Nicola Zannone

Eindhoven University of Technology | TUE · Department of Mathematics and Computer Science

PhD

About

202 Publications
114,006 Reads
3,924 Citations
Additional affiliations
February 2015 - September 2018
Delft University of Technology
Position
  • Professor (Assistant)
November 2012 - July 2016
Eindhoven University of Technology
Position
  • Professor (Assistant)
November 2008 - October 2012
Eindhoven University of Technology
Position
  • PostDoc Position
Education
November 2003 - March 2007
University of Trento
Field of study
  • Computer Science

Publications (202)
Chapter
Full-text available
Security Requirements Engineering is an emerging field which lies at the crossroads of Security and Software Engineering. Much research has focused on this field in recent years, spurred by the realization that security must be dealt with in the earliest phases of the software development process as these phases cover a broader organizational persp...
Conference Paper
Full-text available
Data protection legislation requires personal data to be collected and processed only for lawful and legitimate purposes. Unfortunately, existing protection mechanisms are not appropriate for purpose control: they only prevent unauthorized actions from occurring and do not guarantee that the data are actually used for the intended purpose. In this...
Article
Full-text available
Reputation is widely used in many domains, like electronic commerce, as a measure of trustworthiness based on ratings from members in a community. The adoption of reputation systems, however, relies on their ability to capture the actual trustworthiness of a target. Several reputation models have been proposed in the literature to aggregate trust i...
Article
Full-text available
The eXtensible Access Control Markup Language (XACML) has attracted significant attention from both industry and academia, and has become the de facto standard for the specification of access control policies. However, its XML-based verbose syntax and rich set of constructs make the authoring of XACML policies difficult and error-prone. Several aut...
Article
Full-text available
The last decades have seen a growing interest and demand for community-centered collaborative systems and platforms. These systems and platforms aim to provide an environment in which users can collaboratively create, share, and manage resources. While offering attractive opportunities for online collaboration and information sharing, they also ope...
Conference Paper
Full-text available
Phishing reporting is emerging as a key defense mechanism against phishing attacks. Whereas large enough organizations have specific policies in place for phishing reporting, user uptake is still limited, and a clear picture of what motivates users to report and which types of emails is still to be drawn. Yet, this is critical to devising better po...
Article
Recently released scan data on Shodan reveals that thousands of Industrial Control Systems (ICSs) worldwide are directly accessible via the Internet and, thus, exposed to cyber-attacks aiming at financial gain, espionage, or disruption and/or sabotage. Executing sophisticated cyber–physical attacks aiming to manipulate industrial functionalities re...
Conference Paper
Full-text available
User perception of phishing threats is fundamental for the uptake and effectiveness of many phishing countermeasures, including phishing reporting and awareness. Extant research focused on phishing victimization, but a clear understanding of the drivers influencing users' perception of phishing threats is still missing. This work investigates the r...
Article
Full-text available
Phishing attacks are a critical and escalating cybersecurity threat in the modern digital landscape. As cybercriminals continually adapt their techniques, automated phishing detection systems have become essential for safeguarding Internet users. However, many current systems rely on single-analysis models, making them vulnerable to sophisticated b...
Article
Full-text available
The revolutionary technologies behind Industry 4.0 have opened a new era for manufacturing: connected and autonomous machines, collaborative robotics, and monitoring techniques are spreading to increase productivity and sustainability. From the workers’ perspective, they bring new safety threats but also opportunities to solve old ones, while conce...
Article
Full-text available
The interdisciplinarity of the Social Engineering (SE) domain creates crucial challenges for the development and advancement of empirical SE research, making it particularly difficult to identify the space of open research questions that can be addressed empirically. This space encompasses questions on attack conditions, employed experimental metho...
Conference Paper
Full-text available
The recent proliferation of sophisticated threats targeting the plant of Industrial Control Systems (ICSs) has triggered a growing interest in the development of dedicated honeypots/honeynets in which the emulation of Operational Technology (OT) components plays a major role. This work presents a latitudinal study on a dataset comprising both IT an...
Conference Paper
Full-text available
Recently published scan data on Shodan shows how 105K Industrial Control Systems (ICSs) around the world are directly accessible from the Internet. In particular, highly sensitive components, such as Programmable Logic Controllers (PLCs), are potentially accessible to attackers who can implement several kinds of attacks. On the other hand, to accom...
Conference Paper
Full-text available
Phishing attacks are increasingly more sophisticated, with attackers exploiting publicly available information on their targets to personalize their attacks. Although an increasing body of research has investigated the effectiveness of tailored phishing campaigns, researchers have primarily focused on large enterprises. Company size, composition, a...
Conference Paper
Full-text available
Industrial control systems (ICSs) are vulnerable to cyber-physical attacks, i.e., security breaches in cyberspace that adversely affect the underlying physical processes. In this context, honeypots are effective countermeasures both to defend against such attacks and discover new attack strategies. In recent years, honeypots for ICSs have made sign...
Conference Paper
Full-text available
Third-Party Unmanned Aerial Vehicle (UAV) Services, a.k.a. Drone-as-a-Service (DaaS), are an increasingly adopted business model, which enables possibly unskilled users, with no background knowledge, to operate drones and run automated drone-based tasks. Although these services provide significant advantages, the resources provided by drones are ty...
Conference Paper
Full-text available
Modern software development practices increasingly rely on third-party libraries due to the inherent benefits of reuse. However, libraries may contain security vulnerabilities that can propagate to the dependent applications. To counter this, maintainers of dependent projects should monitor their dependencies and security reports to ensure that onl...
Conference Paper
Full-text available
Cyber-Physical Systems are exposed to cyber-physical attacks, i.e., security breaches in cyberspace that alter the underlying physical processes. We use Uppaal SMC to analyze a non-trivial coordinated multi-engine system equipped with both a tamperproof distributed intrusion detection system (IDS) and a tamperproof supervisor component to mitigate...
Chapter
Full-text available
New, sophisticated phishing campaigns victimize targets in a few hours from attack delivery. Some methods, such as visual similarity-based techniques, can spot these zero-hour attacks, at the cost of additional user intervention. However, more research is needed to investigate the trade-off between automatic detection and user intervention. To enable...
Poster
Full-text available
Industrial control systems (ICSs) play a crucial role in modern society, controlling and automating processes in industries ranging from manufacturing to energy production. The increasing connectivity of ICSs with corporate networks has made them vulnerable to cyber attacks that can compromise the controlled physical processes. We present the archi...
Article
Full-text available
We are pleased to highlight the following ten articles which appeared in Frontiers in Computer Science in 2021. We have chosen to feature contributions from the following sections of the journal: Computer Security, Computer Vision, Human-Media Interaction and Mobile and Ubiquitous Computing. Computer science has grown to be a multifaceted field whe...
Article
Full-text available
The application of machine learning techniques to large and distributed data archives might result in the disclosure of sensitive information about the data subjects. Data often contain sensitive identifiable information, and even if these are protected, the excessive processing capabilities of current machine learning techniques might facilitate t...
Article
Full-text available
In recent years, the design of effective authorization mechanisms for IoT and, in particular, for smart home applications has gained increasing attention from researchers and practitioners. However, very little attention is given to the performance evaluation of those authorization mechanisms. To fill this gap, this paper presents a thorough experi...
Article
Full-text available
Decisional processes are at the basis of most businesses in several application domains. However, they are often not fully transparent and can be affected by human or algorithmic biases that may lead to systematically incorrect or unfair outcomes. In this work, we propose an approach for unveiling biases in decisional processes, which leverages ass...
Conference Paper
Full-text available
Internet of Things (IoT) platforms typically require IoT devices and users to provide fine-grained information to determine whether access to resources and services can be granted. However, this information can be sensitive for users and its disclosure can lead to severe privacy threats, forcing users to decide between receiving a service or protec...
Chapter
Full-text available
Relationship-Based Access Control (ReBAC) is a paradigm to specify access constraints in terms of interpersonal relationships. To express these graph-like constraints, a variety of ReBAC models with varying features and ad-hoc implementations have been proposed. In this work, we investigate the theoretical feasibility of realising ReBAC systems usi...
Article
Full-text available
Recent years have seen an increasing popularity of online collaborative systems like social networks and web-based collaboration platforms. Collaborative systems typically offer their users a digital environment in which they can work together and share resources and information. These resources and information might be sensitive and, thus, they sh...
Chapter
Full-text available
The problem of protecting datasets from the disclosure of confidential information, while published data remains useful for analysis, has recently gained momentum. To solve this problem, anonymization techniques such as k-anonymity, ℓ-diversity, and t-closeness have been used to generate anonymized datasets for training classifiers. While t...
Chapter
Full-text available
The attack landscape is evolving, and attackers are employing new techniques to launch increasingly targeted and sophisticated social engineering attacks that exploit human vulnerabilities. Many organizations provide their employees with security awareness training to counter and mitigate such threats. However, recent studies have shown that curren...
Chapter
Full-text available
IFTTT is a platform that allows users to create applets for connecting smart devices to online services, or to compose online services, in order to provide customized functionalities in Internet of Things scenarios. Despite their flexibility and ease-of-use, IFTTT applets may create privacy risks for users, who might unknowingly share sensitive inf...
Conference Paper
Full-text available
The processing of personal data is becoming a key business factor, especially for high-tech system industries such as automotive and healthcare service providers. To protect such data, the European Union (EU) has introduced the General Data Protection Regulation (GDPR), with the aim to standardize and strengthen data protection policies across EU c...
Chapter
Full-text available
International Revenue Sharing Fraud (IRSF) is the most persistent type of fraud in the telco industry. Hackers try to gain access to an operator’s network in order to make expensive unauthorized phone calls on behalf of someone else. This results in massive phone bills that victims have to pay while number owners earn the money. Current anti-fraud...
Chapter
Full-text available
Despite the growing interest in Attribute-Based Access Control (ABAC) and the large amount of research devoted to the specification and evaluation of ABAC policies, to date only little work has addressed the issue of attribute management and retrieval. In many modern systems, the attributes needed for policy evaluation are often retrieved from exte...
Article
Full-text available
In recent years, the usage of online banking services has considerably increased. To protect the sensitive resources managed by these services against attackers, banks have started adopting Multi-Factor Authentication (MFA). To date, a variety of MFA solutions have been implemented by banks, leveraging different designs and features and providing a...
Chapter
Full-text available
Cooperative Intelligent Transport Systems (C-ITS) aims to enhance the existing transportation infrastructure through the use of sensing capabilities and advanced communication technologies. While improving the safety, efficiency and comfort of driving, C-ITS introduces several security and privacy challenges. Among them, a main challenge is the pro...
Chapter
Full-text available
Deviance mining is an emerging area in the field of Process Mining, with the aim of explaining the differences between normal and deviant process executions. Deviance mining approaches typically extract representative subprocesses characterizing normal/deviant behaviors from an event log and use these subprocesses as features for classification. Ex...
Technical Report
Full-text available
The motivation for this article arises from the security, complexity and interoperability challenges in cyber-physical systems (CPS) especially in energy and mobility domains. Handling peak consumption hours and balancing power levels in the energy grids are becoming more and more expensive for the energy sector, energy intensive industry and consu...
Article
Full-text available
A main challenge of attribute-based access control (ABAC) is the handling of missing information. Several studies have shown that the way standard ABAC mechanisms, e.g. based on XACML, handle missing information is flawed, making ABAC policies vulnerable to attribute-hiding attacks. Recent work has addressed the problem of missing information in AB...
Conference Paper
Full-text available
Multi-party access control has been proposed to enable collaborative decision making for the protection of co-owned resources. In particular, multi-party access control aims to reconcile conflicts arising from the evaluation of policies authored by different stakeholders for jointly-managed resources, thus determining whether access to those resour...
Article
Full-text available
In this study, we provide extensive analysis of the (unique) characteristics of phishing and spear-phishing attacks, argue that spear-phishing attacks cannot be well captured by current countermeasures, identify ways forward, and analyze an advanced spear-phishing campaign targeting white-collar workers in 32 countries.
Article
Full-text available
The Internet of Things (IoT) is an emerging technology that is revolutionizing the global economy and society. IoT enables a collaborative environment where different entities – devices, people and applications – exchange information for service provision. Despite the benefits that IoT technology brings to individuals, society and industry, its wid...
Conference Paper
Full-text available
Decisional processes are at the basis of several security and privacy applications. However, they are often not transparent and can be affected by human or algorithmic biases that may lead to systematically misleading or unfair outcomes. To unveil these biases, one has to identify which information was used to make the decision and to quantify to w...
Article
Full-text available
Big Data offers opportunities for in-depth data analytics and advanced personalized services. Yet, while valuable, data analytics might rely on data that should not have been used due to, e.g., privacy constraints from the data subject or regulations. As decision makers and data controllers often act outside any control mechanism and with no requir...
Chapter
Full-text available
Organizations need to monitor the execution of their processes to ensure they comply with a set of constraints derived, e.g., by internal managerial choices or by external legal requirements. However, preventive systems that force users to adhere to the prescribed behavior are often too rigid for real-world processes, where users might need to de...
Conference Paper
Full-text available
In the context of cooperative systems, data coming from multiple, autonomous, heterogeneous information sources, is processed and fused into new pieces of information that can be further processed by other entities participating in the cooperation. Controlling the access to such evolving and variegated data, often under the authority of different e...
Chapter
Full-text available
Mining local patterns of process behavior is a vital tool for the analysis of event data that originates from flexible processes, which in general cannot be described by a single process model without overgeneralizing the allowed behavior. Several techniques for mining local patterns have been developed over the years, including Local Process Model...
Article
Full-text available
Software applications play an important role in vehicle innovation, aiming at improved safety, efficiency, and comfort, and creating the new areas of cooperative intelligent transport systems and autonomous vehicles. To accommodate modern applications, vehicles have become increasingly computerized and connected. Despite the benefits that the adopt...
Article
Full-text available
Conformance checking allows organizations to compare process executions recorded by the IT system against a process model representing the normative behavior. Most of the existing techniques, however, are only able to pinpoint where individual process executions deviate from the normative behavior, without considering either possible correlations...
Chapter
Full-text available
Access control systems are nowadays the first line of defence of modern IT systems. However, their effectiveness is often compromised by policy misconfigurations that can be exploited by insider threats. In this paper, we present an approach based on machine learning to refine attribute-based access control policies in order to reduce the risks of u...
Chapter
Full-text available
Security-by-design is an emerging paradigm that aims to deal with security concerns from the early phases of the system development. Although this paradigm can provide theoretical guarantees that the designed system complies with the defined processes and security policies, in many application domains users are allowed to deviate from them to face...
Conference Paper
Full-text available
The Internet of Things (IoT) is receiving considerable attention from both industry and academia because of the new business models that it enables and the new security and privacy challenges that it generates. Major Cloud Service Providers (CSPs) have proposed platforms to support IoT by combining cloud and edge computing. However, the security me...
Conference Paper
Full-text available
Multi-party access control is gaining attention and prominence within the community, as access control models and systems are faced with complex, jointly-owned and jointly-managed content. Traditional single-user approaches lack the richness and flexibility to accommodate these scenarios, resulting in undesired disclosure of sensitive data and reso...
Conference Paper
Full-text available
A main challenge of attribute-based access control (ABAC) is the handling of missing information. Several studies show that the way standard ABAC mechanisms (e.g., XACML) hand