The cybersecurity group is a multidisciplinary team of researchers that collates several knowledge areas and apply them to scientific problems in the context of IT security. The team works on several diverse topics related to cybersecurity, including:
Among all the existing Attack models, Attack graphs represent a nice abstraction to capture the notion of multi-step attack i.e., an attack toward a specific target executed taking intermediate steps in which the attacker compromise several entireties and exploits their vulnerability to reach the target. Several attack graph representations exist in literature but they suffer the same limitation: they are poorly scalable and consider only vulnerability related to the underling network infrastructure. We study how to improve the scalability of the attack graph generation process and how to enrich the attack graph with other types of information (e.g., application vulnerabilities, human vulnerabilities, etc.).
Binary similarity. Different works in literature afford the problem of binary similarity: given the binary code of two different functions they try to understand if these two binaries have been compiled from the same source. The problem has a large number of potential applications, but it is not trivial because the source code can be compiled with different compilers on different platforms, or the compiler can use different optimizations. We study how we can generalize this definition of similarity using deep learning. In particular, we aim at identifying semantic similarities among compiled functions to support malware analysis.
Blockchain. Blockchain is an emerging paradigm that allows to store data in a fully decentralized system guaranteeing data integrity and transparency in the data flow. Actually, several technologies exists that allows users to develop and deploy his/her own blockchain. We are studying issues related to blockchain scalability (in terms of achieved performance) and security against external attacks.
Cyber-physical systems. Protection and preventive control of cyber-physical systems via model-based control-theoretical approaches. Robust control and model predictive control are being utilized to safely operate complex systems, such as SCADA? controlled Critical Infrastructures (e.g., Power Networks), in order to assure service resilience and operational efficiency. On a related research line, we study novel solutions for the protection of IoT devices from external malicious interactions based on the behavioral analysis of the attacker.
Evasive malware. Sandboxes are a staple of modern malware detection and analysis techniques. However, malware writers over the years have adapted their strategies in order to have malicious sample hide their true colors when executing in such analysis environments. Fingerprinting techniques are employed to detect distinctive features of sandboxing products or even better of the virtualization technologies they rely upon. We investigate how dynamic binary instrumentation can be used to detect evasive attempts by malware samples, and fake the results provided by the execution environment in order to give a sample the illusion that it is executing in a non-hostile environment, or in a very specific hardware and software configuration in the case of APT malware.
Information Extraction for Open Source Intelligence. Open-Source INTelligence (OSINT) is intelligence based on publicly available resources, such as news sites, blogs, forums, social networks, etc. In OSINT, the Web is the primary source of information, and extracting, structuring and interpreting such information are crucial problem in many application scenarios, like, for instance, security, market intelligence, or statistics. We study how to transform raw information crawled from the Web into actionable data, by coupling traditional information extraction approaches with the use of semantic technologies, which may help to automatize this process and to assign a precise structure and a clear semantic to the extracted data.
Malware Analysis Support Tools. Understanding the behavior of malware requires a semiautomatic approach including complex software tools and human analysts in the loop. However, the huge number of malicious samples developed daily calls for some prioritization mechanism to carefully select the samples that really deserve to be further examined by analysts. This avoids computational resources be overloaded and human analysts saturated. We investigate a malware triage stage where samples are quickly and automatically examined to promptly decide whether they should be immediately dispatched to human analysts or to other specific automatic analysis queues, rather than following the common and slow analysis pipeline.
Privacy Preserving Applications. Private computing provides a clever way to process data without revealing any details about the data itself to the party in charge of processing it. Data protection can be achieved by encrypting the signals and processing them in encrypted form. Possible applications of this approach are virtually endless. Among them, we explore privacy-preserving biometric matching, biomedical signal processing, private sensor fusion in IoT swarms, and private sample analysis for malware identification.
Return Oriented Programming. Code reuse attacks are exploits in which an attacker can execute arbitrary code on a compromised machine without having to inject it in memory, as they achieve the intended behavior by joining fragments of code belonging to a legit installed software component. Return oriented programming (ROP) attacks are the most common form of such attacks. We have been building a collection of ROP exploits of increasing complexity to foster their study in the research community; we also developed a tool for inspecting and analyzing how a ROP attack takes place, which can be sometimes a cumbersome task even for security professionals due to the entanglements of ROP code, and frequently an offputting job for researchers. We are also exploring how code reuse can be employed in a defensive scenario, for instance to protect intellectual property in the context of code obfuscation and anti-piracy applications.
Swarm Attestation. Remote attestation protocols are widely used to detect device configuration (e.g., software and/or data) compromise in Internet of Things (IoT) scenarios. Unfortunately, the performances of such protocols are unsatisfactory when dealing with thousands of smart devices. Upon the recent concept of noninteractive attestation, we are approaching collective attestation problem by reducing it into a minimum consensus one and the results confirm the suitability of such solution for low-end devices, and highly unstructured networks.
Symbolic execution. In recent years symbolic execution has drawn considerable attention from academic and industrial researchers, with notable applications to, e.g., software testing, program verification, and security. We authored a survey of symbolic execution techniques, reviewing the state of the art in the design, implementation, and open research problems in the area, with particular attention to cybersecurity aspects. We have been researching in memory modeling problems for symbolic executors, proposing a model that can accurately capture pointer dereferencing operations, which are critical for instance in the detection of vulnerabilities (such as use-after-free and heap overflow) and in turn for their exploitation. We also explored how symbolic execution can help reconstruct the protocol used in Remote Access Trojans, which are weapons used by cybercriminals to control infected endpoints.
Visual analytics. Visual Analytics is the science of analytical reasoning facilitated by visual interactive interfaces. In the cyber-security domain it allows the human to manipulate and manage large quantities of data through powerful visual abstractions, supporting heterogeneous analysis tasks like monitoring, proactive and reactive analysis, what-if analysis and prediction. The support is at different levels, ranging from strategic decision processes down to active cyber-attacks countermeasures. We are actively studying novel visual analytics solutions for cybersecurity, focused on supporting proactive analysis of cyber-risk status for complex networks, real-time response to cyber attacks, effective explanation of learning process for malware classifiers, cybersecurity policy assessment and specification through standard frameworks (e.g. NIST cyber-security framework). Solutions regarding improving situational awareness of cyber-security operators under stressful situations and support to digital forensics activities are currently under development.
The cybersecurity group members are also strongly involved in the activities of the Research Center of Cyber Intelligence and Information Security (CIS). CIS does leadership applied research in the context of cyber security, information assurance, critical information infrastructure protection, trend prediction, open-source intelligence, cyber physical systems and smart complex systems. Advanced capabilities in cyber intelligence will be indeed essential in the next years due to the pervasiveness of cloud, social computing and mobility technologies, that lower the control that organizations and governments have over systems, infrastructure and data. CIS aims at designing better information security methodologies, threat profiles and at elaborating defense strategies taking into account the economic and legal impact in a unique framework. Research results are applied to real world contexts such as cyberwarfare, fraud detection, stock market stability, detection of tax evasion, monitoring of mission-critical systems, early warning systems and smart environments.