MSc and BSc Theses

Overview of Master's and Bachelor's theses within the bwNET2.0 project

1. Intent-Based Configuration of Campus Firewalls with LLMs

Jonas Weßner | 2025 | M.Sc. Thesis | Supervisors: Prof. Dr. Björn Scheuermann, Prof. Dr. Frank Kargl | Technische Universität Darmstadt

Campus firewalls are essential for securing internal network segments and controlling access to sensitive resources. Traditionally, firewall policy management in such environments relies on manual processes, in which user requests are interpreted and translated into technical rules by specialized IT staff. This approach is time-consuming and difficult to scale. Intent-Based Networking (IBN) offers a promising alternative, where high-level, goal-oriented instructions are used to directly configure the network. In this thesis, we design an intent-based campus firewall system that leverages generative Large Language Models (LLMs) to translate natural-language user requests into firewall configuration updates. In a survey with network administrators, we identify several requirements for an intent-based campus firewall system, one of which is the ability to use institution-specific knowledge to interpret vague end-user requests. Based on these findings, we propose a modular framework that includes an LLM-based intent translation module for converting vague end-user requests into structured representations, as well as formal algorithms for updating firewall configurations accordingly. To evaluate our design, we construct a novel dataset for intent translation in a university network, developed in consultation with domain experts. The dataset incorporates institutional knowledge through a dedicated knowledge base, enabling the system to resolve complex, context-sensitive requests. A comprehensive evaluation shows that, with appropriate system design and model tuning, user requests of varying complexity and abstraction can be interpreted with over 95% accuracy. Our results demonstrate the potential of LLMs to bridge the gap between human-friendly communication and precise network policy specification, laying the foundation for more autonomous and user-centric firewall management.

2. Anonymization of NetFlow-based Monitoring

Paul Prechtel | 2025 | M.Sc. Thesis | Supervisors: Prof. Dr. Frank Kargl, Prof. Dr. Franz J. Hauck | Universität Ulm

Network monitoring with NetFlow and IP Flow Information Export (IPFIX) flow records is ubiquitous among ISPs for gaining insight into the network, for example for determining link utilization, popular remote ASNs, or the frequency of specific failure situations. Flow records also provide a lightweight approximation of real network usage. However, few operators use privacy-preserving measures beyond IP address pseudonymization, and prior research approached IPFIX flow record anonymization by applying hand-written anonymization rules to each data field. Unfortunately, this approach does not reliably protect the privacy of end users, as deanonymization attacks have frequently shown. Although more recent research uses differential privacy for its mathematically guaranteed bound on worst-case information disclosure, it applies complicated variants whose usability for the typical ways ISPs use this data is questionable. To address this problem, this thesis applies the comparatively easy-to-understand bounded-sum differential privacy method to aggregate byte statistics that are already in use at a medium-sized ISP. The application of differential privacy is integrated into a modified Prometheus exporter so that it effectively serves as a drop-in replacement for the existing software stack. The exporter adds Laplace or Gaussian noise to each byte value on every Prometheus export call, and the amount of noise is controlled by varying the epsilon, delta, upper byte threshold, and scraping interval parameters. The results are unfortunately underwhelming: the added noise is too large for satisfactory usability. Nonetheless, the approach has the advantages of being explainable, easily integrable into existing IPFIX statistics pipelines, and allowing these statistics to be stored and published without fear of privacy leakage or legal trouble.

3. Design of a Technical and Operational Concept for Holistic Information Security in a Biotech Laboratory

Tobias Ziefle | 2024 | M.Sc. Thesis | Supervisors: Dr. Georg Wolff, Benjamin Steinert | Eberhard Karls Universität Tübingen

The biotechnology industry increasingly relies on interconnected, data-driven systems to accelerate research, drug development, and clinical trials. This dependence exposes biotech organizations to significant cybersecurity threats, particularly given the high value of sensitive patient data and intellectual property. This thesis presents a comprehensive information security framework tailored to the unique operational and regulatory requirements of biotech laboratories, with a focus on protecting legacy laboratory devices. The proposed security framework builds on the Zero Trust approach and is structured in five sections: a continuous information security life cycle, identity and access management, endpoint protection, network security, and backup and disaster recovery. Each component is specifically designed to safeguard valuable data assets and ensure operational resilience in an environment with limited IT resources. A SIEM system based on the Elastic Stack is implemented as part of the endpoint protection strategy to address vulnerabilities in legacy laboratory equipment. This system enables real-time threat detection and response, enhanced by Cyber Threat Intelligence (CTI) integration for enriched data analysis. A demonstration of the SIEM's capabilities in detecting a Meterpreter-based malware attack showcases the practical effectiveness of the security framework.

4. Design and Implementation of a Zero Trust User-Agent Policy Enforcement Point

Janek Schoffit | 2024 | M.Sc. Thesis | Supervisors: Prof. Dr. Michael Menth, Prof. Dr. Frank Kargl | Eberhard Karls Universität Tübingen

This thesis focuses on enhancing client security within a zero trust architecture by designing a user-agent policy enforcement point capable of managing client-side processes and regulating their network requests, thereby mitigating the risk of compromise to both the client and the network. To achieve this, a strategy is needed to prevent interference between processes and to control each network request independently, thus enhancing the overall security of the architecture. Previous research primarily focuses on the network architecture through the development of zero trust service function chaining, without addressing client security explicitly, a gap this thesis aims to fill. Compartmentalization through isolation technologies is used to prevent process and storage interference while enabling network segmentation, making it possible to authenticate and authorize network requests individually. Consequently, a design concept is devised and evaluated through a proof of concept that implements a generalized framework for communication with isolation technologies and enforces network policies via a proxy based on compartment and user identification. This approach minimizes the attack surface for malicious processes targeting the client or propagating within the network, as the user-agent policy enforcement point can manage compartment lifecycles based on request behaviour, thereby enhancing the overall security of the zero trust architecture.

5. Design and Implementation of a Modular High-Performance Threat Detection Pipeline using IPFIX Data

Janik Steegmüller | 2024 | M.Sc. Thesis | Supervisors: Gabriel Paradzik, Benjamin Steinert | Eberhard Karls Universität Tübingen

This thesis introduces a way of scaling the open-source intrusion detection system 'Maltrail' using the Internet Protocol Flow Information Export (IPFIX) protocol. Moreover, this work embeds Maltrail into a performant and extensible threat detection pipeline. With the increasing intensity and complexity of cyberattacks, detecting malicious activity in private networks is becoming more important. Network intrusion detection systems can be used for this purpose, monitoring network traffic and detecting malicious or unusual activity. Most open-source Intrusion Detection System (IDS) software is sufficient for small-scale networks but lacks the scaling capabilities required for enterprise or university networks. Thus, Malfix is developed in the course of this thesis, enabling Maltrail to analyze IPFIX flows and to leverage the scaling capabilities of IPFIX. For this, the IPFIX protocol is extended to support the transfer of Maltrail threat detection information. Additionally, using Malfix as the core IDS, an intrusion detection pipeline based on an event streaming architecture is designed and implemented. A profiler is used to detect performance bottlenecks in Malfix, and improvements are implemented to overcome them. Furthermore, the performance of Malfix is evaluated in terms of processing speed and efficiency by conducting various benchmarks. The results demonstrate its potential for production use at the University of Tübingen.

6. Centralized Detection of Shared Bottlenecks Between Competing Network Flows

Wilhelm Steffen | 2024 | B.Sc. Thesis | Supervisor: Michael König | Institute of Telematics, Karlsruhe Institute of Technology

7. Performance Evaluations of TCP in High Bandwidth Environments

Valentin Gretchenliev | 2024 | B.Sc. Thesis | Supervisor: Michael König | Institute of Telematics, Karlsruhe Institute of Technology

8. C3 Security: Protecting C3 Communication and Detecting Suspicious Sending Behavior

Daniel Hamann | 2024 | M.Sc. Thesis | Supervisor: Michael König | Institute of Telematics, Karlsruhe Institute of Technology

9. Examining QUIC Implementation Performance Through Unified Traffic Generation

Mihai Tanase | 2024 | B.Sc. Thesis | Supervisor: Michael König | Institute of Telematics, Karlsruhe Institute of Technology

10. Evaluation and Comparison of Block Lists Based on Public Threat Intelligence Feeds Using Network Traffic of the University of Tübingen in 2024

Emily List | 2024 | B.Sc. Thesis | Supervisor: Benjamin Steinert | Eberhard Karls Universität Tübingen

This thesis evaluates and compares twenty-one free text-based IP address threat intelligence feeds within a university context. It explores the topic of Cyber Threat Intelligence (CTI) and the use of TI feeds as block lists for proactive defence against cyber threats. The methodology involves selecting feeds based on timeliness, accuracy, reliability, usability, and effectiveness, combining qualitative web research with statistical analyses to evaluate and compare performance. The findings reveal that the selected feeds are heterogeneous in volume and accuracy, and some lack transparency in data acquisition. Usability analysis confirms that all feeds are manageable in size and format by modern hardware firewalls. The effectiveness analysis shows that over half of the feeds have a significant number of IP address hits within the university network. While most feeds are updated frequently, with high download reliability and good hit rates, many are not timely enough for proactive defence. The best-performing feeds can be integrated into a combined block list to deploy in the university network. Acknowledging limitations, the thesis suggests future research to expand the scope and validate findings across additional feeds and contexts.

11. TCP-C3: Accelerating TCP Congestion Control with C3

Jan Koppenhagen | 2024 | B.Sc. Thesis | Supervisor: Michael König | Institute of Telematics, Karlsruhe Institute of Technology

12. Test and Deployment Considerations of Distributed Active Performance Measurement Techniques in an ISP Backbone Network with Segment Routing Capabilities

Yannick Huber | 2024 | M.Sc. Thesis | Supervisors: Marco Häberle, Benjamin Steinert | Eberhard Karls Universität Tübingen

Active measurements are an essential tool for collecting end-to-end performance metrics inside data networks. However, the execution of active measurement tests can be costly and time-consuming. This thesis evaluates multiple ways of improving the use of active network performance measurements by exploring three different aspects. Firstly, the thesis examines the use of new SR-MPLS capabilities to measure the bandwidth of specific routes inside a network using only one host. Secondly, the use of the perfSONAR network measurement toolkit is evaluated for automating distributed measurements. Finally, the bandwidth limitations of existing browser-based speed tests are inspected. The use of new SR-MPLS capabilities for performance measurements is explored by developing a new speed test concept based on SR-MPLS. This concept allows a host to test the network by running bandwidth tests on a circular path back to itself. An implementation of this concept reaches average bandwidth speeds of up to 30.54 Gbps. The capabilities and challenges of the perfSONAR toolkit are explored in a lab environment to validate the usability of perfSONAR for automating distributed measurements. Examinations conducted in this lab setup are then used to show how perfSONAR can be used in a centrally managed deployment. For the browser-based speed tests, the bandwidth limitations of existing tests are explored in a 100 Gbps test setup. Measuring the maximum achievable bandwidth shows that the current limiting factor for browser-based speed tests is the browsers themselves. By using the librespeed-cli tool, the capabilities of the LibreSpeed test are probed without the limitations introduced by a browser. It is shown that LibreSpeed can reach an average total upload speed of 68.47 Gbps and an average download speed of 56.89 Gbps to a single host. These speeds are achieved by running an optimal number of parallel client instances of the librespeed-cli tool. It is also shown that the LibreSpeed server can reach a cumulative download speed of 90 Gbps when testing multiple clients running in parallel and distributed over different hosts.