Papers by Mirco Marchetti
ACM Transactions on Cyber-Physical Systems
This work presents an experimental evaluation of the detection performance of eight different alg... more This work presents an experimental evaluation of the detection performance of eight different algorithms for anomaly detection on the Controller Area Network (CAN) bus of modern vehicles based on the analysis of the timing or frequency of CAN messages. This work solves the current limitations of related scientific literature, that is based on private dataset, lacks of open implementations, and detailed description of the detection algorithms. These drawback prevent the reproducibility of published results, and makes it impossible to compare a novel proposal against related work, thus hindering the advancement of science. This paper solves these issues by publicly releasing implementations, labeled datasets and by describing an unbiased experimental comparisons.
2022 IEEE 21st International Symposium on Network Computing and Applications (NCA)
2022 International Conference on Control, Robotics and Informatics (ICCRI)
This paper proposes a novel approach for the study of cyber-attacks against the powertrain of a g... more This paper proposes a novel approach for the study of cyber-attacks against the powertrain of a generic vehicle. The proposed model is composed by a a generic Internal Combustion engine and a speed controller, that communicate through a Controller Area Network (CAN) bus. We consider a threat model composed by three representative attack scenarios designed to modify the output of the model, thus affecting the rotational speed of the engine. Two attack scenarios target both vehicle sensor systems and CAN communication, while one attack scenario only requires injection of CAN messages. To the best of our knowledge, this is the first attempt of modeling the consequences of realistic cyber attacks against a modern vehicle.
2022 IEEE 95th Vehicular Technology Conference: (VTC2022-Spring)
2021 IEEE 93rd Vehicular Technology Conference (VTC2021-Spring)
This paper presents SixPack, a cyber attack to VANET communications that is able to go undetected... more This paper presents SixPack, a cyber attack to VANET communications that is able to go undetected by the current state-of-the-art anomaly detectors. The SixPack attack is a dynamic attack conducted by an insider attacker who modifies the content of the Basic Safety Messages to pretend a sudden activation of the braking system with the consequent activation of the Anti-lock Braking System, and create a fake representation of the vehicle. The attacker then rejoins the fake representation of the vehicle with the real one, avoiding the current state-of-the-art anomaly detectors. We experimentally evaluated the evasion capabilities of the SixPack attack using the F2MD test framework on the LuST and LuSTMini city scenarios, demonstrating the ability of the attacker to generate a high percentage of false positives that prevent the attack from being detected consistently.
IEEE Transactions on Information Forensics and Security
Heap spraying is probably the most simple and effective memory corruption attack, which fills the... more Heap spraying is probably the most simple and effective memory corruption attack, which fills the memory with malicious payloads and then jumps at a random location in hopes of starting the attacker’s routines. To counter this threat, GRAFFITI has been recently proposed as the first OS-agnostic framework for monitoring memory allocations of arbitrary applications at runtime; however, the main contributions of GRAFFITI are on the monitoring system, and its detection engine only considers simple heuristics which are tailored to certain attack vectors and are easily evaded. In this article, we aim to overcome this limitation and propose GLYPH as the first ML-based heap spraying detection system, which is designed to be effective, efficient, and resilient to evasive attackers. GLYPH relies on the information monitored by GRAFFITI, and we investigate the effectiveness of different feature spaces based on information entropy and memory n-grams, and discuss the several engineering challenges we have faced to make GLYPH efficient with an overhead compatible with that of GRAFFITI. To evaluate GLYPH, we build a representative dataset with several variants of heap spraying attacks, and assess GLYPH’s resilience against evasive attackers through selective hold-out experiments. Results show that GLYPH achieves high accuracy in detecting spraying and is able to generalize well, outperforming the state-of-the-art approach for heap spraying detection, NOZZLE. Finally, we thoroughly discuss the trade-offs between detection performance and runtime overhead of GLYPH’s different configurations.
2021 IEEE 20th International Symposium on Network Computing and Applications (NCA), 2021
With the advent of Industry 4.0, Industrial Control Systems (ICS) are becoming a prime target for... more With the advent of Industry 4.0, Industrial Control Systems (ICS) are becoming a prime target for many cyber criminals. We are witnessing a steady increase in the number of ransomware attacks specifically designed to compromise in-dustrial control systems. The consequences of these attacks can be devastating, as they are able to block production processes for days, resulting in a loss of revenue, violation of contractual terms, reputational damage, and sanctions in regulated markets. This paper analyzes two relevant cases of ICS ransomware and proposes a novel solution that is able to detect these infections and stop them before the actual compromise of the systems that control industrial machines and production plants. Experimental evaluation demonstrates the effectiveness of our approach against real malware samples in simulated, realistic ICS environments.
Data centers strive to provide reliable access to the data and services that they host. This reli... more Data centers strive to provide reliable access to the data and services that they host. This reliable access requires the hosted data and services hosted by the data center to be both consistent and available. Byzantine fault tolerance (BFT)
Technology and International Relations, 2021
In the new cyber landscape, the legal rules apply only to defenders. Even nonprimary countries an... more In the new cyber landscape, the legal rules apply only to defenders. Even nonprimary countries and companies may constitute a harmful adversarial scenario for politics, military, intelligence, and enterprises. Attackers can leverage physical distance from targets, different laws, anonymity, and almost impossible attribution, known and unknown software vulnerabilities, human weaknesses, and many freely available tools. Defenders need expensive security frameworks, cyber procedures and competent people guarding vulnerable surfaces with no defined perimeters. This asymmetric scenario generates a dangerous cyber arms race where national investments focus more on aggressive tools and attackers than on defense technologies. Two emerging factors – integration of cyber-attacks with artificial intelligence and the diffusion of smart devices and autonomous vehicles – are creating an even more risky battleground where cyber security will permeate social safety. This paper analyzes the main...
Mobile Networks and Applications, 2019
This paper proposes a novel approach for the evaluation of the performance achieved by trainees i... more This paper proposes a novel approach for the evaluation of the performance achieved by trainees involved in cyber security exercises implemented through modern cyber ranges. Our main contributions include: the definition of a distributed monitoring architecture for gathering relevant information about trainees activities; an algorithm for modeling the trainee activities using directed graphs; novel scoring algorithms, based on graph operations, that evaluate different aspects (speed, precision) of a trainee during an exercise. With respect to previous work, our proposal allows to measure exactly how fast a user is progressing towards an objective and where he does wrong. We highlight that this is currently not possible in the most popular cyber ranges.
Lecture Notes in Computer Science, 2016
This paper proposes an efficient protocol for verifiable delegation of computation over outsource... more This paper proposes an efficient protocol for verifiable delegation of computation over outsourced set collections. It improves state of the art protocols by using asymmetric bilinear pairing settings for improved performance with respect to previous proposals based on symmetric settings. Moreover, it extends update operations by supporting efficient modifications over multiple sets. With respect to previous work the proposed protocol has a modular design, that clearly identifies its main building blocks and well-defined interfaces among them. This novel conceptualization allows easier auditing of the protocol security properties and serves as the blueprint of a novel implementation that is released publicly (https://weblab.ing.unimore.it/people/ferretti/versop/). To the best of our knowledge, this is the first public implementation of a protocol for verifiable sets operations.
2015 IEEE Fourth Symposium on Network Cloud Computing and Applications (NCCA), 2015
The cloud computing paradigm has become really popular, and its adoption is constantly increasing... more The cloud computing paradigm has become really popular, and its adoption is constantly increasing. Hence, also network activities and security alerts related to cloud services are increasing and are likely to become even more relevant in the upcoming years. In this paper, we propose the first characterization of real security alerts related to cloud activities and generated by a network sensor at the edge of a large network environment over several months. Results show that the characteristics of cloud security alerts differ from those that are not related to cloud activities. Moreover, alerts related to different cloud providers exhibit peculiar and different behaviors that can be identified through temporal analyses. The methods and results proposed in this paper are useful as a basis for the design of novel algorithms for the automatic analysis of cloud security alerts, that can be aimed at forecasting, prioritization, anomaly and state-change detection. Index Terms-Security analytics; Cloud security; Cloud alerts; Temporal characterization.
This paper describes a concept for vehicle safe-mode, that may help reduce the potential damage o... more This paper describes a concept for vehicle safe-mode, that may help reduce the potential damage of an identified cyberattack. Unlike other defense mechanisms, that try to block the attack or simply notify of its existence, our mechanism responds to the detected breach, by limiting the vehicle’s functionality to relatively safe operations, and optionally activating additional security counter-measures. This is done by adopting the already existing mechanism of Limp-mode, that was originally designed to limit the potential damage of either a mechanical or an electrical malfunction and let the vehicle “limp back home” in relative safety. We further introduce two modes of safe-mode operation: In Transparent-mode, when a cyber-attack is detected the vehicle enters its pre-configured Limp-mode; In Extendedmode we suggest to use custom messages that offer additional flexibility to both the reaction and the recovery plans. While Extended-mode requires modifications to the participating ECUs...
List of Tables 2.1 (a) Acceptors required to solve asynchronous consensus under various failure m... more List of Tables 2.1 (a) Acceptors required to solve asynchronous consensus under various failure models. c is the maximum number of crash failures and b is the maximum number of Byzantine failures tolerated while ensuring the system is both safe and live. u is the maximum number of failures tolerated while ensuring the system is up. r is the maximum number of commission failures tolerated while ensuring the system is right. (b) Acceptors required to solve asynchronous consensus under the crash (Byzantine) failure model for various values of f = b = c. (c) Acceptors required to solve asynchronous consensus under a hybrid failure model with varying values of b and c. (d) Acceptors required to solve asynchronous consensus under the UpRight model with varying values of u and r. Values representing equivalent configurations across tables are marked with emphasis (italicized for BFT configurations, bolded for CFT configurations, or underlined for HFT configurations). 3.1 Observed peak throughput of BFT systems in a fault-free case and when a single faulty client submits a carefully crafted series of requests. We detail our measurements in Section 3.6.2. † The result reported for Q/U is for correct clients issuing conflicting requests. ‡ The HQ prototype demonstrates fault-free performance and does not implement many of the error-handling steps required to resolve
Vijayakumar Varadarajan is currently a Professor and an Associate Dean for School of Computing Sc... more Vijayakumar Varadarajan is currently a Professor and an Associate Dean for School of Computing Science and Engineering at VIT University, Chennai, India. He has more than 18 years of experience including industrial and institutional. He also served as a Team Lead in industries like Satyam, Mahindra Satyam and Tech Mahindra for several years. He has completed Diploma with First Class Honors. He has completed BE CSE and MBA HRD with First Class. He has also completed ME CSE with First Rank Award. He has completed his PhD from Anna University in 2012. He has published many articles in national and international level journals/conferences/books. He is a reviewer in IEEE Transactions, Inderscience and Springer Journals. He has initiated a number of international research collaborations with universities in Europe, Australia, Africa, Malaysia, Singapore and North America. He had also initiated joint research collaboration between VIT University and various industries. He is also the Guest...
2021 IEEE 20th International Symposium on Network Computing and Applications (NCA), 2021
The transportation sector is undergoing rapid changes to reduce pollution and increase life quali... more The transportation sector is undergoing rapid changes to reduce pollution and increase life quality in urban areas. One of the most effective approaches is flexible car rental and sharing to reduce traffic congestion and parking space issues. In this paper, we envision a flexible car sharing framework where vehicle owners want to make their vehicles available for flexible rental to other users. The owners delegate the management of their vehicles to intermediate services under certain policies, such as municipalities or authorized services, which manage the due infrastructure and services that can be accessed by users. We investigate the design of an accountable solution that allow vehicles owners, who want to share their vehicles securely under certain usage policies, to control that delegated services and users comply with the policies. While monitoring users behavior, our approach also takes care of users privacy, preventing tracking or profiling procedures by other parties. Existing approaches put high trust assumptions on users and third parties, do not consider users' privacy requirements, or have limitations in terms of flexibility or applicability. We propose an accountable protocol that extends standard delegated authorizations and integrate it with Security Credential Management Systems (SCMS), while considering the requirements and constraints of vehicular networks. We show that the proposed approach represents a practical approach to guarantee accountability in realistic scenarios with acceptable overhead.
2020 IEEE 92nd Vehicular Technology Conference (VTC2020-Fall)
Emerging Cooperative Intelligent Transportation Systems (C-ITS) enable improved driving experienc... more Emerging Cooperative Intelligent Transportation Systems (C-ITS) enable improved driving experience and safety guarantees, but require secure Vehicular Ad-hoc NETworks (VANETs) that must comply to strict performance constraints. Specialized standards have been defined to these aims, such as the IEEE 1609.2 that uses network-efficient cryptographic protocols to reduce communication latencies. The reduced latencies are achieved through a combination of the Elliptic Curve Qu-Vantstone (ECQV) implicit certificate scheme and the Elliptic Curve Digital Signature Algorithm (ECDSA), to guarantee data integrity and authenticity. However, literature lacks implementations and evaluations for vehicular systems. In this paper, we consider the IEEE 1609.2 standard for secure VANETs and investigate the feasibility of ECQV and ECDSA schemes when deployed in C-ITSs. We propose a prototype implementation of the standard ECQV scheme to evaluate its performance on automotive-grade hardware. To the best of our knowledge, this is the first open implementation of the scheme for constrained devices that are characterized by low computational power and low memory. We evaluate its performance against C-ITS communication latency constraints and show that, although even highly constrained devices can support the standard, complying with stricter requirements demands for higher computational resources.
Digital Threats: Research and Practice, 2021
The incremental diffusion of machine learning algorithms in supporting cybersecurity is creating ... more The incremental diffusion of machine learning algorithms in supporting cybersecurity is creating novel defensive opportunities but also new types of risks. Multiple researches have shown that machine learning methods are vulnerable to adversarial attacks that create tiny perturbations aimed at decreasing the effectiveness of detecting threats. We observe that existing literature assumes threat models that are inappropriate for realistic cybersecurity scenarios because they consider opponents with complete knowledge about the cyber detector or that can freely interact with the target systems. By focusing on Network Intrusion Detection Systems based on machine learning, we identify and model the real capabilities and circumstances required by attackers to carry out feasible and successful adversarial attacks. We then apply our model to several adversarial attacks proposed in literature and highlight the limits and merits that can result in actual adversarial attacks. The contributions...
Lecture Notes in Computer Science, 2009
The complexity of modern network architectures and the epidemic diffusion of malware require coll... more The complexity of modern network architectures and the epidemic diffusion of malware require collaborative approaches for defense. We present a novel distributed system where each component collaborates to the intrusion and malware detection and to the dissemination of the local analyses. The proposed architecture is based on a decentralized, peer-to-peer and sensor-agnostic design that addresses dependability and load unbalance issues affecting existing systems based on centralized and hierarchical schemes. Load balancing properties, ability to tolerate churn, self-organization capabilities and scalability are demonstrated through a prototype integrating different open source defensive software.
IFIP – The International Federation for Information Processing
The constant increase of malware threats clearly shows that the present countermeasures are not s... more The constant increase of malware threats clearly shows that the present countermeasures are not sufficient especially because most actions are put in place only when infections have already spread. In this paper, we present an innovative collaborative architecture for malware analysis that aims to early detection and timely deployment of countermeasures. The proposed system is a multi-tier architecture where the sensor nodes are geographically distributed over multiple organizations. These nodes send alerts to intermediate managers that, in their turn, communicate with one logical collector and analyzer. Relevant information, that is determined by the automatic analysis of the malware behavior in a sandbox, and countermeasures are sent to all the cooperating networks. There are many other novel features in the proposal. The architecture is extremely scalable and flexible because multiple levels of intermediate managers can be utilized depending on the complexity of the network of the participating organization. Cyphered communications among components help preventing the leakage of sensitive information and allow the pairwise authentication of the nodes involved in the information sharing. The feasibility of the proposed architecture is demonstrated through an operative prototype realized using open source software.
Uploads
Papers by Mirco Marchetti