MARCO SIMONI

PhD Graduate

PhD program: XXXVIII


supervisor: Andrea Saracino
co-supervisor: Paolo Mori

Thesis title: Toward Reliable and Adaptive Large Language Models in the Cybersecurity Domain

Large Language Models (LLMs) exhibit not only strong reasoning abilities but also a remarkable capacity for decision support in knowledge-intensive domains; however, applying them to cybersecurity demands reliability, interpretability, and continuous adaptability, qualities that general-purpose models still lack. This work aims to make LLMs reliable and adaptive tools across five interconnected domains that span the entire cybersecurity lifecycle: malware and threat analysis, cyber threat intelligence, vulnerability detection, access control, and misinformation. The research begins by employing Transformer models to learn behavioral patterns encoded in API call sequences. Although these models perform well in detecting and categorizing malicious activity, they struggle to capture higher-level semantic relationships between threats, tactics, and defences. To address this limitation, the work introduces knowledge graphs that connect malware samples, attack techniques, vulnerabilities, and countermeasures, enabling dynamic updates and multi-hop connections across entities. Building on this, a retrieval-augmented assistant is developed to integrate both structured graph data and unstructured textual sources, thereby reducing hallucinations and improving factual reliability. The system is then extended with specialized, task-oriented modules that translate analytical insight into operational capability: a reinforcement learning–based vulnerability detector, a natural language translator for access control policy generation, and a misinformation engine for both generation and detection. Finally, the thesis focuses on improving the reasoning process itself, introducing methods that generate more concise, stable, and interpretable output while reducing computational cost.
Overall, the research demonstrates that reliability in cybersecurity does not arise from a single universal model but from an ecosystem of task-aware LLMs built on structured knowledge, retrieval, and optimized reasoning.

Research products

11573/1752442 - 2026 - On-device derivation of IoT usage control policies: Automating U-XACML policy generation from natural language with LLMs in smart homes environments
Alajramy, Loay; Simoni, Marco; Rasori, Marco; Saracino, Andrea; Mori, Paolo - 01a Journal article
paper: FUTURE GENERATION COMPUTER SYSTEMS (Elsevier BV) - issn: 0167-739X - wos: WOS:001591206400001 (0) - scopus: 2-s2.0-105013685403 (0)

11573/1752452 - 2026 - Cybersecurity with LLMs and RAGs: Challenges and Innovations
Simoni, Marco; Saracino, Andrea - 02a Chapter or Article
book: Lecture Notes of the Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering, LNICST - (9783031944574; 9783031944581)

11573/1752464 - 2025 - Unmasking Model Behavior: How LLMs Reason on Vulnerability Detection
Fontana, Aleksandar; Simoni, Marco - 02a Chapter or Article
book: Lecture Notes in Computer Science - (9783032006387; 9783032006394)

11573/1752449 - 2025 - Leveraging Knowledge Graphs and LLMs for Structured Generation of Misinformation
Nayab, Sania; Simoni, Marco; Rossolini, Giulio - 02a Chapter or Article
book: International Conference on Availability, Reliability and Security - (9783032006387; 9783032006394)

11573/1752441 - 2025 - MATRIX: A Comprehensive Graph-Based Framework for Malware Analysis and Threat Research
Simoni, Marco; Saracino, Andrea - 02a Chapter or Article
book: Proceedings of the International Conference on Security and Cryptography

11573/1752435 - 2025 - MoRSE: Bridging the Gap in Cybersecurity Expertise with Retrieval Augmented Generation
Simoni, Marco; Saracino, Andrea; P, Vinod; Conti, Mauro - 02a Chapter or Article
book: Proceedings of the ACM Symposium on Applied Computing

11573/1724719 - 2023 - Graph-Based Android Malware Detection and Categorization through BERT Transformer
Saracino, Andrea; Simoni, Marco - 04b Conference paper in volume
conference: ARES 2023 (Benevento; Italy)
book: ARES '23: Proceedings of the 18th International Conference on Availability, Reliability and Security - (979-8-4007-0772-8)

© Università degli Studi di Roma "La Sapienza" - Piazzale Aldo Moro 5, 00185 Roma