

We are currently working on the projects listed below. More information on these will follow soon.

Privacy-Preserving Electronic Bartering

Bartering is defined as the cashless act of trading goods and services in exchange for other goods and services. Bartering has been practiced since the early days of humanity and still plays a crucial role in the global economy. Today, the majority of bartering transactions are carried out via online platforms which allow their users to find potential trade partners in a convenient way. An inherent requirement of these platforms is that users have to disclose their trading capabilities to the operator and typically also to all other users. As a consequence, private information on the personal preferences of a user is leaked, which can undermine their bargaining position.

Within our research project (in cooperation with Stevens Institute of Technology), we designed decentralized cryptographic protocols that allow multiple users to determine potential trade partners and to barter offered goods and services while keeping their trade capabilities private. More precisely, a user only learns what they get and what they have to give away, but nothing further about what their trade partners do in return and nothing about the trade capabilities and activities of other users.

Ongoing work deals with bringing theoretical solutions into practice by designing a privacy-preserving bartering system which is capable of handling a large number of users and provides several functionalities known from classic bartering platforms.


Privacy Preserving Algorithms

The Research Training Group UnRAVeL is composed of theoretical and applied computer scientists from different fields. The aim of this group is to develop new theories, algorithms and verification techniques in order to improve probabilistic modelling and analysis.

Within the Research Training Group we develop Privacy Preserving Algorithms that compute functionalities for multiple parties in settings that change over time. More precisely, we want to develop models and algorithms that can deal with this kind of uncertainty.

UnRAVeL homepage:

Please direct potential thesis interest and other questions to: Andreas Klinger


DNS-based Network Fingerprinting

Internet-connected devices use the Domain Name System (DNS) to translate human-readable domain names into IP addresses. Since DNS is unencrypted, often outsourced, and used prior to most network connections, it is possible to fingerprint the software that initiates such connections by passively monitoring DNS traffic.

DONUT (Domain Oriented Network Unmasking Tool) is a system for fingerprinting device types, operating systems, applications, and network structures based on DNS traffic. It is extensible, modular, and uses a rule-based approach to detect software-specific fingerprints, which makes its rule database easy to extend. In addition to fingerprinting software, DONUT is able to detect NAT configurations and, to a certain extent, de-NAT DNS traffic.
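The following is an added illustration of the rule-based idea described above, not DONUT's own code or rule database: passive DNS observations from a monitored network are matched against glob rules that map query names to an operating system or application, and two or more operating-system fingerprints behind one source address are flagged as a likely NAT. All rule domains, IP addresses and query names are constructed placeholders.

```python
import fnmatch
from collections import defaultdict

# Constructed, illustrative rules (not DONUT's rule database):
# (QNAME glob pattern, category, label). Placeholder domains only.
RULES = [
    ("*.update.os-a.example",    "os",  "OS-A"),
    ("*.telemetry.os-b.example", "os",  "OS-B"),
    ("ntp.os-b.example",         "os",  "OS-B"),
    ("api.chat-app.example",     "app", "ChatApp"),
    ("*.cdn.browser-x.example",  "app", "Browser-X"),
]

# Constructed passive DNS observations: (source IP, queried name).
SAMPLE_QUERIES = [
    ("10.0.0.5",  "v4.update.os-a.example."),
    ("10.0.0.5",  "eu.cdn.browser-x.example"),
    ("10.0.0.9",  "EU.telemetry.os-b.example"),
    ("10.0.0.9",  "v4.update.os-a.example"),
    ("10.0.0.9",  "api.chat-app.example"),
    ("10.0.0.9",  "ntp.os-b.example"),
    ("10.0.0.12", "nothing-known.example"),
]

def match_rules(qname):
    """Return every (category, label) whose pattern matches the normalised QNAME."""
    q = qname.lower().rstrip(".")
    return [(cat, label) for pattern, cat, label in RULES if fnmatch.fnmatchcase(q, pattern)]

def fingerprint(queries):
    """Aggregate rule hits per source address: {ip: {category: {labels}}}."""
    profile = defaultdict(lambda: defaultdict(set))
    for ip, qname in queries:
        for cat, label in match_rules(qname):
            profile[ip][cat].add(label)
    return profile

def likely_nat(ip_profile):
    """One host runs one OS, so two or more OS fingerprints behind a single
    address indicate several devices sharing it, i.e. NAT."""
    return len(ip_profile.get("os", ())) >= 2

def report(queries):
    """Per source address: identified OS labels, application labels and a NAT flag.
    Addresses without any rule hit do not appear."""
    return {
        ip: {"os": sorted(p.get("os", ())), "apps": sorted(p.get("app", ())), "nat": likely_nat(p)}
        for ip, p in fingerprint(queries).items()
    }
```

On the constructed log, 10.0.0.9 shows both OS-A and OS-B behind one address and is reported as a likely NAT, while 10.0.0.12 produces no rule hit and is left out of the report.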

Our current work focuses on extending fingerprinting rules, improving De-NATing, and evaluating other approaches for DNS-based fingerprinting, for example using machine learning.

Please direct potential thesis interest and other questions to: Sebastian Schäfer


Domain Generation Algorithm Detection

Bots communicate with a Command & Control (C2) server in order to obtain instructions or to exfiltrate gathered data. Since connection attempts to a C2 server using fixed IP addresses or fixed domain names are easy to block, botnets rely on Domain Generation Algorithms (DGAs). DGAs periodically generate a large number of algorithmically generated domains (AGDs) which serve as rendezvous points with a C2 server. These AGDs are pseudo-randomly generated from a seed, enabling a botnet herder to predict and register one or more of the generated domain names in advance. If the bots query one of these domain names, they obtain a valid IP address for their C2 server. All other queries result in Non-Existent Domain (NXD) responses. The use of DGAs makes it much harder to prevent all possible connection attempts of bots to their C2 server.

FANCI (Feature-based Automated NXDomain Classification and Intelligence) is a system which can detect infections with DGA-based malware by monitoring NXD responses in DNS traffic. It utilizes classical machine learning classifiers such as random forests or support vector machines to classify domain names into DGA-related and benign NXDs. FANCI does not require any additional context information since the features for classification are extracted solely from the individual NXD that is to be classified.
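As an added illustration of the context-free approach described above (this is not FANCI's code, and its feature set and thresholds are my own assumptions rather than FANCI's), the following extracts lexical features from a single NXD name and replaces the trained random forest or SVM with a hand-picked indicator count. The sample NXD names are constructed; none is a real malware domain.

```python
import math
from collections import Counter

VOWELS = set("aeiou")

# Constructed NXDomain names for illustration; none of them is a real malware domain.
SAMPLE_NXDOMAINS = [
    "gooogle.com",               # typo of a popular site
    "wwww.example.org",          # mistyped hostname
    "printer.corp.local",        # stale internal name
    "qxv7k2mzt9pl4wh3.net",      # DGA-like: many digits, no vowels
    "zkqjwxvbpflrtnmg.biz",      # DGA-like: one long consonant run
    "a8f3k1d9x2m7q4e6.info",     # DGA-like: alternating letters and digits
]

def shannon_entropy(s):
    """Character-level Shannon entropy in bits (0 for the empty string)."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def max_consonant_run(s):
    """Longest run of non-vowel letters; digits and other symbols break a run."""
    best = run = 0
    for ch in s:
        run = run + 1 if ch.isalpha() and ch not in VOWELS else 0
        best = max(best, run)
    return best

def extract_features(name):
    """Lexical features of one NXD name; the last label (TLD) is ignored."""
    labels = name.lower().rstrip(".").split(".")[:-1]
    body = "".join(labels)
    n = max(len(body), 1)          # avoid division by zero for ".com"-style input
    return {
        "length": len(body),
        "digit_ratio": sum(c.isdigit() for c in body) / n,
        "vowel_ratio": sum(c in VOWELS for c in body) / n,
        "entropy": shannon_entropy(body),
        "max_consonant_run": max_consonant_run(body),
    }

def classify(name, threshold=3):
    """Label one NXD name using only its own features. The indicator thresholds are
    a hand-picked stand-in for the trained random forest / SVM and are assumptions."""
    f = extract_features(name)
    indicators = [f["entropy"] > 3.5, f["digit_ratio"] > 0.2, f["vowel_ratio"] < 0.2,
                  f["max_consonant_run"] >= 5, f["length"] >= 14]
    return "dga" if sum(indicators) >= threshold else "benign"
```

Typos and stale internal names score zero indicators, while the three DGA-like samples each trip at least three; in a real deployment the same feature vectors would be fed to the trained classifier instead of the fixed thresholds.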

Ongoing work deals with further improving FANCI's performance and adding multiclass classification capabilities in order to attribute AGDs to specific malware families. Simultaneously, we investigate different deep learning approaches for the binary and multiclass classification tasks.

Please direct potential thesis interest and other questions to: Arthur Drichel


Security Education

Enable Risk-aware Behavior to Secure End-users (ERBSE) is a project funded by the NERD postgraduate research training group that promotes research into human-centered systems security. The ERBSE project aims to combine didactic aspects with online security by examining what kind of technical knowledge is necessary to improve end-user security and, in the next step, analyzing ways to teach this knowledge to end-users effectively. The focus of the project is on creating and evaluating learning games as a platform to teach IT security. The Research Group IT-Security contributes to this project by researching threats that affect or exploit end-users and by overseeing the ERBSE researchers working at RWTH Aachen.

Please direct potential thesis interest and other questions to: Vincent Drury



Sharing and Automation for Privacy Preserving Attack Neutralization (SAPPAN) is a project funded by the Horizon 2020 program of the European Union. The main objective of SAPPAN is to develop a cyber threat intelligence system that decreases the effort a security analyst needs today to come up with a suitable response to an attack and a way to recover from it. We aim to reach this goal with the help of scalable, distributed, privacy-preserving and usable cyber threat intelligence, which allows for massive data acquisition from multiple sources, advanced analytics on shared information, and intelligence sharing.

Our focus in the project is to develop new systems for local and federated threat detection and assessment using machine learning and privacy enhancing technologies.

Please direct potential thesis interest and other questions to: Sebastian Schäfer or Arthur Drichel



Previous projects we were involved in:

Privacy Preserving Applications

Today, applications collect and analyze a vast quantity of (digital) information to optimize performance and availability. The privacy concerns of users regarding confidential information are rarely respected. Within our research we try to improve certain applications by developing new privacy-preserving protocols which offer the same functionality but take the privacy concerns of users into account.

A common problem is the collaboration between organizations. Each party defines its own set of rules under which it is willing to collaborate, e.g., interact, share and exchange resources or information with others. Typically, these individual policies differ between parties. Thus, collaboration requires resolving the differences and reaching a consensus. This process is generally referred to as policy reconciliation. Current solutions for policy reconciliation do not take into account the privacy concerns of the reconciling parties. Within our research we have developed new protocols that meet the privacy requirements of the organizations and allow parties to find a common policy rule which optimizes their individual preferences.

A subsequent challenge is the secure exchange of information between organizations while respecting their privacy concerns. The participating parties have an interest in the availability as well as in the confidentiality of information. A solution should respect the privacy concerns and maximize the availability of information. A possible approach to this problem is pseudonymization. Within our research we have constructed new privacy-preserving protocols based on restricted linkable pseudonyms that resolve the conflict between availability and confidentiality of information.

Project homepage: Privacy-preserving applications.

Mobile Malware

In the last decade mobile devices have gained popularity and, because their functionality is comparable to that of recent computers, users tend to store their sensitive information on them, rendering mobile devices an attractive target for malware writers. As a consequence, the mobile malware population grows every single year.

The first area of our research studies the ability of host-based anomaly detection systems to detect mobile malware using low-level features such as system calls. Our second focus aims to identify sensor placements in current 3G and 4G backbone networks and to detect traffic initiated by mobile malware directly in mobile operators' networks.

Security for Wireless Mesh Networks

In contrast to infrastructure-based wireless networking, wireless mesh networks employ multi-hop communication. This fact and the different use cases of multi-provider and single-provider setups impose new security challenges. Keeping the dynamic nature of these networks in mind, bootstrapping security associations onto the nodes, as well as detecting and mitigating malicious behavior, are the current focus of our study.


ASMONIA (Attack analysis and Security concepts for MObile Network infrastructures, supported by collaborative Information exchAnge) is a project funded by the German Federal Ministry of Education and Research. ASMONIA aims to improve the resilience and reliability of current and future mobile networks and their backbone infrastructure.
Recent cyberwar incidents and the iPhone worm demonstrate the need for protection and collaborative early warning concepts tailored to the telecommunication sector. Additionally, threats to mobile networks will increase with the growing use of untrusted and malicious applications on modern mobile devices. Simultaneously, the utilization of mobile networks becomes more multifaceted (e.g., public/private use), and the technical heterogeneity (3G, 4G, non-3G and future generations) and complexity (roaming, interworking) of the overall system grows due to its interconnectedness. This trend will likely continue well into the future, due to the growing number of heterogeneous (e.g., wireless) interfaces on end devices and the increasing use of applications whose integrity cannot be guaranteed a priori.
The overall goal of ASMONIA is the development of a holistic security concept for mobile network infrastructures that satisfies the diverse requirements of modern networks. Integrity protection and attack detection solutions that exploit characteristics of resilient and flexible systems like cloud computing will therefore be integrated. The additional integration of collaborative information exchange mechanisms will improve the security level of modern communication networks.
In this project we work together with: Cassidian Systems, ERNW GmbH, Fraunhofer SIT, Hochschule Augsburg, Nokia Siemens Network (as well as associated partners DTAG, BSI, and BDBOS).

Security and Privacy in WLAN Roaming

Currently, roaming in Wi-Fi networks is cumbersome or outright impossible. While there are WLAN networks in many locations, these are either not accessible without manual configuration effort, or insecure, or must be run by the same party the user already has an account with. A proper roaming protocol would help to solve these problems. We have developed a novel protocol suite for roaming WLAN devices that supports authentication, key agreement, and secure payment between roaming devices and network operators.

Project homepage: Security and Privacy in WLAN Roaming.

Malware Collection and Botnet Monitoring

The threat that malware poses to computer networks has grown in past years. A large portion of malware samples includes "botnet" functionality and can thus be controlled remotely by its author. Within our research we try to improve current methods and develop new methods of acquiring and analysing malware. From the malware samples we extract command & control information and are thus able to monitor the botnet's activity. The overall goal of this research is a more secure and less malicious Internet environment.

The work is conducted in cooperation with the Alliance.