Center for Cybersecurity

Internships

Archive Year 2023

Call September 2023

Start of Applications: Thursday 14 September 2023 at 00:00

Deadline for Applications: Wednesday 27 September 2023 at 23:59

Application Form: https://forms.gle/s7DbDUCGAMtDCQ3y5

Access Control for BPMN — Implementation, Constraints, and Resilience ALEPH ST

ID: p-2023-09-aleph-5

Description:

Workflows represent a series of activities that need to be executed in a specific order to achieve a certain goal. Business Process Model and Notation (BPMN) is the standard most widely adopted by organizations to model business processes as workflows. Within this context, the FBK's Center for Cybersecurity developed a methodology for deriving role-based access control policies from BPMN workflows automatically based on their syntax and that of BPMN symbols [1, 2]. The main goal of this project revolves around the implementation of the aforementioned methodology in a programming language of choice (e.g., Python, Kotlin, Rust). The project then seeks to enhance the capabilities of the aforementioned methodology to include the specification of constraints such as (dynamic and static) separation of duty. Finally — according to the time available — the project aims to investigate the relationship between the access control policies derived from BPMN workflows and the concepts of policy resiliency, workflow satisfiability, and policy change impact analysis.

Levels: BSc, MSc

Supervisors: Stefano Berlato (sberlato@fbk.eu), Roberto Carbone (carbone@fbk.eu), Alessandro Tomasi (altomasi@fbk.eu)

Prerequisites:

  • Basic knowledge of IT security.
  • Basic knowledge of object-oriented programming languages (i.e., Kotlin).
  • Knowledge of access control models and BPMN (although not required) would be advantageous.

Objectives:

  • Familiarization and study of the context (i.e., BPMN workflows, RBAC) and the methodology proposed by the FBK's Center for Cybersecurity.
  • Enhancement of the aforementioned methodology to support the specification of further constraints.
  • Implementation of the methodology and (optional) investigation of the concepts of policy resiliency, workflow satisfiability, and policy change impact analysis.

Topics: Access Control, Workflows, BPMN

Notes: The objectives may be weighted differently according to interest, availability, and the chosen topic.

References:

Adversarial Attacks in AI and their Consequences ST

ID: p-2023-09-st-1

Description:

Adversarial attacks in artificial intelligence (AI) refer to deliberate manipulations of input data to deceive AI systems and produce incorrect or unintended outputs. These attacks have gained significant attention due to their potential to undermine the reliability and security of AI applications. This internship aims to explore the landscape of adversarial attacks in AI, analyze their consequences, and assess the associated risks. The goal is to gain insights into the vulnerabilities of AI systems and potentially propose strategies to mitigate the impact of adversarial attacks.

Levels: BSc, MSc

Supervisor: Majid Mollaeefar (mmollaeefar@fbk.eu)

Prerequisites:

  • Understanding of machine learning principles and algorithms
  • Knowledge of computer security and cybersecurity concepts

Objectives:

  • Literature Review
  • Experimental Analysis
  • Risk Assessment

Topics: Adversarial attacks in AI, Consequences and risks of adversarial attacks

Artificial Intelligence for Autonomous Cyber Defense ST

ID: p-2023-09-st-2

Description:

Technological developments include (i) the deployment and management of pervasive (wireless) sensor networks, which are the essential ingredients of the digital transformation ecosystem (e.g., Smart Manufacturing, Digital Health, and Digital societies). On the other hand, we need to consider that it increases the surfaces, nature, and speed of cyber-attacks. Keeping this in mind, we must develop new data-driven, autonomous agents and Artificial Intelligence; specifically, Reinforcement Learning (RL) is a promising technique for developing Autonomous Cyber Defense (ACD) Agents.

Level: MSc

Supervisor: Muhammad Imran (mimran@fbk.eu)

Prerequisites:

  • Python
  • Pytorch
  • Cyber Security
  • Basics of AI

Objectives:

  • Identification and implementation of RL algorithms as Autonomous Cyber Defense Agents.
  • Scalable Training simulator development for selected RL agents.
  • Identification of type of trained agents (e.g., defensive, or offensive or defensive & offensive both) Type of security threats we want to address.

Topics: Autonomous Cyber Defense (ACD), Reinforcement Learning (RL)

Automated Vulnerability Detection for TLS Deployments ST

ID: p-2023-09-st-3

Description:

TLSAssistant v2 is the latest version of our state-of-the-art analysis tool [1], a modular framework able to perform a wide set of checks and easily extensible with new features. Its main focus is to streamline the mitigation process of known and newly discovered TLS attacks, even for non-expert users, and it has recently gained the ability to assess security compliance against EU and US regulations.
The primary objective of this internship is to implement a novel module for the detection of new vulnerabilities in different scenarios (such as certificate chain validation, Android and iOS misconfigurations, and many others). The choice of the additional module will be made together with the selected candidate to maximize student interest and participation. Having to work with state-of-the-art tools and newly discovered vulnerabilities, the candidate will need determination and a willingness to overcome the challenges he or she is likely to face.

Levels: BSc, MSc

Supervisors: Salvatore Manfredi (smanfredi@fbk.eu), Matteo Rizzi (mrizzi@fbk.eu)

Time frame: Available starting from January 2024

Prerequisites:

  • Experience with Python 3 development
  • Basic knowledge of the TLS protocol
  • Problem-solving

Topics: Research tool, Vulnerability detection, Actionable mitigations, TLS misconfiguration

Notes: Multiple positions available.

References:

  • [1] TLSAssistant: Fully-featured tool that combines state-of-the-art TLS analyzers with a report system that suggests appropriate mitigations and shows the full set of viable attacks • Link

Automatic Security Testing Tool for Identity Management Protocols ST

ID: p-2023-09-st-4

Description:

Identity Management (IdM) protocols are the protocols supporting Single-Sign On (SSO) which is an authentication schema allowing the user to access different services using the same set of credentials. Two of the most known IdM protocols are SAML 2.0 SSO and OAuth 2.0/OpenID Connect. Several solutions for corporations like Google, Meta (Facebook) and for Public Administration like eIDAS and SPID are based on IdM protocols. We propose improving the tool to extend its capabilities by designing and implementing new features.

Levels: BSc, MSc

Supervisors: Andrea Bisegna (a.bisegna@futuroeconoscenza.it), Roberto Carbone (carbone@fbk.eu)

Prerequisites: Preferably basic knowledge of Java.

Objectives:

  • Literature Review (guidelines and best practices)
  • Ethical analysis
  • Risk Assessment

Topics: Identity Management protocols, Attack patterns, Penetration testing

Computational and Security Evaluation of Different Authentication/Authorization Protocols for IoT Devices ST

ID: p-2023-09-st-5

Description:

The rapid proliferation of Internet of Things (IoT) devices has introduced new dimensions of convenience and complexity to our lives. Ensuring the secure authentication and authorization of these devices is a critical challenge in maintaining the integrity and security of IoT ecosystems. This internship project focuses on conducting a comprehensive evaluation of various authentication and authorization mechanisms for IoT devices (e.g., CoAP), with a strong emphasis on the security and performance of the different solutions.

Levels: BSc, MSc

Supervisors: Umberto Morelli (u.morelli@futuroeconoscenza.it), Amir Sharif (asharif@fbk.eu)

Prerequisites:

  • Practice with programming and software development.
  • Familiarity with IoT concepts, protocols, and security considerations.
  • Basic understanding of authentication and authorization mechanisms, cryptographic principles, and security best practices.
  • Strong analytical and problem-solving skills.
  • Interest in cybersecurity, IoT, and network protocols.

Objectives: The primary objectives of this internship project are to analyze, compare, and assess different authentication and authorization mechanisms for IoT devices. By leveraging computational benchmarks and security assessments, the project aims to identify the most suitable protocols that strike a balance between performance and security in IoT environments.

Topics: Internet of Things, Authentication, Access Control

Cryptographic Access Control for Blockchain-based Applications ALEPH ST

ID: p-2023-09-aleph-4

Description:

Given the limited trust and inherently centralized nature of Cloud-based applications, the blockchain emerges as the ideal solution to guarantee the integrity and the confidentiality of sensitive data in cross-organizational scenarios. However, the basic security properties offered by the blockchain should be coupled with fine-grained access control policies (e.g., role- and attribute-based access control) enforced through cryptography (e.g., hybrid cryptography, multi-authority attribute-based encryption) for best security. The main goal of this project is to investigate how cryptographic access control is and can be used in blockchain-based applications to enforce access control policies in complex cross-organizational scenarios.

Levels: BSc, MSc

Supervisors: Stefano Berlato (sberlato@fbk.eu), Roberto Carbone (carbone@fbk.eu), Riccardo Longo (rlongo@fbk.eu)

Prerequisites:

  • Basic knowledge of IT security.
  • Basic knowledge of cryptography from cryptography-related courses.
  • Basic knowledge of object-oriented programming languages (i.e., Kotlin).

Objectives:

  • Familiarization and study of the state of the art in the use of the Blockchain for advanced data protection.
  • Evaluation of available techniques and design of a solution joining cryptographic access control with the Blockchain for high assurance of data integrity and confidentiality.
  • Implementation of the proposed approach in a tool developed and actively maintained by the FBK's Center for Cybersecurity [1].

Topics: Access Control, Cryptography, Blockchain

References:

  • [1] CryptoAC • Link

Cryptographic Revocation ALEPH

ID: p-2023-09-aleph-1

Description:

There is a strong interest in privacy-enhancing technologies to satisfy the complex requirements of digital identity, in particular minimizing the personal data shared at each presentation and preventing others from correlating the activity of digital identity credential holders between presentations. Important use cases are the Mobile Driver's License (ISO 18013-5) and the European Digital Identity Wallet. Cryptographic accumulators, e.g., [BdM93, N05, LLX07, BBF18, VB20] are efficient protocols to prove set (non-)membership that have been proposed as privacy-enhancing credential revocation mechanisms for digital credentials, e.g., [CL02]. During the internship, you will have an opportunity to consider theoretical and practical aspects of these technologies, to be agreed upon based on your interest and prior knowledge. We are particularly interested in a performance comparison of algorithms of interest, possibly using existing libraries (e.g., accumulator-rs).

Level: MSc

Supervisor: Alessandro Tomasi (altomasi@fbk.eu)

Prerequisites:

  • An undergraduate course in cryptography is required for basic notions.
  • Knowledge of RSA, elliptic curve cryptography, and zero-knowledge proofs would be highly advantageous.
  • Knowledge of programming languages (i.e., Python, Rust) would be highly advantageous.

Objectives:

  • Summary of chosen technologies.
  • Comparison of technologies on metrics of interest for the chosen scenario, e.g., complexity (number of operations), proof size, and offline functionality.
  • Exploration of alternatives for cryptographic agility, e.g., other elliptic curves or hash functions.

Topics: Digital Identity, Cryptography, Privacy Enhancing Technologies

Notes: The objectives may be weighted differently according to interest, availability, and the chosen topic.

References:

  • [BBF18] "Batching Techniques for Accumulators with Applications to IOPs and Stateless Blockchains". D Boneh, B Bünz, B Fisch. IACR 2018, CRYPTO 2019. • DOI, Video
  • [BdM93] "One-way accumulators: a decentralized alternative to digital signatures." J C Benaloh, M de Mare, Eurocrypt 93. • DOI
  • [CL02] "Dynamic Accumulators and Application to Efficient Revocation of Anonymous Credentials." J Camenisch, A Lysyanskaya, CRYPTO 2002. • DOI
  • [LLX07] "Universal Accumulators with Efficient Nonmembership Proofs". Li, J., Li, N., Xue, R., 2007. • DOI
  • [N05] "Accumulators from Bilinear Pairings and Applications." L Nguyen, CT-RSA 2005. • DOI
  • [VB20] "Dynamic Universal Accumulator with Batch Update over Bilinear Groups". G. Vitto, A. Biryukov, IACR 2020, CT-RSA 2022. • DOI, Video
  • [CHAHC22] "Curve Trees: Practical and Transparent Zero-Knowledge Accumulators." M Campanelli, M Hall-Andersen, S Holmgaard Kamp. • Link

Cryptographic Unlinkability in Digital Identity Protection ALEPH

ID: p-2023-09-aleph-8

Description:

Studying unlinkability in the world of digital identity holds significant importance. It helps create strong and privacy-preserving digital identity systems, allowing people to protect their privacy by preventing others from linking their actions and building profiles. A good example use case of this study is the European Digital Identity Wallet, which stores information such as IDs and mobile driving licenses. Cryptographic techniques such as selective disclosure and zero-knowledge mechanisms [1, 2, 3] can ensure that digital identity systems provide only the necessary information, contributing to the unlikability of identity credentials and user privacy in regards. However, it's imperative to question the reliability of these techniques. Machine learning, with its proficiency in pattern recognition and data analysis, is a powerful tool in this context. It possesses the capability to uncover hidden links and vulnerabilities within these systems, enabling the detection and mitigation of re-identification and profiling [4]. During your internship, you will get a chance to explore both the theory and practical aspects of these techniques, based on your interests and prior knowledge. Our specific focus centers on investigating the key factors that contribute to the unlinkability of identity credentials, with a special emphasis on the implementation of unlinkability techniques in their creation and presentation within the relevant use case. We will also use machine learning to see how any of these key factors, i.e., credential's info (attribute, metadata, ...) can make it easier or harder to stay anonymous.

Level: MSc

Supervisors: Zahra Ebadi Ansaroudi (zebadiansaroudi@fbk.eu), Alessandro Tomasi (altomasi@fbk.eu)

Prerequisites:

  • An undergraduate course in cryptography is required for basic notions.
  • Knowledge of RSA, selective disclosure, and zero-knowledge proofs would be highly advantageous.
  • Knowledge of machine learning (particularly deep learning algorithms such as conventual neural networks) would be highly advantageous.
  • Knowledge of programming languages (i.e., Python, Rust) would be highly advantageous.

Objectives:

  • State-of-the-art study on available cryptographic unlinkability techniques.
  • Comparison of the unlinkability techniques on metrics of interest for the chosen unlikability scenarios and case studies. This could be employing machine learning-based analysis and proving whether the unlinkability is violated for chosen case studies or not.

Topics: Digital Identity, Verifiable Credentials, Cryptography, Privacy Enhancing Technologies, Machine Learning

Notes: The objectives may be weighted differently according to interest, availability, and the chosen topic.

References:

  • [1] Alp'ar, G., Jacobs, B.: Credential design in attribute-based identity management (2013)
  • [2] Camenisch, J., Lysyanskaya, A.: An efficient system for non-transferable anonymous credentials with optional anonymity revocation. In: Advances in Cryptology—EUROCRYPT 2001: International Conference on the Theory and Application of Cryptographic Techniques Innsbruck, Austria, May 6-10, 2001 Proceedings 20. pp. 93-118. Springer (2001)
  • [3] Ringers, S., Verheul, E., Hoepman, J.H.: An efficient self-blindable attribute-based credential scheme. In: Financial Cryptography and Data Security: 21st International Conference, FC 2017, Sliema, Malta, April 3-7, 2017, Revised Selected Papers 21. pp. 3-20. Springer (2017)
  • [4] Van Otterlo, M.: A machine learning view on profiling. Privacy, Due Process and the Computational Turn-Philosophers of Law Meet Philosophers of Technology. Abingdon: Routledge pp. 41-64 (2013)

Developing a Web-based Assessment Tool for Training Courses and Dissemination Events ST

ID: p-2023-09-st-6

Description:

One of the strategic objectives of the European Union Agency for Cybersecurity (ENISA) to address the shortage and gap in cybersecurity skills is to increase user awareness among the general public and in primary and secondary education, as well as to strengthen training and promote cybersecurity in higher education [1]. To contribute to this effort, we are developing CyberQ, a web-based application that aims to assess users' cybersecurity awareness during dissemination events and training courses.
The goal of this internship is to expand the inner structure, features, and user interface/user experience of the CyberQ prototype, as well as the set of predefined questions. This internship will give the student hands-on experience developing a useful and practical tool as well as an in-depth understanding of the complexities of cybersecurity awareness.
The selected candidate will be able to contribute to the ongoing effort to raise cybersecurity awareness among the general public as well as in primary and secondary education. They will also be able to apply their knowledge and skills to develop a tool to promote cybersecurity in higher education and beyond.

Levels: BSc, MSc

Supervisors: Salvatore Manfredi (smanfredi@fbk.eu), Matteo Rizzi (mrizzi@fbk.eu)

Time frame: Available starting from January 2024

Prerequisites:

  • Experience with Python 3 and Jinja2 development
  • Problem-solving
  • Basic knowledge of common attacks (e.g. phishing, sniffing)

Topics: Awareness evaluation, Dissemination tools, Gamification

References:

  • [1] Addressing Skills Shortage and Gap Through Higher Education, ENISA • Link

DevSecOps for Cloud Native Applications CLEANSE

ID: p-2023-09-cil-1

Description:

"The purpose and intent of DevSecOps is to build on the mindset that everyone is responsible for security with the goal of safely distributing security decisions at speed and scale to those who hold the highest level of context without sacrificing the safety required," describes Shannon Lietz, co-author of the "DevSecOps Manifesto."
DevSecOps (development, security, and operations) is an approach to automate the integration of cybersecurity processes at every phase of the software development lifecycle, from initial design through integration, testing, deployment, and software delivery. It represents a natural and necessary evolution in the way development organizations approach security.
For Cloud Native Applications, security regards multiple levels (code, container, deployment, orchestrator, etc.) and the approach to introduce security should consider all of them.

Levels: BSc, MSc

Supervisor: Pietro De Matteis (pdematteis@fbk.eu)

Objectives: The main target is related cloud native application development life cicle, based on micriservices and distribuited deployment (for example Docker and Kubernetes).
Additional:

  • analyze scenarios and use cases
  • evaluate guidelines, best practices and tools

Topics: Cloud Native Applications, Secure coding, Software Development Life Cycle (SDLC), Container and orchestrator

Notes: Multiple positions available.

Enhancing Access Control Systems using Machine Learning ST

ID: p-2023-09-st-7

Description:

Access control systems play a critical role in ensuring the security and privacy of physical spaces, digital resources, and sensitive information. With the advent of machine learning, there is a growing opportunity to enhance traditional access control systems by incorporating intelligent and adaptive mechanisms. This internship will focus on exploring and implementing machine learning techniques to improve access control systems' efficiency, accuracy, and user experience.

Levels: BSc, MSc

Supervisor: Tahir Ahmad (ahmad@fbk.eu)

Prerequisites:

  • Machine Learning Fundamentals
  • Programming skills (Python)
  • Cybersecurity basics

Objectives:

  • Conduct a thorough literature review on the intersection of machine learning and access control in cybersecurity.
  • Develop a prototype of an adaptive access control system that adjusts permission levels based on user behavior and contextual information.
  • Conduct experiments to evaluate the accuracy of the anomaly detection model and the effectiveness of the adaptive access control policies.
  • Document the implementation details, challenges faced, and lessons learned during the internship.

Topics: Adaptive access control, Access patterns, User behavior analysis, Contextual Information

Enhancing Cryptographic Access Control with Predicates and Negative Permissions ALEPH ST

ID: p-2023-09-aleph-6

Description:

Cryptographic Access Control (CAC) is often employed to protect the confidentiality of Cloud-hosted sensitive data from both external attackers and curious service providers while enforcing access control policies. In CAC, the sensitive data is encrypted, and the permission to access the encrypted data is embodied by the (secret) decrypting key. Unfortunately, CAC usually incurs significant computational overhead — mainly due to cryptographic computations — that limits its applicability in real-world scenarios. Moreover, by itself, CAC does not provide suitable abstractions for specifying additional information and constraints (e.g., on how much a user is trusted) that may instead be useful to relieve such a computational overhead. Put in the context of an already ongoing collaboration with the University of Pittsburgh, the main goal of this project is to enhance CAC by investigating one or more of the following ideas:

  1. Logic Predicates: express assumptions and requirements about users and resources;
  2. Negative Permissions: deny accesses explicitly through a careful distribution of cryptographic keys;
  3. Improved Performance: investigate other means (e.g., use of symmetric vs. asymmetric cryptography) to directly relieve the computational overhead of CAC.

Levels: BSc, MSc

Supervisors: Stefano Berlato (sberlato@fbk.eu), Roberto Carbone (carbone@fbk.eu)

Prerequisites:

  • Basic knowledge of IT security.
  • Basic knowledge of cryptography from cryptography-related courses.
  • Basic knowledge of object-oriented programming languages (i.e., Kotlin).

Objectives:

  • Familiarization and study of the state of the art in the use of the CAC techniques for advanced data protection.
  • Evaluation of the aforementioned ideas and design of solutions to enhance the capabilities of CAC.
  • Implementation of the proposed solutions in a tool developed and actively maintained by the FBK's Center for Cybersecurity [1].

Topics: Access Control, Cryptography

Notes: The objectives may be weighted differently according to interest, availability, and the chosen topic.

References:

  • [1] CryptoAC • Link

Enhancing mIDAssistant Plugin Capability ST

ID: p-2023-09-st-8

Description:

The mIDAssistant plugin has emerged as a valuable resource for native app developers seeking to integrate third-party Identity Management providers (IdMPs) into their applications. By providing a wizard-based approach, mIDAssistant simplifies and streamlines the integration process, ultimately enhancing the security of authentication and authorization protocols based on OAuth and OpenID Connect within their native apps. However, the tool has its limitations, and this internship project aims to address those limitations while expanding its capabilities to support a wider range of functionalities and integration scenarios.

Levels: BSc, MSc

Supervisors: Amir Sharif (asharif@fbk.eu), Giada Sciarretta (g.sciarretta@fbk.eu), Roberto Carbone (carbone@fbk.eu)

Prerequisites:

  • Proficiency in software development, particularly in native app development and relevant programming (JAVA, Xamarin) languages.
  • Familiarity with Identity Management Protocols: OAuth 2.0, and OpenID Connect.
  • Strong problem-solving and analytical skills.

Objectives: The primary objectives of this internship project are to enhance the mIDAssistant tool's capabilities, improve the quality of integrated code, and extend its support for various IdMPs and integration profiles. The project will focus on addressing the current limitations while optimizing the integration process to ensure cleaner and more secure code generation.

Topics: Native Apps, Digital Identity, OAuth/OIDC

References:

  • [1] mIDAssistant • Link

Evaluating the Impact of eBPF Observability Solutions on System Resources RiSING

ID: p-2023-09-rising-4

Description:

eBPF (Extended Berkeley Packet Filter) is a recent development in the Linux kernel that allows users to programmatically monitor, observe, and manage kernel activity in a safe and extensible way [1]. In the past years, research has flourished on the topic, with solutions being developed ranging from system call monitoring to container observability, network management and more [2, 3]. However, while moving monitoring solutions to the kernelspace has inherent security and speed advantages, often the overhead of the monitoring activity itself is disregarded. The project will begin by learning about eBPF, its capabilities, and how to understand and write eBPF code. The final objectives of this project are twofold. First, candidates will evaluate the state-of-the-art literature, assessing the strengths and weaknesses of several observability solutions and quantitatively analyzing the overhead on the system resources (e.g., CPU, memory). Second, candidates will focus on decreasing resource usage in these solutions; examples may include upgrades of the kernel version, better selection of observed features, and more.

Level: MSc

Supervisors: Matteo Franzil (mfranzil@fbk.eu), Luis Augusto Dias Knob (l.diasknob@fbk.eu)

Prerequisites:

  • Basic knowledge of Linux system calls
  • Knowledge of computer networking and containers
  • Experience with Python 3 and Go; adaptability to other languages is a plus

Topics: Observability, Computer networking, eBPF

References:

  • [1] ebpf.io, ‘What is eBPF? An Introduction and Deep Dive into the eBPF Technology’, Mar. 05, 2022. • Link
  • [2] J. Levin and T. A. Benson, ‘ViperProbe: Rethinking Microservice Observability with eBPF’, in 2020 IEEE 9th International Conference on Cloud Networking (CloudNet), Piscataway, NJ, USA: IEEE, Nov. 2020, pp. 1–8. • DOI, Link
  • [3] C. Cassagnes, L. Trestioreanu, C. Joly and R. State, "The rise of eBPF for non-intrusive performance monitoring," NOMS 2020 - 2020 IEEE/IFIP Network Operations and Management Symposium, Budapest, Hungary, 2020, pp. 1-7. • DOI

Exploring Trustworthy AI ST

ID: p-2023-09-st-9

Description:

Trustworthy AI refers to the development and deployment of artificial intelligence systems that are reliable, ethical, and accountable. As AI becomes increasingly integrated into various domains, ensuring its trustworthy behavior is crucial for building public trust and safeguarding against unintended consequences. This internship aims to explore the concept of Trustworthy AI, analyze existing approaches, and propose strategies to enhance the trustworthiness of AI systems.

Levels: BSc, MSc

Supervisor: Majid Mollaeefar (mmollaeefar@fbk.eu)

Prerequisites:

  • Understanding of machine learning principles and algorithms
  • Familiarity with ethical considerations in AI

Objectives:

  • Literature Review (guidelines and best practices)
  • Ethical analysis
  • Risk Assessment

Topics: Trustworthy AI (Concepts and dimensions), Ethical considerations in AI, AI trustworthiness assessment

Identifying Anomaly Behavior in Container Orchestrator Auditing Logs RiSING

ID: p-2023-09-rising-1

Description:

Kubernetes is the facto container orchestrator in public and private clouds. It presents many features that facilitate the management not only of containers but also several elements that help implement more complex applications, like secrets, configmaps, services, and ingresses. All the configurations are handled through an API that manages the access using an RBAC system. These requests to the API are logged by the auditing module, which can be configured with different granularity. If a User or Service Account is compromised, some malicious actor can execute commands to obtain confidential information, like passwords or application topologies. Given the substantial volume of logged events, threshold-based or string-pattern matching algorithms can not be enough to identify malicious behavior in the cluster. So, this project aims to explore the state-of-the-art and compare existing anomaly detection algorithms and their applicability to auditing logs.

Levels: BSc, MSc

Supervisor: Luis Augusto Dias Knob (l.diasknob@fbk.eu)

Prerequisites:

  • Experience with Python 3
  • Experience with Kubernetes and containers
  • Experience with deep learning frameworks (e.g., PyTorch, Tensorflow, Keras) is preferable

Topics: Auditing logs, Anomaly detection, Kubernetes, Public cloud

Key Recovery ALEPH

ID: p-2023-09-aleph-3

Description:

Safeguarding private keys presents many issues, especially for the general public. Private keys can be easily lost or forgotten, leading to the inaccessibility of the assets which they control. On the other hand, delegating full control of the keys to a third party for safekeeping is risky and may not be viable. We would like to implement and test a recently proposed cryptographic key recovery scheme [BLM22] based on a distributed secret sharing that allows some parties to be offline during the key-generation process.

Level: MSc

Supervisors: Riccardo Longo (rlongo@fbk.eu), Alessandro Tomasi (altomasi@fbk.eu), Stefano Berlato (sberlato@fbk.eu)

Prerequisites:

  • Knowledge of secret sharing and Elliptic Curve Cryptography.
  • Programming experience in Rust, C, Python, or equivalent.
  • Knowledge of Pedersen commitment is not required but would be beneficial.

Objectives:

  • Development of a cryptographic proof of concept software.
  • Performance evaluation and comparison.

Topics: Secret Sharing, Decentralization

References:

  • [1] Aleph: e-voting • Link
  • [BLM22] M Battagliola, R Longo, A Meneghetti: Extensible Decentralized Secret Sharing and Application to Schnorr Signatures. • Link

Mind the Gap Between Security Protocol Verification Tools ST

ID: p-2023-09-st-10

Description:

In recent years, more and more online services are being exposed over the Internet to enable a seamless experience for the citizens (e.g., eHealth, eGovernment and home banking platforms). Depending on their level of sensibility, these services may require a strong authentication of the claimants, in order to have guarantees on their (digital) identity. Authentication protocols thus represent a significant target for malicious entities, who frequently try to compromise them to illegitimately access the underlying services and gain advantages. For this reason, evaluating the security of Identity Management protocols represents a fundamental task, as it allows to identify potential attackers and define countermeasures to mitigate them. Among the techniques that are commonly used in this field, formal methods represent the most precise, yet computationally complex: they usually require a formal specification of the protocol under the evaluation, and verify that the security properties to guarantee hold during the execution of the protocol.
The state of the art currently features many tools to perform security protocol verification, each one with its own peculiarities. Within the Security & Trust research unit, we are currently using the tool SATMC [1]; however, we would like to explore other tools (e.g., Tamarin [2], ProVerif [3], VerifPal [4]) in order to understand similarities and differences, as well as face challenges related to how the gap with SATMC can be filled.

Level: MSc

Supervisors: Marco Pernpruner (mpernpruner@fbk.eu), Giada Sciarretta (g.sciarretta@fbk.eu)

Prerequisites: Basics of Identity Management (authentication, public and private keys).

Objectives:

  • Become familiar with an assigned tool for security protocol verification.
  • Understand the core features of the assigned tool.
  • Model some known authentication protocols by following the specifications of the assigned tool.
  • Compare the assigned tool with SATMC, a tool for security protocol verification that is currently being used within the Security & Trust research unit.

Topics: Identity Management, Security Protocol Verification

Notes: Multiple positions available.

References:

  • [1] Alessandro Armando, Roberto Carbone, Luca Compagna. "SATMC: A SAT-Based Model Checker for Security-Critical Systems". In 20th International Conference on Tools and Algorithms for the Construction and Analysis of Systems (TACAS 2014) • ,
  • [2] Tamarin • Link
  • [3] ProVerif • Link
  • [4] VerifPal • Link

Multi-Objective Microservice Orchestration ALEPH RiSING

ID: p-2023-09-aleph-7

Description:

Microservices are the basic building blocks for modern Cloud-native applications. However, the orchestration — and especially the placement — of microservices should be aware of the functional and security requirements of the underlying applications. The main goal of this project revolves around the design of a methodology and a toolset for orchestrating (microservices in) Cloud-native applications to balance the minimization of risks due to the possible presence of security threats (e.g., malicious insider attackers, curious tenants) and the achievement of service performance requirements (e.g., expressed on computational resources, network throughput and latency).

Levels: BSc, MSc

Supervisors: Stefano Berlato (sberlato@fbk.eu), Silvio Cretti (scretti@fbk.eu), Domenico Siracusa (dsiracusa@fbk.eu)

Prerequisites:

  • Basic knowledge of IT security.
  • Basic knowledge of object-oriented programming languages (i.e., Kotlin).
  • Knowledge of the microservice architectural paradigm and orchestrators (e.g., Kubernetes) would be highly advantageous.

Objectives:

  • Familiarization and study of the state of the art in the orchestration of microservices.
  • Study and elicitation of requirements for applications deployed in prominent use case scenarios.
  • Design and implementation of a methodology for the effective orchestration of microservices in a tool developed and actively maintained by the FBK's Center for Cybersecurity [1].

Topics: Cloud-native Applications, Security, Multi-Objective Optimization

References:

  • [1] FogAtlas • Link

Robustness of Intrusion Detection Systems against Adversarial Machine Learning attacks RiSING

ID: p-2023-09-rising-3

Description:

A Network Intrusion Detection System (NIDS) serves as the initial line of defence against network attacks that threaten the integrity of data, systems, and networks. Over recent years, Deep Neural Networks (DNNs) have been increasingly used in NIDSs to detect malicious traffic due to their remarkable accuracy in identifying malicious network activity. Nonetheless, DNNs exhibit susceptibility to Adversarial Machine Learning (AML) attacks, where subtle alterations to input data can lead to misclassification by the neural network. This vulnerability has particularly severe consequences, as adversarial attacks pose a substantial threat to overall network security. While the majority of current research in the field of AML has been directed towards computer vision tasks like image classification and object recognition, there has been a notable increase in interest and activity within the cybersecurity domain. Nevertheless, several challenges persist in this domain, encompassing both performance-related issues and the practicality of applying these methods to real-world scenarios. The primary objective of this project is to explore innovative and practical methodologies aimed at enhancing the resilience of NIDSs against AML attacks.

Level: MSc

Supervisor: Roberto Doriguzzi Corin (rdoriguzzi@fbk.eu)

Time frame: from February 2023

Prerequisites:

  • Basic knowledge of network security
  • Basic knowledge of computer networking
  • Basic knowledge of the Python programming language and Deep Learning libraries

Objectives:

  • Familiarization and study of the state-of-the-art related to AML attacks and defenses
  • Evaluation of available AML techniques against state-of-the-art DL-based NIDS to spot limitations in the existing solutions
  • Design and implementation of a novel solution

Topics: Network security, Deep learning, Adversarial Machine Learning

References:

  • [1] He, Ke, Dan Dongseong Kim, and Muhammad Rizwan Asghar. "Adversarial machine learning for network intrusion detection systems: a comprehensive survey." IEEE Communications Surveys & Tutorials (2023).
  • [2] Alhajjar, Elie, Paul Maxwell, and Nathaniel Bastian. "Adversarial machine learning in network intrusion detection systems." Expert Systems with Applications 186 (2021): 115782.
  • [3] Jmila, Houda, and Mohamed Ibn Khedher. "Adversarial machine learning for network intrusion detection: A comparative study." Computer Networks 214 (2022): 109073.

Rust E-voting Cryptographic Library ALEPH

ID: p-2023-09-aleph-2

Description:

Electronic voting (e-voting) includes processes in whole or in part executed by electronic means, such as by using voting machines to cast ballots, using scanners to digitize paper ballots, or casting votes remotely over the internet (i-voting). Cryptography is at the heart of end-to-end verifiable protocols, including additively homomorphic encryption to tally votes without decrypting each one, secure multi-party computation to avoid a single authority from having all private keys, and zero-knowledge proofs to prove ballot correctness, among other properties. During a recent e-voting project, we developed a library for cryptographic functions in Python based on the MIRACL core library and the protocol summarized in [LMST22]. The successful applicant will have the opportunity to assist in performing the same task in the more secure and performant Rust language.

Level: MSc

Supervisors: Riccardo Longo (rlongo@fbk.eu), Alessandro Tomasi (altomasi@fbk.eu)

Prerequisites:

  • Knowledge of ElGamal, secret sharing, and Elliptic Curve Cryptography.
  • Programming experience in Rust, C, Python, or equivalent.

Objectives:

  • Development of a cryptographic library.
  • Performance evaluation and comparison.

Topics: Electronic voting, Zero-knowledge, Secure multi-party cryptography

References:

  • [1] Aleph: e-voting • Link
  • [2] The MIRACL Core Cryptographic Library • Link
  • [LMST22] Riccardo Longo, Umberto Morelli, Chiara Spadafora, Alessandro Tomasi. Adaptation of an i-voting scheme to Italian Elections for Citizens Abroad. In: Seventh International Joint Conference on Electronic Voting (E-Vote-ID 2022). • DOI

System Calls Misuse Detection in Containerized Systems RiSING

ID: p-2023-09-rising-2

Description:

Containers have arisen as a lightweight alternative to virtual machines (VMs). While they have become the industry standard for deploying microservices, container security remains the foremost concern and a significant obstacle to adoption for numerous companies. Containers, as bundles of applications and services packaged together, are susceptible to software bugs or to the inclusion of malware, whether intentionally or inadvertently. These anomalous programs possess the same capabilities as any other component within the container image, making them potential threats to other containers or hosts within the ecosystem. The goal of this project is to investigate Machine Learning (ML) methods to detect container anomalies through the analysis of their systems calls, i.e., of their interactions with the kernel of the hosting machine.

Level: MSc

Supervisor: Roberto Doriguzzi Corin (rdoriguzzi@fbk.eu)

Time frame: from February 2023

Prerequisites:

  • Basic knowledge of container technologies (e.g., Docker, Linux containers, etc.)
  • Basic knowledge of the Linux OS
  • Basic knowledge of the Python programming language and Deep Learning libraries

Objectives:

  • Familiarization and study of the state-of-the-art related to container security
  • Evaluation of available techniques for anomaly detection in containerized systems
  • Design and implementation of an online ML-based solution for the detection of container anomalies through the analysis of the containers' system calls.

Topics: Containerized systems, Machine Learning, Anomaly Detection

References:

  • [1] El Khairi, Asbat, et al. "Contextualizing system calls in containers for anomaly-based intrusion detection." Proceedings of the 2022 on Cloud Computing Security Workshop. 2022.
  • [2] Bèlair, Maxime, Sylvie Laniepce, and Jean-Marc Menaud. "Leveraging kernel security mechanisms to improve container security: a survey." Proceedings of the 14th international conference on availability, reliability and security. 2019.
  • [3] Sultan, Sari, Imtiaz Ahmad, and Tassos Dimitriou. "Container security: Issues, challenges, and the road ahead." IEEE access 7 (2019)

Threat Modeling for Digital Identity Wallet ST

ID: p-2023-09-st-11

Description:

In an increasingly digital world, the security of personal and sensitive information is paramount. Digital identity wallets have emerged as a convenient and secure solution for individuals to manage and control their personal identity data, enabling seamless interactions across various online services. However, ensuring the robust security of these wallets is of utmost importance to prevent potential breaches and unauthorized access. This internship project focuses on applying threat modeling procedures (e.g., OWASP and STRIDE) to enhance the security posture of a digital identity wallet system.

Levels: BSc, MSc

Supervisors: Amir Sharif (asharif@fbk.eu), Giada Sciarretta (g.sciarretta@fbk.eu), Roberto Carbone (carbone@fbk.eu)

Prerequisites:

  • Basic understanding of cybersecurity principles.
  • Pre-Knowledge of the OpenID Connect protocol is a plus.
  • Strong analytical and problem-solving skills.
  • Knowledge of STRIDE framework and OWASP threat modeling procedures (prior experience is a plus).

Objectives: The primary objective of this internship project is to conduct a comprehensive threat modeling analysis for a digital identity wallet system. By utilizing the STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege) framework and the OWASP (Open Web Application Security Project) threat modeling procedures, the project aims to identify potential vulnerabilities, assess associated risks, and propose effective mitigation strategies.

Topics: Digital Identity, Threat Modeling, Identity Wallet