NECS – PhD Winter School 2024

8th January – 12th January 2024

Cortina d’Ampezzo (BL)


Biometrics: technologies, challenges, and research directions
Vincenzo Piuri, Università degli Studi di Milano, Italy
Once typically used for critical applications and services, biometric technologies are now pervasively permeating our everyday life enabling seamless and convenient identification, authentication, as well as service assistance, from business to leisure. Think of passport control, smart phone unlocking, voice command to home/IoT devices, automatic photo tagging in social applications, all services based on underlying control of biometric traits (e.g., face, finger, voice). Different biometric traits and technologies have different characteristics, for instance, in terms of universality, uniqueness, permanence, performance, and circumvention, making each of them suitable different application scenarios. In this lecture I will illustrate the main biometrics techniques, their strengths, limitations, and applications. I will also illustrate challenges and research directions.

Data Security and Privacy in Distributed Collaborative Scenarios
Pierangela Samarati, Università degli Studi di Milano, Italy
The rapid advancements in Information and Communication Technologies (ICTs) have been greatly changing our society, with clear societal and economic benefits. Cloud, Big Data, Internet of things, services and technologies that are becoming more and more pervasive and conveniently accessible, towards the realization of a ‘smart’ society’. At the heart of this evolution is the ability to collect, analyze, process, and share an ever-increasing amount of data, to extract knowledge for offering personalized and advanced services. This typically also involves data management and computation by external storage and computational providers that may be either not authorized to access data or not fully trusted. In this seminar, I will illustrate some challenges related to guaranteeing confidentiality and integrity of data stored or processed by external providers. I will then address in particular the protection of data in the context of collaborative distributed computation involving different data sources, authorities and computational providers.

From Advantages to Adversaries: Safeguarding Security in Federated Machine Learning
Alexandra Dmitrienko, University of Wuerzburg in Germany
Machine Learning (ML) methods are getting more mature and increasingly deployed in all areas of our lives to assist users in various classification and decision-making tasks. This lecture will showcase advantages ML can bring for improving security of modern applications. On the other hand, we will also delve into the security and privacy concerns associated with the utilization of ML methods. Specifically, we will focus on Federated Learning (FL), a distributed version of ML that can provide enhanced privacy preservation when training ML models. We will thoroughly evaluate the security and privacy risks associated with FL and then delve deeper into targeted and untargeted poisoning attacks and countermeasures. We will pay special attention to open challenges, that include distinguishing poisoned and benign but unusual models, for instance models trained on datasets with different data distributions, and adaptive attackers, who, once they know the detection method, can add an additional training loss to minimize any changes in the detection metric, and, hence, evade detection. To initiate further discussions, we will outline open research directions.



Who Let the Smart Toaster Hack the House? Exploring Security and Privacy Risks in Connected Devices
Anna Maria Mandalari,  University College London, UK
The consumer Internet of Things (IoT) space has experienced a significant rise in popularity in the recent years. From smart speakers to baby monitors, smart kettles and TVs, these devices are increasingly found in households around the world while users may be unaware of the risks associated with owning these devices. Why are they so cheap and what is the real value they give back to us? In this talk, we will explore what we are invisible trading in exchange for these devices, sharing examples of privacy leakage and security threats from the most popular IoT devices in the market, what the implications for consumers are, and discuss potential future mitigation.

Covert & Side Stories: Threats Evolution in Traditional and Modern Technologies
Mauro Conti, University of Padua, Italy
Alongside traditional Information and Communication Technologies, more recent ones like Smartphones and IoT devices also became pervasive. Furthermore, all technologies manage an increasing amount of confidential data. The concern of protecting these data is not only
related to an adversary gaining physical or remote control of a victim device through traditional attacks, but also to what extent an adversary without the above capabilities can infer or steal information through side and covert channels!
In this talk, we survey a corpus of representative research results published in the domain of side and covert channels, ranging from TIFS 2016 to more recent Usenix Security 2022, INFOCOM 2023, CCS 2023, and including several demonstrations at Black Hat Hacking Conferences. We discuss threats coming from contextual information and to which extent it is feasible to infer very specific information. In particular, we discuss attacks like inferring actions that a user is doing on mobile
apps, by eavesdropping their encrypted network traffic, identifying the presence of a specific user within a network through analysis of energy consumption, or inferring information (also key one like passwords and PINs) through timing, acoustic, or video information.

Information Flow Tracking
Mihelič, Jurij, University of Ljubljana
Within this lecture, we offer and introductionary exploration of the Information Flow Tracking (IFT) approach, where the intent is to monitor and analyze sensitve information as it flows througout the information processing system, as well as to provide guaranties and assurances about various security-related properties of data such as confidentiality and integrity. We start our journey with an examination of applications and provide a motivation for IFT. Delving into the realm of IFT, we dissect both static and dynamic approach to IFT. We compare the approaches, but we delve deeper into the latter where we unveil tagging as a practical and effective technique to implement dynamic IFT.  We discuss various challenges inherent to the IFT, such as implicit information flow and lable creep problem. Finally, we review various concrete approaches to dynamic IFT found in the scientific literature from software-only, hardware-only, and hybrid co-designed approaches.