Publications

Computing Technology for Trusted Cloud Security

Published in Cloud Computing Security: Foundations and Challenges, 2016

This handbook offers a comprehensive overview of cloud computing security technology and implementation, while exploring practical solutions to a wide range of cloud computing security issues. With more organizations using cloud computing and cloud providers for data operations, proper security in these and other potentially vulnerable areas has become a priority for organizations of all sizes across the globe. Research efforts from both academia and industry in all security aspects related to cloud computing are gathered within one reference guide.

Recommended citation: Roberto Di Pietro, Flavio Lombardi, Matteo Signorini: Computing Technology for Trusted Cloud Security - CRC Press

BAD: Blockchain Anomaly Detection

Published in arXiv, 2018

Anomaly detection tools play a role of paramount importance in protecting networks and systems from unforeseen attacks, usually by automatically recognizing and filtering out anomalous activities. Over the years, different approaches have been designed, all focused on lowering the false positive rate. However, no proposal has addressed attacks targeting blockchain-based systems. In this paper we present BAD: the first Blockchain Anomaly Detection solution. BAD leverages blockchain meta-data, named forks, in order to collect potentially malicious activities in the network/system. BAD enjoys the following features: (i) it is distributed (thus avoiding any central point of failure), (ii) it is tamper-proof (making it impossible for malicious software to remove or alter its own traces), (iii) it is trusted (any behavioral data is collected and verified by the majority of the network) and (iv) it is private (preventing any third party from collecting/analyzing/storing sensitive information). Our proposal is validated via both experimental results and theoretical complexity analysis, which highlight the quality and viability of our Blockchain Anomaly Detection solution.

Recommended citation: Matteo Signorini, Matteo Pontecorvi, Wael Kanoun and Roberto Di Pietro: "BAD: Blockchain Anomaly Detection", arXiv - 2018

ADvISE: Anomaly Detection tool for blockchaIn SystEms

Published in IEEE World Congress on Services (SERVICES), 2018

Anomaly detection tools play a role of paramount importance in protecting networks and systems from unforeseen attacks, usually by automatically recognizing and filtering out anomalous activities. In this paper we present ADvISE: the first Anomaly Detection tool for blockchaIn SystEms which leverages blockchain meta-data, named forks, in order to collect potentially malicious requests in the network/system while being resilient to eclipse attacks. ADvISE collects and analyzes malicious forks to build a threat database that enables detection and prevention of future attacks.

Recommended citation: M. Signorini, M. Pontecorvi, W. Kanoun and R. Di Pietro, "ADvISE: Anomaly Detection tool for blockchaIn SystEms," 2018 IEEE World Congress on Services (SERVICES), San Francisco, CA, 2018, pp. 65-66. doi: 10.1109/SERVICES.2018.00046

N-Guard: a Solution to Secure Access to NFC tags

Published in IEEE Conference on Communications and Network Security, 2018

In this paper we propose N-Guard: a portable, effective, and efficient solution to thwart contactless skimming of NFC cards. Our solution enables an NFC-compliant smartphone to protect the user’s cards, preventing the adversary from harvesting the cards’ data. Moreover, we also introduce a fine-grained access control mechanism, allowing the user to discriminate between NFC cards that can be opportunistically queried and sensitive ones that can be read only under the strict permission of the owner. We implemented a proof-of-concept of N-Guard for Android OS and tested it under several digital skimming scenarios, showing its effectiveness in thwarting unauthorized access attempts. Moreover, we also measured the consumption of N-Guard and proved that its energy consumption is negligible. Further, it is worth noting that N-Guard requires neither any specific modification to the NFC standard, nor any change in users’ behavior. Finally, through some empirical evidence, we show N-Guard to be effective even when the interaction between the NFC tags and the reader is driven by proprietary protocols (e.g. Mastercard). All the reported results, having been developed over an NFC-enabled credit-card use case, are general and applicable to all NFC tags.

Recommended citation: R. D. Pietro, G. Oligeri, X. Salleras and M. Signorini, "N-Guard: a Solution to Secure Access to NFC tags," 2018 IEEE Conference on Communications and Network Security (CNS), Beijing, 2018, pp. 1-9.

Small Transactions with Sustainable Incentives

Published in 9th International Conference on New Technologies, Mobility and Security, 2018

The design of a successful distributed system for enabling payments and small transactions among Internet users has long been a major challenge in applied computer science. Bitcoin, the first cryptocurrency having reached world-wide popularity, suffers from sustainability problems such as inefficient energy expenditure for its network operation and from perverse incentives that foster speculative hoarding behavior. We propose a digital transfer system based on a variant of the Bitcoin ledger that is meant to support deterministic small payments with enforced proportional transaction fees: to achieve this property, we renounce the persistence of balances expected of a cryptocurrency, thus mitigating currency hoarding. We introduce at the same time a novel external incentive mechanism based on a verifiable third party with the goal of promoting long-term sustainability, adjusting the margins of profitability for contributors to the proof-of-work scheme without stifling the transaction rate.

Recommended citation: F. Pianese, M. Signorini and S. Sarkar, "Small Transactions with Sustainable Incentives," 2018 9th IFIP International Conference on New Technologies, Mobility and Security (NTMS), Paris, 2018, pp. 1-5.

CoLLIDE: CLoud Latency-based IDEntification

Published in Procedia Computer Science, 2017

As services steadily migrate to the Cloud, the availability of an overarching identity framework has become a stringent need. Moreover, such an identity framework is now critical in the Internet of Things. To address this problem, identification solutions have been proposed in the past leveraging software or hardware properties of devices. While those solutions proved feasible, their root of trust was based either within the device or in a remote server. In this paper, we overcome the above paradigm and start investigating novel perspectives offered by an overarching identity framework that is not based on client/server properties, but on the network latency of their communications. The core idea behind our approach is to leverage cloud client/server interactions’ latency patterns over the network to derive unique and unpredictable identity factors. Such factors can be used to design and implement effective identification schemes especially suitable for cloud-based services. To the best of our knowledge, our approach is the first one ensuring unclonability and unpredictability properties, relying neither on trusted computing bases (TCBs) nor on classical pseudo-random number generators (PRNGs). The experimental tests presented in this paper, conducted under worst-case conditions, show that the network latency (generated between two interacting devices) can produce random values with properties close to the ones generated by most of the well-known PRNGs, which makes them an ideal fit for providing unique identifiers.

Recommended citation: Vanesa Daza, Roberto Di Pietro, Flavio Lombardi, Matteo Signorini, CoLLIDE: CLoud Latency-based IDEntification, Procedia Computer Science, Volume 113, 2017, Pages 81-88, ISSN 1877-0509.

CONNECT: CONtextual NamE disCovery for blockchain-based services in the IoT

Published in IEEE International Conference on Communications, 2017

The Internet of Things is gaining momentum thanks to the provided vision of seamlessly interconnected devices. However, a unified way to discover and to interact with the surrounding smart environment is missing. As an outcome, we have been witnessing the development of heterogeneous ecosystems, where each service provider adopts its own protocol, thus preventing IoT devices from interacting when belonging to different providers. And the same is happening again for the blockchain technology, which provides a robust and trusted way to accomplish tasks, unfortunately without providing interoperability, thus creating the same heterogeneous ecosystems highlighted above. In this context, the fundamental research question we address is how do we find things or services in the Internet of Things. In this paper, we propose the first IoT discovery approach which provides an answer to the above question by exploiting hierarchical and universal multi-layered blockchains. Our approach neither defines new standards nor forces service providers to change their own protocol. On the contrary, it leverages the existing and publicly available information obtained from each single blockchain to have a better knowledge of the surrounding environment. The proposed approach is detailed and discussed with the support of relevant use cases.

Recommended citation: V. Daza, R. Di Pietro, I. Klimek and M. Signorini, "CONNECT: CONtextual NamE disCovery for blockchain-based services in the IoT," 2017 IEEE International Conference on Communications (ICC), Paris, 2017, pp. 1-6. doi: 10.1109/ICC.2017.7996641

Secure Management of Virtualized Resources

Published in Security in the Private Cloud, 2016

This comprehensive handbook serves as a professional reference and practitioner’s guide to today’s most complete and concise view of private cloud security. It explores practical solutions to a wide range of private cloud computing security issues. The knowledge imparted will enable readers to determine whether the private cloud security solution is appropriate for their organization from a business and technical perspective, to select the appropriate cloud security model, and to plan and implement a cloud security adoption and migration strategy.

Recommended citation: R.D. Di Pietro, F. Lombardi, M. Signorini, "Secure Management of Virtualized Resources" in Security in the Private Cloud, CRC Press, 2016.

Assessment and Authorization in Private Cloud Security

Published in CRC Press - Security in the Private Cloud, 2016

Cloud computing is nowadays a well-established computing model that provides many advantages to organizations (service providers and users) in terms of massive scalability, lower cost, and flexibility. The cloud computing paradigm has become a mainstream solution for the deployment of business processes and applications. In the public cloud vision, infrastructure, platform, and software services are provisioned on a pay-as-you-go basis [1]. Nevertheless, the level of service and the nonfunctional properties of cloud applications are still an open problem. In the past few years, the research community has been focusing on the nonfunctional aspects of the cloud paradigm, especially with respect to security aspects. However, despite these technical and economic benefits, many potential cloud consumers are still hesitant to adopt cloud computing due to security and privacy concerns.

Recommended citation: Di Pietro, Roberto and Lombardi, Flavio and Signorini, Matteo: Assessment and Authorization in Private Cloud Security - Security in the Private Cloud, CRC Press - 2016

FRoDO: Fraud Resilient Device for Off-Line Micro-Payments

Published in IEEE Transactions on Dependable and Secure Computing, 2016

Credit and debit card data theft is one of the earliest forms of cybercrime. Still, it is one of the most common nowadays. Attackers often aim at stealing such customer data by targeting the Point of Sale (for short, PoS) system, i.e. the point at which a retailer first acquires customer data. Modern PoS systems are powerful computers equipped with a card reader and running specialized software. Increasingly often, user devices are leveraged as input to the PoS. In these scenarios, malware that can steal card data as soon as it is read by the device has flourished. As such, in cases where customer and vendor are persistently or intermittently disconnected from the network, no secure on-line payment is possible. This paper describes FRoDO, a secure off-line micro-payment solution that is resilient to PoS data breaches. Our solution improves over up-to-date approaches in terms of flexibility and security. To the best of our knowledge, FRoDO is the first solution that can provide secure fully off-line payments while being resilient to all currently known PoS breaches. In particular, we detail the FRoDO architecture, components, and protocols. Further, a thorough analysis of FRoDO functional and security properties is provided, showing its effectiveness and viability.

Recommended citation: V. Daza, R. D. Pietro, F. Lombardi and M. Signorini, "FRoDO: Fraud Resilient Device for Off-Line Micro-Payments," in IEEE Transactions on Dependable and Secure Computing, vol. 13, no. 2, pp. 296-311, 1 March-April 2016.

SOLDI: Secure Off-Line Disposable CredIts to Secure Mobile Micro Payments

Published in ICETE Communications in Computer and Information Science, 2015

Mobile-based payment schemes are increasingly widespread albeit suffering from a number of limitations. In fact, current protocols require at least one of the two parties to be on-line, i.e. connected either to a trusted third party or to a shared database. In particular, in scenarios where customers and vendors are persistently or intermittently disconnected from the network, no on-line payment is possible. This paper discusses SOLDI, a novel mobile micro-payment approach where all involved parties can be fully off-line. SOLDI relies solely on local data to perform the requested operations and improves over state-of-the-art approaches in terms of payment flexibility and security. The SOLDI architecture and protocols are discussed in depth in this paper. Finally, security properties and main functionalities are analyzed in depth, showing SOLDI’s viability, benefits, and further development directions.

Recommended citation: Daza V., Di Pietro R., Lombardi F., Signorini M. (2015) SOLDI: Secure Off-Line Disposable CredIts to Secure Mobile Micro Payments. In: Obaidat M., Holzinger A., Filipe J. (eds) E-Business and Telecommunications. ICETE 2014. Communications in Computer and Information Science, vol 554. Springer, Cham

CloRExPa: Cloud resilience via execution path analysis

Published in Future Generation Computer Systems, 2014

Despite the increasing interest around cloud concepts, current cloud technologies and services related to security are not mature enough to enable a more widespread industrial acceptance of cloud systems. Providing an adequate level of resilience to cloud services is a challenging problem due to the complexity of the environment as well as the need for efficient solutions that could preserve cloud benefits over other solutions. In this paper we provide the architectural design, implementation details, and performance results for a customizable resilience service solution for cloud guests. This solution leverages execution path analysis. In particular, we propose an architecture that can trace, analyze and control live virtual machine activity as well as intervened code and data modifications possibly due to either malicious attacks or software faults. Execution path analysis allows the virtual machine manager (VMM) to trace the VM state and to prevent such a guest from reaching faulty states.

Recommended citation: Roberto Di Pietro, Flavio Lombardi, Matteo Signorini: "CloRExPa: Cloud resilience via execution path analysis", Future Generation Computer Systems - Volume 32, 2014, Pages 168-179, ISSN 0167-739X

FORCE: Fully off-line secure credits for mobile micro payments

Published in 11th International Conference on Security and Cryptography, 2014

Payment schemes based on mobile devices are expected to supersede traditional electronic payment approaches in the next few years. However, current solutions are limited in that protocols require at least one of the two parties to be on-line, i.e. connected either to a trusted third party or to a shared database. Indeed, in cases where customer and vendor are persistently or intermittently disconnected from the network, no on-line payment is possible. This paper introduces FORCE, a novel mobile micro payment approach where all involved parties can be fully off-line. Our solution improves over state-of-the-art approaches in terms of payment flexibility and security. In fact, FORCE relies solely on local data to perform the requested operations. The present paper describes the FORCE architecture, components and protocols. Further, a thorough analysis of its functional and security properties is provided, showing its effectiveness and viability.

Recommended citation: V. Daza, R. Di Pietro, F. Lombardi and M. Signorini, "FORCE: Fully off-line secure credits for mobile micro payments," 2014 11th International Conference on Security and Cryptography (SECRYPT), Vienna, 2014, pp. 1-12.

Smart User Authentication for an Improved Data Privacy

Published in Advanced Research in Data Privacy. Studies in Computational Intelligence, 2014

Market analysis predicts that in a few years, companies, universities, government agencies as well as common people in their daily lives will increasingly adopt mobile computing systems, thus increasingly enjoying the benefits of online, Internet-based services. However, such a scenario will also expose user data privacy to severe attacks. This situation has led to the development of authentication approaches aimed at preventing unauthorized access to user data. Many different authentication approaches have been proposed over the last years, from basic passwords to more complex biometric solutions, but all of them have proven to suffer from the same weaknesses. This issue drove us to design a solution based upon hardware intrinsic security features and aimed at guaranteeing a high level of data privacy while providing a user-friendly authentication process. Our solution shows advanced features for the definition of data privacy policies, making it a good candidate for the construction of future data privacy policies.

Recommended citation: Daza V., Signorini M. (2015) Smart User Authentication for an Improved Data Privacy. In: Navarro-Arribas G., Torra V. (eds) Advanced Research in Data Privacy. Studies in Computational Intelligence, vol 567. Springer, Cham