We relax this latter constraint by proposing a solution that guarantees confidentiality of messages exchanged through semi-honest fog nodes thanks to a lightweight proxy re-encryption scheme. We demonstrate the feasibility of the solution by applying it to IoT networks of low-power devices through experiments on microcontrollers and ARM-based architectures.

2019 - Message from the Program Chairs [Relazione in Atti di Convegno]
Gkoulalas-Divanis, A.; Marchetti, M.

2019 - READ: Reverse engineering of automotive data frames [Articolo su rivista]
Marchetti, M.; Stabili, D.

Security analytics and forensics applied to in-vehicle networks are growing research areas that gained relevance after recent reports of cyber-attacks against unmodified licensed vehicles. However, the application of security analytics algorithms and tools to the automotive domain is hindered by the lack of public specifications about proprietary data exchanged over in-vehicle networks. Since the controller area network (CAN) bus is the de-facto standard for the interconnection of automotive electronic control units, the lack of public specifications for CAN messages is a key issue. This paper strives to solve this problem by proposing READ: A novel algorithm for the automatic Reverse Engineering of Automotive Data frames. READ has been designed to analyze traffic traces containing unknown CAN bus messages in order to automatically identify and label different types of signals encoded in the payload of their data frames. Experimental results based on CAN traffic gathered from a licensed unmodified vehicle and validated against its complete formal specifications demonstrate that the proposed algorithm can extract and classify more than twice the signals with respect to the previous related work. Moreover, the execution time of signal extraction and classification is reduced by two orders of magnitude. Applications of READ to CAN messages generated by real vehicles demonstrate its usefulness in the analysis of CAN traffic.

2018 - A symmetric cryptographic scheme for data integrity verification in cloud databases [Articolo su rivista]
Ferretti, Luca; Marchetti, Mirco; Andreolini, Mauro; Colajanni, Michele

Cloud database services represent a great opportunity for companies and organizations in terms of management and cost savings. However, outsourcing private data to external providers leads to risks of confidentiality and integrity violations. We propose an original solution based on encrypted Bloom filters that addresses the latter problem by allowing a cloud service user to detect unauthorized modifications to his outsourced data. Moreover, we propose an original analytical model that can be used to minimize storage and network overhead depending on the database structure and workload. We assess the effectiveness of the proposal as well as its performance improvements with respect to existing solutions by evaluating storage and network costs through micro-benchmarks and the TPC-C workload standard.

2018 - Analyses of secure automotive communication protocols and their impact on vehicles life-cycle [Relazione in Atti di Convegno]
Stabili, D.; Ferretti, L.; Marchetti, M.

Modern vehicles are complex cyber physical systems where communication protocols designed for physically isolated networks are now employed to connect Internet-enabled devices. This unforeseen increase in connectivity creates novel attack surfaces, and exposes safety-critical functions of the vehicle to cyber attacks. As standard security solutions are not applicable to vehicles due to resource constraints and compatibility issues, research is proposing tailored approaches to cope with existing systems and to design next generations vehicles. In this paper we focus on solutions based on cryptographic protocols to protect in-vehicle communications and prevent unauthorized manipulation of the vehicle behaviors. Existing proposals consider vehicles as monolithic systems and evaluate performance and costs of the proposed solutions without considering the complex life-cycle of automotive components and the multifaceted automotive ecosystem that includes a large number of actors. The main contribution of this paper is a study of the impact of security solutions by considering vehicles life-cycle. We model existing proposals and highlight their impacts on vehicles production and maintenance operations by taking into consideration interactions among multiple players. Finally, we give insights on the requirements of architectures for secure intra-vehicular protocols.

2018 - Cybersecurity of Connected Autonomous Vehicles : A ranking based approach [Relazione in Atti di Convegno]
Burzio, G.; Cordella, G. F.; Colajanni, M.; Marchetti, M.; Stabili, D.

The concordant vision of the future automotive landscape foresees vehicles that are always connected to infrastructure and Cloud services, and that are equipped with autonomous driving or advanced driver assistance systems. It is clear that in a similar scenario cybersecurity of modern and future vehicles is paramount. With connected autonomous vehicles the protection from external attack will be an essential requirement, motivated by the outstanding safety implications of an autonomous vehicles remotely controlled by an attacker or a malware. However, the automotive industry still lacks reliable and repeatable methods to assess the cybersecurity level of modern cars. This paper has a twofold contribution. First, it describes the ongoing effort of regulatory bodies within the European Union toward the definition of cybersecurity certification schemes. Second, it outlines the main requirements of a cybersecurity ranking approach that is suitable for certifying the security level of connected vehicles. Since improved cybersecurity guarantees will come at the expense of increased complexity and costs, the proposed ranking approach allows to assess whether the cybersecurity level is appropriate by considering the potential safety risks of a successful attack to the ranked system or subsystem.

2018 - Message from the program chairs [Relazione in Atti di Convegno]
Gkoulalas-Divanis, A.; Correia, M. P.; Marchetti, M.; Avresky, D.

2018 - Message from the siw 2018 workshop chairs [Relazione in Atti di Convegno]
Bringer, J.; Ferretti, L.; Marchetti, M.

2018 - On the effectiveness of machine and deep learning for cyber security [Relazione in Atti di Convegno]
Apruzzese, G.; Colajanni, M.; Ferretti, L.; Guido, A.; Marchetti, M.

2017 - Anomaly detection of CAN bus messages through analysis of ID sequences [Relazione in Atti di Convegno]
Marchetti, Mirco; Stabili, Dario

This paper proposes a novel intrusion detection algorithm that aims to identify malicious CAN messages injected by attackers in the CAN bus of modern vehicles. The proposed algorithm identifies anomalies in the sequence of messages that flow in the CAN bus and is characterized by small memory and computational footprints, that make it applicable to current ECUs. Its detection performance are demonstrated through experiments carried out on real CAN traffic gathered from an unmodified licensed vehicle.

2017 - Detecting attacks to internal vehicle networks through Hamming distance [Relazione in Atti di Convegno]
Stabili, Dario; Marchetti, Mirco; Colajanni, Michele

Analysis of in-vehicle networks is an open research area that gained relevance after recent reports of cyber attacks against connected vehicles. After those attacks gained international media attention, many security researchers started to propose different algorithms that are capable to model the normal behaviour of the CAN bus to detect the injection of malicious messages. However, despite the automotive area has different constraint than classical IT security, many security research have been conducted by applying sophisticated algorithm used in IT anomaly detection, thus proposing solutions that are not applicable on current Electronic Control Units (ECUs). This paper proposes a novel intrusion detection algorithm that aims to identify malicious CAN messages injected by attackers in the CAN bus of modern vehicles. Moreover, the proposed algorithm has been designed and implemented with the very strict constraint of low-end ECUs, having low computational complexity and small memory footprints. The proposed algorithm identifies anomalies in the sequence of the payloads of different classes of IDs by computing the Hamming distance between consecutive payloads. Its detection performance are evaluated through experiments carried out using real CAN traffic gathered from an unmodified licensed vehicle.

2017 - Identifying malicious hosts involved in periodic communications [Relazione in Atti di Convegno]
Apruzzese, Giovanni; Marchetti, Mirco; Colajanni, Michele; GAMBIGLIANI ZOCCOLI, Gabriele; Guido, Alessandro

After many research efforts, Network Intrusion Detection Systems still have much room for improvement. This paper proposes a novel method for automatic and timely analysis of traffic generated by large networks, which is able to identify malicious external hosts even if their activities do not raise any alert by existing defensive systems. Our proposal focuses on periodic communications, since our experimental evaluation shows that they are more related to malicious activities, and it can be easily integrated with other detection systems. We highlight that periodic network activities can occur at very different intervals ranging from seconds to hours, hence a timely analysis of long time-windows of the traffic generated by large organizations is a challenging task in itself. Existing work is primarily focused on identifying botnets, whereas the method proposed in this paper has a broader target and aims to detect external hosts that are likely involved in any malicious operation. Since malware-related network activities can be considered as rare events in the overall traffic, the output of the proposed method is a manageable graylist of external hosts that are characterized by a considerably higher likelihood of being malicious compared to the entire set of external hosts contacted by the monitored large network. A thorough evaluation on a real large network traffic demonstrates the effectiveness of our proposal, which is capable of automatically selecting only dozens of suspicious hosts from hundreds of thousands, thus allowing security operators to focus their analyses on few likely malicious targets.

2017 - Scalable architecture for online prioritization of cyber threats [Relazione in Atti di Convegno]
Pierazzi, Fabio; Apruzzese, Giovanni; Colajanni, Michele; Guido, Alessandro; Marchetti, Mirco

This paper proposes an innovative framework for the early detection of several cyber attacks, where the main component is an analytics core that gathers streams of raw data generated by network probes, builds several layer models representing different activities of internal hosts, analyzes intra-layer and inter-layer information. The online analysis of internal network activities at different levels distinguishes our approach with respect to most detection tools and algorithms focusing on separate network levels or interactions between internal and external hosts. Moreover, the integrated multi-layer analysis carried out through parallel processing reduces false positives and guarantees scalability with respect to the size of the network and the number of layers. As a further contribution, the proposed framework executes autonomous triage by assigning a risk score to each internal host. This key feature allows security experts to focus their attention on the few hosts with higher scores rather than wasting time on thousands of daily alerts and false alarms.

2017 - Vehicle Safe-Mode, Limp-Mode in the Service of Cyber Security [Relazione in Atti di Convegno]
Dagan, Tsvika; Marchetti, Mirco; Stabili, Dario; Colajanni, Michele; Avishai, Wool

This paper describes a concept for vehicle safe-mode, that may help reduce the potential damage of an identified cyber-attack. Unlike other defense mechanisms, that try to block the attack or simply notify of its existence, our mechanism responds to the detected breach, by limiting the vehicle’s functionality to relatively safe operations, and optionally activating additional security counter-measures. This is done by adopting the already existing mechanism of Limp-mode, that was originally designed to limit the potential damage of either a mechanical or an electrical malfunction and let the vehicle “limp back home” in relative safety. We further introduce two modes of safe-modemoperation: In Transparent-mode, when a cyber-attack is detected the vehicle enters its pre-configured Limp-mode; In Extended-mode we suggest to use custom messages that offer additional flexibility to both the reaction and the recovery plans. While Extended-mode requires modifications to the participating ECUs, Transparent-mode may be applicable to existing vehicles since it does not require any changes in the vehicle’s systems—in other words, it may even be deployed as an external component connected through the OBD-II port. We suggest an architectural design for the given modes, and include guidelines for a safe-mode manager, its clients, possible reactions, and recovery plans. We note that our system can rely upon any deployed anomaly-detection system to identify the potential attack.

2017 - Verifiable Delegated Authorization for User-Centric Architectures and an OAuth2 Implementation [Relazione in Atti di Convegno]
Ferretti, Luca; Marchetti, Mirco; Colajanni, Michele

Delegated authorization protocols have become wide-spread to implement Web applications and services, where some popular providers managing people identity information and personal data allow their users to delegate third party Web services to access their data. In this paper, we analyze the risks related to untrusted providers not behaving correctly, and we solve this problem by proposing the first verifiable delegated authorization protocol that allows third party services to verify the correctness of users data returned by the provider. The contribution of the paper is twofold: we show how delegated authorization can be cryptographically enforced through authenticated data structures protocols, we extend the standard OAuth2 protocol by supporting efficient and verifiable delegated authorization including database updates and privileges revocation.

2016 - Analysis of high volumes of network traffic for Advanced Persistent Threat detection [Articolo su rivista]
Marchetti, Mirco; Pierazzi, Fabio; Colajanni, Michele; Guido, Alessandro

Advanced Persistent Threats (APTs) are the most critical menaces to modern organizations and the most challenging attacks to detect. They span over long periods of time, use encrypted connections and mimic normal behaviors in order to evade detection based on traditional defensive solutions. We propose an innovative approach that is able to analyze efficiently high volumes of network traffic to reveal weak signals related to data exfiltrations and other suspect APT activities. The final result is a ranking of the most suspicious internal hosts; this rank allows security specialists to focus their analyses on a small set of hosts out of the thousands of machines that typically characterize large organizations. Experimental evaluations in a network environment consisting of about 10K hosts show the feasibility and effectiveness of the proposed approach. Our proposal based on security analytics paves the way to novel forms of automatic defense aimed at early detection of APTs in large and continuously varying networked systems.

2016 - Countering Advanced Persistent Threats through Security Intelligence and Big Data Analytics [Relazione in Atti di Convegno]
Marchetti, Mirco; Pierazzi, Fabio; Guido, Alessandro; Colajanni, Michele

Advanced Persistent Threats (APTs) represent the most challenging threats to the security and safety of the cyber landscape. APTs are human-driven attacks backed by complex strategies that combine multidisciplinary skills in information technology, intelligence, and psychology. Defending large organisations with tens of thousands of hosts requires similar multi-factor approaches. We propose a novel framework that combines different techniques based on big data analytics and security intelligence to support human analysts in prioritising the hosts that are most likely to be compromised. We show that the collection and integration of internal and external indicators represents a step forward with respect to the state of the art in the field of early detection and mitigation of APT activities.

2016 - Evaluation of anomaly detection for in-vehicle networks through information-theoretic algorithms [Relazione in Atti di Convegno]
Marchetti, Mirco; Stabili, Dario; Guido, Alessandro; Colajanni, Michele

This paper evaluates the effectiveness of information-theoretic anomaly detection algorithms applied to networks included in modern vehicles. In particular, we focus on providing an experimental evaluation of anomaly detectors based on entropy. Attacks to in-vehicle networks were simulated by injecting different classes of forged CAN messages in traces captured from a modern licensed vehicle. Experimental results show that if entropy-based anomaly detection is applied to all CAN messages it is only possible to detect attacks that comprise a high volume of forged CAN messages. On the other hand, attacks characterized by the injection of few forged CAN messages attacks can be detected only by applying several independent instances of the entropy based anomaly detector, one for each class of CAN messages.

2016 - Exploratory security analytics for anomaly detection [Articolo su rivista]
Pierazzi, Fabio; Casolari, Sara; Colajanni, Michele; Marchetti, Mirco

The huge number of alerts generated by network-based defense systems prevents detailed manual inspections of security events. Existing proposals for automatic alerts analysis work well in relatively stable and homogeneous environments, but in modern networks, that are characterized by extremely complex and dynamic behaviors, understanding which approaches can be effective requires exploratory data analysis and descriptive modeling. We propose a novel framework for automatically investigating temporal trends and patterns of security alerts with the goal of understanding whether and which anomaly detection approaches can be adopted for identifying relevant security events. Several examples referring to a real large network show that, despite the high intrinsic dynamism of the system, the proposed framework is able to extract relevant descriptive statistics that allow to determine the effectiveness of popular anomaly detection approaches on different alerts groups.

2016 - Guaranteeing correctness of bulk operations in outsourced databases [Relazione in Atti di Convegno]
Ferretti, Luca; Colajanni, Michele; Marchetti, Mirco

The adoption of public cloud services, as well as other data outsourcing solutions, raises concerns about confidentiality and integrity of information managed by a third party. By focusing on data integrity, we propose a novel protocol that allows cloud customers to verify the correctness of results produced by key-value databases. The protocol is designed for supporting efficient insertion and retrieval of large sets of data through bulk operations in read and append-only workloads. In these contexts, the proposed protocol improves state-of-the-art by reducing network overheads thanks to an original combination of aggregate bilinear map signatures and extractable collision resistant hash functions.

2016 - Implementation of verified set operation protocols based on bilinear accumulators [Relazione in Atti di Convegno]
Ferretti, L.; Colajanni, M.; Marchetti, M.

This paper proposes an efficient protocol for verifiable delegation of computation over outsourced set collections. It improves state of the art protocols by using asymmetric bilinear pairing settings for improved performance with respect to previous proposals based on symmetric settings. Moreover, it extends update operations by supporting efficient modifications over multiple sets. With respect to previous work the proposed protocol has a modular design, that clearly identifies its main building blocks and well-defined interfaces among them. This novel conceptualization allows easier auditing of the protocol security properties and serves as the blueprint of a novel implementation that is released publicly ( To the best of our knowledge, this is the first public implementation of a protocol for verifiable sets operations.

2015 - A collaborative framework for intrusion detection in mobile networks [Articolo su rivista]
Andreolini, Mauro; Colajanni, Michele; Marchetti, Mirco

Abstract Mobile devices are becoming the most popular way of connection, but protocols supporting mobility represent a serious source of concerns because their initial design did not enforce strong security. This paper introduces a novel class of stealth network attacks, called mobility-based evasion, where an attacker splits a malicious payload in such a way that no part can be recognized by existing defensive mechanisms including the most modern network intrusion detection systems operating in stateful mode. We propose an original cooperative framework for intrusion detection that can prevent mobility-based evasion. The viability and performance of the proposed solution is shown through a prototype applied to Mobile IPv4, Mobile IPv6 and WiFi protocols.

2015 - Enforcing Correct Behavior without Trust in Cloud Key-Value Databases [Relazione in Atti di Convegno]
Andreoli, Andrea; Ferretti, Luca; Marchetti, Mirco; Colajanni, Michele

Traditional computation outsourcing and modern cloud computing are affected by a common risk of distrust between service requestor and service provider. We propose a novel protocol, named Probus, that offers guarantees of correct behavior to both parts without assuming any trust relationship between them in the context of cloud-based key-value databases. Probus allows a service requestor to have evidence of cloud provider misbehavior on its data, and a cloud provider to defend itself from false accusations by demonstrating the correctness of its operations. Accusation and defense proofs are based on cryptographic mechanisms that can be verified by a third party. Probus improves the state-of-the-art by introducing novel solutions that allow for efficient verification of data security properties and by limiting the overhead required to provide its security guarantees. Thanks to Probus it is possible to check the correctness of all the results generated by a cloud service, thus improving weaker integrity assurance based on probabilistic verifications that are adopted by related work.

2015 - Supporting sense-making and decision-making through time evolution analysis of open sources [Relazione in Atti di Convegno]
Balboni, Andrea; Marchetti, Mirco; Colajanni, Michele; Melegari, Andrea

Modern societies produce a huge amount of open source information that is often published on the Web in a natural language form. The impossibility of reading all these documents is paving the way to semantic-based technologies that are able to extract from unstructured documents relevant information for analysts. Most solutions extract uncorrelated pieces of information from individual documents; few of them create links among related documents and, to the best of our knowledge, no technology focuses on the time evolution of relations among entities. We propose a novel approach for managing, querying and visualizing temporal knowledge extracted from unstructured documents that can open the way to novel forms of sense-making and decision-making processes. We leverage state-of-the-art natural language processing engines for the semantic analysis of textual data sources to build a temporal graph database that highlights relationships among entities belonging to different documents and time frames. Moreover, we introduce the concept of temporal graph query that analysts can use to identify all the relationships of an entity and to visualize their evolution over time. This process enables the application of statistical algorithms that can be oriented to the automatic analysis of anomalies, state change detection, forecasting. Preliminary results demonstrate that the representation of the evolution of entities and relationships allows an analyst to highlight relevant events among the large amount of open source documents.

2015 - The network perspective of cloud security [Relazione in Atti di Convegno]
Pierazzi, Fabio; Balboni, Andrea; Guido, Alessandro; Marchetti, Mirco

The cloud computing paradigm has become really popular, and its adoption is constantly increasing. Hence, also network activities and security alerts related to cloud services are increasing and are likely to become even more relevant in the upcoming years. In this paper, we propose the first characterization of real security alerts related to cloud activities and generated by a network sensor at the edge of a large network environment over several months. Results show that the characteristics of cloud security alerts differ from those that are not related to cloud activities. Moreover, alerts related to different cloud providers exhibit peculiar and different behaviors that can be identified through temporal analyses. The methods and results proposed in this paper are useful as a basis for the design of novel algorithms for the automatic analysis of cloud security alerts, that can be aimed at forecasting, prioritization, anomaly and state-change detection.

2014 - Distributed, concurrent and independent access to encrypted cloud databases [Articolo su rivista]
Ferretti, Luca; Colajanni, Michele; Marchetti, Mirco

Placing critical data in the hands of a cloud provider should come with the guarantee of security and availability for data at rest, in motion, and in use. Several alternatives exist for storage services, while data confidentiality solutions for the database as a service paradigm are still immature. We propose a novel architecture that integrates cloud database services with data confidentiality and the possibility of executing concurrent operations on encrypted data. This is the first solution supporting geographically distributed clients to connect directly to an encrypted cloud database, and to execute concurrent and independent operations including those modifying the database structure. The proposed architecture has the further advantage of eliminating intermediate proxies that limit the elasticity, availability, and scalability properties that are intrinsic in cloud-based solutions. The efficacy of the proposed architecture is evaluated through theoretical analyses and extensive experimental results based on a prototype implementation subject to the TPC-C standard benchmark for different numbers of clients and network latencies.

2014 - Efficient detection of unauthorized data modification in cloud databases [Relazione in Atti di Convegno]
Ferretti, Luca; Pierazzi, Fabio; Colajanni, Michele; Marchetti, Mirco; Missiroli, Marcello

Cloud services represent an unprecedented opportunity, but their adoption is hindered by confidentiality and integrity issues related to the risks of outsourcing private data to cloud providers. This paper focuses on integrity and proposes an innovative solution that allows cloud tenants to detect unauthorized modifications to outsourced data while minimizing storage and network overheads. Our approach is based on encrypted Bloom filters, and is designed to allow efficient integrity verification for databases stored in the cloud. We assess the effectiveness of the proposal as well as its performance improvements with respect to existing solutions by evaluating storage and network costs.

2014 - Performance and cost evaluation of an adaptive encryption architecture for cloud databases [Articolo su rivista]
Ferretti, Luca; Pierazzi, Fabio; Colajanni, Michele; Marchetti, Mirco

The cloud database as a service is a novel paradigm that can support several Internet-based applications, but its adoption requires the solution of information confidentiality problems. We propose a novel architecture for adaptive encryption of public cloud databases that offers an interesting alternative to the trade-off between the required data confidentiality level and the flexibility of the cloud database structures at design time. We demonstrate the feasibility and performance of the proposed solution through a software prototype. Moreover, we propose an original cost model that is oriented to the evaluation of cloud database services in plain and encrypted instances and that takes into account the variability of cloud prices and tenant workload during a medium-term period.

2014 - Scalable architecture for multi-user encrypted SQL operations on cloud database services [Articolo su rivista]
Ferretti, Luca; Pierazzi, Fabio; Colajanni, Michele; Marchetti, Mirco

The success of the cloud database paradigm is strictly related to strong guarantees in terms of service availability, scalability and security, but also of data confidentiality. Any cloud provider assures the security and availability of its platform, while the implementation of scalable solutions to guarantee confidentiality of the information stored in cloud databases is an open problem left to the tenant. Existing solutions address some preliminary issues through SQL operations on encrypted data. We propose the first complete architecture that combines data encryption, key management, authentication and authorization solutions, and that addresses the issues related to typical threat scenarios for cloud database services. Formal models describe the proposed solutions for enforcing access control and for guaranteeing confidentiality of data and metadata. Experimental evaluations based on standard benchmarks and real Internet scenarios show that the proposed architecture satisfies also scalability and performance requirements.

2013 - Access control enforcement on query-aware encrypted cloud databases [Relazione in Atti di Convegno]
Ferretti, Luca; Colajanni, Michele; Marchetti, Mirco

The diffusion of cloud database services requires a lot of efforts to improve confidentiality of data stored in external infrastructures. We propose a novel scheme that integrates data encryption with users access control mechanisms. It can be used to guarantee confidentiality of data with respect to a public cloud infrastructure, and to minimize the risks of internal data leakage even in the worst case of a legitimate user colluding with some cloud provider personnel. The correctness and feasibility of the proposal is demonstrated through formal models, while the integration in a cloud-based architecture is left to future work.

2013 - Cooperative approaches to SIEM and Intrusion Detection [Capitolo/Saggio]
Marchetti, Mirco; Colajanni, Michele

The original approach to intrusion detection was based on the deployment of a centralized component that gathers and analyzes events at system or network level. In this chapter we present architectures that leverage multiple components and cooperation techniques for the analysis and management of large numbers of security events generated by complex information systems. Their goal is to enhance the system capability and/or to improve the analysis efficacy by merging and correlating security alerts coming from different sources.

2013 - Security and Confidentality Solutions for Public Cloud Database Services [Relazione in Atti di Convegno]
Ferretti, Luca; Pierazzi, Fabio; Colajanni, Michele; Marchetti, Mirco

The users perception that the confidentiality of their data is endangered by internal and external attacks is limiting the diffusion of public cloud database services. In this context, the use of cryptography is complicated by high computational costs and restrictions on supported SQL operations over encrypted data. In this paper, we propose an architecture that takes advantage of adaptive encryption mechanisms to guarantee at runtime the best level of data confidentiality for any type of SQL operation. We demonstrate through a large set of experiments that these encryption schemes represent a feasible solution for achieving data confidentiality in public cloud databases, even from a performance point of view.

2013 - Transparent access on encrypted data distributed over multiple cloud infrastructures [Relazione in Atti di Convegno]
Ferretti, Luca; Colajanni, Michele; Marchetti, Mirco; Adriano Enrico, Scaruffi

Using cloud infrastructures to store and backup data is becoming a popular alternative that guarantees performance and scalability at reasonable prices. However, standard cloud solutions could raise some concerns about data confidentiality and dependency on a single provider. We aim to address these issues by using cloud storage of multiple cloud providers. Our solution ciphers, partitions and replicates data among multiple cloud architectures, thus augmenting availability and confidentiality, and avoiding lock-in of one cloud provider. The proposed model is implemented through open source software that leverages data storage offered by multiple providers. This prototype demonstrates the effectiveness of the geographically distributed architecture in several real case scenarios.

2012 - Collaborative Attack Detection Using Distributed Hash Tables [Capitolo/Saggio]
Angori, Enrico; Colajanni, Michele; Marchetti, Mirco; Messori, Michele

This chapter describes a distributed architecture for collaborative detection of cyber attacks and network intrusions based on distributed hash tables (DHTs). We present a high-level description of the distributed architecture for collaborative attack detection. In particular, we highlight the two main functional blocks: the collaboration layer, realized through a DHT, and the engine for complex event processing. We then describe the implementation of a working prototype of the proposed architecture that represents one of the Semantic Rooms of the CoMiFin project. Our reference implementation is implemented through well-known open source software. In particular, the DHT leverages Scribe and PAST, while we use Esper as the CEP engine. We demonstrate how the proposed implementation can be used to realize a collaborative architecture for the early detection of real-world attacks carried out against financial institutions. We focus on the detection of Man-in-the-Middle attacks to demonstrate the effectiveness of our proposal. Finally, we highlight the main advantages of the proposed architecture with respect to traditional (centralized and hierarchical) solutions for intrusion detection. In particular, we address the issues of fault tolerance, scalability, and load balancing.

2012 - Cyber Attacks on Financial Critical Infrastructures [Capitolo/Saggio]
Marchetti, Mirco; Colajanni, Michele; Messori, Michele; L., Aniello; Y., Vigfusson

This chapter focuses on attack strategies that can be (and have been) used against financial IT infrastructures. The first section presents an overview and a classification of the different kinds of frauds and attacks carried out against financial institutions and their IT infrastructures. We then restrict our focus by analyzing in detail five attack scenarios, selected among the ones presented in the previous section. These attack scenarios are: Man in the Middle (and its variant, Man in the Browser), distributed denial of service (DDoS), distributed portscan, session hijacking, and malware-based attacks against Internet banking customers. These scenarios have been selected because of their distributed nature: all of them involve multiple, geographically distributed financial institutions. Hence their detection will benefit greatly from the deployment of new technologies and best practices for information sharing and cooperative event processing. For each scenario we present a theoretical description of the attack as well as implementation details and consequences of past attacks carried out against real financial institutions.

2012 - Supporting security and consistency for cloud database [Relazione in Atti di Convegno]
Ferretti, Luca; Colajanni, Michele; Marchetti, Mirco

Typical Cloud database services guarantee high availability and scalability, but they rise many concerns about data confidentiality. Combining encryption with SQL operations is a promising approach although it is characterized by many open issues. Existing proposals, which are based on some trusted intermediate server, limit availability and scalability of original cloud database services. We propose an alternative architecture that avoids any intermediary component, thus achieving availability and scalability comparable to that of unencrypted cloud database services. Moreover, our proposal guarantees data consistency in scenarios in which independent clients concurrently execute SQL queries, and the structure of the database can be modified.

2011 - Defeating NIDS evasion in Mobile IPv6 networks [Relazione in Atti di Convegno]
Colajanni, Michele; DAL ZOTTO, Luca; Marchetti, Mirco; Messori, Michele

The diffusion of mobile devices and technologies supportingtransparent network mobility can have detrimental effects onnetwork security. We describe how an attacker can leverage mobility in IPv6 networks to perpetrate known attackswhile evading detection by state-of-the-art Network IntrusionDetection Systems (NIDSs). We then propose a new defensestrategy based on the exchange of state information amongdistributed NIDSs. We demonstrate the effectiveness of the proposed solution through a prototype implementation, evaluatedexperimentally in a Mobile IPv6 network.

2011 - Framework and Models for Multistep Attack Detection [Articolo su rivista]
Marchetti, Mirco; Colajanni, Michele; F., Manganiello

Cyber attacks are becoming increasingly complex, especially when the target is a modern IT infrastructure, characterized by a layered architecture that integrates several security technologies such as firewalls and intrusion detection systems. These contexts can be violated by a multistep attack, that is a complex attack strategy that comprises multiple correlated intrusion activities. While a modern Intrusion Detection System detects single intrusions, it is unable to link them together and to highlight the strategy that underlies a multistep attack.Hence, a single multistep attack may generate a high number of uncorrelated intrusion alerts. The critical task of analyzing and correlating all these alerts is then performed manually by security experts. This process is time consuming and prone to human errors. This paper proposes a novel framework for the analysis and correlation of security alerts generated by state-of-the-art Intrusion Detection Systems. Our goal is to help security analysts in recognizing and correlating intrusion activities that are part of the same multistep attack scenario. The proposed framework produces correlation graphs, in which all the intrusion alerts that are part of the same multistep attack are linked together. By looking at these correlation graphs, a security analyst can quickly identify the relationships that link together seemingly uncorrelated intrusion alerts, and can easily recognize complex attack strategies and identify their final targets. Moreover, the proposed framework is able to leverage multiple algorithms for alert correlation.

2011 - Identification of correlated network intrusion alerts [Relazione in Atti di Convegno]
Marchetti, Mirco; Colajanni, Michele; Manganiello, Fabio

Attacks to information systems are becoming moresophisticated and traditional algorithms supporting NetworkIntrusion Detection Systems may be ineffective or cause toomany false alarms. This paper describes a new algorithm for thecorrelation of alerts generated by Network Intrusion DetectionSystems. It is specifically oriented to face multistep attacks wheremultiple intrusion activities belonging to the same attack scenarioare performed within a small time window. This algorithm takesas its input the security alerts generated by a NIDS and, througha pseudo-bayesian alert correlation, is able to identify those thatare likely to belong to the same multistep attack scenario. Theproposed approach is completely unsupervised and applicable tosecurity alerts generated by any kind of NIDS.

2011 - Multistep attack detection and alert correlation in intrusion detection systems [Relazione in Atti di Convegno]
Manganiello, Fabio; Marchetti, Mirco; Colajanni, Michele

A growing trend in the cybersecurity landscape is repre-sented by multistep attacks that involve multiple correlated intrusionactivities to reach the intended target. The duty of correlating secu-rity alerts and reconstructing complete attack scenarios is left to sys-tem administrators because current Network Intrusion Detection Sys-tems (NIDS) are still oriented to generate alerts related to single attacks,with no or minimal correlation analysis among dierent security alerts.We propose a novel approach for the automatic analysis of multiple se-curity alerts generated by state-of-the-art signature-based NIDS. Ourproposal is able to group security alerts that are likely to belong to thesame attack scenario, and to identify correlations and causal relation-ships among them. This goal is achieved by combining alert classicationthrough Self Organizing Maps and unsupervised clustering algorithms.The ecacy of the proposal is demonstrated through a prototype testedagainst network trac traces containing multistep attacks.

2011 - The problem of NIDS evasion in mobile networks [Relazione in Atti di Convegno]
Colajanni, Michele; DAL ZOTTO, Luca; Marchetti, Mirco; Messori, Michele

This paper presents a novel NIDS evasion strategy that allows attackers to exploit network mobility to perform attacks undetectable by modern NIDSs. Mobility-based NIDS evasion works by combining traditional evasion techniques and node mobility. It represents a generally applicable evasion strategy that works on several protocols for node mobility, and it is effective against state-of-the- art and well configured signature-based NIDSs. We describe three evasion scenarios based on node mobility, and demonstrate the practical applicability of the proposed evasion strategy through a proof of concept attack in a realistic network environment. We conclude the paper by presenting some ideas addressing mobility-based NIDS evasion.

2010 - Selective and early threat detection in large networked systems [Relazione in Atti di Convegno]
Colajanni, Michele; Marchetti, Mirco; Messori, Michele

The complexity of modern networked informationsystems, as well as all the defense-in-depth best practices,require distributed intrusion detection architectures relying onthe cooperation of multiple components. Similar solutions causea multiplication of alerts, thus increasing the time needed for alertmanagement and hiding the few critical alerts as needles in ahay stack. We propose an innovative distributed architecture forintrusion detection that is able to provide system administratorswith selective and early security warnings. This architecture issuitable to large networks composed by several departmentsbecause it leverages hierarchical and peer-to-peer cooperationschemes among distributed NIDSes. Moreover, it embeds adistributed alert ranking system that makes it possible to evaluatethe real level of risk represented by a security alert generatedby a NIDS, and it allows independent network departments toexchange early warnings about critical threats. Thanks to thesefeatures, a system administrator can focus on the few alertsthat represent a real threat for the controlled infrastructure andcan be notified about the most dangerous intrusions before hisdepartment is attacked.

2009 - BFT: The time is now [Relazione in Atti di Convegno]
Clement, Allen; Marchetti, Mirco; Wong, Edmund; Alvisi, Lorenzo; Dahlin, Mike

Data centers strive to provide reliable access to the data and services that they host. This reliable access requires the hosted data and services hosted by the data center to be both consistent and available. Byzantine fault tolerance (BFT) replication offers the promise of services that are consistent and available despite arbitrary failures by a bounded number of servers and an unbounded number of clients.

2009 - Defending financial infrastructures through early warning systems: the intelligence cloud approach [Relazione in Atti di Convegno]
G., Lodi; L., Querzoni; R., Baldoni; Marchetti, Mirco; Colajanni, Michele; V., Bortnikov; G., Chockler; E., Dekel; G., Laventman; A., Roytman

Recent evidence of successful Internet-based attacks and frauds involving financial institutions highlights the inadequacy of the existing protection mechanisms, in which each instutition implements its own isolated monitoring and reaction strategy. Analyzing on-line activity and detecting attacks on a large scale is an open issue due to the huge amounts of events that should be collected and processed. In this paper, we propose a large-scale distributed event processing system, called intelligence cloud, allowing the financial entities to participate in a widely distributed monitoring and detection effort through the exchange and processing of information locally available at each participating site. We expect this approach to be able to handle large amounts of events arriving at high rates from multiple domains of the financial scenario. We describe a framework based on the intelligence cloud where each participant can receive early alerts enabling them to deploy proactive countermeasures and mitigation strategies.

2009 - Making Byzantine Fault Tolerant Systems Tolerate Byzantine Faults [Relazione in Atti di Convegno]
Clement, Allen; Wong, Edmund; Alvisi, Lorenzo; Dahlin, Mike; Marchetti, Mirco

This paper argues for a new approach to building Byzantine fault tolerant replication systems. We observe that although recently developed BFT state machine replication protocols are quite fast, they don't tolerate Byzantine faults very well: a single faulty client or server is capable of rendering PBFT, Q/U, HQ, and Zyzzyva virtually unusable. In this paper, we (1) demonstrate that existing protocols are dangerously fragile, (2) define a set of principles for constructing BFT services that remain useful even when Byzantine faults occur, and (3) apply these principles to construct a new protocol, Aardvark. Aardvark can achieve peak performance within 40% of that of the best existing protocol in our tests and provide a significant fraction of that performance when up to f servers and any number of clients are faulty. We observe useful throughputs between 11706 and 38667 requests per second for a broad range of injected faults.

2009 - Peer-to-peer architecture for collaborative intrusion and malware detection on a large scale [Relazione in Atti di Convegno]
Marchetti, Mirco; Messori, Michele; Colajanni, Michele

The complexity of modern network architectures and the epidemic diffusion of malware require collaborative approaches for defense. We present a novel distributed system where each component collaborates to the intrusion and malware detection and to the dissemination of the local analyses. The proposed architecture is based on a decentralized, peer-to-peer and sensor-agnostic design that addresses dependability and load unbalance issues affecting existing systems based on centralized and hierarchical schemes. Load balancing properties, ability to tolerate churn, self-organization capabilities and scalability are demonstrated through a prototype integrating different open source defensive software.

2008 - Adaptive traffic filtering for efficient and secure IP mobility [Relazione in Atti di Convegno]
Marchetti, Mirco; Colajanni, Michele

The Mobile IP (MIP) protocol that supports node mobility in IP networks may be implemented through two routing schemes: triangular routing and reverse tunneling. While triangular routing guarantees better performance because of shorter routing paths, it is not compatible with egress filtering policies enforced by many firewalls. As a result, it is necessary to recur to the slower reverse tunneling routing scheme that causes lower mobile connection throughput and higher round trip times. In this paper, we propose an innovative adaptive traffic filtering technique in which egress filtering rules are dynamically and automatically modified to reflect the presence of mobile nodes inside the protected network. The proposed scheme, called secure triangular routing, guarantees the best trade-off between performance and security because it enables triangular routing without violating network security policies. Viability and performance improvements of the proposed solution have been demonstrated by experiments carried out through a prototype. The proposed solution does not require any modification in correspondent nodes or in their networks, and it fully complies with the MIP protocol specifications.

2008 - Collaborative architecture for malware detection and analysis [Relazione in Atti di Convegno]
Colajanni, Michele; Gozzi, Daniele; Marchetti, Mirco

The constant increase of malware threats clearly shows that the present countermeasures are not sufficient especially because most actions are put in place only when infections have already spread. In this paper, we present an innovative collaborative architecture for malware analysis that aims to early detection and timely deployment of countermeasures. The proposed system is a multi-tier architecture where the sensor nodes are geographically distributed over multiple organizations. These nodes send alerts to intermediate managers that, in their turn, communicate with one logical collector and analyzer. Relevant information, that is determined by the automatic analysis of the malware behavior in a sandbox, and countermeasures are sent to all the cooperating networks. There are many other novel features in the proposal. The architecture is extremely scalable and flexible because multiple levels of intermediate managers can be utilized depending on the complexity of the network of the participating organization. Cyphered communications among components help preventing the leakage of sensitive information and allow the pairwise authentication of the nodes involved in the information sharing. The feasibility of the proposed architecture is demonstrated through an operative prototype realized using open source software.

2008 - FlightPath: obedience vs. choice in cooperative services [Relazione in Atti di Convegno]
Li, Harri C.; Clement, Allen; Marchetti, Mirco; Kapritsos, Manos; Robison, Luke; Alvisi, Lorenzo; Dahlin, Mike

We present FlightPath, a novel peer-to-peer streaming application that provides a highly reliable data stream to a dynamic set of peers. We demonstrate that FlightPath reduces jitter compared to previous works by several orders of magnitude. Furthermore, FlightPath uses a number of run-time adaptations to maintain low jitter despite 10% of the population behaving maliciously and the remaining peers acting selfishly. At the core of FlightPath's success are approximate equilibria. These equilibria allow us to design incentives to limit selfish behavior rigorously, yet they provide sufficient flexibility to build practical systems. We show how to use an Ɛ-Nash equilibrium, instead of a strict Nash, to engineer a live streaming system that uses bandwidth efficiently, absorbs flash crowds, adapts to sudden peer departures, handles churn, and tolerates malicious activity.

2008 - Selective alerts for run-time protection of distributed systems [Relazione in Atti di Convegno]
Colajanni, Michele; Gozzi, Daniele; Marchetti, Mirco

Network Intrusion Detection Systems (NIDS) are popular components for a fast detection of network attacks and intrusions, but their efficacy is limited by the high numbers of false alarms that affect them. As a consequence, system administrators,that have to manually manage an overwhelming amount of intrusion alerts, tend to decrease the alarm threshold or even to deactivate most NIDS functions. These weaknesses are frequently exploited by the attackers to avoid or to delay attackdetection.In order to improve the efficacy of attack detection and reduce the amount of false positives, we propose a novel scheme for runtime lert management. It filters innocuous attacks by taking advantage of the correlation between the NIDS alerts and detailed information concerning the protected information systems, that is retrieved from heterogeneous and unstructured data sources. Thanks to the proposed scheme, an alert is sent to the system administrator only if an attack threatens some real vulnerability of the protected hosts. Otherwise, as it occurs in the large majority of the cases, the alert is stored for a subsequent offline analysis. The viability and efficacy of the proposed solution are demonstrated through an operative prototype that has been tested in networks subject to realistic attacks.

2007 - Dynamic load balancing for network intrusion detection systems based on distributed architectures [Relazione in Atti di Convegno]
Andreolini, Mauro; Casolari, Sara; Colajanni, Michele; Marchetti, Mirco

Increasing traffic and the necessity of stateful analyses impose strong computational requirements on network intrusion detection systems (NIDS), and motivate the need of distributed architectures with multiple sensors. In a context of high traffic with heavy tailed characteristics, static rules for dispatching traffic slices among distributed sensors cause severe imbalance. Hence, the distributed NIDS architecture must be combined with adequate mechanisms for dynamic load redistribution.In this paper, we propose and compare different policies for the activation/deactivation of the dynamic load balancer. In particular, we consider and compare single vs. double threshold schemes, and load representations based on resource measures vs. load aggregation models.Our experimental results show that the best combination of a double threshold scheme with a linear aggregation of resource measures is able to achieve a really satisfactory balance of the sensor loads together with a sensible reduction of the number of load balancer activations.

2007 - Enhancing interoperability and stateful analysis of cooperative network intrusion detection systems [Relazione in Atti di Convegno]
Colajanni, Michele; D., Gozzi; Marchetti, Mirco

A traditional Network Intrusion Detection System (NIDS) isbased on a centralized architecture that does not satisfy theneeds of most modern network infrastructures characterizedby high traffic volumes and complex topologies. The problemof decentralized NIDS based on multiple sensors is thateach of them gets just a partial view of the network trafficand this prevents a stateful and fully reliable traffic analysis.We propose a novel cooperation mechanism that addressesthe previous issues through an innovative state managementand state migration framework. It allows multipledecentralized sensors to share their internal state, thus accomplishing innovative and powerful traffic analysis. Theadvanced functionalities and performance of the proposedcooperative framework for network intrusion detection systemsare demonstrated through a fully operative prototype.

2006 - A Parallel Architecture for Stateful Intrusion Detection in High Traffic Networks [Relazione in Atti di Convegno]
Colajanni, Michele; Marchetti, Mirco

Abstract—In a scenario where network bandwidth and traffic are continuously growing, network appliances that have to monitor and analyze all flowing packets are reaching their limits. These issues are critical especially for Network Intrusion Detection Systems (NIDS) that need to trace and reassemble every connection, and to examine every packet flowing on the monitored link(s), to guarantee high security levels. Any NIDS based on a single component cannot scale over certain thresholds, even if it has some parts built in hardware. Hence, parallel architectures appear as the most valuable alternative for the future. In this paper, we propose a parallel NIDS architecture that is able to provide us with fully reliable analysis, high performance and scalability. These properties come together with the low costs and high flexibility that are guaranteed by a total software implementation. The load balancing mechanism of the proposed NIDS distributes the traffic among a configurable number of parallel sensors, so that each of them is reached by a manageable amount of traffic. The parallelism and traffic distribution do not alter the results of the traffic analysis that remains reliable and stateful.