I am an Assistant Professor at the Security Group of the Eindhoven University of Technology, in the Netherlands. I investigate the security of Industrial Control Systems (ICS) to improve their defense capabilities. My research focuses on the areas of network intrusion detection and incident response. I collaborate with the Eindhoven Security Hub Security Operations Center initiative.
I was one of the three founders of the spin-off SecurityMatters, with the goal of bringing to the market SilentDefense, a platform for network monitoring, asset inventory and network intrusion detection for Industrial Control Systems. At SecurityMatters I served as the CTO, and I was responsible for the company’s R&D.
Download my resumé.
PhD in Computer Science, 2011
University of Twente
MSc in Computer Science, 2005
Ca’ Foscari University of Venice
BSc in Computer Science, 2002
Ca’ Foscari University of Venice
In this work, we present the first collection of publicly disclosed security incidents involving Building Automation Systems (BAS). We then provide a qualitative study of attackers targeting BAS and unveil their main characteristics and differences to traditional CPS attackers. We learn that BAS attackers show a lower sophistication level and that most BAS attacks target the smart IoT components present in modern buildings. Further, access to the BAS is often not the attacker’s final goal but “just” a means to achieve their actual goal. Lastly, we do not observe any advanced, state-sponsored BAS attacks, hinting that these play less of a role in BAS (compared to CPS).
In this paper, we introduce a novel, PLC-compatible control-flow integrity (CFI) mechanism named ECFI to protect such devices from control-flow hijacking attacks. Our CFI approach is the first system for real-time PLCs and considers the runtime operation of the PLC as the highest priority.
This paper discusses a novel approach to specification-based intrusion detection in the field of networked control systems. Our approach reduces the substantial human effort required to deploy a specification-based intrusion detection system by automating the development of its specification rules.
Off-the-shelf intrusion detection systems prove an ill fit for protecting industrial control systems. Specifically, current systems fail to detect recent process control attacks. In this work we present a detector that continuously tracks updates to corresponding process variables to then derive variable-specific prediction models as the basis for assessing future activity.
In this paper we investigate and test the actual effectiveness of emulation-based detection and show that the detection can be circumvented by employing a wide range of evasion techniques, exploiting weaknesses that are present at all three levels of the detection process. We draw the conclusion that current emulation-based systems have limitations that allow attackers to craft generic shellcode encoders able to circumvent their detection mechanisms.
In this paper we investigate the effectiveness of a widely studied category of network intrusion detection systems: anomaly-based algorithms using n-gram analysis for payload inspection. Our tests show that the analyzed systems, in the presence of data with high variability, cannot deliver high detection and low false positive rates at the same time.
Download my PGP key. Fingerprint: AF58 B421 3E79 08FC 0ACE BE6D 3F45 80EA 5293 0E70.