Luca Caviglione
  • Area della Ricerca di Genova, Genova, Italia
Modern IoT ecosystems are the preferred target of threat actors wanting to incorporate resource-constrained devices within a botnet or leak sensitive information. A major research effort is therefore devoted to creating countermeasures for mitigating attacks, for instance, hardware-level verification mechanisms or effective network intrusion detection frameworks. Unfortunately, advanced malware is often endowed with the ability to cloak communications within network traffic, e.g., to orchestrate compromised IoT nodes or exfiltrate data without being noticed. Therefore, this paper showcases how different autoencoder-based architectures can spot the presence of malicious communications hidden in conversations, especially in the TTL field of IPv4 traffic. To conduct tests, this work considers IoT traffic traces gathered in a real setting and the presence of an attacker deploying two hiding schemes (i.e., naive and “elusive” approaches). Collected results showcase the effectiveness of our method ...
This special issue was intended to foster progress in research on the development of novel defense methods in information security, especially for sophisticated and networked/hyper-connected systems, including those within IoT and CPS scenarios.
Network covert channels embedded within network conversations are becoming widely adopted to enforce the privacy of users or bypass censorship attempts, as well as by malware to remain unnoticed while exfiltrating data or coordinating an attack. As a consequence, being able to design a network covert channel or anticipate its exploitation is of paramount importance to fully assess the security of the Internet. Since the prime requirements for a successful covert channel are its stealthiness and bandwidth, the popularity, availability and performance of the overt traffic flows used as the carrier play a major role. Therefore, in this paper we investigate the use of the ubiquitous Transport Layer Security (TLS) protocol to contain hidden information for implementing network covert channels. Specifically, we review seven methods targeting TLS traffic and investigate the performance of three covert channels through an experimental measurement campaign. The obtained results indicate the feasibility of using TLS traffic as the carrier and also allow us to derive some general indications for the development of countermeasures.
Information hiding techniques can implement covert channels, which are increasingly used for developing malware that is able to bypass the security layer of modern mobile devices or to covertly exfiltrate data. For this reason, understanding and detecting this type of threat is crucial to assess the security of modern devices and data. Unfortunately, the detection of information-hiding-capable malware is a complex and poorly generalizable task, as it is tightly coupled with the specific implementation. Therefore, this chapter proposes to prevent the exfiltration of mobile data by early detection of malicious software, considering the correlation of processes running on a device or anomalies in the consumed energy.
Due to steady improvements in defensive systems, malware developers are turning their attention to mechanisms for cloaking attacks as long as possible. A recent trend exploits techniques like Invoke-PSImage, which allows embedding a malicious script within an innocent-looking image, for example, to smuggle data into compromised devices. To address such a class of emerging threats, new mechanisms are needed, since standard tools fail in their detection or offer poor performance. To this aim, this work introduces Mavis, an efficient and highly accurate method for detecting hidden payloads, retrieving the embedded information, and estimating its size. Experimental results collected by considering real-world malicious PowerShell scripts showcase that Mavis can detect attacks with a high accuracy (100%) while keeping the rate of false positives and false negatives very low (0.01% and 0%, respectively). The proposed approach outperforms other solutions available in the literature or comme...
The number of citations attracted by publications is a key criterion for measuring their success. To avoid discriminating against newer research, such a metric is usually measured in average yearly citations. Understanding and characterizing how citations behave has been a prime research topic, yet investigations targeting the cybersecurity domain seem to be particularly scarce. In this perspective, the paper aims at filling this gap by analyzing average yearly citations for 6,693 papers published in top-tier conferences and journals in cybersecurity. Results indicate the existence of three clusters, i.e., general security conferences, general security journals, and cryptography-centered publications. The analysis also suggests that the amount of conference-to-conference citations stands out compared to journal-to-journal and conference-to-journal citations. Besides, papers published at top conferences attract more citations, although a direct comparison against other venues is not straightforward. To better quantify the impact of works dealing with cybersecurity aspects, the paper introduces two new metrics, namely the number of main words in the title, and the combined number of unique main words in title, abstract and keywords. Collected results show that they can be associated with average yearly citations (together with the number of cited references). Finally, the paper draws some ideas on how to take advantage of such findings.
The increasing application of ICT technologies to medicine opens new usage patterns. Among the various standards, Digital Imaging and Communications in Medicine (DICOM) has been gaining momentum, mainly due to its complete coverage of the diagnostic pipeline, including key applications such as CT, MRI and ultrasound scanners. However, owing to its complex and multifaceted nature, DICOM is prone to many risks, especially due to the vast and complex attack surface characterizing the composite interplay of services, formats and technologies at the basis of the standard. Luckily, DICOM exhibits some room for improving its security. Specifically, information hiding and steganography can be used in a twofold manner. On one hand, they can help to watermark diagnostic images to improve their resistance against tampering and alterations. On the other hand, the digital infrastructure at the basis of DICOM can lead to data leaks or malicious manipulations via artificial intelligence techniques. Therefore, in this work we introduce risks and opportunities when applying information-hiding-based techniques to the DICOM standard. Our investigation highlights some opportunities as well as introducing possibilities of exploiting DICOM images to set up covert channels, i.e., hidden communication paths that can be used to exfiltrate data or launch attacks. To prove the effectiveness of our vision, this paper also showcases the performance evaluation of a covert channel built by applying text steganography principles to realistic DICOM images.
Modern malware increasingly takes advantage of information hiding to avoid detection, spread infections, and obfuscate code. A major offensive strategy exploits steganography to conceal scripts or URLs, which can be used to steal credentials or retrieve additional payloads. A recent example is the attack campaign against the Magento e-commerce platform, where a web skimmer has been cloaked in favicons to steal payment information of users. In this paper, we propose an approach based on deep learning for detecting threats using least significant bit steganography to conceal malicious PHP scripts and URLs in favicons. Experimental results, conducted on a realistic dataset with both legitimate and compromised images, demonstrated the effectiveness of our solution. Specifically, our model detects ∼100% of the compromised favicons when examples of various malicious payloads are provided in the learning phase. Instead, it achieves an overall accuracy of ∼90% when in the presence of new payloads or alternative encoding schemes.
An increasing trend exploits steganography to conceal payloads in digital images, e.g., to drop malicious executables or to retrieve configuration files. Due to the very attack-specific nature of the exploited hiding mechanisms, developing general detection methods is a hard task. An effective approach concerns the creation of ad-hoc solutions to be integrated within general toolkits, also to holistically face unknown threats. Therefore, this paper discusses the integration of a tool for detecting malicious contents hidden in digital images via the Invoke-PSImage technique within the Secure Intelligent Methods for Advanced Recognition of Malware and Stegomalware framework. Since the real impact of images embedding steganographic threats and the behavior of ad-hoc solutions in realistic scenarios are still unknown territories, this work also showcases a performance evaluation conducted in a nationwide telecommunication provider. Results demonstrated the effectiveness of the approach and also support the need for modular architectures to face the emerging wave of highly-specialized threats.
Modern malware is becoming hard to spot since attackers are increasingly adopting new techniques to elude signature- and rule-based detection mechanisms. Among others, steganography and information hiding can be used to bypass security frameworks searching for suspicious communications between processes or exfiltration attempts through covert channels. Since the array of potential carriers is very large (e.g., information can be hidden in hardware resources, various multimedia files or network flows), detecting this class of threats is a scarcely generalizable process, and gathering multiple behavioral indicators is time-consuming, lacks scalability, and could lead to performance degradation. In this paper, we leverage the extended Berkeley Packet Filter (eBPF), which is a recent code augmentation feature provided by the Linux kernel, for programmatically tracing and monitoring the behavior of software processes in a very efficient way. To prove the flexibility of the approach, we investigate two realistic use cases implementing different attack mechanisms, i.e., two processes colluding via the alteration of the file system, and hidden network communication attempts nested within IPv6 traffic flows. Our results show that even simple eBPF programs can provide useful data for the detection of anomalies, with minimal overhead. Furthermore, the flexibility to develop and run such programs makes it possible to extract relevant features that could be used for the creation of datasets for feeding AI-based security frameworks.
Even if information hiding can be used for licit purposes, it is increasingly exploited by malware to exfiltrate data or to coordinate attacks in a stealthy manner. Therefore, investigating new methods for creating covert channels is fundamental to completely assess the security of the Internet. Since the popularity of the carrier plays a major role, this paper proposes to hide data within VoIP traffic. Specifically, we exploit Voice Activity Detection (VAD), which suspends the transmission during speech pauses to reduce bandwidth requirements. To create the covert channel, our method transforms a VAD-activated VoIP stream into a non-VAD one. Then, hidden information is injected into fake RTP packets generated during silence intervals. Results indicate that steganographically modified VAD-activated VoIP streams offer a good trade-off between stealthiness and steganographic bandwidth.
Modern network and computing scenarios are characterized by a complex continuum spread across a variety of technological and administrative domains. For instance, cloud infrastructures are used to offload personal devices, IEEE 802.11 and 4G/5G connectivity allow ubiquitous mobility, and low-power communications and edge/fog computing make it possible to integrate cyber-physical systems into the daily routine. Moreover, software platforms are no longer characterized by clear and precise technological and functional boundaries. In fact, modern smart services often span multiple actors, e.g., product vendors, telcos, proprietary Software-as-a-Service deployments, as well as several nations (possibly with incompatible laws). As a consequence, the Internet is a mixed collection of IoT devices, traditional hosts, wearable and mobile devices as well as individuals. Needless to say, its increasing human-centric nature accounts for a huge load of sensitive data, which can be considered one of the...
IPv6CC is a suite of network covert channels targeting the IPv6 protocol. Its main scope is supporting penetration test campaigns to evaluate the security of a system against emerging information-hiding-capable attacks or steganographic malware. This paper presents the techniques used to inject data within IPv6 packets, the reference use case and the software architecture of the suite. It also showcases a performance evaluation of the different covert channels offered by IPv6CC, as well as an analysis of their ability to bypass some de facto standard security tools.
Modern malware threats utilize many advanced techniques to increase their stealthiness. To this aim, information hiding is becoming one of the preferred approaches, especially to exfiltrate data. However, in the case of smartphones, covert communications are primarily used to bypass the security framework of the device. The most relevant case is when two "colluding applications" cooperate to elude the security policies enforced by the underlying OS. Unfortunately, detecting this type of malware is a challenging task as well as a poorly generalizable process. In this paper, we propose a method for the detection of malware exploiting colluding applications. In more detail, we analyze the correlation of processes to spot the unknown pair covertly exchanging information. Experimental results collected on an Android device showcase the effectiveness of the approach, especially to detect low-attention-raising covert channels, i.e., those active when the user is not operating t...
Today, the information gathered from massive learning platforms and social media sites allows deriving a very comprehensive set of learning information. To this aim, data mining techniques can surely help to gain proper insights, personalize learning experiences, formative assessments and performance measurements, as well as to develop new learning and instructional design models. Therefore, a core requirement is to classify, mix, filter and process the involved big data sources by means of proper learning and social learning analytics tools. In this perspective, the paper investigates the most promising applications and issues of big data for the design of the next generation of massive learning platforms and social media sites. Specifically, it addresses the methodological tools and instruments for social learning analytics, pitfalls arising from the usage of open datasets, and privacy and security aspects. The paper also provides future research directions.
The use of network covert channels to improve privacy or support security threats has been widely discussed in the literature. As of today, the totality of works mainly focuses on how not to disrupt the overt traffic flow and on the performance of the covert channels in terms of undetectability and capacity. To not void the stealthiness of the channel, an important feature is the ability to restore the carrier embedding the secret information to its original form. However, the development of such techniques mainly targets the domain of digital media steganography. Therefore, this paper applies the concept of reversible data hiding to storage network covert channels. To prove the effectiveness of our idea, a prototypical implementation of a channel exploiting IPv4 flows is presented along with its performance evaluation.
The increasing diffusion of malware endowed with steganographic techniques requires carefully identifying and evaluating a new set of threats. The creation of a covert channel to hide a communication within network traffic is one of the most relevant, as it can be used to exfiltrate information or orchestrate attacks. Even if network steganography is becoming a well-studied topic, only a few works focus on IPv6 and consider real network scenarios. Therefore, this paper investigates IPv6 covert channels deployed in the wild. Also, it presents a performance evaluation of six different data hiding techniques for IPv6, including their ability to bypass some intrusion detection systems. Lastly, ideas to detect IPv6 covert channels are presented.
Placement is the process of deploying virtual machines (VMs) over the physical machines (PMs) available in a cloud datacenter. Unfortunately, too many running PMs inflate energy requirements, while overly aggressive packing of VMs onto the same host degrades performance. Therefore, the paper presents a VM placement method based on model predictive control to reduce the power consumption of cloud datacenters while maintaining Quality of Service requirements. To describe the evolution of the system, a discrete-time dynamic model is introduced with several constraints. Placement strategies are obtained by solving finite-horizon optimal control problems with integer variables at each time step. The effectiveness of the proposed approach is evaluated through simulations and compared with two heuristics taken from the literature.
Robotic networks are increasingly used to undertake complex missions and are often composed of heterogeneous agents executing well-defined tasks. To react against external disturbances and hardware failures, a typical technique is to change at runtime how tasks are assigned to robots. In this perspective, the paper presents an approach based on predictive control for the on-line selection of the optimal time instants at which to perform reassignments. To evaluate the effectiveness of the proposed approach, simulation results are showcased in comparison with reactive and proactive strategies.