FARES

Within the dynamic realm of Intelligent Transportation Systems (ITS), the Internet of Vehicles (IoV) marks a significant paradigm shift. The IoV represents an interconnected network linking vehicles, infrastructures, and the Internet itself, driven by wireless communication technologies. This paper dissects the privacy landscapes of ITS and IoV, exploring gaps in standards and academic literature. Leveraging European Telecommunications Standards Institute (ETSI) ITS G5 standards and IoV analyses in literature, we build two relational models to depict their current privacy landscape. A contrastive analysis reveals structural disparities and thematic differences. ITS, governed by established standards, exhibits a robust structure, while IoV, in its nascent stage, lacks formalisation. Privacy concerns differ, with IoV emphasising user consent and multi-party privacy. Detailed analysis highlights data collection, sharing, and privacy policy challenges. As ITS transitions to IoV, data volume expands, necessitating enhanced privacy safeguards. Addressing these challenges requires collaborative efforts to develop comprehensive privacy policies, prioritise user awareness, and integrate privacy by design principles. This paper offers insights into navigating the evolving landscape of transportation technologies, laying the groundwork for privacy-preserving ITS and IoV ecosystems.

Nowadays, the Information Technology landscape is permeated by a multitude of vulnerabilities and threats. The constantly rising number of heterogeneous devices makes difficult or even impossible a complete mapping of all possible threats to which they are exposed. Antivirus and Anti-malware tools have been developed to quickly detect anomalous software or behaviors. However, these solutions often rely on a knowledge base stored in such a kind of database. They are not effective against unknown attacks, also known as zero-day attacks. By relying on real-time (network/system) log analysis it is possible to detect attacker activities.

The log analysis plays a crucial role against cyber threats providing an effective tool in order to detect them rapidly and build advanced monitoring systems. However, log consultation can often be a challenging and costly task. Over time, useful tools and utilities have been developed to simplify the task for analysts.

This paper presents a system capable to detect attackers' activities in a Cyber Range platform enabling the visualization of the attackers' activity traces exploiting the attack graph.

A Software Bill of Materials (SBOM) is an inventory of the software components used to build a product, which can help customers track security risks throughout the development lifecycle. The popularity of SBOMs grew in May 2021 when the White House issued an executive order to improve the security of the software supply chain and the transparency of the government’s software inventory.

Although the growing interest in SBOM, many open challenges need to be addressed to help reduce exposure to cyber risks and enhance the security of software supply chains. To help the industry and research assemble the roadmap to achieve SBOM adoption in practice, in this paper, we analyze the challenges related to enabling technologies and the open issues that research must investigate. Furthermore, we perform a comparative analysis of the existing tools to generate SBOMs, demonstrating that the enabling technologies have not yet reached full automation and maturity.

Current trends in network intrusion detection systems (NIDS) capitalize on the extraction of features from the network traffic and the use of up-to-date machine and deep learning techniques to infer a detection model; in consequence, NIDS can be vulnerable to adversarial attacks. Differently from the plethora of contributions that apply (and misuse) feature-level attacks envisioned in application domains far from NIDS, this paper proposes a novel approach to adversarial attacks, which consists in a realistic problem-space perturbation of the network traffic. The perturbation is achieved through a traffic control utility. Experiments are based on normal and Denial of Service workloads in both legitimate and adversarial conditions, and the application of four popular techniques to learn the NIDS models. The results highlight the transferability of the adversarial examples generated by the proposed problem-space attack as well as the effectiveness at inducing traffic misclassifications across the NIDS models assessed.

The main goal of the EU GDPR is to protect personal data of individuals within the EU. This is expressed in several rights and, among them, in this work we focus on the Right to Erasure, more commonly known as the Right to Be Forgotten (RtBF).

There is an intriguing debate about the affordable costs and the actual technical feasibility of satisfying the RtBF in digital platforms. We note that some digital platforms process personal data in order to derive and store correlated data raising two main issues: 1) removing personal data could create inconsistencies in the remaining correlated data; 2) correlated data could also be personal data. As such, in some cases, erasing personal data can trigger an avalanche on the remaining information stored in the platform.

Addressing the above issues can be very challenging in particular when a digital platform has been originally built without embedding in its design specific methodologies to deal with the RtBF.

This work aims at illustrating concrete scenarios where the RtBF is technically hard to guarantee with traditional techniques. On the positive side, we show how zero-knowledge (ZK) proofs can be leveraged to design affordable solutions in various use cases, especially when considered at design time. ZK proofs can be instrumental

for compliance to the RtBF revolutionizing the current approaches to design compliant systems. Concretely, we show an assessment scheme allowing to check compliance with th RtBF leveraging the power of ZK proofs. We analyze the above assessment scheme considering specific hard-to-address use cases.

Fully Homomorphic Encryption (FHE) is a key technological enabler for secure computations as it allows a third-party to perform arbitrary computations on encrypted data learning neither the input nor the results of a computation. Notwithstanding the recent theoretical breakthroughs in FHE, building a secure and efficient FHE-based application is still a challenging engineering task where optimal choices are heavily application-dependent.

Taking linear regression as a case-study, we investigate the programming and configuration solutions to implement FHE-based applications. We show that, although obviously slower than the non-homomorphic version, the implementation of linear regression on homomorphically encrypted data is viable provided the programmer adopts appropriate programming expedients and parameters selection.

The Internet of Things (IoT) presents transformative opportunities for connectivity and automation across various sectors, but it also introduces significant security risks that need to be comprehensively addressed. Indeed, the growing integration of IoT devices, including their vulnerabilities, into critical infrastructures amplifies potential risks in daily life, making these systems prime targets for cyber-criminal activities, including espionage and sabotage. Cases where IoT devices have been misused, due to firmware vulnerabilities, embedded passwords, and hidden backdoors are real-world scenarios, that pose significant threats to privacy and security. That's why this paper aims to point out the urgency of addressing these issues as IoT applications continue to proliferate across healthcare, transportation, urban development and other sectors.

Different types of vulnerabilities and their implications with focus on urban critical infrastructures, which can lead to severe consequences like energy blackouts, water contamination, and widespread service disruptions, especially in densely populated areas, are discussed.

Moreover, the need of a multidimensional approach that encompasses technological, legal, social, and economic considerations, to deal with those broader cybersecurity and risk management implications of IoT is highlighted. As a consequence, the need for continuous evolution in security strategies to keep pace with the rapid advancements in IoT technologies is pointed out, thus arguing for a proactive approach to safeguard IoT systems against emerging threats and to ensure the safe and resilient operation of these increasingly integral parts of modern critical infrastructures.

In smart cities, graph embedding technologies, Graph Neural Networks (GNNs), and related variants are extensively employed to address predictive tasks within complex urban networks, such as traffic management, the Internet of Things (IoT), and public safety. These implementations frequently require processing substantial personal information and topological details in graph formats, thereby raising significant privacy concerns. Mitigating these concerns necessitates an in-depth analysis of existing privacy preservation techniques integrated with GNNs in the specific context of smart cities. To this end, this paper provides a comprehensive systematic review of current applications of privacy-aware GNNs in smart cities.

Our research commenced with a methodical literature search that identified 14 pertinent papers and summarized prevalent privacy preservation mechanisms, including federated learning, differential privacy, homomorphic encryption, adversarial learning, and user-trust-based approaches. Subsequent analysis examined how the integration of these technologies with GNNs enhances privacy security and model utility in smart city applications. Further, we proposed an analytical framework for privacy-aware GNNs across the machine learning lifecycle, assessing the challenges of current integration from a practical viewpoint. The paper concluded by suggesting potential directions for future research.