NECS – PhD Winter School 2025

20th January – 24th January 2025

Cortina d’Ampezzo (BL)

Abstracts:

“TEE for strong identity and software integrity”

Antonio Lioy, Politecnico di Torino, Italy

Abstract

The increasing adoption of a multi-tenant paradigm for cloud and edge computing and the multiplication of embedded systems and IoT devices challenge the traditional security model. Strong device and workload identity is becoming vital, along with the verification of the execution environment, the running code, and the respective configurations. One way to offer these features is via a trusted execution environment (TEE), which may take different forms: hardware, firmware, or software. This talk will discuss trust principles and their implementation in various scenarios, including TPM, DICE, and CPU-based solutions.

“Anomaly-based intrusion detection: challenges and possible strategies from unknowns to APTs detection”

Andrea Ceccarelli, University of Florence, Italy

Abstract

The ever-evolving landscape of attacks, coupled with the growing complexity of ICT systems, makes crafting anomaly-based intrusion detectors a difficult task. While the problem can be simplistically described as “doing accurate and fast classification on tabular data”, several specificities apply. Different algorithms have their pros and cons, which could be ideally combined by using ensembles orchestrated according to a specific meta-learning strategy. The lecture will i) review the basis of building an anomaly-based intrusion detector, ii) briefly present the main state-of-the-art algorithms, commenting on their ability to detect unknown attacks (zero-days), and iii) include strategies to combine classifiers (meta-learning) to improve performance. Last, the talk will briefly discuss Advanced Persistent Threats, which shift the challenge from detecting a single attack to interrupting an attack path before a goal is reached.

“Federated machine learning for cyber security”

Gianluigi Folino, ICAR-CNR, Italy

Abstract

Data sovereignty and regulations, such as the EU’s GDPR, along with growing concerns over privacy and security, underscore the limitations of centralized machine learning (ML) in sensitive domains like cybersecurity. Federated Learning (FL) has emerged as a promising paradigm, enabling the collaborative training of global models without sharing raw data, thereby aligning with privacy and sovereignty requirements while meeting the demand for advanced ML analytics. This talk addresses these challenges and presents a framework based on sparse Mixture of Experts (MoE) architectures for FL in vertically federated settings, where parties hold complementary subsets of features. Sparse MoEs improve computational and energy efficiency by selectively activating experts and leveraging conditional computation. The framework mitigates risks of information leakage and reduces communication costs, supporting efficient model training and deployment. Additionally, the talk explores key attack scenarios, defense strategies, and efficient methods for distributing the VFL paradigm with minimal communication overhead.

 

“Covert & Side Stories: Threats Evolution in Traditional and Modern Technologies”

Mauro Conti, University of Padua, Italy

Abstract

Alongside traditional Information and Communication Technologies, more recent ones like Smartphones and IoT devices have also become pervasive. Furthermore, all technologies manage an increasing amount of confidential data. The concern of protecting these data is not only related to an adversary gaining physical or remote control of a victim device through traditional attacks, but also to what extent an adversary without the above capabilities can infer or steal information through side and covert channels! In this talk, we survey a corpus of representative research results published in the domain of side and covert channels, ranging from TIFS 2016 to more recent Usenix Security 2022, INFOCOM 2023, CCS 2023, and including several demonstrations at Black Hat Hacking Conferences. We discuss threats coming from contextual information and to what extent it is feasible to infer very specific information. In particular, we discuss attacks like inferring actions that a user is doing on mobile apps by eavesdropping on their encrypted network traffic, identifying the presence of a specific user within a network through analysis of energy consumption, or inferring information (including key information such as passwords and PINs) through timing, acoustic, or video information.

“Security assessment of mobile ecosystems”

Luca Verderame, University of Genoa, Italy

Abstract

The lecture will explore the main trends in mobile security and privacy research, highlighting current threats and emerging challenges. Then, the session will discuss the primary techniques used in Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST) for assessing Android application security. Attendees will learn about the tools and methods used to identify vulnerabilities in mobile apps, along with the strengths and limitations of each approach. The lecture will conclude with a hands-on demonstration of a real-world attack targeting commercial apps, showing how vulnerabilities can be exploited and how they can be mitigated. 

 

“Security Analysis of Cyber-physical systems: from formal methodologies to ICS honeypots”

Massimo Merro, University of Verona, Italy

Abstract

The lecture is divided into two parts: in the first part, we present some research work applying formal methods to secure cyber-physical systems (CPSs); in the second part, we present a more practical approach in the context of securing cyber-physical systems based on ad-hoc honeypots.

In both cases, the presentation will be at a sufficiently high level of detail. In the first part, we start by highlighting a hybrid process calculus to model both CPSs and physics-based attacks. We formalize a threat model that specifies MITM attacks that can manipulate sensor readings and/or control commands in order to drive a CPS into an undesired state, and we provide the means to assess attack tolerance/vulnerability with respect to a given attack. We then formalize how to estimate the impact of a successful attack on a CPS and investigate possible quantifications of the success chances of an attack. The notion of impact allows us to formalize a notion of robustness of CPS under attack.

Then, we report a line of work that uses model checking tools and statistical model checking techniques to perform static security analysis of CPSs that are increasingly complex and therefore exposed to more complex cyber-physical attacks that attempt to bypass different IDSs.

Finally, we move to runtime enforcement techniques to ensure specification compliance in networks of controllers, possibly compromised by colluding malware. We define a synthesis algorithm that, given a set of observable actions and a timed correctness property, returns a monitor that enforces the property during the execution of any (potentially corrupted) controller. Our enforcement enjoys a number of classical properties together with attack mitigation by correcting and suppressing incorrect actions of corrupted controllers and by generating safe actions in full autonomy when the controller under scrutiny is not able to do so in a correct manner.

In the second part of the lecture, we present a more practical approach in the context of securing cyber-physical systems, and in particular industrial control systems (ICSs). We present HoneyICS, a high-interaction, physics-aware, scalable, and extensible honeynet for ICSs, equipped with an advanced monitoring system. Then, we present a latitudinal study on a dataset comprising both IT and ICS interactions collected from an instance of an ICS honeynet emulating ICS devices exposed on the Internet for three months. The study focuses on three orthogonal aspects of such interactions: level of interaction, origin of interactions, and interaction/attack patterns. Our results shed light on the impact of different choices in the configuration of a honeynet on its attractiveness and on the captured behavior.

Network Security LAB: Anomaly Detection in Network Traffic Using Forecasting

Kamil Jeřábek, Brno University of Technology

Abstract 

This workshop focuses on analyzing network traffic data to identify anomalies that may indicate malicious or unexpected activity. Participants will work with real volumetric time-series data from the CESNET ISP network. The session will cover methods for inspecting and interpreting network traffic data, understanding the concept of anomalies, and applying forecasting models—particularly neural networks—for anomaly detection. Attendees will also evaluate model performance and gain practical experience with hands-on exercises, bridging theoretical knowledge with real-world applications in network security. 

 

 

“How to Study Cybersecurity in the Automotive Domain: From Offensive to Defensive Approaches”

Ilaria Matteucci, IIT-CNR, Italy

Abstract

Studying cybersecurity in the automotive domain requires a combination of offensive and defensive approaches, as it is essential to understand both potential threats and the countermeasures needed to protect vehicles and their systems. The offensive approach, leveraging ethical hacking skills, enables the study of threats and possible vulnerabilities in modern vehicles, allowing for an investigation into potential risks to which the vehicle may be exposed. Subsequently, the defensive approach, combined with knowledge of current standards and regulations, facilitates the design and development of solutions to enhance vehicle security. This lecture will showcase various techniques and examples of attacks on real vehicles, along with countermeasures and standards that can effectively mitigate such threats.

“Compositional Bigraphical Models for Container-Based Systems Security”

Marino Miculan, University of Udine, Italy

Abstract

Containers have become the cornerstone of modern service-oriented architectures, enabling developers to focus on application logic while offloading deployment and management concerns to system administrators. This talk presents a formal model for container-based systems grounded in the framework of Bigraphical Reactive Systems (BRSs). By leveraging this formalism, we define a signature for containers, demonstrating that container composition (as realized by tools like Docker Compose) aligns precisely with bigraphical composition. This formal representation opens avenues for analyzing and manipulating containerized systems using graph-theoretic techniques.
To illustrate the practical application of this model, we illustrate DCChecker, a prototypal tool designed to verify security properties of container-based systems. Given abstract descriptions of container interfaces and behaviors, and a description of their composition, DCChecker constructs a formal model that can be analyzed by ProVerif (a state-of-the-art cryptographic protocol verifier). This enables the verification of critical security properties, ensuring the overall system’s integrity and confidentiality.