Information Systems Security

MAD: Multistep Attack Detection

MAD: Multistep Attack Detection

Multistep attacks, that involve multiple correlated intrusion activities to reach the intended target, are common in the current cybersecurity landscape. On the other hand, modern Network Intrusion Detection Systems (NIDS) are still designed to generate alerts related to single attacks, with no or minimal correlations between di erent security alerts. Hence the burden of correlating security alerts and reconstructing complete attack scenarios is entirely placed on system administrators.

Defeating MIPv6 Evasion


The diffusion of mobile devices and technologies supporting transparent network mobility can have detrimental effects on network security. 

We propose a new defense strategy based on the exchange of state information among distributed NIDSs that is able to tackle mobility-based NIDS evasion.

The pcap traces in this page refer to our experiments carried out in a real IPv6 network with support for node mobility through the MIPv6 extension.

Selective alerts

Selective alerts for the run-time protection of distributed systems


State of the art

Several instruments exist to inspect network traffic or host activities and notify the network administrator when illicit or suspect activities are detected. In principle, those alerts are to be further investigated to assess whether the detected activities resulted in a real danger for the monitored systems and, if this is the case, to devise and apply the appropriate countermeasures.

HonIDS 3.0

HonIDS 3.0: DHT based architecture for network intrusion detection, malware gathering and analysis


State of the art

Distributed architectures for malware analysis are centralized or hierarchical. In both cases, the overall architecture has a single point of failure, as well as poor load distribution capabilities.



MobSec: Security issues in Mobile Networks


State of the art

We are witnessing a constant increase in the use of mobile Internet-ready devices, allowing for mobile users to seamlessly roam among different networks. Node mobility and roaming is supported by most of the commonly deployed wireless access point. Moreover, specific protocols (like MipV4) are able to extend the pervasive IPv4 network by providing support for node mobility.

HonIDS 2.0

HonIDS 2.0: Scalable, hierarchical cooperative architecture for Intrusion Detection and Malware analysis


State of the art

Complex network topologies, characterized by the presence of several subnetworks, Virtual Private Networks (VPN) and mobile users, cannot be effectively monitored by a centralized monitoring solution. Distributed IDS architectures are commonly deployed, but the presence of a centralized aggregation server represent a hard limit to the architecture scalability.