
    B-CoC: A Blockchain-Based Chain of Custody for Evidences Management in Digital Forensics

    One of the main issues in digital forensics is the management of evidence. From the time evidence is collected until the time it is used in a legal court, it may be accessed by multiple parties involved in the investigation, each taking temporary ownership of it. This process, called Chain of Custody (CoC), must ensure that evidence is not altered during the investigation, despite being owned by multiple entities, in order to be admissible in a legal court. Currently, the CoC for digital evidence is managed entirely manually, with the entities involved in the chain required to fill in documents accompanying the evidence. In this paper, we propose a Blockchain-based Chain of Custody (B-CoC) to dematerialize the CoC process, guaranteeing auditable integrity of the collected evidence and traceability of its owners. We developed a prototype of B-CoC based on Ethereum and evaluated its performance.

    Android Malware Family Classification Based on Resource Consumption over Time

    The vast majority of today's mobile malware targets Android devices. This has pushed the research effort in Android malware analysis in recent years. An important task of malware analysis is the classification of malware samples into known families. Static malware analysis is known to fall short against techniques that change the static characteristics of the malware (e.g. code obfuscation), while dynamic analysis has proven effective against such techniques. To the best of our knowledge, the most notable work on Android malware family classification based purely on dynamic analysis is DroidScribe. With respect to DroidScribe, our approach is easier to reproduce: our methodology only employs publicly available tools, does not require any modification to the emulated environment or Android OS, and can collect data from physical devices. The latter is a key factor, since modern mobile malware can detect the emulated environment and hide its malicious behavior. Our approach relies on resource consumption metrics available from the proc file system. Features are extracted through detrended fluctuation analysis and correlation. Finally, an SVM is employed to classify malware into families. We provide an experimental evaluation on malware samples from the Drebin dataset, where we obtain a classification accuracy of 82%, showing that our methodology achieves an accuracy comparable to that of DroidScribe. Furthermore, we make the software we developed publicly available, to ease the reproducibility of our results.

    Italian National Framework for Cybersecurity and Data Protection

    Data breaches have been one of the most common sources of concern related to cybersecurity in the last few years for many organizations. The General Data Protection Regulation (GDPR) in Europe has strongly impacted this scenario, as organizations operating with EU citizens now have to comply with strict data protection rules. In this paper we present the Italian National Framework for Cybersecurity and Data Protection, a framework derived from the NIST Cybersecurity Framework that includes elements and tools to appropriately take data protection aspects into account in a way that is coherent and integrated with cybersecurity aspects. The goal of the proposed Framework is to provide organizations of different sizes and natures with a flexible and unified tool for the implementation of comprehensive cybersecurity and data protection programs.

    Emerging and Established Trends to Support Secure Health Information Exchange

    This work aims to provide information, guidelines, established practices and standards, and an extensive evaluation of new and promising technologies for the implementation of a secure information sharing platform for health-related data. We focus strictly on the technical aspects, and specifically on the sharing of health information, studying innovative techniques for secure information sharing within the health-care domain; we describe our solution and methodically evaluate the use of blockchain for integration within our implementation. To do so, we analyze health information sharing within the context of the PANACEA project, which facilitates the design, implementation, and deployment of a relevant platform. The research presented in this paper provides evidence and argumentation toward advanced and novel implementation strategies for a state-of-the-art information sharing environment; a description of high-level requirements for the transfer of data between different health-care organizations or across borders; technologies to support secure interconnectivity and trust between information technology (IT) systems participating in a data-sharing “community”; standards, guidelines, and interoperability specifications for implementing a common understanding and integration in the sharing of clinical information; and the use of cloud computing and, prospectively, more advanced technologies such as blockchain. The technologies described and the possible implementation approaches are presented in the design of an innovative secure information sharing platform in the health-care domain.

    Automatic invariant selection for online anomaly detection

    Invariants are stable relationships among system metrics that are expected to hold during normal operating conditions. The violation of such relationships can be used to detect anomalies at runtime. However, this approach does not scale to large systems, as the number of invariants quickly grows with the number of considered metrics. The resulting “background noise” for the invariant-based detection system hinders its effectiveness. In this paper we propose a general and automatic approach for identifying a subset of mined invariants that properly model system runtime behavior with a reduced amount of background noise. This translates into better overall performance (i.e., fewer false positives).

    AndroDFA: android malware classification based on resource consumption

    The vast majority of today's mobile malware targets Android devices. An important task of malware analysis is the classification of malicious samples into known families. In this paper, we propose AndroDFA (DFA: detrended fluctuation analysis), an approach to Android malware family classification based on dynamic analysis of resource consumption metrics available from the proc file system. These metrics can be easily measured during sample execution. From each malware sample, we extract features through detrended fluctuation analysis (DFA) and Pearson's correlation; then a support vector machine is employed to classify malware into families. We provide an experimental evaluation based on malware samples from two datasets, namely Drebin and AMD. With the Drebin dataset, we obtained a classification accuracy of 82%, comparable with state-of-the-art works such as DroidScribe. However, compared to DroidScribe, our approach is easier to reproduce because it is based on publicly available tools only, does not require any modification to the emulated environment or Android OS, and, by design, can also be used on physical devices rather than exclusively on emulators. The latter is a key factor because modern mobile malware can detect the emulated environment and hide its malicious behavior. The experiments on the AMD dataset gave similar results, with an overall mean accuracy of 78%. Furthermore, we made the software we developed publicly available, to ease the reproducibility of our results.

    Nirvana: A non-intrusive black-box monitoring framework for rack-level fault detection

    Many organizations today still manage mid-sized or large in-house data centers that require very expensive maintenance efforts, including fault detection. Common monitoring frameworks used to quickly detect faults are complex to deploy and maintain, expensive, and intrusive, as they require the installation of probes on the monitored hardware and software to collect raw data. Such intrusiveness can be problematic, as it imposes installation and management overhead and may interfere with security and privacy policies. In this paper we introduce NIRVANA, a novel monitoring system for fault detection that works at rack level and is (i) non-intrusive, i.e., it does not require the installation of software probes on the hosts to be monitored, and (ii) black-box, i.e., agnostic with respect to the monitored applications. At the core of our solution lies the observation that aggregated features that can be monitored at rack level in a non-intrusive and black-box way show predictable behaviors while the system operates in both fault-free and faulty states. It is therefore possible to detect and identify faults by monitoring and analyzing any perturbations to these behaviors. An extensive experimental evaluation shows that non-intrusiveness does not significantly hamper the fault detection capabilities of the monitoring system, thus validating our approach.

    2013 Italian Cyber Security Report. Critical Infrastructure and Other Sensitive Sectors Readiness.

    This work gives a breakdown of the Italian standpoint in the context of the protection of national critical infrastructure and other sensitive sectors from cyber attacks, from both the legal and the technological viewpoints. In particular, Chapter 1 discusses the notion of critical infrastructures and cyber security in the US and the EU. It goes on to discuss the evolution and the number of cyber attacks reported sector by sector in the world and in Italy, and to provide some figures related to the cost of cyber crime in Italy. In Chapter 2 the Italian scenario is introduced in terms of the legislative landscape and of the regulatory changes of the last decade. The chapter then analyzes the current situation of the Computer Emergency Response Teams (CERTs) present in Italy. Chapter 3 gives an overview, from both a legislative and an operational perspective, of the level of maturity of some developed countries (namely France, the UK, Germany and the USA) in protecting their critical infrastructure and other sensitive economic sectors. From this comparison, it seems Italy lags behind other developed countries in terms of implementation of a cyber security strategy. Italy still lacks a clear operational directive for the creation of a national CERT, which makes it difficult, on the one hand, to assess the exposure of Italy to cyber attacks and, on the other hand, to quickly and coordinately deploy countermeasures, in particular when advanced persistent threats are discovered. In order to conduct a deep analysis of the Italian cyber security situation, we sent an anonymous questionnaire to the four main sectors of the Italian economy, i.e. public administration, utilities, large industries (sensitive to intellectual property theft) and the financial sector. Chapter 4 discusses the results of this exercise.
    Among other observations, the study points out that some sectors are not fully aware that they are sensitive sectors for cyber attack and that a breach in their information systems could cause an economic or technical problem at national or EU level; that the defense measures already employed neglect advanced persistent threats; but that organizations have, on average, good recovery capability. Finally, Chapter 5 presents a set of recommendations for a national cyber security strategy. These recommendations span all the phases of the risk management process. In this preface it is worthwhile highlighting that the following are considered priorities: the realization of a national CERT (with a clear role and mission), cooperation among operators in the same sector and with the best sectors of academia, the possibility of a national cyber security agency, and a nationwide methodology for classifying threats. The interested reader can go through the complete list for details.