Project Publications
LOCARD related articles have been published in high-rated journals and presented in top conferences. The following list depicts all articles published and presented from the beginning of the project.


During the last few years, there has been an upsurge of social media influencers who are part of the adult entertainment industry, referred to as Performers. To monetize their online presence, Performers often engage in practices which violate community guidelines of social media, such as selling subscriptions for accessing their private "premium" social media accounts, where they distribute adult content. In this paper, we collect and analyze data from FanCentro, an online marketplace where Performers can sell adult content and subscriptions to private accounts in platforms like Snapchat and Instagram. Our work aims to shed light on the semi-illicit adult content market layered on the top of popular social media platforms and its offerings, as well as to profile the demographics, activity and content produced by Performers.

Authors: Nikolaos Lykousas; Fran Casino; Constantinos Patsakis

Conference: International Conference on Social Informatics

Date of Publication: October 2020.

Publisher: Springer


Nowadays, malware campaigns have reached a high level of sophistication, thanks to the use of cryptography and covert communication channels over traditional protocols and services. In this regard, a typical approach to evade botnet identification and takedown mechanisms is the use of domain fluxing through the use of Domain Generation Algorithms (DGAs). These algorithms produce an overwhelming amount of domain names that the infected device tries to communicate with to find the Command and Control server, yet only a small fragment of them is actually registered. Due to the high number of domain names, the blacklisting approach is rendered useless. Therefore, the botmaster may pivot the control dynamically and hinder botnet detection mechanisms. To counter this problem, many security mechanisms result in solutions that try to identify domains from a DGA based on the randomness of their name.

In this work, we explore hard to detect families of DGAs, as they are constructed to bypass these mechanisms. More precisely, they are based on the use of dictionaries or adversarial approaches so the generated domains seem to be user-generated. Therefore, the corresponding generated domains pass many filters that look for, e.g. high entropy strings or n-grams. To address this challenge, we propose an accurate and efficient probabilistic approach to detect them. We test and validate the proposed solution through extensive experiments with a sound dataset containing all the wordlist-based DGA families that exhibit this behaviour, as well as several adversarial DGAs, and compare it with other state-of-the-art methods, practically showing the efficacy and prevalence of our proposal.

Authors: Constantinos Patsakis; Fran Casino

Journal: Journal of Information Security and Applications

Date of Publication: May 2021.

Publisher: Elsevier


In this report, we analyse the latest campaign of Emotet that had a significant impact in several countries worldwide. We leverage the data of a specifically crafted dataset, which contains emails, documents, executables and domains from the latest campaign. The goal is to analyse the attack vector, map the infrastructure used in various stages of the campaign and perform a surface analysis of Emotet's malicious payloads to assess their potential impact.

Authors: Constantinos Patsakis; Anargyros Chrysanthou

Journal: arXiv

Date of Publication: November 2020.

Publisher: arXiv



The current landscape of the core Internet technologies shows considerable centralisation with the big tech companies controlling the vast majority of traffic and services. This situation has sparked a wide range of decentralisation initiatives with blockchain technology being among the most prominent and successful innovations. At the same time, over the past years there have been considerable attempts to address the security and privacy issues affecting the Domain Name System (DNS). To this end, it is claimed that Blockchain-based DNS may solve many of the limitations of traditional DNS. However, such an alternative comes with its own security concerns and issues, as any introduction and adoption of a new technology typically does - let alone a disruptive one. In this work we present the emerging threat landscape of blockchain-based DNS and we empirically validate the threats with real-world data. Specifically, we explore a part of the blockchain DNS ecosystem in terms of the browser extensions using such technologies, the chain itself (Namecoin and Emercoin), the domains, and users who have been registered in these platforms. Our findings reveal several potential domain extortion attempts and possible phishing schemes. Finally, we suggest countermeasures to address the identified threats, and we identify emerging research themes.

Authors: Constantinos Patsakis; Fran Casino; Nikolaos Lykousas; Vasilios Katos

Journal: IEEE Access

Date of Publication: June 2020.

Publisher: IEEE



The Internet of Things (IoT) is an emerging paradigm and has penetrated deeply into our daily life. Due to the seamless connections of the IoT devices with the physical world through the Internet, the IoT applications use the cloud to store and provide ubiquitous access to collected data. Sharing of data with third party services and other users incurs potential risks and leads to unique security and privacy concerns, e.g., data breaches. Existing cryptographic solutions are inapt for resource-constrained IoT devices, because of their significant computational overhead. To address these concerns, we propose a data protection scheme to store the encrypted IoT data in a cloud, while still allowing query processing over the encrypted data. Our proposed scheme features a novel encrypted data sharing scheme based on Boneh-Goh-Nissim (BGN) cryptosystem, with revocation capabilities and in-situ key updates. We perform exhaustive experiments on real datasets, to assess the feasibility of the proposed scheme on the resource constrained IoT devices. The results show the feasibility of our scheme, together with the ability to provide a high level of security. The results also show that our scheme significantly reduces the computation, storage and energy overheads than the best performed scheme in the state-of-the-art.

Authors: Subir Halder; Mauro Conti.

Journal: IEEE Transactions on Cloud Computing

Date of Publication: January 2021.

Publisher: IEEE


In recent years, the usage model of the Internet has changed, pushing researchers towards the design of the Information-Centric Networking (ICN) paradigm as a possible replacement of the existing architecture. Even though both Academia and Industry have investigated the feasibility and effectiveness of ICN, achieving the complete replacement of the Internet Protocol (IP) is a challenging task: (i) the process involves multiple parties, such as Internet Service Providers (ISPs), that need to coordinate among each other; (ii) it requires an indefinite amount of time to update hardware and software of network components; and (iii) it is a high risk goal that might introduce unexpected complications. Thus, the process of replacing the current Internet will inevitably lead towards a period of coexistence between the old and the new architectures. Given the urgency of the problem, this transition phase will happen very soon and people should address it in a smooth way. Some research groups have already addressed the coexistence by designing their own architectures, but none of those is the final solution to move towards the future Internet considering the unaltered state of the networking. To design such architecture, the research community needs now a comprehensive overview of the existing solutions that have so far addressed the coexistence. The purpose of this paper is to reach this goal by providing the first comprehensive survey and classification of the coexistence architectures according to their features (i.e., deployment approach, deployment scenarios, addressed coexistence requirements and additional architecture or technology used) and evaluation parameters (i.e., challenges emerging during the deployment and the runtime behaviour of an architecture). We believe that this paper will finally fill the gap required for moving towards the design of the final coexistence architecture.

Authors: Mauro Conti; Ankit Gangwal; Muhammad Hassan; Chhagan Lal; Eleonora Losiouk

Journal: IEEE Communications Surveys & Tutorials

Date of Publication: May 2020.

Publisher: IEEE


Process Mining is a set of techniques that aim at discovering, monitoring and improving real processes by using logs of events created and stored by corporate information systems. The growing use of information and communication technologies and the imminent wide deployment of the Internet of Things enable the massive collection of events, which are going to be studied so as to improve all kinds of systems efficiency. Despite its enormous benefits, analyzing event logs might endanger individuals' privacy, especially when those logs contain personal and confidential information, such as healthcare data. This article contributes to an emerging research direction within the process mining field, known as Privacy-Preserving Process Mining (PPPM), which embraces the privacy-by-design principle when conducting process mining analyses. We show that current solutions based on pseudonyms and encryption are vulnerable to attacks based on the analysis of the distribution of events combined with well-known location-oriented attacks such as the restricted space identification and the object identification attacks. With the aim to counteract these attacks, we present u-PPPM, a novel privacy-preserving process mining technique based on the uniformization of events distributions. This approach protects the privacy of the individuals appearing in event logs while minimizing the information loss during process discovery analyses. Experimental results, conducted using six real-life event logs, demonstrate the feasibility of our approach in real settings.

Authors: Edgar Batista; Agusti Solanas.

Journal: Peer-to-Peer Networking and Applications.

Date of Publication: 16 January, 2021.

Publisher: Springer.


In recent years the PC has been replaced by mobile devices for many security sensitive operations, both from a privacy and a financial standpoint. Therefore the stark increase in malware targeting Android, the mobile OS with the largest market share, was bound to happen. While device vendors are taking their precautions with app-store and on-device scanning, limitations abound, mainly related to the malware signature-based detection approach. This situation calls for an additional protection layer that detects unknown malware that breaches existing countermeasures. In this work we propose SpotCheck, an anomaly detector intended to run on Android devices. It samples app executions and submits any suspicious apps to more thorough processing by malware sandboxes. We compare Kernel Principal Component Analysis (KPCA) and Variational Autoencoders (VAE) on app execution representations based on the well-known system call traces, as well as a novel approach based on memory dumps. Results show that when using VAE, SpotCheck attains a level of effectiveness comparable to what has been previously achieved for network anomaly detection. Even more interesting, the KPCA anomaly detector managed comparable effectiveness even for the experimental memory dump approach. Overall, these promising results present a solid platform upon which to strive for an improved design.

Authors: Mark Vella; Christian Colombo.

Conference: 13th International Conference on Security of Information and Networks.

Date of Publication: November 2020.

Publisher: ACM.


Attackers regularly target Android phones and come up with new ways to bypass detection mechanisms to achieve long-term stealth on a victim's phone. One way attackers do this is by leveraging critical benign app functionality to carry out specific attacks. In this paper, we present a novel generalised framework, JIT-MF (Just-in-time Memory Forensics), which aims to address the problem of timely collection of short-lived evidence in volatile memory to solve the stealthiest of Android attacks. The main components of this framework are i) Identification of critical data objects in memory linked with critical benign application steps that may be misused by an attacker; and ii) Careful selection of trigger points, which identify when memory dumps should be taken during benign app execution. The effectiveness and cost of trigger point selection, a cornerstone of this framework, are evaluated in a preliminary qualitative study using Telegram and Pushbullet as the victim apps targeted by stealthy malware. Our study identifies that JIT-MF is successful in dumping critical data objects on time, providing evidence that eludes all other forensic sources. Experimentation offers insight into identifying categories of trigger points that can strike a balance between the effort required for selection and the resulting effectiveness and storage costs. Several optimisation measures for the JIT-MF tools are presented, considering the typical resource constraints of Android devices.

Authors: Jennifer Bellizzi; Mark Vella; Christian Colombo; Julio Hernandez-Castro.

Conference: 25th Nordic Conference on Secure IT Systems

Date of Publication: November 2020.

Publisher: Springer.

Copyright © 2019 - 2021 LOCARD. All rights reserved. This project has received funding from the European Union’s Horizon 2020 Research and Innovation Programme under Grant Agreement nº 832735. This project reflects only the author’s view and the Commission is not responsible for any use that may be made of the information it contains.