PGP fingerprint: 950E 3DC8 EB66 DFF3 B64D 7848 A0AD 0BB6 5DC4 98F1
P.O. Box 513, 5600 MB, Eindhoven, The Netherlands
2017-2018: Offensive Computer Security Laboratory (TU/e) (To come).
2016: Network Security (Trento) (website).
My LinkedIn page (hardly updated) is this
My Twitter handle is @securescientist
- Cybercrime markets investigation. Develop a classification infrastructure for "darknet" underground markets. Further details via email. PGP key above.
- Contextual risk assessment for CIED medical devices. (PDF) This research project aims at identifying and measuring risk factors for implanted medical devices through the study of real-world applications and deployment conditions at the JBZ hospital.
I am an Assistant Professor at the Security Group of the Eindhoven University of Technology, in the Netherlands. Previously I worked and studied at the University of Trento, Italy, where I completed my PhD in 2015 with a thesis entitled: "Risk-based Vulnerability Management. Exploiting the economic nature of the attacker to build sound and measurable vulnerability mitigation strategies".
The gist of my research is to find the technical, economic, and strategic factors that drive vulnerability exploitation in the wild. To this aim I investigate the dynamic optimization problems the attacker solves when engineering a new attack, the underground markets in which the attackers operate, the technology they employ, and the rates at which attacks are delivered to the final users. My research draws from several fields, including computer security, economics, risk analysis, and criminology.
I am also an acknowledged authoring member of the First.org SIG Team for the upcoming CVSS v3 framework (the worldwide de facto standard for vulnerability assessment).
Allodi, L. and Massacci, F. (2017), Security Events and Vulnerability Data for Cybersecurity Risk Estimation. Risk Analysis, 37: 1606–1627. doi:10.1111/risa.12864 Impact factor: 2.225, ISI Journal Citation Reports Ranking: 2015: 6/49 (Social Sciences Mathematical Methods); 17/101 (Mathematics Interdisciplinary Applications). Pre pub version
Luca Allodi, Marco Corradin, Fabio Massacci. Then and Now: On The Maturity of the Cybercrime Markets. The lesson black-hat marketeers learned. IEEE Transactions on Emerging Topics in Computing, 4(1):35–46, Jan 2016. Impact factor: 4.12 (2016 Scopus CiteScore). Pre pub version
Luca Allodi, Fabio Massacci. Comparing vulnerability severity and exploits using case-control studies. ACM Transactions on Information and System Security (TISSEC). 17, 1, Article 1 (August 2014), 20 pages. Impact factor: 3.45 (2014 Scopus CiteScore); flagship ACM journal on security. PDF
Luca Allodi, Marco Cremonini, Fabio Massacci, Woohyun Shim. The effect of security education and expertise on security assessments: the case of software vulnerabilities. Presented at WEIS 2018, Innsbruck, AT. Preprint
Jukka Ruohonen, Luca Allodi. A bug bounty perspective on the disclosure of web vulnerabilities. Presented at WEIS 2018, Innsbruck, AT. Preprint
Tho Le, Roland van Rijswijk-Deij, Luca Allodi and Nicola Zannone. Economic Incentives on DNSSEC Deployment: Time to Move from Quantity to Quality. To appear in the Proceedings of the 16th IEEE/IFIP Network Operations and Management Symposium (NOMS 2018). Preprint
Luca Allodi and Sandro Etalle. 2017. Towards Realistic Threat Modeling: Attack Commodification, Irrelevant Vulnerabilities, and Unrealistic Assumptions. In Proceedings of the 2017 Workshop on Automated Decision Making for Active Cyber Defense (SafeConfig '17). ACM, New York, NY, USA, 23-26. DOI: https://doi.org/10.1145/3140368.3140372 Preprint
Luca Allodi. 2017. Economic Factors of Vulnerability Trade and Exploitation. In Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security (CCS '17). ACM, New York, NY, USA, 1483-1499. DOI: https://doi.org/10.1145/3133956.3133960 (Acc. rate 18%). Preprint
Luca Allodi, Fabio Massacci. Attack potential in Impact and Complexity. In the Proceedings of ARES 2017. Preprint
Allodi, L., Biagioni, S., Crispo, B., Labunets, K., Massacci, F., & Santos, W. (2017, November). Estimating the Assessment Difficulty of CVSS Environmental Metrics: An Experiment. In International Conference on Future Data and Security Engineering (pp. 23-39). Springer, Cham.
Luca Allodi, Fabio Massacci, Julian Williams. The Work-Averse Cyber Attacker Model. Evidence from two million attack signatures. Presented at WEIS 2017. SSRN version
Luca Allodi, Fabio Massacci. The Work-Averse Attacker Model. In the Proceedings of the 2015 European Conference on Information Systems (ECIS 2015). PDF
Luca Allodi. The Heavy Tails of Vulnerability Exploitation. In the Proceedings of ESSoS 2015. To be published by Springer by March 2015. PDF
Luca Allodi. Attacker economics for Internet-scale vulnerability risk assessment (Extended Abstract). Research proposal, in Proceedings of Usenix LEET 2013. PDF
Luca Allodi, Vadim Kotov, Fabio Massacci. MalwareLab: Experimentation with Cybercrime Attack Tools. In Proceedings of Usenix CSET 2013. PDF
Luca Allodi, Fabio Massacci. Analysis of exploits in the wild. Or: do Cybersecurity Standards Make Sense? Poster at IEEE Symposium on Security & Privacy 2013. PDF
Luca Allodi, Woohyun Shim, Fabio Massacci. Quantitative assessment of risk reduction with cybercrime black market monitoring. Proceedings of IEEE S&P 2013 International Workshop on Cyber Crime. PDF
Woohyun Shim, Luca Allodi, Fabio Massacci. Crime Pays If You Are Just an Average Hacker. Proceedings of IEEE/ASE 2012 Cyber Security Conference. PDF
Conference acceptance rate: 9%. Complementary publication in ASE Journal, 2012, Vol. 2. Journal acceptance rate: 3%. Best paper award.
Luca Allodi, Fabio Massacci. A Preliminary Analysis of Vulnerability Scores for Attacks in Wild. Proceedings of BADGERS 2012 CCS Workshop. PDF
Luca Allodi, Fabio Massacci, Woohyun Shim. Crime pays if you are just an average hacker. Accepted Poster at GameSec 2012.
Luca Allodi. The dark side of vulnerability exploitation. Proceedings of the 2012 ESSoS Conference Doctoral Symposium. link [PDF]
Luca Allodi, Marco Cremonini, Luca Chiodi. The asymmetric diffusion of trust between communities: Simulations in dynamic social networks. Proceedings of the 2011 Winter Simulation Conference. June 13, 2011. Finalist "Best Theoretical Paper Award Wintersim 2011" link
Luca Allodi, Marco Cremonini, Luca Chiodi. Modifying Trust Dynamics through Cooperation and Defection in Evolving Social Networks. Springer LNCS 6740, pp. 131-145, 2011. link
Conferences and magazines
(Oct 2014) Luca Allodi. Efficient Vulnerability Management: Measuring Vulnerabilities and Exploits for Better Security Strategies. Seminar on Road-Mapping Cybersecurity Research and Innovation, Florence, IT.
(May 2014) Luca Allodi. My software has a vulnerability, should I worry? An empirical validation of the industry standard. Seminar at Durham University, Durham, UK.
(Aug 2013) Luca Allodi, Fabio Massacci. My software has a vulnerability, should I worry? (An Empirical Study on Symantec Threats and Exploit Kits). Seminar at Accenture Labs, Washington D.C.
Luca Allodi. My Software has a vulnerability, should I Worry? An empirical validation of an industry standard. Seminar at George Mason University, Fairfax, VA.
(Aug 2013) Luca Allodi. Attacker Economics for Internet-scale vulnerability Risk Assessment (Extended Abstract). Presentation at Usenix Security LEET Workshop 2013.
(Aug 2013) Luca Allodi. MalwareLab: Experimenting with Cybercrime Attack Tools. Presentation at Usenix Security CSET Workshop 2013.
(Aug 2013) Luca Allodi. How CVSS is DOSsing your patching policy (and wasting your money). Presentation at BlackHat USA 2013.
(Apr 2013) Luca Allodi. Risk Metrics for Vulnerabilities exploited in the wild. Lecture at the University of Milan, DTI Crema.
(Feb 2013) Luca Allodi. Exploitation in the Wild. What attacks do, and what should(n't) we care about. Seminar at the University of Rome, Tor Vergata.
(Dec 2012) Woohyun Shim, Luca Allodi, Fabio Massacci. Crime Pays If You Are Just an Average Hacker. Presentation at the 2012 CyberSecurity Conference in Alexandria, Virginia (U.S.).
(Oct 2012) Luca Allodi, Fabio Massacci. A Preliminary Analysis of Vulnerability Scores for Attacks in Wild. Presentation at 2012 CCS BADGERS Workshop, Raleigh, North Carolina (U.S.).
(July 2012) Luca Allodi, Fabio Massacci. Economics of cybercrime. Joint meeting with Ufa State Aviation University, Russia. Trento, Italy.
(June 2012) Luca Allodi. A quick analysis on data quality for risk evaluation. Rump session at WEIS 2012. Berlin.
(April 2012) Luca Allodi, Fabio Massacci. Some preliminary analysis of the economics of malware kits and traffic brokers. Workshop on “Collaborative Security and Privacy Technologies”. Berlin.
(June 2011) Luca Allodi, Marco Cremonini. Dynamic Social Networks. Modeling Trust, Shocks and Hype. University of Bologna. Engineering department of Cesena, Italy.
During my Master's degree thesis I got interested in Social Network Dynamics, the diffusion of information within networks, and the different roles of nodes.
I am now working on new ways to integrate security metrics with cyber attack economics; in particular, I am interested in understanding if analysis of new trends in cybercrime attacks (APTs, black markets, botnet rentals, ...) can be exploited to improve current metrics for security.
In my free time, I am an avid mid-long distance (20+ kms) trail runner. Back in Trento I ran on several peaks; Rosengarten/Catinaccio group (↑ ~2300-2700mt), Marzola (↑ ~1700mt), Bondone (↑ ~2200mt), Calisio (↑ ~1000mt) and Chegul (↑ ~1400mt) are some examples.