Master Thesis - Industrial Intrusion Detection System

The former IT security centers EC SPRIDE and CASED, funded by the German Federal Government and the State of Hesse, respectively, have been united to bundle their strengths in the “Center for Research in Security and Privacy” (CRISP). Under the core topic “Security at Large”, its research activities focus on the study of security for large systems, starting with their individual components up to their interaction within comprehensive security solutions.

What we expect from you

  • Motivation to learn about specialized architectures and protocols
  • Experience with networks and their security
  • Experience with data processing and parser development

What you can expect from us

Industrial Control Systems (ICS) and the architecture surrounding them are becoming increasingly connected in the currently developing fourth industrial revolution (Industry 4.0). Instead of a computerized production plant we now have "Smart Factories" that embrace the Internet of Things and Cloud Computing. Together with the increased openness of production comes a greater need for security, since systems may become easier to reach for competitors or state-level adversaries in cyber war scenarios.
In order to protect a factory and ensure its ongoing production without any interruption, it is vital to detect attacks as quickly as possible to stop an attacker from spreading inside the factory network. However, it is crucial that any protection feature or device inside this network does not interfere with the availability of the whole system, since production outages are very costly. Thus, a reasonable approach is employing an Intrusion Detection System (IDS) that can work on copies of the communication packets that are being exchanged in a secured network.
In contrast to the usual computer networks we see in office environments, networks in ICS scenarios transport a different set of protocols. This set contains a wide variety of protocols, each uniquely tailored to fulfill a certain demand (e.g. real-time capabilities, suitability for small embedded devices). On top of that, most of the protocols are designed to just carry numbers whose interpretation is up to the receiver.
As a result of this diversity, an Industrial IDS must have additional capabilities when analyzing the data streams it encounters. The focus of this thesis proposal is on the feasibility of implementing these capabilities with the following steps:
  • Feasibility of building parsers for most industrial protocols based on parser definition languages (e.g. P4 [1], BinPAC [2], Spicy [3])
  • Creation of tools or extension of these languages to enable interpretation of the values transported by the protocols
  • Creation of rules that work on these interpretations to generate events and alerts
The thesis title and tasks will be adjusted/specified after the interview based on the experiences and study qualifications of the successful applicant.

Fraunhofer is Europe’s largest application-oriented research organization. Our research efforts are geared entirely to people’s needs: health, security, communication, energy and the environment. As a result, the work undertaken by our researchers and developers has a significant impact on people’s lives. We are creative. We shape technology. We design products. We improve methods and techniques. We open up new vistas.

Please apply online or send an email to:

Fraunhofer SIT
Rheinstraße 75
64295 Darmstadt
Pedro Larbig
E-Mail: pedro.larbig[at]
Phone: 06151 869 242

Job Reference: SIT-2017-3 Closing Date: