
Dr. Marco Balduzzi holds a Ph.D. in applied IT security from Télécom ParisTech and an M.Sc. in computer engineering from the University of Bergamo. His interests cover all aspects of computer security, with particular emphasis on real problems that affect systems and networks. Some topics of interest are web and browser security, vulnerability detection, code analysis, cybercrime in general, privacy in social networks, threats related to new technologies, and finally botnets and malware detection.

Marco has been involved in IT security since 2002, with international experience in both industry and academia. He previously worked as a consultant and engineer for different global companies before joining Trend Micro as a senior research scientist. He has published in important peer-reviewed academic conferences and given talks at all the major security conferences in the industry. His work in applied security is often recognized and published by important media worldwide.

Over the last years, he has served on the review committees of conferences, workshops and journals. Being a Free Software sympathizer, he has been involved in open-source projects and underground hacking communities, mainly during his studies. Nowadays he's more into climbing, and research, of course :)

* You can contact me via email at name.surname<at>this_domain, LinkedIn or Twitter.





List of publications: DBLP, Google Scholar

"Real-Time Detection of Malware Downloads via Large-Scale URL->File->Machine Graph Mining"
Babak Rahbarinia, Marco Balduzzi and Roberto Perdisci
The 11th ACM Asia Conference on Computer and Communications Security
AsiaCCS 2016, Xi'an, China, May 30 - June 3 2016
[ abstract, pdf, slides ]

"MobiPot: Understanding Mobile Telephony Threats with Honeycards"
Marco Balduzzi, Payas Gupta, Lion Gu, Debin Gao and Mustaque Ahamad
The 11th ACM Asia Conference on Computer and Communications Security
AsiaCCS 2016, Xi'an, China, May 30 - June 3 2016
[ abstract, pdf ]

"Automatic Extraction of Indicators of Compromise for Web Application"
Onur Catakoglu, Marco Balduzzi, Davide Balzarotti
The 25th International World Wide Web Conference
WWW 2016, Montreal, Canada, April 11-15 2016

[ abstract, pdf, slides ]

"A Security Evaluation of AIS, Automated Identification System"
Marco Balduzzi, Alessandro Pasta, Kyle Wilhoit
The 30th Annual Computer Security Applications Conference
ACSAC 2014, New Orleans, Louisiana, USA, December 8-12 2014

[ abstract, pdf, bib, slides, sourcecode ]

"Soundsquatting: Uncovering the use of homophones in domain squatting" (Best Paper Award)
Nick Nikiforakis, Marco Balduzzi, Lieven Desmet, Frank Piessens, Wouter Joosen
The 17th Information Security Conference
ISC 2014, Hong Kong, October 12-14 2014

[ abstract, pdf, bib, slides ]

"Automated Measurements of Novel Internet Threats [Paperback]"
Dr. Marco Balduzzi
LAP LAMBERT Academic Publishing, ISBN 978-3-659-41582-1, 120 pages, July 20 2013
[ description, book, bib, cover ]

"Targeted Attacks Detection With SPuNge"
Marco Balduzzi, Vincenzo Ciangaglini, Robert McArdle
The 11th Annual Conference on Privacy, Security and Trust
PST 2013, Tarragona, Catalonia, July 10-12 2013

[ abstract, pdf, bib ]

"The Role of Phone Numbers in Understanding Cyber-Crime Schemes"
Andrei Costin, Jelena Isacenkova, Marco Balduzzi, Aurélien Francillon, Davide Balzarotti
The 11th Annual Conference on Privacy, Security and Trust
PST 2013, Tarragona, Catalonia, July 10-12 2013

[ abstract, pdf, bib ]

"The role of phone numbers in understanding cyber-crime (technical report)"
Andrei Costin, Jelena Isacenkova, Marco Balduzzi, Aurélien Francillon, Davide Balzarotti
EURECOM Research Report RR-13-277, February 2013
[ abstract, pdf, bib ]

"Web Application Security, Dagstuhl Seminar 12401 (conference report)"
Lieven Desmet, Martin Johns, Benjamin Livshits, Andrei Sabelfeld
Schloss Dagstuhl, 30/09/12 - 05/10/12
[ abstract, pdf, bib ]

"A Security Analysis of Amazon's Elastic Compute Cloud Service"
Marco Balduzzi, Jonas Zaddach, Davide Balzarotti, Engin Kirda, Sergio Loureiro
The 11th Edition of the Computer Security track at the 27th ACM Symposium on Applied Computing
SEC@SAC 2012, Trento, Italy, March 26-30 2012

[ abstract, pdf, bib, press (forbes| infoWorld| ZDNet) ]

"Reverse Social Engineering Attacks in Online Social Networks"
Danesh Irani, Marco Balduzzi, Davide Balzarotti, Engin Kirda, Calton Pu
The 8th Conference on Detection of Intrusions and Malware & Vulnerability Assessment
DIMVA 2011, Amsterdam, The Netherlands, July 7-8 2011

[ abstract, pdf, bib, slides ]

"Exposing the Lack of Privacy in File Hosting Services"
Nick Nikiforakis, Marco Balduzzi, Steven Van Acker, Wouter Joosen, Davide Balzarotti
The 4th Usenix Workshop on Large-Scale Exploits and Emergent Threats
LEET 2011, Boston, US, March 29 2011

[ abstract, pdf, bib, slides, press (the register| slashdot) ]

"Automated Discovery of Parameter Pollution Vulnerabilities in Web Applications" (Best Paper Award)
Marco Balduzzi, Carmen Torrano Gimenez, Davide Balzarotti, Engin Kirda
The 18th Annual Network and Distributed System Security Symposium
NDSS 2011, San Diego, US, February 6-9 2011

[ abstract, pdf, bib ]

"EXPOSURE: Finding Malicious Domains Using Passive DNS Analysis"
Leyla Bilge, Engin Kirda, Christopher Kruegel, Marco Balduzzi
The 18th Annual Network and Distributed System Security Symposium
NDSS 2011, San Diego, US, February 6-9 2011

[ abstract, pdf, bib, slides ]

"A Summary of Two Practical Attacks against Social Networks (invited paper)"
Leyla Bilge, Marco Balduzzi, Davide Balzarotti, Engin Kirda
The 21st Tyrrhenian Workshop on Digital Communications: Trustworthy Internet
Island of Ponza, Italy, September 6-8 2010

[ abstract, bib ]

"Abusing Social Networks for Automated User Profiling"
Marco Balduzzi, Christian Platzer, Thorsten Holz, Engin Kirda, Davide Balzarotti and Christopher Kruegel
The 13th International Symposium on Recent Advances in Intrusion Detection
RAID 2010, Ottawa, Canada, September 15-17 2010

[ abstract, pdf, bib, slideshare ]

"Security by virtualization: A novel antivirus for personal computers [Paperback]"
Marco Balduzzi
VDM Verlag Dr. Müller e.K., ISBN 978-3-639-25624-6, Paperback, 104 pages, May 7 2010
[ description, book, bib, cover ]

"Take a Deep Breath: a Stealthy, Resilient and Cost-Effective Botnet Using Skype"
Antonio Nappa, Aristide Fattori, Marco Balduzzi, Matteo Dell'Amico and Lorenzo Cavallaro
The 7th Conference on Detection of Intrusions and Malware & Vulnerability Assessment
DIMVA 2010, Bonn, Germany, July 8-9 2010

[ abstract, pdf, bib, slides ]

"A Solution for the Automated Detection of Clickjacking Attacks"
Marco Balduzzi, Manuel Egele, Engin Kirda, Davide Balzarotti, Christopher Kruegel
The 5th ACM Symposium on Information, Computer and Communications Security
AsiaCCS 2010, Beijing, China, April 13-16 2010

[ abstract, pdf, bib ]


Academic Conferences

  • AsiaCCS 2016, Xi'an, China
  • WWW 2016, Montreal, Canada
  • ACSAC 2014, New Orleans, US
  • ISC 2014, Hong Kong
  • BTIA 2014, Summer School, Cagliari, Italy
  • PST 2013, Tarragona, Spain
  • Schloss Dagstuhl, Web Application Security Seminar 2012, Saarbrucken, Germany
  • SEC@SAC 2012, Trento, Italy
  • DIMVA 2011, Amsterdam, NL
  • LEET 2011, Boston, US
  • NDSS 2011, San Diego, US
  • RAID 2010, Ottawa, Canada
  • DIMVA 2010, Bonn, Germany
  • AsiaCCS 2010, Beijing, China

Hacking Conferences

Black Hat Europe 2016, London, UK - 1-4/11/2016
Traditional AV Is Dead? Real-Time Machine-Learning Detection of Modern Malware Downloads (sponsored talk) [ abstract ]
Machine-Learning Use and Validation of Indicators of Compromise for Early Detection (sponsored talk) [ abstract ]

HackInBo, Bologna, Italy - 14-15/05/2016 (invited talk) [ video recording ]

Automatic Extraction of Indicators of Compromise for Web Application. RuhrSec, Bochum (Germany) - 29/04/2016 (invited talk)
[ slides (slideshare), photos, video recording ]

Cybercrime In The DeepWeb:
- OWASP NL Chapter Event (invited talk)
- Black Hat Europe 2015, Amsterdam, Netherlands - 12/11/2015 [ abstract, slides (slideshare), video recording ]
- Hack In The Box 2015 (HITB GSEC), Singapore - 15/10/2015 [ abstract, video recording, press (Motherboard VICE) ]

Targeted attacks detection and investigations. ISACA and OWASP Conference, Mestre, Italy - 07/10/2015 (keynote talk) [abstract]
Security Summit, Milan, Italy - 17/03/2015 (invited talk)

AIS Exposed. New vulnerabilities and attacks. Hack In The Box 2014 (HITB AMS), Amsterdam, Netherlands - 28/05/2014
[ abstract, slides (slideshare), press (PCWorld | CHE FUTURO) ]

AIS Exposed. Understanding Vulnerabilities and Attacks 2.0, Black Hat Asia, Singapore - 27/03/2014
[ abstract, video recording ]

ISACA and OWASP Conference, Venice, Italy - 03/10/2014 (invited talk)
The Vessel Tracking & Monitoring Conference, London, UK - 27/02/2014
Security Summit, Milan, Italy - 18/03/2014 (invited talk)

Hey Captain, Where’s Your Ship? Attacking Vessel Tracking Systems for Fun and Profit, Hack In The Box 2013 (HITB KUL), Kuala Lumpur, Malaysia - 16/10/2013
[ abstract, slides (slideshare), press (ABC News | Net Security | MIT Technology Review | Softpedia) ]

HTTP(S)-Based Clustering for Assisted Cybercrime Investigations
- OWASP AppSec Research Europe 2013, Hamburg, Germany - 22/08/2013 [ abstract, slides (slideshare), video recording ]
- OWASP Italy @ Security Summit 2014, Milan, Italy - 18/03/2014

Cutting-edge research in system security, OWASP Italy Day 2012, Rome, Italy - 23/11/2012 (invited talk)
[ slides ]

SatanCloud: Un Viaje por los Riesgos a la Privacidad y Seguridad del Cloud Computing
- SECURITY-ZONE 2012, Cali, Colombia - 06/12/2012 (invited talk) [abstract]
- 8dot8 Computer Security Conference 2012, Santiago, Chile - 18/10/2012 (invited talk) [abstract, press (El Mercurio)]

SatanCloud: A Journey Into the Privacy and Security Risks of Cloud Computing, Hack In The Box 2012 (HITB AMS), Amsterdam, Netherlands - 25/05/2012
[ abstract, slides (slideshare), video recording ]

A journey into the privacy and security risks of a cloud computing service, Black Hat Webcast Series, April 2012 - 19/04/2012 (invited talk)
[ abstract, slides ]

Detección Automática de vulnerabilidades HPP en aplicaciones Web
- SECURITY-ZONE 2011, Cali, Colombia - 28/11/2011 (invited talk) [ abstract ]
- 8dot8 Computer Security Conference, Santiago, Chile - 18/11/2011 [ abstract, press (yahoo!) ]

Attacking the Privacy of Social Network Users, Hack In The Box 2011 (HITB KUL), Kuala Lumpur, Malaysia - 11/10/2011
[ abstract, slides (slideshare), video recording, press ]

Automated Detection of HPP Vulnerabilities in Web Applications, Black Hat USA 2011, Las Vegas, NV - 04/08/2011
[ abstract, slides v.03 ]

The (in)security of File Hosting Services, OWASP Netherlands Chapter Meeting, Amsterdam - 06/07/2011 (invited talk)
[ abstract, slides (pdf) ]

Emerging Attacks on Social Networks, FORTINET, Sophia-Antipolis - 30/06/2011 (invited talk)

HPP v.02, Black Hat Webcast Series, May 2011 - 25/05/2011 (invited talk)
[ abstract + registration, slides v.02 ]

Building Large Scale Detectors for Web-based Malware (Cova, Canali), OWASP AppSec Europe 2011, Dublin, Ireland - 09/07/2011
[ Conference Page, slides (pdf) ]

HTTP Parameter Pollution, Swiss Cyber Storm 2011, Rapperswil, Switzerland - 12/05/2011
[ abstract, video recording ]

Security Info Session, SAP - 27/04/2011 (invited talk)

CSI Filter 3, Computer Security Institute - 07/04/2011 (invited talk)
[ program ]

HTTP Parameter Pollution Vulnerabilities in Web Applications, Black Hat Europe 2011, Barcelona, Spain - 17/03/2011
[ abstract, whitepaper, slides (pdf), slides (slideshare), press (forbes | la stampa) ]

Clickjacking, OWASP BeNeLux 2010, Eindhoven, Netherlands - 02/11/2010 (invited talk)
[ pdf, odp, html ]

New Insights into Clickjacking, OWASP AppSec Research Europe 2010, Stockholm, Sweden - 24/06/2010
[ pdf, odp, html, slideshare, video recordings (1, 2) ]

Security by Virtualization, Metro Olografix Hacking Party, Pescara, Italy - 19/05/2007
[ pdf ]

Network multimedia with GNU/Linux, LinuxDay @ School by BgLUG, Val Seriana, Italy - 04/03/2006
[ pdf sxi ]

Secure networking with GNU/Linux, LinuxDay 2005, Bergamo, Italy - 26/11/2005
[ pdf sxi html recording-mp3 ]

Introduction to software development in the GNU/Linux environment (particular references to C language), Version 0.2, LinuxDay 2004, Bergamo, Italy - 27/11/2004
[ pdf sxi html ]

Risks and insecurities of IT infrastructures, SatEXPO 2004, Vicenza, Italy - 30/09/2004
[ pdf sxi html ]

Techniques for prevention, protection and identification of IT attacks, SatEXPO 2004, Vicenza, Italy - 30/09/2004
[ pdf sxi html ]

Introduction to software development in the GNU/Linux environment (particular references to C language), MOCA 2004, Pescara, Italy - 21/05/2004
[ pdf sxi html ]

Network programming with libpcap and libnet, Webb.it 2004, Padova, Italy - 06/05/2004
[ pdf sxi html example-sources ]

Security analysis of routing protocols, Security Date 2004, Ancona, Italy - 29/04/2004
[ pdf sxi html ]

Intrusion Detection Systems (IDS): state of art and research, HackMeeting 2004, Genova, Italy - 02/04/2004
[ pdf html ]

Security of the GNU/Linux operating systems, Linuxday 2003, Bergamo, Italy - 29/11/2003
[ pdf ]

Low-level network programming with libpcap and libnet, HackMeeting 2003, Torino, Italy - 20/06/2003
[ pdf sxi html example-sources ]


Supervised students and collaborations

  • 2014, Babak Rahbarinia, Malware Modeling and Detection -- Prof. at Auburn University Montgomery
  • 2014, Onur Catakoglu, Web Security -- Ph.D. with EURECOM
  • 2013, Maurizio Abba', Web Security -- now with LastLine Inc.
  • 2012, Mariano Graziano, Malware Analysis -- Ph.D. with EURECOM
  • 2011, Dario Ghilardi, Web Security (static analysis techniques) -- now with WebRain Inc.

White-Papers and Additional

  • Below the Surface: Exploring the Deep Web (Trend Micro WP) [ pdf ]
  • (IN)SECURE Magazine #40, Digital ship pirates: Researchers crack vessel tracking system [ pdf ]
  • Hakin9 Issue 7/2011 on Web App Security, HTTP Parameter Pollution Vulnerabilities in Web Applications [ download ]
  • Hakin9 Issue Exploiting Software 1/2011, Smashing the Stack 1 [ download ]
  • Hakin9 Issue Exploiting Software 2/2011, Smashing the Stack 2 [ download ]
  • On the Influence of Free Software on Code Reuse in Software Development
  • How the virus Remote Shell Trojan (RST) works


Here's a list of "old school" material that I produced several years ago, during the free time of my studies ... :-)
  • Nast: Packet sniffer and LAN analyzer based on Libnet and Libpcap. It can sniff packets on a network interface in normal or promiscuous mode and log them. It dumps packet headers and payloads in ASCII or ASCII-hex format. You can apply a filter. The sniffed data can be saved to a separate file. As an analyzer tool, it has many features: building a list of LAN hosts, following a TCP data stream, finding LAN internet gateways, discovering promiscuous nodes, resetting an established connection, performing single and multi half-open port scans, finding the link type, catching daemon banners of LAN nodes, checking ARP answers to discover possible ARP spoofing, byte counting, applying optional filters and writing report logs. [ homepage screenshots ]
  • Gspoof: Tool that makes building and sending TCP/IP packets easier and more accurate. It works from the console (command line) and also has an easy-to-use graphical interface written in GTK+. You can add a payload, send multiple packets specifying delay and number, enable explicit congestion notification support and much more. [ homepage screenshots ]
  • Vida: A multi-datapipe handler, written in C with the ncurses library, for Unix and Unix-like OSes. [ homepage ]
  • UmL: Userspace logger that does not require r00t privileges. It works by hijacking libc functions, as described by halflife in "Shared Library Redirection" (Phrack 51). UmL logs read()/recv() output and intercepts open(), open64(), close(), socket(), connect(), exit(). There are many other important functions, like recvfrom()/recvmsg(), fopen(), write(), etc.; this code is only a proof of concept ;-)
  • SS: A simple stupid multi-server, very useless stuff :^) Written as training for script-kiddies, just funny code :pP
  • IPGenerator: An IP-list generator (/16 netmask) and an IP parser for nmap -oG output.
  • The MCL suite: scanner, parser, translator to C-language and compiler. The MCL language was developed for the university project of "languages and compiler" (and the "M" stands for the initials of its developers!). MCL is a compact and syntactically clean language for writing math expressions and procedures in a simple and fast way. It supports functions, the while iteration, the if test, global and local variables, input and output, comments and other crazy features :-).
    The package contains a reference paper (in Italian), the parser (mcl.l) and the scanner (mcl.y), the scripts to build the translator to C-language and the compiler.
  • Linux VNC-4.1.1 evil client patch - BID 17978: Patch to exploit the VNC vulnerability 17978, which allows logging into the server with NULL authentication even though a password is required. Read my BugTraq post.

Underground Groups

  • 2600 The Hacker Quarterly: huge American Hacker movement.
  • Chaos Computer Club: famous German Hacker group that periodically organizes international meetings.
  • Phrack.org: a Hacker magazine by the community, for the community.
  • THC The Hacker's Choice: international group of experts active in Information Security since 1995.
  • Softproject: Italian non-profit association involved in Information Security. It publishes the BFi magazine.

Security Resources

  • BugTraq: full disclosure moderated mailing list for the detailed discussion and announcement of computer security vulnerabilities: what they are, how to exploit them, and how to fix them.
  • Packet Storm: non-profit organization of security professionals that offers an abundant resource of up-to-date and historical security tools, exploits, and advisories.
  • Security Focus: international website that offers a huge database of advisories and exploits.

Linux related resources: