InternetSecurityWatch
InternetSecurityWatch consists of three subprojects that investigate Internet services, their security, and attacker behavior. We examine the Internet from several perspectives:
- As a host with vulnerable services (honeypot)
- As a host monitoring unused IP addresses (network telescope)
- As an Internet scanner
The following sections provide a detailed description of all three projects.
Honeypot
A large portion of global Internet communication relies on publicly accessible services, such as web and mail servers. Some of these services are unintentionally exposed to the Internet or are updated only irregularly, making them especially interesting targets for attackers. Researchers are also interested in the diversity of services accessible on the Internet. To gain an overview of Internet services, both attackers and researchers use scanners that probe the IP address space for reachable services.
To study who uses Internet scanners, we have deployed services on Internet-connected servers that exist solely to be scanned and attacked, so-called honeypots. To make the honeypots attractive to scanners and attackers, they are intentionally configured insecurely or simulate infrastructure that is interesting for attackers. All scans and interactions with the honeypots are recorded, allowing us to analyze them afterward. This includes examining who is scanning our honeypots and how the scans are performed, for example, the intervals between scans and which ports are targeted.
Publications:
- M. Schramm, N. Lohmiller, S. Kaniewski, and T. Heer, “I Still Know Who You Scanned Last Summer: An Update on the Landscape of Internet Scanners,” in Computation and Communication for Smart Systems Symposium (C2S3), Esslingen, Germany, Apr. 2025.
- J. Mayer, M. Schramm, L. Bechtel, N. Lohmiller, S. Kaniewski, M. Menth, and T. Heer, “I Know Who You Scanned Last Summer: Mapping the Landscape of Internet-Wide Scanners,” in IFIP Networking, Thessaloniki, Greece, Jun. 2024, doi: 10.23919/IFIPNetworking62109.2024.10619808.
Network Telescope
Network telescopes monitor unused IP address space. “Unused” means that no packets are expected in this range, as no services are running to process them. In reality, however, packets do arrive. These packets must therefore originate from Internet scans, DDoS backscatter, or misconfigurations. We operate a server that captures incoming packets in this unused IP address space. The captured packets are then analyzed to gain a better understanding of the behavior of Internet scanners and attackers.
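The honeypot and network telescope sections both describe the same analysis step: grouping captured packets by source and looking at the intervals between probes and the ports or addresses targeted. The following Python script is an added illustration of that step, not code from the project; the log format (timestamp, source, destination, port, protocol) and the sample records are constructed, and the horizontal/vertical labels are a simplification of how scanner behaviour is usually classified.

```python
"""Summarise scanner behaviour from packet records of a honeypot or telescope.

Added example, not the project's code. The whitespace-separated record format is
an assumption; a real deployment would read pcap or flow exports instead.
"""
from collections import defaultdict
from datetime import datetime, timezone
from statistics import median

# Constructed sample records: ISO timestamp, source IP, destination IP, dest port, protocol.
# 203.0.113.5 sweeps one port across many hosts; 198.51.100.7 probes many ports on one host.
SAMPLE_LOG = """\
2025-03-01T10:00:00Z 203.0.113.5 192.0.2.10 22 tcp
2025-03-01T10:00:01Z 203.0.113.5 192.0.2.11 22 tcp
2025-03-01T10:00:02Z 203.0.113.5 192.0.2.12 22 tcp
2025-03-01T10:00:03Z 203.0.113.5 192.0.2.13 22 tcp
2025-03-01T10:05:00Z 198.51.100.7 192.0.2.10 21 tcp
2025-03-01T10:05:00Z 198.51.100.7 192.0.2.10 22 tcp
2025-03-01T10:05:01Z 198.51.100.7 192.0.2.10 80 tcp
2025-03-01T10:05:01Z 198.51.100.7 192.0.2.10 443 tcp
2025-03-01T10:05:02Z 198.51.100.7 192.0.2.10 8080 tcp
2025-03-01T11:00:00Z 192.0.2.200 192.0.2.10 53 udp
"""


def parse_log(text):
    """Parse the constructed record format into (datetime, src, dst, dport, proto) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, proto = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        records.append((when, src, dst, int(dport), proto))
    return records


def summarise_sources(records, min_packets=2):
    """Per source address: packet count, distinct targets, ports, median inter-probe gap, scan kind."""
    by_src = defaultdict(list)
    for rec in records:
        by_src[rec[1]].append(rec)

    summary = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r[0])
        targets = {r[2] for r in recs}
        ports = {r[3] for r in recs}
        # Seconds between consecutive packets from this source; the median is robust
        # to a single long pause between two scan bursts.
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(recs, recs[1:])]
        if len(recs) < min_packets:
            kind = "single-packet"
        elif len(targets) > 1 and len(ports) == 1:
            kind = "horizontal"  # one port across many hosts
        elif len(targets) == 1 and len(ports) > 1:
            kind = "vertical"  # many ports on one host
        else:
            kind = "mixed"
        summary[src] = {
            "packets": len(recs),
            "targets": len(targets),
            "ports": sorted(ports),
            "median_interval_s": median(gaps) if gaps else None,
            "kind": kind,
        }
    return summary


if __name__ == "__main__":
    for src, info in summarise_sources(parse_log(SAMPLE_LOG)).items():
        print(src, info)
```

On a real telescope the single-packet category is large (misconfigurations and DDoS backscatter land there), so the `min_packets` threshold is the first filter applied before looking at intervals and port choice.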
Internet Scanner
Anyone operating services such as web or mail servers on the Internet should ensure that these services are always up to date and securely configured. Otherwise, there is a risk that attackers could exploit vulnerabilities to compromise the underlying infrastructure.
In this project, we monitor whether administrators regularly update Internet-facing services and whether updates are applied promptly after a new release or the disclosure of a security vulnerability. We also examine which algorithms are offered by the servers to secure connections (encryption, signatures, etc.) during connection establishment, and whether these meet current best practices or even exceed them. This allows us to draw conclusions about the overall security of services on the Internet. To collect information on Internet services, we use an Internet scanner that is continuously being expanded. One of the main challenges is handling the large volumes of data generated in the process.
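The patch-discipline measurement described above boils down to joining two time series: the release dates of a product's versions and the version a host was observed running on each scan. The Python below is an added example of that join, not the project's scanner; the product, its version numbers, release dates and the per-host observations are all constructed. It reports, per version, the days between release and the first scan that showed it, and the share of scans on which the host was behind the latest release at that time.

```python
"""Patch latency from periodic version observations of one host.

Added example, not the project's code. All versions, release dates and scan
observations below are constructed.
"""
from datetime import date


def version_key(ver):
    """Turn '2.4.10' into (2, 4, 10) so versions compare numerically, not lexically."""
    return tuple(int(p) for p in ver.split("."))


# Constructed release history of a fictional server product.
RELEASES = {
    "2.4.1": date(2024, 1, 10),
    "2.4.2": date(2024, 3, 5),
    "2.4.3": date(2024, 6, 20),
}

# Constructed: version banner seen on one host on successive scan dates.
OBSERVATIONS = [
    (date(2024, 1, 15), "2.4.1"),
    (date(2024, 3, 10), "2.4.1"),
    (date(2024, 4, 1), "2.4.2"),
    (date(2024, 7, 1), "2.4.3"),
]


def latest_release_at(releases, when):
    """Highest version whose release date is on or before `when` (None if nothing released yet)."""
    candidates = [v for v, d in releases.items() if d <= when]
    return max(candidates, key=version_key) if candidates else None


def patch_latency_days(observations, releases):
    """Days from each version's release to the first scan that observed it.

    Because scans are periodic, this is an upper bound: the host may have
    updated any time between the previous scan and the one that saw the new version.
    """
    first_seen = {}
    for when, ver in sorted(observations):
        first_seen.setdefault(ver, when)
    return {
        ver: (seen - releases[ver]).days
        for ver, seen in first_seen.items()
        if ver in releases
    }


def outdated_fraction(observations, releases):
    """Share of scans on which the observed version was older than the latest release."""
    behind = 0
    for when, ver in observations:
        latest = latest_release_at(releases, when)
        if latest is not None and version_key(ver) < version_key(latest):
            behind += 1
    return behind / len(observations) if observations else 0.0


if __name__ == "__main__":
    print(patch_latency_days(OBSERVATIONS, RELEASES))
    print(outdated_fraction(OBSERVATIONS, RELEASES))
```

In the constructed data the host is scanned only every few weeks, which is why the latency figures are upper bounds; a shorter scan interval tightens them at the cost of more data to store, the volume problem the section mentions.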
Publications:
- R. Müller, J. Ruppert, K. Will, L. Wüsteney, and T. Heer, “Analyzing the Software Patch Discipline Across Different Industries and Countries,” Datenschutz und Datensicherheit – DuD, vol. 46, no. 5, May 2022, doi: 10.1007/s11623-022-1602-y.
- R. Müller, J. Ruppert, K. Will, L. Wüsteney, and T. Heer, “Analyzing the Software Patch Discipline Across Different Industries and Countries,” in Sicherheit, Karlsruhe, Germany, Apr. 2022, doi: 10.18420/sicherheit2022_10.
Dependencies in Industrial Networks
With the convergence of IT and OT networks, industrial networks are becoming increasingly complex, making it difficult for administrators to maintain a clear overview. One aspect of this complexity is the dependencies between devices and services within the network. A dependency exists, for example, when the control of an industrial robot relies on information about a part to be processed from another service in the network. Understanding these dependencies is crucial to assess their impact on production in the event of a failure and to implement preventive measures to avoid downtime. If a failure does occur and production is affected, knowledge of these dependencies allows the problem to be identified and resolved, or worked around, more quickly.
The goal of this project is to analyze the data transmitted within the network to identify and examine communication relationships, and thus dependencies, between devices and services. The focus is on communication standards increasingly used in industrial networks, such as MQTT, OPC UA, and OPC UA PubSub. Additionally, we are developing a testbed with a simulated industrial process to generate network traffic for analysis.
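For a publish/subscribe protocol such as MQTT, the communication relationships the section talks about are not visible as direct client-to-client flows: a consumer depends on whichever publishers feed the topics it subscribes to, and subscriptions may use the `+` and `#` wildcards. The Python below is an added example of deriving that dependency graph from observed publish and subscribe operations and then answering the failure question (which consumers are affected if a device stops). It is not the project's code; the device names, topics and operations are constructed, and the topic-filter matching follows the MQTT wildcard rules.

```python
"""Derive device dependencies from observed MQTT publish/subscribe operations.

Added example, not the project's code. The flow records are constructed; in a
real testbed they would be extracted from captured MQTT control packets.
"""
from collections import defaultdict, deque

# Constructed observations: (client id, operation, topic or topic filter).
FLOWS = [
    ("sensor-1", "PUBLISH", "plant/line1/part"),
    ("vision-cam", "PUBLISH", "plant/line1/part"),
    ("robot-ctrl", "SUBSCRIBE", "plant/line1/part"),
    ("robot-ctrl", "PUBLISH", "plant/line1/robot/status"),
    ("scada", "SUBSCRIBE", "plant/line1/+/status"),  # single-level wildcard
    ("historian", "SUBSCRIBE", "plant/#"),  # multi-level wildcard
]


def topic_matches(topic_filter, topic):
    """MQTT filter matching: '+' matches exactly one level, '#' matches the remainder."""
    f_parts = topic_filter.split("/")
    t_parts = topic.split("/")
    for i, part in enumerate(f_parts):
        if part == "#":
            return True
        if i >= len(t_parts):
            return False
        if part != "+" and part != t_parts[i]:
            return False
    return len(f_parts) == len(t_parts)


def build_dependencies(flows):
    """Map each subscriber to the set of publishers whose topics reach it.

    A subscriber depends on a publisher if any published topic matches any of
    the subscriber's filters. Self-dependencies (a client consuming its own
    topic) are ignored.
    """
    published = defaultdict(set)  # client -> topics it publishes
    subscribed = defaultdict(set)  # client -> filters it subscribes to
    for client, op, topic in flows:
        if op == "PUBLISH":
            published[client].add(topic)
        elif op == "SUBSCRIBE":
            subscribed[client].add(topic)

    deps = defaultdict(set)
    for consumer, filters in subscribed.items():
        for producer, topics in published.items():
            if producer == consumer:
                continue
            if any(topic_matches(f, t) for f in filters for t in topics):
                deps[consumer].add(producer)
    return dict(deps)


def impact_of_failure(deps, failed):
    """All clients transitively dependent on `failed` (the consumers that lose their input)."""
    dependents = defaultdict(set)  # producer -> direct consumers
    for consumer, producers in deps.items():
        for producer in producers:
            dependents[producer].add(consumer)

    affected, queue = set(), deque([failed])
    while queue:
        current = queue.popleft()
        for consumer in dependents.get(current, ()):
            if consumer not in affected:
                affected.add(consumer)
                queue.append(consumer)
    return affected


if __name__ == "__main__":
    graph = build_dependencies(FLOWS)
    for consumer, producers in sorted(graph.items()):
        print(consumer, "depends on", sorted(producers))
    print("if sensor-1 fails:", sorted(impact_of_failure(graph, "sensor-1")))
```

Note that `scada` never exchanges a packet with `sensor-1`, yet it is in the failure impact set via `robot-ctrl`; that indirect dependency is exactly what a flow-level view of the network misses.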
LLM-assisted Vulnerability Detection
The increasing adoption of large language models (LLMs), such as ChatGPT and GitHub Copilot, has improved efficiency in software development, particularly in code generation. Despite their advantages, code generated by LLMs often contains security vulnerabilities that can be exploited by attackers. At the same time, the overall number of vulnerabilities continues to rise: in 2024, over 40,000 publicly disclosed cybersecurity vulnerabilities were reported. Ensuring software quality and security therefore requires efficient and scalable vulnerability management processes. A promising approach is to leverage the language understanding capabilities of LLMs for vulnerability management.
As part of this research project, we investigate methods for using LLMs to detect vulnerabilities in project code. Among other things, we study how to best prepare code and vulnerability data for the language understanding capabilities of LLMs, how to handle the learning of new vulnerabilities, and how to efficiently detect different types of vulnerabilities across diverse code structures and programming styles.
Publications:
- S. Kaniewski, D. Holstein, F. Schmidt, and T. Heer, “Vulnerability Handling of AI-Generated Code – Existing Solutions and Open Challenges,” in Conference on Artificial Intelligence x Science, Engineering, and Technology (AIxSET), Laguna Hills, California, USA, Oct. 2024, doi: 10.1109/AIxSET62544.2024.00026.
Wireless PQC
Wireless communication has become indispensable in many areas, such as the Industrial Internet of Things (IIoT), enterprise networks, and everyday private use. Because data is transmitted over the air, these systems are inherently more vulnerable to eavesdropping and targeted attacks, especially if appropriate security mechanisms are not implemented.
Most wireless systems currently rely on asymmetric cryptographic methods such as RSA, Diffie-Hellman, or elliptic-curve cryptography, primarily for key exchange and authentication. However, these methods are considered insecure against future quantum computers, which could efficiently solve the underlying mathematical problems using Shor’s algorithm. This creates an urgent need for post-quantum cryptography (PQC) methods.
PQC algorithms are designed to resist attacks by quantum computers but often involve higher computational and communication overhead. This presents a particular challenge for wireless systems with limited resources.
The goal of this project is to investigate which post-quantum cryptography algorithms are best suited for various wireless protocols, such as Wi-Fi, Zigbee, or Bluetooth. Selected PQC alternatives will be implemented and tested within these protocols to gain a better understanding of the practical transition to post-quantum cryptography.