Project Publications
LOCARD related articles have been published in high-rated journals and presented in top conferences. The following list depicts all articles published and presented from the beginning of the project.

Abstract:

Recent advances in telecommunications and database systems have allowed the scientific community to efficiently mine vast amounts of information worldwide and to extract new knowledge by discovering hidden patterns and correlations. Nevertheless, all this shared information can be used to invade the privacy of individuals through the use of fusion and mining techniques. Simply removing direct identifiers such as name, SSN, or phone number is not anymore sufficient to prevent against these practices. In numerous cases, other fields, like gender, date of birth and/or zipcode, can be used to re-identify individuals and to expose their sensitive details, e.g. their medical conditions, financial statuses and transactions, or even their private connections. The scope of this work is to provide an in-depth overview of the current state of the art in Privacy-Preserving Data Publishing (PPDP) for relational data. To counter information leakage, a number of data anonymisation methods have been proposed during the past few years, including $k$ -anonymity, $\ell $ -diversity, $t$ -closeness, to name a few. In this study we analyse these methods providing concrete examples not only to explain how each of them works, but also to facilitate the reader to understand the different usage scenarios in which each of them can be applied. Furthermore, we detail several attacks along with their possible countermeasures, and we discuss open questions and future research directions.


Authors: Athanasios Zigomitros; Fran Casino; Agusti Solanas; Constantinos Patsakis.

Journal: IEEE Access.

Date of Publication: 11 March 2020.

Publisher: Institute of Electrical and Electronics Engineers (IEEE).

Attachments:
Download this file (kannon.pdf)kannon.pdf[ ]2830 kB

Abstract:

Android is currently the most widespread operating system (OS) worldwide, but also the most prone to attacks. Despite the challenges faced by Industry and Academia to improve the Android OS security, it still has several vulnerabilities. Among those, the severity of the Next-Intent Vulnerability (NIV) can be immediately grasped. Android apps are made of components, which by default are private and cannot be targeted by other apps on the same phone. However, NIV allows any app to access the private components of a different app, eventually generating a crash or stealing sensitive data. NIV occurs when there is a chain of calls among different components based on the Intent messaging model and there is no control over the reliability of the first component triggering the call. NIV was first detected in 2013, but it is still an open issue. In this paper, we present Next-Intent Vulnerability Detector (NIVD), a novel approach to detect NIV in Android apps by relying on type systems. NIVD applies the inference rules of its type system to the app execution paths containing a sequence of calls to three NIV-related Android APIs. Compared to the state-of-the-art, NIVD is faster and more efficient, without losing precision in detecting NIV. Finally, through NIVD Google Photos was found to be vulnerable, and we disclosed the finding on the Google official bug report website (issue number 124342801).


Authors: Mohamed A. El-Zawawy; Eleonora Losiouk; Mauro Conti.

Journal: International Journal of Information Security.

Date of Publication: 6 March, 2020.

Publisher:: Springer.

Abstract:

Energy trading in Industrial Internet of Things (IIoT), a fundamental approach to realize Industry 4.0, plays a vital role in satisfying energy demands and optimizing system efficiency. Existing research works adopts a utility company to distribute energy to energy nodes with the help of energy brokers. Afterwards, they apply blockchain to provide transparency, immutability, and auditability of peer-to-peer (P2P) energy trading. However, their schemes are constructed on a weak security model and do not consider the cheating attack initiated by energy sellers. Such an attack refers to an energy seller refusing to transfer the negotiated energy to an energy purchaser who already paid money. In this paper, we propose FeneChain, a blockchain-based energy trading scheme to supervise and manage the energy trading process towards building a secure energy trading system and improving the energy quality for Industry 4.0. Specifically, we leverage anonymous authentication to protect user privacy, and we design a timed commitments based mechanism to guarantee the verifiable fairness during energy trading. Moreover, we utilize fine-grained access control for energy trading services. We also build a consortium blockchain among energy brokers to verify and record energy trading transactions. Finally, we formally analyze the security and privacy of FeneChain and evaluate its performance (i.e., computational costs and communication overhead) by implementing a prototype via a local Ethereum test network and Raspberry Pi.


Authors: Meng Li; Donghui Hu; Chhagan Lal; Mauro Conti; Zijian Zhang.

Journal: IEEE Transactions on Industrial Informatics.

Date of Publication: 17 February, 2020.

Publisher: Institute of Electrical and Electronics Engineers (IEEE).

Abstract:

Tracing products and processes across complex supply chain networks has become an integral part of current supply chain management practices. However, the effectiveness and efficiency of existing supply chain traceability mechanisms are hindered by several barriers including lack of data interoperability and information sharing, opportunistic behaviour, lack of transparency and visibility and cyber-physical threats, to name a few. In this paper, we propose a forensics-by-design supply chain traceability framework with audit trails for integrity and provenance guarantees based on malleable blockchain tokens. This framework also provides the establishment of different granularity levels for tracing products across the entire supply chain based on their unique characteristics, supply chain processes and stakeholders engagement. To showcase the applicability of our proposal, we develop a functional set of smart contracts and a local private blockchain. The benefits of our framework are further discussed, along with fruitful areas for future research.


Authors: Thomas K. Dasaklis; Fran Casino; Costas PatsakisChristos Douligeris.

Conference17th Int. Conference on Business Process Management (BPM 2019), at Vienna.

Date of Publication: January 2020.

PublisherSpringer, Cham.

Attachments:
Download this file (blockchaintokens.pdf)blockchaintokens.pdf[ ]699 kB

Abstract:

In this paper, we present a systematic survey on the contextual information based proximity detection techniques. These techniques are heavily used for improving security and usability in Zero-Interaction based Co-presence Detection and Authentication (ZICDA) systems. In particular, this survey includes a discussion on the possible adversary and communication models along with the existing security attacks on ZICDA systems. It also reviews the state-of-the-art proximity detection techniques that make use of contextual information. The proximity detection techniques are commonly referred as Contextual Co-presence (COCO) protocols. The COCO protocols dynamically collect and use contextual information to improve the security of ZICDA systems during the proximity verification process. Finally, we summarize the significant challenges and suggest possible innovative and efficient future solutions for securely detecting co-presence between devices in the presence of adversaries. The proximity verification techniques presented in the literature usually involve several trade-offs between metrics such as efficiency, security, deployment cost, and usability. At present, there is no ideal solution which adequately addresses the trade-off between these metrics. Therefore, we trust that this review gives an insight into the strengths and shortcomings of the known research methodologies and pave the way for the design of future practical, secure, and efficient solutions.


Authors: Mauro ContiChhagan Lal.

JournalComputers & Security.

Date of Publication: January 2020.

Publisher: Elsevier.

Abstract:

In Information Centric Networking (ICN), consumer mobility is supported by design in virtue of its connection-less pull-based communication model. However, producer mobility management is challenging as it focuses on the named-based resolution mechanism, which applies a dynamic and direct interaction between the producer and forwarding plane. In this paper, we consider the fundamental security issues related to producer mobility in ICN. These security issues exist mainly due to the insecure interaction of producer with the network’s forwarding information management system. We show that the current mobility solutions lack an adequate security mechanism and they invite severe security threats in the network (e.g., prefix hijacking and Denial of Service (DoS) attacks). To address such security threats, we propose a Blockchain based lightweight distributed mobile producer Authentication (BlockAuth) protocol to enable secure and efficient mobility management in ICN. BlockAuth authenticates the producers’ prefix(es) and enforce them to express only genuine routing updates for the prefix(es) to which they are entitled to advertise. The qualitative security analysis confirms that BlockAuth is robust against various security attacks to which mobile network and blockchain are particularly vulnerable (e.g., prefix hijacking, double spending, DoS attack). Additionally, the performance evaluation of BlockAuth shows that it maintains significant performance gain compared to the state-of-the-art prefix attestation proposals. In particular, it maintains up to 94% of the network’s original throughput, while it needs additional storage of just tens of megabytes.


Authors: Mauro Conti; Muhammad Hassan; Chhagan Lal.

Journal: Computer Networks.

Date of Publication: December 2019.

Publisher: Elsevier.

Abstract:

The widespread adoption of the new generation of decentralised architectures, leveraged by blockchain and decentralised file storage (DFS) systems, enables a myriad of new applications and opportunities. Nevertheless, their remarkable features, namely auditability, availability and, among all, immutability, do not come without a cost. In this article, we examine blockchain and the most widely used DFS systems and discuss their main challenges and opportunities, with special regard to their immutability and its impact on their GDPR compliance. A description of current and prospective threats is also provided, along with an analysis of the features that each threat exploits. In addition, we discuss several measures to address the identified threats, and we provide a fertile common ground for further research.


AuthorsFran Casino; Eugenia Politou; Efthimios Alepis; Constantinos Patsakis.

Journal: IEEE Access.

Date of Publication: December 2019.

PublisherInstitute of Electrical and Electronics Engineers (IEEE).

Attachments:
Download this file (immutability.pdf)immutability.pdf[ ]8748 kB

Abstract

Voice-over-IP (VoIP) software are among the most widely spread and pervasive software, counting millions of monthly users. However, we argue that people ignore the drawbacks of transmitting information along with their voice, such as keystroke sounds—as such sound can reveal what someone is typing on a keyboard.

In this article, we present and assess a new keyboard acoustic eavesdropping attack that involves VoIP, called Skype & Type (S&T). Unlike previous attacks, S&T assumes a weak adversary model that is very practical in many real-world settings. Indeed, S&T is very feasible, as it does not require (i) the attacker to be physically close to the victim (either in person or with a recording device) and (ii) precise profiling of the victim’s typing style and keyboard; moreover, it can work with a very small amount of leaked keystrokes. We observe that leakage of keystrokes during a VoIP call is likely, as people often “multi-task” during such calls. As expected, VoIP software acquires and faithfully transmits all sounds, including emanations of pressed keystrokes, which can include passwords and other sensitive information. We show that one very popular VoIP software (Skype) conveys enough audio information to reconstruct the victim’s input—keystrokes typed on the remote keyboard. Our results demonstrate that, given some knowledge on the victim’s typing style and keyboard model, the attacker attains top-5 accuracy of 91.7% in guessing a random key pressed by the victim. This work extends previous results on S&T, demonstrating that our attack is effective with many different recording devices (such as laptop microphones, headset microphones, and smartphones located in proximity of the target keyboard), diverse typing styles and speed, and is particularly threatening when the victim is typing in a known language.


Authors: Stefano CecconelloAlberto Compagno; Mauro ContiDaniele LainGene Tsudik

Journal: ACM Transactions on Privacy and Security.

Date of Publication: December 2019.

Publisher: ACM Digital Library.

Abstract:

Remote attestation is a two-party security protocol that aims to detect the presence of malware in a remote untrusted IoT device. In order to perform the attestation, an IoT device typically has to stop the regular operation and perform expensive computations that will consume the battery life of the device. In this paper, we use cloud/fog computing to attest an IoT device in an efficient way. We propose Remote Attestation as a Service (RAaS) which allows even a low-end IoT device to securely offload the attestation process to the cloud. We argue that RAaS allows the clone of the device, securely created in the cloud, to perform the most expensive attestation computations. Our proposed approach could reduce the number of attestation operations running on the real IoT device, saving energy consumption, and reducing the downtime of the usual operation of an IoT device during the execution of remote attestation.


AuthorsMauro ContiEdlira DushkuLuigi V. ManciniMd Masoom RabbaniSilvio Ranise.

Date of Publication: November 2019.

Publisher: Institute of Electrical and Electronics Engineers (IEEE).

Conference: Sixth International Conference on Internet of Things: Systems, Management and Security (IOTSMS).

Attachments:
Download this file (Remote Attestation as a Service.pdf)Remote Attestation as a Service.pdf[ ]713 kB

Page 2 of 4

Join the community
Follow us and stay connected and updated.
Slider
EU flag Copyright © 2020 LOCARD. All rights reserved. This project has received funding from the European Union’s Horizon 2020 Research and Innovation Programme under Grant Agreement nº 832735. This project reflects only the author’s view and the Commission is not responsible for any use that may be made of the information it contains.