Curriculum Vitæ

Summary

I like to explore and analyze! I especially enjoy creating tools to extract data, analyze and explain unknown phenomena in any ICT system, at any scale.

I am happily doing this as a Senior Threat Researcher at Trend Micro’s Forward-Looking Threat Research (FTR) team. The team’s mission is to scout the future for novel security risks and threats.

Activities

For the past 17 years I have had both industrial and academic work experience, as an employee, professor, and consultant. As such, I have experience dealing with various realms, from large corporate environments and research laboratories to small companies.

My work activities range from pure development to research, including both technical and dissemination tasks. In the past, I’ve done vulnerability assessment and web penetration-testing activities as a consultant, and I was hired multiple times as a technical expert witness for courts in Italy. Being a member of various review boards and scientific program committees, I have extensive experience in assessing the quality of technical documents and other scientific artifacts.

Research

Although I enjoy doing research in really any area of computer security, my experience includes various topics under the “cyber security” and “cyber crime” umbrella terms, such as threat analysis and intelligence, malware analysis, mobile security, fraud analysis and detection, web- and social-network security, and data visualization for security.

A distinctive aspect of my work is that I always strive to follow data-driven or learning-based approaches. The most recent example is a large-scale data-analysis tool that I developed to find web-defacement campaigns. In agreement with my employer, I’ve partially open-sourced the tool after demoing it at Black Hat US Arsenal (2017). I’ve worked on similar projects on other topics: botnet data analysis and intelligence, mobile ransomware analysis, banking fraud intelligence, malware behavior mining, web-scale threat measurements, and anomaly detection.

Research Dissemination and Speaking Experience

I have published tens of research papers at refereed international conferences or journals, as well as technical white papers and technical blog posts. I’ve presented my work at various international venues including both academic and industrial conferences (e.g., Black Hat), as well as closed-door events.

Thanks to my extensive teaching experience, I have acquired professional proficiency at speaking to and engaging with various types of audiences in both English and Italian. Thanks to these activities, I’ve grown accustomed to traveling internationally and interacting with a variety of cultures.

My work has been recognized by several research groups (UC Santa Barbara, Foundation for Research and Technology Hellas, Northeastern University, Stony Brook University, KU Leuven, and Royal Holloway University of London), with which I have collaborated on various occasions.

Teamwork and Management Experience

In addition to teamwork in small groups of researchers, I have been teaching computer programming, computer and network security, digital forensics, and information systems. Since 2014 I have been the professor for the Computer Security course and have co-taught Advanced Topics in Computer Security.

I coordinated the organization of computer-security challenges and international competitions (CTFs). I’ve advised several PhD students. During my research projects, I am keen to involve people actively and work closely with them. Over my academic career, this has resulted in more than 35 theses and hundreds of people that I have supervised since 2009.

Technical Skills

R&D activities highly demand flexibility, and thus I’m always keen to learn a new technology. Thanks to this, I have gained hands-on experience with a wide variety of technical development and research tools, at all levels of the modern ICT stack: from a disassembler or other command-line tools, to full-fledged web-development frameworks, storage systems, as well as dev-ops or system-administration tools.


Positions, Education and Awards

Record of Employment

Education

Toolbox & Technical Skills

Awards


Presence in the Infosec Community

Through various activities such as international collaborations, public speaking and conference organization, I feel I belong to the “small” world that we all call “the infosec community”. The researchers with whom I collaborate can easily be inferred from my publication list. Therefore, I list the rest here.

Selected Talks

DefPloreX: A Machine Learning Toolkit for Large-Scale E-Crime Forensics
Balduzzi, Marco and Maggi, Federico and Ciancaglini, Vincenzo and Flores, Ryan and Gu, Lion. Black Hat Arsenal USA (Peer-reviewed Demo), Las Vegas, US. (July 27, 2017) - Link: https://www.blackhat.com/us-17/arsenal.html#defplorex-a-machine-learning-toolkit-for-large-scale-ecrime-forensics [PDF]

Breaking the Laws of Robotics: Attacking Industrial Robots
Quarta, Davide and Pogliani, Marcello and Polino, Mario and Maggi, Federico and Zanero Stefano. Black Hat Briefings USA (Peer-reviewed Talk), Las Vegas, US. (July 27, 2017) - Link: https://www.blackhat.com/us-17/briefings.html#breaking-the-laws-of-robotics-attacking-industrial-robots [PDF]

ShieldFS: The Last Word in Ransomware-Resilient File Systems
Continella, Andrea and Guagnelli, Alessandro and Zingaro, Giovanni and De Pasquale, Giulio and Barenghi, Alessandro and Zanero, Stefano and Maggi, Federico. Black Hat Briefings USA (Peer-reviewed Talk), Las Vegas, US. (July 27, 2017) - Link: https://www.blackhat.com/us-17/briefings.html#shieldfs-the-last-word-in-ransomware-resilient-file-systems [PDF]

Talking Behind Your Back: Attacks and Countermeasures of Ultrasonic Cross-Device Tracking
Mavroudis, Vasilios and Hao, Shuang and Fratantonio, Yanick and Maggi, Federico and Vigna, Giovanni and Kruegel, Christopher. Black Hat Briefings Europe (Peer-reviewed Talk), London, UK. (November 3, 2016) - Link: https://www.blackhat.com/eu-16/briefings.html [PDF]

Pocket-sized Badness: Why Ransomware Comes as a Plot Twist in the Cat-Mouse Game
Federico Maggi and Stefano Zanero. Black Hat Briefings Europe (Peer-reviewed Talk), London, UK. (November 3, 2016) - Link: https://www.blackhat.com/eu-16/briefings.html [PDF]

A Walk Through the Construction of the First Mobile Malware Tracker
Federico Maggi. Android Security Symposium (Invited Talk), Vienna, Austria. (September 11, 2015) - Link: https://usmile.at/symposium/program [PDF]

Come to the Dark Side: We Have Apps!
Federico Maggi. HackInBo (Invited Talk), Bologna, Italy. (October 11, 2014) - Link: http://www.hackinbo.it/ [PDF]

Tracking and Characterizing Botnets Using Automatically Generated Domains
Federico Maggi. Honeynet Workshop (Invited Talk), Warsaw, Poland. (May 14, 2014) [PDF]

Phoenix & Cerberus: Botnet Tracking via Precise DGA Characterization
Federico Maggi. Google Tech Talk (Invited Talk), Google, Mountain View, CA, USA. (May 2014) [PDF]

Malicious Android Apps: Overview, Status and Dilemmas
Federico Maggi. (January 3, 2014) - Link: http://s.maggi.cc/android-malware-2013 [PDF]

AndroTotal: A Scalable Framework for Android Antimalware Testing
Federico Maggi. Secure (Invited Talk), Warsaw, Poland. (October 9, 2013) [PDF]

iSnoop: How to Steal Secrets from Touchscreen Devices
Federico Maggi, Alberto Volpatto, and Stefano Zanero. Black Hat Briefings Abu Dhabi (Peer-reviewed Talk), Abu Dhabi. (December 2011) - Link: https://www.blackhat.com/html/bh-ad-11/bh-ad-11-archives.html [PDF]

International Conference Organization

I have organized international conferences, sat on their review boards, or served as an external reviewer.

I was part of the Tower of Hanoi (ToH) team, with which I’ve gained experience in playing, organizing, and running CTF competitions.

Referee Service

Although I’m not a strong supporter of journals in this area, in the past I have served for the following journals as a reviewer:


Research

My research activity revolves around a multitude of topics in the area of cyber security and e-crime, with a spin on data-analysis-oriented approaches.

Research Topics

I focus on analysis and mitigation of current and future threats using data analysis. I’ve been using ML since the beginning of my academic career. Nowadays, there is a lot of hype around machine learning (ML) and artificial intelligence (AI), and sometimes these two branches of science are brutally confused, to the point that people write “ML/AI” or say “ML or AI,” as if they were synonyms. I prefer to take a step back, and simply say that I use data-analysis techniques, which has a much broader meaning. In particular, I do research on threat analysis and intelligence, malware analysis (including mobile malware), banking fraud analysis and detection, web and social-network security, vishing (voice phishing), and measurement. In addition, I have made contributions in the field of security visualization.

In the past I made contributions in the field of anomaly detection: I developed and tested anomaly-based tools to mitigate Internet threats by (1) avoiding their spread via vulnerable web applications, (2) detecting unexpected activities in the operating system’s kernel (a sign of malware infections or compromised processes), and (3) dealing with a high number of alerts using alert correlation.

I occasionally extend my research beyond such topics: I let new ideas grow into research projects and involve multiple research institutions as needed by the specific vertical.

Highlighted Projects

When I’m involved in a research project, I always make an effort to leave some online artifact to demonstrate the idea, be it a simple web application or, sometimes, the source code. I hereby highlight the main research projects that I’ve contributed to, in reverse chronological order.

Robosec: Industrial Robot Security

Industrial robots are complex cyber-physical systems used for manufacturing, and a critical component of any modern factory. Besides the mechanical arm, inside an industrial robot there are not just electromechanical components but a multitude of complex embedded controllers. These embedded controllers are often interconnected with other computers in the factory network, safety systems, and to the Internet for remote monitoring and maintenance. In this scenario, industrial routers also play a key role, because they directly expose the robot’s controller. Therefore, the impact of a single, simple vulnerability can grant attackers an easy entry point.

Technical brief: Rogue Robots

Material, F.A.Q., press: http://robosec.org

Elevator pitch: Rogue Robots - Testing the Limits of an Industrial Robot’s Security

Brief video: Rogue Robots: Testing the Limits of an Industrial Robot’s Security

Attack demo: Attacking Industrial Robots

Breaking the Laws of Robotics: Attacking Industrial Robots
Quarta, Davide and Pogliani, Marcello and Polino, Mario and Maggi, Federico and Zanero Stefano. Black Hat Briefings USA (Peer-reviewed Talk), Las Vegas, US. (July 27, 2017) - Link: https://www.blackhat.com/us-17/briefings.html#breaking-the-laws-of-robotics-attacking-industrial-robots [PDF]

An Experimental Security Analysis of an Industrial Robot Controller
Davide Quarta, Marcello Pogliani, Mario Polino, Federico Maggi, Andrea Maria Zanchettin, and Stefano Zanero.
In Proceedings of the 38th IEEE Symposium on Security and Privacy (S&P ’17). San Jose, CA: ACM. DOI: http://dx.doi.org/10.1109/SP.2017.20 (May 2017) [PDF]

CAN DoS: Denial of Service on In-vehicle Networks

In many instances, researchers and engineers have found ways to hack into modern, internet-capable cars, as has been documented and reported several times. One famous example is the Chrysler Jeep hack that researchers Charlie Miller and Chris Valasek discovered. This hack and those that have come before it have mostly been reliant on specific vulnerabilities in specific makes and/or brands of cars. And once reported, these vulnerabilities were quickly resolved. But what should the security industry’s response be when a hack is found that is not only successful in being able to drastically affect the performance and function of the car, but is also stealthy and vendor neutral?

Blog post: The Crisis of Connected Cars: When Vulnerabilities Affect the CAN Standard

Talk video: A Stealth DoS Attack Against CAN-based Automotive Networks

Attack demo: CAN Denial-of-Service Attack Demo on the Giulietta

Source code: CAN-Denial-of-Service

ICS-CERT Alert: ICS-ALERT-17-209-01

A Stealth, Selective, Link-Layer Denial-of-Service Attack Against Automotive Networks
Andrea Palanca, Eric Evenchick, Federico Maggi, and Stefano Zanero.
In Michalis Polychronakis & Michael Meier, eds. Detection of Intrusions and Malware, and Vulnerability Assessment: 14th International Conference, DIMVA 2017, Bonn, Germany, July 6–7, 2017, Proceedings. Bonn, Germany: Springer International Publishing, 185–206. DOI: http://dx.doi.org/10.1007/978-3-319-60876-1_9 (July 6, 2017) [PDF]

DefPloreX: A Machine-Learning Toolkit for Large-scale eCrime Forensics

DefPloreX (a play on words on “Defacement eXplorer”) is a flexible toolkit based on open-source libraries for efficiently analyzing millions of defaced web pages. It can also be used on web pages planted as a result of an attack in general. It uses a combination of machine-learning and visualization techniques to turn unstructured data into meaningful high-level descriptions. The most interesting aspect of DefPloreX is that it automatically groups similar defaced pages into clusters, and organizes web incidents into campaigns. Requiring only one pass over the data, the clustering technique we use is intrinsically parallel and not memory bound.
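To make the "one pass, not memory bound" property concrete, here is an added example (not DefPloreX's own code) of single-pass "leader" clustering over the visible text of crawled pages. The bag-of-tokens representation, the Jaccard threshold of 0.5, the stop-word list and the five page texts are my own assumptions and constructions; the toolkit's actual features and distance are not described on this page.

```python
"""One-pass "leader" clustering of defaced-page text. Added example, not the
DefPloreX toolkit's code: the token-set representation, the Jaccard threshold
and the page samples below are constructed assumptions."""
import re

# Constructed visible text of five crawled pages: two defacements per "crew"
# (each with a near-duplicate) and one unrelated legitimate page.
PAGES = {
    "p1": "Hacked by Team Alpha! We are legion. Security is an illusion",
    "p2": "Owned by Crew Beta -- your security is zero",
    "p3": "Hacked by Team Alpha! We are legion. Greetz all",
    "p4": "Owned by Crew Beta -- your security is zero, fix your admin panel",
    "p5": "Welcome to our online shop, best prices in town",
}

STOPWORDS = {"by", "we", "are", "is", "an", "your", "to", "in", "our", "all"}


def tokens(text):
    """Lower-cased alphanumeric token set: order-insensitive and cheap to compare."""
    return set(re.findall(r"[a-z0-9]+", text.lower()))


def jaccard(a, b):
    """Set overlap in [0, 1]; two empty token sets count as identical."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def leader_clustering(pages, threshold=0.5):
    """Single pass over the pages: each page is compared only with the current
    cluster leaders and either joins the most similar cluster (if similarity
    reaches the threshold) or founds a new one. Only the leaders stay in
    memory, so usage grows with the number of campaigns rather than the number
    of pages, and independent shards of a crawl can be processed in parallel."""
    clusters = []  # each: {"leader": token set, "members": [page ids]}
    for page_id, text in pages.items():
        toks = tokens(text)
        best, best_sim = None, 0.0
        for cluster in clusters:
            sim = jaccard(cluster["leader"], toks)
            if sim > best_sim:
                best, best_sim = cluster, sim
        if best is not None and best_sim >= threshold:
            best["members"].append(page_id)
        else:
            clusters.append({"leader": toks, "members": [page_id]})
    # Report each campaign with the distinctive words of its leader page.
    return [
        {"members": c["members"], "keywords": sorted(c["leader"] - STOPWORDS)}
        for c in clusters
    ]


if __name__ == "__main__":
    for i, cluster in enumerate(leader_clustering(PAGES)):
        print(f"cluster {i}: {cluster['members']} keywords={cluster['keywords']}")
```

Running it groups p1 with p3 and p2 with p4, and leaves the shop page alone. The threshold trades recall for purity: lowering it merges the two crews' pages into one cluster, which is the usual tuning knob when campaigns reuse boilerplate text.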

Source code: https://github.com/trendmicro/defplorex

DefPloreX: A Machine Learning Toolkit for Large-Scale E-Crime Forensics
Balduzzi, Marco and Maggi, Federico and Ciancaglini, Vincenzo and Flores, Ryan and Gu, Lion. Black Hat Arsenal USA (Peer-reviewed Demo), Las Vegas, US. (July 27, 2017) - Link: https://www.blackhat.com/us-17/arsenal.html#defplorex-a-machine-learning-toolkit-for-large-scale-ecrime-forensics [PDF]

AndRadar: Mobile app marketplace monitoring and reputation analysis

The main goal is to provide a dashboard to analyze and monitor the spreading of Android malware in marketplaces. AndRadar uses lightweight fingerprints to look up malware samples without the need to download them from the markets. Once a matching app is found, AndRadar tracks its page, developer, and any kind of metadata associated with it. AndRadar’s data is then crunched into a set of indicators that summarize, for example, the efficiency of a malware author in publishing its app, the speed of the market in responding to threats, etc., and provide an overall reputation of each developer, market and app. By combining data coming from different marketplaces, AndRadar can track spreading campaigns across markets as well. No tool like AndRadar existed so far, so we released it to the public.

Web app: http://andradar.hosting.necst.it

AndRadar: Fast Discovery of Android Applications in Alternative Markets
Martina Lindorfer, Stamatis Volanis, Alessandro Sisto, Matthias Neugschwandtner, Elias Athanasopoulos, Federico Maggi, Christian Platzer, Stefano Zanero, and Sotiris Ioannidis.
In Sven Dietrich, ed. Detection of Intrusions and Malware, and Vulnerability Assessment. Lecture notes in computer science. Springer International Publishing, 51–71. DOI: http://dx.doi.org/10.1007/978-3-319-08509-8_4 (July 2014) - Link: http://link.springer.com/chapter/10.1007/978-3-319-08509-8_4 [PDF]

Grab ’n Run: Secure dynamic code loading for Android

A simple and effective Java library that you can easily add to your Android projects to perform secure dynamic class loading operations on top of the standard DexClassLoader. In this context, one single mistake could open the application (and, therefore, the entire device) to serious security vulnerabilities, such as remote code execution. The main goal of Grab ’n Run is to offer an alternative to the native Android APIs, and its design enforces that even the most inexperienced developer cannot make well-known, serious mistakes.

Source code: https://github.com/lukeFalsina/Grab-n-Run

Grab ’N Run: Secure and Practical Dynamic Code Loading for Android Applications
Luca Falsina, Yanick Fratantonio, Stefano Zanero, Christopher Kruegel, Giovanni Vigna, and Federico Maggi.
In Proceedings of the 31st Annual Computer Security Applications Conference. ACSAC ’15. Los Angeles, USA: ACM, 201–210. DOI: http://dx.doi.org/10.1145/2818000.2818042 (December 2015) [PDF]

BitIodine: Automatic Bitcoin tracker

The goal was to process the blockchain to find clusters of Bitcoin wallets that belonged to the same real user. BitIodine classifies such users and labels them, and finally visualizes complex information extracted from the Bitcoin network. Labels are enriched with information on the user’s identity and actions, which are automatically scraped from openly available information sources. BitIodine also supports manual investigation by finding paths and reverse paths between addresses or users. We tested BitIodine on several real-world use cases, identified an address likely to belong to the encrypted Silk Road cold wallet, and investigated the CryptoLocker ransomware and accurately quantified the number of ransoms paid, as well as information about the victims.

Source code: https://bitiodine.net

BitIodine: Extracting Intelligence from the Bitcoin Network
Michele Spagnuolo, Federico Maggi, and Stefano Zanero.
In Financial Cryptography and Data Security. Lecture Notes in Computer Science (LNCS). Barbados: Springer Berlin Heidelberg, 457–468. DOI: http://dx.doi.org/10.1007/978-3-662-45472-5_29 (March 3, 2014) [PDF]

HelDroid: Mobile ransomware analysis and detection

The main goal is to find indicators of compromise that are generic enough to detect unknown ransomware families. We focused on Android mainly for ease of prototyping, but the ideas can be ported to other OSs. HelDroid characterizes a ransomware from three angles: misuse of encryption, device locking and display of threatening text. HelDroid uses taint analysis to extract data flows that indicate misuse of crypto routines (e.g., read-encrypt-write cycles) and the use of device-locking techniques (e.g., display of an immortal window). Any text extracted from the sample is analyzed using a natural language processing classifier, which is trained on samples of threatening vs. non-threatening sentences. We tested HelDroid on hundreds of thousands of samples and it exhibits very high recall with few errors, even on samples that the system has never seen. Thus, we released an API that anyone can use to submit suspicious APKs for analysis. On top of that, a PoC Android app has been built.

Web service and data: http://ransom.mobi

Pocket-sized Badness: Why Ransomware Comes as a Plot Twist in the Cat-Mouse Game
Federico Maggi and Stefano Zanero. Black Hat Briefings Europe (Peer-reviewed Talk), London, UK. (November 3, 2016) - Link: https://www.blackhat.com/eu-16/briefings.html [PDF]

HelDroid: Dissecting and Detecting Mobile Ransomware
Niccolò Andronio, Stefano Zanero, and Federico Maggi.
In International Symposium on Research in Attacks, Intrusions and Defenses (RAID). Lecture notes in computer science. Kyoto, Japan, 382–404. DOI: http://dx.doi.org/10.1007/978-3-319-26362-5_18 (October 2015) [PDF]

Prometheus: Automatic signature generation for WebInject-based banking trojan detection

The goal is to extract signatures that capture the WebInject behavior of trojans. WebInject-based trojans are still the most popular e-crime tool. Prometheus (formerly Zarathustra) is based on a technique that we call web page differential analysis, which extracts and generates a model of the differences between a web page visited from an infected (virtual) machine and the very same page visited from a clean machine. These differences are unavoidable for the malware to carry out its functionality, and thus allow us to create robust indicators of compromise. We generalize these differences using custom heuristics to reduce the chances of false positives.
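The differential-analysis idea is simple enough to show end to end. The following is an added example, not Prometheus/Zarathustra code: it flattens a clean and an infected rendering of the same page into DOM elements, keeps only what the infection added, and generalizes those elements into a signature with heuristics of my own choosing (drop ids, classes and values; abstract the host part of URLs). The HTML samples and the `.invalid` hostnames are constructed placeholders, and the real tool's heuristics are not documented on this page.

```python
"""Web page differential analysis between a clean and an infected rendering of
the same page. Added example, not the Prometheus/Zarathustra code; the
attribute heuristics and the HTML samples below are constructed assumptions."""
from collections import Counter
from html.parser import HTMLParser
import re

# Constructed rendering of a login page as seen from a clean machine.
CLEAN_PAGE = """
<html><body>
<form action="/login" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="submit" value="Login">
</form>
</body></html>
"""

# Constructed rendering of the same page from an infected machine: an injected
# field the real site never asks for, plus a script from a placeholder host.
INFECTED_PAGE = """
<html><body>
<form action="/login" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <div id="inj_8213" class="extra"><label>Card PIN</label>
  <input type="password" name="pin" id="pin_8213"></div>
  <input type="submit" value="Login">
</form>
<script src="http://injector.invalid/inj.js"></script>
</body></html>
"""

# Constructed variant from another infected machine: same injection, but with
# different random ids and a different hosting domain.
VARIANT_PAGE = INFECTED_PAGE.replace("8213", "0042").replace("injector.invalid", "mirror.invalid")


class ElementCollector(HTMLParser):
    """Flatten a document into (tag, sorted attribute tuples)."""

    def __init__(self):
        super().__init__()
        self.elements = []

    def handle_starttag(self, tag, attrs):
        self.elements.append((tag, tuple(sorted((k, v or "") for k, v in attrs))))


def elements(html):
    collector = ElementCollector()
    collector.feed(html)
    return collector.elements


def injected_elements(clean_html, infected_html):
    """Multiset difference: the elements present only in the infected rendering."""
    return list((Counter(elements(infected_html)) - Counter(elements(clean_html))).elements())


STABLE_ATTRS = {"name", "type", "action", "method", "src", "href"}


def generalize(element):
    """Heuristic generalization (assumed here): drop attributes that injections
    randomize (ids, classes, values) and abstract the host of URLs, which moves
    with the gang's infrastructure, while keeping the path."""
    tag, attrs = element
    kept = []
    for key, value in attrs:
        if key not in STABLE_ATTRS:
            continue
        if key in ("src", "href"):
            value = re.sub(r"^https?://[^/]+", "<host>", value)
        kept.append((key, value))
    return (tag, tuple(kept))


def build_signature(clean_html, infected_html):
    """Signature = generalized injected elements that still carry something
    distinctive; bare wrappers such as <div> or <label> are too generic to keep."""
    generalized = {generalize(e) for e in injected_elements(clean_html, infected_html)}
    return frozenset(e for e in generalized if e[1])


def matches(signature, html):
    """A page matches when every element of the signature appears in it."""
    return signature <= {generalize(e) for e in elements(html)}


if __name__ == "__main__":
    sig = build_signature(CLEAN_PAGE, INFECTED_PAGE)
    for element in sorted(sig):
        print("indicator:", element)
    print("clean page matches:", matches(sig, CLEAN_PAGE))
    print("variant page matches:", matches(sig, VARIANT_PAGE))
```

The signature built from one infected machine still matches the variant with fresh ids and a different host, while the clean page does not match; that is the robustness the generalization step buys. In practice the differencing also has to tolerate legitimate per-visit variation (session tokens, A/B layouts), which is why the heuristics matter as much as the diff itself.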

Zarathustra: Extracting WebInject Signatures from Banking Trojans
Claudio Criscione, Fabio Bosatelli, Stefano Zanero, and Federico Maggi.
In Proceedings of the Twelfth Annual International Conference on Privacy, Security and Trust (PST). Toronto, Canada: IEEE Computer Society, 139–148. DOI: http://dx.doi.org/10.1109/PST.2014.6890933 (July 2014) [PDF]

BankSealer: Automatic banking fraud detection

The goal is to analyze banking and credit-card transactions and, with as little knowledge as possible, predict whether new ones are fraudulent or not (e.g., due to a banking trojan running on the victim’s computer, or made by a cyber criminal with stolen credentials). BankSealer is based on lightweight statistical learning on feature models (e.g., amount, timestamp, recipient country, description) extracted from each transaction. BankSealer is currently deployed at one of the largest Italian banks and has proven effective at detecting frauds, to the point that my co-authors have created a startup out of it!
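As an added illustration of "lightweight statistical learning on feature models" (my own example, not BankSealer's code or its actual model), the block below builds a per-user profile from a constructed transaction history and scores new transactions by how far each feature departs from that user's habits. The feature set (log-amount, six-hour time bucket, recipient country), the surprise-based scoring rule and the calibration of the alert threshold are assumptions; the history and the two incoming transactions are constructed.

```python
"""Per-user statistical profiling of banking transactions. Added example, not
BankSealer's code: feature set, scoring rule and calibration are assumptions,
and the transaction history below is constructed."""
import math
import statistics
from collections import Counter
from datetime import datetime

# Constructed history for one account holder:
# (amount in EUR, ISO-8601 timestamp, recipient country code).
HISTORY = [
    (45.0, "2017-03-01T10:15:00", "IT"),
    (120.0, "2017-03-03T12:40:00", "IT"),
    (30.0, "2017-03-06T09:05:00", "IT"),
    (80.0, "2017-03-08T14:20:00", "IT"),
    (250.0, "2017-03-10T11:55:00", "IT"),
    (60.0, "2017-03-13T16:30:00", "IT"),
    (95.0, "2017-03-15T13:10:00", "IT"),
    (150.0, "2017-03-17T10:45:00", "IT"),
    (40.0, "2017-03-20T15:25:00", "IT"),
    (110.0, "2017-03-22T12:00:00", "IT"),
]

# Two constructed incoming transactions: a routine one and one with the shape
# of a trojan-driven transfer (large amount, at night, to a never-seen country;
# "ZZ" is a user-assigned ISO code used here purely as a placeholder).
NORMAL_TX = (75.0, "2017-04-02T11:30:00", "IT")
SUSPICIOUS_TX = (2400.0, "2017-04-02T03:12:00", "ZZ")


def hour_bucket(timestamp):
    """Coarse time-of-day feature: four 6-hour buckets, 0 = night ... 3 = evening."""
    return datetime.fromisoformat(timestamp).hour // 6


class UserProfile:
    """Lightweight model of one user's habits: log-amount summarised by mean and
    standard deviation; time bucket and recipient country summarised by counts."""

    def __init__(self, transactions):
        self.n = len(transactions)
        log_amounts = [math.log1p(amount) for amount, _, _ in transactions]
        self.amount_mean = statistics.mean(log_amounts)
        self.amount_std = max(statistics.pstdev(log_amounts), 1e-6)  # no division by zero
        self.hour_counts = Counter(hour_bucket(ts) for _, ts, _ in transactions)
        self.country_counts = Counter(country for _, _, country in transactions)
        # Calibrate on the user's own past: the worst historical score becomes
        # the alert threshold. A deployment would tune a margin on top of it.
        self.threshold = max(self.score(tx) for tx in transactions)

    def _surprise(self, counts, value):
        """Laplace-smoothed -log P(value); a never-seen value scores highest."""
        p = (counts[value] + 1) / (self.n + len(counts) + 1)
        return -math.log(p)

    def components(self, tx):
        """Per-feature contributions, so an analyst can see why a transaction
        scored high (the decision-support side of the problem)."""
        amount, timestamp, country = tx
        return {
            "amount": abs(math.log1p(amount) - self.amount_mean) / self.amount_std,
            "time": self._surprise(self.hour_counts, hour_bucket(timestamp)),
            "country": self._surprise(self.country_counts, country),
        }

    def score(self, tx):
        return sum(self.components(tx).values())

    def is_suspicious(self, tx):
        return self.score(tx) > self.threshold


if __name__ == "__main__":
    profile = UserProfile(HISTORY)
    for label, tx in (("normal", NORMAL_TX), ("suspicious", SUSPICIOUS_TX)):
        print(label, round(profile.score(tx), 2), profile.components(tx), profile.is_suspicious(tx))
```

The per-feature breakdown is what makes such a score usable by a fraud analyst: the suspicious transfer is flagged because all three features disagree with the profile at once, whereas a single unusual amount from a regular payee would score well below the threshold.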

Spin-off: https://banksealer.com

Fast and Transparent Online Banking Fraud Detection and Investigation
Federico Maggi. Hek.si (Invited Talk), Ljubljana, Slovenia. (April 15, 2016) [PDF]

BankSealer: An Online Banking Fraud Analysis and Decision Support System
Michele Carminati, Roberto Caron, Federico Maggi, Ilenia Epifani, and Stefano Zanero.
In Nora Cuppens-Boulahia, Frédéric Cuppens, Sushil Jajodia, Anas Abou El Kalam, & Thierry Sans, eds. ICT Systems Security and Privacy Protection. IFIP advances in information and communication technology. Springer Berlin Heidelberg, 380–394. DOI: http://dx.doi.org/10.1007/978-3-642-55415-5_32 (June 2, 2014) - Link: http://link.springer.com/chapter/10.1007/978-3-642-55415-5_32 [PDF]

DroydSeuss: Android malware tracking and intelligence

The main goal is to provide a malware tracker similar to ZeusTracker, but for mobile bankers. This tool uses static analysis to extract relevant C&C endpoints (e.g., phone numbers, web URLs) and monitors them by running each sample in a sandbox on a daily basis. On top of this, DroydSeuss attaches metadata to both C&C endpoints and malware samples (e.g., country, code features) that are used to mine association rules. These rules are automatically extracted and can tell useful information such as “there is a group of malware samples that seem to be coming from the same author spreading in a certain country”. We made the tool public and immediately attracted other researchers’ attention. Thanks to the data feed produced by DroydSeuss we were able to find (and confirm) one malware campaign spreading against Chinese and Korean bank customers and to discover a strange, rare sample that was using Baidu as a C&C.

Web service: http://droydseuss.necst.it

DroydSeuss: A Mobile Banking Trojan Tracker - Short Paper
Alberto Coletta, Victor Van der Veen, and Federico Maggi.
In Financial Cryptography and Data Security. Lecture Notes in Computer Science (LNCS). Springer Berlin Heidelberg. (February 2016) [PDF]

A Walk Through the Construction of the First Mobile Malware Tracker
Federico Maggi. Android Security Symposium (Invited Talk), Vienna, Austria. (September 11, 2015) - Link: https://usmile.at/symposium/program [PDF]

iSnoop: Automatic eavesdropping from touchscreen keyboards

Spying on a person is an easy and effective method to obtain sensitive information, even when the victim is well protected against common digital attacks. Modern mobile devices allow people to perform some information-sensitive actions in unsafe places, where anyone could easily observe the victim while typing. What if your mobile phone has a cool touchscreen interface that gives you graphical feedback as you type (iPhone, Android, BlackBerry Torch)? Does it make shoulder surfing easier or, worse, automatable? We believe so, and to demonstrate it, we developed a practical shoulder surfing attack that automatically reconstructs the sequence of keystrokes by aiming a camera at the target touchscreen while the victim is typing.

Attack demo: Fast, Automatic iPhone Shoulder Surfing

iSnoop: How to Steal Secrets from Touchscreen Devices
Federico Maggi, Alberto Volpatto, and Stefano Zanero. Black Hat Briefings Abu Dhabi (Peer-reviewed Talk), Abu Dhabi. (December 2011) - Link: https://www.blackhat.com/html/bh-ad-11/bh-ad-11-archives.html [PDF]

A Fast Eavesdropping Attack Against Touchscreens
Federico Maggi, Alberto Volpatto, Simone Gasparini, Giacomo Boracchi, and Stefano Zanero.
In Proceedings of the 7th International Conference on Information Assurance and Security (IAS). 320–325. DOI: http://dx.doi.org/10.1109/ISIAS.2011.6122840 (December 5, 2011) [PDF]

Funded Research Projects

Prior to joining Trend Micro, Inc., my academic research has been supported by the following projects, in which I was either the PI or was directly involved as a researcher.


Teaching and Advising Experience

In 2013–2017, I have been a lecturer for the Computer Security course of the 5th School of Engineering (Ingegneria dell’Informazione) of Politecnico di Milano.

I have been teaching since my Master of Science (MSc), during which I tutored undergraduate students in computer programming courses (Informatica 1) between 2005 and 2007. In the following list, this activity is referred to as “Lab. Tutor”: it involves guiding students in problem-solving tasks during their programming assignments in laboratory classes. Such classes are taught by so-called “Lab. Teaching Assistants (TAs)”. I was a “Lab. TA” between 2007 and 2010 for the same computer programming courses, which meant preparing, solving and testing computer-programming problems of increasing difficulty (mainly in ANSI C), assigning them to students, coordinating the activity of one or two Lab. Tutors, and evaluating the solutions produced by students.

In 2008–2016 I was a TA for other courses. In particular, I taught classes in computer and network security (graduate-level courses), and prepared and graded exams for such courses. I also prepared and demonstrated practical tutorial lessons (e.g., live penetration testing exercises) to introduce young students to ethical hacking and CTFs. Also, I have been a TA for non-security courses on topics such as computer system performance evaluation and information systems. For these courses I was required to teach how to solve practical exercises, prepare and grade exams, and also prepare homework and small web applications for students to request assignments, submit their solutions and automate grading.

Taught Courses

Here’s the timeline of my teaching experience:

Students Advised

I supervised 2 PhD students (Andrea Continella and Chengyu Zheng). Additionally, I co-supervised 3 PhD students (Michele Carminati, Mario Polino, and Davide Quarta).

In addition, I’ve always involved undergraduate and graduate students in my research activity, and strive to work closely and directly with them, as opposed to just assigning work. Moreover, I supervised graduate and undergraduate students during their master and bachelor theses.

Three-Factor, ECG-Based Authentication: Security Analysis of the Nymi Wristband.
Jiang Wu. Politecnico di Milano. (April 27, 2016) - Link: https://hdl.handle.net/10589/120485

Apollo: Eliciting and Analyzing Advanced Webinject-Based Malware.
Samuele Rodi. Politecnico di Milano. (July 27, 2016) - Link: https://hdl.handle.net/10589/122746

Cerberus from the Proof of Concept to the Real System.
Alex Moriggia. Politecnico di Milano. (December 21, 2016) - Link: https://hdl.handle.net/10589/134579

Talos: Precise and Fast Detection of Modern Mobile Ransomware.
Nicola Della Rocca. Politecnico di Milano. (July 28, 2016) - Link: https://hdl.handle.net/10589/123871

OpenST: Feasibility Study and Prototype of a Low-Cost Hardware-Based System Call Tracer.
Chengyu Zheng. Politecnico di Milano. (September 30, 2015) - Link: https://hdl.handle.net/10589/112609

DriveDroid: A Remote Execution Environment and UI Exerciser for Android Malware Analysis.
Emanuele Uliana and Claudio Rizzo. Politecnico di Milano. (September 30, 2015) - Link: https://hdl.handle.net/10589/111721

PANDORA: A Flexible and Transparent Windows Native API Tracer.
Simone Mazzoni. Politecnico di Milano. (July 28, 2015) - Link: https://hdl.handle.net/10589/108691

RADAR: A Ransomware Detection and Remediation System.
Alessandro Guagnelli and Giovanni Zingaro. Politecnico di Milano. (April 27, 2015) - Link: https://hdl.handle.net/10589/120785

Grab ’N Run: Practical and Safe Dynamic Code Loading in Android.
Luca Falsina. Politecnico di Milano. (April 29, 2015) - Link: https://hdl.handle.net/10589/106725

ADMIRE: Android Developers & Marketplaces Intelligence and Reputation Engine.
Matteo Danelli. Politecnico di Milano. (September 30, 2015) - Link: https://hdl.handle.net/10589/112003

Droydseuss: A Mobile Banking Trojan Tracking Service.
Alberto Coletta. Politecnico di Milano. (April 29, 2015) - Link: https://hdl.handle.net/10589/106646

Heldroid: Fast and Efficient Linguistic-Based Ransomware Detection.
Nicolò Andronio. Politecnico di Milano. (April 29, 2015) - Link: https://hdl.handle.net/10589/107202

AAMO: Automatic Android Malware Obfuscation.
Federico Pellegatta. Politecnico di Milano. (July 25, 2014) - Link: https://hdl.handle.net/10589/94484

SimDroidUI: A New Method of Ui-Based Clustering of Android Applications.
Giuseppe Palese. Politecnico di Milano. (December 18, 2014) - Link: https://hdl.handle.net/10589/102101

PRIVMUL: PRIVilege Separation for Multi-User Logic Applications.
Andrea Mambretti. Politecnico di Milano. (December 18, 2014) - Link: https://hdl.handle.net/10589/102103

CERBERUS: Detection and Characterization of Automatically-Generated Malicious Domains.
Edoardo Colombo. Politecnico di Milano. (April 29, 2014) - Link: https://hdl.handle.net/10589/92341

Prometheus: A Web-Based Platform for Analyzing Banking Trojans.
Andrea Braschi and Andrea Continella. Politecnico di Milano. (October 3, 2014) - Link: https://hdl.handle.net/10589/97643

AndroTotal: A Flexible Platform for Scalable Android Antivirus Testing.
Andrea Valdi. Politecnico di Milano. (April 22, 2013) - Link: https://hdl.handle.net/10589/78622

AndroCrawl: Studying Android Alternative Marketplaces.
Alessandro Sisto. Politecnico di Milano. (December 18, 2013) - Link: https://hdl.handle.net/10589/88407

Finding, Characterizing and Tracking Domain Generation Algorithms from Passive DNS Monitoring.
Stefano Schiavoni. Politecnico di Milano. (April 22, 2013) - Link: https://hdl.handle.net/10589/78505

Jackdaw: Automatic Behavior Extractor and Semantic Tagger.
Mario Polino and Andrea Scorti. Politecnico di Milano. (October 3, 2013) - Link: https://hdl.handle.net/10589/85226

DroidSaGe: An Automated Android Sandbox Generator.
Eros Lever. Politecnico di Milano. (December 18, 2013) - Link: https://hdl.handle.net/10589/88332

Social Authentication: Vulnerabilities, Mitigations and Redesign.
Marco Lancini. Politecnico di Milano. (April 22, 2013) - Link: https://hdl.handle.net/10589/78569

PuppetDroid: A Remote Execution Environment and UI Exerciser for Android Malware Analysis.
Andrea Gianazza. Politecnico di Milano. (October 3, 2013) - Link: https://hdl.handle.net/10589/84662

BankSealer: A Transaction Monitoring System for Internet Banking Fraud Detection.
Michele Carminati and Roberto Caron. Politecnico di Milano. (October 3, 2013) - Link: https://hdl.handle.net/10589/84804

Zarathustra: Detecting Banking Trojans via Automatic, Platform-Independent Webinjects Extraction.
Fabio Bosatelli. Politecnico di Milano. (April 22, 2013) - Link: https://hdl.handle.net/10589/78343

XSS Peeker: An Analysis of Black-Box Web Scanners on Detecting Cross-Site Scripting Vulnerabilities.
Enrico Bazzoli. Politecnico di Milano. (December 18, 2013) - Link: https://hdl.handle.net/10589/88421

ScriptShark: Semi-Static Analysis of JavaScript Code for Protection Against Cyber Attacks.
Riccardo Zucchinali. Politecnico di Milano. (April 23, 2012) - Link: https://hdl.handle.net/10589/52322

Automated Collection and Analysis of Runtime-Generated Strings in a Web Browser.
Manuel Fossemò. Politecnico di Milano. (October 4, 2011) - Link: https://hdl.handle.net/10589/29001

BURN: Baring Unknown Rogue Networks.
Luca Di Mario. Politecnico di Milano. (July 20, 2011) - Link: https://hdl.handle.net/10589/21503

A Systematic Study of Inconsistencies in Malware Names.
Andrea Bellini. Politecnico di Milano. (March 31, 2011) - Link: https://hdl.handle.net/10589/17142

Cooperative Negotiation and Adaptive Mechanisms to Mitigate Attacks Against Web Applications.
Alberto Volpatto. Politecnico di Milano. (2010)

Pcapstat: A System to Support Network Traffic Analysis.
Luca Visentin and Stefano Todisco. Politecnico di Milano. (2010)

WebLorica: A Framework for Developing Anomaly Detection Systems for Web Applications.
Alessandro Rizzi and Stefano Schiavoni. Politecnico di Milano. (2010)

K-Nearest-Neighbor Methods for the Automatic Detection of Cyber Attacks.
Lorenzo Peri. Politecnico di Milano. (2010)

A Data Collection System for Studying the Threats Hidden Behind Short URLs.
Eros Lever. Politecnico di Milano. (2010)

FacePrivacy.
Marco Lancini. Politecnico di Milano. (2010)

Experimental Analysis of the Vulnerabilities of Google reCAPTCHA.
Marco Clerici and Mattia Sasso. Politecnico di Milano. (2010)

Re-engineering of an Automatic Network Attack Recognizer.
Simone Benefico and Andrea Colombo. Politecnico di Milano. (2010)

Learning and Simulating User Activity Using Hidden Semi-Markov Models.
Erika Gressi. Politecnico di Milano. (2009)

Kernel Auditing on Linux 2.6 in OpenBSM Format.
Matteo Michelini. Politecnico di Milano. (2008)

Automatic Performance Evaluation of Anomaly Detection Systems.
Pietro Testa. Politecnico di Milano. (2007)

Automated Analysis and Testing of Network-Based Anomaly Detection Systems.
Claudio Magni. Politecnico di Milano. (2007)

Re-engineering and Optimization of a Host-Based Anomaly Detection System.
Matteo Debiasi and Matteo Falsitta. Politecnico di Milano. (2007)


References and Endorsements

I’ve collaborated with several researchers and Professors around the world. If you are looking to receive an opinion on me, or a recommendation letter, you can contact:

Professor Stefano Zanero <[email protected]>
Dipartimento di Elettronica, Informazione e Bioingegneria
Politecnico di Milano
Via Ponzio 34/5
I-20133, Milano (MI), Italia

Professor Christopher Krügel <[email protected]>
1117 Engineering I
Department of Computer Science
University of California, Santa Barbara
Santa Barbara, CA 93106, United States

Professor Giovanni Vigna <[email protected]>
2159 Engineering I
Department of Computer Science
University of California, Santa Barbara
Santa Barbara, CA 93106, United States

Professor Herbert Bos <[email protected]>
Computer Systems Section
VU Amsterdam
De Boelelaan 1081
1081 HV Amsterdam

Although I don’t really believe in publicly disclosed recommendations, I have requested, given and received some recommendations via LinkedIn. Feel free to check those out, FWIW.


That’s all folks! Thanks for reading!