Internships and Master's theses

            Since 1999, Open Systems has regularly offered internships and Master's thesis support to students from ETH Zurich, EPF Lausanne and other universities. This way, students gain work experience, while Open Systems benefits from their interesting and innovative ideas.


            Extracting Cyber Threat Intelligence from the Internet Background Noise
            by Thomas Mizraji

            Master's Thesis ETH Lausanne
            Network Architecture Lab
            School of Computer and Communication Sciences
            March 2017

            Because the deployed firewall policies follow the implicit deny model, unsolicited traffic from the internet, also known as Internet Background Radiation (IBR) or Internet Background Noise (IBN), is blocked. The goal of this research is to use the 4000 devices that are part of the Mission Control Security Services around the world as a global sensor network to monitor and analyze internet activity by logging, collecting and correlating blocked unsolicited traffic from the internet.

            Read more (pdf)

            Network Anomaly Detection in Global WAN Environments
            by Ketevani Zaridze

            Master's Thesis ETH Lausanne
            School of Computer and Communication Sciences
            March 2017

            Modern global Wide Area Networks (WANs) are encountering a growing number of cyber threats. Safe and secure communication, along with availability and stability, are important factors for today's corporate, private or public networks, but relying only on perimeter security systems is ineffective, as they do not have the capability to prevent all malicious network activity. Network traffic analytics can be used to compensate for the shortcomings of the traditional methods: logs generated by distributed sensors within the infrastructure are collected, and anomaly detection and behavioral profiling methods are applied to identify potentially malicious activity. Network anomaly detectors can help the operator recognize suspicious network activities that can be caused not only by attacks but also by system misconfiguration or failures.

            Read more (pdf)

            Automated Risk Score for Large-Scale Network Intrusion Detection
            by Pedro Mendez Montejano

            Master's Thesis ETH Zurich
            Department of Computer Science
            September 2016

            This master's thesis presents an end-to-end system which predicts the risk value imposed by a host inside a network. The proposed system is composed of two modules: the analysis module and the risk prediction module. The former employs unsupervised learning techniques to analyze security events. The latter uses a random forest classifier to predict the risk value of a host. The input data for both components is a new set of categorical and statistical variables defined in this work. Those variables are extracted from data provided by the intrusion detection system and the network traffic collector. By combining these two data sources, we are able to extract a risk and network profile of the host.
            The proposed system is able to identify hosts with high, medium, low and very low risk levels. An analysis of the accuracy of its predictions is presented. Furthermore, by focusing on hosts with higher predicted risk levels instead of security alerts, the number of alerts and false positives can be reduced, and we present results with the percentage of reduction.

            Read more (pdf)

            goProbe: a Scalable Distributed Network Monitoring Solution
            by Lennart Elsen, Fabian Kohn, Christian Decker and Roger Wattenhofer

            Paper based on Master's Thesis ETH Zurich
            Distributed Computing Group
            December 2015

            This paper describes a decentralized approach, eliminating the need for a central collector and storing local views of network traffic patterns on the respective devices performing the capture. In order to allow for the analysis of captured data, queries formulated by analysts are distributed across all devices. Processing takes place in a parallelized fashion on the respective local data. Consequently, instead of continually transferring raw metadata, significantly smaller aggregate results are sent to a central location, where they are combined into the requested final result. The proposed system is a lightweight and scalable monitoring solution that enables the efficient use of available system resources on the distributed devices, hence allowing for high-performance, real-time traffic analysis on a global scale. The solution was implemented and deployed globally on hosts managed and maintained by a large managed network security services provider.

            Read more (pdf)

            Passive Collection and Analysis of SSL/TLS Connections and Certificates
            by Fabian Zeindler

            Master's Thesis ETH Zurich
            Department of Computer Science
            May 2015

            Secure communication on the internet is based upon one of our most security-critical ecosystems, the X.509 Public Key Infrastructure (PKI). In recent years, numerous incidents, attacks and new findings severely weakened the trust in the present system.
            By examining 7 months of HTTPS connection data, passively logged at over 600 geographically distributed vantage points on the infrastructure of a globally operating managed security provider, we take a closer look at the current state of the PKI landscape. In our comprehensive analysis we examine the properties of X.509 certificates, HTTPS connections, as well as the PKI and Certificate Authority (CA) system in general.

            Read more (pdf)

            Source meta-information authentication along adaptive network paths for policy enforcement
            by Lukas Limacher

            Master's Thesis ETH Zurich
            Network Security Group D-INFK
            July 2015

            Source authentication is an important concept in networking which can be used to construct higher-level secure systems. However, building such systems has proven to be challenging in today’s internet due to the prevalence of IP address spoofing. Proposed solutions attempting to address this problem are not efficient, as they (1) need a lot of computational resources to provide source authentication or (2) do not take into account network properties for efficient routing.

            Read more (pdf)

            Messaging Challenges in a Globally Distributed Network
            by Raphael Thomas Seebacher

            Master's Thesis ETH Zurich
            Department of Computer Engineering and Networks Laboratory
            September 2013

            When operating more than 2600 hosts distributed in over 180 countries around the globe, as is the case for Mission Control Security Services of Open Systems AG, efficient messaging is absolutely crucial in order to be able to monitor hosts, detect and react to incidents and, hence, to remain in control. With the current messaging architecture reaching its limits, this Master's thesis investigates this architecture's properties in order to design, prototype and evaluate a next-generation architecture.

            Read more (pdf)

            Analysis of the SSL-Certificate Landscape and Proposal for an Extended Validation Method
            by Nicolas Rüegg

            Master's Thesis ETH Zurich
            Department of Computer Science
            April 2013

            During the past years, adversaries repeatedly induced trusted public key certification authorities (CAs) to illegitimately issue certificates for well-known domains to them. This severely weakened trust in the certification authority system. One of the major problems is that domain owners cannot restrict which certification authorities can issue their certificates.
            This work aims at increasing trust in a domain's authenticity by employing an extended certificate validation method which can be used immediately without changes to the current infrastructure.

            Read more (pdf)

            Visualization of virtual private networks in network management systems
            by Florian S. Gysin

            Master's Thesis ETH Lausanne, EPFL
            School of Computer and Communication Sciences
            March 2013

            We employ user centered design techniques to improve the usability of a set of tools for visualizing and configuring VPN networks at Open Systems AG. Through user and task analysis we identify user goals and tasks and uncover issues with the existing platform. This platform uses an adjacency matrix to visualize networks and we show that it does not adequately support users in their tasks. Through rapid prototyping and usability-driven design, we propose a new set of different tools, each responsible for the visualization of a certain aspect of VPN networks important to the user. The proposed designs include a geographical node-link diagram, a node-link based path inspector and a separate editor view. They are evaluated in a user study at Open Systems AG and have been shown to provide good support for users performing tasks on VPN networks. In an outlook on future work, we propose how to proceed from here on and introduce the idea of multiple coordinated views to combine the separate tools into one framework.

            Read more (pdf)

            Highly available Virtual Machines in Global Wide Area Networks
            by Lukas Frelich

            Master's Thesis ETH Lausanne, EPFL
            School of Computer and Communication Sciences
            September 2012

            Current virtualization platforms have greatly simplified the implementation of high availability. Instead of specifically designing a particular service, we can set a whole virtual machine, including all its services, to be highly available. However, as those solutions require shared storage among the cluster nodes, their use is limited to fast local area networks. In this thesis we look into how these concepts could be extended to clusters whose nodes are geographically separated and connected only through a slow network. We focus on the core problem of replacing shared storage with synchronized independent storages. To provide an efficient and fast means of synchronization, we have designed and developed SyncedFS, a FUSE file system which logs activity on the files to speed up the synchronization. To assess the performance of SyncedFS, we compare it in different network setups to DRBD and GlusterFS, which are widely used solutions for this task. The results of our experiments show that SyncedFS performs very well in setups where the network throughput is considerably smaller than the write data transfer rate of the storage used.

            Read more (pdf)

            Automatic Rating of VPN Links
            by Guido Hungerbühler

            Master's Thesis ETH Zurich
            Department of Computer Engineering and Networks Laboratory
            March 2012

            Understanding VPN tunnel performance is crucial in helping to improve the quality of globally distributed networks. If we know the performance of every individual tunnel, we are able to spot problems and pinpoint bottlenecks in the network. We present a novel way of analyzing and visualizing the long-term performance of VPN tunnels. By using geographical clustering of VPN endpoints, we found that tunnels which connect similar regions also show performance characteristics that are alike. This makes it possible to define performance baselines with respect to specific regions.
            Furthermore, it enables the detection of individual connections that constantly perform below standard. The proposed method takes advantage of globally spread networks with multiple links between distinct regions. We developed a ready-to-use prototype, which rates VPN tunnels and visualizes problems in the network.

            Read more (pdf)

            Application-Level Network Performance Monitoring
            by Manuel Stich

            Master's Thesis ETH Lausanne, EPFL
            School of Computer and Communication Sciences
            September 2011

            The end-to-end network performance in a globally distributed company network has an important impact on the overall performance of business-critical applications. It is, therefore, of high interest to be able to continuously monitor the end-to-end network performance. This thesis proposes a distributed, passive monitoring system capable of measuring end-to-end performance and finding out which link is responsible for how much delay.

            Read more (pdf)

            Detection of Bad Performance in VPN Tunnels
            by Jonas Wagner

            Master's Thesis ETH Lausanne, EPFL
            School of Computer and Communication Sciences
            March 2011

            The quality of these VPN connections is very important for the Mission Control customers, as business-critical applications are running over them (e.g. SAP, Voice over IP, Video Conferencing). A broken or bad connection may lead to a situation where people cannot work efficiently and processes can no longer be followed. Therefore, monitoring these connections is very important in order to react proactively and take first steps to fix the problem. This thesis evaluates methodologies for the automatic detection of bad tunnel performance.

            Read more (pdf)

            Event Correlation Engine
            by Andreas Müller

            Master's Thesis ETH Zurich
            Department of Computer Engineering and Networks Laboratory
            August 2009

            As modern IT systems running on distributed platforms tend to become more and more complex, the required management effort grows as well, and it is no longer economical to manage a complete system manually. This thesis investigates the use of a correlation engine in the context of a global network offering various services, as a means to facilitate the monitoring of the network and of the individual services.

            Read more (pdf)

            Rating Autonomous Systems
            by Laurent Zimmerli

            Master's Thesis ETH Zurich
            Department of Computer Engineering and Networks Laboratory
            August 2008

            The quality of end-to-end connections over the internet depends on the quality of the traversed Autonomous Systems. In this thesis, we developed an approach to rate Autonomous Systems by their quality. The approach is based on traceroute measurement data. Rating Autonomous Systems supports real-time internet debugging and helps determine high quality ISPs.

            Read more (pdf)

            Signature-based Extrusion Detection
            by Cecile Luessi

            Master's Thesis ETH Zurich
            Department of Computer Engineering and Networks Laboratory
            August 2008

            An «Intrusion Detection System (IDS)» is an important component for the comprehensive protection of a company network. Unfortunately, a great number of false alarms make the application of an IDS difficult. This thesis investigates whether the outbound traffic of an infected host can be used to detect intrusion and, if so, how this can be done. Its focus lies on the distinction between attempted and successful attacks.

            Read more (pdf)

            Security Policy Compliance at VPN Sites
            by Patrik Bless

            Master's Thesis ETH Lausanne, EPFL
            October 2006

            Computing environments continue to grow more insecure by the day. A myriad of threats of all kinds menace corporate, governmental, and even private information system infrastructures. In order to support security officers and engineers, a policy toolbox was developed for the Mission Control Security Gateway Service.

            Read more (pdf)

            Automatic Monitoring of Internet Service Provider (ISP) Topologies
            by Janneth Malibago

            Master's Thesis ETH Zurich
            Department of Computer Engineering and Networks Laboratory
            August 2006

            Manual, real-time debugging is the standard solution for solving internet connectivity problems. In this thesis, a long-term monitoring strategy is pursued that continuously monitors internet routing paths with traceroute. By correlating route changes and latency variations, the reason for connectivity outages, e.g. re-routing via another ISP, can be quickly determined.

            Read more (pdf)

            Passive Measurement of Network Quality
            by Dominique Giger

            Project Thesis ETH Zurich
            Department of Computer Engineering and Networks Laboratory
            May 2006

            Traditionally, network latency and packet loss statistics are gathered by doing active ping probes. The passive technique proposed in this thesis calculates these statistics by analyzing the actual VPN traffic in real time. Tests show that this is a viable method for very accurate, non-intrusive statistics measurement.

            Read more (pdf)

            Scan Detection Based Identification of Worm Infected Hosts
            by Christoph Göldi and Roman Hiestand

            Master's Thesis ETH Zurich
            Department of Computer Engineering and Networks Laboratory
            April 2005

            The number of new worms on the internet is increasing rapidly. Worm infections cause traffic overloads in office networks and congestion of internet links, which cost the industry several billion dollars yearly. A generic worm detection algorithm based on the analysis of worm scan traffic has been implemented. Tests have shown that worms are detected in a short time and with a very low false positive rate. The developed detection method enables affected companies to react quickly to worm infections and thus helps prevent major financial losses.

            Read more (pdf)

            Smart Intrusion Detection
            by Thomas Singer and Rolf Sigg

            Master's Thesis ETH Zurich
            Department of Computer Engineering and Networks Laboratory
            March 2001

            Intrusion detection is the art of detecting inappropriate, incorrect, or anomalous activity on computers and computer networks. Today, the majority of intrusion detection systems try to accomplish this task by acting something like a virus scanner. They look at captured network packets or system logs in order to find occurrences of patterns...

            Read more (pdf)