Project Publications
LOCARD related articles have been published in high-rated journals and presented in top conferences. The following list depicts all articles published and presented from the beginning of the project.

Abstract:

In recent years, the usage model of the Internet has changed, pushing researchers towards the design of the Information-Centric Networking (ICN) paradigm as a possible replacement of the existing architecture. Even though both Academia and Industry have investigated the feasibility and effectiveness of ICN, achieving the complete replacement of the Internet Protocol (IP) is a challenging task: (i) the process involves multiple parties, such as Internet Service Providers (ISPs), that need to coordinate among each other; (ii) it requires an indefinite amount of time to update hardware and software of network components; and (iii) it is a high risk goal that might introduce unexpected complications. Thus, the process of replacing the current Internet will inevitably lead towards a period of coexistence between the old and the new architectures. Given the urgency of the problem, this transition phase will happen very soon and people should address it in a smooth way. Some research groups have already addressed the coexistence by designing their own architectures, but none of those is the final solution to move towards the future Internet considering the unaltered state of the networking. To design such architecture, the research community needs now a comprehensive overview of the existing solutions that have so far addressed the coexistence. The purpose of this paper is to reach this goal by providing the first comprehensive survey and classification of the coexistence architectures according to their features (i.e., deployment approach, deployment scenarios, addressed coexistence requirements and additional architecture or technology used) and evaluation parameters (i.e., challenges emerging during the deployment and the runtime behaviour of an architecture). We believe that this paper will finally fill the gap required for moving towards the design of the final coexistence architecture.


Authors: Mauro Conti; Ankit Gangwal; Muhammad Hassan; Chhagan Lal; Eleonora Losiouk

JournalIEEE Communications Surveys & Tutorials

Date of Publication: May 2020.

Publisher: IEEE

Abstract:

Process Mining is a set of techniques that aim at discovering, monitoring and improving real processes by using logs of events created and stored by corporate information systems. The growing use of information and communication technologies and the imminent wide deployment of the Internet of Things enable the massive collection of events, which are going to be studied so as to improve all kinds of systems efficiency. Despite its enormous benefits, analyzing event logs might endanger individuals privacy, especially when those logs contain personal and confidential information, such as healthcare data. This article contributes to an emerging research direction within the process mining field, known as Privacy-Preserving Process Mining (PPPM), which embraces the privacy-by-design principle when conducting process mining analyses. We show that current solutions based on pseudonyms and encryption are vulnerable to attacks based on the analysis of the distribution of events combined with well-known location-oriented attacks such as the restricted space identification and the object identification attacks. With the aim to counteract these attacks, we present u-PPPM, a novel privacy-preserving process mining technique based on the uniformization of events distributions. This approach protects the privacy of the individuals appearing in event logs while minimizing the information loss during process discovery analyses. Experimental results, conducted using six real-life event logs, demonstrate the feasibility of our approach in real settings.


Authors: Edgar Batista; Agusti Solanas.

JournalPeer-to-Peer Networking and Applications.

Date of Publication: 16 January, 2021.

Publisher: Springer.

Abstract:

In recent years the PC has been replaced by mobile devices formany security sensitive operations, both from a privacy and a financial standpoint. Therefore the stark increase in malware targeting Android, the mobile OS with the largest market share, wasbound to happen. While device vendors are taking their precautions with app-store and on-device scanning, limitations abound,mainly related to the malware signature-based detection approach.This situation calls for an additional protection layer that detects unknown malware that breaches existing countermeasures. In this work we propose SpotCheck, an anomaly detector intended to run on Android devices. It samples app executions and submits any suspicious apps to more thorough processing by malwares and boxes. We compare Kernel Principal Component Analysis(KPCA) and Variational Autoencoders (VAE) on app execution representations based on the well-known system call traces, as well as a novel approach based on memory dumps. Results show that whenusing VAE, SpotCheck attains a level of effectiveness comparable to what has been previously achieved for network anomaly detection. Even more interesting, the KPCA anomaly detector managed comparable effectiveness even for the experimental memory dump approach. Overall, these promising results present a solid platform upon which to strive for an improved design.


Authors: Mark Vella; Christian Colombo.

Conference: 13th International Conference on Security of Information and Networks.

Date of Publication: November 2020.

Publisher: ACM.

Abstract:

Attackers regularly target Android phones and come up withnew ways to bypass detection mechanisms to achieve long-term stealth on a victim's phone. One way attackers do this is by leveraging critical benign app functionality to carry out specific attacks. In this paper, we present a novel generalised framework, JIT-MF (Just-in-time Memory Forensics), which aims to address the problem of timely collection of short-lived evidence in volatile memory to solve the stealthiest of Android attacks. The main components of this framework are i) Identification of critical data objects in memory linked with critical benign application steps that may be misused by an attacker; and ii) Careful selection of trigger points, which identify when memory dumpsshould be taken during benign app execution.The effectiveness and cost of trigger point selection, a corner stone of this framework, are evaluated in a preliminary qualitative study using Telegram and Pushbullet as the victim apps targeted by stealthy malware.Our study identifies that JIT-MF is successful in dumping critical dataobjects on time, providing evidence that eludes all other forensic sources.Experimentation offers insight into identifying categories of trigger points that can strike a balance between the effort required for selection andthe resulting effectiveness and storage costs. Several optimisation mea-sures for the JIT-MF tools are presented, considering the typical resource constraints of Android devices.


Authors: Jennifer Bellizzi; Mark Vella; Christian Colombo; Mark Vella; Christian Colombo; Julio Hernandez-Castro.

Conference: 25th Nordic Conference on Secure IT Systems

Date of Publication: November 2020.

Publisher: Springer.

Abstract:

Android accessibility features include a robust set of toolsallowing developers to create apps for assisting people with disabilities. Unfortunately, this useful set of tools can also be abused and turned into an attack vector, providing malware with the ability to interact and readcontent from third-party apps. In this work, we are the first to study the impact that the stealthy exploitation of Android accessibility services can have on significantly reducing the forensic footprint of malware attacks, thus hindering both liveand post-incident forensic investigations. We show that through Living off the Land (LotL) tactics, or by offering a malware-only substitute for attacks typically requiring more elaborate schemes, accessibility-based malware can be rendered virtually undetectable. In the LotL approach, we demonstrate accessibility-enabled SMS andcommand and control (C2) capabilities. As for the latter, we show acomplete cryptocurrency wallet theft, whereby the accessibility trojancan hijack the entire withdrawal process of a widely used app, including two-factor authentication (2FA). In both cases, we demonstrate how the attacks result in significantly diminished forensic evidence when compared to similar attacks not employing accessibility tools, even to the extent of maintaining device take-over without requiring malware per-sistence.


Authors: Yonas Leguesse; Mark Vella; Christian Colombo; Julio Hernandez-Castro.

Journal: International Workshop on Security and Trust Management.

Date of Publication: 16 September, 2020.

PublisherSpringer.

Abstract:

Traceability has become a critical element in supply chain management, particularly in safety-sensitive sectors like food, pharmaceuticals, etc. Upstream (manufacturers, producers, etc.) and downstream (distributors, wholesalers, etc.) supply chain members need to store and handle traceability-related information for providing proof of regulatory compliance to both state authorities and more demanding customers. Consumers also place high expectations on food supply chains (FSC) with specific emphasis on facets related to safety. However, the complexity of modern FSC networks and their fragmentation act as barriers for the development of sound traceability mechanisms. In this paper a distributed trustless and secure architecture for FSC traceability is developed and tested. For assessing the feasibility of the proposed approach, a food traceability case study from a dairy company is presented. The applicability of the model is further illustrated by the development of fully functional smart contracts and a local private blockchain. Moreover, the various links between the proposed blockchain-based model and its managerial implications are presented. The overall benefits of the proposed model are discussed along with fruitful areas for future research. The results are of significant value to both practitioners and researchers.


Authors: Fran Casino,Venetis Kanakaris,Thomas K. Dasaklis,Socrates Moschuris,Spiros Stachtiaris,Maria Pagoni &Nikolaos P. Rachaniotis

Journal: International Journal of Production Research

Date of Publication: 23 July, 2020.

Publisher: Taylor & Francis

Attachments:
Download this file (trace_block.pdf)trace_block.pdf[ ]2320 kB

Abstract:

Routing Protocol for low power and Lossy networks (RPL) is a standardized routing protocol for low power and lossy networks (LLNs) such as the Internet of Things (IoT). RPL was designed to be a simple (but efficient) and practical networking protocol to perform routing in IoT networks that consists of resource constrained devices. These tiny intercommunicating devices are currently in use in a large array of IoT application services (e.g., eHealth, smart agriculture, smart grids, and home automation). However, the lack of scalability and the low data communication reliability due to faulty links or malicious nodes, still remains significant challenges in the broader adoption of RPL in LLNs. In this paper, we propose RECOUP, a robust multicast communication routing protocol for Low power and Lossy Networks. RECOUP efficiently uses a low-overhead cluster-based multicast routing technique on top of the RPL protocol. RECOUP increases the probability of message delivery to the intended destination(s), irrespective of the network size and faults (such as broken links or non-responsive nodes), and in the presence of misbehaving nodes. An implementation of RECOUP is realized in Contiki. Our results show the effectiveness of RECOUP over state-of-art protocols concerning packet delivery ratio to 25%, end-to-end delay down to 100 ms, and low radio transmissions required for per packet delivery to 6 mJ. Moreover, it minimizes the impact of various topologies (i.e., rank and sybil) and data communication (i.e., blackhole, wormhole, and jamming) attacks that targets an IoT networking infrastructure.


Authors: Mauro Conti; Pallavi Kaliyar; Chhagan Lal.

Journal: Journal of Network and Computer Applications.

Date of Publication: 15 August, 2020.

Publisher:: Elsevier.

Abstract:

The Internet of Things (IoT) is recognized as a disruptive innovation that has been led by industry leaders and researchers. IoT promises to improve our daily life based on smart objects interacting with each other, and that can be connected to the Internet. Building a security framework into this new paradigm is a significant technical challenge today. It is mainly due to the low-cost and resource-constrained nature of IoT devices. In most of the IoT application scenarios, the routing is done by the de-facto standard protocol called routing protocol for low power and lossy networks (RPL). The use of RPL is suitable due to its energy-efficient schemes, availability of secure and multiple communication modes, and adaptivity to work in various IoT network scenarios. Hence, many researchers are now focusing on RPL related security issues. To this end, our work provides a concise description of two major threats to RPL called sybil and wormhole attacks. Moreover, we propose two solutions to detect these attacks in RPL-based IoT networks. Specifically, our proposed techniques exploit the concept of Highest Rank Common Ancestor (HRCA) to find a common ancestor with the highest rank among all the ancestors that a pair of nodes have in the target network tree. Our two detection algorithms not only detect an ongoing attack but also localizes the position of the adversary in the network. Thus, it makes the mitigation process lightweight and fast. We implement the two approaches in Cooja, the Contiki network emulator. The results obtained from our experiments demonstrate the feasibility of the proposals concerning true positive rate, detection time, packet loss ratio, memory consumption, and network overhead. Our techniques show promising to cover more complex scenarios in the future.


AuthorsPallavi KaliyarWafa Ben Jaballah; Mauro Conti; Chhagan Lal.

Journal: Computers and Security.

Date of Publication: July, 2020.

Publisher:: Elsevier.

Abstract:

Over the last few years, the dramatic growth in video demand has inspired the service providers (e.g., Netflix and YouTube) to swing towards HTTP based Dynamic Adaptive Streaming (DASH). However, sustaining the adequate bandwidth claims over this rapid growth in multimedia content becomes a significant challenge for network operators. Considering the effectiveness of the next generation future Internet architecture, i.e., Name Data Networking (NDN), recently DASH over NDN is implemented. The fundamental characteristics of NDN, such as efficient content distribution and low bandwidth requirements, significantly increase the bandwidth utilization, which ensures the smooth delivery of multimedia content. However, we discovered that the above characteristics of NDN also opens the door for new vulnerabilities.

In this paper, first we propose a new attack termed as “Bitrate Oscillation Attack” (BOA), which disrupt the functionality of DASH protocol over NDN by exploiting its two key features called in-network caching and interest aggregation. In particular, BOA forces the DASH streaming system running at the honest client to oscillate in various video resolutions with high frequency and amplitude, within a single video session. Second, to mitigate the BOA, we design and implement a proactive countermeasure called “NC based DAS-NDN”. Our solution efficiently enables the network coding to DAS multimedia content and within NDN architecture. Thus, without any coordination between the network nodes reduces bitrate oscillations in the presence of BOA and NDN’s inherent content source variations. The performance evaluation performed on different target scenarios proves the effectiveness of our proposed attack, and the results also show the correctness of our proposed corresponding countermeasure. In particular, the result analysis shows that BOA increases the annoyance factor in spatial dimension of end-user, and our countermeasure greatly reduces the adverse effects of BOA and also make DAS friendly to NDN’s inherent features.


AuthorsPallavi KaliyarWafa Ben Jaballah; Mauro Conti; Chhagan Lal.

Journal: Computer Networks.

Date of Publication: 19 June, 2020.

Publisher:: Elsevier.

Attachments:
Download this file (NC based DAS-NDN.pdf)NC based DAS-NDN.pdf[ ]2552 kB

Page 3 of 6

Slide 1
Join the community
Follow us and stay connected and updated.
EU flag Copyright © 2019 - 2022 LOCARD. All rights reserved. This project has received funding from the European Union’s Horizon 2020 Research and Innovation Programme under Grant Agreement nº 832735. This project reflects only the author’s view and the Commission is not responsible for any use that may be made of the information it contains.