Multistep attacks, which involve multiple correlated intrusion activities to reach the intended target, are common in the current cybersecurity landscape. On the other hand, modern Network Intrusion Detection Systems (NIDS) are still designed to generate alerts related to single attacks, with no or minimal correlation between different security alerts. Hence the burden of correlating security alerts and reconstructing complete attack scenarios is placed entirely on system administrators.
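The correlation step left to the administrator can be illustrated with a small, added example (not code from this page or from our research prototype). It reads a handful of constructed single-attack alerts in a simplified "timestamp src dst signature" format and chains them into scenarios with an assumed link rule: two alerts belong to the same scenario when they are close in time and either concern the same attacker/victim pair or the new alert originates from the previous alert's victim (a compromised host pivoting onward). The format, the addresses and the link rule are assumptions of the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Alert:
    ts: datetime
    src: str
    dst: str
    sig: str


# Constructed sample alerts (not real NIDS output). Each line is a
# single-attack alert; nothing in the NIDS output relates one line to another.
RAW_ALERTS = """\
2023-01-01T10:00:00 198.51.100.7 192.0.2.10 portscan
2023-01-01T10:02:30 198.51.100.7 192.0.2.10 exploit_attempt
2023-01-01T10:03:10 192.0.2.10 192.0.2.20 lateral_login
2023-01-01T10:04:00 192.0.2.20 203.0.113.5 data_exfil
2023-01-01T11:30:00 198.51.100.9 192.0.2.33 portscan
"""


def parse_alerts(text: str) -> list[Alert]:
    """Parse the simplified alert format into Alert records."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, sig = line.split()
        alerts.append(Alert(datetime.fromisoformat(ts), src, dst, sig))
    return alerts


def linked(prev: Alert, cur: Alert, window: timedelta) -> bool:
    """Assumed link rule: same scenario if close in time and either the same
    flow (same attacker, same victim) or the new alert's source is the
    previous alert's destination, i.e. a compromised host pivoting onward."""
    if cur.ts - prev.ts > window:
        return False
    same_flow = cur.src == prev.src and cur.dst == prev.dst
    pivot = cur.src == prev.dst
    return same_flow or pivot


def correlate(alerts: list[Alert],
              window: timedelta = timedelta(minutes=10)) -> list[list[Alert]]:
    """Greedy correlation: walk alerts in time order and append each one to
    the most recent scenario it links to, otherwise start a new scenario."""
    scenarios: list[list[Alert]] = []
    for alert in sorted(alerts, key=lambda a: a.ts):
        for scenario in reversed(scenarios):
            if linked(scenario[-1], alert, window):
                scenario.append(alert)
                break
        else:
            scenarios.append([alert])
    return scenarios


def describe(scenario: list[Alert]) -> str:
    """Render a scenario as the chain of signatures it contains."""
    return " -> ".join(a.sig for a in scenario)


if __name__ == "__main__":
    for sc in correlate(parse_alerts(RAW_ALERTS)):
        print(f"{len(sc)} alert(s): {describe(sc)}")
```

On the constructed input the first four alerts collapse into one scenario (scan, exploit, lateral movement, exfiltration) while the later scan stays isolated; a real correlator would use richer link rules and tolerate out-of-order delivery from several sensors, but the reconstruction burden it removes from the administrator is the same.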
The widespread adoption of mobile devices and of technologies supporting transparent network mobility can have detrimental effects on network security.
We propose a new defense strategy, based on the exchange of state information among distributed NIDSs, that is able to tackle mobility-based NIDS evasion.
The pcap traces on this page refer to our experiments, carried out in a real IPv6 network supporting node mobility through the MIPv6 extension.
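As an added example of the strategy proposed above (illustrative code, not the prototype used in our experiments), the following simulates two networks, each monitored by its own signature-matching NIDS. The example assumes that the evasion consists of sending the first part of an attack payload while attached to network A and the rest after a handoff to network B, so that neither NIDS alone sees the complete signature; it also assumes that state exchange means handing the per-flow reassembly buffer from NIDS A to NIDS B, keyed by the mobile node's home address, which under MIPv6 stays constant across the handoff. The signature, the payload and the addresses are constructed for the example.

```python
from dataclasses import dataclass

# Hypothetical signature the NIDS looks for in the reassembled payload of a
# flow (chosen for the example, not from the page).
SIGNATURE = b"MALICIOUS"


@dataclass(frozen=True)
class Segment:
    flow: tuple   # (src_addr, src_port, dst_addr, dst_port)
    seq: int      # offset of this segment's data within the stream
    data: bytes


class NIDS:
    """Minimal stream-reassembling signature matcher for one network."""

    def __init__(self, name: str):
        self.name = name
        self.flows: dict[tuple, dict[int, bytes]] = {}   # flow -> {seq: data}
        self.alerts: list[tuple[str, tuple]] = []

    def reassemble(self, flow: tuple) -> bytes:
        return b"".join(data for _, data in sorted(self.flows.get(flow, {}).items()))

    def observe(self, seg: Segment) -> None:
        """Buffer a segment and match the signature on the reassembled stream."""
        self.flows.setdefault(seg.flow, {})[seg.seq] = seg.data
        if SIGNATURE in self.reassemble(seg.flow):
            self.alerts.append((self.name, seg.flow))

    # State exchange, modelled here as an assumption: the per-flow reassembly
    # buffer is handed to the NIDS that will see the rest of the flow.
    def export_state(self, flow: tuple) -> dict[int, bytes]:
        return dict(self.flows.get(flow, {}))

    def import_state(self, flow: tuple, state: dict[int, bytes]) -> None:
        self.flows.setdefault(flow, {}).update(state)


def split_payload(flow: tuple, payload: bytes, at: int) -> list[Segment]:
    """Split one payload into two consecutive segments, as an attacker would
    send them before and after a handoff."""
    return [Segment(flow, 0, payload[:at]), Segment(flow, at, payload[at:])]


# Constructed flow: the mobile node keeps its home address under MIPv6, so the
# flow key is identical in both networks (2001:db8::/32 documentation prefix).
FLOW = ("2001:db8:1::10", 40000, "2001:db8:2::80", 80)
PAYLOAD = b"GET /index.html?q=MALICIOUS HTTP/1.0\r\n"   # constructed payload


def run(exchange_state: bool) -> list[tuple[str, tuple]]:
    """Replay the mobility-based evasion with or without state exchange."""
    nids_a, nids_b = NIDS("A"), NIDS("B")
    first, second = split_payload(FLOW, PAYLOAD, at=22)   # cut inside the signature
    nids_a.observe(first)                                 # node attached to network A
    if exchange_state:                                    # handoff to network B
        nids_b.import_state(FLOW, nids_a.export_state(FLOW))
    nids_b.observe(second)
    return nids_a.alerts + nids_b.alerts


if __name__ == "__main__":
    print("isolated NIDSs:     ", run(exchange_state=False))   # no alert raised
    print("with state exchange:", run(exchange_state=True))    # NIDS B raises the alert
```

Without the exchange each NIDS holds only a fragment and the signature never matches; with it, NIDS B completes the stream that NIDS A started and raises the alert. A deployment has to decide when the buffer is exported (on a binding update, on a timeout, to which peers) and how the channel between NIDSs is authenticated, which this toy omits.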
Several tools exist that inspect network traffic or host activities and notify the network administrator when illicit or suspicious activities are detected. In principle, those alerts should be further investigated to assess whether the detected activities pose a real danger to the monitored systems and, if so, to devise and apply the appropriate countermeasures.
State of the art
We are witnessing a constant increase in the use of mobile Internet-ready devices, which allows mobile users to roam seamlessly among different networks. Node mobility and roaming are supported by most commonly deployed wireless access points. Moreover, specific protocols (such as Mobile IPv4, MIPv4) extend the pervasive IPv4 network by providing support for node mobility.
Complex network topologies, characterized by the presence of several subnetworks, Virtual Private Networks (VPNs) and mobile users, cannot be effectively monitored by a centralized monitoring solution. Distributed IDS architectures are commonly deployed, but the presence of a centralized aggregation server represents a hard limit to the scalability of the architecture.