Papadimitratos, Panos (ORCID iD: orcid.org/0000-0002-3267-5374)
Publications (10 of 166)
Jin, H. & Papadimitratos, P. (2025). Accountable, Scalable and DoS-resilient Secure Vehicular Communication. Computers & Security, 156, Article ID 104469.
2025 (English). In: Computers & Security, ISSN 0167-4048, E-ISSN 1872-6208, Vol. 156, article id 104469. Article in journal (Refereed) Published
Abstract [en]

Standardized Vehicular Communication (VC), mainly Cooperative Awareness Messages (CAMs) and Decentralized Environmental Notification Messages (DENMs), is paramount to vehicle safety, carrying vehicle status information and reports of traffic/road-related events respectively. Broadcasted CAMs and DENMs are pseudonymously authenticated for security and privacy protection, with each node needing to have all incoming messages validated within an expiration deadline. This creates an asymmetry that can be easily exploited by external adversaries to launch a clogging Denial of Service (DoS) attack: each forged VC message forces all neighboring nodes to cryptographically validate it; at increasing rates, easy-to-generate forged messages gradually exhaust processing resources and severely degrade or deny timely validation of benign CAMs/DENMs. The result can be catastrophic when awareness of neighbor vehicle positions or critical reports are missed. We address this problem by making the standardized VC pseudonymous authentication DoS-resilient. We propose efficient cryptographic constructs, which we term message verification facilitators, to prioritize processing resources for verification of potentially valid messages among bogus messages and verify multiple messages based on one signature verification. Any message acceptance is strictly based on public-key based message authentication/verification for accountability, i.e., non-repudiation is not sacrificed, unlike symmetric key based approaches. This further enables drastic misbehavior detection, also exploiting the newly introduced facilitators, based on probabilistic signature verification and cross-checking over multiple facilitators verifying the same message; while maintaining verification latency low even when under attack, trading off modest communication overhead.
Our facilitators can also be used for efficient discovery and verification of DENM or any event-driven message, including misbehavior evidence used for our scheme. Even when vehicles are saturated by adversaries mounting a clogging DoS attack, transmitting high-rate bogus CAMs/DENMs, our scheme achieves an average 50 ms verification delay with message expiration ratio less than 1%, a huge improvement over the current standard that verifies every message signature in a First-Come First-Served (FCFS) manner and suffers from having 50% to nearly 100% of the received benign messages expiring.

Place, publisher, year, edition, pages
Elsevier BV, 2025
Keywords
Accountability, Non-repudiation, Privacy, Pseudonymous authentication, Efficiency
National Category
Communication Systems
Identifiers
urn:nbn:se:kth:diva-364044 (URN); 10.1016/j.cose.2025.104469 (DOI); 001484700400001 (); 2-s2.0-105003723127 (Scopus ID)
Note

QC 20250602

Available from: 2025-06-02. Created: 2025-06-02. Last updated: 2025-06-02. Bibliographically approved
Spanghero, M. & Papadimitratos, P. (2025). Consumer INS coupled with carrier phase measurements for GNSS spoofing detection. Paper presented at ION ITM/PTTI, International Technical Meeting January 27 - 30, 2025 Long Beach, CA. Long Beach, CA, USA: Institute of Navigation
2025 (English). Conference paper, Published paper (Refereed)
Abstract [en]

Global Navigation Satellite Systems enable precise localization and timing even for highly mobile devices, but legacy implementations provide only limited support for the new generation of security-enhanced signals. Inertial Measurement Units have proved successful in augmenting the accuracy and robustness of the GNSS-provided navigation solution, but effective navigation based on inertial techniques in denied contexts requires high-end sensors. However, commercially available mobile devices usually embed a much lower-grade inertial system. To counteract an attacker transmitting all the adversarial signals from a single antenna, we exploit carrier phase-based observations coupled with a low-end inertial sensor to identify spoofing and meaconing. By short-time integration with an inertial platform, which tracks the displacement of the GNSS antenna, the high-frequency movement at the receiver is correlated with the variation in the carrier phase. In this way, we identify legitimate transmitters, based on their geometrical diversity with respect to the antenna system movement. We introduce a platform designed to effectively compare different tiers of commercial INS platforms with a GNSS receiver. By characterizing different inertial sensors, we show that simple MEMS INS perform as well as high-end industrial-grade sensors. Sensors traditionally considered unsuited for navigation purposes offer great performance at the short integration times used to evaluate the carrier phase information consistency against the high-frequency movement. Results from laboratory evaluation and through field tests at Jammertest 2024 show that the detector is up to 90% accurate in correctly identifying spoofing (or the lack of it), without any modification to the receiver structure, and with mass-production grade INS typical for mobile phones.

Place, publisher, year, edition, pages
Long Beach, CA, USA: Institute of Navigation, 2025
National Category
Signal Processing
Identifiers
urn:nbn:se:kth:diva-359742 (URN)
Conference
ION ITM/PTTI, International Technical Meeting January 27 - 30, 2025 Long Beach, CA
Funder
Swedish Civil Contingencies Agency, RIT17-0005
Note

QC 20250213

Available from: 2025-02-11. Created: 2025-02-11. Last updated: 2025-03-17. Bibliographically approved
Spanghero, M., Geib, F., Panier, R. & Papadimitratos, P. (2025). GNSS jammer localization and identification with airborne commercial GNSS receivers. IEEE Transactions on Information Forensics and Security, 20, 3550-3565
2025 (English). In: IEEE Transactions on Information Forensics and Security, ISSN 1556-6013, E-ISSN 1556-6021, Vol. 20, p. 3550-3565. Article in journal (Refereed) Published
Abstract [en]

Global Navigation Satellite Systems (GNSS) are fundamental in ubiquitously providing position and time to a wide gamut of systems. Jamming remains a realistic threat in many deployment settings, civilian and tactical. Specifically, in Unmanned Aerial Vehicles (UAVs) sustained denial raises safety critical concerns. This work presents a strategy that allows detection, localization, and classification both in the frequency and time domain of interference signals harmful to navigation. A high-performance Vertical Take Off and Landing (VTOL) UAV with a single antenna and a commercial GNSS receiver is used to geolocate and characterize RF emitters at long range, to infer the navigation impairment. Raw IQ baseband snapshots from the GNSS receiver make the application of spectral correlation methods possible without extra software-defined radio payload, paving the way to spectrum identification and monitoring in airborne platforms, aiming at RF situational awareness. Live testing at Jammertest, in Norway, with portable, commercially available GNSS multi-band jammers demonstrates the ability to detect, localize, and characterize harmful interference. Our system pinpointed the position with an error of a few meters of the transmitter and the extent of the affected area at long range, without entering the denied zone. Additionally, further spectral content extraction is used to accurately identify the jammer frequency, bandwidth, and modulation scheme based on spectral correlation techniques.

Place, publisher, year, edition, pages
Institute of Electrical and Electronics Engineers (IEEE), 2025
National Category
Signal Processing; Control Engineering
Identifiers
urn:nbn:se:kth:diva-361264 (URN); 10.1109/tifs.2025.3550050 (DOI); 001457502700002 (); 2-s2.0-105002263966 (Scopus ID)
Funder
Swedish Research Council, 2020-04621
Note

QC 20250520

Available from: 2025-03-14. Created: 2025-03-14. Last updated: 2025-05-20. Bibliographically approved
Alhazbi, S., Hussain, A., Oligeri, G. & Papadimitratos, P. (2025). LLMs Have Rhythm: Fingerprinting Large Language Models Using Inter-Token Times and Network Traffic Analysis. IEEE Open Journal of the Communications Society, 6, 5050-5071
2025 (English). In: IEEE Open Journal of the Communications Society, E-ISSN 2644-125X, Vol. 6, p. 5050-5071. Article in journal (Refereed) Published
Abstract [en]

As Large Language Models (LLMs) become increasingly integrated into many technological ecosystems across various domains and industries, identifying which model is deployed or being interacted with is critical for the security and trustworthiness of the systems. Current verification methods typically rely on analyzing the generated output to determine the source model. However, these techniques are susceptible to adversarial attacks, operate in a post-hoc manner, and may require access to the model weights to inject a verifiable fingerprint. In this paper, we propose a novel passive fingerprinting framework that operates in real-time and remains effective even under encrypted network traffic conditions. Our method leverages the intrinsic autoregressive generation nature of language models, which generate text one token at a time based on all previously generated tokens, creating a unique temporal pattern–like a rhythm or heartbeat–that persists even when the output is streamed over a network. We find that measuring the Inter-Token Times (ITTs)–time intervals between consecutive tokens–can identify different language models with high accuracy. We develop a Deep Learning (DL) pipeline to capture these timing patterns using network traffic analysis and evaluate it on 16 Small Language Models (SLMs) and 10 proprietary LLMs across different deployment scenarios, including local host machine (GPU/CPU), Local Area Network (LAN), Remote Network, and when using Virtual Private Network (VPN). Our experimental results demonstrate high classification performance with weighted F1-scores of 85% when tested on a different day, 74% across different networks, and 71% when traffic is tunneled through a VPN connection. This work opens a new avenue for model identification in real-world scenarios and contributes to more secure and trustworthy language model deployment.

Place, publisher, year, edition, pages
Institute of Electrical and Electronics Engineers (IEEE), 2025
Keywords
Deep Learning, Fingerprinting, Large Language Models, Network Security, Network Traffic Analysis, Small Language Models
National Category
Communication Systems; Computer Sciences; Natural Language Processing
Identifiers
urn:nbn:se:kth:diva-366014 (URN); 10.1109/OJCOMS.2025.3577016 (DOI); 001515531400009 (); 2-s2.0-105007645474 (Scopus ID)
Note

QC 20250704

Available from: 2025-07-04. Created: 2025-07-04. Last updated: 2025-07-04. Bibliographically approved
Papadimitratos, P. (2025). Mix-Zones in Wireless Mobile Networks (3rd ed.). In: Sushil Jajodia, Pierangela Samarati, Moti Yung (Ed.), Encyclopedia of Cryptography, Security and Privacy (pp. 1555-1559). Springer Nature
2025 (English). In: Encyclopedia of Cryptography, Security and Privacy / [ed] Sushil Jajodia, Pierangela Samarati, Moti Yung, Springer Nature, 2025, 3, p. 1555-1559. Chapter in book (Other academic)
Place, publisher, year, edition, pages
Springer Nature, 2025 Edition: 3
National Category
Communication Systems
Identifiers
urn:nbn:se:kth:diva-362680 (URN); 10.1007/978-3-030-71522-9_1534 (DOI); 2-s2.0-105002555056 (Scopus ID)
Note

Part of ISBN 9783030715229, 9783030715205

QC 20250428

Available from: 2025-04-23. Created: 2025-04-23. Last updated: 2025-04-28. Bibliographically approved
Spanghero, M. & Papadimitratos, P. (2025). UnReference: analysis of the effect of spoofing on RTK reference stations for connected rovers. In: Proceedings of the 2025 IEEE/ION Position, Localization and Navigation Symposium (PLANS), Salt Lake City, UT, USA. Paper presented at IEEE/ION Position, Localization and Navigation Symposium (PLANS), Salt Lake City, Utah, US, April 28 - May 1, 2025 (pp. 1-12).
2025 (English). In: Proceedings of the 2025 IEEE/ION Position, Localization and Navigation Symposium (PLANS), Salt Lake City, UT, USA, 2025, p. 1-12. Conference paper, Published paper (Refereed)
Abstract [en]

Global Navigation Satellite Systems (GNSS) provide standalone precise navigation for a wide gamut of applications. Nevertheless, applications or systems such as unmanned vehicles (aerial or ground vehicles and surface vessels) generally require a much higher level of accuracy than those provided by standalone receivers. The most effective and economical way of achieving centimeter-level accuracy is to rely on corrections provided by fixed reference station receivers to improve the satellite ranging measurements. Differential GNSS (DGNSS) and Real Time Kinematics (RTK) provide centimeter-level accuracy by distributing online correction streams to connected nearby mobile receivers typically termed rovers. However, due to their static nature, reference stations are prime targets for GNSS attacks, both simplistic jamming and advanced spoofing, with different levels of adversarial control and complexity. Jamming the reference station would deny corrections and thus accuracy to the rovers. Spoofing the reference station would force it to distribute misleading corrections. As a result, all connected rovers using those corrections will be equally influenced by the adversary independently of their actual trajectory. We evaluate a battery of tests generated with an RF simulator to test the robustness of a common DGNSS/RTK processing library and receivers. We test both jamming and synchronized spoofing to demonstrate that adversarial action on the rover using reference spoofing is both effective and convenient from an adversarial perspective. Additionally, we discuss possible strategies based on existing countermeasures (self-validation of the PNT solution and monitoring of own clock drift) that the rover and the reference station can adopt to avoid using or distributing bogus corrections.

National Category
Security, Privacy and Cryptography; Electrical Engineering, Electronic Engineering, Information Engineering; Signal Processing
Identifiers
urn:nbn:se:kth:diva-361268 (URN)
Conference
IEEE/ION Position, Localization and Navigation Symposium (PLANS), Salt Lake City, Utah, US, April 28 - May 1, 2025
Funder
Swedish Research Council, 2020-04621
Note

QC 20250317

Available from: 2025-03-15. Created: 2025-03-15. Last updated: 2025-03-17. Bibliographically approved
Teixeira De Castro, H., Hussain, A., Blanc, G., El Hachem, J., Blouin, D., Leneutre, J. & Papadimitratos, P. (2024). A Model-based Approach for Assessing the Security of Cyber-Physical Systems. In: ARES 2024 - 19th International Conference on Availability, Reliability and Security, Proceedings. Paper presented at 19th International Conference on Availability, Reliability and Security, ARES 2024, Vienna, Austria, Jul 30 2024 - Aug 2 2024. Association for Computing Machinery (ACM), Article ID 121.
2024 (English). In: ARES 2024 - 19th International Conference on Availability, Reliability and Security, Proceedings, Association for Computing Machinery (ACM), 2024, article id 121. Conference paper, Published paper (Refereed)
Abstract [en]

Cyber-Physical Systems (CPSs) complexity has been continuously increasing to support new life-impacting applications, such as Internet of Things (IoT) devices or Industrial Control Systems (ICSs). These characteristics introduce new critical security challenges to both industrial practitioners and academics. This work investigates how Model-Based System Engineering (MBSE) and attack graph approaches could be leveraged to model secure Cyber-Physical System solutions and identify high-impact attacks early in the system development life cycle. To achieve this, we propose a new framework that comprises (1) an easily adoptable modeling paradigm for Cyber-Physical System representation, (2) an attack-graph-based solution for Cyber-Physical System automatic quantitative security analysis, based on the MulVAL security tool, (3) a set of Model-To-Text (MTT) transformation rules to bridge the gap between SysML and MulVAL. We illustrated the validity of our proposed framework through an autonomous ventilation system example. A Denial of Service (DoS) attack targeting an industrial communication protocol was identified and displayed as attack graphs. In future work, we intend to connect the approach to dynamic security databases for automatic countermeasure selection.

Place, publisher, year, edition, pages
Association for Computing Machinery (ACM), 2024
Keywords
Critical Infrastructures, Risk Analysis, Security and Privacy for Cyber-Physical Systems, Security by Design, Threats and Attack Modelling, Usable Security and Privacy
National Category
Computer Systems
Identifiers
urn:nbn:se:kth:diva-351960 (URN); 10.1145/3664476.3670470 (DOI); 2-s2.0-85200385847 (Scopus ID)
Conference
19th International Conference on Availability, Reliability and Security, ARES 2024, Vienna, Austria, Jul 30 2024 - Aug 2 2024
Note

Part of ISBN 9798400717185

QC 20240827

Available from: 2024-08-19. Created: 2024-08-19. Last updated: 2024-08-27. Bibliographically approved
Eryonucu, C. & Papadimitratos, P. (2024). Detecting Mobile Crowdsensing Sybil Attackers via Presence Verification. In: CPSIoTSec 2024 - Proceedings of the 6th Workshop on CPS and IoT Security and Privacy, Co-Located with: CCS 2024. Paper presented at 6th Workshop on CPS and IoT Security and Privacy, CPSIoTSec 2024, Salt Lake City, United States of America, October 14-18, 2024 (pp. 118-124). Association for Computing Machinery (ACM)
2024 (English). In: CPSIoTSec 2024 - Proceedings of the 6th Workshop on CPS and IoT Security and Privacy, Co-Located with: CCS 2024, Association for Computing Machinery (ACM), 2024, p. 118-124. Conference paper, Published paper (Refereed)
Abstract [en]

Mobile crowdsensing (MCS) relies on smart, portable devices to conveniently collect sensory data from our surroundings. MCS-based apps, e.g., Google Maps, are already well-integrated into our everyday lives. However, Sybil-based attacks, with an attacker creating many fake identities and the illusion of numerous contributors to influence MCS-based functionality, pose a significant threat. MCS systems need security, including mechanisms to vet incoming users and prevent the introduction of Sybil nodes. Intuitively, each incoming contributor can be verified to be an actual device near other devices by other newcomers and contributors already part of the MCS system. We propose a novel cooperative MCS user presence verification protocol based on this idea, also ensuring users are physically present in locations relevant to the MCS tasks. The protocol leverages a commodity component, Bluetooth, with each user broadcasting to prove their presence to users listening and recording Received Signal Strength Indicator (RSSI) values in multiple randomized rounds. The presence verification is done by a simple server tasked with registering users and orchestrating the protocol based on the collected information. The protocol identifies a broadcast signal on behalf of multiple users, indicating a potential Sybil behavior. We conduct extensive simulations to evaluate the performance of the proposed method, demonstrating its ability to find Sybils with high accuracy even when Sybils are nearly the majority in the protocol session.

Place, publisher, year, edition, pages
Association for Computing Machinery (ACM), 2024
Keywords
mobile crowdsensing, presence verification, sybil attacks
National Category
Communication Systems; Telecommunications; Computer Systems; Computer Engineering
Identifiers
urn:nbn:se:kth:diva-359254 (URN); 10.1145/3690134.3694826 (DOI); 001446079600012 (); 2-s2.0-85215532056 (Scopus ID)
Conference
6th Workshop on CPS and IoT Security and Privacy, CPSIoTSec 2024, Salt Lake City, United States of America, October 14-18, 2024
Note

Part of ISBN 9798400712449

QC 20250131

Available from: 2025-01-29. Created: 2025-01-29. Last updated: 2025-05-28. Bibliographically approved
Liu, W. & Papadimitratos, P. (2024). Extending RAIM with a Gaussian Mixture of Opportunistic Information. In: Proceedings of the 2024 International Technical Meeting of The Institute of Navigation. Paper presented at 2024 International Technical Meeting of The Institute of Navigation, January 23 - 25, 2024, Long Beach, California (pp. 454-466).
2024 (English). In: Proceedings of the 2024 International Technical Meeting of The Institute of Navigation, 2024, p. 454-466. Conference paper, Published paper (Refereed)
Abstract [en]

Global navigation satellite systems (GNSS) are indispensable for various applications, but they are vulnerable to spoofing attacks. The original receiver autonomous integrity monitoring (RAIM) was not designed for securing GNSS. In this context, RAIM was extended with wireless signals, termed signals of opportunity (SOPs), or onboard sensors, typically assumed benign. However, attackers might also manipulate wireless networks, raising the need for a solution that considers untrustworthy SOPs. To address this, we extend RAIM by incorporating all opportunistic information, i.e., measurements from terrestrial infrastructures and onboard sensors, culminating in one function for robust GNSS spoofing detection. The objective is to assess the likelihood of GNSS spoofing by analyzing locations derived from extended RAIM solutions, which include location solutions from GNSS pseudorange subsets and wireless signal subsets of untrusted networks. Our method comprises two pivotal components: subset generation and location fusion. Subsets of ranging information are created and processed through positioning algorithms, producing temporary locations. Onboard sensors provide speed, acceleration, and attitude data, aiding in location filtering based on motion constraints. The filtered locations, modeled with uncertainty, are fused into a composite likelihood function normalized for GNSS spoofing detection. Theoretical assessments of GNSS-only and multi-infrastructure scenarios under uncoordinated and coordinated attacks are conducted. The detection of these attacks is feasible when the number of benign subsets exceeds a specific threshold. A real-world dataset from the Kista Science City area is used for experimental validation. Comparative analysis against baseline methods shows a significant improvement in detection accuracy achieved by our Gaussian Mixture RAIM approach. Moreover, we discuss leveraging RAIM results for plausible location recovery. 
The theoretical analysis and experimental validation underscore the efficacy of our spoofing detection approach. 

National Category
Engineering and Technology
Identifiers
urn:nbn:se:kth:diva-350552 (URN); 10.33012/2024.19544 (DOI); 2-s2.0-85191243122 (Scopus ID)
Conference
2024 International Technical Meeting of The Institute of Navigation, January 23 - 25, 2024, Long Beach, California 
Note

QC 20240717

Available from: 2024-07-16. Created: 2024-07-16. Last updated: 2024-07-17. Bibliographically approved
Jin, H., Zhou, Z. & Papadimitratos, P. (2024). Future-proofing Secure V2V Communication against Clogging DoS Attacks. In: ARES 2024 - 19th International Conference on Availability, Reliability and Security, Proceedings. Paper presented at 19th International Conference on Availability, Reliability and Security, ARES 2024, Vienna, Austria, Jul 30 2024 - Aug 2 2024. Association for Computing Machinery (ACM), Article ID 94.
2024 (English). In: ARES 2024 - 19th International Conference on Availability, Reliability and Security, Proceedings, Association for Computing Machinery (ACM), 2024, article id 94. Conference paper, Published paper (Refereed)
Abstract [en]

Clogging Denial of Service (DoS) attacks have disrupted or disabled various networks, in spite of security mechanisms. External adversaries can severely harm networks, especially when high-overhead security mechanisms are deployed in resource-constrained systems. This can be especially true in the emerging standardized secure Vehicular Communication (VC) systems: mandatory message signature verification can be exploited to exhaust resources and prevent validating incoming messages sent by neighboring vehicles, information that is critical, often, for transportation safety. Efficient message verification schemes and better provisioned devices could serve as potential remedies, but existing solutions have limitations. We point out those and identify challenges to address for scalable and resilient secure Vehicular Communication (VC) systems, and, most notably, the need for integrating defense mechanisms against clogging Denial of Service (DoS) attacks. We take the position that existing secure Vehicular Communication (VC) protocols are vulnerable to clogging Denial of Service (DoS) attacks and recommend symmetric key chain based pre-validation with mandatory signature verification to thwart clogging Denial of Service (DoS) attacks, while maintaining all key security properties, including non-repudiation to enable accountability.

Place, publisher, year, edition, pages
Association for Computing Machinery (ACM), 2024
Keywords
privacy, pseudonymous authentication, Security, vehicular communication
National Category
Communication Systems; Computer Sciences
Identifiers
urn:nbn:se:kth:diva-351968 (URN); 10.1145/3664476.3670932 (DOI); 2-s2.0-85200338275 (Scopus ID)
Conference
19th International Conference on Availability, Reliability and Security, ARES 2024, Vienna, Austria, Jul 30 2024 - Aug 2 2024
Note

Part of ISBN 9798400717185

QC 20240830

Available from: 2024-08-19. Created: 2024-08-19. Last updated: 2024-08-30. Bibliographically approved