publications.bib

@Thesis{          volpatto_thesis_2010,
  Author        = {Volpatto, Alberto},
  Title         = {Negoziazione cooperativa e meccanismi adattativi per
                  mitigare gli attacchi contro le applicazioni web},
  Year          = {2010},
  Institution   = {Politecnico di Milano}
}

@Thesis{          visentin_thesis_2010,
  Author        = {Visentin, Luca and Todisco, Stefano},
  Title         = {Pcapstat: un sistema per supportare l’analisi del traffico
                  di rete},
  Year          = 2010,
  Institution   = {Politecnico di Milano}
}

@Thesis{          testa_thesis_2007,
  Author        = {Testa, Pietro},
  Title         = {Valutazione automatica delle performance di sistemi di
                  anomaly detection},
  Year          = 2007,
  Institution   = {Politecnico di Milano}
}

@Thesis{          rizzi_thesis_2010,
  Author        = {Rizzi, Alessandro and Schiavoni, Stefano},
  Title         = {WebLorica: Un framework per lo sviluppo di anomaly detection
                  system per applicazioni web},
  Year          = 2010,
  Institution   = {Politecnico di Milano}
}

@Article{         pogliani_article_2019,
  Author        = {Pogliani, Marcello and Quarta, Davide and Polino, Mario and
                  Vittone, Martino and Maggi, Federico and Zanero, Stefano},
  Title         = {Security of controlled manufacturing systems in the
                  connected factory: the case of industrial robots},
  Journal       = {Journal of Computer Virology and Hacking Techniques},
  Abstract      = {In modern factories, ``controlled'' manufacturing systems,
                  such as industrial robots, CNC machines, or 3D printers, are
                  often connected in a control network, together with a
                  plethora of heterogeneous control devices. Despite the
                  obvious advantages in terms of production and ease of
                  maintenance, this trend raises non-trivial cybersecurity
                  concerns. Often, the devices employed are not designed for an
                  interconnected world, but cannot be promptly replaced: In
                  fact, they have essentially become legacy systems, embodying
                  design patterns where components and networks are accounted
                  as trusted elements. In this paper, we take a holistic view
                  of the security issues (and challenges) that arise in
                  designing and securely deploying controlled manufacturing
                  systems, using industrial robots as a case study---indeed,
                  robots are the most representative instance of a complex
                  automatically controlled industrial device. Following up to
                  our previous experimental analysis, we take a broad look at
                  the deployment of industrial robots in a typical factory
                  network and at the security challenges that arise from the
                  interaction between operators and machines; then, we propose
                  actionable points to secure industrial cyber-physical
                  systems, and we discuss the limitations of the current
                  standards in industrial robotics to account for active
                  attackers.},
  DOI           = {10.1007/s11416-019-00329-8},
  ISSN          = {2263-8733},
  Year          = {2019},
  Month         = {Feb},
  day           = {13},
  File          = {files/papers/journal-papers/pogliani_article_2019.pdf}
}

@Thesis{          peri_thesis_2010,
  Author        = {Peri, Lorenzo},
  Title         = {Metodi K-nearest-neighbor per la rilevazione automatica di
                  attacchi informatici},
  Year          = 2010,
  Institution   = {Politecnico di Milano}
}

@Thesis{          michelini_thesis_2008,
  Author        = {Michelini, Matteo},
  Title         = {Kernel auditing su Linux 2.6 in formato OpenBSM},
  Year          = 2008,
  Institution   = {Politecnico di Milano}
}

@Thesis{          magni_thesis_2007,
  Author        = {Magni, Claudio},
  Title         = {Analisi e test automatizzati di sistemi di anomaly detection
                  network-based},
  Year          = 2007,
  Institution   = {Politecnico di Milano}
}

@Thesis{          lever_thesis_2010,
  Author        = {Lever, Eros},
  Title         = {Un sistema di raccolta dati per lo studio delle minacce
                  celate dagli URL brevi},
  Year          = 2010,
  Institution   = {Politecnico di Milano}
}

@Thesis{          lancini_thesis_2010,
  Author        = {Lancini, Marco},
  Title         = {FacePrivacy},
  Year          = 2010,
  Institution   = {Politecnico di Milano}
}

@Thesis{          gressi_thesis_2009,
  Author        = {Gressi, Erika},
  Title         = {Apprendimento e simulazione dell’attività di un utente
                  mediante l’utilizzo di modelli semi- markoviani nascosti},
  Year          = 2009,
  Institution   = {Politecnico di Milano}
}

@Thesis{          debiasi_thesis_2007,
  Author        = {Debiasi, Matteo and Falsitta, Matteo},
  Title         = {Reingengerizzazione ed ottimizzazione di un sistema di
                  anomaly detection host based},
  Year          = 2007,
  Institution   = {Politecnico di Milano}
}

@Thesis{          clerici_thesis_2010,
  Author        = {Clerici, Marco and Sasso, Mattia},
  Title         = {Analisi Sperimentale delle vulnerabilità di Google
                  reCAPTCHA},
  Year          = 2010,
  Institution   = {Politecnico di Milano}
}

@Thesis{          benefico_thesis_2010,
  Author        = {Benefico, Simone and Colombo, Andrea},
  Title         = {Reingegnerizzazione di un riconoscitore automatico di
                  attacchi di rete},
  Year          = 2010,
  Institution   = {Politecnico di Milano}
}

@Unpublished{     yen_ddsbheu_talk_2021,
  ShortTitle    = {DDSBHEU},
  Author        = {Yen, Ta-Lun and Maggi, Federico and Boasson, Erik},
  Title         = {The Data Distribution Service (DDS) Protocol is Critical:
                  Let's Use it Securely!},
  EventTitle    = {Black Hat Briefings Europe},
  Abstract      = {We discovered and disclosed vulnerabilities in most of the
                  OMG Data Distribution Service (DDS) implementations. DDS
                  enables crucial technologies like autonomous driving,
                  healthcare machinery, military tactical systems, or missile
                  launch stations. Notably, DDS is used by NASA at the KSC, by
                  SIEMENS for smart grid applications, by Volkswagen and Bosch
                  for autonomous valet parking systems, by NAV CANADA for ATC,
                  and by the Robot Operating System 2 (ROS2) to control
                  industrial and consumer robots.
                  
                  Designed around industrial-level requirements, DDS sits deep
                  in the control network, allowing an arbitrary number of
                  endpoints like sensors or actuators to communicate
                  transparently, with an abstract API based on familiar data
                  type specifications (e.g., C structs) and simple function
                  calls, regardless of the complexity of the data.
                  
                  We approached DDS from the bottom up, and we will show you
                  how we wrote a Scapy layer to guide you through the packet
                  structure. Although network fuzzing wasn't directly
                  effective, it greatly helped us to master the tiny details of
                  DDS. This led us to find an amplification vulnerability in
                  the standard, which allows an attacker to redirect flood an
                  arbitrary host. DDS configuration is highly dependent on XML,
                  JSON, YAML, or similar formats, which make them another
                  attack vector. By writing a Radamsa-based file fuzzer we
                  found a parsing vulnerability in RTI DDS Connector, so an
                  attacker can use a malicious configuration file to gain
                  initial access. We then focus on fuzzing the message
                  interpretation routines in all implementations. Using
                  concrete examples, we explain how to pick good fuzz targets
                  and prepare them for popular frameworks like OSS-Fuzz and
                  UnicornAFL.
                  
                  We take you from knowing nothing about DDS to efficiently
                  researching new vulnerabilities, which we encourage other
                  researchers, DDS users and implementors to do. We report on
                  our interactions with some of the DDS implementors, which we
                  believe is the first concrete step towards securing this
                  critical protocol in the long run. We release fuzzing
                  harnesses and a Scapy layer to decode the DDS RTPS layer.},
  Location      = {London, UK},
  URL           = {https://www.blackhat.com/eu-21/briefings/schedule/index.html#the-data-distribution-service-dds-protocol-is-critical-lets-use-it-securely-24934},
  Date          = {2021-11-08},
  HowPublished  = {Peer-reviewed Talk},
  File          = {files/talks/yen_ddsbheu_talk_2021.pdf}
}

@Unpublished{     mayoral-vilches_smallwonderbhus_talk_2021,
  ShortTitle    = {SmallWonderBHUS},
  Author        = {Mayoral-Vilches, Víctor and Maggi, Federico},
  Title         = {Small Wonder: Uncovering Planned Obsolescence Practices in
                  Robotics and What This Means for Cybersecurity},
  EventTitle    = {Black Hat Briefings USA},
  Abstract      = {Security in robotics is nothing really new if one considers
                  modern OT and IT approaches, and most security practices
                  translate directly to robots. However, there's almost no
                  security culture amongst robot makers.
                  
                  Building a robot requires careful selection of components
                  that interact across networks while meeting timing deadlines.
                  It isn't uncommon for robot components to be compromised or
                  fail over time, leading to complete system malfunction. Given
                  the expensive prices of these machines (we focus on robots in
                  the 25K-70K USD range), it's only reasonable to consider the
                  need for securing and repairing robots.
                  
                  We introduce and promote systematic "robot teardown" as an
                  approach to repair robots by understanding their internals
                  (still obscure). Needless to say, robot teardown is an
                  essential practice in robot security. We show several "tricks
                  from the trade" and the legal implications learned by porting
                  reverse-engineering practices into the less-explored field of
                  robotics. We explain how we a) discovered more than 90
                  security vulnerabilities in robots from Teradyne (MiR and UR)
                  over a period of two years (never discussed publicly before),
                  b) gained repairing capabilities on these robots, c) show
                  evidence of planned obsolescence by comparing two
                  sequentially released robot controllers, and d) demonstrate
                  how robot hacking leads us to repurpose an older controller
                  (previous version) from Universal Robots with their newer
                  robots (arms) maintaining full capabilities and demonstrating
                  that there's no need to re-spend thousands of dollars again.
                  
                  Similar to Ford in the 1920s with cars, most robot
                  manufacturers nowadays employ planned obsolescence practices
                  and organize dealers and system integrators into "private
                  networks", providing repair parts only to "certified"
                  companies to make repairs more difficult and evade
                  competition. We wrap up by advocating for a "Right to
                  Repair'' in robotics to reduce robot e-waste and promote
                  systematic teardowns for the benefit of security research.},
  Location      = {Las Vegas, US},
  URL           = {https://www.blackhat.com/us-20/briefings/schedule/index.html#otrazor-static-code-analysis-for-vulnerability-discovery-in-industrial-automation-scripts-19523},
  Date          = {2021-07-31},
  HowPublished  = {Peer-reviewed Talk},
  File          = {files/talks/mayoral-vilches_smallwonderbhus_talk_2021.pdf}
}

@TechReport{      maggi_rfquack_tr_2021,
  ShortTitle    = {RFQuack},
  Author        = {Maggi, Federico and Guglielmini, Andrea},
  Title         = {RFQuack: A Universal Hardware-Software Toolkit for Wireless
                  Protocol (Security) Analysis and Research},
  Institution   = {arXiv},
  Abstract      = {Software-defined radios (SDRs) are indispensable for signal
                  reconnaissance and physical-layer dissection, but despite we
                  have advanced tools like Universal Radio Hacker, SDR-based
                  approaches require substantial effort. Contrarily, RF dongles
                  such as the popular Yard Stick One are easy to use and
                  guarantee a deterministic physical-layer implementation.
                  However, they're not very flexible, as each dongle is a
                  static hardware system with a monolithic firmware. We present
                  RFquack, an open-source tool and library firmware that
                  combines the flexibility of a software-based approach with
                  the determinism and performance of embedded RF frontends.
                  RFquack is based on a multi-radio hardware system with
                  swappable RF frontends, and a firmware that exposes a
                  uniform, hardware-agnostic API. RFquack focuses on a
                  structured firmware architecture that allows high- and
                  low-level interaction with the RF frontends. It facilitates
                  the development of host-side scripts and firmware plug-ins,
                  to implement efficient data-processing pipelines or
                  interactive protocols, thanks to the multi-radio support.
                  RFquack has an IPython shell and 9 firmware modules for:
                  spectrum scanning, automatic carrier detection and bitrate
                  estimation, headless operation with remote management,
                  in-flight packet filtering and manipulation, MouseJack, and
                  RollJam (as examples). We used RFquack to setup RF hacking
                  contests, analyze industrial-grade devices and key fobs, on
                  which we found and reported 11 vulnerabilities in their RF
                  protocols. },
  Date          = {2021-04-06},
  URL           = {https://arxiv.org/abs/2104.02551},
  File          = {files/papers/reports/maggi_rfquack_tr_2021.pdf}
}

@InProceedings{   maggi_smsec_2020,
  ShortTitle    = {SMSec},
  Author        = {Maggi, Federico and Balduzzi, Marco and Vosseler, Rainer and
                  Rösler, Martin and Quadrini, Walter and Tavola, Giacomo and
                  Pogliani, Marcello and Quarta, Davide and Zanero, Stefano},
  Title         = {Smart Factory Security: A Case Study on a Modular
                  SmartManufacturing System},
  Publisher     = {Elsevier Procedia Computer Science},
  BookTitle     = {International Conference on Industry 4.0 and Smart
                  Manufacturing},
  Volume        = {42},
  Series        = {ISM '20},
  Location      = {Linz, Austria},
  Abstract      = {Smart manufacturing systems are an attractive target for
                  cyber attacks, because they embed valuable data andcritical
                  equipment. Despite the market is driving towards integrated
                  and interconnected factories, current smartmanufacturing
                  systems are still designed under the assumption that they
                  will stay isolated from the corporatenetwork and the outside
                  world. This choice may result in an internal architecture
                  with insufficient network andsystem compartmentalization. As
                  a result, once an attacker has gained access, they have full
                  control of the entireproduction plant because of the lack of
                  network segmentation.With the goal of raising cybersecurity
                  awareness, in this paper we describe a practical case study
                  showing attackscenarios that we have validated on a real
                  modular smart manufacturing system, and suggest practical
                  securitycountermeasures. The testbed smart manufacturing
                  system is part of the Industry 4.0 research laboratory hosted
                  byPolitecnico di Milano, and comprises seven assembly
                  stations, each with their programmable logic controllers
                  andhuman-computer interfaces, as well as an industrial
                  robotic arm that performs pick-and-place tasks.On this
                  testbed we show two indirect attacks to gain initial access,
                  even under the best-case scenario of a system notdirectly
                  connected to any public network. We conclude by showing two
                  post-exploitation scenarios that an adversarycan use to cause
                  physical impact on the production, or keep persistent access
                  to the plant.We are unaware of a similar security analysis
                  performed within the premises of a research facility,
                  following ascientific methodology, so we believe that this
                  work can represent a good first step to inspire follow up
                  research onthe many verticals that we touch.},
  Date          = {2020-11-23},
  File          = {files/papers/conference-papers/maggi_smsec_2020.pdf}
}

@InProceedings{   pogliani_otrazor_2020,
  ShortTitle    = {OTRazor},
  Author        = {Pogliani, Marcello and Maggi, Federico and Balduzzi, Marco
                  and Quarta, Davide and Zanero, Stefano},
  Title         = {Detecting Unsafe Code Patterns in Industrial Robot
                  Programs},
  Publisher     = {ACM},
  BookTitle     = {Proceedings of the 15th ACM Asia Conference on Computer and
                  Communications SecurityOctober 2020},
  Series        = {AsiaCCS '20},
  Pages         = {759--771},
  Address       = {New York, NY, USA},
  Location      = {Taipei, Taiwan},
  Abstract      = {In this paper, we analyze the languages of $8$ leading
                  industrial robot vendors, systematize their technical
                  features, and discuss cases of vulnerable and malicious uses.
                  We then describe a static source-code analyzer that we
                  created to analyze robotic programs and discover insecure or
                  potentially malicious code paths. We focused our
                  proof-of-concept implementation on two popular languages,
                  namely ABB's RAPID and KUKA's KRL. By evaluating our tool on
                  a set of publicly available programs, we show that insecure
                  patterns are found in real-world code; therefore, static
                  source-code analysis is an effective security screening
                  mechanism, for example to prevent commissioning insecure or
                  malicious industrial task programs. Finally, we discuss
                  remediation steps that developers and vendors can adopt to
                  mitigate such issues.},
  DOI           = {https://doi.org/10.1145/3320269.3384735},
  Date          = {2020-10-5},
  File          = {files/papers/conference-papers/pogliani_otrazor_2020.pdf}
}

@Unpublished{     maggi_smscs3sthlm_talk_2020,
  ShortTitle    = {SMSCS3STHLM},
  Author        = {Maggi, Federico},
  Title         = {Hidden Attack Surfaces of Modern Industrial Automation
                  Systems},
  EventTitle    = {CS3STHLM},
  Abstract      = {Last year we performed a security analysis on a testbed
                  smart manufacturing system using a variety of
                  "unconventional" attack vectors. Striving to think very much
                  outside the box, we wanted to understand which overlooked
                  conditions and attacker capabilities make certain attacks
                  possible, and their consequences.
                  
                  Through concrete PoCs, we'll describe what unconventional
                  attack vectors and very creative attackers can achieve, as
                  well as how they can be stopped by current security
                  solutions.
                  
                  We'll first show how a remote attacker can indirectly
                  compromise an engineering workstation to backdoor the
                  automation logic of an industrial robot. Then, we'll reveal
                  how the attack has been carried out via a malicious software
                  extension that targets the simulation and offline programming
                  (OLP) platform. The attendees will learn that such malicious
                  extensions have full capabilities on the target system, but
                  we'll explain what they are and how they can be stopped.
                  
                  Our second entry point is an industry-grade embedded device.
                  These devices, often dubbed as "IIoT devices" offer great
                  programming flexibility—compared to, say, PLCs—at the
                  price of more responsibility for the programmers. The
                  proliferation of customizable IIoT devices along with the
                  many 3rd-party development libraries are the perfect target
                  for software supply-chain attacks. We'll show how we
                  trojanized a simple temperature-measurement library to
                  implement an ARP-based DoS attack, along with inaccurate
                  temperature data-points, which can cause cascade effects down
                  the data-processing pipeline. We'll argue that detecting
                  violations in the software supply-chain is hard in large,
                  distributed enterprises, but their effects can be mitigated
                  with proper network partitioning.
                  
                  The last step of our security analysis focused on lateral
                  movements to complex, programmable machines such as
                  industrial robots. We observe that, movement-instructions
                  aside, industrial robot programming languages have
                  statements, loops, conditions, network sockets, serial
                  communication, etc. With access to low-level system resources
                  like files, network, memory, and peripherals, task programs
                  are a powerful, overlooked payload. Not only we show that
                  task programs are susceptible to input-validation
                  vulnerabilities, we also show that they're rich enough to
                  implement malware-like functionalities, given that the
                  runtime environment provides no resource isolation. As a
                  result, task programs have unmediated access to the entire
                  system.
                  
                  We'll share cases of vulnerable and malicious task programs,
                  and how to discover such patterns, including some
                  vulnerabilities we found in real-world code.
                  
                  We conclude by discussing the remediation steps that can be
                  adopted by developers and vendors to mitigate our findings in
                  the medium and long term.},
  Location      = {Stocholm, Sweden},
  URL           = {https://cs3sthlm.se/agenda/},
  Date          = {2020-10-21},
  HowPublished  = {Peer-reviewed Talk},
  File          = {files/talks/maggi_smscs3sthlm_talk_2020.pdf}
}

@Unpublished{     maggi_otrazorhitcon_talk_2020,
  ShortTitle    = {OTRazorHITCON},
  Author        = {Maggi, Federico and Pogliani, Marcello and Quarta, Davide
                  and Zanero, Stefano and Balduzzi, Marco},
  Title         = {Guarding the Factory Floor: Catching Insecure Industrial
                  Robot Programs},
  EventTitle    = {HITCON},
  Abstract      = {What if a perfectly patched industrial manufacturing machine
                  can still harbor for vulnerabilities where no one is looking?
                  What if the powerful programming languages used to program
                  these machines can go beyond simple movement instructions,
                  and actually allow threat actors to hide malware into the
                  logic?
                  
                  Industrial robot OEMs provide proprietary, legacy programming
                  languages to automate these complex machines. Mostly offering
                  movement primitives, theseprogramming languages also give
                  access to low-level system resources like files, network
                  sockets, and some even allow memory and program pointer.
                  While useful, these features may lead to insecure programming
                  patterns such as input-validation vulnerabilities. Also,
                  they’re powerful enough to allow the implementation of
                  advanced malware functionalities, with an underlying runtime
                  environment that provides no resource isolation.
                  
                  After going through the technical features of the languages
                  by eight leading OEMs, we'll share cases of vulnerable and
                  malicious usage. We'll then present a static code analyzer
                  that we created and patented, to scan robotic programs and
                  discover unsafe code patterns. Our evaluation on 100
                  automation task program files show that insecure patterns are
                  indeed found in real-world code, and that static source code
                  analysis is an effective defense tool in the short term.},
  Location      = {Taiwan},
  URL           = {https://hitcon.org/2020/agenda/93ba0758-bd84-43ae-9da0-b389fde2803b/},
  Date          = {2020-09-12},
  HowPublished  = {Peer-reviewed Talk},
  File          = {files/talks/maggi_otrazorhitcon_talk_2020.pdf}
}

@Unpublished{     maggi_otrazorbhus_talk_2020,
  ShortTitle    = {OTRazorBHUS},
  Author        = {Maggi, Federico and Pogliani, Marcello and Quarta, Davide
                  and Zanero, Stefano and Balduzzi, Marco},
  Title         = {OTRazor: Static Code Analysis for Vulnerability Discovery in
                  Industrial Automation Scripts},
  EventTitle    = {Black Hat Briefings USA},
  Abstract      = {In this talk, we delve into industrial robot programming,
                  focusing on the security issues arising from the design and
                  implementation choices of these platforms.
                  
                  Industrial robot manufacturers provide proprietary,
                  domain-specific programming languages to operate these
                  complex machines. Mostly focused on movement instructions,
                  such programming languages also provide access to low-level
                  system resources like files and network access, and some even
                  allow dynamic code loading. While useful, these features can
                  lead to unsafe programming patterns such as input-validation
                  vulnerabilities or malware-like functionalities, especially
                  if the underlying environment provides no resource isolation
                  like those found in modern operating systems.
                  
                  After describing the technical features of the languages by
                  eight leading manufacturers, we'll share several cases of
                  vulnerable and malicious usage. We'll then present a static
                  code analyzer that we created and patented, to scan robotic
                  programs and discover unsafe code patterns. Our evaluation on
                  50 automation programs show that unsafe patterns are indeed
                  found in real-world code, and that static source code
                  analysis is an effective defense tool in the short term.
                  
                  We conclude by discussing the remediation steps that can be
                  adopted by developers and vendors to mitigate such issues in
                  the medium and long term.},
  Location      = {Las Vegas, US},
  URL           = {https://www.blackhat.com/us-20/briefings/schedule/index.html#otrazor-static-code-analysis-for-vulnerability-discovery-in-industrial-automation-scripts-19523},
  Date          = {2020-08-05},
  HowPublished  = {Peer-reviewed Talk},
  File          = {files/talks/maggi_otrazorbhus_talk_2020.pdf}
}

@TechReport{      maggi_rogueautomationwp_tr_2020,
  ShortTitle    = {RogueAutomationWP},
  Author        = {Maggi, Federico and Pogliani, Marcello and Vittone, Martino,
                  and Quarta, Davide and Zanero, Stefano and Balduzzi, Marco
                  and Vosseler, Rainer and Rösler, Martin},
  Title         = {Rogue Automation: Vulnerable and Malicious Code in
                  Industrial Programming},
  Institution   = {Trend Micro, Inc.},
  Abstract      = {In this research paper, we reveal previously unknown design
                  flaws that malicious actors could exploit to hide malicious
                  functionalities in industrial robots and other automated,
                  programmable manufacturing machines. Since these flaws are
                  difficult to fix, enterprises that deploy vulnerable machines
                  could face serious consequences. An attacker could exploit
                  them to become persistent within a smart factory, silently
                  alter the quality of products, halt a manufacturing line, or
                  perform some other malicious activity.},
  Date          = {2020-08-04},
  URL           = {https://www.trendmicro.com/vinfo/us/security/news/internet-of-things/unveiling-the-hidden-risks-of-industrial-automation-programming},
  Series        = {Research Papers},
  Publisher     = {Trend Micro Research},
  File          = {files/papers/reports/maggi_rogueautomationwp_tr_2020.pdf}
}

@TechReport{      maggi_smartfactorywp_tr_2020,
  ShortTitle    = {SmartFactoryWP},
  Author        = {Maggi, Federico and Pogliani, Marcello},
  Title         = {Attacks on Smart Manufactururing Systems: A Forward-looking
                  Security Analysis},
  Institution   = {Trend Micro, Inc.},
  Abstract      = {This research presents a systematic security analysis that
                  we performed to explore a variety of attack vectors on a real
                  smart manufacturing system and to assess the attacks that
                  could be feasibly launched on a complex smart manufacturing
                  system. The main, two-pronged question we want to answer is:
                  Under which threat conditions and attacker capabilities are
                  certain attacks possible, and what are the consequences?},
  Date          = {2020-05-11},
  URL           = {https://www.trendmicro.com/vinfo/us/security/news/internet-of-things/threats-and-consequences-a-security-analysis-of-smart-manufacturing-systems},
  Series        = {Research Papers},
  Publisher     = {Trend Micro Research},
  File          = {files/papers/reports/maggi_smartfactorywp_tr_2020.pdf}
}

@TechReport{      hilt_factoryhoneypotwp_tr_2020,
  ShortTitle    = {FactoryHoneypotWP},
  Author        = {Hilt, Stephen and Maggi, Federico and Perine, Charles and
                  Remorin, Lord and Rösler, Martin and Vosseler, Rainer},
  Title         = {Caught in the Act: Running a Realistic Factory Honeypot to
                  Capture Real Threats},
  Institution   = {Trend Micro, Inc.},
  Abstract      = {Different critical infrastructures have been hit with
                  attacks such as those that involved the infamous Stuxnet
                  malware1 and the more recent Triton malware. These incidents
                  — attacks on manufacturing and other sectors that use
                  industrial control systems (ICSs) — continue to be heard of
                  through the years. In 2017, for instance, the notorious
                  WannaCry ransomware shut down a car manufacturing factory in
                  Japan, and another ransomware attack took down a factory in
                  North Carolina, U.S. Smart factories attract the interest of
                  threat actors for the critical and sensitive infrastructures
                  they usually handle. A successful attack, no matter how
                  difficult the execution, can yield high-impact results that
                  can corner an organization into giving in to
                  cybercriminals’ demands or, at the very least, cost it
                  considerable losses.Prompted by our desire to determine how
                  knowledgeable and imaginative attackers could be in
                  compromising a manufacturing facility, we built the most
                  realistic factory honeypot we had ever created. And in doing
                  so, we also created an ideal environment where we could
                  monitor and learn about the attacks that the honeypot came to
                  attract. From conceptualization to actual execution, our
                  factory honeypot was designed to be an attractive target for
                  potential cybercriminals.Our factory honeypot took on the
                  ruse of a small fictitious company that apparently handled
                  clients from critical industries yet possessed inadequate
                  security defenses. Our ruse proved successful as our honeypot
                  saw several attacks, which we had the freedom and resources
                  to monitor. These attacks included a malicious cryptocurrency
                  mining campaign, two ransomware attacks, another that posed
                  as a ransomware attack, and several scanners.In this research
                  paper, we detail the conceptualization and creation of our
                  most elaborate honeypot to date, and discuss the result of
                  our monitoring and tracking of the incidents that occurred on
                  the honeypot.},
  Date          = {2020-01-21},
  URL           = {https://www.trendmicro.com/vinfo/us/security/news/internet-of-things/fake-company-real-threats-logs-from-a-smart-factory-honeypot},
  Series        = {Research Papers},
  Publisher     = {Trend Micro Research},
  File          = {files/papers/reports/hilt_factoryhoneypotwp_tr_2020.pdf}
}

@InProceedings{   maggi_industrialradios_2019,
  ShortTitle    = {IndustrialRadios},
  Author        = {Maggi, Federico and Balduzzi, Marco and Andersson, Jonathan
                  and Lin, Philippe and Hilt, Stephen and Urano, Akira and
                  Vosseler, Rainer},
  Title         = {A Security Evaluation of Industrial Radio Remote
                  Controllers},
  Publisher     = {Springer International Publishing},
  Editor        = {Perdisci, Roberto and Almgren, Magnus},
  BookTitle     = {Proceedings of the 16th International Conference on
                  Detection of Intrusions and Malware, and Vulnerability
                  Assessment (DIMVA)},
  Volume        = {11543},
  Pages         = {(to appear)},
  Location      = {Gothenburg, Sweden},
  Abstract      = {Heavy industrial machinery is a primary asset for the
                  operation of key sectors such as construction, manufacturing,
                  and logistics. Targeted attacks against these assets could
                  result in incidents, fatal injuries, and substantial
                  financial loss. Given the importance of such scenarios, we
                  analyzed and evaluated the security implications of the
                  technology used to operate and control this machinery, namely
                  industrial radio remote controllers. We conducted the
                  first-ever security analysis of this technology, which relies
                  on proprietary radio-frequency protocols to implement
                  remote-control functionalities. Through a two-phase
                  evaluation approach we discovered important flaws in the
                  design and implementation of industrial remote controllers.
                  In this paper we introduce and describe 5 practical attacks
                  affecting major vendors and multiple real-world
                  installations. We conclude by discussing how a challenging
                  responsible disclosure process resulted in first-ever
                  security patches and improved security awareness.},
  DOI           = {10.1007/978-3-030-22038-9_7},
  ISBN          = {978-3-030-22037-2},
  Date          = {2019-06-19},
  File          = {files/papers/conference-papers/maggi_industrialradios_2019.pdf}
}

@Unpublished{     balduzzi_industrialradioshitb_talk_2019,
  ShortTitle    = {IndustrialRadiosHITB},
  Author        = {Balduzzi, Marco and Maggi, Federico},
  Title         = {Hey Operator, Where’s Your Crane? Attacking Industrial
                  Remote Controllers},
  EventTitle    = {Hack In The Box Amsterdam},
  Abstract      = {Radio-frequency (RF) remote controllers are widely used in
                  multiple industrial applications like manufacturing,
                  construction and transportation. Cranes, drillers and
                  diggers, among others, are commonly equipped with RF
                  controllers, which have become the weakest link in
                  safety-critical IIoT applications.
                  
                  Our security assessment revealed a lack of important security
                  features at different levels, with vendors using obscure
                  proprietary protocols instead of standards. As a consequence,
                  this technology appeared to be vulnerable to attacks like
                  replay, command injection, e-stop abuse, malicious repairing
                  and reprogramming. Together with ZDI, we ran into a 6-months
                  responsible disclosure process and then released 10 security
                  advisories.
                  
                  In this presentation, we share the findings of our research
                  and make use of demos to discuss the problems in detail. We
                  conclude providing recommendations for all parties involved
                  in the life-cycle of these devices, from vendors to users and
                  system integrators.},
  Location      = {Amsterdam, The Netherlands},
  URL           = {https://conference.hitb.org/hitbsecconf2019ams/sessions/hey-operator-wheres-your-crane-attacking-industrial-remote-controllers/},
  Date          = {2019-05-10},
  HowPublished  = {Peer-reviewed Talk},
  File          = {files/talks/balduzzi_industrialradioshitb_talk_2019.pdf}
}

@Unpublished{     maggi_rfquack_talk_2019,
  ShortTitle    = {RFQuack},
  Author        = {Maggi, Federico},
  Title         = {RFQuack: The RF-Analysis Tool That Quacks},
  EventTitle    = {HITB Amsterdam},
  Abstract      = {RFQuack is the versatile RF-analysis tool that quacks! It's
                  a library firmware that allows you to sniff, manipulate, and
                  transmit data over the air. And if you're not happy how the
                  default firmware functionalities, we made it easy to extend.
                  Consider it as the hardware-modular and developer-friendly
                  version of the great YardStick One, which is based on the
                  CC1111 radio chip. Differently from that and other RF
                  dongles, RFQuack is designed to be agnostic with respect to
                  the radio chip. So if you want to use, say, the RF69, you can
                  do it. If you need to use the CC110L or CC1120, you can do
                  it. Similarly to RFCat, RFQuack has console based, Python
                  scriptable, client that allows you to set parameters,
                  receive, transmit, and so on.},
  Location      = {Amsterdam, The Netherlands},
  URL           = {https://github.com/trendmicro/RFQuack},
  Date          = {2019-05-09},
  HowPublished  = {Peer-reviewed Demo},
  File          = {files/talks/maggi_rfquack_talk_2019.pdf}
}

@Unpublished{     maggi_m2mhmi_talk_2019,
  ShortTitle    = {M2MHMI},
  Author        = {Maggi, Federico},
  Title         = {Machine-to-Machine Protocol Security: The Case of MQTT and
                  CoAP},
  EventTitle    = {Hannover Messe},
  Abstract      = {MQTT and CoAP provide data connectivity for practically any
                  kind of "machines". This talk will cover the results of our
                  security analysis of MQTT and CoAP, which uncovered issues in
                  the design specifications, vulnerable product
                  implementations, and hundreds of thousands unsecured,
                  open-to-the-world deployments. Despite the fixes in the
                  design specifications, it is hard for developers to keep up
                  with a changing standard when a technology becomes pervasive.
                  Also, the market of this technology is very wide because the
                  barrier to entry is fairly low. This led to a multitude of
                  fragmented implementations. Our findings have been
                  acknowledged by the vendors, by the MQTT Technical Committee,
                  which released a note to help identify the risks, and
                  received the attention of several other organizations. Using
                  MQTT and CoAP as case study, we will provide recommendations
                  at various levels, in the hope to see a significant reduction
                  in the number of insecure deployments in the future.},
  Location      = {Hannover, Germany},
  Date          = {2019-04-04},
  HowPublished  = {Selected Talk},
  URL           = {https://www.hannovermesse.de/event/machine-to-machine-protocol-security-the-case-of-mqtt-and-coap/VOR/90582},
  File          = {files/talks/maggi_m2mhmi_talk_2019.pdf}
}

@TechReport{      andersson_industrialradioswp_tr_2019,
  ShortTitle    = {IndustrialRadiosWP},
  Author        = {Andersson, Jonathan and Balduzzi, Marco and Hilt, Stephen
                  and Lin, Philippe and Maggi, Federico and Urano, Akira and
                  Vosseler, Rainer},
  Title         = {A Security Analysis of Radio Remote Controllers for
                  Industrial Applications},
  Institution   = {Trend Micro, Inc.},
  Abstract      = {Radio frequency (RF) remote controllers are widely used in
                  manufacturing, construction, transportation, and many other
                  industrial applications. Cranes, drills, and miners, among
                  others, are commonly equipped with RF remotes. Unfortunately,
                  these devices have become the weakest link in these
                  safety-critical applications, characterized by long life
                  spans, high replacement costs, and cumbersome patching
                  processes. Given the pervasive connectivity promoted by the
                  Industry 4.0 trend, we foresee a security risk in this domain
                  as has happened in other fields.
                  
                  Our research reveals that RF remote controllers are
                  distributed globally, and millions of vulnerable units are
                  installed on heavy industrial machinery and environments. Our
                  extensive in-lab and on-site analysis of devices made by
                  seven popular vendors reveals a lack of security features at
                  different levels, with obscure, proprietary protocols instead
                  of standard ones. They are vulnerable to command spoofing, so
                  an attacker can selectively alter their behavior by crafting
                  arbitrary commands — with consequences ranging from theft
                  and extortion to sabotage and injury.
                  
                  This research analyzes and shows how an attacker can
                  persistently and remotely take control or simulate the
                  malfunction of the attached machinery, through attacks like
                  command injection, emergency-stop (e-stop) abuse, and
                  malicious re-pairing. In addition, many modern radio
                  controllers can be programmed via software, which also lacks
                  any security measures, opening them to remote attack vectors.
                  A remote attacker who compromises the computer used to
                  program these remotes can alter their firmware to implement
                  persistent and sophisticated attacks.
                  
                  Having examined the root cause of the vulnerabilities that
                  make these attacks possible, we have reached out to the
                  affected vendors to promote suitable mitigation, and we hope
                  that our research will help raise awareness and avoid
                  unfortunate situations regarding RF remote controllers in
                  industrial applications.},
  Date          = {2019-01-15},
  URL           = {https://documents.trendmicro.com/assets/white_papers/wp-a-security-analysis-of-radio-remote-controllers.pdf},
  Series        = {Research Papers},
  Publisher     = {Trend Micro Research},
  File          = {files/papers/reports/andersson_industrialradioswp_tr_2019.pdf}
}

@Unpublished{     maggi_mqttbheu_talk_2018,
  ShortTitle    = {MQTTBHEU},
  Author        = {Maggi, Federico and Quarta, Davide},
  Title         = {When Machines Can't Talk: Security and Privacy Issues of
                  Machine-to-Machine Data Protocols},
  EventTitle    = {Black Hat Briefings Europe},
  Abstract      = {Two popular machine-to-machine (M2M) protocols—MQTT \&
                  CoAP—are slowly forming the backbone of many IoT
                  infrastructures, including critical industry environments.
                  They are used to provide data connectivity for practically
                  any kind of "machines". We found out that these protocols are
                  affected by security and privacy issues that impact several
                  market verticals, applications, products, and brands.
                  
                  This talk provides a security analysis of MQTT \& CoAP at the
                  design, implementation, and deployment level. We found issues
                  in the design specifications, vulnerable product
                  implementations, and hundreds of thousands unsecured,
                  open-to-the-world deployments. These issues show the risk
                  that endpoints could be open to denial-of-service attacks
                  and, in some cases, full control by an adversary. Despite the
                  fixes in the design specifications, it is hard for developers
                  to keep up with a changing standard when a technology becomes
                  pervasive. Also, the market of this technology is very wide
                  because the barrier to entry is fairly low. This led to a
                  multitude of fragmented implementations.
                  
                  We analyzed the source code of the most common MQTT
                  implementations, and discovered common flaws—mostly
                  originating from misinterpretation of the standard. In
                  particular, we found issues in how multibyte strings, UTF-8
                  characters, and regular-expressions are parsed. Combined with
                  standard features that force servers to retain messages and
                  clients to request acknowledgement the delivery of every
                  message, such bugs can lead to persistent denial of service.
                  Our findings have been acknowledged by the MQTT Technical
                  Committee, which released a note to help identify the risks.
                  
                  Alongside this, we've analyzed hundreds of millions MQTT \&
                  CoAP messages obtained from hundreds of thousands server.
                  Despite previous efforts that tried to raise awareness, we
                  still found exposed data related to various industry sectors
                  and sensitive information, including credentials and network
                  infrastructure details. Moreover, we found out that MQTT is
                  being used beyond messaging, to transport binary data, most
                  likely for OTA update purposes, which certainly raises a red
                  flag.
                  
                  Using MQTT \& CoAP as a concrete example of modern M2M
                  technology, we will provide recommendations at various levels
                  (standardization bodies, vendors, developers, and users) in
                  the hope to see a significant reduction in the number of
                  insecure deployments in the future, and a more responsible
                  position by standardization bodies.},
  Location      = {London, UK},
  URL           = {https://www.blackhat.com/eu-18/briefings/schedule/#when-machines-cant-talk-security-and-privacy-issues-of-machine-to-machine-data-protocols-12722},
  Date          = {2018-12-06},
  HowPublished  = {Peer-reviewed Talk},
  File          = {files/talks/maggi_mqttbheu_talk_2018.pdf}
}

@TechReport{      maggi_mqttwp_tr_2018,
  ShortTitle    = {MQTTWP},
  Author        = {Maggi, Federico and Vosseler, Rainer and Quarta, Davide},
  Title         = {The Fragility of Industrial IoT's Data Backbone: Security
                  and Privacy Issues in MQTT and CoAP Protocols},
  Institution   = {Trend Micro, Inc.},
  Abstract      = {The most popular protocols for machine-tomachine (M2M)
                  technology---the backbone of the internet of things (IoT) and
                  industrial internet of things (IIoT)---are affected by
                  security and privacy issues that impact several market
                  verticals, applications, products, and brands.
                  
                  This report provides a holistic security analysis of the most
                  popular M2M protocols: Message Queuing Telemetry Transport
                  (MQTT) and Constrained Application Protocol (CoAP). Given
                  their flexibility, these data protocols are being adopted in
                  a variety of settings for consumer, enterprise, and
                  industrial applications to connect practically all kinds of
                  “machine,” from innocuous fitness trackers to large power
                  plants. We found issues in design as well as vulnerable
                  implementations, along with hundreds of thousands of unsecure
                  deployments. These issues highlight the risk of how endpoints
                  could be open to denial-of-service (DoS) attacks and, in some
                  cases, taken advantage of to gain full control by an
                  attacker. Despite the fixes in the design specifications, it
                  is hard for developers to keep up with a changing standard
                  when a technology becomes pervasive. Also, the market for
                  this technology is very wide because the barrier to entry is
                  fairly low. This has led to a multitude of fragmented
                  implementations.
                  
                  This report is aimed at raising security awareness and
                  driving the adoption of proper remediation measures.},
  Date          = {2018-12-04},
  URL           = {https://www.trendmicro.com/vinfo/us/security/news/internet-of-things/mqtt-and-coap-security-and-privacy-issues-in-iot-and-iiot-communication-protocols},
  Series        = {Research Papers},
  Publisher     = {Trend Micro Research},
  File          = {files/papers/reports/maggi_mqttwp_tr_2018.pdf}
}

@Unpublished{     maggi_webdefacementhitb_talk_2018,
  ShortTitle    = {WebDefacementHITB},
  Author        = {Maggi, Federico},
  Title         = {Using Machine-Learning to Investigate Web Campaigns at
                  Large},
  EventTitle    = {Hack In The Box Dubai},
  Abstract      = {Web defacement is the practice of altering a website after
                  its compromise. The altered pages, called defaced pages, can
                  negatively affect the reputation and business of the victim.
                  While investigating several campaigns, we observed that the
                  artifacts left by these attackers allow an expert analyst to
                  investigate their modus operandi and social structure, and
                  expand from single attacks to a group of related incidents.
                  However, manually performing such analysis on millions of
                  events is tedious, and poses scalability challenges.
                  
                  From these observations, we conceived an automated system
                  that efficiently builds intelligence information out of raw
                  events. Our approach streamlines the analysts job by
                  automatically recognizing web campaigns, and assigning
                  meaningful textual labels to them. Applied to a comprehensive
                  dataset of 13 million incidents, our approach allowed us to
                  conduct what we believe been the first large-scale
                  investigation of this form. In addition, our approach is
                  meant to be adopted operationally by analysts to identify
                  live campaigns in the real world.
                  
                  We analyze the social structure of modern web attackers,
                  which includes lone individuals as well as actors that
                  cooperate in teams. We look into their motivations, and we
                  draw a parallel between the time line of word-shaping events
                  and web campaigns, which represent the evolution of the
                  interests and orientation of modern attackers.},
  Location      = {Dubai, United Arab Emirates},
  URL           = {https://conference.hitb.org/hitbsecconf2018dxb/sessions/using-machine-learning-to-investigate-web-campaigns-at-large/},
  Date          = {2018-11-28},
  HowPublished  = {Peer-reviewed Talk},
  File          = {files/talks/maggi_webdefacementhitb_talk_2018.pdf}
}

@Unpublished{     maggi_ir_talk_2018,
  ShortTitle    = {IR},
  Author        = {Maggi, Federico},
  Title         = {Safety Risks and Threats in Industrial Automation Systems:
                  The Case of Industrial Radio Remote Controllers},
  EventTitle    = {Trend Micro Direction},
  Location      = {Tokyo, JP},
  URL           = {https://direction.trendmicro.com/sess/},
  Date          = {2018-11-16},
  HowPublished  = {Talk},
  File          = {files/talks/maggi_ir_talk_2018.pdf}
}

@InProceedings{   maggi_defplorex_2018,
  ShortTitle    = {DefPloreX},
  Author        = {Maggi, Federico and Balduzzi, Marco and Flores, Ryan and Gu,
                  Lion and Ciancaglini, Vincenzo},
  Title         = {Investigating Web Defacement Campaigns at Large},
  Publisher     = {ACM},
  BookTitle     = {Proceedings of the 2018 on Asia Conference on Computer and
                  Communications Security},
  Series        = {AsiaCCS '18},
  Pages         = {443--456},
  Address       = {New York, NY, USA},
  Location      = {Incheon, Republic of Korea},
  Abstract      = { Website defacement is the practice of altering the web
                  pages of a website after its compromise. The altered pages,
                  calleddeface pages, can negatively affect the reputation and
                  business of the victim site. Previous research has focused
                  primarily on detection, rather than exploring the defacement
                  phenomenon in depth. While investigating several defacements,
                  we observed that the artifacts left by the defacers allow an
                  expert analyst to investigate the actors' modus operandi and
                  social structure, and expand from the single deface page to a
                  group of related defacements (i.e., acampaign ). However,
                  manually performing such analysis on millions of incidents is
                  tedious, and poses scalability challenges. From these
                  observations, we propose an automated approach that
                  efficiently builds intelligence information out of raw deface
                  pages. Our approach streamlines the analysts job by
                  automatically recognizing defacement campaigns, and assigning
                  meaningful textual labels to them. Applied to a comprehensive
                  dataset of 13 million defacement records, from Jan. 1998 to
                  Sept. 2016, our approach allowed us to conduct the first
                  large-scale measurement on web defacement campaigns. In
                  addition, our approach is meant to be adopted operationally
                  by analysts to identify live campaigns on the field.
                  
                  We go beyond confirming anecdotal evidence. We analyze the
                  social structure of modern defacers, which includes lone
                  individuals as well as actors that cooperate with each
                  others, or with teams, which evolve over time and dominate
                  the scene. We conclude by drawing a parallel between the time
                  line of World-shaping events and defacement campaigns,
                  representing the evolution of the interests and orientation
                  of modern defacers.},
  DOI           = {10.1145/3196494.3196542},
  ISBN          = {978-1-4503-5576-6},
  Date          = {2018-06-04},
  File          = {files/papers/conference-papers/maggi_defplorex_2018.pdf}
}

@Unpublished{     maggi_iiothmi_talk_2018,
  ShortTitle    = {IIoTHMI},
  Author        = {Maggi, Federico},
  Title         = {The impact of legacy machines on future manufacturing
                  cybersecurity},
  EventTitle    = {Hannover Messe},
  Abstract      = {Despite the focus on future-generation equipment, legacy
                  industrial machines will continue to exist. In terms of
                  cybersecurity risks, what happens when these machines must be
                  connected? We've answered this question by taking a close
                  look at a previous-generation industrial robot, one of the
                  most widespread industrial machine, used practically in every
                  sector, including for manufacturing. Besides the software
                  vulnerabilities that we have found, which we consider
                  "natural" in embedded software, we focused on the root cause
                  of these vulnerabilities and we will discuss our thoughts and
                  practical recommendations with the audience. We will provide
                  a demo of what happens when an attacker compromises an
                  industrial robot, explaining how a software flaw can go all
                  the way down to affecting the quality of the manufactured
                  goods. Beyond robots, the entire factory features more and
                  more embedded systems, which are a critical entry point for
                  an external attacker, and thus need to properly be secured.},
  Location      = {Hannover, Germany},
  Date          = {2018-04-09},
  HowPublished  = {Selected Talk},
  URL           = {http://www.hannovermesse.de/event/the-impact-of-legacy-machines-on-future-manufacturing-cybersecurity/VOR/83621},
  File          = {files/talks/maggi_iiothmi_talk_2018.pdf}
}

@TechReport{      balduzzi_defplorexwp_tr_2018,
  ShortTitle    = {DefPloreXWP},
  Author        = {Balduzzi, Marco and Flores, Ryan and Gu, Lion and Maggi,
                  Federico and Ciancaglini, Vincenzo and Reyes, Roel and Urano,
                  Akira},
  Title         = {A Deep Dive into Defacement: How Geopolitical Events Trigger
                  Web Attacks},
  Institution   = {Trend Micro, Inc.},
  Abstract      = {Web attacks—attacks that compromise internet assets like
                  mail servers, cloud infrastructures, and websites—are
                  troubling phenomena. The research community has put
                  considerable effort into investigating these incidents but
                  has mostly focused on detecting attacks and not delving into
                  the reasons behind these attacks.
                  
                  Of course, the typical cybercriminal's goal is to profit.
                  They might compromise websites to push ransomware, or they
                  could try and steal data—recent breaches show that
                  information is an increasingly valuable commodity. But, as
                  this paper discusses, more emotional motivations, such as
                  patriotism, specific real-world events or simply hacktivism,
                  can also trigger compromises.
                  
                  Web defacement hacktivism is the practice of subverting a
                  website with the goal of promoting a specific agenda or
                  political ideology. Methods may vary, but when hacktivists
                  compromise a website, the usual tactic involves replacing the
                  original page with their version—a practice that is called
                  web defacement. Hacktivism is mainly linked to web
                  defacement, but a hacktivist (the attacker) can also be
                  involved in traffic redirection (from a legitimate site to an
                  attackerowned site), denial of service (a form of service
                  disruption), and malware distribution to support their
                  particular cause.
                  
                  Dedicated websites like Zone-H1 collect evidence of web
                  defacements and defacers can voluntarily advertise their
                  compromise by submitting a report. Elaborating on the reasons
                  behind web defacements at scale is not as easy as it seems.
                  While someone could theorize that geopolitical events and
                  conflicts influence cybercriminals’ attacks against
                  websites and their choice of victims, corroborating this
                  phenomenon requires large-scale analysis.
                  
                  Our examination of over 13 million web defacement reports
                  against websites spans over 18 years, covering multiple
                  continents. We designed an internal system that gathers,
                  analyzes, and clusters these millions of reports. As we
                  identify the major campaigns of these defacers, we can
                  provide further insights into how geopolitical events are
                  reflected in web defacements. We also look at how different
                  factors, such as the political beliefs and the defacers'
                  religious inclination, can trigger and affect these attacks.
                  
                  Our first two sections provide high-level insights into our
                  dataset of defacements, as well as some defining facts about
                  the targets and tactics used by the defacers. Our next
                  section on Real World Impact breaks down seven top campaigns
                  that have affected Israel, France, India, Syria, Kosovo, and
                  countries surrounding the South China Sea. We delve into
                  specific conflicts in those areas and the defacements that
                  happened in the aftermath.
                  
                  The succeeding sections cover the hacking groups'
                  affiliations and how their collectives are organized—some
                  collectives are formed across continents, and some are a
                  loose collection of local hackers. Recruitment tools and the
                  methods used to distribute hacking techniques are also
                  discussed.
                  
                  The final sections discuss other activities that defacers
                  take part in, and how the current activities may evolve.
                  Recently, there have been incidents of hackers who have gone
                  from simple web defacement to activities supporting
                  cybercrime. There is a real possibility that defacers and
                  defacement groups will start to escalate their activities,
                  move away from ideological motivations, and turn into
                  cybercrime. },
  Date          = {2018-01-22},
  URL           = {https://documents.trendmicro.com/assets/white_papers/wp-a-deep-dive-into-defacement.pdf},
  Series        = {Research Papers},
  Publisher     = {TrendLabs},
  File          = {files/papers/reports/balduzzi_defplorexwp_tr_2018.pdf}
}

@InProceedings{   zarras_sqlbot_2017,
  ShortTitle    = {SQLBot},
  Author        = {Zarras, Apostolis and Maggi, Federico},
  Title         = {Hiding Behind the Shoulders of Giants: Abusing Crawlers for
                  Indirect Web Attacks},
  Publisher     = {IEEE Computer Society},
  BookTitle     = {Proceedings of the 15th Annual International Conference on
                  Privacy, Security and Trust (PST)},
  Pages         = {355--35509},
  Location      = {Calgary, Canada},
  Abstract      = {It could be argued that without search engines, the web
                  would have never grown to the size that it has today. To
                  achieve maximum coverage and provide relevant results, search
                  engines employ large armies of autonomous crawlers that
                  continuously scour the web, following links, indexing
                  content, and collecting features that are then used to
                  calculate the ranking of each page. In this paper, we
                  describe how autonomous crawlers can be abused by attackers
                  to exploit vulnerabilities on thirdparty websites while
                  hiding the true origin of the attacks. Moreover, we show how
                  certain vulnerabilities on websites that are currently deemed
                  unimportant, can be abused in a way that would allow an
                  attacker to arbitrarily boost the rankings of malicious
                  websites in the search results of popular search engines.
                  Motivated by the potentials of these vulnerabilities, we
                  propose a series of preventive and defensive countermeasures
                  that website owners and search engines can adopt to minimize,
                  or altogether eliminate, the effects of crawler-abusing
                  attacks.},
  DOI           = {10.1109/PST.2017.00049},
  ISBN          = {978-1-5386-2487-6},
  Date          = {2017-08-28},
  File          = {files/papers/conference-papers/zarras_sqlbot_2017.pdf}
}

@TechReport{      maggi_candoswp_tr_2017,
  ShortTitle    = {CANDoSWP},
  Author        = {Maggi, Federico},
  Title         = {A Vulnerability in Modern Automotive Standards and How We
                  Exploited It},
  Institution   = {Trend Micro, Inc.},
  Abstract      = {This research is a joint effort between Politecnico di
                  Milano, Linklayer Labs, and Trend Micro's FTR. In this
                  report, we describe a vulnerability in modern cars’
                  networks that allows a completely stealthy denial-of-service
                  attack which is undetectable by current security mechanisms
                  and works for every automotive vendor. This attack differs
                  drastically from other previously reported car hacks because
                  it does not exploit easily patchable software
                  vulnerabilities. Rather, the element exploited is a design
                  flaw, which is thus fundamentally hard to solve, in the
                  standard that defines how in-vehicle networks work.
                  
                  This attack was presented at the 2017 international
                  conference on Detection of Intrusions and Malware \&
                  Vulnerability Assessment (DIMVA) in Bonn (Jul 6–7). Prior
                  to that, we coordinated with the ICS-CERT, which promptly
                  disseminated an alert (ICS-ALERT-17-209-01).},
  Date          = {2017-08},
  URL           = {https://documents.trendmicro.com/assets/A-Vulnerability-in-Modern-Automotive-Standards-and-How-We-Exploited-It.pdf},
  Publisher     = {TrendLabs Security Intelligence Blog},
  Series        = {Technical Brief},
  File          = {files/papers/reports/maggi_candoswp_tr_2017.pdf}
}

@InProceedings{   unruh_joernphp_2017,
  ShortTitle    = {JoernPHP},
  Author        = {Unruh, Tommi and Shastry, Bhargava and Skoruppa, Malte and
                  Maggi, Federico and Rieck, Konrad and Seifert, Jean-Pierre
                  and Yamaguchi, Fabian},
  Title         = {Leveraging Flawed Tutorials for Seeding Large-Scale Web
                  Vulnerability Discovery},
  Publisher     = {USENIX Association},
  BookTitle     = {Proceedings of the 11th USENIX Workshop on Offensive
                  Technologies (WOOT 17)},
  Location      = {Vancouver, BC},
  Abstract      = {The Web is replete with tutorial-style content on how to
                  accomplish programming tasks. Unfortunately, even top-ranked
                  tutorials suffer from severe security vulnerabilities, such
                  as cross-site scripting (XSS), and SQL injection (SQLi).
                  Assuming that these tutorials influence real-world software
                  development, we hypothesize that code snippets from popular
                  tutorials can be used to bootstrap vulnerability discovery at
                  scale. To validate our hypothesis, we propose a
                  semi-automated approach to find recurring vulnerabilities
                  starting from a handful of top-ranked tutorials that contain
                  vulnerable code snippets. We evaluate our approach by
                  performing an analysis of tens of thousands of open-source
                  web applications to check if vulnerabilities originating in
                  the selected tutorials recur. Our analysis framework has been
                  running on a standard PC, analyzed 64,415 PHP codebases
                  hosted on GitHub thus far, and found a total of 117
                  vulnerabilities that have a strong syntactic similarity to
                  vulnerable code snippets present in popular tutorials. In
                  addition to shedding light on the anecdotal belief that
                  programmers reuse web tutorial code in an ad hoc manner, our
                  study finds disconcerting evidence of insufficiently reviewed
                  tutorials compromising the security of open-source projects.
                  Moreover, our findings testify to the feasibility of
                  large-scale vulnerability discovery using poorly written
                  tutorials as a starting point.},
  Date          = {2017-08},
  URL           = {https://www.usenix.org/conference/woot17/workshop-program/presentation/unruh},
  Keywords      = {workshop},
  File          = {files/papers/workshop-papers/unruh_joernphp_2017.pdf}
}

@InProceedings{   shastry_hybridstaticfuzzing_2017,
  ShortTitle    = {HybridStaticFuzzing},
  Author        = {Shastry, Bhargava and Maggi, Federico and Yamaguchi, Fabian
                  and Rieck, Konrad and Seifert, Jean-Pierre},
  Title         = {Static Exploration of Taint-Style Vulnerabilities Found by
                  Fuzzing},
  Publisher     = {USENIX Association},
  BookTitle     = {11th USENIX Workshop on Offensive Technologies USENIX
                  Workshop on Offensive Technologies ({WOOT} 17)},
  Location      = {Vancouver, BC},
  Abstract      = {Taint-style vulnerabilities comprise a majority of fuzzer
                  discovered program faults. These vulnerabilities usually
                  manifest as memory access violations caused by tainted
                  program input. Although fuzzers have helped uncover a
                  majority of taint-style vulnerabilities in software to date,
                  they are limited by (i) extent of test coverage; and (ii) the
                  availability of fuzzable test cases. Therefore, fuzzing alone
                  cannot provide a high assurance that all taint-style
                  vulnerabilities have been uncovered.
                  
                  In this paper, we use static template matching to find
                  recurrences of fuzzer-discovered vulnerabilities. To
                  compensate for the inherent incompleteness of template
                  matching, we implement a simple yet effective match-ranking
                  algorithm that uses test coverage data to focus attention on
                  matches comprising untested code. We prototype our approach
                  using the Clang/LLVM compiler toolchain and use it in
                  conjunction with afl-fuzz, a modern coverage-guided fuzzer.
                  Using a case study carried out on the Open vSwitch codebase,
                  we show that our prototype uncovers corner cases in modules
                  that lack a fuzzable test harness. Our work demonstrates that
                  static analysis can effectively complement fuzz testing, and
                  is a useful addition to the security assessment tool-set.
                  Furthermore, our techniques hold promise for increasing the
                  effectiveness of program analysis and testing, and serve as a
                  building block for a hybrid vulnerability discovery
                  framework.},
  Date          = {2017-08},
  URL           = {https://www.usenix.org/conference/woot17/workshop-program/presentation/shastry},
  Keywords      = {workshop},
  File          = {files/papers/workshop-papers/shastry_hybridstaticfuzzing_2017.pdf}
}

@Unpublished{     balduzzi_defplorexbhus_talk_2017,
  ShortTitle    = {DefPloreXBHUS},
  Author        = {Balduzzi, Marco and Maggi, Federico and Ciancaglini,
                  Vincenzo and Flores, Ryan and Gu, Lion},
  Title         = {DefPloreX: A Machine Learning Toolkit for Large-scale
                  e-Crime Forensics},
  EventTitle    = {Black Hat Arsenal USA},
  Abstract      = {The security industry as a whole---including operation
                  centers, providers and telcos---loves collecting data.
                  Researchers are not different! A sort of common feeling is
                  that the more data someone collects, the more self-confident
                  he becomes about, say, a threat or another phenomenon.
                  However, large volumes of data imply more processing
                  resources needed, especially in extracting meaningful and
                  useful information if the data is highly unstructured. As a
                  result, manual data analysis is often the only choice, with
                  security professionals like pen-testers, reversers and
                  analysts processing data through tedious repetitive
                  operations.
                  
                  Given this situation, and our research lab suffering from
                  similar problems, we have spent the first half of 2017
                  implementing a flexible toolkit based on open-source
                  libraries for efficiently analyzing millions of deface pages
                  and web incidents. Our tool, DefPloreX, uses a combination of
                  machine-learning and visualization techniques to practically
                  turn original unstructured data into meaningful high-level
                  descriptions. Real-time information on incidents, breaches,
                  attacks and vulnerabilities, for example, are efficiently
                  processed and condensed into objects that are easily
                  browsable -- making them suitable for efficient large-scale
                  eCrime forensics and investigations.
                  
                  DefPloreX ingests plain CSV inputs about web incidents to
                  analyze, explores their resources with headless browsers,
                  extracts features from deface pages, and uploads the
                  resulting data to an Elastic index. Distributed headless
                  browsers are coordinated via Celery. Using Python Panda,
                  NumPy and PyTables, DefPloreX provides offline "views" of the
                  data, allowing easy pivoting and exploration. Our toolkit
                  automatically groups similar deface pages in clusters and
                  organizes web incidents in campaigns. Requiring only one
                  pass, clustering is intrinsically parallel and not memory
                  bound. DefPloreX offers text- and web-based UIs, which can be
                  queried using a simple language for investigations and
                  forensics.},
  Location      = {Las Vegas, US},
  URL           = {https://www.blackhat.com/us-17/arsenal.html#defplorex-a-machine-learning-toolkit-for-large-scale-ecrime-forensics},
  Date          = {2017-07-27},
  HowPublished  = {Peer-reviewed Demo},
  File          = {files/talks/balduzzi_defplorexbhus_talk_2017.pdf}
}

@Unpublished{     continella_shieldfsbhus_talk_2017,
  ShortTitle    = {ShieldFSBHUS},
  Author        = {Continella, Andrea and Guagnelli, Alessandro and Zingaro,
                  Giovanni and De Pasquale, Giulio and Barenghi, Alessandro and
                  Zanero, Stefano and Maggi, Federico},
  Title         = {ShieldFS: The Last Word in Ransomware-resilient File
                  Systems},
  EventTitle    = {Black Hat Briefings USA},
  Abstract      = {Preventive and reactive security measures can only partially
                  mitigate the damage caused by modern ransomware attacks. The
                  remarkable amount of illicit profit and the cybercriminals'
                  increasing interest in ransomware schemes demonstrate that
                  current defense solutions are failing, and a large number of
                  users are actually paying the ransoms. In fact,
                  pure-detection approaches (e.g., based on analysis sandboxes
                  or pipelines) are not sufficient, because, when luck allows a
                  sample to be isolated and analyzed, it is already too late
                  for several users! Moreover, modern ransomware implements
                  several techniques to prevent detection by common AV.
                  Similarly, for performance reasons, backups leave a
                  small-but-important window of recent files unprotected.
                  
                  We believe that a forward-looking solution is to equip modern
                  operating systems with generic, practical self-healing
                  capabilities against this serious threat.
                  
                  In this talk, we will present ShieldFS, a drop-in driver that
                  makes the Windows native filesystem immune to ransomware
                  attacks, even when detection fails ShieldFS dynamically
                  toggles a protection layer that acts as a copy-on-write
                  mechanism whenever its detection component reveals suspicious
                  activity. For this, ShieldFS monitors the filesystem's
                  internals to update a set of adaptive models that profile the
                  system activity over time. This detection is based on a study
                  of the filesystem activity of over 2,245 applications, and
                  takes into account the entropy of write operations, frequency
                  of read, write, and folder-listing operations, fraction of
                  files renamed, and the file-type usage statistics.
                  Additionally, ShieldFS monitors the memory pages of each
                  "potentially malicious" process, searching for traces of the
                  typical block cipher key schedules.
                  
                  We will show how ShieldFS can shadow the write operations.
                  Whenever one or more processes violate our detection
                  component, their operations are deemed malicious and the side
                  effects on the filesystem are transparently rolled back.
                  
                  Last, we will demo how effective ShieldFS is against samples
                  from state of the art ransomware families, showing that it is
                  able to detect the malicious activity at runtime and
                  transparently recover all the original files.},
  Location      = {Las Vegas, US},
  URL           = {https://www.blackhat.com/us-17/briefings.html#shieldfs-the-last-word-in-ransomware-resilient-file-systems},
  Date          = {2017-07-27},
  HowPublished  = {Peer-reviewed Talk},
  File          = {files/talks/continella_shieldfsbhus_talk_2017.pdf}
}

@Unpublished{     quarta_robosecbhus_talk_2017,
  ShortTitle    = {RoboSecBHUS},
  Author        = {Quarta, Davide and Pogliani, Marcello and Polino, Mario and
                  Maggi, Federico and Zanero Stefano},
  Title         = {Breaking the Laws of Robotics: Attacking Industrial Robots},
  EventTitle    = {Black Hat Briefings USA},
  Abstract      = {Industrial robots are complex cyber-physical systems used
                  for manufacturing, and a critical component of any modern
                  factory. These robots aren't just electromechanical devices
                  but include complex embedded controllers, which are often
                  interconnected with other computers in the factory network,
                  safety systems, and to the Internet for remote monitoring and
                  maintenance. In this scenario, industrial routers also play a
                  key role, because they directly expose the robot's
                  controller. Therefore, the impact of a single, simple
                  vulnerability can grant attackers an easy entry point.
                  
                  Industrial robots must follow three fundamental laws:
                  accurately "read" from the physical world through sensors and
                  "write" (i.e. perform actions) through actuators, refuse to
                  execute self-damaging control logic, and most importantly,
                  echoing Asimov, never harm humans. By combining a set of
                  vulnerabilities we discovered on a real robot, we will
                  demonstrate how remote attackers are able to violate such
                  fundamental laws up to the point where they can alter the
                  manufactured product, physically damage the robot, steal
                  industry secrets, or injure humans.
                  
                  We will cover in-depth technical aspects (e.g., reverse
                  engineering and vulnerability details, and attack PoCs),
                  alongside a broader discussion on the security posture of
                  industrial routers and robots: Why these devices are
                  attractive for attackers? What could they achieve? Are they
                  hard to compromise? How can their security be improved?},
  Location      = {Las Vegas, US},
  URL           = {https://www.blackhat.com/us-17/briefings.html#breaking-the-laws-of-robotics-attacking-industrial-robots},
  Date          = {2017-07-27},
  HowPublished  = {Peer-reviewed Talk},
  File          = {files/talks/quarta_robosecbhus_talk_2017.pdf}
}

@InProceedings{   palanca_candos_2017,
  ShortTitle    = {CANDoS},
  Author        = {Palanca, Andrea and Evenchick, Eric and Maggi, Federico and
                  Zanero, Stefano},
  Title         = {A Stealth, Selective, Link-Layer Denial-of-Service Attack
                  Against Automotive Networks},
  Publisher     = {Springer International Publishing},
  Editor        = {Polychronakis, Michalis and Meier, Michael},
  BookTitle     = {Proceedings of the 14th International Conference on
                  Detection of Intrusions and Malware, and Vulnerability
                  Assessment (DIMVA)},
  Pages         = {185--206},
  Location      = {Bonn, Germany},
  Abstract      = {Modern vehicles incorporate tens of electronic control units
                  (ECUs), driven by as much as 100,000,000 lines of code. They
                  are tightly interconnected via internal networks, mostly
                  based on the CAN bus standard. Past research showed that, by
                  obtaining physical access to the network or by remotely
                  compromising a vulnerable ECU, an attacker could control even
                  safety-critical inputs such as throttle, steering or brakes.
                  In order to secure current CAN networks from cyberattacks,
                  detection and prevention approaches based on the analysis of
                  transmitted frames have been proposed, and are generally
                  considered the most time- and cost-effective solution, to the
                  point that companies have started promoting aftermarket
                  products for existing vehicles.},
  DOI           = {10.1007/978-3-319-60876-1_9},
  ISBN          = {978-3-319-60876-1},
  Date          = {2017-07-06},
  File          = {files/papers/conference-papers/palanca_candos_2017.pdf}
}

@Article{         continella_prometheus_article_2017,
  ShortTitle    = {Prometheus},
  Author        = {Continella, Andrea and Carminati, Michele and Polino, Mario
                  and Lanzi, Andrea and Zanero, Stefano and Maggi, Federico},
  Title         = {Prometheus: Analyzing WebInject-based information stealers},
  Journal       = {Journal of Computer Security},
  Number        = {Preprint},
  Pages         = {1--21},
  Abstract      = {Nowadays Information stealers are reaching high levels of
                  sophistication. The number of families and variants observed
                  increased exponentially in the last years. Furthermore, these
                  trojans are sold on underground markets along with automatic
                  frameworks that include web-based administration panels,
                  builders and customization procedures. From a technical point
                  of view such malware is equipped with a functionality, called
                  WebInject, that exploits API hooking techniques to intercept
                  all sensitive data in a browser context and modify web pages
                  on infected hosts. In this paper we propose Prometheus, an
                  automatic system that is able to analyze trojans that base
                  their attack technique on DOM modifications. Prometheus is
                  able to identify the injection operations performed by
                  malware, and generate signatures based on the injection
                  behavior. Furthermore, it is able to extract the WebInject
                  targets by using memory forensic techniques. We evaluated
                  Prometheus against real-world, online websites and a dataset
                  of distinct variants of financial trojans. In our experiments
                  we show that our approach correctly recognizes known variants
                  of WebInject-based malware and successfully extracts the
                  WebInject targets. },
  Publisher     = {IOS Press},
  Date          = {2017-05-02},
  File          = {files/papers/journal-papers/continella_prometheus_article_2017.pdf}
}

@InProceedings{   quarta_robosec_2017,
  ShortTitle    = {RoboSec},
  Author        = {Quarta, Davide and Pogliani, Marcello and Polino, Mario and
                  Maggi, Federico and Zanchettin, Andrea Maria and Zanero,
                  Stefano},
  Title         = {An Experimental Security Analysis of an Industrial Robot
                  Controller},
  Publisher     = {ACM},
  BookTitle     = {Proceedings of the 38th IEEE Symposium on Security and
                  Privacy},
  Series        = {S\&P '17},
  Location      = {San Jose, CA},
  Abstract      = {Industrial robots, automated manufacturing, and efficient
                  logistics processes are at the heart of the upcoming fourth
                  industrial revolution. While there are seminal studies on the
                  vulnerabilities of cyber-physical systems in the industry, as
                  of today there has been no systematic analysis of the
                  security of industrial robot controllers. We examine the
                  standard architecture of an industrial robot and analyze a
                  concrete deployment from a systems security standpoint. Then,
                  we propose an attacker model and confront it with the minimal
                  set of requirements that industrial robots should honor:
                  precision in sensing the environment, correctness in
                  execution of control logic, and safety for human operators.
                  Following an experimental and practical approach, we then
                  show how our modeled attacker can subvert such requirements
                  through the exploitation of software vulnerabilities, leading
                  to severe consequences that are unique to the robotics
                  domain. We conclude by discussing safety standards and
                  security challenges in industrial robotics.},
  DOI           = {10.1109/SP.2017.20},
  Date          = {2017-05},
  File          = {files/papers/conference-papers/quarta_robosec_2017.pdf}
}

@TechReport{      maggi_robotswp_tr_2017,
  ShortTitle    = {RobotsWP},
  Author        = {Maggi, Federico and Quarta, Davide and Pogliani, Marcello
                  and Polino, Mario and Zanchettin, Andrea M. and Zanero,
                  Stefano},
  Title         = {Rogue Robots: Testing the Limits of an Industrial Robot’s
                  Security},
  Institution   = {Trend Micro, Inc.},
  Abstract      = {Vulnerabilities in protocols and software running industrial
                  robots are by now widely known, but to date, there has been
                  no in-depth, hands-on research that demonstrates to what
                  extent robots can actually be compromised. For the first
                  time, with this research—a collaboration between
                  Politecnico di Milano (POLIMI) and the Trend Micro
                  Forward-Looking Threat Research (FTR) Team—we have been
                  able to analyze the impact of system-specific attacks and
                  demonstrate attack scenarios on actual standard industrial
                  robots in a controlled environment. In industrial devices,
                  the impact of a single, simple software vulnerability can
                  already have serious consequences. Depending on the actual
                  setup and security posture of the targeted smart factory,
                  attackers could trigger attacks that could amount to massive
                  financial damage to the company in question or at worst, even
                  affect critical goods. Almost all industry sectors that are
                  critical for a nation are potentially at risk.
                  
                  Unfortunately, the Industry 4.0 revolution is just bringing
                  industrial robots closer to the forefront. As improvements in
                  the way industrial robots work and communicate increase their
                  complexity and interconnectedness, the industrial robots
                  sector unlocks a broader attack surface. In our security
                  analysis, we found that the software running on these devices
                  is outdated; based on vulnerable OSs and libraries, sometimes
                  relying on obsolete or cryptographic libraries; and have weak
                  authentication systems with default, unchangeable
                  credentials. Additionally, the Trend Micro FTR Team found
                  tens of thousands of industrial devices residing on public IP
                  addresses, which could include exposed industrial robots,
                  further increasing the risk that an attacker can access and
                  hack them.
                  
                  The impact of vulnerabilities, for example on robots, is what
                  makes our findings a very loud wake-up call for the
                  industrial control systems (ICS) sector. To quantify such
                  impact, our security analysis revealed that industrial robots
                  must follow three fundamental laws—accurately “read”
                  from the physical world through sensors and “write”
                  (i.e., perform actions) through motors and tools, refuse to
                  execute self-damaging control logic, and most importantly,
                  echo one of the “Laws of Robotics” (devised by Isaac
                  Asimov, a popular science writer) to never harm humans. Then,
                  by combining the set of vulnerabilities that we discovered on
                  a real, standard robot installed in our laboratory, we
                  demonstrated how remote attackers can violate such
                  fundamental laws up to the point where they can alter or
                  introduce minor defects in the manufactured product,
                  physically damage the robot, steal industry secrets, or
                  injure humans. We then considered some threat scenarios on
                  how attackers capitalized on these attacks, as in an act of
                  sabotage or a ransomware-like scheme.
                  
                  On the one hand, industrial devices are designed according to
                  strict physical security and safety standards in order to
                  work in rough conditions with extreme temperature ranges,
                  vibrations, and electromagnetic noise. On the other, because
                  of the ubiquity and flexibility demanded by the Industry 4.0
                  trend, industrial devices are being designed to be flexible,
                  easy to deploy, and to not necessarily require any special
                  security or IT skills. These opposing design requirements
                  make producers very prone to introducing software bugs.
                  
                  Rather than concluding this paper with a classic checklist
                  for ICS vendors, we reflected on reasons why the situation
                  has not changed much over the years. Thus, we provided a
                  series of research and engineering challenges that we believe
                  will make a difference in the journey to secure the Industry
                  4.0 ecosystem. On this journey toward improving the security
                  posture of robots in the Industry 4.0 setting, we also began
                  reaching out to vendors, among whom ABB Robotics stood out in
                  that it readily welcomed suggestions we had to offer and even
                  started working on a response plan that will affect its
                  current product line without losing time.},
  Date          = {2017-05},
  URL           = {https://documents.trendmicro.com/assets/wp/wp-industrial-robot-security.pdf},
  Series        = {Research Papers},
  Publisher     = {TrendLabs},
  File          = {files/papers/reports/maggi_robotswp_tr_2017.pdf}
}

@InProceedings{   mavroudis_ubeacsec_2017,
  ShortTitle    = {uBeacSec},
  Author        = {Mavroudis, Vasilios and Hao, Shuang and Fratantonio, Yanick
                  and Maggi, Federico and Kruegel, Christopher and Vigna,
                  Giovanni},
  Title         = {On the Privacy and Security of the Ultrasound Ecosystem},
  Publisher     = {DE GRUYTER},
  BookTitle     = {Proceedings of the 17th Privacy Enhancing Technologies
                  Symposium},
  Series        = {PETS '17},
  Pages         = {95--112},
  Location      = {Minneapolis, USA},
  Abstract      = {Nowadays users often possess a variety of electronic devices
                  for communication and entertainment. In particular,
                  smartphones are playing an increasingly central role in
                  users’ lives: Users carry them everywhere they go and often
                  use them to control other devices. This trend provides
                  incentives for the industry to tackle new challenges, such as
                  cross-device authentication, and to develop new monetization
                  schemes. A new technology based on ultrasounds has recently
                  emerged to meet these demands. Ultrasound technology has a
                  number of desirable features: it is easy to deploy, flexible,
                  and inaudible by humans. This technology is already utilized
                  in a number of different real-world applications, such as
                  device pairing, proximity detection, and cross-device
                  tracking.
                  
                  This paper examines the different facets of ultrasound-based
                  technology. Initially, we discuss how it is already used in
                  the real world, and subsequently examine this emerging
                  technology from the privacy and security perspectives. In
                  particular, we first observe that the lack of OS features
                  results in violations of the principle of least privilege: an
                  app that wants to use this technology currently needs to
                  require full access to the device microphone. We then analyse
                  real-world Android apps and find that tracking techniques
                  based on ultrasounds suffer from a number of vulnerabilities
                  and are susceptible to various attacks. For example, we show
                  that ultrasound cross-device tracking deployments can be
                  abused to perform stealthy deanonymization attacks (e.g., to
                  unmask users who browse the Internet through anonymity
                  networks such as Tor), to inject fake or spoofed audio
                  beacons, and to leak a user’s private information.
                  
                  Based on our findings, we introduce several defense
                  mechanisms. We first propose and implement immediately
                  deployable defenses that empower practitioners, researchers,
                  and everyday users to protect their privacy. In particular,
                  we introduce a browser extension and an Android permission
                  that enable the user to selectively suppress frequencies
                  falling within the ultrasonic spectrum. We then argue for the
                  standardization of ultrasound beacons, and we envision a
                  flexible OS-level API that addresses both the effortless
                  deployment of ultrasound-enabled applications, and the
                  prevention of existing privacy and security problems.},
  DOI           = {10.1515/popets-2017-0018},
  Date          = {2017-04-04},
  File          = {files/papers/conference-papers/mavroudis_ubeacsec_2017.pdf}
}

@Thesis{          moriggia_thesis_2016,
  Author        = {Moriggia, Alex},
  Title         = {Cerberus from the proof of concept to the real system},
  Date          = {2016-12-21},
  Institution   = {Politecnico di Milano},
  URL           = {https://hdl.handle.net/10589/134579}
}

@InProceedings{   continella_shieldfs_2016,
  ShortTitle    = {ShieldFS},
  Author        = {Continella, Andrea and Guagnelli, Alessandro and Zingaro,
                  Giovanni and De Pasquale, Giulio and Barenghi, Alessandro and
                  Zanero, Stefano and Maggi, Federico},
  Title         = {ShieldFS: A Self-healing, Ransomware-aware Filesystem},
  Publisher     = {ACM},
  BookTitle     = {Proceedings of the 32nd Annual Computer Security
                  Applications Conference},
  Series        = {ACSAC '16},
  Pages         = {336--347},
  Location      = {Los Angeles, USA},
  Abstract      = {Preventive and reactive security measures can only partially
                  mitigate the damage caused by modern ransomware attacks.
                  Indeed, the remarkable amount of illicit profit and the
                  cybercriminals’ increasing interest in ransomware schemes
                  suggest that a fair number of users are actually paying the
                  ransoms. Unfortunately, pure-detection approaches (e.g.,
                  based on analysis sandboxes or pipelines) are not sufficient
                  nowadays, because often we do not have the luxury of being
                  able to isolate a sample to analyze, and when this happens it
                  is already too late for several users! We believe that a
                  forwardlooking solution is to equip modern operating systems
                  with practical self-healing capabilities against this serious
                  threat. Towards such a vision, we propose ShieldFS, an add-on
                  driver that makes the Windows native filesystem immune to
                  ransomware attacks. For each running process, ShieldFS
                  dynamically toggles a protection layer that acts as a
                  copy-onwrite mechanism, according to the outcome of its
                  detection component. Internally, ShieldFS monitors the
                  low-level filesystem activity to update a set of adaptive
                  models that profile the system activity over time. Whenever
                  one or more processes violate these models, their operations
                  are deemed malicious and the side effects on the filesystem
                  are transparently rolled back.
                  
                  We designed ShieldFS after an analysis of billions of
                  low-level, I/O filesystem requests generated by thousands of
                  benign applications, which we collected from clean machines
                  in use by real users for about one month. This is the first
                  measurement on the filesystem activity of a large set of
                  benign applications in real working conditions. We evaluated
                  ShieldFS in real-world working conditions on real, personal
                  machines, against samples from state of the art ransomware
                  families. ShieldFS was able to detect the malicious activity
                  at runtime and transparently recover all the original files.
                  Although the models can be tuned to fit various filesystem
                  usage profiles, our results show that our initial tuning
                  yields high accuracy even on unseen samples and variants.},
  DOI           = {10.1145/2991079.2991110},
  ISBN          = {978-1-4503-4771-6},
  numpages      = {12},
  Date          = {2016-12},
  File          = {files/papers/conference-papers/continella_shieldfs_2016.pdf}
}

@Unpublished{     mavroudis_silverdogbh_talk_2016,
  ShortTitle    = {SilverDogBH},
  Author        = {Mavroudis, Vasilios and Hao, Shuang and Fratantonio, Yanick
                  and Maggi, Federico and Vigna, Giovanni and Kruegel,
                  Christopher},
  Title         = {Talking Behind Your Back: Attacks and Countermeasures of
                  Ultrasonic Cross-Device Tracking},
  EventTitle    = {Black Hat Briefings Europe},
  Abstract      = {Cross-device tracking (XDT) technologies are currently the
                  ``Holy Grail'' for marketers because they allow to track the
                  user's visited content across different devices to then push
                  relevant, more targeted content. For example, if a user
                  clicks on a particular advertisement while browsing the web
                  at home, the advertisers are very interested in collecting
                  this information to display, later on, related advertisements
                  on other devices belonging to the same user (e.g., phone,
                  tablet).
                  
                  Currently, the most recent innovation in this area is
                  ultrasonic cross-device tracking (uXDT), which is the use of
                  the ultrasonic spectrum as a communication channel to "pair"
                  devices for the aforementioned tracking purposes.
                  Technically, this pairing happens through a receiver
                  application installed on the phone or tablet. The business
                  model is that users will receive rewards or useful services
                  for keeping those apps active, pretty much like it happens
                  for proximity-marketing apps (e.g., Shopkick), where users
                  receive deals for walk-ins recorded by their
                  indoor-localizing apps.
                  
                  This talk will describe and demonstrate the practical
                  security and privacy risks that arise with the adoption of
                  uXDT-enabled systems. The uXDT technology has caught the
                  attention of major companies (e.g., IDG Ventures, Google,
                  Nestle, Dominos), many of which either invested in uXDT
                  providers (e.g., SilverPush, Signal360, Audible Magic), or
                  approached such companies as clients. Unfortunately,
                  unbeknownst to the users, we found that numerous mobile
                  applications, some with millions of downloads, include uXDT
                  advertising frameworks that actively listen for ultrasounds,
                  with no opt-out option for the users! Security experts and
                  the authorities (e.g., the Federal Trade Commission) have
                  promptly raised concerns about uXDT, but until now no
                  comprehensive security analysis of the technology has been
                  released.
                  
                  In this talk, we will explore the uXDT ecosystem, dig into
                  the inner workings of popular uXDT frameworks, and perform an
                  in-depth technical analysis of the underlying technology,
                  exposing both implementation \& design vulnerabilities, and
                  critical security \& privacy shortcomings that we discovered.
                  In the offensive part of our talk, we will demonstrate
                  (through practical demo sessions) how an attacker can exploit
                  uXDT frameworks to reveal the true IP addresses of users who
                  browse the Internet through anonymity networks (e.g., VPNs or
                  Tor). Moreover, we will describe how an attacker can tamper
                  with the "pairing" process or affect the results of the
                  advertising/bidding algorithms. For example, an attacker
                  equipped with a simple beacon-emitting device (e.g., a
                  smartphone) can walk into a Starbucks at peak hour and launch
                  a profile-corruption attack against all customers currently
                  taking advantage of uXDT-enabled apps.
                  
                  In the defensive part of our talk, we will introduce three
                  countermeasures that we designed, implemented, and will
                  publicly release. These include (1) a mobile application that
                  detects ultrasound beacons "in the air" with the goal of
                  raising awareness, (2) a browser extension that acts as a
                  personal firewall by selectively filtering ultrasonic
                  beacons, and (3) an brand-new OS permission control in
                  Android that allows applications to declaratively ask access
                  to the ultrasound spectrum. We will go into the technical
                  details and provide remediation advice useful both for the
                  users and developers.},
  Location      = {London, UK},
  URL           = {https://blackhat.com/eu-16/briefings/schedule/#talking-behind-your-back-attacks-and-countermeasures-of-ultrasonic-cross-device-tracking-4864},
  Date          = {2016-11-03},
  HowPublished  = {Peer-reviewed Talk},
  File          = {files/talks/mavroudis_silverdogbh_talk_2016.pdf}
}

@Unpublished{     maggi_greateatlonbheu_talk_2016,
  ShortTitle    = {GreatEatlonBHEU},
  Author        = {Maggi, Federico and Zanero, Stefano},
  Title         = {Pocket-sized Badness: Why Ransomware Comes as a Plot Twist
                  in the Cat-Mouse Game},
  EventTitle    = {Black Hat Briefings Europe},
  Abstract      = {While we have grown accustomed to stealthy malware,
                  specifically written to gain and maintain control of the
                  victim machines to abuse their resources, ransomware really
                  comes as a "plot twist"! After 10+ years of stealthy malware,
                  spread mainly for building botnets and steal information, for
                  the second time we're witnessing a growth of disruptive
                  malware, and an interest for direct and fast profit.
                  Ransomware is a particularly striking example of disruptive
                  malware, both on mobile and desktop targets: While
                  traditional mass malware must fly under the radar to fulfill
                  its goals, a ransomware attack that remains unaccountable has
                  failed miserably. It must show up to inform and frighten the
                  victim! As a result, the human psychological response to the
                  attack plays a significant role in the success of ransomware
                  schemes. And, given the remarkable revenue, the scheme seems
                  to be working fairly well.
                  
                  This talk will describe the technical impact of disruptive
                  malware and its game-changing approach, which made us (at
                  least) rethink our incident-response plans. We will focus on
                  mobile ransomware as a representative, extreme case study.
                  Albeit not very studied, we are currently tracking 10
                  distinct families, and collected tenths of thousands distinct
                  samples in three months. In this talk, we will go through the
                  most notorious families such as Koler, SLocker, Svpeng (and
                  mention the other notable ones), overviewing their
                  social-engineering tricks and how they are technically
                  implemented. This will include, for instance, how an app can
                  effectively lock a device to forcefully display the typical
                  threatening message that informs the victim of what just
                  happened, or how crypto and file-system APIs are (ab)used to
                  surreptitiously encrypt the valuable data.
                  
                  After having overviewed these aspects, we will describe how
                  they can be effectively detected with specific static
                  features. We will present a lightweight Smali emulator to
                  track the instruction sequences that implement device-locking
                  mechanisms. To detect malicious encryption attempts, we will
                  present a static, dataflow-based program-analysis technique
                  and tool that track file-system operations (e.g., file
                  listing, file reading) to determine if they are "connected"
                  to encryption flows. Since the most recent families have
                  started to abuse the device-administration API (e.g., to lock
                  the device), obfuscated method names and reflection to hinder
                  automatic static analysis, we will show a couple of
                  counter-tricks. Last, we will show how the threatening
                  messages can be recognized from normal text using a
                  language-analysis technique, which classifies text based on
                  the appearance of key terms frequently found in ransomware
                  samples but not in benign sources. Since static
                  program-analysis approaches like ours can be time and
                  resource consuming, we describe a fast triaging pre-filtering
                  technique to quickly discard strikingly benign applications.
                  This filter is generic and ransomware-agnostic. Thus, in
                  principle, it could be applied to any app-vetting pipeline.
                  
                  With this talk we will release the source code of a prototype
                  that implements (part of) the described techniques, and a
                  dataset comprising tenths of thousands of ransomware
                  applications targeting the Android platform, each labeled
                  with the set of features that characterize their
                  statically-extracted behavior.},
  Location      = {London, UK},
  URL           = {https://www.blackhat.com/eu-16/briefings.html},
  Date          = {2016-11-03},
  HowPublished  = {Peer-reviewed Talk},
  File          = {files/talks/maggi_greateatlonbheu_talk_2016.pdf}
}

@InProceedings{   zheng_greateatlon_2016,
  ShortTitle    = {GreatEatlon},
  Author        = {Zheng, Chenghyu and Della Rocca, Nicola and Andronio,
                  Niccolò and Zanero, Stefano and Maggi Federico},
  Title         = {GreatEatlon: Fast, Static Detection of Mobile Ransomware},
  Pages         = {617--636},
  Location      = {Guangzhou, People's Republic of China},
  Abstract      = {Ransomware is a class of malware that aim at preventing
                  victims from accessing valuable data, typically via data
                  encryption or device locking, and ask for a payment to
                  release the target. In the past year, instances of ransomware
                  attacks have been spotted on mobile devices too. However,
                  despite their relatively low infection rate, we notice that
                  the techniques used by mobile ransomware are quite
                  sophisticated, and different from those used by ransomware
                  against traditional computers.
                  
                  Through an in-depth analysis of about 100 samples of
                  currently active ransomware apps, we conclude that most of
                  them pass undetected by state-of-the-art tools, which are
                  unable to recognize the abuse of benign features for
                  malicious purposes. The main reason is that such tools rely
                  on an inadequate and incomplete set of features. The most
                  notable examples are the abuse of reflection and
                  device-administration APIs, appearing in modern ransomware to
                  evade analysis and detection, and to elevate their privileges
                  (e.g., to lock or wipe the device). Moreover, current
                  solutions introduce several false positives in the na ̈ıve
                  way they detect cryptographic-APIs abuse, flagging goodware
                  apps as ransomware merely because they rely on cryptographic
                  libraries. Last but not least, the performance overhead of
                  current approaches is unacceptable for appstore-scale
                  workloads.
                  
                  In this work, we tackle the aforementioned limitations and
                  propose GreatEatlon, a next-generation mobile ransomware
                  detector. We foresee GreatEatlon deployed on the appstore
                  side, as a preventive countermeasure. At its core,
                  GreatEatlon uses static program-analysis techniques to
                  ``resolve'' reflection-based, anti-analysis attempts, to
                  recognize abuses of the device administration API, and
                  extract accurate data-flow information required to detect
                  truly malicious uses of cryptographic APIs. Given the
                  significant resources utilized by Great- Eatlon, we prepend
                  to its core a fast pre-filter that quickly discards obvious
                  goodware, in order to avoid wasting computer cycles.
                  
                  We tested GreatEatlon on thousands of samples of goodware,
                  generic malware and ransomware applications, and showed that
                  it surpasses current approaches both in speed and detection
                  capabilities, while keeping the false negative rate below
                  1.3\%. },
  DOI           = {10.1007/978-3-319-59608-2_34},
  ISBN          = {978-3-319-59608-2},
  Date          = {2016-10-10},
  File          = {files/papers/conference-papers/zheng_greateatlon_2016.pdf}
}

@InProceedings{   zheng_openst_2016,
  ShortTitle    = {OpenST},
  Author        = {Zheng, Chenghyu and Dalla Preda, Mila and Granjal, Jorge and
                  Zanero, Stefano and Maggi, Federico},
  Title         = {On-Chip System Call Tracing: A Feasibility Study and Open
                  Prototype},
  BookTitle     = {IEEE Conference on Communications and Network Security
                  (CNS)},
  Pages         = {73-81},
  Location      = {Philadelphia, US},
  Abstract      = {Several tools for program tracing and introspection exist.
                  These tools can be used to analyze potentially malicious or
                  untrusted programs. In this setting, it is important to
                  prevent that the target program determines whether it is
                  being traced or not. This is typically achieved by minimizing
                  the code of the introspection routines and any artifact or
                  side-effect that the program can leverage. Indeed, the most
                  recent approaches consist of lightly instrumented operating
                  systems or thin hypervisors running directly on bare metal.
                  
                  Following this research trend, we investigate the feasibility
                  of transparently tracing a Linux/ARM program without
                  modifying the software stack, while keeping the analysis cost
                  and flexibility compatible with state of the art emulation-
                  or bare-metal-based approaches. As for the typical program
                  tracing task, our goal is to reconstruct the stream of system
                  call invocations along with the respective un-marshalled
                  arguments.
                  
                  We propose to leverage the availability of on-chip debugging
                  interfaces of modern ARM systems, which are accessible via
                  JTAG. More precisely, we developed OpenST, an open-source
                  prototype tracer that allowed us to analyze the performance
                  overhead and to assess the transparency with respect to
                  evasive, real-world malicious programs. OpenST has two
                  tracing modes: In-kernel dynamic tracing and external
                  tracing. The in-kernel dynamic tracing mode uses the JTAG
                  interface to ``hot-patch'' the system calls at runtime,
                  injecting introspection code. This mode is more transparent
                  than emulator based approaches, but assumes that the traced
                  program does not have access to the kernel memory where the
                  introspection code is loaded. The external tracing mode
                  removes this assumption by using the JTAG interface to manage
                  hardware breakpoints.
                  
                  Our tests show that OpenST's greater transparency comes at
                  the price of a steep performance penalty. However, with a
                  cost model, we show that OpenST scales better than the state
                  of the art, bare-metal-based approach, while remaining
                  equally stealthy to evasive malware.},
  DOI           = {10.1109/CNS.2016.7860472},
  Date          = {2016-10},
  File          = {files/papers/conference-papers/zheng_openst_2016.pdf}
}

@Article{         dalla-preda_aamo_article_2016,
  ShortTitle    = {AAMO},
  Author        = {Dalla Preda, Mila and Maggi, Federico},
  Title         = {Testing android malware detectors against code obfuscation:
                  a systematization of knowledge and unified methodology},
  Journal       = {Journal of Computer Virology and Hacking Techniques},
  Pages         = {1--24},
  Abstract      = {The authors of mobile-malware have started to leverage
                  program protection techniques to circumvent anti-viruses, or
                  simply hinder reverse engineering. In response to the
                  diffusion of anti-virus applications, several researches have
                  proposed a plethora of analyses and approaches to highlight
                  their limitations when malware authors employ
                  program-protection techniques. An important contribution of
                  this work is a systematization of the state of the art of
                  anti-virus apps, comparing the existing approaches and
                  providing a detailed analysis of their pros and cons. As a
                  result of our systematization, we notice the lack of openness
                  and reproducibility that, in our opinion, are crucial for any
                  analysis methodology. Following this observation, the second
                  contribution of this work is an open, reproducible, rigorous
                  methodology to assess the effectiveness of mobile anti-virus
                  tools against code-transformation attacks. Our unified
                  workflow, released in the form of an open-source prototype,
                  comprises a comprehensive set of obfuscation operators. It is
                  intended to be used by anti-virus developers and vendors to
                  test the resilience of their products against a large dataset
                  of malware samples and obfuscations, and to obtain insights
                  on how to improve their products with respect to particular
                  classes of code-transformation attacks.},
  DOI           = {10.1007/s11416-016-0282-2},
  ISSN          = {2263-8733},
  URL           = {http://dx.doi.org/10.1007/s11416-016-0282-2},
  Date          = {2016-09-20},
  File          = {files/papers/journal-papers/dalla-preda_aamo_article_2016.pdf}
}

@InProceedings{   mambretti_trellis_2016,
  ShortTitle    = {Trellis},
  Author        = {Mambretti, Andrea and Onarlioglu, Kaan and Mulliner, Collin
                  and Robertson, William and Kirda, Engin and Maggi, Federico
                  and Zanero, Stefano},
  Title         = {Trellis: Privilege Separation for Multi-User Applications
                  Made Easy},
  BookTitle     = {International Symposium on Research in Attacks, Intrusions
                  and Defenses (RAID)},
  Pages         = {437--456},
  Location      = {Paris, France},
  Abstract      = {Operating systems provide a wide variety of resource
                  isolation and access control mechanisms, ranging from
                  traditional user-based security models to fine-grained
                  permission systems as found in modern mobile operating
                  systems. However, comparatively little assistance is
                  available for defining and enforcing access control policies
                  within multiuser applications. These applications, often
                  found in enterprise environments, allow multiple users to
                  operate at different privilege levels in terms of exercising
                  application functionality and accessing data. Developers of
                  such applications bear a heavy burden in ensuring that
                  security policies over code and data in this setting are
                  properly expressed and enforced. We present Trellis, an
                  approach for expressing hierarchical access control policies
                  in applications and enforcing these policies during
                  execution. The approach enhances the development toolchain to
                  allow programmers to partially annotate code and data with
                  simple privilege level tags, and uses a static analysis to
                  infer suitable tags for the entire application. At runtime,
                  policies are extracted from the resulting binaries and are
                  enforced by a modified operating system kernel. Our
                  evaluation demonstrates that this approach effectively
                  supports the development of secure multi-user applications
                  with modest runtime performance overhead.},
  DOI           = {10.1007/978-3-319-45719-2_20},
  Date          = {2016-09},
  File          = {files/papers/conference-papers/mambretti_trellis_2016.pdf}
}

@Thesis{          della-rocca_thesis_2016,
  Author        = {Della Rocca, Nicola},
  Title         = {Talos: precise and fast detection of modern mobile
                  ransomware},
  Date          = {2016-07-28},
  Institution   = {Politecnico di Milano},
  URL           = {https://hdl.handle.net/10589/123871}
}

@Thesis{          rodi_thesis_2016,
  Author        = {Rodi, Samuele},
  Title         = {Apollo: Eliciting and analyzing advanced WebInject-based
                  malware},
  Date          = {2016-07-27},
  Institution   = {Politecnico di Milano},
  URL           = {https://hdl.handle.net/10589/122746}
}

@Thesis{          wu_thesis_2016,
  Author        = {Wu, Jiang},
  Title         = {Three-factor, ECG-based authentication: Security analysis of
                  the Nymi wristband},
  Date          = {2016-04-27},
  Institution   = {Politecnico di Milano},
  URL           = {https://hdl.handle.net/10589/120485}
}

@Unpublished{     maggi_banksealer_talk_2016,
  ShortTitle    = {BankSealer},
  Author        = {Maggi, Federico},
  Title         = {Fast and Transparent Online Banking Fraud Detection and
                  Investigation},
  EventTitle    = {Hek.si},
  Location      = {Ljubljana, Slovenia},
  Date          = {2016-04-15},
  HowPublished  = {Invited Talk},
  File          = {files/talks/maggi_banksealer_talk_2016.pdf}
}

@InProceedings{   coletta_droydseuss_2016,
  ShortTitle    = {DroydSeuss},
  Author        = {Coletta, Alberto and Van der Veen, Victor and Maggi,
                  Federico},
  Title         = {DroydSeuss: A Mobile Banking Trojan Tracker - Short Paper},
  Publisher     = {Springer Berlin Heidelberg},
  BookTitle     = {Financial Cryptography and Data Security},
  Series        = {Lecture Notes in Computer Science (LNCS)},
  Abstract      = {After analyzing several Android mobile banking trojans, we
                  observed the presence of repetitive artifacts that describe
                  valuable information about the distribution of this class of
                  malicious apps. Motivated by the high threat level posed by
                  mobile banking trojans and by the lack of publicly available
                  analysis and intelligence tools, we automated the extraction
                  of such artifacts and created a malware tracker named
                  DroydSeuss. DroydSeuss first processes applications both
                  statically and dynamically, extracting relevant strings that
                  contain traces of communication endpoints. Second, it
                  prioritizes the extracted strings based on the APIs that
                  manipulate them. Finally, DroydSeuss correlates the endpoints
                  with descriptive metadata from the samples, providing
                  aggregated statistics, raw data, and cross-sample information
                  that allow researchers to pinpoint relevant groups of
                  applications. We connected DroydSeuss to the VirusTotal daily
                  feed, consuming Android samples that perform banking-trojan
                  activity. We manually analyzed its output and found
                  supporting evidence to confirm its correctness. Remarkably,
                  the most frequent itemset unveiled a campaign currently
                  spreading against Chinese and Korean bank customers.
                  
                  Although motivated by mobile banking trojans, DroydSeuss can
                  be used to analyze the communication behavior of any
                  suspicious application.},
  Date          = {2016-02},
  File          = {files/papers/conference-papers/coletta_droydseuss_2016.pdf}
}

@InProceedings{   falsina_grabnrun_2015,
  ShortTitle    = {GrabNRun},
  Author        = {Falsina, Luca and Fratantonio, Yanick and Zanero, Stefano
                  and Kruegel, Christopher and Vigna, Giovanni and Maggi,
                  Federico},
  Title         = {Grab 'n Run: Secure and Practical Dynamic Code Loading for
                  Android Applications},
  Publisher     = {ACM},
  BookTitle     = {Proceedings of the 31st Annual Computer Security
                  Applications Conference},
  Series        = {ACSAC '15},
  Pages         = {201--210},
  Location      = {Los Angeles, USA},
  Abstract      = {Android introduced the dynamic code loading (DCL) mechanism
                  to allow for code reuse, to achieve extensibility, to enable
                  updating functionalities or to boost application start- up
                  performance. In spite of its wide adoption by developers,
                  implementing DCL in a secure way is challenging, leading to
                  serious vulnerabilities such as remote code injection.
                  Previous academic and community attempts at solving this
                  problem are unfortunately either impractical or incomplete,
                  or in some cases exhibit vulnerabilities. In this paper, we
                  propose, design, implement and test Grab 'n Run, a novel code
                  verification protocol and a series of supporting libraries,
                  APIs, and components, that address the problem by abstracting
                  away from the developer challenging implementation details.
                  Grab 'n Run is designed to be practical: among its tools, it
                  provides a drop-in library, which requires no modifications
                  to the Android framework or the underlying Dalvik/ART
                  runtime, is very similar to the native API, and most code can
                  be automatically rewritten to use it. Grab 'n Run also
                  contains an application rewriting tool, which allows easy
                  porting of existing applications to use the secure API of its
                  library. We evaluate Grab 'n Run library with a user study,
                  obtaining impressive results in vulnerability reduction, ease
                  of use and speed of development. We also show that the
                  performance overhead introduced by our library is negligible.
                  The library is released as free software.},
  DOI           = {10.1145/2818000.2818042},
  ISBN          = {978-1-4503-3682-6},
  numpages      = {10},
  Date          = {2015-12},
  File          = {files/papers/conference-papers/falsina_grabnrun_2015.pdf}
}

@Unpublished{     maggi_mobilemalware_talk_2015,
  ShortTitle    = {MobileMalware},
  Author        = {Maggi, Federico and Fratantonio, Yanick},
  Title         = {Malware on Mobile: The What, The Why, and The How},
  EventTitle    = {Science and Engineering Council of Santa Barbara},
  Location      = {Santa Barbara, CA},
  Date          = {2015-11-11},
  HowPublished  = {Invited Talk},
  File          = {files/talks/maggi_mobilemalware_talk_2015.pdf}
}

@Article{         valdi_andrototal_article_2015,
  ShortTitle    = {AndroTotal},
  Author        = {Valdi, Andrea and Lever, Eros and Benefico, Simone and
                  Quarta, Davide and Zanero, Stefano and Maggi, Federico},
  Title         = {Scalable Testing of Mobile Antivirus Applications},
  JournalTitle  = {Computer},
  Volume        = {48},
  Number        = {11},
  Pages         = {60--68},
  Abstract      = {AndroTotal, a scalable antivirus evaluation system for
                  mobile devices, creates reproducible, self-contained testing
                  environments for each antivirus application and malware pair
                  and stores them in a repository, benefiting both the research
                  community and Android device users.},
  DOI           = {10.1109/MC.2015.320},
  ISSN          = {0018-9162},
  Date          = {2015-11},
  File          = {files/papers/journal-papers/valdi_andrototal_article_2015.pdf}
}

@InProceedings{   andronio_heldroid_2015,
  ShortTitle    = {HelDroid},
  Author        = {Andronio, Niccolò and Zanero, Stefano and Maggi, Federico},
  Title         = {HelDroid: Dissecting and Detecting Mobile Ransomware},
  BookTitle     = {International Symposium on Research in Attacks, Intrusions
                  and Defenses (RAID)},
  Volume        = {9404},
  Series        = {Lecture Notes in Computer Science},
  Pages         = {382--404},
  Location      = {Kyoto, Japan},
  Abstract      = {In ransomware attacks, the actual target is the human, as
                  opposed to the classic attacks that abuse the infected
                  devices (e.g., botnet renting, information stealing). Mobile
                  devices are by no means immune to ransomware attacks.
                  However, there is little research work on this matter and
                  only traditional protections are available. Even
                  state-of-the-art mobile malware detection approaches are
                  ineffective against ransomware apps because of the subtle
                  attack scheme. As a consequence, the ample attack surface
                  formed by the billion mobile devices is left unprotected.
                  First, in this work we summarize the results of our analysis
                  of the existing mobile ransomware families, describing their
                  common characteristics. Second, we present HelDroid, a fast,
                  efficient and fully automated approach that recognizes known
                  and unknown scareware and ransomware samples from goodware.
                  Our approach is based on detecting the ``build- ing blocks''
                  that are typically needed to implement a mobile ransomware
                  application. Specifically, HelDroid detects, in a generic
                  way, if an app is attempting to lock or encrypt the device
                  without the user’s consent, and if ransom requests are
                  displayed on the screen. Our technique works without
                  requiring that a sample of a certain family is available
                  beforehand. We implemented HelDroid and tested it on
                  real-world Android ransomware samples. On a large dataset
                  comprising hundreds of thousands of APKs including goodware,
                  malware, scareware, and ransomware, HelDroid exhibited nearly
                  zero false positives and the capability of recognizing
                  unknown ransomware samples. },
  DOI           = {10.1007/978-3-319-26362-5_18},
  Date          = {2015-10},
  File          = {files/papers/conference-papers/andronio_heldroid_2015.pdf}
}

@InProceedings{   ilia_faceoff_2015,
  ShortTitle    = {FaceOff},
  Author        = {Ilia, Panagiotis and Polakis, Iasonas and Athanasopoulos,
                  Elias and Maggi, Federico and Ioannidis, Sotiris},
  Title         = {Face/Off: Preventing Privacy Leakage From Photos in Social
                  Networks},
  Publisher     = {ACM},
  BookTitle     = {Proceedings of the 22Nd ACM SIGSAC Conference on Computer
                  and Communications Security},
  Series        = {CCS '15},
  Pages         = {781--792},
  Location      = {New York, NY, USA},
  Abstract      = {The capabilities of modern devices, coupled with the almost
                  ubiquitous availability of Internet connectivity, have
                  resulted in photos being shared online at an unprecedented
                  scale. This is further amplified by the popularity of social
                  networks and the immediacy they offer in content sharing.
                  Existing access control mechanisms are too coarse-grained to
                  handle cases of conflicting interests between the users
                  associated with a photo; stories of embarrassing or
                  inappropriate photos being widely accessible have become
                  quite common. In this paper, we propose to rethink access
                  control when applied to photos, in a way that allows us to
                  effectively prevent unwanted individuals from recognizing
                  users in a photo. The core concept behind our approach is to
                  change the granularity of access control from the level of
                  the photo to that of a user's personally identifiable
                  information (PII). In this work, we consider the face as the
                  PII. When another user attempts to access a photo, the system
                  determines which faces the user does not have the permission
                  to view, and presents the photo with the restricted faces
                  blurred out. Our system takes advantage of the existing face
                  recognition functionality of social networks, and can
                  interoperate with the current photo-level access control
                  mechanisms. We implement a proof-of-concept application for
                  Facebook, and demonstrate that the performance overhead of
                  our approach is minimal. We also conduct a user study to
                  evaluate the privacy offered by our approach, and find that
                  it effectively prevents users from identifying their contacts
                  in 87.35\% of the restricted photos. Finally, our study
                  reveals the misconceptions about the privacy offered by
                  existing mechanisms, and demonstrates that users are positive
                  towards the adoption of an intuitive, straightforward access
                  control mechanism that allows them to manage the visibility
                  of their face in published photos.},
  DOI           = {10.1145/2810103.2813603},
  ISBN          = {978-1-4503-3832-5},
  Date          = {2015-10},
  URL           = {http://doi.acm.org/10.1145/2810103.2813603},
  File          = {files/papers/conference-papers/ilia_faceoff_2015.pdf}
}

@Thesis{          zheng_thesis_2015,
  Author        = {Zheng, Chengyu},
  Title         = {OpenST: Feasibility Study and Prototype of a Low-cost
                  Hardware-based System Call Tracer},
  Date          = {2015-09-30},
  Institution   = {Politecnico di Milano},
  URL           = {https://hdl.handle.net/10589/112609}
}

@Thesis{          uliana_thesis_2015,
  Author        = {Uliana, Emanuele and Rizzo, Claudio},
  Title         = {DriveDroid: a remote execution environment and UI exerciser
                  for Android malware analysis},
  Date          = {2015-09-30},
  Institution   = {Politecnico di Milano},
  URL           = {https://hdl.handle.net/10589/111721}
}

@Thesis{          danelli_thesis_2015,
  Author        = {Danelli, Matteo},
  Title         = {ADMIRE: Android Developers \& Marketplaces Intelligence and
                  Reputation Engine},
  Date          = {2015-09-30},
  Institution   = {Politecnico di Milano},
  URL           = {https://hdl.handle.net/10589/112003}
}

@Unpublished{     maggi_droydseuss_talk_2015,
  ShortTitle    = {DroydSeuss},
  Author        = {Maggi, Federico},
  Title         = {A walk through the construction of the first mobile malware
                  tracker},
  EventTitle    = {Android Security Symposium},
  Location      = {Vienna, Austria},
  Date          = {2015-09-11},
  URL           = {https://usmile.at/symposium/program},
  HowPublished  = {Invited Talk},
  File          = {files/talks/maggi_droydseuss_talk_2015.pdf}
}

@Thesis{          mazzoni_thesis_2015,
  Author        = {Mazzoni, Simone},
  Title         = {PANDORA: a flexible and transparent Windows native API
                  tracer},
  Date          = {2015-07-28},
  Institution   = {Politecnico di Milano},
  URL           = {https://hdl.handle.net/10589/108691}
}

@InProceedings{   polino_jackdaw_2015,
  ShortTitle    = {Jackdaw},
  Author        = {Polino, Mario and Scorti, Andrea and Maggi, Federico and
                  Zanero, Stefano},
  Title         = {Jackdaw: Towards Automatic Reverse Engineering of Large
                  Datasets of Binaries},
  Publisher     = {Springer International Publishing},
  Editor        = {Almgren, Magnus and Gulisano, Vincenzo and Maggi, Federico},
  BookTitle     = {Detection of Intrusions and Malware, and Vulnerability
                  Assessment},
  Series        = {Lecture Notes in Computer Science},
  Pages         = {121--143},
  Abstract      = {When analyzing an untrusted binary, reverse engineers
                  usually rely on ad-hoc collections of interesting dynamic
                  patterns known as behaviors in the malware-analysis community
                  and static patterns known as signatures in the antivirus
                  community. Such patterns are often part of the skill set of
                  the analyst, sometimes implemented in manually-created
                  post-processing scripts. It would be desirable to be able to
                  automatically find such behaviors, present them to analysts,
                  and create a systematic catalog of matching rules and
                  relevant implementations. We propose Jackdaw, a system that
                  finds interesting dynamic patterns, and ranks them to unveil
                  potentially interesting behaviors. Then, it annotates them
                  with static information, capturing the distinct
                  implementations of each across different malware families.
                  Finally, Jackdaw associates semantic information to the
                  behaviors, so as to create a descriptive summary that helps
                  the analysts in querying the catalog of behaviors by type. To
                  do this, it leverages the dynamic information and an indexed
                  Web-based knowledge databases. We implement and demonstrate
                  Jackdaw on the Win32 API (even if the technique can be
                  generalized to any OS). On a dataset of 2,136 distinct
                  binaries, including both malicious and benign libraries and
                  executables, we compared the behaviors extracted
                  automatically against a ground truth of 44 behaviors created
                  manually by expert analysts. Jackdaw found 77.3\% of them and
                  was able to exclude spurious behaviors in 99.6\% cases. We
                  also discovered 466 novel behaviors, among which manual
                  exploration and review by expert reverse engineers revealed
                  interesting findings and confirmed the correctness of the
                  semantic tagging.},
  DOI           = {10.1007/978-3-319-20550-2_7},
  ISBN          = {978-3-319-20549-6 978-3-319-20550-2},
  Date          = {2015-07-09},
  URL           = {http://link.springer.com/chapter/10.1007/978-3-319-20550-2_7},
  File          = {files/papers/conference-papers/polino_jackdaw_2015.pdf}
}

@Unpublished{     maggi_mobileransomware_talk_2015,
  ShortTitle    = {MobileRansomware},
  Author        = {Maggi, Federico},
  Title         = {Mobile Ransomware},
  EventTitle    = {6th National Conference on Cyber Warfare},
  Location      = {Milano, Italy},
  Date          = {2015-06-03},
  URL           = {http://www.infowar.it/},
  HowPublished  = {Invited Talk},
  File          = {files/talks/maggi_mobileransomware_talk_2015.pdf}
}

@Thesis{          falsina_thesis_2015,
  Author        = {Falsina, Luca},
  Title         = {Grab ’n Run: Practical and Safe Dynamic Code Loading in
                  Android},
  Date          = {2015-04-29},
  Institution   = {Politecnico di Milano},
  URL           = {https://hdl.handle.net/10589/106725}
}

@Thesis{          coletta_thesis_2015,
  Author        = {Coletta, Alberto},
  Title         = {Droydseuss: A Mobile Banking Trojan Tracking Service},
  Date          = {2015-04-29},
  Institution   = {Politecnico di Milano},
  URL           = {https://hdl.handle.net/10589/106646}
}

@Thesis{          andronio_thesis_2015,
  Author        = {Andronio, Nicolò},
  Title         = {Heldroid: Fast and Efficient Linguistic-Based Ransomware
                  Detection},
  Date          = {2015-04-29},
  Institution   = {Politecnico di Milano},
  URL           = {https://hdl.handle.net/10589/107202}
}

@Thesis{          guagnelli_thesis_2015,
  Author        = {Guagnelli, Alessandro and Zingaro, Giovanni},
  Title         = {RADAR : a ransomware detection and remediation system},
  Date          = {2015-04-27},
  Institution   = {Politecnico di Milano},
  URL           = {https://hdl.handle.net/10589/120785}
}

@Unpublished{     maggi_cybercrimethreatanalysis_talk_2015,
  ShortTitle    = {CybercrimeThreatAnalysis},
  Author        = {Maggi, Federico},
  Title         = {From Cybercrime to Threat Analysis},
  Location      = {Università degli Studi di Trento},
  Date          = {2015-04-20},
  HowPublished  = {Invited Talk},
  File          = {files/talks/maggi_cybercrimethreatanalysis_talk_2015.pdf}
}

@Article{         carminati_banksealer_article_2015,
  ShortTitle    = {BankSealer},
  Author        = {Carminati, Michele and Caron, Roberto and Maggi, Federico
                  and Epifani, Ilenia and Zanero, Stefano},
  Title         = {BankSealer: A decision support system for online banking
                  fraud analysis and investigation},
  JournalTitle  = {Computers \& Security},
  Abstract      = {The significant growth of online banking frauds, fueled by
                  the underground economy of malware, raised the need for
                  effective fraud analysis systems. Unfortunately, almost all
                  of the existing approaches adopt black box models and
                  mechanisms that do not give any justifications to analysts.
                  Also, the development of such methods is stifled by limited
                  Internet banking data availability for the scientific
                  community. In this paper we describe BankSealer, a decision
                  support system for online banking fraud analysis and
                  investigation. During a training phase, BankSealer builds
                  easy-to-understand models for each customer's spending
                  habits, based on past transactions. First, it quantifies the
                  anomaly of each transaction with respect to the customer
                  historical profile. Second, it finds global clusters of
                  customers with similar spending habits. Third, it uses a
                  temporal threshold system that measures the anomaly of the
                  current spending pattern of each customer, with respect to
                  his or her past spending behavior. With this threefold
                  profiling approach, it mitigates the under-training due to
                  the lack of historical data for building well-trained
                  profiles, and the evolution of users' spending habits over
                  time. At runtime, BankSealer supports analysts by ranking new
                  transactions that deviate from the learned profiles, with an
                  output that has an easily understandable, immediate
                  statistical meaning.
                  
                  Our evaluation on real data, based on fraud scenarios built
                  in collaboration with domain experts that replicate typical,
                  real-world attacks (e.g., credential stealing, banking trojan
                  activity, and frauds repeated over time), shows that our
                  approach correctly ranks complex frauds. In particular, we
                  measure the effectiveness, the computational resource
                  requirements and the capabilities of BankSealer to mitigate
                  the problem of users that performed a low number of
                  transactions. Our system ranks frauds and anomalies with up
                  to 98\% detection rate and with a maximum daily computation
                  time of 4~min. Given the good results, a leading Italian bank
                  deployed a version of BankSealer in their environment to
                  analyze frauds.},
  DOI           = {10.1016/j.cose.2015.04.002},
  ISSN          = {0167-4048},
  Date          = {2015-04},
  URL           = {http://www.sciencedirect.com/science/article/pii/S0167404815000437},
  ShortJournal  = {Computers \& Security},
  File          = {files/papers/journal-papers/carminati_banksealer_article_2015.pdf}
}

@Unpublished{     maggi_threatanalysis_talk_2015,
  ShortTitle    = {ThreatAnalysis},
  Author        = {Maggi, Federico},
  Title         = {From Cybercrime to Threat Analysis},
  EventTitle    = {Catedra Europa},
  Date          = {2015-03-18},
  URL           = {http://www.uninorte.edu.co/web/catedra-europa},
  HowPublished  = {Invited Talk},
  File          = {files/talks/maggi_threatanalysis_talk_2015.pdf}
}

@TechReport{      maggi_eusyssec_tr_2015,
  ShortTitle    = {EUSysSec},
  Author        = {Maggi, Federico and Zanero, Stefano and Markatos,
                  Evangelos},
  Title         = {European Cyber-Security Research and Innovation},
  Number        = {43},
  Abstract      = {Looking back at the evolution of cyber criminal activities,
                  from the nineties to the present day, we observe interesting
                  trends coming together in what may seem a perfectly
                  orchestrated scene. In parallel with the `security by
                  design', we recall the importance of reactive security in a
                  field of ever-changing arms races.},
  Date          = {2015-01},
  URL           = {http://ercim-news.ercim.eu/en100/r-i/european-cyber-security-research-and-innovation},
  Series        = {ERCIM News},
  Pages         = {43},
  File          = {files/papers/reports/maggi_eusyssec_tr_2015.pdf}
}

@Thesis{          mambretti_thesis_2014,
  Author        = {Mambretti, Andrea},
  Title         = {PRIVMUL: PRIVilege separation for Multi-user Logic
                  applications},
  Date          = {2014-12-18},
  Institution   = {Politecnico di Milano},
  URL           = {https://hdl.handle.net/10589/102103}
}

@Thesis{          palese_thesis_2014,
  Author        = {Palese, Giuseppe},
  Title         = {SimDroidUI: a new method of UI-based Clustering of Android
                  applications},
  Date          = {2014-12-18},
  Institution   = {Politecnico di Milano},
  URL           = {https://hdl.handle.net/10589/102101}
}

@InProceedings{   polakis_resoauth_2014,
  ShortTitle    = {ReSoAuth},
  Author        = {Polakis, Iasonas and Ilia, Panagiotis and Maggi, Federico
                  and Lancini, Marco and Kontaxis, Georgios and Zanero, Stefano
                  and Ioannidis, Sotiris and Keromytis, Angelos D.},
  Title         = {Faces in the Distorting Mirror: Revisiting Photo-based
                  Social Authentication},
  Publisher     = {ACM},
  BookTitle     = {Proceedings of the 2014 ACM SIGSAC Conference on Computer
                  and Communications Security},
  Series        = {CCS '14},
  Pages         = {501--512},
  Location      = {New York, NY, USA},
  Abstract      = {In an effort to hinder attackers from compromising user
                  accounts, Facebook launched a form of two-factor
                  authentication called social authentication (SA), where users
                  are required to identify photos of their friends to complete
                  a log-in attempt. Recent research, however, demonstrated that
                  attackers can bypass the mechanism by employing face
                  recognition software. Here we demonstrate an alternative
                  attack. that employs image comparison techniques to identify
                  the SA photos within an offline collection of the users'
                  photos. In this paper, we revisit the concept of SA and
                  design a system with a novel photo selection and
                  transformation process, which generates challenges that are
                  robust against these attacks. The intuition behind our photo
                  selection is to use photos. that fail software-based face
                  recognition, while remaining recognizable to humans who are
                  familiar with the depicted people. The photo transformation
                  process. creates challenges in the form of photo collages,
                  where faces are transformed so as to render image matching
                  techniques ineffective. We experimentally confirm the
                  robustness of our approach against three template. matching
                  algorithms that solve 0.4 percent of the challenges, while
                  requiring four orders of magnitude more processing effort.
                  Furthermore, when the transformations are applied, face
                  detection software fails to detect even a single face. Our
                  user studies confirm that users are able to identify their
                  friends in over 99\% of the photos with faces unrecognizable
                  by software, and can solve over 94 percent of the challenges
                  with transformed photos.},
  DOI           = {10.1145/2660267.2660317},
  ISBN          = {978-1-4503-2957-6},
  Date          = {2014-11},
  URL           = {http://doi.acm.org/10.1145/2660267.2660317},
  File          = {files/papers/conference-papers/polakis_resoauth_2014.pdf}
}

@TechReport{      bazzoli_xsspeeker_tr_2014,
  ShortTitle    = {XSSPeeker},
  Author        = {Bazzoli, Enrico and Criscione, Claudio and Maggi, Federico
                  and Zanero, Stefano},
  Title         = {XSS Peeker: A Systematic Analysis of Cross-site Scripting
                  Vulnerability Scanners},
  Institution   = {arXiv},
  Abstract      = {Since the first publication of the "OWASP Top 10" (2004),
                  cross-site scripting (XSS) vulnerabilities have always been
                  among the top 5 web application security bugs. Black-box
                  vulnerability scanners are widely used in the industry to
                  reproduce (XSS) attacks automatically. In spite of the
                  technical sophistication and advancement, previous work
                  showed that black-box scanners miss a non-negligible portion
                  of vulnerabilities, and report non-existing, non-exploitable
                  or uninteresting vulnerabilities. Unfortunately, these
                  results hold true even for XSS vulnerabilities, which are
                  relatively simple to trigger if compared, for instance, to
                  logic flaws. Black-box scanners have not been studied in
                  depth on this vertical: knowing precisely how scanners try to
                  detect XSS can provide useful insights to understand their
                  limitations, to design better detection methods. In this
                  paper, we present and discuss the results of a detailed and
                  systematic study on 6 black-box web scanners (both
                  proprietary and open source) that we conducted in
                  coordination with the respective vendors. To this end, we
                  developed an automated tool to (1) extract the payloads used
                  by each scanner, (2) distill the "templates" that have
                  originated each payload, (3) evaluate them according to
                  quality indicators, and (4) perform a cross-scanner analysis.
                  Unlike previous work, our testbed application, which contains
                  a large set of XSS vulnerabilities, including DOM XSS, was
                  gradually retrofitted to accomodate for the payloads that
                  triggered no vulnerabilities. Our analysis reveals a highly
                  fragmented scenario. Scanners exhibit a wide variety of
                  distinct payloads, a non-uniform approach to fuzzing and
                  mutating the payloads, and a very diverse detection
                  effectiveness.},
  Date          = {2014-10-15},
  URL           = {http://arxiv.org/abs/1410.4207},
  File          = {files/papers/reports/bazzoli_xsspeeker_tr_2014.pdf}
}

@Unpublished{     maggi_cybercrime_talk_2014,
  ShortTitle    = {Cybercrime},
  Author        = {Maggi, Federico},
  Title         = {Current and Future Cybercrime Tactics},
  EventTitle    = {5th National Conference on Cyber Warfare},
  Location      = {Milano, Italy},
  Date          = {2014-10-13},
  URL           = {http://www.infowar.it/past/2014_october/index.php},
  HowPublished  = {Invited Talk},
  File          = {files/talks/maggi_cybercrime_talk_2014.pdf}
}

@Unpublished{     maggi_andradar_talk_2014,
  ShortTitle    = {AndRadar},
  Author        = {Maggi, Federico},
  Title         = {Come to the Dark Side: We have Apps!},
  EventTitle    = {HackInBo},
  Location      = {Bologna, Italy},
  Date          = {2014-10-11},
  URL           = {http://www.hackinbo.it/},
  HowPublished  = {Invited Talk},
  File          = {files/talks/maggi_andradar_talk_2014.pdf}
}

@Thesis{          braschi_thesis_2014,
  Author        = {Braschi, Andrea and Continella, Andrea},
  Title         = {Prometheus: Prometheus: A Web-based Platform for Analyzing
                  Banking Trojans},
  URL           = {https://hdl.handle.net/10589/97643},
  Institution   = {Politecnico di Milano},
  Date          = {2014-10-03}
}

@Unpublished{     maggi_androidre_talk_2014,
  ShortTitle    = {AndroidRe},
  Author        = {Maggi, Federico},
  Title         = {Static Analysis of Android Applications},
  EventTitle    = {2nd SysSec Summer Institution},
  Location      = {Amsterdam, The Netherlands},
  Date          = {2014-09-25},
  URL           = {http://www.syssec-project.eu/events/summer-school-2014/program/},
  HowPublished  = {Invited Lecture},
  File          = {files/talks/maggi_androidre_talk_2014.pdf}
}

@InProceedings{   antonini_knxmalware_2014,
  ShortTitle    = {KNXMalware},
  Author        = {Antonini, Alessio and Maggi, Federico and Zanero, Stefano},
  Title         = {A Practical Attack Against a KNX-based Building Automation
                  System},
  Publisher     = {BCS},
  BookTitle     = {Proceedings of the 2Nd International Symposium on ICS \&
                  SCADA Cyber Security Research 2014},
  Series        = {ICS-CSR 2014},
  Pages         = {53--60},
  Location      = {UK},
  Abstract      = {Building automation systems rely heavily on general-purpose
                  computers and communication protocols, which are often
                  affected by security vulnerabilities. In this paper, we first
                  analyze the attack surface of a real building automation
                  system - based on the widely used KNX protocol-connected to a
                  general-purpose IP network. To this end, we analyze the
                  vulnerabilities of KNX-based networks highlighted by previous
                  research work, which, however, did not corroborate their
                  findings with experimental results. To verify the practical
                  exploitability of these vulnerabilities and their potential
                  impact, we implement a full-fledged testbed infrastructure
                  that reproduces the typical deployment of a building
                  automation system. On this testbed, we show the feasibility
                  of a practical attack that leverages and combines the
                  aforementioned vulnerabilities. We show the ease of reverse
                  engineering the vendor-specific components of the KNX
                  protocol. Our attack leverages the IP-to-KNX connectivity to
                  send arbitrary commands which are executed by the actuators.
                  We conclude that the vulnerabilities highlighted by previous
                  work are effectively exploitable in practice, with severe
                  results. Although we use KNX as a target, our work can be
                  generalized to other communication protocols, often
                  characterized by similar issues. Finally, we analyze the
                  countermeasures proposed in previous literature and reveal
                  the limitations that prevent their adoption in practice. We
                  suggest a practical stopgap measure to protect real KNX-based
                  BASs from our attack.},
  DOI           = {10.14236/ewic/ics-csr2014.7},
  ISBN          = {978-1-78017-286-6},
  Date          = {2014-09},
  URL           = {http://dx.doi.org/10.14236/ewic/ics-csr2014.7},
  File          = {files/papers/conference-papers/antonini_knxmalware_2014.pdf}
}

@InProceedings{   polakis_osnresearch_2014,
  ShortTitle    = {OSNResearch},
  Author        = {Polakis, Iasonas and Maggi, Federico and Zanero, Stefano and
                  Keromytis, Angelos D.},
  Title         = {Security and Privacy Measurements on Social Networks:
                  Experiences and Lessons Learned},
  BookTitle     = {2014 Third International Workshop on Building Analysis
                  Datasets and Gathering Experience Returns for Security
                  (BADGERS)},
  Pages         = {18-29},
  Location      = {Wroclaw, Poland},
  Abstract      = {We describe our experience gained while exploring practical
                  security and privacy problems in a real-world, large- scale
                  social network (i.e., Facebook), and summarize our
                  conclusions in a series of "lessons learned". We first
                  conclude that it is better to adequately describe the
                  potential ethical concerns from the very beginning and plan
                  ahead the institutional review board (IRB) request. Even
                  though sometimes optional, the IRB approval is a valuable
                  point from the reviewer's perspective. Another aspect that
                  needs planning is getting in touch with the online social
                  network security team, which takes a substantial amount of
                  time. With their support, "bending the rules" (e.g., using
                  scrapers) when the experimental goals require so, is easier.
                  Clearly, in cases where critical technical vulnerabilities
                  are found during the research, the general recommendations
                  for responsible disclosure should be followed. Gaining the
                  audience's engagement and trust was essential to the success
                  of our user study. Participants felt more comfortable when
                  subscribing to our experiments, and also responsibly reported
                  bugs and glitches. We did not observe the same behavior in
                  crowd-sourcing workers, who were instead more interested in
                  obtaining their rewards. On a related point, our experience
                  suggests that crowd sourcing should not be used alone:
                  Setting up tasks is more time consuming than it seems, and
                  researchers must insert some sentinel checks to ensure that
                  workers are not submitting random answers.From a logistics
                  point of view, we learned that having at least a high-level
                  plan of the experiments pays back, especially when the IRB
                  requires a detailed description of the work and the data to
                  be collected. However, over planning can be dangerous because
                  the measurement goals can change dynamically. From a
                  technical point of view, partially connected to the logistics
                  remarks, having a complex and large data-gathering and
                  analysis framework may be counterproductive in terms of
                  set-up a- d management overhead. From our experience we
                  suggest to choose simple technologies that scale up if needed
                  but, more importantly, can scale down. For example, launching
                  a quick query should be straightforward, and the frameworks
                  should not impose too much overhead for formulating it. We
                  conclude with a series of practical recommendations on how to
                  successfully collect data from online social networks (e.g.,
                  using techniques for network multipresence, mimicking user
                  behavior, and other crawling "tricks"') and avoid abusing the
                  online service, while gathering the data required by the
                  experiments.},
  DOI           = {10.1109/BADGERS.2014.9},
  Date          = {2014-09},
  Keywords      = {workshop},
  File          = {files/papers/workshop-papers/polakis_osnresearch_2014.pdf}
}

@Unpublished{     maggi_virtualization_talk_2014,
  ShortTitle    = {Virtualization},
  Author        = {Maggi, Federico},
  Title         = {Virtualization},
  EventTitle    = {5th Int. Summer Institution on Information Security and
                  Protection},
  Location      = {Verona, Italy},
  Date          = {2014-07-27},
  URL           = {http://issisp2014.di.univr.it/},
  HowPublished  = {Invited Lecture},
  File          = {files/talks/maggi_virtualization_talk_2014.pdf}
}

@Thesis{          pellegatta_thesis_2014,
  Author        = {Pellegatta, Federico},
  Title         = {AAMO: Automatic Android Malware Obfuscation},
  URL           = {https://hdl.handle.net/10589/94484},
  Institution   = {Politecnico di Milano},
  Date          = {2014-07-25}
}

@InProceedings{   criscione_zarathustra_2014,
  ShortTitle    = {Zarathustra},
  Author        = {Criscione, Claudio and Bosatelli, Fabio and Zanero, Stefano
                  and Maggi, Federico},
  Title         = {Zarathustra: Extracting WebInject Signatures from Banking
                  Trojans},
  Publisher     = {IEEE Computer Society},
  BookTitle     = {Proceedings of the Twelfth Annual International Conference
                  on Privacy, Security and Trust (PST)},
  Pages         = {139--148},
  Location      = {Toronto, Canada},
  Abstract      = {Modern trojans are equipped with a functionality, called
                  WebInject, that can be used to silently modify a web page on
                  the infected end host. Given its flexibility, WebInject-based
                  malware is becoming a popular information-stealing mechanism.
                  In addition, the structured and well-organized
                  malware-as-a-service model makes revenue out of customization
                  kits, which in turns leads to high volumes of binary
                  variants. Analysis approaches based on memory carving to
                  extract the decrypted webinject.txt and config.bin files at
                  runtime make the strong assumption that the malware will
                  never change the way such files are handled internally, and
                  therefore are not future proof by design. In addition,
                  developers of sensitive web applications (e.g., online
                  banking) have no tools that they can possibly use to even
                  mitigate the effect of WebInjects.},
  DOI           = {10.1109/PST.2014.6890933},
  ISBN          = {978-1-4799-3502-4},
  Date          = {2014-07},
  File          = {files/papers/conference-papers/criscione_zarathustra_2014.pdf}
}

@InProceedings{   lindorfer_andradar_2014,
  ShortTitle    = {AndRadar},
  Author        = {Lindorfer, Martina and Volanis, Stamatis and Sisto,
                  Alessandro and Neugschwandtner, Matthias and Athanasopoulos,
                  Elias and Maggi, Federico and Platzer, Christian and Zanero,
                  Stefano and Ioannidis, Sotiris},
  Title         = {AndRadar: Fast Discovery of Android Applications in
                  Alternative Markets},
  Publisher     = {Springer International Publishing},
  Editor        = {Dietrich, Sven},
  BookTitle     = {Detection of Intrusions and Malware, and Vulnerability
                  Assessment},
  Series        = {Lecture Notes in Computer Science},
  Pages         = {51--71},
  Abstract      = {Compared to traditional desktop software, Android
                  applications are delivered through software repositories,
                  commonly known as application markets. Other mobile
                  platforms, such as Apple iOS and BlackBerry OS also use the
                  marketplace model, but what is unique to Android is the
                  existence of a plethora of alternative application markets.
                  This complicates the task of detecting and tracking Android
                  malware. Identifying a malicious application in one
                  particular market is simply not enough, as many instances of
                  this application may exist in other markets. To quantify this
                  phenomenon, we exhaustively crawled 8 markets between June
                  and November 2013. Our findings indicate that alternative
                  markets host a large number of ad-aggressive apps, a
                  non-negligible amount of malware, and some markets even allow
                  authors to publish known malicious apps without prompt
                  action. Motivated by these findings, we present AndRadar, a
                  framework for discovering multiple instances of a malicious
                  Android application in a set of alternative application
                  markets. AndRadar scans a set of markets in parallel to
                  discover similar applications. Each lookup takes no more than
                  a few seconds, regardless of the size of the marketplace.
                  Moreover, it is modular, and new markets can be transparently
                  added once the search and download URLs are known. Using
                  AndRadar we are able to achieve three goals. First, we can
                  discover malicious applications in alternative markets,
                  second, we can expose app distribution strategies used by
                  malware developers, and third, we can monitor how different
                  markets react to new malware. During a three-month evaluation
                  period, AndRadar tracked over 20,000 apps and recorded more
                  than 1,500 app deletions in 16 markets. Nearly 8\% of those
                  deletions were related to apps that were hopping from market
                  to market. The most established markets were able to react
                  and delete new malware within tens of days from the malicious
                  app publication date while other markets did not react at
                  all.},
  DOI           = {10.1007/978-3-319-08509-8_4},
  ISBN          = {978-3-319-08508-1 978-3-319-08509-8},
  Date          = {2014-07},
  URL           = {http://link.springer.com/chapter/10.1007/978-3-319-08509-8_4},
  File          = {files/papers/conference-papers/lindorfer_andradar_2014.pdf}
}

@InProceedings{   schiavoni_phoenix_2014,
  ShortTitle    = {Phoenix},
  Author        = {Schiavoni, Stefano and Maggi, Federico and Cavallaro,
                  Lorenzo and Zanero, Stefano},
  Title         = {Phoenix: DGA-Based Botnet Tracking and Intelligence},
  Publisher     = {Springer International Publishing},
  Editor        = {Dietrich, Sven},
  BookTitle     = {Proceedings of the International Conference on Detection of
                  Intrusions and Malware, and Vulnerability Assessment
                  (DIMVA)},
  Series        = {Lecture Notes in Computer Science},
  Pages         = {192--211},
  Abstract      = {Modern botnets rely on domain-generation algorithms (DGAs)
                  to build resilient command-and-control infrastructures. Given
                  the prevalence of this mechanism, recent work has focused on
                  the analysis of DNS traffic to recognize botnets based on
                  their DGAs. While previous work has concentrated on
                  detection, we focus on supporting intelligence operations. We
                  propose Phoenix, a mechanism that, in addition to telling
                  DGA- and non-DGA-generated domains apart using a combination
                  of string and IP-based features, characterizes the DGAs
                  behind them, and, most importantly, finds groups of
                  DGA-generated domains that are representative of the
                  respective botnets. As a result, Phoenix can associate
                  previously unknown DGA-generated domains to these groups, and
                  produce novel knowledge about the evolving behavior of each
                  tracked botnet. We evaluated Phoenix on 1,153,516 domains,
                  including DGA-generated domains from modern, well-known
                  botnets: without supervision, it correctly distinguished DGA-
                  vs. non-DGA-generated domains in 94.8 percent of the cases,
                  characterized families of domains that belonged to distinct
                  DGAs, and helped researchers ``on the field'' in gathering
                  intelligence on suspicious domains to identify the correct
                  botnet.},
  DOI           = {10.1007/978-3-319-08509-8_11},
  ISBN          = {978-3-319-08508-1 978-3-319-08509-8},
  Date          = {2014-07},
  URL           = {http://link.springer.com/chapter/10.1007/978-3-319-08509-8_11},
  File          = {files/papers/conference-papers/schiavoni_phoenix_2014.pdf}
}

@InProceedings{   carminati_banksealer_2014,
  ShortTitle    = {BankSealer},
  Author        = {Carminati, Michele and Caron, Roberto and Maggi, Federico
                  and Epifani, Ilenia and Zanero, Stefano},
  Title         = {BankSealer: An Online Banking Fraud Analysis and Decision
                  Support System},
  Publisher     = {Springer Berlin Heidelberg},
  Editor        = {Cuppens-Boulahia, Nora and Cuppens, Fr{\'e}d{\'e}ric and
                  Jajodia, Sushil and Kalam, Anas Abou El and Sans, Thierry},
  BookTitle     = {ICT Systems Security and Privacy Protection},
  Series        = {IFIP Advances in Information and Communication Technology},
  Pages         = {380--394},
  Abstract      = {We propose a semi-supervised online banking fraud analysis
                  and decision support approach. During a training phase, it
                  builds a profile for each customer based on past
                  transactions. At runtime, it supports the analyst by ranking
                  unforeseen transactions that deviate from the learned
                  profiles. It uses methods whose output has a immediate
                  statistical meaning that provide the analyst with an
                  easy-to-understand model of each customer's spending habits.
                  First, we quantify the anomaly of each transaction with
                  respect to the customer historical profile. Second, we find
                  global clusters of customers with similar spending habits.
                  Third, we use a temporal threshold system that measures the
                  anomaly of the current spending pattern of each customer,
                  with respect to his or her past spending behavior. As a
                  result, we mitigate the undertraining due to the lack of
                  historical data for building of well-trained profiles (of
                  fresh users), and the users that change their (spending)
                  habits over time. Our evaluation on real-world data shows
                  that our approach correctly ranks complex frauds as ``top
                  priority''.},
  DOI           = {10.1007/978-3-642-55415-5_32},
  ISBN          = {978-3-642-55414-8 978-3-642-55415-5},
  Date          = {2014-06-02},
  URL           = {http://link.springer.com/chapter/10.1007/978-3-642-55415-5_32},
  File          = {files/papers/conference-papers/carminati_banksealer_2014.pdf}
}

@Unpublished{     maggi_phoenixhoneynet_talk_2014,
  ShortTitle    = {PhoenixHoneynet},
  Author        = {Maggi, Federico},
  Title         = {Tracking and Characterizing Botnets Using Automatically
                  Generated Domains},
  EventTitle    = {Honeynet Workshop},
  Abstract      = {Modern botnets rely on domain-generation algorithms (DGAs)
                  to build resilient command-and-control infrastructures.
                  Recent works focus on recognizing automatically generated
                  domains (AGDs) from DNS traffic, which potentially allows to
                  identify previously unknown AGDs to hinder or disrupt
                  botnets' communication capabilities. The state-of-the-art
                  approaches require to deploy low-level DNS sensors to access
                  data whose collection poses practical and privacy issues,
                  making their adoption problematic. We propose a mechanism
                  that overcomes the above limitations by analyzing DNS traffic
                  data through a combination of linguistic and IP-based
                  features of suspicious domains. In this way, we are able to
                  identify AGD names, characterize their DGAs and isolate
                  logical groups of domains that represent the respective
                  botnets. Moreover, our system enriches these groups with new,
                  previously unknown AGD names, and produce novel knowledge
                  about the evolving behavior of each tracked botnet. We used
                  our system in real-world settings, to help researchers that
                  requested intelligence on suspicious domains and were able to
                  label them as belonging to the correct botnet automatically.
                  Additionally, we ran an evaluation on 1,153,516 domains,
                  including AGDs from both modern (e.g., Bamital) and
                  traditional (e.g., Conficker, Torpig) botnets. Our approach
                  correctly isolated families of AGDs that belonged to distinct
                  DGAs, and set automatically generated from non-automatically
                  generated domains apart in 94.8 percent of the cases.},
  Location      = {Warsaw, Poland},
  Date          = {2014-05-14},
  HowPublished  = {Invited Talk},
  File          = {files/talks/maggi_phoenixhoneynet_talk_2014.pdf}
}

@Unpublished{     maggi_phoenixgoogle_talk_2014,
  ShortTitle    = {PhoenixGoogle},
  Author        = {Maggi, Federico},
  Title         = {Phoenix \& Cerberus: Botnet Tracking via Precise DGA
                  Characterization},
  EventTitle    = {Google Tech Talk},
  Location      = {Google, Mountain View, CA, USA},
  Date          = {2014-05},
  HowPublished  = {Invited Talk},
  File          = {files/talks/maggi_phoenixgoogle_talk_2014.pdf}
}

@Thesis{          colombo_thesis_2014,
  Author        = {Colombo, Edoardo},
  Title         = {CERBERUS: Detection and Characterization of
                  Automatically-Generated Malicious Domains},
  URL           = {https://hdl.handle.net/10589/92341},
  Institution   = {Politecnico di Milano},
  Date          = {2014-04-29}
}

@InProceedings{   nikiforakis_strangerdanger_2014,
  ShortTitle    = {StrangerDanger},
  Author        = {Nikiforakis, Nick and Maggi, Federico and Stringhini,
                  Gianluca and Rafique, M. Zubair and Joosen, Wouter and
                  Kruegel, Christopher and Piessens, Frank and Vigna, Giovanni
                  and Zanero, Stefano},
  Title         = {Stranger Danger: Exploring the Ecosystem of Ad-based URL
                  Shortening Services},
  Publisher     = {International World Wide Web Conferences Steering
                  Committee},
  BookTitle     = {Proceedings of the 23rd International Conference on World
                  Wide Web},
  Series        = {WWW '14},
  Pages         = {51--62},
  Location      = {Seoul, Korea},
  Abstract      = {URL shortening services facilitate the need of exchanging
                  long URLs using limited space, by creating compact URL
                  aliases that redirect users to the original URLs when
                  followed. Some of these services show advertisements (ads) to
                  link-clicking users and pay a commission of their advertising
                  earnings to link-shortening users. In this paper, we
                  investigate the ecosystem of these increasingly popular
                  ad-based URL shortening services. Even though traditional URL
                  shortening services have been thoroughly investigated in
                  previous research, we argue that, due to the monetary
                  incentives and the presence of third-party advertising
                  networks, ad-based URL shortening services and their users
                  are exposed to more hazards than traditional shortening
                  services. By analyzing the services themselves, the
                  advertisers involved, and their users, we uncover a series of
                  issues that are actively exploited by malicious advertisers
                  and endanger the users. Moreover, next to documenting the
                  ongoing abuse, we suggest a series of defense mechanisms that
                  services and users can adopt to protect themselves.},
  DOI           = {10.1145/2566486.2567983},
  ISBN          = {978-1-4503-2744-2},
  Date          = {2014-04},
  URL           = {http://dx.doi.org/10.1145/2566486.2567983},
  File          = {files/papers/conference-papers/nikiforakis_strangerdanger_2014.pdf}
}

@InProceedings{   spagnuolo_bitiodine_2014,
  ShortTitle    = {BitIodine},
  Author        = {Spagnuolo, Michele and Maggi, Federico and Zanero, Stefano},
  Title         = {BitIodine: Extracting Intelligence from the Bitcoin
                  Network},
  Publisher     = {Springer Berlin Heidelberg},
  BookTitle     = {Financial Cryptography and Data Security},
  Series        = {Lecture Notes in Computer Science (LNCS)},
  Pages         = {457--468},
  Location      = {Barbados},
  Abstract      = {Bitcoin, the famous peer-to-peer, decentralized electronic
                  currency system, allows users to benefit from pseudonymity,
                  by generating an arbitrary number of aliases (or addresses)
                  to move funds. However, the complete history of all
                  transactions ever performed, called "blockchain", is public
                  and replicated on each node. The data it contains is
                  difficult to analyze manually, but can yield a high number of
                  relevant information.
                  
                  In this paper we present a modular framework, BitIodine,
                  which parses the blockchain, clusters addresses that are
                  likely to belong to a same user or group of users, classifies
                  such users and labels them, and finally visualizes complex
                  information extracted from the Bitcoin network.
                  
                  BitIodine labels users (semi-)automatically with information
                  on their identity and actions which is automatically scraped
                  from openly available information sources. BitIodine also
                  supports manual investigation by finding paths and reverse
                  paths between addresses or users.
                  
                  We tested BitIodine on several real-world use cases,
                  identified an address likely to belong to the encrypted Silk
                  Road cold wallet, or investigated the CryptoLocker ransomware
                  and accurately quantified the number of ransoms paid, as well
                  as information about the victims.
                  
                  We release an early prototype of BitIodine as a library for
                  building more complex Bitcoin forensic analysis tools.},
  DOI           = {10.1007/978-3-662-45472-5_29},
  ISBN          = {978-3-662-45471-8},
  Date          = {2014-03-03},
  File          = {files/papers/conference-papers/spagnuolo_bitiodine_2014.pdf}
}

@TechReport{      gianazza_puppetdroid_tr_2014,
  ShortTitle    = {PuppetDroid},
  Author        = {Gianazza, Andrea and Maggi, Federico and Fattori, Aristide
                  and Cavallaro, Lorenzo and Zanero, Stefano},
  Title         = {PuppetDroid: A User-Centric UI Exerciser for Automatic
                  Dynamic Analysis of Similar Android Applications},
  Institution   = {arXiv},
  Abstract      = {Popularity and complexity of malicious mobile applications
                  are rising, making their analysis difficult and labor
                  intensive. Mobile application analysis is indeed inherently
                  different from desktop application analysis: In the latter,
                  the interaction of the user (i.e., victim) is crucial for the
                  malware to correctly expose all its malicious behaviors. We
                  propose a novel approach to analyze (malicious) mobile
                  applications. The goal is to exercise the user interface (UI)
                  of an Android application to effectively trigger malicious
                  behaviors, automatically. Our key intuition is to record and
                  reproduce the UI interactions of a potential victim of the
                  malware, so as to stimulate the relevant behaviors during
                  dynamic analysis. To make our approach scale, we
                  automatically re-execute the recorded UI interactions on apps
                  that are similar to the original ones. These characteristics
                  make our system orthogonal and complementary to current
                  dynamic analysis and UI-exercising approaches. We developed
                  our approach and experimentally shown that our stimulation
                  allows to reach a higher code coverage than automatic UI
                  exercisers, so to unveil interesting malicious behaviors that
                  are not exposed when using other approaches. Our approach is
                  also suitable for crowdsourcing scenarios, which would push
                  further the collection of new stimulation traces. This can
                  potentially change the way we conduct dynamic analysis of
                  (mobile) applications, from fully automatic only, to
                  user-centric and collaborative too.},
  Date          = {2014-02-19},
  URL           = {http://arxiv.org/abs/1402.4826},
  File          = {files/papers/reports/gianazza_puppetdroid_tr_2014.pdf}
}

@Unpublished{     maggi_androidmalware_talk_2014,
  ShortTitle    = {AndroidMalware},
  Author        = {Maggi, Federico},
  Title         = {Malicious Android Apps: Overview, Status and Dilemmas},
  Location      = {Qualcomm, San Diego, USA},
  Date          = {2014-01-03},
  URL           = {http://s.maggi.cc/android-malware-2013},
  HowPublished  = {Invited Talk},
  File          = {files/talks/maggi_androidmalware_talk_2014.pdf}
}

@Thesis{          sisto_thesis_2013,
  Author        = {Sisto, Alessandro},
  Title         = {AndroCrawl: Studying Android Alternative Marketplaces},
  Date          = {2013-12-18},
  Institution   = {Politecnico di Milano},
  URL           = {https://hdl.handle.net/10589/88407}
}

@Thesis{          lever_thesis_2013,
  Author        = {Lever, Eros},
  Title         = {DroidSaGe: An Automated Android Sandbox Generator},
  Date          = {2013-12-18},
  Institution   = {Politecnico di Milano},
  URL           = {https://hdl.handle.net/10589/88332}
}

@Thesis{          bazzoli_thesis_2013,
  Author        = {Bazzoli, Enrico},
  Title         = {XSS Peeker: An analysis of black-box web scanners on
                  detecting cross-site scripting vulnerabilities},
  Date          = {2013-12-18},
  Institution   = {Politecnico di Milano},
  URL           = {https://hdl.handle.net/10589/88421}
}

@InProceedings{   bonetti_ssdforensics_2013,
  ShortTitle    = {SSDForensics},
  Author        = {Bonetti, Gabriele and Viglione, Marco and Frossi, Alessandro
                  and Maggi, Federico and Zanero, Stefano},
  Title         = {A Comprehensive Black-box Methodology for Testing the
                  Forensic Characteristics of Solid-state Drives},
  Publisher     = {ACM},
  BookTitle     = {Proceedings of the 29th Annual Computer Security
                  Applications Conference},
  Series        = {ACSAC '13},
  Pages         = {269--278},
  Location      = {New York, NY, USA},
  Abstract      = {Solid-state drives (SSDs) are inherently different from
                  traditional drives, as they incorporate data-optimization
                  mechanisms to overcome their limitations (such as a limited
                  number of program-erase cycles, or the need of blanking a
                  block before writing). The most common optimizations are wear
                  leveling, trimming, compression, and garbage collection,
                  which operate transparently to the host OS and, in certain
                  cases, even when the disks are disconnected from a computer
                  (but still powered up). In simple words, SSD controllers are
                  designed to hide these internals completely, rendering them
                  inaccessible if not through direct acquisition of the memory
                  cells. These optimizations have a significant impact on the
                  forensic analysis of SSDs. The main cause is that memory
                  cells could be pre-emptively blanked, whereas a traditional
                  drive sector would need to be explicitly rewritten to
                  physically wipe off the data. Unfortunately, the existing
                  literature on this subject is sparse and the conclusions are
                  seemingly contradictory. In this paper we propose a generic,
                  practical, test-driven methodology that guides researchers
                  and forensics analysts through a series of steps that assess
                  the "forensic friendliness" of a SSD. Given a drive of the
                  same brand and model of the one under analysis, our
                  methodology produces a decision that helps an analyst to
                  determine whether or not an expensive direct acquisition of
                  the memory cells is worth the effort, because the extreme
                  optimizations may have rendered the data unreadable or
                  useless. We apply our methodology to three SSDs produced by
                  top vendors (Samsung, Corsair, and Crucial), and provide a
                  detailed description of how each step should be conducted.},
  DOI           = {10.1145/2523649.2523660},
  ISBN          = {978-1-4503-2015-3},
  Date          = {2013-12},
  URL           = {http://doi.acm.org/10.1145/2523649.2523660},
  File          = {files/papers/conference-papers/bonetti_ssdforensics_2013.pdf}
}

@TechReport{      schiavoni_phoenix_tr_2013,
  ShortTitle    = {Phoenix},
  Author        = {Schiavoni, Stefano and Maggi, Federico and Cavallaro,
                  Lorenzo and Zanero, Stefano},
  Title         = {Tracking and Characterizing Botnets Using Automatically
                  Generated Domains},
  Institution   = {arXiv},
  Abstract      = {Modern botnets rely on domain-generation algorithms (DGAs)
                  to build resilient command-and-control infrastructures.
                  Recent works focus on recognizing automatically generated
                  domains (AGDs) from DNS traffic, which potentially allows to
                  identify previously unknown AGDs to hinder or disrupt
                  botnets' communication capabilities. The state-of-the-art
                  approaches require to deploy low-level DNS sensors to access
                  data whose collection poses practical and privacy issues,
                  making their adoption problematic. We propose a mechanism
                  that overcomes the above limitations by analyzing DNS traffic
                  data through a combination of linguistic and IP-based
                  features of suspicious domains. In this way, we are able to
                  identify AGD names, characterize their DGAs and isolate
                  logical groups of domains that represent the respective
                  botnets. Moreover, our system enriches these groups with new,
                  previously unknown AGD names, and produce novel knowledge
                  about the evolving behavior of each tracked botnet. We used
                  our system in real-world settings, to help researchers that
                  requested intelligence on suspicious domains and were able to
                  label them as belonging to the correct botnet automatically.
                  Additionally, we ran an evaluation on 1,153,516 domains,
                  including AGDs from both modern (e.g., Bamital) and
                  traditional (e.g., Conficker, Torpig) botnets. Our approach
                  correctly isolated families of AGDs that belonged to distinct
                  DGAs, and set automatically generated from non-automatically
                  generated domains apart in 94.8 percent of the cases.},
  Date          = {2013-11-21},
  URL           = {http://arxiv.org/abs/1311.5612},
  File          = {files/papers/reports/schiavoni_phoenix_tr_2013.pdf}
}

@Unpublished{     maggi_phoenixinfosek_talk_2013,
  ShortTitle    = {PhoenixInfosek},
  Author        = {Maggi, Federico},
  Title         = {Modern Botnets and the Rise of Automatically Generated
                  Domains},
  EventTitle    = {InfoSek},
  Location      = {Nova Gorica, Slovenia},
  Date          = {2013-11-20},
  HowPublished  = {Invited Talk},
  File          = {files/talks/maggi_phoenixinfosek_talk_2013.pdf}
}

@Unpublished{     maggi_andrototalinfosek_talk_2013,
  ShortTitle    = {AndroTotalInfosek},
  Author        = {Maggi, Federico},
  Title         = {AndroTotal: A Scalable Framework for Android Antivirus
                  Testing},
  EventTitle    = {InfoSek},
  Location      = {Nova Gorica, Slovenia},
  Date          = {2013-11-20},
  HowPublished  = {Invited Talk},
  File          = {files/talks/maggi_andrototalinfosek_talk_2013.pdf}
}

@Unpublished{     maggi_andrototalsecure_talk_2013,
  ShortTitle    = {AndroTotalSecure},
  Author        = {Maggi, Federico},
  Title         = {AndroTotal: A Scalable Framework for Android Antimalware
                  Testing},
  EventTitle    = {Secure},
  Abstract      = {Although there are controversial opinions regarding how
                  large the mobile malware phenomenon is in terms of absolute
                  numbers, hype aside, the amount of new Android malware
                  variants is increasing. This trend is mainly due to the fact
                  that, as it happened with traditional malware, the authors
                  are striving to repackage, obfuscate, or otherwise transform
                  the executable code of their malicious apps in order to evade
                  mobile security apps. There are about 85 of these apps only
                  on the official marketplace. However, it is not clear how
                  effective they are. Indeed, the sandboxing mechanism of
                  Android does not allow (security) apps to audit other apps.
                  We present AndroTotal, a publicly available tool, malware
                  repository and research framework that aims at mitigating the
                  above challenges, and allow researchers to automatically scan
                  Android apps against an arbitrary set of malware detectors.
                  We implemented AndroTotal and released it to the research
                  community in April 2013. So far, we collected 18,758 distinct
                  submitted samples and received the attention of several
                  research groups (1,000 distinct accounts), who integrated
                  their malware-analysis services with ours.},
  Location      = {Warsaw, Poland},
  Date          = {2013-10-09},
  HowPublished  = {Invited Talk},
  File          = {files/talks/maggi_andrototalsecure_talk_2013.pdf}
}

@Thesis{          polino_thesis_2013,
  Author        = {Polino, Mario and Scorti, Andrea},
  Title         = {Jackdaw: Automatic Behavior Extractor and Semantic Tagger},
  Date          = {2013-10-03},
  Institution   = {Politecnico di Milano},
  URL           = {https://hdl.handle.net/10589/85226}
}

@Thesis{          gianazza_thesis_2013,
  Author        = {Gianazza, Andrea},
  Title         = {PuppetDroid: a Remote Execution Environment and UI Exerciser
                  for Android Malware Analysis},
  Date          = {2013-10-03},
  Institution   = {Politecnico di Milano},
  URL           = {https://hdl.handle.net/10589/84662}
}

@Thesis{          carminati_thesis_2013,
  Author        = {Carminati, Michele and Caron, Roberto},
  Title         = {BankSealer: A Transaction Monitoring System for Internet
                  Banking Fraud Detection},
  Date          = {2013-10-03},
  Institution   = {Politecnico di Milano},
  URL           = {https://hdl.handle.net/10589/84804}
}

@Article{         nacci_mpower_article_2013,
  ShortTitle    = {MPower},
  Author        = {Nacci, Alessandro and Trov{\`o}, Francesco and Maggi,
                  Federico and Ferroni, Matteo and Cazzola, Andrea and Sciuto,
                  Donatella and Santambrogio, Marco},
  Title         = {Adaptive and Flexible Smartphone Power Modeling},
  JournalTitle  = {Mobile Networks and Applications},
  Pages         = {1--10},
  Abstract      = {Mobile devices have become the main interaction mean between
                  users and the surrounding environment. An indirect measure of
                  this trend is the increasing amount of security threats
                  against mobile devices, which in turn created a demand for
                  protection tools. Protection tools, unfortunately, add an
                  additional burden for the smartphone's battery power, which
                  is a precious resource. This observation motivates the need
                  for smarter (security) applications, designed and capable of
                  running within adaptive energy goals. Although this problem
                  affects other areas, in the security area this research
                  direction is referred to as "green security". In general, a
                  fundamental need to the researches toward creating
                  energy-aware applications, consist in having appropriate
                  power models that capture the full dynamic of devices and
                  users. This is not an easy task because of the highly dynamic
                  environment and usage habits. In practice, this goal requires
                  easy mechanisms to measure the power consumption and
                  approaches to create accurate models. The existing approaches
                  that tackle this problem are either not accurate or not
                  applicable in practice due to their limiting requirements. We
                  propose MPower, a power-sensing platform and adaptive power
                  modeling platform for Android mobile devices. The MPower
                  approach creates an adequate and precise knowledge base of
                  the power "behavior" of several different devices and users,
                  which allows us to create better device-centric power models
                  that considers the main hardware components and how they
                  contributed to the overall power consumption. In this paper
                  we consolidate our perspective work on MPower by providing
                  the implementation details and evaluation on 278 users and
                  about 22.5 million power-related data. Also, we explain how
                  MPower is useful in those scenarios where low-power,
                  unobtrusive, accurate power modeling is necessary (e.g.,
                  green security applications).},
  DOI           = {10.1007/s11036-013-0470-y},
  ISSN          = {1383-469X},
  Date          = {2013-10-01},
  File          = {files/papers/journal-papers/nacci_mpower_article_2013.pdf}
}

@InProceedings{   maggi_andrototal_2013,
  ShortTitle    = {AndroTotal},
  Author        = {Maggi, Federico and Valdi, Andrea and Zanero, Stefano},
  Title         = {AndroTotal: A Flexible, Scalable Toolbox and Service for
                  Testing Mobile Malware Detectors},
  Publisher     = {ACM},
  BookTitle     = {Proceedings of the Third ACM Workshop on Security and
                  Privacy in Smartphones \& Mobile Devices},
  Series        = {SPSM '13},
  Pages         = {49--54},
  Location      = {New York, NY, USA},
  Abstract      = {Although there are controversial opinions regarding how
                  large the mobile malware phenomenon is in terms of absolute
                  numbers, hype aside, the amount of new Android malware
                  variants is increasing. This trend is mainly due to the fact
                  that, as it happened with traditional malware, the authors
                  are striving to repackage, obfuscate, or otherwise transform
                  the executable code of their malicious apps in order to evade
                  mobile security apps. There are about 85 of these apps only
                  on the official marketplace. However, it is not clear how
                  effective they are. Indeed, the sandboxing mechanism of
                  Android does not allow (security) apps to audit other apps.
                  We present AndroTotal, a publicly available tool, malware
                  repository and research framework that aims at mitigating the
                  above challenges, and allow researchers to automatically scan
                  Android apps against an arbitrary set of malware detectors.
                  We implemented AndroTotal and released it to the research
                  community in April 2013. So far, we collected 18,758 distinct
                  submitted samples and received the attention of several
                  research groups (1,000 distinct accounts), who integrated
                  their malware-analysis services with ours.},
  DOI           = {10.1145/2516760.2516768},
  ISBN          = {978-1-4503-2491-5},
  Date          = {2013-10},
  URL           = {http://doi.acm.org/10.1145/2516760.2516768},
  Keywords      = {workshop},
  File          = {files/papers/workshop-papers/maggi_andrototal_2013.pdf}
}

@Article{         dardanelli_cartox_article_2013,
  ShortTitle    = {CarToX},
  Author        = {Dardanelli, Andrea and Maggi, Federico and Tanelli, Mara and
                  Zanero, Stefano and Savaresi, Sergio M and Kochanek, Roman
                  and Holz, Thorsten},
  Title         = {A Security Layer for Smartphone-to-Vehicle Communication
                  over Bluetooth},
  JournalTitle  = {Embedded Systems Letters},
  Volume        = {5},
  Number        = {3},
  Pages         = {34--37},
  Abstract      = {Modern vehicles are increasingly being interconnected with
                  computer systems, which collect information both from
                  vehicular sources and Internet services. Unfortunately, this
                  creates a non negligible attack surface, which extends when
                  vehicles are partly operated via smartphones. In this letter,
                  a hierarchically distributed control system architecture
                  which integrates a smartphone with classical embedded systems
                  is presented, and an ad-hoc, end-to-end security layer is
                  designed to demonstrate how a smartphone can interact
                  securely with a modern vehicle without requiring
                  modifications to the existing in-vehicle network.
                  Experimental results demonstrate the effectiveness of the
                  approach.},
  DOI           = {10.1109/LES.2013.2264594},
  ISSN          = {1943-0663},
  Date          = {2013-06-21},
  File          = {files/papers/journal-papers/dardanelli_cartox_article_2013.pdf}
}

@InProceedings{   maggi_longshore_2013,
  ShortTitle    = {LongShore},
  Author        = {Maggi, Federico and Frossi, Alessandro and Zanero, Stefano
                  and Stringhini, Gianluca and Stone-Gross, Brett and Kruegel,
                  Christopher and Vigna, Giovanni},
  Title         = {Two years of short URLs internet measurement: security
                  threats and countermeasures},
  Publisher     = {International World Wide Web Conferences Steering
                  Committee},
  BookTitle     = {Proceedings of the 22nd international conference on World
                  Wide Web (WWW)},
  Pages         = {861--872},
  Location      = {Republic and Canton of Geneva, Switzerland},
  Abstract      = {URL shortening services have become extremely popular.
                  However, it is still unclear whether they are an effective
                  and reliable tool that can be leveraged to hide malicious
                  URLs, and to what extent these abuses can impact the end
                  users. With these questions in mind, we first analyzed
                  existing countermeasures adopted by popular shortening
                  services. Surprisingly, we found such countermeasures to be
                  ineffective and trivial to bypass. This first measurement
                  motivated us to proceed further with a large-scale collection
                  of the HTTP interactions that originate when web users access
                  live pages that contain short URLs. To this end, we monitored
                  622 distinct URL shortening services between March 2010 and
                  April 2012, and collected 24,953,881 distinct short URLs.
                  With this large dataset, we studied the abuse of short URLs.
                  Despite short URLs are a significant, new security risk, in
                  accordance with the reports resulting from the observation of
                  the overall phishing and spamming activity, we found that
                  only a relatively small fraction of users ever encountered
                  malicious short URLs. Interestingly, during the second year
                  of measurement, we noticed an increased percentage of short
                  URLs being abused for drive-by download campaigns and a
                  decreased percentage of short URLs being abused for spam
                  campaigns. In addition to these security-related findings,
                  our unique monitoring infrastructure and large dataset
                  allowed us to complement previous research on short URLs and
                  analyze these web services from the user's perspective.},
  ISBN          = {978-1-4503-2035-1},
  Date          = {2013-05},
  File          = {files/papers/conference-papers/maggi_longshore_2013.pdf}
}

@Unpublished{     maggi_andrototalmit_talk_2013,
  ShortTitle    = {AndroTotalMIT},
  Author        = {Maggi, Federico},
  Title         = {AndroTotal: A Scalable Framework for Android Antimalware
                  Testing},
  EventTitle    = {MIT CSAIL-POLIMI Workshop},
  Abstract      = {Although there are controversial opinions regarding how
                  large the mobile malware phenomenon is in terms of absolute
                  numbers, hype aside, the amount of new Android malware
                  variants is increasing. This trend is mainly due to the fact
                  that, as it happened with traditional malware, the authors
                  are striving to repackage, obfuscate, or otherwise transform
                  the executable code of their malicious apps in order to evade
                  mobile security apps. There are about 85 of these apps only
                  on the official marketplace. However, it is not clear how
                  effective they are. Indeed, the sandboxing mechanism of
                  Android does not allow (security) apps to audit other apps.
                  We present AndroTotal, a publicly available tool, malware
                  repository and research framework that aims at mitigating the
                  above challenges, and allow researchers to automatically scan
                  Android apps against an arbitrary set of malware detectors.
                  We implemented AndroTotal and released it to the research
                  community in April 2013. So far, we collected 18,758 distinct
                  submitted samples and received the attention of several
                  research groups (1,000 distinct accounts), who integrated
                  their malware-analysis services with ours.},
  Location      = {MIT, Boston, Massachussets, USA},
  Date          = {2013-05},
  HowPublished  = {Invited Talk},
  File          = {files/talks/maggi_andrototalmit_talk_2013.pdf}
}

@Thesis{          valdi_thesis_2013,
  Author        = {Valdi, Andrea},
  Title         = {AndroTotal: A Flexible Platform for Scalable Android
                  Antivirus Testing},
  Date          = {2013-04-22},
  Institution   = {Politecnico di Milano},
  URL           = {https://hdl.handle.net/10589/78622}
}

@Thesis{          schiavoni_thesis_2013,
  Author        = {Schiavoni, Stefano},
  Title         = {Finding, characterizing and tracking domain generation
                  algorithms from passive DNS monitoring},
  Date          = {2013-04-22},
  Institution   = {Politecnico di Milano},
  URL           = {https://hdl.handle.net/10589/78505}
}

@Thesis{          lancini_thesis_2013,
  Author        = {Lancini, Marco},
  Title         = {Social Authentication: Vulnerabilities, Mitigations and
                  Redesign},
  Date          = {2013-04-22},
  Institution   = {Politecnico di Milano},
  URL           = {https://hdl.handle.net/10589/78569}
}

@Thesis{          bosatelli_thesis_2013,
  Author        = {Bosatelli, Fabio},
  Title         = {Zarathustra: Detecting Banking Trojans via Automatic,
                  Platform-independent WebInjects Extraction},
  Date          = {2013-04-22},
  Institution   = {Politecnico di Milano},
  URL           = {https://hdl.handle.net/10589/78343}
}

@Unpublished{     maggi_soauth_talk_2013,
  ShortTitle    = {SoAuth},
  Author        = {Maggi, Federico},
  Title         = {Our Face are Belong to us: Breaking Facebook's Social
                  Authentication},
  EventTitle    = {Hek.si},
  Abstract      = {Two-factor authentication is widely used by high-value
                  services to prevent adversaries from compromising accounts
                  using stolen credentials. Facebook has recently released a
                  two-factor authentication mechanism, referred to as Social
                  Authentication, which requires users to identify some of
                  their friends in randomly selected photos. A recent study has
                  provided a formal analysis of social authentication
                  weaknesses against attackers inside the victim's social
                  circles. In this paper, we extend the threat model and study
                  the attack surface of social authentication in practice, and
                  show how any attacker can obtain the information needed to
                  solve the challenges presented by Facebook. We implement a
                  proof-of-concept system that utilizes widely available face
                  recognition software and cloud services, and evaluate it
                  using real public data collected from Facebook. Under the
                  assumptions of Facebook's threat model, our results show that
                  an attacker can obtain access to (sensitive) information for
                  at least 42\% of a user's friends that Facebook uses to
                  generate social authentication challenges. By relying solely
                  on publicly accessible information, a casual attacker can
                  solve 22\% of the social authentication tests in an automated
                  fashion, and gain a significant advantage for an additional
                  56\% of the tests, as opposed to just guessing. Additionally,
                  we simulate the scenario of a determined attacker placing
                  himself inside the victim's social circle by employing dummy
                  accounts. In this case, the accuracy of our attack greatly
                  increases and reaches 100\% when 120 faces per friend are
                  accessible by the attacker, even though it is very accurate
                  with as little as 10 faces.},
  Location      = {Ljubljana, Slovenia},
  Date          = {2013-04},
  HowPublished  = {Invited Talk},
  File          = {files/talks/maggi_soauth_talk_2013.pdf}
}

@InProceedings{   lindorfer_beagle_2012,
  ShortTitle    = {Beagle},
  Author        = {Lindorfer, Martina and Federico, Alessandro Di and Maggi,
                  Federico and Comparetti, Paolo Milani and Zanero, Stefano},
  Title         = {Lines of Malicious Code: Insights Into the Malicious
                  Software Industry},
  Publisher     = {ACM},
  BookTitle     = {Proceedings of the Annual Computer Security Applications
                  Conference (ACSAC)},
  Pages         = {349--358},
  Location      = {New York, NY, USA},
  Abstract      = {Malicious software installed on infected computers is a
                  fundamental component of online crime. Malware development
                  thus plays an essential role in the underground economy of
                  cyber-crime. Malware authors regularly update their software
                  to defeat defenses or to support new or improved criminal
                  business models. A large body of research has focused on
                  detecting malware, defending against it and identifying its
                  functionality. In addition to these goals, however, the
                  analysis of malware can provide a glimpse into the software
                  development industry that develops malicious code. In this
                  work, we present techniques to observe the evolution of a
                  malware family over time. First, we develop techniques to
                  compare versions of malicious code and quantify their
                  differences. Furthermore, we use behavior observed from
                  dynamic analysis to assign semantics to binary code and to
                  identify functional components within a malware binary. By
                  combining these techniques, we are able to monitor the
                  evolution of a malware's functional components. We implement
                  these techniques in a system we call BEAGLE, and apply it to
                  the observation of 16 malware strains over several months.
                  The results of these experiments provide insight into the
                  effort involved in updating malware code, and show that
                  BEAGLE can identify changes to individual malware
                  components.},
  DOI           = {10.1145/2420950.2421001},
  ISBN          = {978-1-4503-1312-4},
  Date          = {2012-12-03},
  File          = {files/papers/conference-papers/lindorfer_beagle_2012.pdf}
}

@InProceedings{   polakis_soauth_2012,
  ShortTitle    = {SoAuth},
  Author        = {Polakis, Jason and Lancini, Marco and Kontaxis, Georgios and
                  Maggi, Federico and Ioannidis, Sotiris and Keromytis, Angelos
                  and Zanero, Stefano},
  Title         = {All Your Face Are Belong to Us: Breaking Facebook's Social
                  Authentication},
  Publisher     = {ACM},
  BookTitle     = {Proceedings of the Annual Computer Security Applications
                  Conference (ACSAC)},
  Pages         = {399--408},
  Location      = {New York, NY, USA},
  Abstract      = {Two-factor authentication is widely used by high-value
                  services to prevent adversaries from compromising accounts
                  using stolen credentials. Facebook has recently released a
                  two-factor authentication mechanism, referred to as Social
                  Authentication, which requires users to identify some of
                  their friends in randomly selected photos. A recent study has
                  provided a formal analysis of social authentication
                  weaknesses against attackers inside the victim's social
                  circles. In this paper, we extend the threat model and study
                  the attack surface of social authentication in practice, and
                  show how any attacker can obtain the information needed to
                  solve the challenges presented by Facebook. We implement a
                  proof-of-concept system that utilizes widely available face
                  recognition software and cloud services, and evaluate it
                  using real public data collected from Facebook. Under the
                  assumptions of Facebook's threat model, our results show that
                  an attacker can obtain access to (sensitive) information for
                  at least 42\% of a user's friends that Facebook uses to
                  generate social authentication challenges. By relying solely
                  on publicly accessible information, a casual attacker can
                  solve 22\% of the social authentication tests in an automated
                  fashion, and gain a significant advantage for an additional
                  56\% of the tests, as opposed to just guessing. Additionally,
                  we simulate the scenario of a determined attacker placing
                  himself inside the victim's social circle by employing dummy
                  accounts. In this case, the accuracy of our attack greatly
                  increases and reaches 100\% when 120 faces per friend are
                  accessible by the attacker, even though it is very accurate
                  with as little as 10 faces.},
  DOI           = {10.1145/2420950.2421008},
  ISBN          = {978-1-4503-1312-4},
  Date          = {2012-12-03},
  File          = {files/papers/conference-papers/polakis_soauth_2012.pdf}
}

@TechReport{      kochanek_cartox_tr_2012,
  ShortTitle    = {CarToX},
  Author        = {Kochanek, Roman and Dardanelli, Andrea and Maggi, Federico
                  and Zanero, Stefano and Tanelli, Mara and Savaresi, Sergio
                  and Holz, Thorsten},
  Title         = {Secure Integration of Mobile Devices for Automotive
                  Services},
  Institution   = {Politecnico di Milano},
  Number        = {2012-09},
  Abstract      = {Modern vehicles, and in particular electric vehicles, are
                  increasingly being equipped with interconnected computer
                  systems, which collect information through vehicular sources
                  and remote, Internet-connected services. Unfortunately, this
                  creates a non-negligible attack surface, which extends even
                  more when vehicles are integrated with smartphones to offer
                  advanced services. In fact, embedded systems on vehicles have
                  been developed to address safety, not security requirements.
                  Furthermore, vehicles have real-time constraints, and the
                  typical embedded architectures used on board significantly
                  complicate security designs. In this paper, we introduce a
                  communication framework that addresses these challenges and
                  we demonstrate how a smartphone can interact with a vehicle
                  in a secure and safe manner. To this end, we design a
                  security session layer that ensures end-to-end security
                  transparently. We conduct an experimental evaluation on a
                  real implementation of our security layer, which shows that
                  our solution is practical and easy to use, satisfies
                  performance constraints, and meets real-time requirements by
                  taking into account the limited capabilities of our target
                  architecture. More precisely, we implement our approach for
                  an electrically-powered two-wheeler manufactured by Piaggio,
                  and show how a smartphone can interact via a wireless link
                  with the battery-life controller in a secure manner.
                  Interestingly, our approach is not limited to vehicles, but
                  can be used in other application domains where a smartphone
                  needs to securely interact with an embedded device.},
  Date          = {2012-06-01},
  File          = {files/papers/reports/kochanek_cartox_tr_2012.pdf}
}

@Unpublished{     maggi_longshore_talk_2012,
  ShortTitle    = {LongShore},
  Author        = {Maggi, Federico},
  Title         = {The Long Story of Short URLs},
  EventTitle    = {ISG Research Seminars},
  Abstract      = {I gave a talk based on these slides for the first time at
                  Royal Holloway University of London, in April 2012. This talk
                  discusses the results of a research that we have conducted
                  about the impact on users of short URLs. I describe a system
                  that we designed, implemented, and deployed that observes and
                  collects the short URLs that more than 7,000 real web users
                  have encountered while browsing the Web between March 2010
                  and April 2011 (and counting). On this dataset, which
                  comprises 16,075,693 distinct short URLs, we first precisely
                  characterized the usage habits observed during our collection
                  process, and the content typically referred by short URLs:
                  Users exhibit different usage habits depending on the type of
                  content they are using short URLs for. We then analyzed the
                  abuse of short URLs to hide the true URL of malicious pages:
                  This practice is not widespread, although we noticed that the
                  miscreants tend to post the same malicious short URL on
                  multiple pages. Finally, we analyzed the countermeasures of
                  shortening services against abuses of short URLs, and found
                  that they are trivially bypassed by shortening a benign URL
                  that turns malicious only a few moments after submitting it
                  to the shortening service.},
  Location      = {Royal Holloway University of London},
  Date          = {2012-05-01},
  HowPublished  = {Invited Talk},
  File          = {files/talks/maggi_longshore_talk_2012.pdf}
}

@Thesis{          zucchinali_thesis_2012,
  Author        = {Zucchinali, Riccardo},
  Title         = {ScriptShark: Analisi semi-statica del codice JavaScript per
                  la protezione da attacchi informatici},
  Date          = {2012-04-23},
  Institution   = {Politecnico di Milano},
  URL           = {https://hdl.handle.net/10589/52322<Paste>}
}

@InProceedings{   maggi_phdthesispaper_2012,
  ShortTitle    = {PhDThesisPaper},
  Author        = {Maggi, Federico and Zanero, Stefano},
  Title         = {Integrated Detection of Anomalous Behavior of Computer
                  Infrastructures},
  Publisher     = {IEEE},
  BookTitle     = {Proceedings of the IEEE/IFIP Network Operations and
                  Management Symposium (NOMS)},
  Pages         = {866--871},
  Abstract      = {Our research concentrates on anomaly detection techniques,
                  which have both industrial applications such as network
                  monitoring and protection, as well as research applications
                  such as software behavioral analysis or malware
                  classification. During our doctoral research, we worked on
                  anomaly detection from three different perspective, as a
                  complex computer infrastructure has several weak spots that
                  must be protected. We first focused on the operating system,
                  central to any computer, to avoid malicious code to subvert
                  its normal activity. Secondly, we concentrated on web
                  applications, which are the main interface to modern
                  computing: Because of their immense popularity, they have
                  indeed become the most targeted entry point of intrusions.
                  Last, we developed novel techniques with the aim of
                  identifying related events (e.g., alerts reported by
                  intrusion detection systems) to build new and more compact
                  knowledge to detect malicious activity on large-scale
                  systems. During our research we enhanced existing anomaly
                  detection tools and also contributed with new ones. Such
                  tools have been tested over different datasets, both
                  synthetic data and real network traffic, and lead to
                  interesting results that were accepted for publication at
                  main security venues.},
  DOI           = {10.1109/NOMS.2012.6212001},
  ISBN          = {978-1-4673-0269-2},
  Date          = {2012-04-16},
  File          = {files/papers/conference-papers/maggi_phdthesispaper_2012.pdf}
}

@InProceedings{   maggi_avlabelling_2011,
  ShortTitle    = {AVLabelling},
  Author        = {Maggi, Federico and Bellini, Andrea and Salvaneschi, Guido
                  and Zanero, Stefano},
  Title         = {Finding Non-trivial Malware Naming Inconsistencies},
  Publisher     = {Springer-Verlag},
  BookTitle     = {Proceedings of the 7th International Conference on
                  Information Systems Security (ICISS)},
  Volume        = {7093},
  Series        = {Lecture Notes in Computer Science},
  Pages         = {144--159},
  Abstract      = {Malware analysts, and in particular antivirus vendors, never
                  agreed on a single naming convention for malware specimens.
                  This leads to confusion and difficulty more for researchers
                  than for practitioners for example, when comparing coverage
                  of different antivirus engines, when integrating and
                  systematizing known threats, or comparing the classifications
                  given by different detectors. Clearly, solving naming
                  inconsistencies is a very difficult task, as it requires that
                  vendors agree on a unified naming convention. More
                  importantly, solving inconsistencies is impossible without
                  knowing exactly where they are. Therefore, in this paper we
                  take a step back and concentrate on the problem of finding
                  inconsistencies. To this end, we first represent each
                  vendor's naming convention with a graph-based model. Second,
                  we give a precise definition of inconsistency with respect to
                  these models. Third, we define two quantitative measures to
                  calculate the overall degree of inconsistency between
                  vendors. In addition, we propose a fast algorithm that finds
                  non-trivial (i.e., beyond syntactic differences)
                  inconsistencies. Our experiments on four major antivirus
                  vendors and 98,798 real-world malware samples confirm
                  anecdotal observations that different vendors name viruses
                  differently. More importantly, we were able to find
                  inconsistencies that cannot be inferred at all by looking
                  solely at the syntax.},
  DOI           = {10.1007/978-3-642-25560-1_10},
  Date          = {2011-12-15},
  File          = {files/papers/conference-papers/maggi_avlabelling_2011.pdf}
}

@InProceedings{   maggi_iclearshot_2011,
  ShortTitle    = {iClearshot},
  Author        = {Maggi, Federico and Volpatto, Alberto and Gasparini, Simone
                  and Boracchi, Giacomo and Zanero, Stefano},
  Title         = {A Fast Eavesdropping Attack Against Touchscreens},
  BookTitle     = {Proceedings of the 7th International Conference on
                  Information Assurance and Security (IAS)},
  Pages         = {320--325},
  Abstract      = {The pervasiveness of mobile devices increases the risk of
                  exposing sensitive information on the go. In this paper, we
                  arise this concern by presenting an automatic attack against
                  modern touchscreen keyboards. We demonstrate the attack
                  against the Apple iPhone 2010's most popular touchscreen
                  device although it can be adapted to other devices (e.g.,
                  Android) that employ similar key-magnifying keyboards. Our
                  attack processes the stream of frames from a video camera
                  (e.g., surveillance or portable camera) and recognizes
                  keystrokes online, in a fraction of the time needed to
                  perform the same task by direct observation or offline
                  analysis of a recorded video, which can be unfeasible for
                  large amount of data. Our attack detects, tracks, and
                  rectifies the target touchscreen, thus following the device
                  or camera's movements and eliminating possible perspective
                  distortions and rotations In real-world settings, our attack
                  can automatically recognize up to 97.07 percent of the
                  keystrokes (91.03 on average), with 1.15 percent of errors
                  (3.16 on average) at a speed ranging from 37 to 51 keystrokes
                  per minute.},
  DOI           = {10.1109/ISIAS.2011.6122840},
  ISBN          = {978-1-4577-2154-0},
  Date          = {2011-12-05},
  File          = {files/papers/conference-papers/maggi_iclearshot_2011.pdf}
}

@Unpublished{     maggi_isnoop_talk_2011,
  ShortTitle    = {iSnoop},
  Author        = {Maggi, Federico and Volpatto, Alberto and Zanero, Stefano},
  Title         = {iSnoop: How to Steal Secrets From Touchscreen Devices},
  EventTitle    = {Black Hat Briefings Abu Dhabi},
  Abstract      = {Spying on a person is an easy and effective method to obtain
                  sensitive informations, even when the victim is well
                  protected against common digital attacks. Modern mobile
                  devices allow people to perform some information sensitive
                  actions in unsafe places, where anyone could easily observe
                  the victim while typing. What if your mobile phone has a cool
                  touchscreen interface that gives you graphical feedback as
                  you type (iPhone, Android, BlackBerry Torch)? Does it make
                  shoulder surfing easier or, worse, automatable?
                  
                  We believe so, and to demonstrate it, we developed a
                  practical shoulder surfing attack that automatically
                  reconstructs the sequence of keystrokes by aiming a camera at
                  the target touchscreen while the victim is typing. Our attack
                  exploits feedback such as magnified keys, often appearing in
                  predictable positions. This feedback mechanism has been
                  adopted by the top three touchscreen vendors (Apple iOS,
                  Google Android, RIM BlackBerry); in newer version of these
                  mobile OSs, the user has no way to disable it. To demonstrate
                  the effectiveness of our approach, we implemented it against
                  the iPhone (the most popular one), but it can be easily
                  adapted to similar devices with minor modifications.
                  
                  Our attack takes into account that, in real-world scenarios,
                  both the victim's device and attacker's spying camera are not
                  standing in fixed positions. To compensate their movements
                  and misalignments, our system detects and rectifies the
                  target screen before identifying keystokes. By doing that, we
                  are able to automatically recognize up to 97.07\% of the
                  keystrokes, with as low as 1.15\% errors and an average
                  processing speed that makes it a fast and quasi-real-time
                  alternative to shoulder surfing.},
  Location      = {Abu Dhabi},
  Date          = {2011-12},
  URL           = {https://www.blackhat.com/html/bh-ad-11/bh-ad-11-archives.html},
  HowPublished  = {Peer-reviewed Talk},
  File          = {files/talks/maggi_isnoop_talk_2011.pdf}
}

@Thesis{          fossemò_thesis_2011,
  Author        = {Fossemò, Manuel},
  Title         = {Automated Collection and Analysis of Runtime-Generated
                  Strings in a Web Browser},
  Date          = {2011-10-04},
  Institution   = {Politecnico di Milano},
  URL           = {https://hdl.handle.net/10589/29001}
}

@InProceedings{   maggi_iclearshotposter_2011,
  ShortTitle    = {iClearshotPoster},
  Author        = {Maggi, Federico and Volpatto, Alberto and Gasparini, Simone
                  and Boracchi, Giacomo and Zanero, Stefano},
  Title         = {POSTER: Fast, Automatic iPhone Shoulder Surfing},
  Publisher     = {ACM},
  BookTitle     = {Proceedings of the 18th Conference on Computer and
                  Communication Security (CCS)},
  Abstract      = {Touchscreen devices increase the risk of shoulder surfing to
                  such an extent that attackers could steal sensitive
                  information by simply following the victim and observe his or
                  her portable device. We underline this concern by proposing
                  an automatic shoulder surfing attack against modern
                  touchscreen keyboards that display magnified keys in
                  predictable positions. We demonstrate this attack against the
                  Apple iPhone although it can work with other layouts and
                  different devices and show that it recognizes up to 97.07\%
                  (91.03\% on average) of the keystrokes, with only 1.15\% of
                  errors, at 37 to 51 keystrokes per minute: About eight times
                  faster than a human analyzing a recorded video. Our attack
                  accurately recovers the sequence of keystrokes input by the
                  user. A previous attack, which targeted desktop scenarios and
                  thus worked with very restrictive settings, is similar in
                  spirit to ours. However, as it assumes that camera and target
                  keyboard are both in fixed, perpendicular position, it cannot
                  suite mobile settings, characterized by moving target and
                  skewed, rotated viewpoints. Our attack, instead, requires no
                  particular settings and even allows for natural movements of
                  both target device and shoulder surfer's camera. In addition,
                  our attack yields accurate output without any grammar or
                  syntax checks, so that it can detect large context-free text
                  or non-dictionary words.},
  DOI           = {10.1145/2093476.2093498},
  Date          = {2011-10-01},
  File          = {files/papers/conference-papers/maggi_iclearshotposter_2011.pdf}
}

@Thesis{          di-mario_thesis_2011,
  Author        = {Di Mario, Luca},
  Title         = {BURN: Baring Unknown Rogue Networks},
  Date          = {2011-07-20},
  Institution   = {Politecnico di Milano},
  URL           = {https://hdl.handle.net/10589/21503}
}

@InProceedings{   maggi_syssecpolimi_2011,
  ShortTitle    = {SysSecPOLIMI},
  Author        = {Maggi, Federico and Zanero, Stefano},
  Title         = {System Security research at Politecnico di Milano},
  Publisher     = {IEEE Computer Society},
  BookTitle     = {Proceedings of the 1st SysSec Workshop (SysSec)},
  Abstract      = {This paper summarizes the past, present and future lines of
                  research in the systems security area pursued by the
                  Performance Evaluation Lab of Politecnico di Milano. We
                  describe our past research in the area of learning algorithms
                  applied to intrusion detection, our current work in the area
                  of malware analysis, and our future research outlook,
                  oriented to the cloud, to mobile device security, and to
                  cyber-physical systems.},
  DOI           = {10.1109/SysSec.2011.30},
  Date          = {2011-07-06},
  Keywords      = {workshop},
  File          = {files/papers/workshop-papers/maggi_syssecpolimi_2011.pdf}
}

@InProceedings{   roveta_burn_2011,
  ShortTitle    = {BURN},
  Author        = {Roveta, Francesco and Di Mario, Luca and Maggi, Federico and
                  Caviglia, Giorgio and Zanero, Stefano and Ciuccarelli,
                  Paolo},
  Title         = {BURN: Baring Unknown Rogue Networks},
  Publisher     = {ACM},
  BookTitle     = {Proceedings of the 8th International Symposium on
                  Visualization for Cyber Security (VizSec)},
  Pages         = {6:1--6:10},
  Location      = {New York, NY, USA},
  Abstract      = {Manual analysis of security-related events is still a
                  necessity to investigate non-trivial cyber attacks. This task
                  is particularly hard when the events involve slow, stealthy
                  and large-scale activities typical of the modern
                  cybercriminals' strategy. In this regard, visualization tools
                  can effectively help analysts in their investigations. In
                  this paper, we present BURN, an interactive visualization
                  tool for displaying autonomous systems exhibiting rogue
                  activity that helps at finding misbehaving networks through
                  visual and interactive exploration. Up to seven values are
                  displayed in a single visual element, while avoiding
                  cumbersome and confusing maps. To this end, animations and
                  alpha channels are leveraged to create simple views that
                  highlight relevant activity patterns. In addition, BURN
                  incorporates a simple algorithm to identify migrations of
                  nefarious services across autonomous systems, which can
                  support, for instance, root-cause analysis and law
                  enforcement investigations.},
  DOI           = {10.1145/2016904.2016910},
  ISBN          = {978-1-4503-0679-9},
  Date          = {2011-06-20},
  File          = {files/papers/conference-papers/roveta_burn_2011.pdf}
}

@InProceedings{   maggi_cloudids_2011,
  ShortTitle    = {CloudIDS},
  Author        = {Maggi, Federico and Zanero, Stefano},
  Title         = {Is the future Web more insecure? Distractions and solutions
                  of new-old security issues and measures},
  Publisher     = {EWI},
  BookTitle     = {Proceedings of the Worldwide Cybersecurity Summit},
  Pages         = {1--9},
  Abstract      = {The world of information and communication technology is
                  experiencing changes that, regardless of some skepticism, are
                  bringing to life the concept of ``utility computing''. The
                  nostalgics observed a parallel between the emerging paradigm
                  of cloud computing and the traditional time-sharing era,
                  depicting clouds as the modern reincarnation of mainframes
                  available on a pay-per-use basis, and equipped with virtual,
                  elastic, disks-as-a-service that replace the old physical
                  disks with quotas. This comparison is fascinating, but more
                  importantly, in our opinion, it prepares the ground for
                  constructive critiques regarding the security of such a
                  computing paradigm and, especially, one of its key
                  components: web services. In this paper we discuss our
                  position about the current countermeasures (e.g., intrusion
                  detection systems, anti-malware), developed to mitigate
                  well-known web security threats. By reasoning on said
                  affinities, we focus on the simple case study of
                  anomaly-based approaches, which are employed in many modern
                  protection tools, not just in intrusion detectors. We
                  illustrate our position by the means of a simple running
                  example and show that attacks against injection
                  vulnerabilities, a widespread menace that is easily
                  recognizable with ordinary anomaly-based checks, can be
                  difficult to detect if web services are protected as they
                  were regular web applications. Along this line, we
                  concentrate on a few, critical hypotheses that demand
                  particular attention. Although in this emerging landscape
                  only a minority of threats qualify as novel, they could be
                  difficult to recognize with the current countermeasures and
                  thus can expose web services to new attacks. We conclude by
                  proposing simple modifications to the current countermeasures
                  to cope with the aforesaid security issues.},
  ISBN          = {978-1-4577-1449-8},
  Date          = {2011-06-01},
  File          = {files/papers/conference-papers/maggi_cloudids_2011.pdf}
}

@InProceedings{   maggi_phonephishinghoneypot_2011,
  ShortTitle    = {PhonePhishingHoneypot},
  Author        = {Maggi, Federico and Sisto, Alessandro and Zanero, Stefano},
  Title         = {A social-engineering-centric data collection initiative to
                  study phishing},
  Publisher     = {ACM},
  BookTitle     = {Proceedings of the First Workshop on Building Analysis
                  Datasets and Gathering Experience Returns for Security
                  (BADGERS)},
  Pages         = {107--108},
  Location      = {New York, NY, USA},
  Abstract      = {Phishers nowadays rely on a variety of channels, ranging
                  from old-fashioned emails to instant messages, social
                  networks, and the phone system (with both calls and text
                  messages), with the goal of reaching more victims. As a
                  consequence, modern phishing became a multi-faceted, even
                  more pervasive threat that is inherently more difficult to
                  study than traditional, email-based phishing. This short
                  paper describes the status of a data collection system we are
                  developing to capture different aspects of phishing
                  campaigns, with a particular focus on the emerging use of the
                  voice channel. The general approach is to record inbound
                  calls received on decoy phone lines, place outbound calls to
                  the same caller identifiers (when available) and also to
                  telephone numbers obtained from different sources.
                  Specifically, our system analyzes instant messages (e.g.,
                  automated social engineering attempts) and suspicious emails
                  (e.g., spam, phishing), and extracts telephone numbers, URLs
                  and popular words from the content. In addition, users can
                  voluntarily submit voice phishing (vishing) attempts through
                  a public website. Extracted telephone numbers, URLs and
                  popular words will be correlated to recognize campaigns by
                  means of cross-channel relationships between messages.},
  DOI           = {10.1145/1978672.1978687},
  ISBN          = {978-1-4503-0768-0},
  Date          = {2011-04-10},
  Keywords      = {workshop},
  File          = {files/papers/workshop-papers/maggi_phonephishinghoneypot_2011.pdf}
}

@Thesis{          bellini_thesis_2011,
  Author        = {Bellini, Andrea},
  Title         = {Uno studio sistematico delle inconsistenze nei nomi dei
                  malware},
  Date          = {2011-03-31},
  Institution   = {Politecnico di Milano},
  URL           = {https://hdl.handle.net/10589/17142}
}

@InProceedings{   volpatto_cooperativeids_2010,
  ShortTitle    = {CooperativeIDS},
  Author        = {Volpatto, Alberto and Maggi, Federico and Zanero, Stefano},
  Title         = {Effective Multimodel Anomaly Detection Using Cooperative
                  Negotiation},
  Publisher     = {Springer Berlin/Heidelberg},
  BookTitle     = {Proceedings of the Decision and Game Theory for Security
                  (GameSec)},
  Volume        = {6442},
  Series        = {Lecture Notes in Computer Science},
  Pages         = {180--191},
  DOI           = {10.1007/978-3-642-17197-0_12},
  ISBN          = {978-3-642-17196-3},
  Date          = {2010-11-22},
  File          = {files/papers/conference-papers/volpatto_cooperativeids_2010.pdf}
}

@TechReport{      maggi_cloudids_tr_2010,
  ShortTitle    = {CloudIDS},
  Author        = {Maggi, Federico and Zanero, Stefano},
  Title         = {Rethinking security in a cloudy world},
  Institution   = {Politecnico di Milano},
  Number        = {2010-11},
  Abstract      = {The world of information and communication technology is
                  experiencing changes that, regardless of some skepticism, are
                  bringing to life the concept of ``utility computing''. The
                  nostalgics observed a parallel between the emerging paradigm
                  of cloud computing and the traditional time-sharing era,
                  depicting clouds as the modern reincarnation of mainframes
                  available on a pay-per-use basis, and equipped with virtual,
                  elastic, paid disks-as-a-service that replace the old
                  physical disks with quotas. This comparison is fascinating,
                  but more importantly, in our opinion, it prepares the ground
                  for constructive critiques regarding the security of such
                  computing paradigm. In this paper we explore similar
                  analogies to discuss our position about the current
                  countermeasures (e.g., intrusion detection systems,
                  anti-viruses), developed to mitigate well-known security
                  threats. By reasoning on said affinities, we focus on the
                  simple case of anomaly-based approaches, which are employed
                  in many modern protection tools, not just in intrusion
                  detectors. We illustrate our position by the means of a
                  simple running example and show that attacks against
                  injection vulnerabilities, a current menace that is easily
                  recognizable with ordinary anomaly-based checks, can be
                  difficult to detect if web services are assumed to be regular
                  web applications. Along this line, we concentrate on a few,
                  critical hypotheses that demand particular attention. We
                  conclude that, although only a minority of threats qualify as
                  novel, they are well camouflaged and can be difficult to
                  recognize behind the confusion caused by the cloud computing
                  excitement.},
  Date          = {2010-11-11},
  File          = {files/papers/reports/maggi_cloudids_tr_2010.pdf}
}

@TechReport{      maggi_iclearshot_tr_2010,
  ShortTitle    = {iClearshot},
  Author        = {Maggi, Federico and Volpatto, Alberto and Gasparini, Simone
                  and Boracchi, Giacomo and Zanero, Stefano},
  Title         = {Don't touch a word! A practical input eavesdropping attack
                  against mobile touchscreen devices},
  Institution   = {Politecnico di Milano},
  Number        = {2010-59},
  Abstract      = {Spying on a person is a subtle, yet easy and reliable method
                  to obtain sensitive information. Even if the victim is well
                  protected from digital attacks, spying may be a viable
                  option. In addition, the pervasiveness of mobile devices
                  increases an attacker's opportunities to observe the victims
                  while they are accessing or entering sensitive information.
                  This risk is exacerbated by the remarkable user-friendliness
                  of modern, mobile graphical interfaces, which, for example,
                  display visual feedback to improve the user experience and
                  make common tasks, \$\ensuremath{\backslash}backslash\$eg,
                  typing, more natural. Unfortunately, this turns into the
                  well-known trade-off between usability and security. In this
                  work, we focus on how usability of modern mobile interfaces
                  may affect the users' privacy. In particular, we describe a
                  practical eavesdropping attack, able to recognize the
                  sequence of keystrokes from a low-resolution video, recorded
                  while the victim is typing on a touchscreen. Our attack
                  exploits the fact that modern virtual keyboards, as opposed
                  to mechanical ones, often display magnified, virtual keys in
                  predictable positions. To demonstrate the feasibility of this
                  attack we implemented it against 2010's most popular
                  smart-phone (i.e., Apple's iPhone). Our approach works under
                  realistic conditions, because it tracks and rectifies the
                  target screen according to the victim's natural movements,
                  before performing the keystroke recognition. On real-world
                  settings, our attack can automatically recognize up to
                  97.07\% (91.03\% on average) of the keystrokes, with a 1.15\%
                  error rate and a speed between 37 and 51 keystrokes per
                  minute. This work confirms that touchscreen keyboards that
                  magnify keys make automatic eavesdropping attacks easier than
                  in classic mobile keyboards.},
  Date          = {2010-11-01},
  File          = {files/papers/reports/maggi_iclearshot_tr_2010.pdf}
}

@InProceedings{   maggi_phonephishing_2010,
  ShortTitle    = {PhonePhishing},
  Author        = {Maggi, Federico},
  Title         = {Are the Con Artists Back? A Preliminary Analysis of Modern
                  Phone Frauds},
  Publisher     = {IEEE Computer Society},
  BookTitle     = {Proceedings of the International Conference on Computer and
                  Information Technology (CIT)},
  Pages         = {824--831},
  Abstract      = {Phishing is the practice of eliciting a person's
                  confidential information such as name, date of birth or
                  credit card details. Typically, the phishers use simple
                  technologies (e.g., e-mailing) to spread social engineering
                  attacks with the goal of persuading a large amount of victims
                  into voluntarily disclose sensitive data. Phishing based on
                  e-mail and web technologies is certainly the most popular
                  form. It has indeed received ample attention and some
                  mitigation measures have been implemented. In this paper we
                  describe our study on vishing (voice phishing), a form of
                  phishing where the scammers exploit the phone channel to ask
                  for sensitive information, rather than sending e-mails and
                  cloning trustworthy websites. In some sense, the traditional
                  ala-Mitnick phone scams are streamlined by attackers using
                  techniques that are typical of modern, e-mail-based phishing.
                  We detail our analysis of an embryonic, real-world database
                  of vishing attacks reported by victims through a
                  publicly-available web application that we build for this
                  purpose. The vishing activity that we registered in our
                  preliminary analysis is targeted against the U.S. customers.
                  According to our samples, we analyzed to what extent the
                  criminals rely on automated responders to streamline the
                  vishing campaigns. In addition, we analyzed the content of
                  the conversations and found that words such as 'credit',
                  'press' (a key) or 'account' are fairly popular. In addition,
                  we describe the data collection infrastructure and motivate
                  why gathering data about vishing is more difficult than for
                  regular e-mail phishing.},
  DOI           = {10.1109/CIT.2010.156},
  ISBN          = {978-0-7695-4108-2},
  Date          = {2010-06-29},
  File          = {files/papers/conference-papers/maggi_phonephishing_2010.pdf}
}

@InProceedings{   maggi_traces_2010,
  ShortTitle    = {Traces},
  Author        = {Maggi, Federico},
  Title         = {A Recognizer of Rational Trace Languages},
  Publisher     = {IEEE Computer Society},
  BookTitle     = {Proceedings of the International Conference on Computer and
                  Information Technology (CIT)},
  Pages         = {257--264},
  Abstract      = {A one-pass recognition algorithm is presented to solve the
                  membership problem for rational trace languages. The
                  algorithm is detailed through the formal specification of the
                  Buffer Machine, a non-deterministic, finite-state automaton
                  with multiple buffers that can solve the membership problem
                  in polynomial time. The performances and characteristics of
                  the proposed solution are evaluated on a testbed
                  implementation using pseudo-random traces, strings, languages
                  and dependency relations.},
  DOI           = {10.1109/CIT.2010.77},
  ISBN          = {978-0-7695-4108-2},
  Date          = {2010-06},
  File          = {files/papers/conference-papers/maggi_traces_2010.pdf}
}

@InProceedings{   robertson_longtail_2010,
  ShortTitle    = {LongTail},
  Author        = {Robertson, William and Maggi, Federico and Kruegel,
                  Christopher and Vigna, Giovanni},
  Title         = {Effective Anomaly Detection with Scarce Training Data},
  Publisher     = {The Internet Society},
  BookTitle     = {Proceedings of the Network and Distributed System Security
                  Symposium (NDSS)},
  Abstract      = {Learning-based anomaly detection has proven to be an
                  effective black-box technique for detecting unknown attacks.
                  However, the effectiveness of this technique crucially
                  depends upon both the quality and the completeness of the
                  training data. Unfortunately, in most cases, the traffic to
                  the system (e.g., a web application or daemon process)
                  protected by an anomaly detector is not uniformly
                  distributed. Therefore, some components (e.g.,
                  authentication, payments, or content publishing) might not be
                  exercised enough to train an anomaly detection system in a
                  reasonable time frame. This is of particular importance in
                  real-world settings, where anomaly detection systems are
                  deployed with little or no manual configuration, and they are
                  expected to automatically learn the normal behavior of a
                  system to detect or block attacks. In this work, we first
                  demonstrate that the features utilized to train a
                  learning-based detector can be semantically grouped, and that
                  features of the same group tend to induce similar models.
                  Therefore, we propose addressing local training data
                  deficiencies by exploiting clustering techniques to construct
                  a knowledge base of well-trained models that can be utilized
                  in case of undertraining. Our approach, which is independent
                  of the particular type of anomaly detector employed, is
                  validated using the realistic case of a learning-based system
                  protecting a pool of web servers running several web
                  applications such as blogs, forums, or Web services. We run
                  our experiments on a real-world data set containing over 58
                  million HTTP requests to more than 36,000 distinct web
                  application components. The results show that by using the
                  proposed solution, it is possible to achieve effective attack
                  detection even with scarce training data.},
  DOI           = {10.1.1.183.3323},
  Date          = {2010-03-01},
  File          = {files/papers/conference-papers/robertson_longtail_2010.pdf}
}

@Unpublished{     maggi_phdthesisfbk_talk_2010,
  ShortTitle    = {PhDThesisFBK},
  Author        = {Maggi, Federico},
  Title         = {Detecting Anomalous Behaviors in Computer Infrastructures},
  Location      = {Fondazione Bruno Kessler, Trento},
  Date          = {2010-02-25},
  HowPublished  = {Invited Talk},
  File          = {files/talks/maggi_phdthesisfbk_talk_2010.pdf}
}

@Unpublished{     maggi_justintime_talk_2010,
  ShortTitle    = {JustInTime},
  Author        = {Maggi, Federico},
  Title         = {Just-in-Time Training of Anomaly Detectors},
  EventTitle    = {Computer Systems Seminar},
  Location      = {Vrije Universiteit, Amsterdam},
  Date          = {2010-01-21},
  HowPublished  = {Invited Talk},
  File          = {files/talks/maggi_justintime_talk_2010.pdf}
}

@PhdThesis{       maggi_phdthesis_2010,
  Author        = {Maggi, Federico},
  Title         = {Integrated Detection of Anomalous Behavior of Computer
                  Infrastructures},
  Date          = {2010},
  shortitle     = {PhDThesis},
  Location      = {Milano, Italy},
  URL           = {https://github.com/phretor/cs-phd-dissertation-latex-template},
  Abstract      = {This dissertation details our research on anomaly detection
                  techniques, that are central to several classic
                  security-related tasks such as network monitoring, but it
                  also have broader applications such as program behavior
                  characterization or malware classification. In particular, we
                  worked on anomaly detection from three different perspective,
                  with the common goal of recognizing awkward activity on
                  computer infrastructures. In fact, a computer system has
                  several weak spots that must be protected to avoid attackers
                  to take advantage of them. We focused on protecting the
                  operating system, central to any computer, to avoid malicious
                  code to subvert its normal activity. Secondly, we
                  concentrated on protecting the web applications, which can be
                  considered the modern, shared operating systems; because of
                  their immense popularity, they have indeed become the most
                  targeted entry point to violate a system. Last, we
                  experimented with novel techniques with the aim of
                  identifying related events (e.g., alerts reported by
                  intrusion detection systems) to build new and more compact
                  knowledge to detect malicious activity on large-scale
                  systems.
                  
                  Our contributions regarding host-based protection systems
                  focus on characterizing a process' behavior through the
                  system calls invoked into the kernel. In particular, we
                  engineered and carefully tested different versions of a
                  multi-model detection system using both stochastic and
                  deterministic models to capture the features of the system
                  calls during normal operation of the operating system.
                  Besides demonstrating the effectiveness of our approaches, we
                  confirmed that the use of finite-state, deterministic models
                  allow to detect deviations from the process' control flow
                  with the highest accuracy; however, our contribution combine
                  this effectiveness with advanced models for the system calls'
                  arguments resulting in a significantly decreased number of
                  false alarms.
                  
                  Our contributions regarding web-based protection systems
                  focus on advanced training procedures to enable learning
                  systems to perform well even in presence of changes in the
                  web application source code---particularly frequent in the
                  Web 2.0 era. We also addressed data scarcity issues that is a
                  real problem when deploying an anomaly detector to protect a
                  new, never-used-before application. Both these issues
                  dramatically decrease the detection capabilities of an
                  intrusion detection system but can be effectively mitigated
                  by adopting the techniques we propose.
                  
                  Last, we investigated the use of different stochastic and
                  fuzzy models to perform automatic alert correlation, which is
                  as post processing step to intrusion detection. We proposed a
                  fuzzy model that formally defines the errors that inevitably
                  occur if time-based alert aggregation (i.e., two alerts are
                  considered correlated if they are close in time) is used.
                  This model allow to account for measurements errors and avoid
                  false correlations due to delays, for instance, or incorrect
                  parameter settings. In addition, we defined a model to
                  describe the alert generation as a stochastic process and
                  experimented with non-parametric statistical tests to define
                  robust, zero-configuration correlation systems.
                  
                  The aforementioned tools have been tested over different
                  datasets---that are thoroughly documented in this
                  document---and lead to interesting results.},
  Institution   = {Politecnico di Milano},
  File          = {files/papers/dissertations/maggi_phdthesis_2010.pdf}
}

@InProceedings{   criscione_masibty_2009,
  ShortTitle    = {Masibty},
  Author        = {Criscione, Claudio and Maggi, Federico and Salvaneschi,
                  Guido and Zanero, Stefano},
  Title         = {Integrated Detection of Attacks Against Browsers, Web
                  Applications and Databases},
  Publisher     = {IEEE Computer Society},
  BookTitle     = {Proceedings of the European Conference on Network Defense
                  (EC2ND)},
  Abstract      = {Anomaly-based techniques were exploited successfully to
                  implement protection mechanisms for various systems.
                  Recently, these approaches have been ported to the web domain
                  under the name of ``web application anomaly detectors'' (or
                  firewalls) with promising results. In particular, those
                  capable of automatically building specifications, or models,
                  of the protected application by observing its traffic (e.g.,
                  network packets, system calls, or HTTP requests and
                  responses) are particularly interesting, since they can be
                  deployed with little effort. Typically, the detection
                  accuracy of these systems is significantly influenced by the
                  model building phase (often called training), which clearly
                  depends upon the quality of the observed traffic, which
                  should resemble the normal activity of the protected
                  application and must be also free from attacks. Otherwise,
                  detection may result in significant amounts of false
                  positives (i.e., benign events flagged as anomalous) and
                  negatives (i.e., undetected threats). In this work we
                  describe Masibty, a web application anomaly detector that
                  have some interesting properties. First, it requires the
                  training data not to be attack-free. Secondly, not only it
                  protects the monitored application, it also detects and
                  blocks malicious client-side threats before they are sent to
                  the browser. Third, Masibty intercepts the queries before
                  they are sent to the database, correlates them with the
                  corresponding HTTP requests and blocks those deemed
                  anomalous. Both the accuracy and the performance have been
                  evaluated on real-world web applications with interesting
                  results. The system is almost not influenced by the presence
                  of attacks in the training data and shows only a negligible
                  amount of false positives, although this is paid in terms of
                  a slight performance overhead.},
  DOI           = {10.1109/EC2ND.2009.13},
  ISBN          = {978-0-7695-3983-6},
  Date          = {2009-11-09},
  File          = {files/papers/conference-papers/criscione_masibty_2009.pdf}
}

@Article{         maggi_fuzzyalertaggregation_article_2009,
  ShortTitle    = {FuzzyAlertAggregation},
  Author        = {Maggi, Federico and Matteucci, Matteo and Zanero, Stefano},
  Title         = {Reducing false positives in anomaly detectors through fuzzy
                  alert aggregation},
  JournalTitle  = {Information Fusion},
  Volume        = {10},
  Number        = {4},
  Pages         = {300--311},
  Abstract      = {In this paper we focus on the aggregation of IDS alerts, an
                  important component of the alert fusion process. We exploit
                  fuzzy measures and fuzzy sets to design simple and robust
                  alert aggregation algorithms. Exploiting fuzzy sets, we are
                  able to robustly state whether or not two alerts are ``close
                  in time'', dealing with noisy and delayed detections. A
                  performance metric for the evaluation of fusion systems is
                  also proposed. Finally, we evaluate the fusion method with
                  alert streams from anomaly-based IDS.},
  DOI           = {10.1016/j.inffus.2009.01.004},
  ISSN          = {1566-2535},
  Date          = {2009-10-01},
  File          = {files/papers/journal-papers/maggi_fuzzyalertaggregation_article_2009.pdf}
}

@InProceedings{   maggi_conceptdrift_2009,
  ShortTitle    = {ConceptDrift},
  Author        = {Maggi, Federico and Robertson, William and Kruegel,
                  Christopher and Vigna, Giovanni},
  Title         = {Protecting a Moving Target: Addressing Web Application
                  Concept Drift},
  BookTitle     = {Proceedings of the International Symposium on Recent
                  Advances in Intrusion Detection (RAID)},
  Abstract      = {Because of the ad hoc nature of web applications, intrusion
                  detection systems that leverage machine learning techniques
                  are particularly well-suited for protecting websites. The
                  reason is that these systems are able to characterize the
                  applications' normal behavior in an automated fashion.
                  However, anomaly-based detectors for web applications suffer
                  from false positives that are generated whenever the
                  applications being protected change. These false positives
                  need to be analyzed by the security officer who then has to
                  interact with the web application developers to confirm that
                  the reported alerts were indeed erroneous detections. In this
                  paper, we propose a novel technique for the automatic
                  detection of changes in web applications, which allows for
                  the selective retraining of the affected anomaly detection
                  models. We demonstrate that, by correctly identifying
                  legitimate changes in web applications, we can reduce false
                  positives and allow for the automated retraining of the
                  anomaly models. We have evaluated our approach by analyzing a
                  number of real-world applications. Our analysis shows that
                  web applications indeed change substantially over time, and
                  that our technique is able to effectively detect changes and
                  automatically adapt the anomaly detection models to the new
                  structure of the changed web applications.},
  DOI           = {10.1007/978-3-642-04342-0_2},
  Date          = {2009-09-23},
  File          = {files/papers/conference-papers/maggi_conceptdrift_2009.pdf}
}

@InProceedings{   frossi_hybridsyscalls_2009,
  ShortTitle    = {HybridSyscalls},
  Author        = {Frossi, Alessandro and Maggi, Federico and Rizzo, Gian Luigi
                  and Zanero, Stefano},
  Title         = {Selecting and Improving System Call Models for Anomaly
                  Detection},
  BookTitle     = {Proceedings of the International Conference on Detection of
                  Intrusions and Malware, and Vulnerability Assessment
                  (DIMVA)},
  Abstract      = {We propose a syscall-based anomaly detection system that
                  incorporates both deterministic and stochastic models. We
                  analyze in detail two alternative approaches for anomaly
                  detection over system call sequences and arguments, and
                  propose a number of modifications that significantly improve
                  their performance. We begin by comparing them and analyzing
                  their respective performance in terms of detection accuracy.
                  Then, we outline their major shortcomings, and propose
                  various changes in the models that can address them: we show
                  how targeted modifications of their anomaly models, as
                  opposed to the redesign of the global system, can noticeably
                  improve the overall detection accuracy. Finally, the impact
                  of these modifications are discussed by comparing the
                  performance of the two original implementations with two
                  modified versions complemented with our models.},
  DOI           = {10.1007/978-3-642-02918-9_13},
  Date          = {2009-07-09},
  File          = {files/papers/conference-papers/frossi_hybridsyscalls_2009.pdf}
}

@Article{         maggi_syscallseq_article_2008,
  ShortTitle    = {SyscallSeq},
  Author        = {Maggi, Federico and Matteucci, Matteo and Zanero, Stefano},
  Title         = {Detecting Intrusions through System Call Sequence and
                  Argument Analysis},
  JournalTitle  = {IEEE Transactions on Dependable and Secure Computing
                  (TODS)},
  Volume        = {7},
  Number        = {4},
  Pages         = {381--395},
  Abstract      = {We describe an unsupervised host-based intrusion detection
                  system based on system calls arguments and sequences. We
                  define a set of anomaly detection models for the individual
                  parameters of the call. We then describe a clustering process
                  which helps to better fit models to system call arguments,
                  and creates inter-relations among different arguments of a
                  system call. Finally, we add a behavioral Markov model in
                  order to capture time correlations and abnormal behaviors.
                  The whole system needs no prior knowledge input; it has a
                  good signal to noise ratio, and it is also able to correctly
                  contextualize alarms, giving the user more information to
                  understand whether a true or false positive happened, and to
                  detect variations over the entire execution flow, as opposed
                  to punctual variations over individual instances.},
  DOI           = {10.1109/TDSC.2008.69},
  ISSN          = {1545-5971},
  Date          = {2008-11-17},
  File          = {files/papers/journal-papers/maggi_syscallseq_article_2008.pdf}
}

@TechReport{      maggi_traces_tr_2008,
  ShortTitle    = {Traces},
  Author        = {Maggi, Federico},
  Title         = {Specification and Evaluation of an Efficient Recognizer for
                  Rational Trace Languages},
  Institution   = {Politecnico di Milano},
  Number        = {2008-23},
  Abstract      = {An improved, one-pass version of a two-pass, Earley-like
                  recognition algorithm is here proposed to solve the
                  Membership Problem for rational trace languages in polynomial
                  time. The algorithm is first described through the formal
                  specification of what we called a Non Deterministic Buffer
                  Machine (NDBM); secondly, the recognition is detailed through
                  a deterministic algorithm along with some running examples.
                  In addition, we describe our prototype implementation of the
                  algorithm used to empirically evaluate the performances and
                  the characteristics of the proposed solution. To this end, we
                  designed pseudo-random testing data generators that are here
                  described as well.},
  Date          = {2008-06-01},
  File          = {files/papers/reports/maggi_traces_tr_2008.pdf}
}

@Article{         maggi_antiforensics_article_2008,
  ShortTitle    = {AntiForensics},
  Author        = {Maggi, Federico and Zanero, Stefano and Iozzo, Vincenzo},
  Title         = {Seeing the invisible: forensic uses of anomaly detection and
                  machine learning},
  JournalTitle  = {Operating Systems Review of the ACM Special Interest Group
                  on Operating Systems (SIGOPS)},
  Volume        = {42},
  Number        = {3},
  Pages         = {51--58},
  Abstract      = {Anti-forensics is the practice of circumventing classical
                  forensics analysis procedures making them either unreliable
                  or impossible. In this paper we propose the use of machine
                  learning algorithms and anomaly detection to cope with a wide
                  class of definitive anti-forensics techniques. We test the
                  proposed system on a dataset we created through the
                  implementation of an innovative technique of anti-forensics,
                  and we show that our approach yields promising results in
                  terms of detection.},
  DOI           = {10.1145/1368506.1368514},
  ISSN          = {0163-5980},
  Date          = {2008-04-01},
  File          = {files/papers/journal-papers/maggi_antiforensics_article_2008.pdf}
}

@TechReport{      maggi_recordmatching_tr_2008,
  ShortTitle    = {RecordMatching},
  Author        = {Maggi, Federico},
  Title         = {A Survey of Probabilistic Record Matching Models, Techniques
                  and Tools},
  Institution   = {Politecnico di Milano},
  Number        = {2008-22},
  Abstract      = {Probabilistic record linkage regards the use of stochastic
                  decision models to solve the problem of record linkage (also
                  known as record matching). Data quality has became a key
                  aspect in many institutions and the demand for novel,
                  effective techniques is increasing. Record linkage in general
                  has been studied in the last three decades and a solid
                  probabilistic decision framework has been proposed along with
                  several extensions and specific estimation methods. This
                  paper is a survey work narrowed to the most recent and
                  promising approaches also including a selection of data
                  cleansing tools based on probabilistic decision models.},
  Date          = {2008-04-01},
  File          = {files/papers/reports/maggi_recordmatching_tr_2008.pdf}
}

@InProceedings{   maggi_alertcorrelation_2007,
  ShortTitle    = {AlertCorrelation},
  Author        = {Maggi, Federico and Zanero, Stefano},
  Title         = {On the Use of Different Statistical Tests for Alert
                  Correlation - Short Paper},
  BookTitle     = {Proceedings of the International Symposium on Recent
                  Advances in Intrusion Detection (RAID)},
  Pages         = {167--177},
  Abstract      = {In this paper we analyze the use of different types of
                  statistical tests for the correlation of anomaly detection
                  alerts. We show that the Granger Causality Test, one of the
                  few proposals that can be extended to the anomaly detection
                  domain, strongly depends on good choices of a parameter which
                  proves to be both sensitive and difficult to estimate. We
                  propose a different approach based on a set of simpler
                  statistical tests, and we prove that our criteria work well
                  on a simplified correlation task, without requiring complex
                  configuration parameters.},
  DOI           = {10.1007/978-3-540-74320-0_9},
  Date          = {2007-09-05},
  File          = {files/papers/conference-papers/maggi_alertcorrelation_2007.pdf}
}