Praktikum, Master Thesis, and Ph.D. Thesis

If you are interested in doing a Praktikum, a diploma thesis, or a doctoral thesis in the area of computer security, please contact me by sending an email to this address. Note that some of the Praktika and theses are funded, that is, you get paid so that you can concentrate on the given tasks.

Topics


Virus Collection

Anti-virus software requires an accurate and up-to-date virus description database. Thus, it is of particular importance to get samples of unknown viruses as quickly as possible to start immediate analysis and signature generation. This work aims to analyze current approaches for obtaining virus samples and to develop novel techniques to obtain such samples (both for SMTP-based viruses and for other spreading mechanisms). The work will be funded and is performed in cooperation with Ikarus Software (an Austrian anti-virus vendor).

Prerequisites: Excellent programming, very good networking knowledge.


Worm Early Warning System

Recent epidemics have shown the potential of fast-spreading worms to infect a large percentage of vulnerable machines within minutes. Thus, it is imperative to stop a worm outbreak as soon as possible, using fully automated mechanisms. This work aims to analyze current worm detection and containment approaches and to develop novel techniques to quickly and accurately detect spreading worms. The work will be funded and is performed in cooperation with Ikarus Software (an Austrian anti-virus vendor).

Prerequisites: Very good programming, excellent networking knowledge.


Mail Content Analysis and Spam Detection

Email spam is becoming an increasing problem, and studies show that a large fraction of all email sent worldwide is unsolicited. Current solutions such as SpamAssassin still work satisfactorily, but spammers have caught up and explicitly target the current detection mechanisms (rule sets and Bayesian content analysis). This work aims to analyze current spam detection approaches and to develop novel techniques to separate spam from ham. The work will be funded and is performed in cooperation with Ikarus Software (an Austrian anti-virus vendor).
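As an added illustration of the Bayesian content analysis mentioned above (this is example code written for this page, not Ikarus or SpamAssassin code), the following multinomial naive Bayes classifier is trained on a small constructed spam/ham corpus and then scored on a clean spam message and on the same message padded with ham-like words. The padded case shows why a detector that relies on token statistics alone has to be evaluated against content that is deliberately shaped to look like ham, which is exactly the kind of targeting the paragraph describes. The corpus, the tokenizer and the Laplace smoothing parameter are assumptions of this example.

```python
import math
import re
from collections import Counter

# Constructed training corpus (assumption of this example, not real mail data).
SPAM = [
    "cheap meds online buy now",
    "buy cheap watches now free shipping",
    "free money claim your prize now",
    "win a free prize click here now",
]
HAM = [
    "meeting about the thesis tomorrow",
    "please review the draft of the paper",
    "seminar on intrusion detection next week",
    "lecture notes for the security course",
]

TOKEN = re.compile(r"[a-z0-9']+")


def tokenize(text):
    """Lower-case word tokens; a real filter would also look at headers and HTML."""
    return TOKEN.findall(text.lower())


class NaiveBayes:
    """Multinomial naive Bayes with Laplace (add-alpha) smoothing so that a token
    never seen in one class does not drive that class's likelihood to zero."""

    def __init__(self, alpha=1.0):
        self.alpha = alpha
        self.counts = {"spam": Counter(), "ham": Counter()}  # token counts per class
        self.docs = {"spam": 0, "ham": 0}                    # document counts per class
        self.vocab = set()

    def train(self, texts, label):
        for text in texts:
            tokens = tokenize(text)
            self.counts[label].update(tokens)
            self.docs[label] += 1
            self.vocab.update(tokens)

    def log_likelihood(self, tokens, label):
        """log P(label) + sum over tokens of log P(token | label), smoothed."""
        total = sum(self.counts[label].values())
        denom = total + self.alpha * len(self.vocab)
        logp = math.log(self.docs[label] / sum(self.docs.values()))
        for tok in tokens:
            logp += math.log((self.counts[label][tok] + self.alpha) / denom)
        return logp

    def spam_probability(self, text):
        """P(spam | text), computed from the log-odds to avoid underflow."""
        tokens = tokenize(text)
        log_spam = self.log_likelihood(tokens, "spam")
        log_ham = self.log_likelihood(tokens, "ham")
        return 1.0 / (1.0 + math.exp(log_ham - log_spam))


CLASSIFIER = NaiveBayes()
CLASSIFIER.train(SPAM, "spam")
CLASSIFIER.train(HAM, "ham")

# Constructed test messages: a plain spam, a legitimate mail, and the same spam
# padded with tokens the ham corpus is rich in.
PLAIN_SPAM = "buy cheap meds now"
PLAIN_HAM = "please review the thesis draft"
PADDED_SPAM = PLAIN_SPAM + " the thesis paper the seminar lecture the review draft"

if __name__ == "__main__":
    for msg in (PLAIN_SPAM, PLAIN_HAM, PADDED_SPAM):
        print(f"{CLASSIFIER.spam_probability(msg):.3f}  {msg}")
```

With this corpus the plain spam scores about 0.99 and the legitimate mail about 0.01, but the padded message drops well below 0.5 because six ham-only tokens and three occurrences of "the" outweigh the four spam tokens. Any novel technique developed for this topic should be measured on such padded messages, not only on unmodified spam.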

Prerequisites: Very good programming, very good networking knowledge; SpamAssassin knowledge is an advantage.


Virus Detection

Anti-virus software requires an accurate and up-to-date virus description database. Currently, the number of new viruses that emerge every month reaches into the thousands. For each virus, a precise signature needs to be specified. Thus, it is important to automate signature generation and to minimize the false positives that occur when a signature accidentally matches a benign file. This work aims to analyze the current approaches for signature generation and to develop techniques and tools that support fast and accurate signature generation. The work will be funded and is performed in cooperation with Ikarus Software (an Austrian anti-virus vendor).

Prerequisites: Excellent programming, very good operating system knowledge; virus development knowledge is an advantage.


Anomaly Intrusion Detection

Intrusion detection is the task of detecting attacks against a network and its resources. Anomaly detection is based on the analysis of network traffic or system/application behavior. The idea is to build models of normal behavior. Then, any deviations from normal behavior can be flagged as an attack. We have previously built a small collection of models that analyze web service requests and operating system calls. This work aims to analyze the effectiveness of the present models and to provide additional or improved ones. In addition, the detection domain can be extended (for example, to web services).
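The following is an added example (written for this page; it is not the group's own model collection) of the approach sketched above for web requests: models of normal behavior are learned from attack-free training requests, and a request is flagged when it deviates from them. Two per-parameter models are used, a length model based on mean and variance with a Chebyshev bound, and a character-set model, plus a rule that a parameter never seen for a path is itself an anomaly. The training requests, the test requests and the threshold are constructed assumptions of this example.

```python
from urllib.parse import urlsplit, parse_qsl

# Constructed attack-free training requests for one web application (assumed).
TRAINING = [
    "/search?q=security+lecture&page=1",
    "/search?q=bgp+routing&page=2",
    "/search?q=intrusion+detection&page=1",
    "/search?q=anomaly+models&page=3",
    "/search?q=spam+filtering&page=1",
    "/search?q=worm+containment&page=2",
]
THRESHOLD = 0.5  # a parameter scoring below this under any model is anomalous


def parse_request(target):
    """Split a request target such as /path?a=b into (path, [(name, value), ...])."""
    parts = urlsplit(target)
    return parts.path, parse_qsl(parts.query, keep_blank_values=True)


class LengthModel:
    """Mean and variance of a value's length. Chebyshev's inequality bounds the
    probability of a length at least this far from the mean, so the score makes
    no assumption about the underlying distribution."""

    def __init__(self):
        self.n = self.total = self.total_sq = 0

    def train(self, value):
        length = len(value)
        self.n += 1
        self.total += length
        self.total_sq += length * length

    def score(self, value):
        mean = self.total / self.n
        var = self.total_sq / self.n - mean * mean
        dist = abs(len(value) - mean)
        if dist == 0:
            return 1.0
        return min(1.0, var / (dist * dist))  # P(|X - mean| >= dist) <= var / dist^2


class CharsetModel:
    """Set of characters seen during training; the score is the fraction of a
    test value's characters that belong to that set."""

    def __init__(self):
        self.seen = set()

    def train(self, value):
        self.seen.update(value)

    def score(self, value):
        if not value:
            return 1.0
        return sum(c in self.seen for c in value) / len(value)


class RequestProfile:
    """Per-(path, parameter) models; unknown parameters are anomalous as well."""

    def __init__(self, training):
        self.models = {}
        for target in training:
            path, params = parse_request(target)
            for name, value in params:
                models = self.models.setdefault((path, name), [LengthModel(), CharsetModel()])
                for model in models:
                    model.train(value)

    def analyze(self, target):
        path, params = parse_request(target)
        scores = {}
        for name, value in params:
            models = self.models.get((path, name))
            if models is None:
                scores[name] = [0.0, 0.0]  # parameter never seen for this path
            else:
                scores[name] = [model.score(value) for model in models]
        flagged = any(min(s) < THRESHOLD for s in scores.values())
        return {"flagged": flagged, "scores": scores}


PROFILE = RequestProfile(TRAINING)

if __name__ == "__main__":
    for target in ("/search?q=routing+security&page=1",   # normal
                   "/search?q=x'+OR+1%3D1&page=1",        # unusual characters
                   "/search?q=" + "A" * 200 + "&page=1",  # unusual length
                   "/search?q=bgp+routing&debug=1"):      # unknown parameter
        print(target[:48], PROFILE.analyze(target))
```

Both models give a score in [0, 1] with 1 meaning "fully normal", so the per-parameter minimum is a simple way to combine them; the training set is what decides the false-positive rate, which is why the topic above asks for an analysis of model effectiveness rather than just more models.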

Prerequisites: Excellent programming, good networking and operating system knowledge, background in statistics.


Intrusion Alert Correlation

An intrusion detection system attempts to identify attacks against a network and its resources. Alert correlation is a process that takes as input the alerts produced by one or more intrusion detection systems and provides a more succinct and high-level view of occurring or attempted intrusions. The aim of this work is to analyze current alert correlation approaches and to identify their shortcomings. Based on this analysis, novel correlation techniques should be developed that address additional issues such as privacy concerns when different organizations want to share and correlate some of their information.

Prerequisites: Excellent programming, very good networking knowledge.


Internet Routing Security

The Border Gateway Protocol (BGP) is the de facto Internet routing protocol between ASes (autonomous systems). It is known that BGP has weaknesses that are fundamental to the protocol design. Many solutions to these weaknesses have been proposed, but most require resource-intensive cryptographic operations and modifications to the existing protocol and router software. For this reason, none of them has been widely adopted. This work aims to analyze the problems of BGP and the solutions that have been proposed. Based on this analysis, novel techniques should be developed that help to detect attacks and common misconfigurations, using only passive traffic analysis without protocol modifications.

Prerequisites: Very good programming, excellent networking knowledge.


Vulnerability Testing Framework

The evaluation of security protection mechanisms is a tedious task that is often done in an ad-hoc fashion. For testing, the developer usually identifies a few attacks and checks the effectiveness of her tool in these cases. This allows neither a comparison between different protection mechanisms nor reasonable coverage. This work aims to develop a testing framework for security solutions. For this framework, it is required to come up with ways to automatically set up a diverse test environment, integrate the security mechanism under analysis into this setup, and then run a set of test instances.

Prerequisites: Excellent programming, very good Unix operating system knowledge.


Praktikum Information


The purpose of a Praktikum is to gain experience in the design and development of a real-world software project. You have to become acquainted with standard open-source development tools such as build tools (autoconf, automake), debuggers (gdb, valgrind) or version control systems (cvs). In addition, you should learn how to write solid and stable code. Praktika are available most of the time (there is always some work that needs to be done), so feel free to ask.

Master and Ph.D. Thesis Information


When doing a master thesis or a Ph.D. thesis, I expect you to perform scientific research. This means that you have to find an interesting problem (alternatively, you can ask me about one) and solve it in a novel fashion. Then, you have to verify the feasibility of your solution by providing experimental data. The difference between a master and a Ph.D. thesis is the problem size and the expected degree of your autonomy. When doing a master thesis, you can focus on a particular problem and you will receive more guidance when difficult problems crop up. When doing a Ph.D. thesis, you are expected to be able to compete with world-leading experts in a particular field at the time you graduate.