Project Publications
LOCARD-related articles have been published in high-rated journals and presented at top conferences. The following list covers all articles published and presented since the beginning of the project.

Abstract:

In this paper, we present a systematic survey on contextual-information-based proximity detection techniques. These techniques are heavily used for improving security and usability in Zero-Interaction based Co-presence Detection and Authentication (ZICDA) systems. In particular, this survey includes a discussion of the possible adversary and communication models along with the existing security attacks on ZICDA systems. It also reviews the state-of-the-art proximity detection techniques that make use of contextual information. The proximity detection techniques are commonly referred to as Contextual Co-presence (COCO) protocols. The COCO protocols dynamically collect and use contextual information to improve the security of ZICDA systems during the proximity verification process. Finally, we summarize the significant challenges and suggest possible innovative and efficient future solutions for securely detecting co-presence between devices in the presence of adversaries. The proximity verification techniques presented in the literature usually involve several trade-offs between metrics such as efficiency, security, deployment cost, and usability. At present, there is no ideal solution which adequately addresses the trade-off between these metrics. Therefore, we trust that this review gives an insight into the strengths and shortcomings of the known research methodologies and paves the way for the design of future practical, secure, and efficient solutions.


Authors: Mauro Conti; Chhagan Lal.

Journal: Computers & Security.

Date of Publication: January 2020.

Publisher: Elsevier.

Abstract:

In Information Centric Networking (ICN), consumer mobility is supported by design by virtue of its connection-less pull-based communication model. However, producer mobility management is challenging as it focuses on the name-based resolution mechanism, which applies a dynamic and direct interaction between the producer and the forwarding plane. In this paper, we consider the fundamental security issues related to producer mobility in ICN. These security issues exist mainly due to the insecure interaction of the producer with the network’s forwarding information management system. We show that the current mobility solutions lack an adequate security mechanism and that they invite severe security threats in the network (e.g., prefix hijacking and Denial of Service (DoS) attacks). To address such security threats, we propose a Blockchain based lightweight distributed mobile producer Authentication (BlockAuth) protocol to enable secure and efficient mobility management in ICN. BlockAuth authenticates the producers’ prefix(es) and enforces that they express only genuine routing updates for the prefix(es) which they are entitled to advertise. The qualitative security analysis confirms that BlockAuth is robust against various security attacks to which mobile networks and blockchains are particularly vulnerable (e.g., prefix hijacking, double spending, DoS attacks). Additionally, the performance evaluation of BlockAuth shows that it maintains a significant performance gain compared to the state-of-the-art prefix attestation proposals. In particular, it maintains up to 94% of the network’s original throughput, while it needs additional storage of just tens of megabytes.


Authors: Mauro Conti; Muhammad Hassan; Chhagan Lal.

Journal: Computer Networks.

Date of Publication: December 2019.

Publisher: Elsevier.

Abstract:

The widespread adoption of the new generation of decentralised architectures, leveraged by blockchain and decentralised file storage (DFS) systems, enables a myriad of new applications and opportunities. Nevertheless, their remarkable features, namely auditability, availability and, among all, immutability, do not come without a cost. In this article, we examine blockchain and the most widely used DFS systems and discuss their main challenges and opportunities, with special regard to their immutability and its impact on their GDPR compliance. A description of current and prospective threats is also provided, along with an analysis of the features that each threat exploits. In addition, we discuss several measures to address the identified threats, and we provide a fertile common ground for further research.


Authors: Fran Casino; Eugenia Politou; Efthimios Alepis; Constantinos Patsakis.

Journal: IEEE Access.

Date of Publication: December 2019.

Publisher: Institute of Electrical and Electronics Engineers (IEEE).

Attachments:
immutability.pdf (8748 kB)

Abstract:

Voice-over-IP (VoIP) software is among the most widely spread and pervasive software, counting millions of monthly users. However, we argue that people ignore the drawbacks of transmitting information along with their voice, such as keystroke sounds—as such sound can reveal what someone is typing on a keyboard.

In this article, we present and assess a new keyboard acoustic eavesdropping attack that involves VoIP, called Skype & Type (S&T). Unlike previous attacks, S&T assumes a weak adversary model that is very practical in many real-world settings. Indeed, S&T is very feasible, as it does not require (i) the attacker to be physically close to the victim (either in person or with a recording device) or (ii) precise profiling of the victim’s typing style and keyboard; moreover, it can work with a very small amount of leaked keystrokes. We observe that leakage of keystrokes during a VoIP call is likely, as people often “multi-task” during such calls. As expected, VoIP software acquires and faithfully transmits all sounds, including emanations of pressed keystrokes, which can include passwords and other sensitive information. We show that one very popular VoIP software (Skype) conveys enough audio information to reconstruct the victim’s input—keystrokes typed on the remote keyboard. Our results demonstrate that, given some knowledge of the victim’s typing style and keyboard model, the attacker attains top-5 accuracy of 91.7% in guessing a random key pressed by the victim. This work extends previous results on S&T, demonstrating that our attack is effective with many different recording devices (such as laptop microphones, headset microphones, and smartphones located in proximity to the target keyboard) and diverse typing styles and speeds, and is particularly threatening when the victim is typing in a known language.


Authors: Stefano Cecconello; Alberto Compagno; Mauro Conti; Daniele Lain; Gene Tsudik.

Journal: ACM Transactions on Privacy and Security.

Date of Publication: December 2019.

Publisher: ACM Digital Library.

Abstract:

Remote attestation is a two-party security protocol that aims to detect the presence of malware in a remote untrusted IoT device. In order to perform the attestation, an IoT device typically has to stop its regular operation and perform expensive computations that consume the battery life of the device. In this paper, we use cloud/fog computing to attest an IoT device in an efficient way. We propose Remote Attestation as a Service (RAaS), which allows even a low-end IoT device to securely offload the attestation process to the cloud. We argue that RAaS allows the clone of the device, securely created in the cloud, to perform the most expensive attestation computations. Our proposed approach could reduce the number of attestation operations running on the real IoT device, saving energy and reducing the downtime of the usual operation of an IoT device during the execution of remote attestation.


Authors: Mauro Conti; Edlira Dushku; Luigi V. Mancini; Md Masoom Rabbani; Silvio Ranise.

Date of Publication: November 2019.

Publisher: Institute of Electrical and Electronics Engineers (IEEE).

Conference: Sixth International Conference on Internet of Things: Systems, Management and Security (IOTSMS).

Attachments:
Remote Attestation as a Service.pdf (713 kB)

Abstract:

Software-Defined Networking (SDN) is a novel network approach that has revolutionised existing network architectures by decoupling the control plane from the data plane. Researchers have shown that SDN networks are highly vulnerable to security attacks. For instance, adversaries can tamper with the controller's network topology view to hijack the hosts' location or create fake inter-switch links. These attacks can be launched for various purposes, ranging from impersonating hosts to bypassing middleboxes or intercepting network traffic. Several countermeasures have been proposed to mitigate topology attacks, but to date there has been no comprehensive analysis of the level of security they offer. A critical analysis is thus an important step towards better understanding the possible limitations of the existing solutions and building stronger defences against topology attacks.

In this paper, we evaluate the actual security of the existing mechanisms for network topology discovery in SDN. Our analysis reveals 6 vulnerabilities in the state-of-the-art countermeasures against topology attacks: TopoGuard, TopoGuard+, SPV and SecureBinder. We show that these vulnerabilities can be exploited in practice to manipulate the network topology view at the controller. Furthermore, we present 2 novel topology attacks, called Topology Freezing and Reverse Loop, that exploit vulnerabilities in the widely used Floodlight controller. We responsibly disclosed these vulnerabilities to Floodlight. While we show that it is difficult to fully eradicate these attacks, we propose fixes to mitigate them. In response to our findings, we conclude the paper by detailing practical ways of further improving the existing countermeasures.


Authors: Eduard Marin; Nicola Bucciol; Mauro Conti.

Date of Publication: November 2019.

Publisher: ACM Digital Library.

Conference: ACM Conference on Computer and Communications Security.

Abstract:

Cybercrime in the past decade has experienced an all-time high due to the inclusion of so-called smart devices in our daily lives. These tiny devices with brittle security features are often dubbed the Internet of Things (IoT). Their inclusion is not limited to our daily lives but extends to different fields, for example, healthcare, smart industries, aviation, and smart cities. Although IoT devices make our lives easy and perform our jobs in a smart way, their fragile security mechanisms pose a severe challenge regarding the safety and privacy of their users. Attacks like Stuxnet and the Mirai botnet are key examples of the damage that can be caused by maliciously controlling these devices. One effective tool to identify a malicious entity at a network device is to perform Remote Attestation (RA). However, performing RA over a large, heterogeneous IoT network is a difficult task due to the resource-constrained nature of these networks. To this end, we propose a novel scheme called SARP, which is an attestation-assisted secure and scalable routing protocol for IoT networks. SARP performs attestation in large-scale IoT networks by using the Routing Protocol for Low Power and Lossy Networks (RPL) framework and exploiting the inbuilt features of RPL. In particular, SARP uses an attestation technique that not only secures the network from internal attacks, but also provides security to RPL’s data communication process, which helps to improve the overall network performance. Moreover, SARP supports network mobility, device heterogeneity, and network scalability, while it does not sacrifice the key requirements of IoT networks such as low energy and memory consumption and low network overhead. The simulation results obtained in different IoT scenarios in the presence of various types of attacks show the effectiveness of SARP concerning energy consumption, packet delivery ratio, network overhead, data integrity, and communication security.


Authors: Mauro Conti; Pallavi Kaliyar; Md Masoom Rabbani; Silvio Ranise.

Date of Publication: November 2019.

Publisher: Elsevier.

Abstract:

Blockchain's evolution during the past decade is astonishing: from bitcoin to over 2,000 altcoins, and from decentralised electronic payments to transactions programmable by smart contracts and complex tokens governed by decentralised organisations. While the new generation of blockchain applications is still evolving, blockchain's technical characteristics are also advancing. Yet, immutability, a hitherto indisputable and highly advertised property according to which blockchain data cannot be edited nor deleted, remains the cornerstone of blockchain's security. Nevertheless, blockchain's immutability is being called into question lately in the light of the new erasing requirements imposed by the GDPR's "Right to be Forgotten (RtbF)" provision. As the RtbF obliges blockchain data to be editable in order for restricted content redactions, modifications or deletions to be applied when requested, blockchains' compliance with the regulation is indeed challenging, if not impracticable. Towards resolving this contradiction, various methods and techniques for mutable blockchains have been proposed to satisfy regulatory erasing requirements while preserving blockchains' security. To this end, this work aims to provide a comprehensive review of the state-of-the-art research approaches, technical workarounds and advanced cryptographic techniques that have been put forward to resolve this conflict and to discuss their potential, constraints and limitations when applied in the wild to either permissioned or permissionless blockchains.


Authors: Eugenia Politou; Fran Casino; Efthimios Alepis; Constantinos Patsakis.

Journal: IEEE Transactions on Emerging Topics in Computing.

Date of Publication: 25 October 2019.

Publisher: Institute of Electrical and Electronics Engineers (IEEE).

Attachments:
mutability.pdf (1356 kB)

Abstract:

Information overload is a phenomenon of our days due to the unprecedented penetration of information and communication technologies (ICT) in our daily lives. As a result, people often end up with more options than they can process to choose from and therefore may opt for choices which do not fit best to their preferences. To address these issues, recommender systems (RSs) were proposed and have gained a lot of interest from the research community and industry. However, privacy is a big concern in these systems. While decentralized recommenders can protect privacy, they lack the needed efficiency to be widely adopted. In this article, we use blockchain as the backbone of a decentralized RS, managing to equip it with a broad set of features while simultaneously, preserving user’s privacy. We introduce a new architecture, based on decentralized locality sensitive hashing classification as well as a set of recommendation methods, according to how data are managed by users. Extensive experimental results illustrate the performance and efficacy of our approach compared with state-of-the-art methods. In addition, a discussion about its benefits and opportunities provides ground for further research.


Authors: Fran Casino; Constantinos Patsakis.

Journal: IEEE Transactions on Engineering Management.

Date of Publication: 22 October 2019.

Publisher: Institute of Electrical and Electronics Engineers (IEEE).

Attachments:
block_collab.pdf (1632 kB)

Copyright © 2019 - 2022 LOCARD. All rights reserved. This project has received funding from the European Union’s Horizon 2020 Research and Innovation Programme under Grant Agreement nº 832735. This project reflects only the author’s view and the Commission is not responsible for any use that may be made of the information it contains.