PhD Student, University of Salerno

ORCID: 0000-0003-3044-5345
July 1-5, 2024

[C11] Anomaly-based Intrusion Detection System Using ESP32-WROOM-DA

International Conference on Convergent and Smart Systems (ICCSS 2024)

Internet of Things (IoT) devices are increasingly employed in monitoring and controlling both domestic and industrial infrastructures. However, security measures are often neglected due to the computational resource limitations of these devices. Despite numerous research initiatives aimed at developing Intrusion Detection Systems (IDS) for IoT, practical implementation-focused studies remain scarce. The goal of this research is to develop an anomaly-based IDS, or more precisely the detection engine of an IDS, using a supervised approach with three different neural network models: Sequential Neural Network (SNN), Recurrent Neural Network (RNN), and Deep Recurrent Neural Network (DRNN). The objective is to determine whether it is feasible to create a high-performing IDS, characterized by high accuracy, while simultaneously maintaining low resource requirements, a critical aspect when deploying on microcontrollers with limited hardware capabilities. The IDS must be capable of multiclass classification to distinguish between normal packet flows, DoS attacks, and Probe attacks, as well as binary classification. To achieve this, the IDS is first trained and then tested on the NSL-KDD dataset. Feature extraction is conducted using both the Random Forest algorithm and the SHAP algorithm. According to the results presented in the final chapter, the most accurate IDS uses the SNN model trained with features selected by SHAP in binary classification, achieving a precision level of 94.04%. This IDS, when deployed on the ESP32-WROOM-32 microcontroller, reports a minimum inference time of 0.226 ms, an average time of 3.198 ms, and a maximum time of 10.478 ms, requiring just over 8 KB of SRAM for installation.

May 22-25, 2024

[C10] Decentralized Identity Management and Privacy-Enhanced Federated Learning for Automotive Systems: A Novel Framework

2024 IEEE 27th International Symposium on Real-Time Distributed Computing (ISORC)

Federated Learning (FL) has revolutionized collaborative machine learning by decentralizing data processing, enhancing the efficiency of traditional Machine Learning (ML) approaches, and mitigating the privacy concerns associated with data exchange. Despite these advantages, security challenges persist, particularly in securely transmitting model updates within vehicular networks and authenticating the nodes participating in the protocol. This paper presents an innovative framework that addresses authentication and mobility challenges in automotive systems through the integration of Decentralized Identity Management (IdM) and FL. Highlighting the need for robust authentication in automotive systems, the research concurrently explores avenues to optimize FL performance within this specific context. Through the incorporation of a decentralized authentication mechanism and the establishment of synchronization means, our proposed framework ensures security and synchronization in the transmission of model weights. This comprehensive solution paves the way for notable advancements in collaborative ML in highly dense and distributed contexts, such as vehicular networks.

April 9, 2024

[C9] Improve Wallet Interoperability and Federation in Blockchain-Based User-Centric Authentication for Healthcare

2nd International Workshop on Trends in Digital Identity (TDI 2024)

The continuous enhancement and extensive digitalization of medical services have raised various challenges regarding security and privacy. Among these, authentication is one of the most critical, considering identity spoofing and weak passwords. Recently, novel authentication methods such as user-centric authentication have tried to solve the problem by moving identity data and the related claim verification away from a centralized identity manager. When bringing this paradigm into the medical domain, it must be taken into account that not all users are equal: certain classes are characterized by precise privileges with respect to authentication, such as doctors, who must be prioritized over patients. Moreover, it is unfeasible to impose a single technology and infrastructure within an ecosystem characterized by current medical applications; therefore, multiple different solutions need to coexist. In this paper, we discuss a novel framework able to cope with the interoperability, backup and restore of Blockchain-based Self-Sovereign Identity (SSI) wallets. We particularly evaluated the system in a medical context by outlining the different roles of holders with related wallet typologies. Our approach demonstrates its feasibility through the use of a shared registry and smart contract that can smoothly work with two kinds of wallet implementation in a federation of issuers and verifiers.

April 8-12, 2024

[C8] VulnHunt-GPT: a Smart Contract vulnerabilities detector based on OpenAI ChatGPT

The 39th ACM/SIGAPP Symposium on Applied Computing (SAC 2024)

Smart contracts are self-executing programs that run on a blockchain. Because they are immutable once deployed on the blockchain, it is crucial to ensure their correctness. For this reason, various approaches for static analysis of smart contracts have been proposed, but they may be either imprecise or difficult to train. In this paper, we propose a novel approach for detecting smart contract vulnerabilities using OpenAI's Generative Pre-trained Transformer 3 (GPT-3) language model. Our approach, called VulnHunt-GPT, uses GPT-3 to examine Ethereum smart contracts in order to identify the most popular vulnerabilities according to OWASP. We train VulnHunt-GPT on a dataset of smart contract functions and vulnerabilities to improve its accuracy. Our experiments show that VulnHunt-GPT outperforms almost all the existing state-of-the-art approaches in detecting a variety of vulnerabilities, including reentrancy attacks, integer overflow, and uninitialized storage. In addition, we conduct a case study to demonstrate the effectiveness of VulnHunt-GPT in detecting real-world smart contract vulnerabilities. We show that VulnHunt-GPT can identify previously unknown vulnerabilities in popular smart contracts, highlighting its potential for improving smart contract security. Our approach provides a promising direction for using natural language processing techniques to improve smart contract security and reduce the risk of smart contract exploits.

April 8-12, 2024

[C7] Ethereum Attestation Service as a solution for the revocation of hardware-based password-less mechanisms

The 39th ACM/SIGAPP Symposium on Applied Computing (SAC 2024)

Hardware-based solutions are becoming increasingly popular as a result of the growing need for practical and safe authentication methods. However, one of the key challenges in these systems is the lack of a robust mechanism to revoke compromised credentials effectively. The Ethereum Attestation Service (EAS), which uses the blockchain-based Ethereum platform to create a decentralized, tamper-resistant infrastructure for credential attestation and revocation, is presented in this article as a novel solution to this critical issue. By combining the transparency and immutability of blockchain technology with smart contracts and cryptographic techniques, the EAS enables secure and auditable management of certificates. The conducted study investigates the limitations of existing revocation methods for password-less mechanisms and proposes the EAS as a viable alternative. In the design phase, the paper demonstrates the system's efficiency in handling attestation requests, verifying attestations, and securely managing revocations. EAS excels in providing reliable revocation, thereby reducing the risks associated with compromised hardware-based password-less systems. Moreover, this research explores the benefits of EAS-based revocation within the IoT context, where Physically Unclonable Functions (PUFs) face challenges similar to those of HSMs. Experimental results, obtained in a testnet environment, reveal reduced authentication times, making this solution suitable for real-time scenarios as well.

March 20-22, 2024

[C6] Enhancing Security in User-Centered Authentication using KERI

The 32nd Euromicro International Conference on Parallel, Distributed, and Network-Based Processing (PDP 2024)

In the context of the widespread adoption of user-centric authentication methods, safeguarding the confidentiality of private keys during the exchange of credentials has become a critical concern. Key Event Receipt Infrastructure (KERI), distinguished by its distinctive design focusing on key events and receipts, aligns seamlessly with the ethos of user-centric authentication, eschewing the necessity for blockchain integration. This research leverages the architectural model of KERI to discern potential implications within the contemporary landscape of Self-Sovereign Identity (SSI) ecosystems, thereby contributing to the evolution of identity management practices. The need for this research arises from the recognition that while SSI obviates the need for central authorities, thereby augmenting privacy and security, the imperative to preserve and securely store private keys persists. Our primary findings confirm that the integration of KERI within the SSI ecosystem provides a more resilient protocol for authentication by preventing the exchange of any kind of key used for the generation of the proof. This approach aims to prevent attacks in line with the principles of decentralization and trustlessness inherent in blockchain technologies. This research contributes to the expanding body of literature devoted to security and access management within the dynamic realm of user-centric applications and authentication.

March 8, 2024

[J2] Securing the Internet of Medical Things with ECG-based PUF encryption

IET Cyber-Physical Systems: Theory & Applications

The Internet of Things (IoT) is revolutionizing the healthcare industry by enhancing personalized patient care. However, the transmission of sensitive health data in IoT systems presents significant security and privacy challenges, further exacerbated by the difficulty of exploiting traditional protection means due to the poor battery equipment and limited storage and computational capabilities of IoT devices. The authors analyze techniques applied in the medical context to encrypt sensitive data and deal with the unique challenges of resource-constrained devices. A technique that is facing increasing interest is the Physical Unclonable Function (PUF), where biometrics are implemented on integrated circuits' electric features. PUFs, however, demand special hardware, so in this work, instead of considering the physical device as a source of randomness, an ElectroCardioGram (ECG) is taken into consideration to build a ‘virtual’ PUF. Such a mechanism leverages individual ECG signals to generate a cryptographic key for encrypting and decrypting data. Due to the poor stability of the ECG signal and the typical noise present in the measurement process for such a signal, filtering and feature extraction techniques must be adopted. The proposed model considers the adoption of pre-processing techniques in conjunction with a fuzzy extractor to add stability to the signal. Experiments were performed on a dataset containing ECG records gathered over 6 months, yielding good results in the short term and valuable outcomes in the long term, paving the way for adaptive PUF techniques in this context.

February 19-22, 2024

[C5] Decentralized Authentication for Web of Things: a Self-Sovereign Identity (SSI)-based solution

2024 International Conference on Computing, Networking and Communications (ICNC): Edge Computing, Cloud Computing and Big Data

As the Internet of Things (IoT) continues to expand its reach, encompassing a vast array of devices and applications, including mission-critical ones, the need for secure and privacy-aware solutions increases. Traditional centralized authentication mechanisms may not be suitable for the highly distributed and heterogeneous nature of IoT environments, and they also have a very high demand in terms of energy and memory, which does not match the availability of resource-constrained devices. In this study, we propose a novel solution to these difficulties based on Self-Sovereign Identity (SSI) principles, while taking into account the innovative Web of Things (WoT) architecture. The paper discusses how these elements of SSI can be applied in a WoT environment to establish trust between devices, users, and applications. Additionally, it explores the potential challenges and opportunities of integrating SSI into the WoT ecosystem, such as scalability, interoperability, and authentication. Through a comprehensive analysis of the SSI paradigm and its applicability in the WoT context, this paper sheds light on the transformative potential of device-centric identity management. It underscores the importance of privacy, security, and individual control in an increasingly interconnected world, advocating for SSI as a solution that aligns with the values of the digital age. By embracing SSI, stakeholders in the WoT ecosystem can ensure a more secure and trustworthy environment for all parties.

December 7, 2023

[U1] Green Operations of SWIPT Networks: The Role of End-User Devices

Submitted to IEEE Transactions on Green Communications and Networking

Internet of Things (IoT) devices often come with batteries of limited capacity that are not easily replaceable or rechargeable, and that significantly constrain the sensing, computing, and communication tasks they can perform. The Simultaneous Wireless Information and Power Transfer (SWIPT) paradigm addresses this issue by delivering power wirelessly to energy-harvesting IoT devices with the same signal used for information transfer. Owing to their peculiarities, these networks require specific energy-efficient planning and management approaches. However, to date, it is not clear what the most effective strategies for managing a SWIPT network for energy efficiency are. In this paper, we address this issue by developing an analytical model based on stochastic geometry, accounting for the statistics of user-perceived performance and base station scheduling. We formulate an optimization problem for deriving the energy-optimal configuration as a function of the main system parameters, and we propose a genetic algorithm approach to solve it. Our results enable a first-order evaluation of the most effective strategies for energy-efficient provisioning of power and communications in a SWIPT network. We show that the service capacity brought about by users leads to energy-efficient dynamic network provisioning strategies that radically differ from those of networks with no wireless power transfer.

December 4, 2023

[J1] Strengthening Automotive Cybersecurity: A Comparative Analysis of ISO/SAE 21434-Compliant Automatic Collision Notification (ACN) Systems

Vehicles 2023

The increasing usage of autonomous and automatic systems within the automotive industry is steering us towards a more interconnected world. This enhanced interconnectivity fosters a more streamlined driving experience, reduces costs, and provides timely driver assistance. The electric/electronic (EE) architectures of modern vehicles are inherently complex due to the multitude of components they encompass. Contemporary architectures reveal that these components converge at an electronic control unit (ECU) called the central gateway, which could potentially represent a single point of failure. While this central unit is typically adequately safeguarded, the same cannot be said for the connected components, which often remain vulnerable to cyber threats. The ISO/SAE 21434 standard paved the way for automotive cybersecurity and could be used in parallel with other standards such as ISO 26262 and ISO PAS 21488. Automatic collision notification (ACN) is one of the most typical systems in a vehicle, and limited effort has been dedicated to identifying the most suitable architecture for this feature. This paper addresses the existing security and privacy gap of this feature by conducting a comparative analysis of security threats in two distinct ACN architectures. Notably, despite ACN architectures exhibiting inherent similarities, the primary distinction between the two architectures lies in their strategies for crash estimation and detection, followed by subsequent communication with emergency response teams. A rigorous security assessment was conducted using the ISO/SAE 21434 standard, employing the TARA and STRIDE methodologies through the Ansys medini analyze software. This analysis identified an average of 310 threats per architecture, including a significant number of high-level threats (11.8% and 15%, respectively), highlighting the importance of a comprehensive evaluation.

December 4-6, 2023

[C4] Decentralized Authentication in Microservice Architectures with SSI and DID in Blockchain

The 14th IEEE International Conference on Cloud Computing Technology and Science - CloudCom 2023

Microservice architectures aim at high modularity, reuse, and efficiency of code by structuring applications as a collection of services that are independently deployable, loosely coupled, and organized around business capabilities. As they are starting to be used in sensitive applications, security has started to be a priority, where authentication is one of the first protection means to be offered to developers by those products supporting microservice development. However, the available authentication solutions in these products are highly centralized, leveraging JSON Web Token (JWT) or related standards. This poses a serious issue in meeting the recent privacy legal obligations. In this paper, we propose a solution for integrating a decentralized blockchain-based authentication solution within the context of Istio, which is a service mesh supporting microservice developments. The usage of a Smart Contract, in combination with Decentralized Identifiers (DIDs) and JWT, paves the way for a concrete and fully decentralized revocation system without adding overhead or modification to existing microservices.

August 7, 2023

[C3] Using Knowledge Graphs to ensure Privacy Policies in decentralized data collection systems

2023 International Conference on Research in Adaptive and Convergent Systems - RACS 2023

As data collection systems become more complex and pervasive, ensuring transparency and accountability in the acquisition and use of personal data becomes increasingly critical. This work investigates the use of knowledge graphs as a solution to this problem, emphasizing their capacity to represent and enforce privacy laws in a decentralized setting. Knowledge graphs provide full privacy management and can also be applied to decentralized systems by providing a consistent representation of data and privacy policies. We specifically discuss how knowledge graphs can be used to track consent management and data retention policies; we also present a case study of our framework in action, demonstrating how it can be used to ensure transparency in an increasingly popular decentralized data collection system. The implementation of such a framework in a decentralized context shows that the use of knowledge graphs can provide a transparent and accountable view of the data collection process, improving trust and confidence in the system among both data subjects and regulators.

July 10, 2023

[C2] Self-Sovereign Identity (SSI) Attribute-Based Web Authentication

20th International Conference on Security and Cryptography - SECRYPT 2023

Web authentication is primarily based on password usage, which represents the weakest link in the entire security chain. The number of services offered over the web is continuously increasing, and with them the number of passwords that users need to create and securely store. Despite various standards for password-less or multi-factor authentication, another issue is that most web authentication means rely on an identity provider (or a federation of providers) responsible for creating, managing and checking digital identity claims, which is able to profile user habits related to web navigation and violate privacy rights. Recently, we are witnessing a radical change of perspective, where identity checks and enforcement are moved away from the providers and focused more on users. Within such user-centric approaches, Self-Sovereign Identity (SSI) has gained progressive popularity, and some authentication mechanisms based on SSI have been proposed. This paper describes a solution based on Hyperledger Aries that uses zero-knowledge proofs to achieve attribute-based authentication and authorization for the web, able to cope with the recent legal obligations in terms of privacy.

July 3, 2023

[C1] A Decentralized Smart City Using Solid and Self-Sovereign Identity

Computational Science and Its Applications – ICCSA 2023 Workshops

In the Internet of Things (IoT) context, a considerable quantity of data flows from sensors to centralized servers, holding sensitive information related to users. Unfortunately, how servers store these data instances is usually poorly documented and does not offer any transparency to the users, which may pave the way to possible privacy violations. Web decentralization is a prominent solution to cope with these issues and with legal obligations regarding data protection, and multiple domains are progressively adopting it as the principal technological enabler. The IoT is not among them yet, as a centralized approach is still the most common one; however, moving data away from servers to gateways or directly to devices closer to users and under their direct control can realize a more decentralized approach and alleviate the issues related to performance, throughput and data protection. This paper aims to exploit existing data decentralization solutions, like Social Linked Data (Solid), to define a more distributed data management for IoT and propose a proof-of-concept implementation of a Smart City platform where users can store and directly manage data produced by public or private IoT devices. Despite providing decentralized data handling, Solid is still affected by a centralized identity management and authentication implementation represented by OpenID Connect. Therefore, to fulfill our vision of a decentralized IoT, we also investigate how decentralizing authentication within Solid through a new user-centric approach based on Self-Sovereign Identity (SSI) represents a promising solution.