IPv6 fragmentation remains a subtle yet impactful security concern in modern high-throughput, low-latency networks, where packet inspection is constrained by performance requirements and out-of-path monitoring architectures. This thesis investigates how discrepancies in IPv6 fragment reassembly behaviour between passive Intrusion Detection Systems (IDS) and endpoint hosts can lead to detection gaps, misinterpretation, and even exploitable evasion opportunities. Using a permutation-based testing model inspired by prior work, the study evaluates 720 overlapping fragment sequences across multiple operating systems and analyses the detection behaviour of Suricata deployed inside a 5G-simulated User Plane Function. The results reveal inconsistencies in reassembly policies, particularly under retransmission conditions, and demonstrate that alerts are not always semantically aligned with the payload seen by the host. A proof-of-concept exfiltration attack further illustrates how timing-based fragment delivery can bypass IDS inspection while reconstructing sensitive data at an attacker-controlled receiver. To mitigate these risks, the thesis proposes temporal IP ID tracking, overlap enforcement, and targeted traffic normalisation, especially in programmable or inline network functions. These findings highlight fragmentation as a persistent and under-addressed attack surface and call for more context-aware, timing-resilient detection strategies in next-generation networks.

SAGE is a deterministic and unsupervised learning pipeline that can generate attack graphs from intrusion alerts without input knowledge from a security analyst. Using a suffix-based probabilistic deterministic finite automaton (S-PDFA), the system compresses over 1 million alerts into less than 500 attack graphs (AGs), which are concise and manageable. Unlike other frequency analysis methods, SAGE does not discard infrequent high-severity alerts, which are crucial for learning the penetration strategies of attackers. This paper compares the baseline algorithm (i.e. S-PDFA) with a modelling assumption generated by swapping the S-PDFA with a PDFA. The aim is to validate the quality of SAGE and propose possible solutions for PDFA usage, allowing the algorithm to generate AGs in real-time. We compare them both quantitatively and qualitatively using size, complexity, completeness and interpretability metrics. Our findings show that AGs generated by the PDFA are more readable and as complete while being slightly larger (i.e. 16% larger) than the baseline S-PDFA. In certain cases, it can also better capture different attack strategies, proving that, if further optimized, it can perform better than the baseline.