- Research Activities
The group's work in security and computer networks started in 1994, with
special interest in public key systems as a basis for applications
in secure wide area network communications. Since then, ten students
have graduated with a thesis in network security, supervised by Prof.
Bergadano. These activities have continued to the present day, with significant
collaboration with the University of Cambridge. This collaboration
has included research on issues such as public key certification,
innovative digital signature mechanisms, and WWW security. From 1994
to 1996, research on secure agent architectures was carried out
in collaboration with Prof. Vita at the University of Messina.
In 1996, activities in computer security were also started,
especially in the areas of password checking, intrusion detection
and Web security. Other undergraduate theses in this area are being
completed, also supervised by Prof. Bergadano. In the wider area of
computer networks, Prof. Sirovich has investigated the ISO/OSI protocols
over the past ten years, with special reference to network management
and directory services.
A list of the activities for year 2004/05 follows:
a) User Identification through Biometric Analysis
We try to ascertain user identity through the way individuals type
on a computer keyboard. Using an original method able to compute the
''distance'' between two typing samples, we were able to reach an
accuracy of less than 4% false alarms and less than 0.01%
unspotted impostors, for typing samples of fixed text about 700
characters long. We are now working on the extension of our application
to completely free text, that is, text chosen and entered by the users
in the course of their normal work. This will allow us to monitor individuals
who have already passed the authentication phase and are using a
computer. Individuals whose typing habits differ from those described
in the profile of the account they are using will in this way be identified
as potential intruders.
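The following Python is an added illustration of the idea above and is not the group's code; the distance it computes (the degree of disorder between the digraph-latency orderings of two samples, normalised to [0, 1]) is one common relative measure for keystroke analysis and is assumed here, not taken from the page. The users "alice" and "bob", their typing rhythms, the text and the 0.4 threshold are all constructed; real deployments would replace `synth_sample` with captured keydown timestamps.

```python
import random

# A typing sample is a list of (key, keydown_time_ms) events in typing order.

def digraph_latencies(events):
    """Mean latency (ms) between the keydowns of each two-key sequence."""
    sums, counts = {}, {}
    for (k1, t1), (k2, t2) in zip(events, events[1:]):
        d = k1 + k2
        sums[d] = sums.get(d, 0.0) + (t2 - t1)
        counts[d] = counts.get(d, 0) + 1
    return {d: sums[d] / counts[d] for d in sums}

def relative_distance(lat_a, lat_b):
    """Degree of disorder between the latency orderings of two samples.

    Only digraphs present in both samples are compared. Each is ranked by
    latency in A and in B; the distance is the sum of rank displacements,
    normalised by its maximum (n^2/2 for even n, (n^2-1)/2 for odd n):
    0 means identical ordering, 1 means reversed. Absolute speed cancels
    out, so a user who types faster today keeps the same ordering.
    """
    shared = sorted(set(lat_a) & set(lat_b))  # sorted: deterministic tie-break
    n = len(shared)
    if n < 2:
        return 1.0  # nothing comparable: treat as maximally distant
    rank_a = {d: i for i, d in enumerate(sorted(shared, key=lat_a.__getitem__))}
    rank_b = {d: i for i, d in enumerate(sorted(shared, key=lat_b.__getitem__))}
    disorder = sum(abs(rank_a[d] - rank_b[d]) for d in shared)
    max_disorder = n * n / 2 if n % 2 == 0 else (n * n - 1) / 2
    return disorder / max_disorder

def profile_distance(sample_lat, profile):
    """Mean distance between a sample and every sample in a user's profile."""
    return sum(relative_distance(sample_lat, p) for p in profile) / len(profile)

def identify(sample_events, profiles):
    """Return (user, distance) for the profile closest to the sample."""
    lat = digraph_latencies(sample_events)
    scores = {u: profile_distance(lat, p) for u, p in profiles.items()}
    best = min(scores, key=scores.get)
    return best, scores[best]

def check_session(sample_events, claimed_user, profiles, threshold=0.4):
    """Post-login monitoring: flag the session as a potential intruder when
    the text typed so far is farther than `threshold` from the profile of
    the account in use. Returns (flagged, distance). Threshold is constructed."""
    d = profile_distance(digraph_latencies(sample_events), profiles[claimed_user])
    return d > threshold, d

# --- Constructed data standing in for real keystroke captures --------------
def make_rhythm(a, b, base=90.0, step=8.0, mod=23):
    """Deterministic per-user rhythm: a base latency for each digraph."""
    return lambda c1, c2: base + step * ((a * ord(c1) + b * ord(c2)) % mod)

def synth_sample(text, rhythm, rng, jitter=10.0):
    """Simulated keydown times: the user's rhythm plus Gaussian jitter."""
    events, t = [], 0.0
    for i, ch in enumerate(text):
        if i:
            t += max(20.0, rhythm(text[i - 1], ch) + rng.gauss(0.0, jitter))
        events.append((ch, t))
    return events

TEXT = ("the quick brown fox jumps over the lazy dog while the five boxing "
        "wizards jump quickly and sphinx of black quartz judge my vow ") * 4
RHYTHMS = {"alice": make_rhythm(8, 1), "bob": make_rhythm(7, 13)}

def build_profiles(seed=1, samples_per_user=3):
    """Enrolment: several samples of the fixed text per user."""
    rng = random.Random(seed)
    return {u: [digraph_latencies(synth_sample(TEXT, r, rng))
                for _ in range(samples_per_user)]
            for u, r in RHYTHMS.items()}

def fresh_sample(user, seed=99):
    """A new constructed typing session from the given user."""
    return synth_sample(TEXT, RHYTHMS[user], random.Random(seed))

if __name__ == "__main__":
    profiles = build_profiles()
    session = fresh_sample("bob")
    print(identify(session, profiles))
    print(check_session(session, "alice", profiles))  # bob inside alice's account
```

Because the measure depends only on the relative ordering of latencies, day-to-day changes in overall typing speed do not move a legitimate user away from their own profile, which is what makes it usable for monitoring free text after authentication.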
b) Lightweight Security for Internet Polls
We have investigated the security of polls in an open Internet scenario,
where (1) clients cannot be customized or initialized in any way,
(2) remote networks have arbitrary architectures, including possible
proxies and NAT, and (3) it is practically impossible to distribute
tokens or passwords. A further requirement is that IP locking cannot
be used, because it prevents a large number of legitimate votes. We have
developed a method that is not based on IP locking and yet is secure
against automated attacks that could massively change the result
of the poll.
c) Web Performance
The World Wide Web is one of the most used interfaces for accessing remote
data and commercial and non-commercial services, and the number of
actors involved in these transactions is growing very quickly. Everyone
using the Web experiences how the connection to a popular web site
may be very slow during rush hours, and it is well known that web users
tend to leave a site if the wait time for a page to be served exceeds
a given value. Therefore, performance and service quality attributes
have gained enormous relevance in service design and deployment. This
has led to the development of Web stressing tools, widely available
on the market. One of the most common criticisms of this approach is
that the synthetic workload produced by web stressing tools is far from
realistic. Moreover, Web sites need to be analysed to discover
commercial rules and user profiles, and models must be extracted from
log files and monitored data. We work on a methodology based on
the integrated use of web mining techniques and standard web monitoring
and assessment tools. This is joint research with CSP S.c.a.r.l.
d) Peer-to-Peer Systems
Micro-payment schemes in peer-to-peer systems can be used to provide fairness in a
profit-sharing environment that protects intellectual property. In this environment,
the owner is credited for each copy of the file she authored, but the distributors
are credited as well, because they shared their own bandwidth, CPU and storage to
disseminate copies. This scheme, named FairPeers, is implemented in a hybrid topology,
in which some central authorities are necessary, with the drawback that when the number
of transactions grows, these entities can become single points of failure.
We also propose a generic model that can be used to analytically evaluate such a market
place and assess its performance in terms of scalability with respect to the total number of
printed coins and the overall number of transactions that can occur in the given peer-to-peer system.
e) Proactive Password Checking
The important problem of user password selection is addressed and a new proactive password
checking technique is presented. In a training phase, a decision tree is generated from
a given dictionary of weak passwords. The decision tree is then used to determine whether
a user password should be accepted. Experimental results show that the method
leads to very high dictionary compression (from 100 to 3 on average) with low error rates
(of the order of 1%). We survey previous approaches to proactive password checking and
provide an in-depth comparison.
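As an added example of the two-phase approach just described (training a decision tree on a dictionary of weak passwords, then consulting the tree instead of the dictionary at password-change time), the Python below is not the group's checker: the feature set, the small constructed dictionary and "acceptable" samples, and the plain ID3-style information-gain split are all assumptions chosen to show the mechanism. The compression the page reports comes from the tree being far smaller than the dictionary it was grown from, which `count_nodes` makes visible.

```python
import math
import string

# Boolean features extracted from a candidate password (constructed set).
FEATURES = {
    "has_upper": lambda p: any(c.isupper() for c in p),
    "has_lower": lambda p: any(c.islower() for c in p),
    "has_digit": lambda p: any(c.isdigit() for c in p),
    "has_symbol": lambda p: any(c in string.punctuation for c in p),
    "len_ge_8": lambda p: len(p) >= 8,
    "len_ge_12": lambda p: len(p) >= 12,
}

def featurize(pw):
    return {name: f(pw) for name, f in FEATURES.items()}

def entropy(labels):
    """Binary entropy of a list of booleans (True = accept)."""
    n = len(labels)
    if n == 0:
        return 0.0
    p = sum(labels) / n
    if p in (0.0, 1.0):
        return 0.0
    return -(p * math.log2(p) + (1 - p) * math.log2(1 - p))

def build_tree(rows, labels, features):
    """ID3-style induction: split on the feature with the largest
    information gain until the leaves are pure or no features remain.
    Leaves are ("leaf", accept); a tie votes reject (conservative)."""
    if all(labels) or not any(labels) or not features:
        return ("leaf", sum(labels) > len(labels) / 2)
    base = entropy(labels)
    best, best_gain = None, -1.0
    for f in features:
        yes = [l for r, l in zip(rows, labels) if r[f]]
        no = [l for r, l in zip(rows, labels) if not r[f]]
        gain = base - (len(yes) * entropy(yes) + len(no) * entropy(no)) / len(labels)
        if gain > best_gain:
            best, best_gain = f, gain
    yes_i = [i for i, r in enumerate(rows) if r[best]]
    no_i = [i for i, r in enumerate(rows) if not r[best]]
    if not yes_i or not no_i:  # feature does not separate anything
        return ("leaf", sum(labels) > len(labels) / 2)
    rest = [f for f in features if f != best]
    return ("node", best,
            build_tree([rows[i] for i in yes_i], [labels[i] for i in yes_i], rest),
            build_tree([rows[i] for i in no_i], [labels[i] for i in no_i], rest))

def classify(tree, feats):
    while tree[0] == "node":
        tree = tree[2] if feats[tree[1]] else tree[3]
    return tree[1]

def count_nodes(tree):
    return 1 if tree[0] == "leaf" else 1 + count_nodes(tree[2]) + count_nodes(tree[3])

# Constructed training data: a toy weak-password dictionary (label False)
# and a few acceptable passwords (label True).
WEAK_DICTIONARY = ["password", "qwerty", "letmein", "123456", "abc123",
                   "password1", "iloveyou", "welcome1", "p@ssw0rd", "trustno1",
                   "1234567890", "qwertyuiop"]
ACCEPTABLE_SAMPLES = ["Tr0ub4dor&3", "7Kz!mQ2p", "Blue#Sky42", "x9@lm7tqrsvw",
                      "Tq7pLm29Xz", "cK4vB8nQ", "N4v$Bell8", "mountain-river-7-lamp"]

def train(weak=WEAK_DICTIONARY, good=ACCEPTABLE_SAMPLES):
    """Training phase: grow the tree from the dictionary plus accepted samples."""
    rows = [featurize(p) for p in weak + good]
    labels = [False] * len(weak) + [True] * len(good)
    return build_tree(rows, labels, list(FEATURES))

TREE = train()

def check_password(pw, tree=TREE):
    """Checking phase: consult the tree only; the dictionary is no longer needed."""
    return classify(tree, featurize(pw))

if __name__ == "__main__":
    print("tree nodes:", count_nodes(TREE), "training examples:",
          len(WEAK_DICTIONARY) + len(ACCEPTABLE_SAMPLES))
    for pw in ["monkey", "dragon123", "Tr0ub4dor&3", "correct-horse-battery-staple"]:
        print(pw, "->", "accept" if check_password(pw) else "reject")
```

With a toy dictionary the tree is tiny and generalises only as far as the chosen features allow; the error rates the page reports are for a full dictionary, where the leaves are no longer perfectly pure and a rejected-good or accepted-weak password becomes a measurable rate rather than an artefact of the sample.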
[1] Bergadano Francesco, Cavagnino Davide, Nesta. Server-based Access Verification. International Workshop on Electronic Government and Commerce: Design, Modeling, Analysis and Security (EGCDMAS 2004), INSTICC Press, ISBN 972-8865-17-1, 2004.
[2] Basso Alessandro, Bergadano Francesco, Coradazzi I, Dal Checco Paolo. Lightweight Security for Internet Polls. International Workshop on Electronic Government and Commerce: Design, Modeling, Analysis and Security (EGCDMAS 2004), INSTICC Press, ISBN 972-8865-17-1, 2004.
[3] Catalano D, Ruffo Giancarlo. A Fair Micro-Payment Scheme for Profit Sharing in a P2P Network. 1st International Workshop on Hot Topics in Peer-to-Peer Systems (HOT-P2P 2004), IEEE Press, ISBN 0-7695-2269-6, 2004.
[4] Politi R, Ruffo Giancarlo, Schifanella Rossano, Sereno Matteo. WALTy: A User Behavior Tailored Tool for Evaluating Web Application Performance. 3rd IEEE International Symposium on Network Computing and Applications (IEEE NCA04), IEEE Press, ISBN 0-7695-2242-4, 2004.
[5] Politi R, Ruffo Giancarlo, Schifanella Rossano, Sereno Matteo. WALTy: A Tool for Evaluating Web Application Performance. 1st International Conference on Quantitative Evaluation of Systems (QEST), IEEE Press, ISBN 0-7695-2185-1, 2004.
[6] Ruffo Giancarlo. Legal File and Profit Sharing in a Peer to Peer Network. Security and Management (SAM'04) Conference, CSREA Press, ISBN 1-932415-37-8, 2004.
[7] Gunetti Daniele, Picardi Claudia. Keystroke Analysis of Free Text. ACM Transactions on Information and System Security (ACM TISSEC), 8(3):312--347. ACM Press, ISSN 1094-9224, 2005.
[8] Gunetti Daniele, Picardi Claudia, Ruffo Giancarlo. Keystroke Analysis of Different Languages: a Case Study. Proc. of the Sixth Symposium on Intelligent Data Analysis (IDA 2005), Lecture Notes in Computer Science (LNCS), vol. 3646, Famili, A.F.; Kok, J.N.; Pena, J.M.; Siebes, A.; Feelders, A. (eds.), pp. 133--144. Springer, ISBN 3-540-28795-7, ISSN 0302-9743, 2005.
[9] Gunetti Daniele, Picardi Claudia, Ruffo Giancarlo. Dealing with Different Languages and Old Profiles in Keystroke Analysis. Proc. of the Ninth Congress of the Italian Association for Artificial, Lecture Notes in Computer Science (LNCS), vol. 3673, S. Bandini (ed.), pp. 347--358. Springer, ISBN 3-540-29041-9, ISSN 0302-9743, 2005.
[10] Bergadano Francesco, Ruffo Giancarlo. EnFilter: a Password Enforcement and Filter. Proc. ICIAP 2005, Special Session in ''Pattern Recognition in Computer Security'', Lecture Notes in Computer Science (LNCS), vol. 3617, Fabio Roli, Sergio Vitulano (eds.), pp. 75--82. Springer, ISBN 3-540-28869-4, ISSN 0302-9743, 2005.
[11] Catalano D, Ruffo Giancarlo, Schifanella Rossano. A P2P Market Place Based on Aggregate Signatures. Parallel and Distributed Processing and Applications - ISPA 2005 Workshops, Lecture Notes in Computer Science (LNCS), vol. 3759, Guihai Chen, Yi Pan, Minyi Guo, Jian Lu (eds.), pp. 54--63. Springer, ISBN 3-540-29770-7, ISSN 0302-9743, 2005.
[12] Bergadano Francesco, Cavagnino Davide. Dealing with Packet Loss in the Interactive Chained Stream Authentication Protocol. Computers & Security, 24(2):139--146. Elsevier, ISSN 0167-4048, 2005.
[13] Ruffo Giancarlo, Schifanella Rossano. Scalability Evaluation of a Peer-to-Peer Market Place Based on Micro-Payments. 2nd International Workshop on Hot Topics in Peer-to-Peer Systems (HOT-P2P 2005), Anglano, Chiola (eds.), pp. 183--190. IEEE Press, ISBN 0-7695-2417-6, 2005.
Schifanella Rossano. Scalability Evaluation of a Peer-to-Peer Market Place based on Micro-Payments. 2nd Inter. Workshop on Hot Topics in Peer-to-Peer Systems (HOT-P2P 2005). In Anglano, Chiola ed(s), pp. 183--190. IEEE Press, ISBN 0-7695-2417-6, 2005. |