Dorjan Hitaj

MaleficNet: Hiding Malware into Deep Neural Networks using Spread-Spectrum Channel Coding 

Dorjan Hitaj, Giulio Pagnotta, Briland Hitaj, Luigi V. Mancini, Fernando Perez-Cruz

The training and development of good deep learning models is often a challenging task, thus leading individuals (developers, researchers, and practitioners alike) to use third-party models residing in public repositories, fine-tuning these models to their needs usually with little-to-no effort. Despite its’ undeniable benefits, this practice can lead to new attack vectors. In this paper, we demonstrate the feasibility and effectiveness of one such attack, namely malware embedding in deep learning models. We push the boundaries of current state-of-the-art by introducing MaleficNet, a technique that combines spread-spectrum channel coding with error correction techniques, injecting malicious payloads in the parameters of deep neural networks, all while causing no degradation to the model’s performance and successfully bypassing state-of-the-art detection and removal mechanisms. We believe this work will raise awareness against these new, dangerous, camouflaged threats, assist the research community and practitioners in evaluating the capabilities of modern machine learning architectures, and pave the way to research targeting the detection and mitigation of such threats.

Venue:  ESORICS 2022 [PDF] IEEE-Transactions on Dependable and Secure Computing 2025 (extended version) [PDF]

MAYA: Addressing Inconsistencies in Generative Password Guessing through a Unified Benchmark

William Corrias, Fabio De Gaspari, Dorjan Hitaj, Luigi V. Mancini

Recent advances in generative models have led to their application in password guessing, with the aim of replicating the complexity, structure, and patterns of human-created passwords. Despite their potential, inconsistencies and inadequate evaluation methodologies in prior research have hindered meaningful comparisons and a comprehensive, unbiased understanding of their capabilities. This paper introduces MAYA, a unified, customizable, plug-and-play benchmarking framework designed to facilitate the systematic characterization and benchmarking of generative password-guessing models in the context of trawling attacks. Through our evaluation, sequential models consistently outperform other generative architectures and traditional password-guessing tools, demonstrating unique capabilities in generating accurate and complex guesses. Moreover, the diverse password distributions learned by the models enable a multi-model attack that outperforms the best individual model. By releasing MAYA, we aim to foster further research, providing the community with a new tool to consistently and reliably benchmark generative password-guessing models.

Venue:  47th IEEE Symposium on Security and Privacy 2026 [PDF]

Minerva: A File-Based Ransomware Detector

Dorjan Hitaj, Giulio Pagnotta, Fabio De Gaspari, Lorenzo De Carli, Luigi V. Mancini

Ransomware attacks have caused billions of dollars in damages in recent years, and are expected to cause billions more in the future. Consequently, significant effort has been devoted to ransomware detection and mitigation. Behavioral-based ransomware detection approaches have garnered considerable attention recently. These behavioral detectors typically rely on process-based behavioral profiles to identify malicious behaviors. However, with an increasing body of literature highlighting the vulnerability of such approaches to evasion attacks, a comprehensive solution to the ransomware problem remains elusive. This paper presents Minerva, a novel, robust approach to ransomware detection. Minerva is engineered to be robust by design against evasion attacks, with architectural and feature selection choices informed by their resilience to adversarial manipulation. We conduct a comprehensive analysis of Minerva across a diverse spectrum of ransomware types, encompassing unseen ransomware as well as variants designed specifically to evade Minerva. Our evaluation showcases the ability of Minerva to accurately identify ransomware, generalize to unseen threats, and withstand evasion attacks. Furthermore, over 99% of detected ransomware are identified within 0.52sec of activity, enabling the adoption of data loss prevention techniques with near-zero overhead.

Venue: ACM ASIA Conference on Computer  and Communications Security ACM ASIACCS 2025  [PDF]

TATTOOED: A Robust Deep Neural Network Watermarking Scheme based on Spread-Spectrum Channel Coding

Giulio Pagnotta, Dorjan Hitaj, Briland Hitaj, Fernando Perez-Cruz, Luigi V. Mancini

The proliferation of deep learning applications in several areas has led to the rapid adoption of such solutions from an ever-growing number of institutions and companies. These entities' deep neural network (DNN) models are often trained on proprietary data. They require powerful computational resources, with the resulting DNN models being incorporated in the company's work pipeline or provided as a service. Being trained on proprietary information, these models provide a competitive edge for the owner company. At the same time, these models can be attractive to competitors (or malicious entities), which can employ state-of-the-art security attacks to obtain and use these models for their benefit. As these attacks are hard to prevent, it becomes imperative to have mechanisms that enable an affected entity to verify the ownership of its DNN with high confidence. This paper presents TATTOOED, a robust and efficient DNN watermarking technique based on spread-spectrum channel coding. TATTOOED has a negligible effect on the performance of the DNN model and is robust against several state-of-the-art mechanisms used to remove watermarks from DNNs. 

Venue: Annual Computer Security Applications Conference (ACSAC) 2024  [PDF]

DOLOS: A Novel Architecture for Moving Target Defense

Giulio Pagnotta, Fabio De Gaspari, Dorjan Hitaj, Mauro Andreolini, Michele Colajanni, Luigi V. Mancini.

Moving Target Defense and Cyber Deception emerged in recent years as two key proactive cyber defense approaches, contrasting with the static nature of the traditional reactive cyber defense. The key insight behind these approaches is to impose an asymmetric disadvantage for the attacker by using deception and randomization techniques to create a dynamic attack surface. Moving Target Defense (MTD) typically relies on system randomization and diversification, while Cyber Deception is based on decoy nodes and fake systems to deceive attackers. However, current Moving Target Defense techniques are complex to manage and can introduce high overheads, while Cyber Deception nodes are easily recognized and avoided by adversaries. This paper presents DOLOS, a novel architecture that unifies Cyber Deception and Moving Target Defense approaches. DOLOS is motivated by the insight that deceptive techniques are much more powerful when integrated into production systems rather than deployed alongside them. DOLOS combines typical Moving Target Defense techniques, such as randomization, diversity, and redundancy, with cyber deception and seamlessly integrates them into production systems through multiple layers of isolation. We extensively evaluate DOLOS against a wide range of attackers, ranging from automated malware to professional penetration testers, and show that DOLOS is effective in slowing down attacks and protecting the integrity of production systems.

Venue:  IEEE Transactions on Information Forensics and Security [PDF]

FedComm: Federated Learning as a Medium for Covert Communication

Dorjan Hitaj, Giulio Pagnotta, Briland Hitaj, Fernando Perez-Cruz, Luigi V. Mancini

This paper thoroughly investigates the communication capabilities of an FL scheme. In particular, we show that a party involved in the FL learning process can use FL as a covert communication medium to send an arbitrary message. We introduce FedComm, a novel covert-communication technique that enables robust sharing and transfer of targeted payloads within the FL framework. Our extensive theoretical and empirical evaluations show that FedComm provides a stealthy communication channel, with minimal disruptions to the training process. Our experiments show that FedComm, allowed us to successfully deliver 100% of a payload in the order of kilobits before the FL procedure converges. Our evaluation also shows that FedComm is independent of the application domain and the neural network architecture used by the underlying FL scheme.

Venue: IEEE Transactions on Dependable and Secure Computing 2023  [PDF]

The Naked Sun: Malicious Cooperation Between Benign-Looking Processes

Fabio De Gaspari, Dorjan Hitaj, Giulio Pagnotta, Lorenzo DeCarli, Luigi V. Mancini

Recent progress in machine learning has generated promising results in behavioral malware detection, which identifies malicious processes via features derived by their runtime behavior. Such features hold great promise as they are intrinsically related to the functioning of each malware, and are therefore difficult to evade. Indeed, while a significant amount of results exists on evasion of static malware features, evasion of dynamic features has seen limited work.

This paper thoroughly examines the robustness of behavioral ransomware detectors to evasion. Ransomware behavior tends to differ significantly from that of benign processes, making it a low-hanging fruit for behavioral detection (and a difficult candidate for evasion). Our analysis identifies a set of novel attacks that distribute the overall malware workload across a small set of cooperating processes to avoid the generation of significant behavioral features. Our most effective attack decreases the accuracy of a state-of-the-art detector from 98.6% to 0% using only 18 cooperating processes. Furthermore, we show our attacks to be effective against commercial ransomware detectors.

Venue: ACNS '20  [PDF], Extended journal publication: Neural Computing and Applications'22

Capture the Bot: Using Adversarial Examples to Improve CAPTCHA Robustness to Bot Attacks

Dorjan Hitaj, Briland Hitaj, Sushil Jajodia, Luigi V. Mancini

To date, CAPTCHAs have served as the first line of defense to prevent unauthorized access by (malicious) bots to web-based services, while at the same time maintaining a trouble-free experience for human visitors. However, recent work in the literature has shown that sophisticated bots using advancements in Machine Learning (ML) can easily bypass existing CAPTCHA-based defenses. This work introduces CAPTURE, a novel CAPTCHA scheme based on adversarial examples. Typically adversarial examples are used to lead an ML model astray. With CAPTURE, we attempt to make a “good use” of such mechanisms in order to increase the robustness and security of existing CAPTCHA schemes. Our empirical evaluations show that CAPTURE can produce CAPTCHA challenges that are easy for humans to solve, while at the same time, CAPTURE can effectively thwart sophisticated ML-based bot solvers.

Venue: IEEE Intelligent Systems'20  [PDF]