BACHECA TESI
Giovanni Apruzzese (Dipartimento di Ingegneria )
"Security Analytics and Machine Learning for Cyber Detection: Modern Issues and Novel Solutions"
Link esterno al gruppo di ricerca: https://weblab.ing.unimore.it/people/
"Security Analytics and Machine Learning for Cyber Detection: Modern Issues and Novel Solutions"Link esterno al gruppo di ricerca: https://weblab.ing.unimore.it/people/
Giovanni Apruzzese (Dipartimento di Ingegneria )
"Security Analytics and Machine Learning for Cyber Detection: Modern Issues and Novel Solutions"
(Relatore: Prof. Michele Colajanni).
La sicurezza delle informazioni nel mondo digitale è un problema complesso ed articolato: i sistemi informatici moderni sono costituiti da migliaia di dispositivi ed applicazioni eterogenee, aumentando quindi la superficie di vulnerabilità sfruttabili dagli attaccanti. I meccanismi difensivi si dividono in tre tipologie: prevenzione, rilevazione, e reazione. La prevenzione completa da qualsiasi tipologia di minaccia è un traguardo quasi irraggiungibile, mentre la reazione presuppone che l'attaccante ha già portato a termine il proprio obiettivo. La presente tesi quindi affronta l'argomento della rilevazione (detection) dei cyber-attacchi avanzati -- attività che presenta numerose sfide. Gli attaccanti più esperti migliorano continuamente i propri strumenti e, attraverso l'attuazione di strategie originali, sono in grado di eludere la rilevazione degli approcci tradizionali basati su regole statiche. Di conseguenza, molte data-breach richiedono mesi prima di essere identificate, provocando ingenti danni alle organizzazioni moderne. Gli operatori umani da soli non sono in grado di gestire il continuo aumento della complessità, varietà e velocità delle minacce recenti. Per risolvere questo problema, come evidenziato sia dalla letteratura scientifica che da appositi report tecnici, gli analisti della sicurezza devono essere supportati da meccanismi di rilevazione aumatici che possano sfruttare le grandi quantità di dati generati dalle reti moderne. Questa tesi promuove e incentiva questa posizione, proponendo tecniche di security analytics che adottano modelli di machine learning e algoritmi matematici. In particolare, vengono presentate soluzioni originali per la cyber detection di minacce diffuse quali botnet, lateral movement, comunicazioni periodiche malevole, e phishing. Viene anche effettuato uno studio dei problemi che affliggono questi approcci nei contesti di cybersecurity, caratterizati da una -- non apparente -- difficoltà di applicazione di nuove soluzioni, a causa della difficoltà di definire la linea di separazione tra azioni malevole e legittime. Nella seconda parte di questa tesi, si considera il problema degli adversarial attack contro i cyber detector, e si presentano soluzioni originali per ridurre l'impatto di simili minacce. Tutti i metodi proposti richiedono un ridotto quantitativo di informazioni e si basano su assunzioni essenziali, consentendone l'integrazione nei framework di difesa adottati dalle organizzazioni reali. Un valore importante che caratterizza l'intera tesi è che tutte le idee e tecniche proposte sono validate attraverso numerose campagne sperimentali effettuate su dataset realistici di grosse dimensioni. I risultati ottenuti migliorano lo stato dell'arte e, in alcuni casi, risolvono i problemi di detection. Per queste ragioni, si può affermare che la presente tesi costituisca un solido fondamento per la creazione di sistemi difensivi che siano in grado di supportare gli operatori di sicurezza anche in presenza delle forme di cyber-attacchi più all'avanguardia.
Link esterno al gruppo di ricerca: https://weblab.ing.unimore.it/people/
"Security Analytics and Machine Learning for Cyber Detection: Modern Issues and Novel Solutions"(Relatore: Prof. Michele Colajanni).
La sicurezza delle informazioni nel mondo digitale è un problema complesso ed articolato: i sistemi informatici moderni sono costituiti da migliaia di dispositivi ed applicazioni eterogenee, aumentando quindi la superficie di vulnerabilità sfruttabili dagli attaccanti. I meccanismi difensivi si dividono in tre tipologie: prevenzione, rilevazione, e reazione. La prevenzione completa da qualsiasi tipologia di minaccia è un traguardo quasi irraggiungibile, mentre la reazione presuppone che l'attaccante ha già portato a termine il proprio obiettivo. La presente tesi quindi affronta l'argomento della rilevazione (detection) dei cyber-attacchi avanzati -- attività che presenta numerose sfide. Gli attaccanti più esperti migliorano continuamente i propri strumenti e, attraverso l'attuazione di strategie originali, sono in grado di eludere la rilevazione degli approcci tradizionali basati su regole statiche. Di conseguenza, molte data-breach richiedono mesi prima di essere identificate, provocando ingenti danni alle organizzazioni moderne. Gli operatori umani da soli non sono in grado di gestire il continuo aumento della complessità, varietà e velocità delle minacce recenti. Per risolvere questo problema, come evidenziato sia dalla letteratura scientifica che da appositi report tecnici, gli analisti della sicurezza devono essere supportati da meccanismi di rilevazione aumatici che possano sfruttare le grandi quantità di dati generati dalle reti moderne. Questa tesi promuove e incentiva questa posizione, proponendo tecniche di security analytics che adottano modelli di machine learning e algoritmi matematici. In particolare, vengono presentate soluzioni originali per la cyber detection di minacce diffuse quali botnet, lateral movement, comunicazioni periodiche malevole, e phishing. Viene anche effettuato uno studio dei problemi che affliggono questi approcci nei contesti di cybersecurity, caratterizati da una -- non apparente -- difficoltà di applicazione di nuove soluzioni, a causa della difficoltà di definire la linea di separazione tra azioni malevole e legittime. Nella seconda parte di questa tesi, si considera il problema degli adversarial attack contro i cyber detector, e si presentano soluzioni originali per ridurre l'impatto di simili minacce. Tutti i metodi proposti richiedono un ridotto quantitativo di informazioni e si basano su assunzioni essenziali, consentendone l'integrazione nei framework di difesa adottati dalle organizzazioni reali. Un valore importante che caratterizza l'intera tesi è che tutte le idee e tecniche proposte sono validate attraverso numerose campagne sperimentali effettuate su dataset realistici di grosse dimensioni. I risultati ottenuti migliorano lo stato dell'arte e, in alcuni casi, risolvono i problemi di detection. Per queste ragioni, si può affermare che la presente tesi costituisca un solido fondamento per la creazione di sistemi difensivi che siano in grado di supportare gli operatori di sicurezza anche in presenza delle forme di cyber-attacchi più all'avanguardia.
Link esterno al gruppo di ricerca: https://weblab.ing.unimore.it/people/
Giovanni Calore (Dipartimento di Matematica, Università degli Studi di Padova)
"Membership Inference Attacks on Differentially Private StyleGAN2"
Link esterno al gruppo di ricerca: https://spritz.math.unipd.it/
"Membership Inference Attacks on Differentially Private StyleGAN2"Link esterno al gruppo di ricerca: https://spritz.math.unipd.it/
Giovanni Calore (Dipartimento di Matematica, Università degli Studi di Padova)
"Membership Inference Attacks on Differentially Private StyleGAN2"
(Relatore: Mauro Conti).
In recent years, great progress has been made in defining ever more performing and powerful deep learning models, with abilities never seen before. While it is true that the architecture of a model is fundamental for performance in terms of quality and time spent on training, no less important is the usage of a high-quality dataset during training. If even the best of models is trained with a poor quality dataset, then the final result will reflect the negative consequences. Datasets often requires specific permissions that the user must request at the source or complex anonymization procedures, which must be carried out to avoid exposing sensitive information, such as medical records, everyday personal information or sensitive images. A strategy adopted to speed up the scientific research, satisfy the complex requests for data analysis and the stringent privacy requirements is that of the production of synthetic datasets, i.e., datasets that have a distribution very similar to that of a target dataset and can both be used to train complex networks and guarantee a high level of privacy, since their individual samples are different from those of the original dataset, while ensuring the similarity as a whole. A specific model architecture, the Generative Adversarial Network (GAN), has been proved effective in qualitative terms for the production of synthetic datasets. This work focuses on a specific type of attacks against these networks, the Membership Inference attacks. Making membership inference means obtaining information about the individual components of the original dataset, in particular starting from a sample, defining whether that sample is part of the training dataset or not. Having a set of samples, in which the presence of samples used to train the generative model is suspected, the attack consists in identifying these samples. The analysis is concentrated on images, an area in which GANs have established themselves as state-of-the-art for the production of high-quality images. A question to which we try to answer in this document concerns the privacy leakage of these models: do the improvements made to the networks that are now able to produce high-quality samples, translate into greater vulnerability? Does giving more quality necessarily mean creating overfitting on the reference dataset? What are the biggest privacy drawbacks towards these networks? We then propose some innovative approaches as attempted attacks on GANs, testing the intuition that the network can actually "remember" information related to the training data. Abadi et al. defined an algorithm for the protection of GANs against this kind of attacks, introducing the differentially private gradient descent. Basically, to avoid that the update of the network weights undergoes too large variations following observation of the data, the gradient is first clipped and then an arbitrary sum of noise is added, steps which are both regulated by hyperparameters. By definition, the addition of noise in the training procedure leads the model to lose part of its effectiveness and quality in the production of synthetic samples, a price that is paid to guarantee a certain level of privacy. We wanted to measure the effective loss of quality as the values of the clipping and noise intensity hyperparameters vary and the relative ability to resist the analyzed threats, with the aim of determining the feasibility of using the protections adopted in a realistic context and a trade-off between performance and privacy protection. We then propose a new differentially private training procedure that aims to increase the performance of the model in terms of output sample quality, but still maintaining a good level of privacy. This approach is based on a different noise distribution through the layers: the intuition is that by adding a greater amount of noise to the layers that control the synthesis of higher-level features than the noise added to those layers that control low-level features, the model should perform better and output images with higher quality than having a static noise sum operation. The new defined optimizer is called Hierarchical Differentially Private Stochastic Gradient Descent (HDP-SGD).
Link esterno al gruppo di ricerca: https://spritz.math.unipd.it/
"Membership Inference Attacks on Differentially Private StyleGAN2"(Relatore: Mauro Conti).
In recent years, great progress has been made in defining ever more performing and powerful deep learning models, with abilities never seen before. While it is true that the architecture of a model is fundamental for performance in terms of quality and time spent on training, no less important is the usage of a high-quality dataset during training. If even the best of models is trained with a poor quality dataset, then the final result will reflect the negative consequences. Datasets often requires specific permissions that the user must request at the source or complex anonymization procedures, which must be carried out to avoid exposing sensitive information, such as medical records, everyday personal information or sensitive images. A strategy adopted to speed up the scientific research, satisfy the complex requests for data analysis and the stringent privacy requirements is that of the production of synthetic datasets, i.e., datasets that have a distribution very similar to that of a target dataset and can both be used to train complex networks and guarantee a high level of privacy, since their individual samples are different from those of the original dataset, while ensuring the similarity as a whole. A specific model architecture, the Generative Adversarial Network (GAN), has been proved effective in qualitative terms for the production of synthetic datasets. This work focuses on a specific type of attacks against these networks, the Membership Inference attacks. Making membership inference means obtaining information about the individual components of the original dataset, in particular starting from a sample, defining whether that sample is part of the training dataset or not. Having a set of samples, in which the presence of samples used to train the generative model is suspected, the attack consists in identifying these samples. The analysis is concentrated on images, an area in which GANs have established themselves as state-of-the-art for the production of high-quality images. A question to which we try to answer in this document concerns the privacy leakage of these models: do the improvements made to the networks that are now able to produce high-quality samples, translate into greater vulnerability? Does giving more quality necessarily mean creating overfitting on the reference dataset? What are the biggest privacy drawbacks towards these networks? We then propose some innovative approaches as attempted attacks on GANs, testing the intuition that the network can actually "remember" information related to the training data. Abadi et al. defined an algorithm for the protection of GANs against this kind of attacks, introducing the differentially private gradient descent. Basically, to avoid that the update of the network weights undergoes too large variations following observation of the data, the gradient is first clipped and then an arbitrary sum of noise is added, steps which are both regulated by hyperparameters. By definition, the addition of noise in the training procedure leads the model to lose part of its effectiveness and quality in the production of synthetic samples, a price that is paid to guarantee a certain level of privacy. We wanted to measure the effective loss of quality as the values of the clipping and noise intensity hyperparameters vary and the relative ability to resist the analyzed threats, with the aim of determining the feasibility of using the protections adopted in a realistic context and a trade-off between performance and privacy protection. We then propose a new differentially private training procedure that aims to increase the performance of the model in terms of output sample quality, but still maintaining a good level of privacy. This approach is based on a different noise distribution through the layers: the intuition is that by adding a greater amount of noise to the layers that control the synthesis of higher-level features than the noise added to those layers that control low-level features, the model should perform better and output images with higher quality than having a static noise sum operation. The new defined optimizer is called Hierarchical Differentially Private Stochastic Gradient Descent (HDP-SGD).
Link esterno al gruppo di ricerca: https://spritz.math.unipd.it/
Denis Donadel (Dipartimento di Ingegneria dell'Informazione, Università degli Studi di Padova)
"Secure Cyber-Physical Systems: Key Issues in Industrial Control Systems and Electric Vehicles"
Link esterno al gruppo di ricerca: https://spritz.math.unipd.it/
"Secure Cyber-Physical Systems: Key Issues in Industrial Control Systems and Electric Vehicles"Link esterno al gruppo di ricerca: https://spritz.math.unipd.it/
Denis Donadel (Dipartimento di Ingegneria dell'Informazione, Università degli Studi di Padova)
"Secure Cyber-Physical Systems: Key Issues in Industrial Control Systems and Electric Vehicles"
(Relatore: Prof. Mauro Conti).
** Introduction In the last decades, technological innovation had touched almost everything, moving society to the Cyber-Physical Systems (CPSs) era. Industries have become smarter by installing new intelligent devices and connecting components to the Internet. The spreading of Electric Vehicles (EVs) has increased the energy demand, which needs a smart infrastructure to be safely managed. This more pervasive penetration of software inside a wide range of devices opened the possibility of different cyber-attacks in many fields external to the classical Information Technology. To protect these new assets, novel ad-hoc techniques have begun to be developed. ** First part: Industrial Control Systems Since real Industrial Control Systems (ICSs) contains critical processes, researchers who want to implement security measures need to rely on scaled-down versions or anonymized data captures from real systems. In this work, we analyzed many available testbeds and datasets available in the literature. Starting from this work, we provide not only a description of the most relevant ones, but also some advice and good practices for researchers who want to use or build a testbed or a dataset. ** Second part: Electric Vehicles Furthermore, we analyzed the security of the Vehicle To Grid (V2G) environment, providing a review of the state-of-the-art. We design EVExchange, an effective relay attack that allows an attacker to block the charge of a victim and make the victim pay for the energy requested by the attacker. To test EVExchange, we developed a novel open-source simulator based on Mininet and RiseV2G which is presented in this work and which can be used to simulate networks of EVs and charging stations. Finally, to protect the infrastructure from the presented attack, we designed a countermeasure based on the fingerprinting of the Electric Vehicle Supply Equipment (EVSE) employing easily accessible physical measurements, together with the position offered by the Global Navigation Satellite System (GNSS). ** Contributions The main contributions of this thesis are the following: • A survey of the main testbed and datasets employed in the field of ICS security, showing the main characteristics of them; • A complete list of advice and good practices that can be useful to researchers who want to build an ICS testbed or who want to select the best testbed or dataset to test their findings; • A simulator to facilitate the implementation of a network of charging stations and EVs by using only open-source software (i.e., Mininet and RiseV2G); • The design of EVExchange, an effective relay attack against the V2G environment; • A novel countermeasure mainly based on the fingerprinting of an EVSE which can prevent EVExchange and other relay attacks.
Link esterno al gruppo di ricerca: https://spritz.math.unipd.it/
"Secure Cyber-Physical Systems: Key Issues in Industrial Control Systems and Electric Vehicles"(Relatore: Prof. Mauro Conti).
** Introduction In the last decades, technological innovation had touched almost everything, moving society to the Cyber-Physical Systems (CPSs) era. Industries have become smarter by installing new intelligent devices and connecting components to the Internet. The spreading of Electric Vehicles (EVs) has increased the energy demand, which needs a smart infrastructure to be safely managed. This more pervasive penetration of software inside a wide range of devices opened the possibility of different cyber-attacks in many fields external to the classical Information Technology. To protect these new assets, novel ad-hoc techniques have begun to be developed. ** First part: Industrial Control Systems Since real Industrial Control Systems (ICSs) contains critical processes, researchers who want to implement security measures need to rely on scaled-down versions or anonymized data captures from real systems. In this work, we analyzed many available testbeds and datasets available in the literature. Starting from this work, we provide not only a description of the most relevant ones, but also some advice and good practices for researchers who want to use or build a testbed or a dataset. ** Second part: Electric Vehicles Furthermore, we analyzed the security of the Vehicle To Grid (V2G) environment, providing a review of the state-of-the-art. We design EVExchange, an effective relay attack that allows an attacker to block the charge of a victim and make the victim pay for the energy requested by the attacker. To test EVExchange, we developed a novel open-source simulator based on Mininet and RiseV2G which is presented in this work and which can be used to simulate networks of EVs and charging stations. Finally, to protect the infrastructure from the presented attack, we designed a countermeasure based on the fingerprinting of the Electric Vehicle Supply Equipment (EVSE) employing easily accessible physical measurements, together with the position offered by the Global Navigation Satellite System (GNSS). ** Contributions The main contributions of this thesis are the following: • A survey of the main testbed and datasets employed in the field of ICS security, showing the main characteristics of them; • A complete list of advice and good practices that can be useful to researchers who want to build an ICS testbed or who want to select the best testbed or dataset to test their findings; • A simulator to facilitate the implementation of a network of charging stations and EVs by using only open-source software (i.e., Mininet and RiseV2G); • The design of EVExchange, an effective relay attack against the V2G environment; • A novel countermeasure mainly based on the fingerprinting of an EVSE which can prevent EVExchange and other relay attacks.
Link esterno al gruppo di ricerca: https://spritz.math.unipd.it/
Andrea Fioraldi (Dipartimento di Ingegneria Informatica, automatica e gestionale Antonio Ruberti, Sapienza Università di Roma)
"Program State Abstraction for Feedback-Driven Fuzz Testing using Likely Invariants"
Link esterno alla tesi: https://arxiv.org/abs/2012.11182
"Program State Abstraction for Feedback-Driven Fuzz Testing using Likely Invariants"Link esterno alla tesi: https://arxiv.org/abs/2012.11182
Andrea Fioraldi (Dipartimento di Ingegneria Informatica, automatica e gestionale Antonio Ruberti, Sapienza Università di Roma)
"Program State Abstraction for Feedback-Driven Fuzz Testing using Likely Invariants"
(Relatore: Daniele Cono D'Elia).
Fuzz testing proved its great effectiveness in finding software bugs in the latest years, however, there are still open challenges. Coverage-guided fuzzers suffer from the fact that covering a program point does not ensure the trigger of a fault. Other more sensitive techniques that in theory should cope with this problem, such as the coverage of the memory values, easily lead to path explosion. In this thesis, we propose a new feedback for Feedback-driven Fuzz testing that combines code coverage with the "shape" of the data. We learn likely invariants for each basic block in order to divide into regions the space described by the variables used in the block. The goal is to distinguish in the feedback when a block is executed with values that fall in different regions of the space. This better approximates the program state coverage and, on some targets, improves the ability of the fuzzer in finding faults. We developed a prototype using LLVM and AFL++ called InvsCov.
Link esterno alla tesi: https://arxiv.org/abs/2012.11182
"Program State Abstraction for Feedback-Driven Fuzz Testing using Likely Invariants"(Relatore: Daniele Cono D'Elia).
Fuzz testing proved its great effectiveness in finding software bugs in the latest years, however, there are still open challenges. Coverage-guided fuzzers suffer from the fact that covering a program point does not ensure the trigger of a fault. Other more sensitive techniques that in theory should cope with this problem, such as the coverage of the memory values, easily lead to path explosion. In this thesis, we propose a new feedback for Feedback-driven Fuzz testing that combines code coverage with the "shape" of the data. We learn likely invariants for each basic block in order to divide into regions the space described by the variables used in the block. The goal is to distinguish in the feedback when a block is executed with values that fall in different regions of the space. This better approximates the program state coverage and, on some targets, improves the ability of the fuzzer in finding faults. We developed a prototype using LLVM and AFL++ called InvsCov.
Link esterno alla tesi: https://arxiv.org/abs/2012.11182
Fabrizio La Rocca (Dipartimento di Informatica, Università degli Studi di Milano)
"Splunk4Honeypot - Progettazione e deployment di honeypot ed integrazione con Splunk"
"Splunk4Honeypot - Progettazione e deployment di honeypot ed integrazione con Splunk"Fabrizio La Rocca (Dipartimento di Informatica, Università degli Studi di Milano)
"Splunk4Honeypot - Progettazione e deployment di honeypot ed integrazione con Splunk"
(Relatore: Stelvio Cimato).
A differenza dei più comuni sistemi di difesa ad oggi conosciuti, gli honeypot sono appositamente progettati per essere esposti in rete in modo tale da risultare agli occhi degli attaccanti come delle risorse potenzialmente compromettibili. Subendo attacchi informatici diretti è possibile acquisire preziose informazioni sugli avversari permettendo di individuare, per esempio, nuove tipologie e tecniche di attacco, eventi riconducibili alla presenza di attaccanti all’interno del proprio perimetro di sicurezza o, dall’analisi del sistema compromesso e degli artefatti trovati, indicatori di compromissione impiegabili per attività di prevenzione e threat hunting. Il lavoro di tesi svolto prevede una prima parte dedicata agli aspetti più teorici e generali della tecnologia quali: possibili classificazioni, caratteristiche funzionali e architetturali, analisi sullo stato dell’arte, benefici e svantaggi. La seconda parte è dedicata al processo di progettazione (dall’analisi dei requisiti fino alla messa in funzione) conclusosi con la realizzazione di due sistemi honeypot: uno di ricerca sul cloud, finalizzato all’analisi di attacchi provenienti dall’internet pubblico, l’altro in un ambiente di produzione, per il possibile rilevamento di attacchi all’interno della intranet aziendale. I due progetti sono stati integrati con Splunk, piattaforma tra i leader del mercato, che ha permesso, grazie alle funzionalità che offre, l’acquisizione centralizzata dei log honeypot e un’efficiente estrazione e valorizzazione delle informazioni acquisibili dagli stessi. La necessità di disporre di un componente facilmente integrabile, espandibile, personalizzabile e utilizzabile sia in contesti privati che aziendali (provvisti o meno di soluzioni SIEM) e l’inesistenza di un’app nella libreria “Splunkbase” dedicata all’analisi dei log honeypot, ha portato alla creazione dell’applicazione Splunk “Splunk4Honeypot”. La stessa ha permesso di fornire all’utilizzatore finale tutti gli strumenti di supporto utili per il rilevamento automatico, visualizzazione e analisi degli eventi più significativi (in tempo reale e non) acquisiti dagli honeypot. Tra questi, figurano: alert dedicati, workflow per la rapida ricerca di IOC su siti di Threat Intelligence (quali indirizzi IP o hash dei file raccolti), dashboard dinamiche per una più semplice ricerca e migliore presentazione dei dati, report schedulati visualizzabili sulla piattaforma o inviabili via mail. L’ultima parte della tesi è dedicata all’analisi dei risultati e ai pattern di attacco rilevati (numero, distribuzione geografica e complessità delle password impiegate per tentare l’accesso, azioni post-intrusione e altri particolari comportamenti riscontrati). Si conclude, infine, con la descrizione dei possibili sviluppi futuri del progetto e dell’applicazione Splunk4Honeypot realizzata.
"Splunk4Honeypot - Progettazione e deployment di honeypot ed integrazione con Splunk"(Relatore: Stelvio Cimato).
A differenza dei più comuni sistemi di difesa ad oggi conosciuti, gli honeypot sono appositamente progettati per essere esposti in rete in modo tale da risultare agli occhi degli attaccanti come delle risorse potenzialmente compromettibili. Subendo attacchi informatici diretti è possibile acquisire preziose informazioni sugli avversari permettendo di individuare, per esempio, nuove tipologie e tecniche di attacco, eventi riconducibili alla presenza di attaccanti all’interno del proprio perimetro di sicurezza o, dall’analisi del sistema compromesso e degli artefatti trovati, indicatori di compromissione impiegabili per attività di prevenzione e threat hunting. Il lavoro di tesi svolto prevede una prima parte dedicata agli aspetti più teorici e generali della tecnologia quali: possibili classificazioni, caratteristiche funzionali e architetturali, analisi sullo stato dell’arte, benefici e svantaggi. La seconda parte è dedicata al processo di progettazione (dall’analisi dei requisiti fino alla messa in funzione) conclusosi con la realizzazione di due sistemi honeypot: uno di ricerca sul cloud, finalizzato all’analisi di attacchi provenienti dall’internet pubblico, l’altro in un ambiente di produzione, per il possibile rilevamento di attacchi all’interno della intranet aziendale. I due progetti sono stati integrati con Splunk, piattaforma tra i leader del mercato, che ha permesso, grazie alle funzionalità che offre, l’acquisizione centralizzata dei log honeypot e un’efficiente estrazione e valorizzazione delle informazioni acquisibili dagli stessi. La necessità di disporre di un componente facilmente integrabile, espandibile, personalizzabile e utilizzabile sia in contesti privati che aziendali (provvisti o meno di soluzioni SIEM) e l’inesistenza di un’app nella libreria “Splunkbase” dedicata all’analisi dei log honeypot, ha portato alla creazione dell’applicazione Splunk “Splunk4Honeypot”. La stessa ha permesso di fornire all’utilizzatore finale tutti gli strumenti di supporto utili per il rilevamento automatico, visualizzazione e analisi degli eventi più significativi (in tempo reale e non) acquisiti dagli honeypot. Tra questi, figurano: alert dedicati, workflow per la rapida ricerca di IOC su siti di Threat Intelligence (quali indirizzi IP o hash dei file raccolti), dashboard dinamiche per una più semplice ricerca e migliore presentazione dei dati, report schedulati visualizzabili sulla piattaforma o inviabili via mail. L’ultima parte della tesi è dedicata all’analisi dei risultati e ai pattern di attacco rilevati (numero, distribuzione geografica e complessità delle password impiegate per tentare l’accesso, azioni post-intrusione e altri particolari comportamenti riscontrati). Si conclude, infine, con la descrizione dei possibili sviluppi futuri del progetto e dell’applicazione Splunk4Honeypot realizzata.
Francesco Meloni (DIEE, Università degli Studi di Cagliari)
"Advanced Call Graph Fingerprinting for the Analysis and Classification of Windows Malware"
"Advanced Call Graph Fingerprinting for the Analysis and Classification of Windows Malware"Francesco Meloni (DIEE, Università degli Studi di Cagliari)
"Advanced Call Graph Fingerprinting for the Analysis and Classification of Windows Malware"
(Relatore: Davide Maiorca).
When dealing with computer security and the ever-growing cyber threats, malware has had a major impact over the years. Given the complex aspects of determining malicious behaviour through malware analysis, different solutions leveraging on artificial intelligence and machine learning have been developed. The research on this matter focuses on increasing the effectiveness and the speed by which cyber threats can be found and thus mitigated. This work aims to give a contribution by implementing a system which is able to correctly classify malware samples based on their family of behaviour. Recent works in research are focusing most of their implementation on deep machine learning models, that are able to autonomously extract discriminant features. While these type of systems are highly effective in their usage case scenarios, they require much more effort in terms of computational power to be built and time expense to be trained. Most importantly, in order to achieve better classification accuracy, they are more complex to analyse and debug than they are easier to potentially exploit (as shown by the recent progress in adversarial machine learning models). This work took another direction, by building a system which can be used not only for malware classification, but also as an analysis framework to automatically characterise groups of malware executables. It disposes of all the needed processing blocks to filter out and label samples for supervised learning, autonomously extract valuable information such as a compact graph view of the executables. These graphs are then used to construct the features used by different machine learning models. These features constitute a so called behavioral "fingerprint" , a compact matrix which is composed of an ensemble of signatures that capture how a given malware sample flows in terms of user defined functions and library functions called inside them. The classification simply uses an ad-hoc distance metric dependent on the similarity of families of fingerprints to predict the behaviour of new samples. Malware fingerprints have proved to be an effective tool for classifying the behaviour of a set of known malware families, as well as determining the existence of potentially new malware families.
"Advanced Call Graph Fingerprinting for the Analysis and Classification of Windows Malware"(Relatore: Davide Maiorca).
When dealing with computer security and the ever-growing cyber threats, malware has had a major impact over the years. Given the complex aspects of determining malicious behaviour through malware analysis, different solutions leveraging on artificial intelligence and machine learning have been developed. The research on this matter focuses on increasing the effectiveness and the speed by which cyber threats can be found and thus mitigated. This work aims to give a contribution by implementing a system which is able to correctly classify malware samples based on their family of behaviour. Recent works in research are focusing most of their implementation on deep machine learning models, that are able to autonomously extract discriminant features. While these type of systems are highly effective in their usage case scenarios, they require much more effort in terms of computational power to be built and time expense to be trained. Most importantly, in order to achieve better classification accuracy, they are more complex to analyse and debug than they are easier to potentially exploit (as shown by the recent progress in adversarial machine learning models). This work took another direction, by building a system which can be used not only for malware classification, but also as an analysis framework to automatically characterise groups of malware executables. It disposes of all the needed processing blocks to filter out and label samples for supervised learning, autonomously extract valuable information such as a compact graph view of the executables. These graphs are then used to construct the features used by different machine learning models. These features constitute a so called behavioral "fingerprint" , a compact matrix which is composed of an ensemble of signatures that capture how a given malware sample flows in terms of user defined functions and library functions called inside them. The classification simply uses an ad-hoc distance metric dependent on the similarity of families of fingerprints to predict the behaviour of new samples. Malware fingerprints have proved to be an effective tool for classifying the behaviour of a set of known malware families, as well as determining the existence of potentially new malware families.
Carolina Minonzio (Università degli Studi di Milano - Dipartimento di Economics, Management and Quantitative Methods)
"CYBER RISK MANAGEMENT: THEORETICAL EVOLUTION AND PRACTICAL APPLICATION IN SMALL AND MEDIUM SIZED ENTERPRISES"
"CYBER RISK MANAGEMENT: THEORETICAL EVOLUTION AND PRACTICAL APPLICATION IN SMALL AND MEDIUM SIZED ENTERPRISES"Carolina Minonzio (Università degli Studi di Milano - Dipartimento di Economics, Management and Quantitative Methods)
"CYBER RISK MANAGEMENT: THEORETICAL EVOLUTION AND PRACTICAL APPLICATION IN SMALL AND MEDIUM SIZED ENTERPRISES"
(Relatore: Anna Prenestini).
“If you don’t invest in risk management, it doesn’t matter what business you’re in, it’s a risky business.” Gary Cohn The digital arena, with its ability to establish direct and real-time contacts between people in every part of the planet, represents a formidable tool for developing relationships and creating exchanges of information and knowledge, as well as goods and services. The powerful electronic and computer technologies have determined a real cybernetic revolution, with the connection on the net of almost all of the planet's surface, and the direct control of a myriad of physical devices among the most varied, from smartphones to wearable devices, from city traffic control systems for electricity production to distribution infrastructures. The evolution of a technological and cutting-edge world, characterized by the presence of innumerable risks to which companies are exposed daily, has made risk management a fundamental component of the organizational process. In particular, in recent years the risks to which companies are most exposed are cyber risks, such as cyber-attacks or data breaches. Continuously evolving technologies, whether used as work tools or in daily life via mobile devices and cloud services, have increased exponentially the exposure and vulnerability of cyber space. In such environment, companies need to be aware of the risks they run and must be able to manage them in the best possible way. Cyber security has therefore become a risk to be monitored in any kind of business, in order to avoid the serious consequences that a cyber-attack or a data breach might cause. This paper analyzes the aspects intrinsic in the cyber risk management process and the placement of risk within the cyber space. In the first chapter the concept of risk will be framed, firstly with a focus on the various definitions of the risk and its characteristics, then the risk management in the company will be analyzed and lastly a classification of the risks will be provided. In the second chapter the cyber space context will be presented and analyzed; the focus will be on risk assessment in the cyber space and then risks and threats in the cyber space will be identified and deepened. The concepts of cybersecurity and “the internet of things”, in which electronic devices also acquire intelligence, communicate data and help to draw a virtual map of what is happening in the world, are also explored in this chapter. In the third chapter, risk management is presented, starting from its definition and evolution, then analyzing different approaches to risk management such as traditional risk management, financial risk management, project risk management and control risk management. Also, the most recent and efficient model, the Enterprise Risk Management, is explained and analyzed covering its most relevant topics: the culture of risk, the organization and the process. Lastly, the benefits and limits of the Enterprise Risk Management model are collected and evaluated. In the fourth and last chapter, the research conducted on Small and Medium sized Enterprises in the Lecco area is presented and the analysis of the results is reported. The research objective is the analysis of the actual situation within Small and Medium-sized Enterprises (SMEs) on a topic that is as current as still unknown for a small part of companies. To carry out this analysis, the contribution of SMEs which made themselves available to participate to the survey was fundamental. The main topics of the survey are risk management in the company system and risk management in its cyber sense. Most of the companies contacted made themselves available to fill out the questionnaire and this made it possible to analyze the aggregate data in order to understand in which direction risk management is going within medium-small businesses. The final part of this paper presents the conclusions drawn both on a theoretical level, confirming how much the role that risk management plays in companies is increasingly predominant, and on a more practical level, with the conclusions drawn from the results analysis of the survey.
"CYBER RISK MANAGEMENT: THEORETICAL EVOLUTION AND PRACTICAL APPLICATION IN SMALL AND MEDIUM SIZED ENTERPRISES"(Relatore: Anna Prenestini).
“If you don’t invest in risk management, it doesn’t matter what business you’re in, it’s a risky business.” Gary Cohn The digital arena, with its ability to establish direct and real-time contacts between people in every part of the planet, represents a formidable tool for developing relationships and creating exchanges of information and knowledge, as well as goods and services. The powerful electronic and computer technologies have determined a real cybernetic revolution, with the connection on the net of almost all of the planet's surface, and the direct control of a myriad of physical devices among the most varied, from smartphones to wearable devices, from city traffic control systems for electricity production to distribution infrastructures. The evolution of a technological and cutting-edge world, characterized by the presence of innumerable risks to which companies are exposed daily, has made risk management a fundamental component of the organizational process. In particular, in recent years the risks to which companies are most exposed are cyber risks, such as cyber-attacks or data breaches. Continuously evolving technologies, whether used as work tools or in daily life via mobile devices and cloud services, have increased exponentially the exposure and vulnerability of cyber space. In such environment, companies need to be aware of the risks they run and must be able to manage them in the best possible way. Cyber security has therefore become a risk to be monitored in any kind of business, in order to avoid the serious consequences that a cyber-attack or a data breach might cause. This paper analyzes the aspects intrinsic in the cyber risk management process and the placement of risk within the cyber space. In the first chapter the concept of risk will be framed, firstly with a focus on the various definitions of the risk and its characteristics, then the risk management in the company will be analyzed and lastly a classification of the risks will be provided. In the second chapter the cyber space context will be presented and analyzed; the focus will be on risk assessment in the cyber space and then risks and threats in the cyber space will be identified and deepened. The concepts of cybersecurity and “the internet of things”, in which electronic devices also acquire intelligence, communicate data and help to draw a virtual map of what is happening in the world, are also explored in this chapter. In the third chapter, risk management is presented, starting from its definition and evolution, then analyzing different approaches to risk management such as traditional risk management, financial risk management, project risk management and control risk management. Also, the most recent and efficient model, the Enterprise Risk Management, is explained and analyzed covering its most relevant topics: the culture of risk, the organization and the process. Lastly, the benefits and limits of the Enterprise Risk Management model are collected and evaluated. In the fourth and last chapter, the research conducted on Small and Medium sized Enterprises in the Lecco area is presented and the analysis of the results is reported. The research objective is the analysis of the actual situation within Small and Medium-sized Enterprises (SMEs) on a topic that is as current as still unknown for a small part of companies. To carry out this analysis, the contribution of SMEs which made themselves available to participate to the survey was fundamental. The main topics of the survey are risk management in the company system and risk management in its cyber sense. Most of the companies contacted made themselves available to fill out the questionnaire and this made it possible to analyze the aggregate data in order to understand in which direction risk management is going within medium-small businesses. The final part of this paper presents the conclusions drawn both on a theoretical level, confirming how much the role that risk management plays in companies is increasingly predominant, and on a more practical level, with the conclusions drawn from the results analysis of the survey.
Laura Nardi (Dipartimento di Ingegneria - Università degli Studi del Sannio)
"Realization of an engine for GAN-driven malware manipulation"
"Realization of an engine for GAN-driven malware manipulation"Laura Nardi (Dipartimento di Ingegneria - Università degli Studi del Sannio)
"Realization of an engine for GAN-driven malware manipulation"
(Relatore: Corrado Aaron Visaggio).
Presence of adversarial samples indicates the vulnerability of the machine learning models. Learning robust models and measuring their susceptibility against adversarial attacks are need of the day. Attacks and defenses on adversarial examples draw great attention. The vulnerability to adversarial examples becomes one of the major risks for applying DNNs (Deep Neural Networks) in safety critical environments. Adversarial perturbations can easily fool DNNs in the testing/deploying stage exploiting blind spots in the Machine Learning engine. The effectiveness of an adversarial system is measured in terms of what is commonly called Evasion Rate. The evasion rate represents a measure of the success rate obtained by generators networks in fooling their opponent discriminators; it can be computed as the ratio between the number of adversarial examples that were misclassified as benign samples (also referred in the following as "goodware") by each detector, over the total amount of adversarial samples submitted to the discriminators. It depends upon a specific group of features considered for the input set. Applied to the creation of malware, GANs (Generative Adversarial Networks) are able to generate a new instance of a malware family without knowing an explicit model of the initial distribution of the data. So an attacker could use GANs to fool detection systems, just by sampling the provided data. On the other hand, GANs are also useful to build more robust machine learning models helping in the development of a better training set. Real defense technologies such as AV or EDR must take into account an acceptable trade-off among the detection accuracy, short learning times and limit the size of data obtain able by selecting a convenient combination of the sensitive feature. The effectiveness of an attack on the ML model also depends on the knowledge of the system by the attacker. In this case study, we conducted a grey-box attack in which the features of the training set are known: this permits us to reach a very high evasion rate (about 99%).
"Realization of an engine for GAN-driven malware manipulation"(Relatore: Corrado Aaron Visaggio).
Presence of adversarial samples indicates the vulnerability of the machine learning models. Learning robust models and measuring their susceptibility against adversarial attacks are need of the day. Attacks and defenses on adversarial examples draw great attention. The vulnerability to adversarial examples becomes one of the major risks for applying DNNs (Deep Neural Networks) in safety critical environments. Adversarial perturbations can easily fool DNNs in the testing/deploying stage exploiting blind spots in the Machine Learning engine. The effectiveness of an adversarial system is measured in terms of what is commonly called Evasion Rate. The evasion rate represents a measure of the success rate obtained by generators networks in fooling their opponent discriminators; it can be computed as the ratio between the number of adversarial examples that were misclassified as benign samples (also referred in the following as "goodware") by each detector, over the total amount of adversarial samples submitted to the discriminators. It depends upon a specific group of features considered for the input set. Applied to the creation of malware, GANs (Generative Adversarial Networks) are able to generate a new instance of a malware family without knowing an explicit model of the initial distribution of the data. So an attacker could use GANs to fool detection systems, just by sampling the provided data. On the other hand, GANs are also useful to build more robust machine learning models helping in the development of a better training set. Real defense technologies such as AV or EDR must take into account an acceptable trade-off among the detection accuracy, short learning times and limit the size of data obtain able by selecting a convenient combination of the sensitive feature. The effectiveness of an attack on the ML model also depends on the knowledge of the system by the attacker. In this case study, we conducted a grey-box attack in which the features of the training set are known: this permits us to reach a very high evasion rate (about 99%).
Giulio Pellizzari (Dipartimento di Ingegneria e Scienza dell'Informazione (DISI) dell'Università degli Studi di Trento)
"Micro-Id-Gym: a Tool to Support Sandboxing and Automated Pentesting of Identity Management Protocols"
Link esterno alla tesi: https://github.com/pllgiulio/master-thesis
Link esterno al gruppo di ricerca: https://stfbk.github.io/
"Micro-Id-Gym: a Tool to Support Sandboxing and Automated Pentesting of Identity Management Protocols"Link esterno alla tesi: https://github.com/pllgiulio/master-thesis
Link esterno al gruppo di ricerca: https://stfbk.github.io/
Giulio Pellizzari (Dipartimento di Ingegneria e Scienza dell'Informazione (DISI) dell'Università degli Studi di Trento)
"Micro-Id-Gym: a Tool to Support Sandboxing and Automated Pentesting of Identity Management Protocols"
(Relatore: Silvio Ranise).
Thanks to spread of web applications and the digitalization of our society people started using more and more frequently online services. These services usually require the registration of a user account to access the benefits they offer. Password-based authentication is one of the most common techniques used to verify user identity but, considering the large number of online services the user needs to access, this authentication mechanism forces people to remind lots of passwords. For this reason, even if best practices discourage that, people tend to reuse the same password across multiple accounts thus exposing themselves to a higher level of risk. To tackle this issue, Single Sign-On (SSO) has been introduced. SSO is an authentication schema allowing the user to access different services using the same set of credentials. In this thesis, we focused on the protocols implementing this authentication schema where a Client server relies on a trusted third-party server, the Identity Provider, for user authentication. These protocols have been identified as Identity Management (IdM) protocols. A system implementing an IdM protocol is hereafter referred as IdM systems. In this work, we focus on two of the most known IdM protocol: SAML 2.0 SSO and OAuth 2.0/OpenID Connect. Since several vulnerabilities on the implementation of these protocols have been detected, we investigate the state of the art to discover if there were any tools to assist system administrators and developers in the implementation of IdM protocols. As the first contribution, we provide a comprehensive analysis of the actual state of the art of the (semi-)automated pentesting tools to detect vulnerabilities in IdM systems. Using what we learned from the state of the art, we design and implement Micro-Id-Gym (MIG), the main contribution of this thesis. MIG is a tool to support the creation of sandboxes containing IdM system and perform automated pentesting of IdM protocols. MIG consists of three main parts: MIG Backend, MIG Frontend and the dashboard. MIG Backend contains a set of instances of Client and Identity Provider used to recreate IdM system in a sandbox and a repository of Cyber Threat Intelligence information. MIG Frontend provides the tools to support and automate the pentesting activities of IdM protocols. The dashboard is used to set up an IdM system in a sandbox and to configure MIG Frontend tools. As the last contribution of this thesis, we describe three use cases that prove the effectiveness of MIG. In the first one, we used MIG to test an IdM system in the wild. We collaborate with an important Italian Identity Provider that implements strong authentication required by PSD2 standard to assess the security of its service. We discovered three relevant vulnerabilities and some misconfiguration on the tested IdM system. In the second use case, we tested an industrial IdM system belonging to Italian National Mint and Printing House. We used MIG during the development process to spot vulnera- bilities before the IdM system deployment and we discover two misconfiguration and a vulnerability potentially leading to Cross-Site Request Forgery attacks. Finally, in the third use case, we propose to use MIG for a hands-on experience of pentesting IdM protocols during a security class at the uni- versity. After the execution of an IdM system in a sandbox, the students perform pentesing activities to learn IdM protocols, the vulnerabilities they might suffer, which attacks can exploit them and the countermeasures that can be implemented.
Link esterno alla tesi: https://github.com/pllgiulio/master-thesis
Link esterno al gruppo di ricerca: https://stfbk.github.io/
"Micro-Id-Gym: a Tool to Support Sandboxing and Automated Pentesting of Identity Management Protocols"(Relatore: Silvio Ranise).
Thanks to spread of web applications and the digitalization of our society people started using more and more frequently online services. These services usually require the registration of a user account to access the benefits they offer. Password-based authentication is one of the most common techniques used to verify user identity but, considering the large number of online services the user needs to access, this authentication mechanism forces people to remind lots of passwords. For this reason, even if best practices discourage that, people tend to reuse the same password across multiple accounts thus exposing themselves to a higher level of risk. To tackle this issue, Single Sign-On (SSO) has been introduced. SSO is an authentication schema allowing the user to access different services using the same set of credentials. In this thesis, we focused on the protocols implementing this authentication schema where a Client server relies on a trusted third-party server, the Identity Provider, for user authentication. These protocols have been identified as Identity Management (IdM) protocols. A system implementing an IdM protocol is hereafter referred as IdM systems. In this work, we focus on two of the most known IdM protocol: SAML 2.0 SSO and OAuth 2.0/OpenID Connect. Since several vulnerabilities on the implementation of these protocols have been detected, we investigate the state of the art to discover if there were any tools to assist system administrators and developers in the implementation of IdM protocols. As the first contribution, we provide a comprehensive analysis of the actual state of the art of the (semi-)automated pentesting tools to detect vulnerabilities in IdM systems. Using what we learned from the state of the art, we design and implement Micro-Id-Gym (MIG), the main contribution of this thesis. MIG is a tool to support the creation of sandboxes containing IdM system and perform automated pentesting of IdM protocols. MIG consists of three main parts: MIG Backend, MIG Frontend and the dashboard. MIG Backend contains a set of instances of Client and Identity Provider used to recreate IdM system in a sandbox and a repository of Cyber Threat Intelligence information. MIG Frontend provides the tools to support and automate the pentesting activities of IdM protocols. The dashboard is used to set up an IdM system in a sandbox and to configure MIG Frontend tools. As the last contribution of this thesis, we describe three use cases that prove the effectiveness of MIG. In the first one, we used MIG to test an IdM system in the wild. We collaborate with an important Italian Identity Provider that implements strong authentication required by PSD2 standard to assess the security of its service. We discovered three relevant vulnerabilities and some misconfiguration on the tested IdM system. In the second use case, we tested an industrial IdM system belonging to Italian National Mint and Printing House. We used MIG during the development process to spot vulnera- bilities before the IdM system deployment and we discover two misconfiguration and a vulnerability potentially leading to Cross-Site Request Forgery attacks. Finally, in the third use case, we propose to use MIG for a hands-on experience of pentesting IdM protocols during a security class at the uni- versity. After the execution of an IdM system in a sandbox, the students perform pentesing activities to learn IdM protocols, the vulnerabilities they might suffer, which attacks can exploit them and the countermeasures that can be implemented.
Link esterno alla tesi: https://github.com/pllgiulio/master-thesis
Link esterno al gruppo di ricerca: https://stfbk.github.io/
Giuseppe Pratticò (Dipartimento di Ingegneria dell'Informazione/Università degli Studi Mediterranea di Reggio Calabria)
"Analisi Forense di Attacchi HID su Windows 10"
"Analisi Forense di Attacchi HID su Windows 10"Giuseppe Pratticò (Dipartimento di Ingegneria dell'Informazione/Università degli Studi Mediterranea di Reggio Calabria)
"Analisi Forense di Attacchi HID su Windows 10"
(Relatore: Prof. Francesco Buccafurri).
Da diverso tempo ormai gli hacker hanno intuito che il modo migliore per attaccare un sistema informatico è cercare di ingannare gli utilizzatori con attività di Social Engineering. In questo ambito può entrare in gioco il meccanismo del baiting per riuscire a consegnare alla vittima dispositivi HID (Human Interface Device), i quali permettono l’interazione uomo macchina, come semplici chiavette USB, mouse, tastiere, ecc. Eseguire un attacco HID significa rendere malevolo il device, il più delle volte con modifiche hardware, in modo che una volta inserito nel calcolatore svolga le attività stabilite a priori dall’attaccante. Ad oggi esistono sul mercato diversi dispositivi già pronti per eseguire attacchi HID. In questo ambito di ricerca spiccano in particolare quelli costruiti dal team Hak5 e da Mike Grover. Con questo elaborato di tesi è stata eseguita l’implementazione del tool “Windows HID-Attack Seeker” adatto per eseguire analisi forense su un sistema operativo Windows 10, per capire se è stato soggetto ad un attacco HID. Si è vista necessaria la creazione di tale strumento in quanto in uno scenario del genere risulta importante analizzare in modo quanto più vasto ma allo stesso tempo mirato l'attività degli utenti, così da individuare azioni poco lecite o del tutto illecite soprattutto nel caso in cui non risultino automatizzate da applicazioni individuate come tali, bypassando le principali misure di End Point Protection. L’analisi inizia con un'overview dell'architettura e delle caratteristiche dei device HID. Sono poi descritti i principali dispositivi disponibili sul mercato, indicandone i punti di forza, ed esplicitato un caso reale. Successivamente vengono rese note, estratte ed esposte passo dopo passo le evidenze studiate che possono risultare utili al riconoscimento di un simile attacco. Attraverso le informazioni estratte il DES (Digital Evidence Specialist) potrà analizzare le attività in intervalli ristretti riguardanti la presenza di ogni singolo dispositivo HID per chiarire le possibili cause di un incidente. Il codice dell’intero programma viene esplicitato in ogni sua parte nell’Appendice dell’elaborato ed è reso disponibile open source su GitHub. “Windows HID-Attack Seeker” è stato implementato in Python3, mentre il sistema Windows 10 usato in fase di test è stato estratto attraverso le funzioni di FTK Imager e montato su Tsurugi Linux, distribuzione ad hoc per eseguire analisi forense. L’intero lavoro è stato svolto soddisfando i requisiti di pertinenza, affidabilità, sufficienza, verificabilità, ripetibilità e riproducibilità del metodo forense. Non sono esclusi sviluppi futuri per includere altre evidenze non tenute in considerazione in questo studio o non al momento esistenti, oppure spinti dal supporto di chiunque voglia dare il proprio contributo per rendere questo sistema sempre più efficacie.
"Analisi Forense di Attacchi HID su Windows 10"(Relatore: Prof. Francesco Buccafurri).
Da diverso tempo ormai gli hacker hanno intuito che il modo migliore per attaccare un sistema informatico è cercare di ingannare gli utilizzatori con attività di Social Engineering. In questo ambito può entrare in gioco il meccanismo del baiting per riuscire a consegnare alla vittima dispositivi HID (Human Interface Device), i quali permettono l’interazione uomo macchina, come semplici chiavette USB, mouse, tastiere, ecc. Eseguire un attacco HID significa rendere malevolo il device, il più delle volte con modifiche hardware, in modo che una volta inserito nel calcolatore svolga le attività stabilite a priori dall’attaccante. Ad oggi esistono sul mercato diversi dispositivi già pronti per eseguire attacchi HID. In questo ambito di ricerca spiccano in particolare quelli costruiti dal team Hak5 e da Mike Grover. Con questo elaborato di tesi è stata eseguita l’implementazione del tool “Windows HID-Attack Seeker” adatto per eseguire analisi forense su un sistema operativo Windows 10, per capire se è stato soggetto ad un attacco HID. Si è vista necessaria la creazione di tale strumento in quanto in uno scenario del genere risulta importante analizzare in modo quanto più vasto ma allo stesso tempo mirato l'attività degli utenti, così da individuare azioni poco lecite o del tutto illecite soprattutto nel caso in cui non risultino automatizzate da applicazioni individuate come tali, bypassando le principali misure di End Point Protection. L’analisi inizia con un'overview dell'architettura e delle caratteristiche dei device HID. Sono poi descritti i principali dispositivi disponibili sul mercato, indicandone i punti di forza, ed esplicitato un caso reale. Successivamente vengono rese note, estratte ed esposte passo dopo passo le evidenze studiate che possono risultare utili al riconoscimento di un simile attacco. Attraverso le informazioni estratte il DES (Digital Evidence Specialist) potrà analizzare le attività in intervalli ristretti riguardanti la presenza di ogni singolo dispositivo HID per chiarire le possibili cause di un incidente. Il codice dell’intero programma viene esplicitato in ogni sua parte nell’Appendice dell’elaborato ed è reso disponibile open source su GitHub. “Windows HID-Attack Seeker” è stato implementato in Python3, mentre il sistema Windows 10 usato in fase di test è stato estratto attraverso le funzioni di FTK Imager e montato su Tsurugi Linux, distribuzione ad hoc per eseguire analisi forense. L’intero lavoro è stato svolto soddisfando i requisiti di pertinenza, affidabilità, sufficienza, verificabilità, ripetibilità e riproducibilità del metodo forense. Non sono esclusi sviluppi futuri per includere altre evidenze non tenute in considerazione in questo studio o non al momento esistenti, oppure spinti dal supporto di chiunque voglia dare il proprio contributo per rendere questo sistema sempre più efficacie.
Mario Raciti (Dipartimento di Matematica e Informatica, Università degli Studi di Catania)
"AURA: AUtomotive Risk Assessment - Study and application of the MAGERIT methodology and the PILAR tool to an automotive scenario"
Link esterno alla tesi: https://github.com/zMrSec/AURA-MSc-Thesis
"AURA: AUtomotive Risk Assessment - Study and application of the MAGERIT methodology and the PILAR tool to an automotive scenario"Link esterno alla tesi: https://github.com/zMrSec/AURA-MSc-Thesis
Mario Raciti (Dipartimento di Matematica e Informatica, Università degli Studi di Catania)
"AURA: AUtomotive Risk Assessment - Study and application of the MAGERIT methodology and the PILAR tool to an automotive scenario"
(Relatore: Prof. Giampaolo Bella).
Over the last few years the increasing of electronic and digital components in cars has improved the safety and driving experience of the vehicles. Although, the higher number of externally-communicating units has led to a growth in the dimension of the attack surfaces of each vehicle and, consequently, novel cybersecurity risks and threats are arising. Since smart cars are increasingly complex and involve multiple components, appropriate security measures need to be implemented to mitigate the potential risks, especially as attacks threaten the security, safety and even the privacy of vehicle passengers and all other road users, including pedestrians. In addition to the classic risks concerning the "car" product, indeed they should deal with risks deriving from the Information and Communication Technology (ICT) field. Among these, we can recall the problem of privacy which for instance, with the entry into force of the European General Data Protection Regulation (GDPR), could represent a critical factor in terms of compliance. In this regard, it should also be recalled that in the automotive field (and not only) personal data are exposed to risks due to the growth of Internet of Things (IoT) smart devices and the emerging use of the cloud. As a result with this increased connectivity — also the advancement of 5G is expected to further promote it — novel cybersecurity risks and threats arise and, consequently, there is the need to manage them. In addiction, the potential attack surface and attack vectors are also expanded with the emergence of semi-autonomous and autonomous cars, which make use of advanced machine learning and artificial intelligence techniques. Another factor which leverages the increase of risks can be ascribed to the deployment of intelligent transport systems and autonomous cars, i.e., Vehicle-to-Vehicle (V2V) and Vehicle-to-Infrastructure (V2I) interfaces. In this work we propose a Risk Assessment exercise applied to an automotive scenario, according to the MAGERIT methodology and with the support of the PILAR/EAR commercial tool, in order to seek whether both the methodology and the tool may prove to be useful in the automotive field, with specific attention paid to communication peripherals and cloud, which may potential threaten personal data en route from/to connected vehicles. For this purpose, we introduce an overview of the Risk Assessment process according to ISO/IEC 27005, followed by a description of Magerit. Moreover, we also provide a regression analysis study of the algorithm implemented in Pilar for the purposes of reverse engineering, to better understand the values calculated by the tool in the demo. The latter follows a description of the case study within a STRIDE threat modeling analysis, which is preparatory to the demo itself.
Link esterno alla tesi: https://github.com/zMrSec/AURA-MSc-Thesis
"AURA: AUtomotive Risk Assessment - Study and application of the MAGERIT methodology and the PILAR tool to an automotive scenario"(Relatore: Prof. Giampaolo Bella).
Over the last few years the increasing of electronic and digital components in cars has improved the safety and driving experience of the vehicles. Although, the higher number of externally-communicating units has led to a growth in the dimension of the attack surfaces of each vehicle and, consequently, novel cybersecurity risks and threats are arising. Since smart cars are increasingly complex and involve multiple components, appropriate security measures need to be implemented to mitigate the potential risks, especially as attacks threaten the security, safety and even the privacy of vehicle passengers and all other road users, including pedestrians. In addition to the classic risks concerning the "car" product, indeed they should deal with risks deriving from the Information and Communication Technology (ICT) field. Among these, we can recall the problem of privacy which for instance, with the entry into force of the European General Data Protection Regulation (GDPR), could represent a critical factor in terms of compliance. In this regard, it should also be recalled that in the automotive field (and not only) personal data are exposed to risks due to the growth of Internet of Things (IoT) smart devices and the emerging use of the cloud. As a result with this increased connectivity — also the advancement of 5G is expected to further promote it — novel cybersecurity risks and threats arise and, consequently, there is the need to manage them. In addiction, the potential attack surface and attack vectors are also expanded with the emergence of semi-autonomous and autonomous cars, which make use of advanced machine learning and artificial intelligence techniques. Another factor which leverages the increase of risks can be ascribed to the deployment of intelligent transport systems and autonomous cars, i.e., Vehicle-to-Vehicle (V2V) and Vehicle-to-Infrastructure (V2I) interfaces. In this work we propose a Risk Assessment exercise applied to an automotive scenario, according to the MAGERIT methodology and with the support of the PILAR/EAR commercial tool, in order to seek whether both the methodology and the tool may prove to be useful in the automotive field, with specific attention paid to communication peripherals and cloud, which may potential threaten personal data en route from/to connected vehicles. For this purpose, we introduce an overview of the Risk Assessment process according to ISO/IEC 27005, followed by a description of Magerit. Moreover, we also provide a regression analysis study of the algorithm implemented in Pilar for the purposes of reverse engineering, to better understand the values calculated by the tool in the demo. The latter follows a description of the case study within a STRIDE threat modeling analysis, which is preparatory to the demo itself.
Link esterno alla tesi: https://github.com/zMrSec/AURA-MSc-Thesis
Roberto Rossini (Dipartimento di Ingegneria dell'Informazione Università degli Studi di Padova)
"Security and Privacy Vulnerabilities Detection and Exploitation in Android Applications"
Link esterno al gruppo di ricerca: https://spritz.math.unipd.it/
"Security and Privacy Vulnerabilities Detection and Exploitation in Android Applications"Link esterno al gruppo di ricerca: https://spritz.math.unipd.it/
Roberto Rossini (Dipartimento di Ingegneria dell'Informazione Università degli Studi di Padova)
"Security and Privacy Vulnerabilities Detection and Exploitation in Android Applications"
(Relatore: Mauro Conti).
The identification of software vulnerabilities, with the release of security patches, and the exploitation of such vulnerabilities by attackers is a never-ending arms race. Google is daily facing this challenge, as confirmed by the monthly Android Security Bulletins, also encouraging security researchers to make the Android OS more secure through the Android Security Rewards Program. However, among the different classes of vulnerabilities, Google has paid little attention so far to the ones that can be introduced by legitimate developers. As a matter of fact, the only support developers can rely on is a set of textual guidelines on how to prevent the introduction of security and privacy issues. However, these guidelines are not enough, because developers should read, understand, and implement them in their applications. Thus, there is an urgent need for an automatic support to help developers implement secure mobile applications. In order to tackle this issue, throughout this thesis project we designed and implemented SPECK+, a system which allows Android developers to test the security of their apps. This new system is able to detect violations to some security-related rules and, eventually, automatically generate exploits which take advantage of the observed contraventions. To achieve this, SPECK+ relies on SPECK, a static analyser tool which analyses Android applications employing a set of 32 rules formalised from the Google’s guidelines. However, SPECK+ extends the SPECK capability, allowing developers to specify new rules using a new formalism language that we designed: SPECK-F. With SPECK-F, mobile developers can formulate new security rules and define exploits associated to the eventually detected rule violations SPECK+ was evaluated over a list of top 100 popular apps, re-formalising a subset of the 32 rules implemented in SPECK, and associating each of them with a formalised exploit. Considering the tool adopted by Android developers, the results are really promising.
Link esterno al gruppo di ricerca: https://spritz.math.unipd.it/
"Security and Privacy Vulnerabilities Detection and Exploitation in Android Applications"(Relatore: Mauro Conti).
The identification of software vulnerabilities, with the release of security patches, and the exploitation of such vulnerabilities by attackers is a never-ending arms race. Google is daily facing this challenge, as confirmed by the monthly Android Security Bulletins, also encouraging security researchers to make the Android OS more secure through the Android Security Rewards Program. However, among the different classes of vulnerabilities, Google has paid little attention so far to the ones that can be introduced by legitimate developers. As a matter of fact, the only support developers can rely on is a set of textual guidelines on how to prevent the introduction of security and privacy issues. However, these guidelines are not enough, because developers should read, understand, and implement them in their applications. Thus, there is an urgent need for an automatic support to help developers implement secure mobile applications. In order to tackle this issue, throughout this thesis project we designed and implemented SPECK+, a system which allows Android developers to test the security of their apps. This new system is able to detect violations to some security-related rules and, eventually, automatically generate exploits which take advantage of the observed contraventions. To achieve this, SPECK+ relies on SPECK, a static analyser tool which analyses Android applications employing a set of 32 rules formalised from the Google’s guidelines. However, SPECK+ extends the SPECK capability, allowing developers to specify new rules using a new formalism language that we designed: SPECK-F. With SPECK-F, mobile developers can formulate new security rules and define exploits associated to the eventually detected rule violations SPECK+ was evaluated over a list of top 100 popular apps, re-formalising a subset of the 32 rules implemented in SPECK, and associating each of them with a formalised exploit. Considering the tool adopted by Android developers, the results are really promising.
Link esterno al gruppo di ricerca: https://spritz.math.unipd.it/
Marco Russodivito (Università degli Studi del Molise)
"2Faces: un nuovo modello di malware basato sulla compilazione dinamica di payload malevoli distribuiti"
"2Faces: un nuovo modello di malware basato sulla compilazione dinamica di payload malevoli distribuiti"Marco Russodivito (Università degli Studi del Molise)
"2Faces: un nuovo modello di malware basato sulla compilazione dinamica di payload malevoli distribuiti"
(Relatore: Francesco Mercaldo).
Android è il sistema operativo per dispositivi mobili più diffuso ed utilizzato al mondo, ma anche quello sottoposto a maggiori pressioni da parte di attacker, i quali sviluppano applicazioni malevole per trafugare informazioni private e sensibili da device infetti. Inoltre, considerando le recenti e sempre più stringenti normative in materia di dati personali, Google sta attuando misure maggiormente restrittive nella pubblicazione delle applicazioni nel suo Google Play Store, il market ufficiale di Android. Ciò porta gli attacker a sviluppare metodologie di attacco innovative. Le motivazioni dietro questo lavoro di tesi risiedono nella progettazione e nella implementazione di un nuovo modello di malware che sfrutta alcune caratteristiche di Android ereditate dal linguaggio Java, quali la compilazione dinamica, il caricamento dinamico e la reflection. Tali tecniche non sono ancora state adoperate per lo sviluppo di un malware, ma potrebbero essere in grado di operare attacchi sempre più dannosi, grazie alle capacità di eseguire codice malevolo, senza che questo persista nell’applicazione e di conseguenza che possa essere rilevato da qualsiasi software di analisi statica e dinamica, quali gli anti-malware. L’obiettivo di questo lavoro di tesi è la progettazione di un nuovo modello di malware Android basato sulla compilazione ed esecuzione di codice Java a runtime e, successivamente, alla progettazione di un’architettura software in grado di rendere questo nuovo modello di malware automatico e distribuito. Tutto ciò ci ha permesso di indagare su una nuova modalità d’attacco in ambiente Android al fine di diffondere i risultati raggiunti dalla comunità scientifica. Tali risultati sono soddisfacenti e ci hanno permesso di gettare buone basi per eventuali sviluppi futuri. È possibile visionare il codice sorgente di 2Faces sulla piattaforma GitHub sulle seguenti repository pubbliche: 1. Android Application – https://github.com/RedHitMark/2faces-android 2. Node.js back end – https://github.com/RedHitMark/2faces-backend 3. Vue.js panel – https://github.com/RedHitMark/2faces-panel
"2Faces: un nuovo modello di malware basato sulla compilazione dinamica di payload malevoli distribuiti"(Relatore: Francesco Mercaldo).
Android è il sistema operativo per dispositivi mobili più diffuso ed utilizzato al mondo, ma anche quello sottoposto a maggiori pressioni da parte di attacker, i quali sviluppano applicazioni malevole per trafugare informazioni private e sensibili da device infetti. Inoltre, considerando le recenti e sempre più stringenti normative in materia di dati personali, Google sta attuando misure maggiormente restrittive nella pubblicazione delle applicazioni nel suo Google Play Store, il market ufficiale di Android. Ciò porta gli attacker a sviluppare metodologie di attacco innovative. Le motivazioni dietro questo lavoro di tesi risiedono nella progettazione e nella implementazione di un nuovo modello di malware che sfrutta alcune caratteristiche di Android ereditate dal linguaggio Java, quali la compilazione dinamica, il caricamento dinamico e la reflection. Tali tecniche non sono ancora state adoperate per lo sviluppo di un malware, ma potrebbero essere in grado di operare attacchi sempre più dannosi, grazie alle capacità di eseguire codice malevolo, senza che questo persista nell’applicazione e di conseguenza che possa essere rilevato da qualsiasi software di analisi statica e dinamica, quali gli anti-malware. L’obiettivo di questo lavoro di tesi è la progettazione di un nuovo modello di malware Android basato sulla compilazione ed esecuzione di codice Java a runtime e, successivamente, alla progettazione di un’architettura software in grado di rendere questo nuovo modello di malware automatico e distribuito. Tutto ciò ci ha permesso di indagare su una nuova modalità d’attacco in ambiente Android al fine di diffondere i risultati raggiunti dalla comunità scientifica. Tali risultati sono soddisfacenti e ci hanno permesso di gettare buone basi per eventuali sviluppi futuri. È possibile visionare il codice sorgente di 2Faces sulla piattaforma GitHub sulle seguenti repository pubbliche: 1. Android Application – https://github.com/RedHitMark/2faces-android 2. Node.js back end – https://github.com/RedHitMark/2faces-backend 3. Vue.js panel – https://github.com/RedHitMark/2faces-panel
Federico Sinigaglia (DIBRIS - Università degli Studi di Genova / S&T Unit - Fondazione Bruno Kessler)
"Security Analysis of Multi-Factor Authentication Security Protocols"
Link esterno alla tesi: http://hdl.handle.net/11567/1010670
"Security Analysis of Multi-Factor Authentication Security Protocols"Link esterno alla tesi: http://hdl.handle.net/11567/1010670
Federico Sinigaglia (DIBRIS - Università degli Studi di Genova / S&T Unit - Fondazione Bruno Kessler)
"Security Analysis of Multi-Factor Authentication Security Protocols"
(Relatore: Roberto Carbone, Gabriele Costa).
Multi-Factor Authentication (MFA) is being increasingly adopted by on-line services in order to achieve an adequate level of security. MFA is based on security protocols, called MFA protocols, integrating the use of credentials with additional identity proofs, called authentication factors (based on knowledge, possession or inherence). These factors are provided through specific objects, called authenticators (e.g., hardware tokens, apps). To date, MFA has been widely adopted in the most diverse security-critical application scenarios (e.g., online banking, eHealth). Various solutions have been proposed, leveraging MFA protocols which employ different kinds of authenticators and providing different user experience. When considering various MFA protocols, few questions may arise. How do MFA protocols differ in terms of (i) level of protection, (ii) compliance w.r.t. current regulations and (iii) complexity for the user? To answer the first question, traditional verification techniques for security protocols, requiring a formal specification of the protocol under analysis, could be applied. However, several service providers employ ad-hoc MFA protocols and do not disclose their internals. In addition, classical attacker models, such as the Dolev-Yao adversary, hardly apply. Hence, new modeling techniques and new attacker models should be investigated. Concerning regulations, public and private authorities have introduced directives and guidelines for the design of MFA protocols (e.g., regulatory standards from the European Banking Authority, Digital Identity Guidelines from NIST). In principle, these initiatives aim to guide the design of more secure and usable MFA protocols, but there is no evidence that the existing MFA protocols actually comply with them. Thus, a novel methodology is needed to provide such an evidence. Finally, the ease-of-use is a relevant aspect to be considered in the analysis of an MFA protocol. Indeed, the use of multiple authenticators in the execution of an MFA protocol can negatively affect user experience, having an impact on its security as well. However, none of the previous research works managed to measure the usability of a conspicuous number of MFA protocols design. Hence, a methodology for evaluating the ease-of-use of an MFA protocol should be identified. In this work, we propose a framework to analyze MFA protocols, which does not rely on the implementation details, being able to assess the (i) level of protection, (ii) compliance w.r.t. current regulations and (iii) complexity for the user. To this aim, we define a specification language which is compatible with the typical (amount of) information publicly released by service providers on the employed MFA protocols. For what concerns the security analysis, we propose an evaluation of MFA protocols in terms of resistance against a set of attacker models, tailored for the specific case of MFA protocols. For what concerns the regulatory aspects and best practices, we include the possibility to evaluate a protocol in terms of compliance with a customizable set of requirements and best practices. Furthermore, for what concerns the ease-of-use of an MFA protocol, we propose a new metric, called complexity, for evaluating a protocol in terms of efforts that an user is required to perform during its execution. The aforementioned framework has been then implemented in a working tool, MuFASA, allowing (even non-expert) users to model an MFA protocol and to automatically analyze it. Finally, the presented framework has been applied on some selected use cases. First, it has been employed in the early stages of the design of a novel MFA protocol, integrated into the Citizens’ Clinical Record platform developed in the Trentino region (Italy). Then, it has been used for performing a latitudinary study on online banking services, allowing us to model and analyze more than 150 MFA protocols employed by banks all over the world.
Link esterno alla tesi: http://hdl.handle.net/11567/1010670
"Security Analysis of Multi-Factor Authentication Security Protocols"(Relatore: Roberto Carbone, Gabriele Costa).
Multi-Factor Authentication (MFA) is being increasingly adopted by on-line services in order to achieve an adequate level of security. MFA is based on security protocols, called MFA protocols, integrating the use of credentials with additional identity proofs, called authentication factors (based on knowledge, possession or inherence). These factors are provided through specific objects, called authenticators (e.g., hardware tokens, apps). To date, MFA has been widely adopted in the most diverse security-critical application scenarios (e.g., online banking, eHealth). Various solutions have been proposed, leveraging MFA protocols which employ different kinds of authenticators and providing different user experience. When considering various MFA protocols, few questions may arise. How do MFA protocols differ in terms of (i) level of protection, (ii) compliance w.r.t. current regulations and (iii) complexity for the user? To answer the first question, traditional verification techniques for security protocols, requiring a formal specification of the protocol under analysis, could be applied. However, several service providers employ ad-hoc MFA protocols and do not disclose their internals. In addition, classical attacker models, such as the Dolev-Yao adversary, hardly apply. Hence, new modeling techniques and new attacker models should be investigated. Concerning regulations, public and private authorities have introduced directives and guidelines for the design of MFA protocols (e.g., regulatory standards from the European Banking Authority, Digital Identity Guidelines from NIST). In principle, these initiatives aim to guide the design of more secure and usable MFA protocols, but there is no evidence that the existing MFA protocols actually comply with them. Thus, a novel methodology is needed to provide such an evidence. Finally, the ease-of-use is a relevant aspect to be considered in the analysis of an MFA protocol. Indeed, the use of multiple authenticators in the execution of an MFA protocol can negatively affect user experience, having an impact on its security as well. However, none of the previous research works managed to measure the usability of a conspicuous number of MFA protocols design. Hence, a methodology for evaluating the ease-of-use of an MFA protocol should be identified. In this work, we propose a framework to analyze MFA protocols, which does not rely on the implementation details, being able to assess the (i) level of protection, (ii) compliance w.r.t. current regulations and (iii) complexity for the user. To this aim, we define a specification language which is compatible with the typical (amount of) information publicly released by service providers on the employed MFA protocols. For what concerns the security analysis, we propose an evaluation of MFA protocols in terms of resistance against a set of attacker models, tailored for the specific case of MFA protocols. For what concerns the regulatory aspects and best practices, we include the possibility to evaluate a protocol in terms of compliance with a customizable set of requirements and best practices. Furthermore, for what concerns the ease-of-use of an MFA protocol, we propose a new metric, called complexity, for evaluating a protocol in terms of efforts that an user is required to perform during its execution. The aforementioned framework has been then implemented in a working tool, MuFASA, allowing (even non-expert) users to model an MFA protocol and to automatically analyze it. Finally, the presented framework has been applied on some selected use cases. First, it has been employed in the early stages of the design of a novel MFA protocol, integrated into the Citizens’ Clinical Record platform developed in the Trentino region (Italy). Then, it has been used for performing a latitudinary study on online banking services, allowing us to model and analyze more than 150 MFA protocols employed by banks all over the world.
Link esterno alla tesi: http://hdl.handle.net/11567/1010670
Pier Paolo Tricomi (Dipartimento di Matematica - Università degli Studi di Padova)
"Player Recognition and Private Data Inference Exploiting Online-Gaming Data"
Link esterno alla tesi: https://link.springer.com/chapter/10.1007/978-3-030-62974-8_22
Link esterno al gruppo di ricerca: https://spritz.math.unipd.it/
"Player Recognition and Private Data Inference Exploiting Online-Gaming Data"Link esterno alla tesi: https://link.springer.com/chapter/10.1007/978-3-030-62974-8_22
Link esterno al gruppo di ricerca: https://spritz.math.unipd.it/
Pier Paolo Tricomi (Dipartimento di Matematica - Università degli Studi di Padova)
"Player Recognition and Private Data Inference Exploiting Online-Gaming Data"
(Relatore: Prof. Mauro Conti).
La tesi “Player Recognition and Private Data Inference Exploiting Online-Gaming Data” affronta il tema della sicurezza nei video games. In particolare, il candidato Pier Paolo Tricomi ha implementato una rete neurale ricorrente in grado di profilare e riconoscere videogiocatori in base al loro stile di gioco, creando un metodo innovativo ed originale per contrastare problemi quali truffe e cyberbullismo, sempre più presenti nel mondo virtuale. Inoltre, è stata condotta un’analisi preliminare sulla correlazione tra informazioni private dei giocatori e il loro stile di gioco. L’esito positivo di tale analisi apre pericolosamente la possibilità di inferire informazioni private di videogiocatori sfruttando dati di gioco pubblici. Per verificare l’esistenza di comportamenti pericolosi nei videogames, quali truffe e cyberbullismo, e per raccogliere dati utili a verificare gli obiettivi della tesi, Pier Paolo ha distribuito un questionario online indirizzato a giocatori di Dota 2, un videogame con più di 10 milioni di utenti attivi. Al questionario hanno partecipato circa 600 persone, e i risultati mostrano come cyberbullismo e truffe siano fenomeni molto presenti nei videogiochi online: circa il 50% dei partecipanti è stato molestato in gioco almeno una volta e il 75% è stato vittima di un tentativo di truffa. I problemi sopra citati possono essere ridotti essendo in grado di riconoscere univocamente un giocatore, indipendentemente dall’account in cui gioca. Se gli amministratori dei videogiochi “bannano” un utente pericoloso, quest’ultimo può ricreare un nuovo account e continuare ad esserlo. Potendo disporre di una “impronta digitale” nel mondo virtuale, si ridurrebbe drasticamente questo problema, in quanto un giocatore potrebbe essere riconosciuto anche se sotto falsa identità. Il tesista ha delineato questa impronta digitale sfruttando lo stile di gioco di un giocatore, usando il movimento del cursore, della telecamera di gioco, e le azioni compiute dal giocatore. Per riconoscere i giocatori, è stata implementata una rete neurale ricorrente. Allenata su 50 giocatori diversi e 5000 partite, la rete ha riconosciuto i giocatori in più del 96% dei casi. Questo risultato dimostra come lo stile di gioco possa essere considerato “biometrico”, dando vita a innumerevoli sviluppi nel campo della sicurezza informatica nei videogiochi. Tra le conseguenze, se un truffatore o un cyberbullo vengono bannati in un account, essi saranno identificabili in ogni altro account in cui giocano o creano. Al contrario, se una vittima di cyberbullismo provasse a creare un nuovo account per sfuggire dai bulli, essi potrebbero rintracciarla usando il medesimo sistema. Quindi, la tesi ha anche lo scopo di creare consapevolezza riguardo una possibile e grave vulnerabilità. Infine, tale sistema di riconoscimento può essere utilizzato come metodo di autenticazione “biometrico”, quindi più sicuro rispetto (o insieme) a una password, per proteggere gli account dei giocatori. Nella parte finale della tesi è stata dimostrata l’esistenza di correlazione tra i dati di gioco degli utenti e loro informazioni private, come il genere, l’occupazione, e tratti di personalità. I risultati mostrano come sia teoricamente possibile inferire informazioni private dei giocatori sfruttando i loro dati di gioco, condivisi pubblicamente senza protezione alcuna. Questo introdurrebbe gravissimi problemi di privacy, o incentivare i già presenti fenomeni di stalking e cyberbullismo. Per questi motivi, crediamo che questo lavoro abbia aperto molte strade alla comunità scientifica per studiare e migliorare la sicurezza degli utenti anche nel mondo virtuale dei videogiochi, che ad oggi coinvolge più di due miliardi di persone. Un estratto della tesi, “PvP: Profiling versus Player! Exploiting Gaming Data for Player Recognition”, è stato pubblicato ad Information Security Conference 2020 (ISC 2020), una delle conferenze di riferimento in Cybersecurity.
Link esterno alla tesi: https://link.springer.com/chapter/10.1007/978-3-030-62974-8_22
Link esterno al gruppo di ricerca: https://spritz.math.unipd.it/
"Player Recognition and Private Data Inference Exploiting Online-Gaming Data"(Relatore: Prof. Mauro Conti).
La tesi “Player Recognition and Private Data Inference Exploiting Online-Gaming Data” affronta il tema della sicurezza nei video games. In particolare, il candidato Pier Paolo Tricomi ha implementato una rete neurale ricorrente in grado di profilare e riconoscere videogiocatori in base al loro stile di gioco, creando un metodo innovativo ed originale per contrastare problemi quali truffe e cyberbullismo, sempre più presenti nel mondo virtuale. Inoltre, è stata condotta un’analisi preliminare sulla correlazione tra informazioni private dei giocatori e il loro stile di gioco. L’esito positivo di tale analisi apre pericolosamente la possibilità di inferire informazioni private di videogiocatori sfruttando dati di gioco pubblici. Per verificare l’esistenza di comportamenti pericolosi nei videogames, quali truffe e cyberbullismo, e per raccogliere dati utili a verificare gli obiettivi della tesi, Pier Paolo ha distribuito un questionario online indirizzato a giocatori di Dota 2, un videogame con più di 10 milioni di utenti attivi. Al questionario hanno partecipato circa 600 persone, e i risultati mostrano come cyberbullismo e truffe siano fenomeni molto presenti nei videogiochi online: circa il 50% dei partecipanti è stato molestato in gioco almeno una volta e il 75% è stato vittima di un tentativo di truffa. I problemi sopra citati possono essere ridotti essendo in grado di riconoscere univocamente un giocatore, indipendentemente dall’account in cui gioca. Se gli amministratori dei videogiochi “bannano” un utente pericoloso, quest’ultimo può ricreare un nuovo account e continuare ad esserlo. Potendo disporre di una “impronta digitale” nel mondo virtuale, si ridurrebbe drasticamente questo problema, in quanto un giocatore potrebbe essere riconosciuto anche se sotto falsa identità. Il tesista ha delineato questa impronta digitale sfruttando lo stile di gioco di un giocatore, usando il movimento del cursore, della telecamera di gioco, e le azioni compiute dal giocatore. Per riconoscere i giocatori, è stata implementata una rete neurale ricorrente. Allenata su 50 giocatori diversi e 5000 partite, la rete ha riconosciuto i giocatori in più del 96% dei casi. Questo risultato dimostra come lo stile di gioco possa essere considerato “biometrico”, dando vita a innumerevoli sviluppi nel campo della sicurezza informatica nei videogiochi. Tra le conseguenze, se un truffatore o un cyberbullo vengono bannati in un account, essi saranno identificabili in ogni altro account in cui giocano o creano. Al contrario, se una vittima di cyberbullismo provasse a creare un nuovo account per sfuggire dai bulli, essi potrebbero rintracciarla usando il medesimo sistema. Quindi, la tesi ha anche lo scopo di creare consapevolezza riguardo una possibile e grave vulnerabilità. Infine, tale sistema di riconoscimento può essere utilizzato come metodo di autenticazione “biometrico”, quindi più sicuro rispetto (o insieme) a una password, per proteggere gli account dei giocatori. Nella parte finale della tesi è stata dimostrata l’esistenza di correlazione tra i dati di gioco degli utenti e loro informazioni private, come il genere, l’occupazione, e tratti di personalità. I risultati mostrano come sia teoricamente possibile inferire informazioni private dei giocatori sfruttando i loro dati di gioco, condivisi pubblicamente senza protezione alcuna. Questo introdurrebbe gravissimi problemi di privacy, o incentivare i già presenti fenomeni di stalking e cyberbullismo. Per questi motivi, crediamo che questo lavoro abbia aperto molte strade alla comunità scientifica per studiare e migliorare la sicurezza degli utenti anche nel mondo virtuale dei videogiochi, che ad oggi coinvolge più di due miliardi di persone. Un estratto della tesi, “PvP: Profiling versus Player! Exploiting Gaming Data for Player Recognition”, è stato pubblicato ad Information Security Conference 2020 (ISC 2020), una delle conferenze di riferimento in Cybersecurity.
Link esterno alla tesi: https://link.springer.com/chapter/10.1007/978-3-030-62974-8_22
Link esterno al gruppo di ricerca: https://spritz.math.unipd.it/
BACHECA TESI EDIZIONI PASSATE
Edizione 2020Edizione 2019
Edizione 2018
Edizione 2017
Edizione 2016
Edizione 2015
Edizione 2014
Edizione 2013
Edizione 2012
Edizione 2011
Edizione 2010
Edizione 2009
Edizione 2008
Edizione 2007
