I am an Assistant Professor in the Security Group of the Technical University of Eindhoven, the Netherlands. Previously I worked and studied at the University of Trento, Italy, where I obtained my PhD in 2015 with a thesis entitled "Risk-based Vulnerability Management. Exploiting the economic nature of the attacker to build sound and measurable vulnerability mitigation strategies".
The gist of my research is to find the technical, economic, and strategic factors that drive vulnerability exploitation in the wild. To this aim I investigate the dynamic optimization problems the attacker solves when engineering a new attack, the underground markets in which attackers operate, the technology they employ, and the rates at which attacks are delivered to end users. My research draws from several fields, including computer security, economics, risk analysis, and criminology.
I am also an acknowledged authoring member of the First.org SIG Team for the upcoming CVSS v3 framework (the worldwide de facto standard for vulnerability assessment).
My almost-updated curriculum vitae can be found here.
Feel free to send me an e-mail if you need to contact me. If you want to do that privately, my PGP fingerprint is 950E 3DC8 EB66 DFF3 B64D 7848 A0AD 0BB6 5DC4 98F1. Public key here.
In Trento I was the lecturer for the 2015-2016 Network Security course (website).
My LinkedIn page (hardly updated) is this.
My Twitter handle is @securescientist.
Luca Allodi, Marco Corradin, Fabio Massacci. Then and Now: On The Maturity of the Cybercrime Markets. The lesson black-hat marketeers learned. To appear in the IEEE Transactions on Emerging Topics in Computing. Pre-print PDF
Luca Allodi. The Heavy Tails of Vulnerability Exploitation. In the Proceedings of ESSoS 2015. To be published by Springer by March 2015. PDF
Luca Allodi, Fabio Massacci. Comparing vulnerability severity and exploits using case-control studies. ACM Transactions on Information and System Security (TISSEC). 17, 1, Article 1 (August 2014), 20 pages. PDF
Luca Allodi. Attacker economics for Internet-scale vulnerability risk assessment (Extended Abstract). Research proposal, in Proceedings of Usenix LEET 2013. PDF
Luca Allodi, Vadim Kotov, Fabio Massacci. MalwareLab: Experimentation with Cybercrime Attack Tools. In Proceedings of Usenix CSET 2013. PDF
Luca Allodi, Fabio Massacci. Analysis of exploits in the wild. Or: do Cybersecurity Standards Make Sense? Poster at IEEE Symposium on Security & Privacy 2013. PDF
Luca Allodi, Woohyun Shim, Fabio Massacci. Quantitative assessment of risk reduction with cybercrime black market monitoring. Proceedings of IEEE S&P 2013 International Workshop on Cyber Crime. PDF
Woohyun Shim, Luca Allodi, Fabio Massacci. Crime Pays If You Are Just an Average Hacker. Proceedings of IEEE/ASE 2012 Cyber Security Conference. PDF
Conference acceptance rate: 9%. Complementary publication in ASE Journal, 2012, Vol. 2. Journal acceptance rate: 3%. Best paper award.
Luca Allodi, Fabio Massacci. A Preliminary Analysis of Vulnerability Scores for Attacks in Wild. Proceedings of BADGERS 2012 CCS Workshop. PDF
Luca Allodi, Fabio Massacci, Woohyun Shim. Crime Pays If You Are Just an Average Hacker. Accepted Poster at GameSec 2012.
Luca Allodi. The dark side of vulnerability exploitation. Proceedings of the 2012 ESSoS Conference Doctoral Symposium. link [PDF]
Luca Allodi, Marco Cremonini, Luca Chiodi. The asymmetric diffusion of trust between communities: Simulations in dynamic social networks. Proceedings of the 2011 Winter Simulation Conference. June 13, 2011. Finalist "Best Theoretical Paper Award Wintersim 2011" link
Luca Allodi, Marco Cremonini, Luca Chiodi. Modifying Trust Dynamics through Cooperation and Defection in Evolving Social Networks. Springer LNCS 6740, pp. 131-145, 2011. link
(Oct 2014) Luca Allodi. Efficient Vulnerability Management: Measuring Vulnerabilities and Exploits for Better Security Strategies. Seminar on Road-Mapping Cybersecurity Research and Innovation, Florence, IT.
(May 2014) Luca Allodi. My software has a vulnerability, should I worry? An empirical validation of the industry standard. Seminar at Durham University, Durham, UK.
(Aug 2013) Luca Allodi, Fabio Massacci. My software has a vulnerability, should I worry? (An Empirical Study on Symantec Threats and Exploit Kits). Seminar at Accenture Labs, Washington D.C.
Luca Allodi. My Software has a vulnerability, should I Worry? An empirical validation of an industry standard. Seminar at George Mason University, Fairfax, VA.
(Aug 2013) Luca Allodi. Attacker Economics for Internet-scale vulnerability Risk Assessment (Extended Abstract). Presentation at Usenix Security LEET Workshop 2013.
(Aug 2013) Luca Allodi. MalwareLab: Experimenting with Cybercrime Attack Tools. Presentation at Usenix Security CSET Workshop 2013.
(Aug 2013) Luca Allodi. How CVSS is DOSsing your patching policy (and wasting your money). Presentation at BlackHat USA 2013.
(Apr 2013) Luca Allodi. Risk Metrics for Vulnerabilities exploited in the wild. Lecture at the University of Milan, DTI Crema.
(Feb 2013) Luca Allodi. Exploitation in the Wild. What attacks do, and what should(n't) we care about. Seminar at the University of Rome, Tor Vergata.
(Dec 2012) Woohyun Shim, Luca Allodi, Fabio Massacci. Crime Pays If You Are Just an Average Hacker. Presentation at the 2012 CyberSecurity Conference in Alexandria, Virginia (U.S.).
(Oct 2012) Luca Allodi, Fabio Massacci. A Preliminary Analysis of Vulnerability Scores for Attacks in Wild. Presentation at 2012 CCS BADGERS Workshop, Raleigh, North Carolina (U.S.).
(July 2012) Luca Allodi, Fabio Massacci. Economics of cybercrime. Joint meeting with Ufa State Aviation University, Russia. Trento, Italy.
(June 2012) Luca Allodi. A quick analysis on data quality for risk evaluation. Rump session at WEIS 2012. Berlin.
(April 2012) Luca Allodi, Fabio Massacci. Some preliminary analysis of the economics of malware kits and traffic brokers. Workshop on “Collaborative Security and Privacy Technologies”. Berlin.
(June 2011) Luca Allodi, Marco Cremonini. Dynamic Social Networks. Modeling Trust, Shocks and Hype. University of Bologna. Engineering department of Cesena, Italy.
During my Master's thesis I got interested in Social Network Dynamics, the diffusion of information within networks, and the different roles of nodes.
I am now working on new ways to integrate security metrics with the economics of cyber attacks; in particular, I am interested in understanding whether the analysis of new trends in cybercrime attacks (APTs, black markets, botnet rentals, ...) can be exploited to improve current security metrics.
In my free time, I am an avid mid-to-long distance (20+ km) trail runner. Back in Trento I ran on several peaks; the Rosengarten/Catinaccio group (↑ ~2300-2700 m), Marzola (↑ ~1700 m), Bondone (↑ ~2200 m), Calisio (↑ ~1000 m) and Chegul (↑ ~1400 m) are some examples.
Faculty of Mathematics and Computer Science
Eindhoven Technical University
P.O. Box 513, 5600 MB
Eindhoven, the Netherlands