Network Security Research

Today, network security relies largely on systems techniques like secure protocols and rule/pattern-based methods.

We are applying statistical, decision theoretic, pattern recognition, and machine learning techniques to the automated and adaptive analysis of network traffic. We focus on

  • Identification and remediation of DDoS attacks and intrusion attempts (zero-day exploits)
  • Behavioral analysis and anomaly detection
  • Traffic modeling and forecasting in networks
  • Early warning in critical infrastructures

DDoS Remediation

DDoS attacks are among the most threatening assaults on the Internet today. Servers are flooded with a tremendous number of nonsense requests from thousands of clients in order to cause a server overload or even a crash. Usually, a single attacker controls a powerful (bot) network of PCs infected with trojan horses and lets them attack a web service simultaneously without the knowledge of the PC owners. DDoS attacks seriously harm e-businesses such as web shops, online auctions and online banking, or simply damage a company's image. Massive DDoS attacks may also harm the IP network itself, for example by congesting links of an Internet Service Provider (ISP).

The fact that the requests originate from computers all over the world and might even look like legitimate request messages makes it very hard to filter or firewall them in a classical way.

Nevertheless, the requests are machine generated and not initiated by a human. Our new approach to detecting and preventing DDoS attacks aims to detect the anomaly patterns that result from these machine-generated packets. To this end, we use pattern recognition methods to identify and filter the non-legitimate packets based on multiple parameters, such as routing information, origin networks, coherences in document structures and many others.

Our remediation research is part of the Deutsche Telekom Laboratories project NetCentric Security. For network monitoring, which forms the basis of this project, we also cooperate closely with the Fraunhofer FOKUS institute and use their OpenIMP software.

A demo video and further information can be found on our detailed NetCentric Security project page.

A web demo to generate firewall filter rules against DDoS attacks can be found on the IP Density Estimation demo page.

Botnet Traffic Simulator (BoNeSi)

Simulating DDoS traffic from bot networks is fairly easy as long as source IP addresses can be spoofed (SYN, UDP or ICMP floods). Simulating a TCP-based botnet requires implementing a very fast TCP stack. BoNeSi, our botnet simulator, is able to simulate a TCP-based HTTP-GET flood on a victim. Since non-spoofed IP connections require a correct routing setup, this tool can only be used in closed testbed setups. We are able to establish several thousand HTTP connections from different IP addresses from just a single host running BoNeSi, which makes this tool well suited to simulating advanced bot networks. It can be used to test firewall systems, routing hardware, DDoS mitigation systems or web servers directly.

BoNeSi is Open Source. Further information and downloads can be found on the BoNeSi project homepage.

Apache Traffic Replay Generator (repache)

Repache replays Apache logfiles in a network. Repache takes a previously recorded Apache logfile and generates the TCP packets, including handshake, request and connection teardown, with the recorded IP address. The advantage of repache is that it preserves the original IP address and can therefore be used to test IP geolocation services, intrusion detection systems and web servers under realistic conditions.

Repache and further documentation can be found on the repache project homepage.

High Performance Traffic Shaping for Linux (nf-HiShape)

nf-HiShape is a kernel module for traffic shaping according to source IP address. It limits the bandwidth usage of user-defined IP address ranges and was implemented with high-performance operation and ease of use as design constraints. The kernel module hooks into the netfilter (nf) code of the Linux kernel and can be used on any standard PC. The focus of nf-HiShape is that it can be used to define thousands of rules (IP ranges) with multiple bandwidth settings, which is not possible with Linux tc, for example. This enables new application scenarios such as traffic shaping of countries or flexible DDoS mitigation.

The nf-HiShape software consists of the kernel module itself and a user-land tool for its configuration. Further information can be found on the nf-HiShape project homepage.
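To illustrate the idea of per-range bandwidth rules described above, here is an added user-space model in Python; it is not nf-HiShape's code or its configuration syntax. The token-bucket algorithm, the binary search over sorted range starts, the class name `RangeShaper` and the rule tuple layout are all assumptions of this example.

```python
import bisect
import ipaddress


class RangeShaper:
    """Token bucket per source-address range (illustrative model, not kernel code)."""

    def __init__(self, rules):
        # rules: (first_ip, last_ip, bytes_per_second, burst_bytes), non-overlapping
        self.rules = sorted(
            (int(ipaddress.IPv4Address(a)), int(ipaddress.IPv4Address(b)), rate, burst)
            for a, b, rate, burst in rules
        )
        # Sorted range starts allow an O(log n) lookup even with thousands of rules.
        self.starts = [r[0] for r in self.rules]
        # Bucket state per rule: [tokens available, time of last refill].
        self.state = [[float(r[3]), 0.0] for r in self.rules]

    def find_rule(self, src):
        """Index of the rule whose range contains src, or None."""
        n = int(ipaddress.IPv4Address(src))
        i = bisect.bisect_right(self.starts, n) - 1
        return i if i >= 0 and n <= self.rules[i][1] else None

    def conforms(self, src, size, now):
        """True if a packet of `size` bytes fits the budget of its range at time `now`.

        A shaper would queue or drop non-conforming packets; this model only decides.
        All sources inside one range share that range's bucket.
        """
        i = self.find_rule(src)
        if i is None:
            return True  # no rule matches: traffic is not limited
        _, _, rate, burst = self.rules[i]
        tokens, last = self.state[i]
        tokens = min(burst, tokens + (now - last) * rate)  # refill, capped at burst
        ok = size <= tokens
        self.state[i] = [tokens - size if ok else tokens, now]
        return ok


# Constructed rules: one range at 1000 B/s, another at 100 B/s.
SHAPER = RangeShaper([
    ("10.0.0.0", "10.0.255.255", 1000, 1000),
    ("192.0.2.0", "192.0.2.255", 100, 200),
])
```
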

Geo Location of IP addresses

Today, geo location services (identifying the country in which an IP address is located) are widely used, e.g. for determining the closest download mirror server or for restricting online TV applications due to national copyright contracts. Several commercial providers offer this data, but since the information is available for free in the databases of the Regional Internet Registries (RIRs), we decided to start an open source project, ip-countryside, to provide this information for free and keep it up to date.

The software is available on the ip-countryside project homepage and an online demo can be found here.
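As an added illustration of deriving country information from freely available RIR data (this is not ip-countryside's code), the following Python example parses the pipe-separated "delegated statistics" format that the RIRs publish and looks up addresses in the result. That this format is the input is an assumption of the example, and the sample records are constructed from documentation address ranges.

```python
import bisect
import ipaddress

# Constructed sample. Record layout: registry|cc|type|start|value|date|status
# For ipv4 records, "value" is the number of addresses, not a prefix length.
SAMPLE = """\
2|ripencc|20240101|4|19830705|20231231|+0100
ripencc|*|ipv4|*|3|summary
# comment lines and blank lines are ignored

ripencc|DE|ipv4|192.0.2.0|192|20100101|allocated
ripencc|FR|ipv4|192.0.2.192|64|20100101|assigned
ripencc|DE|ipv6|2001:db8::|32|20100101|allocated
ripencc||ipv4|198.51.100.0|256||available
ripencc|ES|ipv4|203.0.113.0|256|20100101|allocated
"""


def parse_delegated(text):
    """Return sorted (first, last, country) tuples for allocated/assigned IPv4 records."""
    ranges = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        f = line.split("|")
        # Skips the version header, summary lines, IPv6/ASN and unallocated space.
        if len(f) < 7 or f[2] != "ipv4" or f[6] not in ("allocated", "assigned"):
            continue
        try:
            first = int(ipaddress.IPv4Address(f[3]))
            count = int(f[4])
        except ValueError:
            continue  # malformed record
        if count > 0 and f[1]:
            # count need not be a power of two, so store an inclusive range, not a CIDR
            ranges.append((first, first + count - 1, f[1].upper()))
    ranges.sort()
    return ranges


def country_of(ip, ranges):
    """Country code for ip, or None if no delegation covers it."""
    n = int(ipaddress.IPv4Address(ip))
    i = bisect.bisect_right(ranges, (n, float("inf"), "")) - 1
    if i >= 0 and ranges[i][0] <= n <= ranges[i][1]:
        return ranges[i][2]
    return None


RANGES = parse_delegated(SAMPLE)
```
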


If you have any questions, please feel free to contact Markus Goldstein.


Our recent publications in this area are listed below.

Anomaly Detection in Large Datasets
Markus Goldstein
Pages 248,
PhD-Thesis, Dr. Hut, Technische Universität Kaiserslautern, München, 2/2014

Server-side Prediction of Source IP Addresses using Density Estimation
Markus Goldstein, Matthias Reif, Armin Stahl, Thomas Breuel
Availability, Reliability and Security, 2009. ARES 09. Fourth International Conference on, Pages 82-89, Fukuoka, Japan, IEEE Computer Society Press, 3/2009

Anomaly Detection by Combining Decision Trees and Parametric Densities
Matthias Reif, Markus Goldstein, Armin Stahl, Thomas Breuel
Pattern Recognition, 2008. ICPR 2008., Tampa, FL, USA, IEEE, 12/2008

High Performance Traffic Shaping for DDoS Mitigation
Markus Goldstein, Matthias Reif, Armin Stahl, Thomas Breuel
Proceedings of the 2008 ACM CoNEXT conference, Madrid, Spain, ACM, SIGCOMM, 12/2008

Bayes Optimal DDoS Mitigation by Adaptive History-Based IP Filtering
Markus Goldstein, Christoph Lampert, Matthias Reif, Armin Stahl, Thomas Breuel
Seventh International Conference on Networking, Pages 174-179, Cancun, Mexico, IEEE Computer Society, 4/2008

Last modified: 17.04.2015