Barbara Carminati

Christian Rondanini, Barbara Carminati, Elena Ferrari et al.

The proliferation of edge devices has created an urgent need for security solutions capable of detecting malware in real time while operating under strict computational and memory constraints. Recently, Large Language Models (LLMs) have demonstrated remarkable capabilities in recognizing complex patterns, yet their deployment on edge devices remains impractical due to their resource demands. However, in edge malware detection, static or centrally retrained models degrade under evolving threats and heterogeneous traffic; locally trained models become siloed and fail to transfer across domains. To overcome these limitations, in this paper, we present a continuous learning architecture for edge-based malware detection that combines local adaptation on each device with global knowledge sharing through parameter-efficient LoRA adapters. Lightweight transformer models (DistilBERT, DistilGPT-2, TinyT5) run on edge nodes and are incrementally fine-tuned on device-specific traffic; only the resulting LoRA modules are aggregated by a lightweight coordinator and redistributed, enabling cross-device generalization without exchanging raw data. We evaluate on two public IoT security datasets, Edge-IIoTset and TON-IoT, under multi-round learning to simulate evolving threats. Compared to isolated fine-tuning, the LoRA-based exchange yields up to 20-25% accuracy gains when models encounter previously unseen attacks from another domain, while maintaining stable loss and F1 across rounds. LoRA adds less than 1% to model size (~0.6-1.8 MB), making updates practical for constrained edge hardware.

Tran Thanh Lam Nguyen, Edoardo Di Tullio, Barbara Carminati et al.

Mobile apps offer significant benefits, but their privacy protections often remain ineffective and confusing for users. While prior work mainly analyzes app privacy vulnerabilities, few approaches help users understand, set, and enforce their privacy preferences. This paper presents PrivacyAssist, a multi-agent LLM-based platform that detects inconsistencies between user-granted permissions and developers' declared sensitive data collection and sharing practices. Using Retrieval-Augmented Generation (RAG), PrivacyAssist provides concise explanations and real-time on-device warnings to support informed installation decisions. We evaluate PrivacyAssist with 200 users and 2,347 Android apps, finding that only 16% of apps are fully consistent between granted permissions and declared data practices.

Christian Rondanini, Barbara Carminati, Elena Ferrari et al.

The rapid evolution of malware attacks calls for the development of innovative detection methods, especially in resource-constrained edge computing. Traditional detection techniques struggle to keep up with modern malware's sophistication and adaptability, prompting a shift towards advanced methodologies like those leveraging Large Language Models (LLMs) for enhanced malware detection. However, deploying LLMs for malware detection directly at edge devices raises several challenges, including ensuring accuracy in constrained environments and addressing edge devices' energy and computational limits. To tackle these challenges, this paper proposes an architecture leveraging lightweight LLMs' strengths while addressing limitations like reduced accuracy and insufficient computational power. To evaluate the effectiveness of the proposed lightweight LLM-based approach for edge computing, we perform an extensive experimental evaluation using several state-of-the-art lightweight LLMs. We test them with several publicly available datasets specifically designed for edge and IoT scenarios and different edge nodes with varying computational power and characteristics.

Tran Thanh Lam Nguyen, Barbara Carminati, Elena Ferrari

Modern life has witnessed the explosion of mobile devices. However, besides the valuable features that bring convenience to end users, security and privacy risks still threaten users of mobile apps. The increasing sophistication of these threats in recent years has underscored the need for more advanced and efficient detection approaches. In this chapter, we explore the application of Large Language Models (LLMs) to identify security risks and privacy violations and mitigate them for the mobile application ecosystem. By introducing state-of-the-art research that applied LLMs to mitigate the top 10 common security risks of smartphone platforms, we highlight the feasibility and potential of LLMs to replace traditional analysis methods, such as dynamic and hybrid analysis of mobile apps. As a representative example of LLM-based solutions, we present an approach to detect sensitive data leakage when users share images online, a common behavior of smartphone users nowadays. Finally, we discuss open research challenges.

Gokhan Sagirlar, Barbara Carminati, Elena Ferrari

In general, a botnet is a collection of compromised internet computers, controlled by attackers for malicious purposes. To increase attacks' success chance and resilience against defence mechanisms, modern botnets have often a decentralized P2P structure. Here, IoT devices are playing a critical role, becoming one of the major tools for malicious parties to perform attacks. Notable examples are DDoS attacks on Krebs on Security and DYN, which have been performed by IoT devices part of botnets. We take a first step towards detecting P2P botnets in IoT, by proposing AutoBotCatcher, whose design is driven by the consideration that bots of the same botnet frequently communicate with each other and form communities. As such, the purpose of AutoBotCatcher is to dynamically analyze communities of IoT devices, formed according to their network traffic flows, to detect botnets. AutoBotCatcher exploits a permissioned Byzantine Fault Tolerant (BFT) blockchain, as a state transition machine that allows collaboration of a set of pre-identified parties without trust, in order to perform collaborative and dynamic botnet detection by collecting and auditing IoT devices' network traffic flows as blockchain transactions. In this paper, we focus on the design of the AutoBotCatcher by first defining the blockchain structure underlying AutoBotCatcher, then discussing its components.

Gokhan Sagirlar, Barbara Carminati, Elena Ferrari

Internet of Things (IoT) is now evolving into a loosely coupled, decentralized system of cooperating smart objects, where high- speed data processing, analytics and shorter response times are becoming more necessary than ever. Such decentralization has a great impact on the way personal information generated and consumed by smart objects should be protected, because, without centralized data management, it is more difficult to control how data are combined and used by smart objects. To cope with this issue, in this paper, we propose a framework where users of smart objects can specify their privacy preferences. Compliance check of user individual privacy preferences is performed directly by smart objects. Moreover, acknowledging that embedding the enforcement mechanism into smart objects implies some overhead, we have extensively tested the proposed framework on different scenarios, and the obtained results show the feasibility of our approach.