Publications

[AsiaCCS26b] SoK: Reshaping Research on Network Intrusion Detection Systems

Conference Apruzzese, G., ACM Asia Conference on Computer and Communications Security, 2026
Oneliner: We endorse future work in this space to follow the three assertions stated here.

[AsiaCCS26a] “What is the Problem Space?” Defining Host-space Adversarial Perturbations against Network Intrusion Detection Systems

Conference Verkerken, M., D'hooge, L., Volckaert, B., De Turck, Filip, & Apruzzese, G., ACM Asia Conference on Computer and Communications Security, 2026
Oneliner: Changing one character of one command can lead to a complete bypass.

[SaTML26b] Adversarial News and Lost Profits: Manipulating Headlines in LLM-Driven Algorithmic Trading

Conference Rizvani, A., Apruzzese, G., Laskov, P., IEEE Conference on Secure and Trustworthy Machine Learning, 2026
Oneliner: Placing an "e" instead of an "e" in a news headline can lead to substantial economical losses.

[SaTML26a] ConCap: Practical Network Traffic Generation for (ML- and) Flow-based Intrusion Detection Systems

Conference Verkerken, M., D'hooge, L., Volckaert, B., De Turck, F., Apruzzese, G., IEEE Conference on Secure and Trustworthy Machine Learning, 2026
Oneliner: We propose a full-fledged system to create fine-grained labeled NetFlows. ML-driven experiments in NIDS have no excuses not to use contemporary attacks now.

[ESORICS26] “bot lane noob” Towards Deployment of NLP-based Toxicity Detectors in Video Games

Conference Ave, J., Pekaric, I., Frohner, M., Apruzzese, G., European Symposium on Research In Computer Security, 2026
Oneliner: To fight toxicity, we manually labeled an (open-source) dataset of toxic LoL matches, and show its utility for NLP applications.

[TAISAP26] Misleading Large Language Models used (or misused) in Scientific Peer-Reviewing via Hidden Prompt-Injection Attacks

Journal Collu, M. G., Salviati, U., Confalonieri, R., Conti., M., Apruzzese, G. , ACM Transactions on AI Security and Privacy, 2026
Oneliner: We systematically analyse how, and why, LLMs can be misled in a peer-review context.

[EuroSP26] I can’t recognize (yet): Delayed Rendering to Defeat Visual Phishing Detectors

Conference Yuan, Y., Rado, C. A., Apruzzese, G., Conti, M., & Mancini, L. V., IEEE European Symposium on Security and Privacy, 2026
Oneliner: We identify and systematically analyse a fundamental weakness of visual phishing detectors.

[DIMVA26] Can SOC Operators Explain their Decisions while Triaging Alarms? A Real-World Study

Conference Moosmann, J., Pekaric, I., Apruzzese, G., Conference on Detection of Intrusions and Malware & Vulnerability Assessment, 2026
Oneliner: Apparently, the operators of our examined SOC mostly rely on 'gut feelings'.

[eCrime25] Department-Specific Security Awareness Campaigns: A Cross-Organizational Study of HR and Accounting

Conference Pfister, M., Apruzzese, G., & Pekaric, I., APWG Symposium on Electronic Crime Research, 2025
Oneliner: Takeaway: instead of looking at an entire organization, security-awareness campaigns should focus on specific departments (as trivial as it may sound, not many papers did this).

[TWEB25] It’s not Easy: Applying Supervised Machine Learning to Detect Malicious Extensions in the Chrome Web Store

Journal Rosenzweig, B., Dalla Valle, V., Apruzzese, G., Fass, A., ACM Transactions on the Web [ORAL @ TheWebConf'26], 2025
Oneliner: Nobody really _tried_ to use supervised ML to detect browser extensions. So, we tried. Results were...

[IntellSystS25] Exploiting AI for Attacks: On the Interplay between Adversarial AI and Offensive AI

Journal Schröer, S. L., Pajola, L., Castagnaro, A., Apruzzese, G., & Conti, M., IEEE Intelligent Systems, 2025
Oneliner: There are far too many terms associated to "AI." We examine and clarify them a bit.

[AsiaCCS25] The Impact of Emerging Phishing Threats: Assessing Quishing and LLM-generated Phishing Emails against Organizations

Conference Weinz, M., Zannone, N., Allodi, L., & Apruzzese, G., ACM Asia Conference on Computer and Communications Security, 2025
Oneliner: We (are the first to) carry out a large-scale and cross-organizational user study on the effectiveness of quishing and LLM-written phishing emails (spoiler alert: they work very well).

[AISec25] E-PhishGEN: Unlocking Novel Research in Phishing Email Detection

Workshop Pajola, L., Caripoti, Banzer, S., E., Pizzi, S., Conti, M. and Apruzzese, G., ACM Workshop on Artificial Intelligence Security [BEST PAPER AWARD], 2025
Oneliner: Most research in phishing email detection uses outdated datasets, so we try to make things a bit better.

[DTRAP25] Using a Stack to Find an AI Needle: Topic Modeling for Cyber Threat Intelligence

Journal Schröer, S. L., Seideman, J. D., and Luo, S., and Apruzzese, G., and Dietrich, S., and Laskov, P., ACM Digital Threats: Research and Practice, 2025
Oneliner: We carry out (among others) a user study with CTI practitioners: what do they _want_? And how do they see scholarly literature in CTI?

[ICWSM25] Elephant in the Room: Dissecting and Reflecting on the Evolution of Online Social Network Research

Conference Pajola, L., Schroeer, S. L., Tricomi, P. P., Conti, M., Apruzzese, G., International AAAI Conference on Web and Social Media, 2025
Oneliner: What has been done in 17 years of research on online social networks? We investigate this question by creating and analysing the Minerva-OSN dataset.

[CODASPY25] The Ephemeral Threat: Assessing the Security of Algorithmic Trading Systems powered by Deep Learning

Conference Rizvani, A., Apruzzese, G., & Laskov, P., ACM Conference on Data and Application Security and Privacy, 2025
Oneliner: Did you know that very little has been done in the adversarial ML domain w.r.t. ML applications in computational finance?

[SaTML25] SoK: On the Offensive Potential of AI

Conference Schröer, S. L., Apruzzese, G., Human, S., Laskov, P., Anderson, H. S., Bernroider, E. W. N., Fass, A., Nassi, B., Rimmer, V., Roli, F., Salam, S., Shen, A., Sunyaev, A., Wadhwa-Brown, T., Wagner, I., Wang, G., IEEE Conference on Secure and Trustworthy Machine Learning, 2025
Oneliner: A long-term and community-driven effort to systematize and address the threat of "offensive AI"...

[HICSS25] “We provide our resources in a dedicated repository”: Surveying the Transparency of HICSS publications

Conference Pekaric, I., Apruzzese, G., Hawaii International Conference on System Sciences, 2025
Oneliner: Only a tiny fraction of the HICSS papers published in 2017--2024 have a functional and publicly available repository.

[COMST25] Distributed Energy Resource Management System (DERMS) Cybersecurity Scenarios, Trends, and Potential Technologies: A Review

Journal Suguranaj, N. and Balaji, S. R. A. and Subash Chandar, B. and Rajagopalan, P. and Kose, U. and Loper, D. C. and Mahfuz, T. and Chakraborty, P. and Ahmad, S. and Kim, T. and Apruzzese, G. and Dubey, A. and Strezoski, L. and Blakely, B. and Ghosh, S. and Bharata Reddy, M. J. and Padullaparti, H. V. and Ranganathan, P., IEEE Communications Surveys & Tutorials, 2025
Oneliner: A comprehensive and security-focused review on the broad domain of DERMS

[AISec24] When Adversarial Perturbations meet Concept Drift: an Exploratory Analysis on ML-NIDS

Workshop Apruzzese, G., Fass, A., & Pierazzi, F., ACM Workshop on Artificial Intelligence Security, 2024
Oneliner: What happens when two popular phenomena in ML security join forces?

[CHIPLAY24] “Are Crowdsourcing Platforms Reliable for Video Game-related Research?” A Case Study on Amazon Mechanical Turk

Workshop Eisele, L., Apruzzese, G., Annual Symposium on Computer-Human Interaction in Play (WiP track), 2024
Oneliner: Game-related user studies should validate the responses collected via AMT.

[eCrime24] “Hey Google, Remind me to be Phished” Exploiting the Notifications of the Google (AI) Assistant on Android for Social Engineering Attacks

Conference Weinz, M., Schröer, S. L., & Apruzzese, G., APWG Symposium on Electronic Crime Research, 2024
Oneliner: There is a functionality of the Google Assistant that needs to be looked at...

[COSE24] Beyond the West: Revealing and Bridging the Gap between Western and Chinese Phishing Website Detection

Journal Yuan, Y. and Apruzzese, G., and Conti. M., Computers & Security, 2024
Oneliner: Apparently, most research on phishing website detection only focused on the Western side of the world...

[BPM24] LLM4PM: A case study on using Large Language Models for Process Modeling in Enterprise Organizations

Conference Ziche, C., Apruzzese, G., Business Process Management Conference -- Industry Forum [BEST INDUSTRY FORUM PAPER AWARD], 2024
Oneliner: How can LLM be used at the Hilti group for BPM?

[SEC24] It Doesn’t Look Like Anything to Me: Using Diffusion Model to Subvert Visual Phishing Detectors

Conference Hao, Q., Yuan, Y., Diwan, N., Apruzzese, G., Conti, M., & Gang, W., USENIX Security Symposium, 2024
Oneliner: We design a new attack that bypasses 3 SOTA visual-based phishing website detection systems in an end-to-end fashion, as well as end-users (humans)

[CoG24] “Hey Players, there is a problem…”: On Attribute Inference Attacks against Videogamers

Conference Eisele, L., Apruzzese, G., IEEE Conference on Games, 2024
Oneliner: Apparently, game-related research overlooks the privacy risks of the video-gaming ecosystem.

[SCC24] Machine Learning in Space: Surveying the Robustness of on-board ML models to Radiation

Conference Lange, K., Fontana, F., Rossi, F., Varile, M., Apruzzese, G., IEEE Space Computing Conference, 2024
Oneliner: A joint work with space-industry practitioners.

[WACCO24] The Ephemeral Threat: Attacking Algorithmic Trading Systems powered by Deep Learning

Workshop Rizvani, A., Laskov, P., Apruzzese, G., Workshop on Attackers and Cyber-Crime Operations, 2024
Oneliner: We delve into the security of machine learning applications in computational finance.

[WWW24] “Are Adversarial Phishing Webpages a Threat in Reality?” Understanding the Users` Perception of Adversarial Webpages

Conference Yuan, Y., Hao, Q., Apruzzese, G., Conti, M., & Gang, W., The Web Conference, 2024
Oneliner: This work is orthogonal to [eCrime23]: adversarial webpages should be compared to non-adversarial ones!

[SAC24] Understanding the Process of Data Labeling in Cybersecurity

Conference Braun, T., Pekaric, I., Apruzzese, G., ACM Symposium on Applied Computing, 2024
Oneliner: Nobody ever questioned "how labelling is done by cybersecurity practitioners". We try to uncover this mystery.

[HICSS24] Voices from the Frontline: Revealing the AI Practitioners` viewpoint on the European AI Act

Conference Koh, F., Grosse, K., Apruzzese, G., Hawaii International Conference on System Sciences, 2024
Oneliner: What do AI practitioners think about the European regulation?

[DTRAP23] Multi-SpacePhish: Extending the Evasion-space of Adversarial Attacks against Phishing Website Detectors using Machine Learning

Journal Yuan, Y. and Apruzzese, G., and Conti. M., ACM Digital Threats: Research and Practice, 2023
Oneliner: We extend the [ACSAC'22] paper with new experiments by _mixing_ the perturbation spaces!

[eCrime23] “Do Users fall for Real Adversarial Phishing?” Investigating the Human Response to Evasive Webpages

Conference Draganovic, A., Dambra, S., Aldana Iuit, J., Roundy, K., Apruzzese, G., APWG Symposium on Electronic Crime Research [Runner-up for BEST PAPER AWARD], 2023
Oneliner: The first user-study assessing the human capabilities to recognize real "adversarial" phishing webpages that evaded a real phishing detection system based on deep learning

[ESORICS23] Attacking Logo-based Phishing Website Detectors with Adversarial Perturbations

Conference Lee, J., Xin, Z., Ng. M. P. S., Sabharwal, K., Apruzzese, G., Divakaran. D. M., European Symposium on Research In Computer Security, 2023
Oneliner: A novel attack against state-of-the-art DL methods for logo identification, validated via two user-studies.

[EuroSP23] SoK: Pragmatic Assessment of Machine Learning for Network Intrusion Detection

Conference Apruzzese, G., Laskov, P., & Schneider, J., IEEE European Symposium on Security and Privacy, 2023
Oneliner: Changing the evaluation methodology of research papers on ML applications for NIDS.

[JISA23] Dual Adversarial Attacks: Fooling Humans and Classifiers

Journal Schneider, J., & Apruzzese, G., Journal of Information Security and Applications, 2023
Oneliner: We extend the [DLS22] paper and we also carry out a user-study!

[CODASPY23] Attribute Inference Attacks in Online Multiplayer Video Games: a Case Study on Dota2

Conference Tricomi, P. P., Facciolo, L., Apruzzese, G., & Conti, M., ACM Conference on Data and Application Security and Privacy, 2023
Oneliner: We discovered a privacy issue affecting millions of video gamers!

[SaTML23] Real Attackers Don`t Compute Gradients: Bridging the Gap Between Adversarial ML Research and Practice

Conference Apruzzese, G., Anderson, H. S., Dambra, S., Freeman, D., Pierazzi, F., & Roundy, K. A., IEEE Conference on Secure and Trustworthy Machine Learning, 2023
Oneliner: Let's change the domain of adversarial ML. For real.

[ICSS22] Cybersecurity in the Smart Grid: Practitioners` Perspective

Workshop Meyer, J. & Apruzzese, G., Industrial Control System Security Workshop (co-located with ACSAC), 2022
Oneliner: Elucidating the disconnection between Research and Practice.

[ACSAC22] SpacePhish: The Evasion-space of Adversarial Attacks against Phishing Website Detectors using Machine Learning

Conference Apruzzese, G., Conti, M., & Yuan, Y., Annual Computer Security Applications Conference, 2022
Oneliner: Revisiting adversarial attacks against phishing website detectors—even real ones. (Artifact: Reusable)

[TDSC22] Mitigating Adversarial Gray-Box Attacks against Phishing Detectors

Journal Apruzzese, G., & Subrahmanian, V.S., IEEE Transactions on Dependable and Secure Computing, 2022
Oneliner: A new phishing dataset, and a new defensive mechanism based on feature randomization.

[TNSM22b] Wild Networks: Exposure of 5G Network Infrastructures to Adversarial Examples

Journal Apruzzese, G., Vladimirov, R., Tastemirova, A., & Laskov, P., IEEE Transactions on Network and Service Management, 2022
Oneliner: Introducing the "myopic" threat model for adversarial ML attacks.

[EuroSP22] SoK: The Impact of Unlabelled Data in Cyberthreat Detection

Conference Apruzzese, G., Laskov, P., & Tastemirova, A., IEEE European Symposium on Security and Privacy [OUTSTANDING PRESENTATION AWARD], 2022
Oneliner: How to properly evaluate semisupervised learning methods.

[DTRAP22] The Role of Machine Learning in Cybersecurity

Journal Apruzzese, G., Laskov, P., de Oca, E. M., Mallouli, W., Rapa, L. B., Grammatopoulos, A. V., & Franco, F. D., ACM Digital Threats: Research and Practice, 2022
Oneliner: Explaining ML & Cybersecurity in a notation-free way -- a joint effort involving Researchers, Practitioners and Regulatory Bodies.

[DLS22] Concept-based Adversarial Attacks: Tricking Humans and Classifiers Alike

Workshop Schneider, J., & Apruzzese, G., IEEE Symposium on Security and Privacy – Deep Learning and Security Workshop, 2022
Oneliner: What's the point of minimal perturbations if we want to fool humans?

[TNSM22a] The Cross-evaluation of Machine Learning-based Network Intrusion Detection Systems

Journal Apruzzese, G., Pajola, L., & Conti, M., IEEE Transactions on Network and Service Management, 2022
Oneliner: Let's mix 'n match those datasets!

[ARES21] On the Evaluation of Sequential Machine Learning for Network Intrusion Detection

Conference Corsini, A., Yang, S. J., & Apruzzese, G., International Conference on Availability, Reliability and Security, 2021
Oneliner: Are temporal patterns useful for ML-NIDS? Let's test this out with a fair comparison between LSTM and traditional FNN.

[DTRAP21] Modeling Realistic Adversarial Attacks against Network Intrusion Detection Systems

Journal Apruzzese, G., Andreolini, M., Ferretti, L., Marchetti, M., & Colajanni, M., ACM Digital Threats: Research and Practice, 2021
Oneliner: Using adversarial examples against ML-NIDS is not a feasible strategy.

[IM21] Towards an Efficient Detection of Pivoting Activity

Workshop Husák, M., Apruzzese, G., Yang, S. J., & Werner, G., IFIP/IEEE International Symposium on Integrated Network Management, 2021
Oneliner: Uh-oh! It appears that detecting pivoting on external traffic is unfeasible!

[DiB20] DReLAB - Deep REinforcement Learning Adversarial Botnet: A benchmark dataset for adversarial attacks against botnet Intrusion Detection Systems

Journal Venturi, A., Apruzzese, G., Andreolini, M., Colajanni, M., & Marchetti, M., Data in Brief, 2021
Oneliner: Dataset, code snippet and tutorial for [TNSM20].

[TNSM20] Deep Reinforcement Adversarial Learning Against Botnet Evasion Attacks

Journal Apruzzese, G., Andreolini, M., Marchetti, M., Venturi, A., & Colajanni, M., IEEE Transactions on Network and Service Management, 2020
Oneliner: Offense is the best Defense! At little-to-no performance degradation.

[TETCI20] Hardening Random Forest Cyber Detectors against Adversarial Attacks

Journal Apruzzese, G., Andreolini, M., Colajanni, M., & Marchetti, M., IEEE Transactions on Emerging Topics in Computational Intelligence, 2020
Oneliner: Applying Defensive Distillation to Random Forest!

[Sym20] AppCon: Mitigating Evasion Attacks to ML Cyber Detectors

Journal Apruzzese, G., Andreolini, M., Marchetti, M., Colacino, V. G., & Russo, G., Symmetry, 2020
Oneliner: Ensembling ensembles: each detector focuses on a specific attack against a specific network application!

[NCA19] Evaluating the effectiveness of Adversarial Attacks against Botnet Detectors

Conference Apruzzese, G., Colajanni, M., & Marchetti, M., IEEE International Symposium on Network Computing and Applications [BEST STUDENT PAPER AWARD], 2019
Oneliner: Previously, in [NCA18], we evaded 1 classifier on 1 dataset. Now, we evade 12 classifiers on 4 datasets!

[CyCon19] Addressing Adversarial Attacks Against Security Systems based on Machine Learning

Conference Apruzzese, G., Colajanni, M., Ferretti, L., & Marchetti, M., International Conference on Cyber Conflict, 2019
Oneliner: This is not just a review! We also propose an original defense against Poisoning!

[NCA18] Evading Botnet Detectors Based on Flows and Random Forest with Adversarial Samples

Conference Apruzzese, G., & Colajanni, M., IEEE International Symposium on Network Computing and Applications [BEST STUDENT PAPER AWARD], 2018
Oneliner: The first paper using adversarial examples against Botnet Detectors (yes, the title has a typo).

[CyCon18] On the Effectiveness of Machine and Deep Learning for Cyber Security

Conference Apruzzese, G., Colajanni, M. Ferretti, L., Guido, A., & Marchetti, M., IEEE International Conference on Cyber Conflict, 2018
Oneliner: The right paper, at the right time, in the right place?

[TETC17] Detection and Threat Prioritization of Pivoting Attacks in Large Networks

Journal Apruzzese, G., Pierazzi, F., Colajanni, M., & Marchetti, M., IEEE Transactions on Emerging Topics in Computing, 2017
Oneliner: How to detect lateral movement (through pivoting) using Network Flows.

[NCA17] Identifying Malicious Hosts Involved in Periodic Communications

Conference Apruzzese, G., Marchetti, M., Colajanni, M., Zoccoli, G. G., & Guido, A., IEEE International Symposium on Network Computing and Applications, 2017
Oneliner: Use one to find many (apparently, this paper has been integrated into a real SIEM product!)

[CyCon17] Scalable Architecture for Online Prioritisation of Cyber Threats

Conference Pierazzi, F., Apruzzese, G., Colajanni, M., Guido, A., & Marchetti, M., IEEE International Conference on Cyber Conflict, 2017
Oneliner: My very first paper!

Giovanni Apruzzese