CS5900.tbd

Malware Analysis and Communication

Seminar Malware Analysis and Communication (Bachelor)
Research Trends in Malware Analysis and Communication (Master)

Malware Analysis and Communication is a dynamic field of research focused on the deep technical investigation of malicious software, with a special emphasis on how malware communicates. Understanding the intricate communication protocols, stealth techniques, and infrastructure used by malware is fundamental to detecting threats, analyzing their impact, and developing effective countermeasures. Therefore, this seminar aims to equip students with the skills to dissect and understand these complex communication mechanisms and to analyze the malicious software that employs them.

In this seminar, we will dive into the core of malware operations. You will explore a variety of advanced topics, such as the architecture of command-and-control (C2) systems, sophisticated malware protocols, and techniques like traffic morphing and code obfuscation used to evade detection. Beyond the purely technical, we will also examine the human factors involved, such as the usability of the analysis tools security professionals rely on to investigate these threats. The primary learning objective is to develop skills in academic research and writing. You will learn how to structure research findings, write a high-quality paper, and present your work effectively for discussion.

The central task of this seminar is to research an advanced topic, write a seminar paper, and prepare a presentation under our guidance. Your final evaluation will be based on the quality of your written paper, your oral presentation, and your active participation in class discussions, reflecting both your research and communication skills.

The following list describes the topics. The actual topics to be worked on are parts of these subject areas and are assigned individually via Moodle.

Themes

This research area examines the evolution of malware command-and-control infrastructures. Early malware relied on simple, centralized models like IRC or HTTP, making them vulnerable to single-point-of-failure takedowns. Modern malware, however, employs far more resilient and stealthy communication strategies. Research in this field investigates decentralized peer-to-peer (P2P) botnets that lack a central server, the use of legitimate online services (e.g., social media, cloud storage, code repositories) as C2 channels, and the rise of fast-flux networks. The goal is to understand how these architectures work, how they provide resilience against takedown efforts, and to develop new methods for tracking, mapping, and disrupting these advanced C2 networks.

This topic focuses on the methods malware uses to hide its communication from network security tools like firewalls and intrusion detection systems (IDS). The core challenge for defenders is to distinguish malicious traffic from legitimate user activity. This research area explores techniques such as custom encryption protocols to hide C2 commands, traffic morphing to change the communication's signature constantly, and Domain Generation Algorithms (DGAs) to create thousands of potential C2 domains, making blacklisting ineffective. Analyzing these techniques requires a deep understanding of cryptography, network protocols, and reverse engineering to uncover the underlying patterns and build more intelligent detection systems.

While C2 is about controlling malware, data exfiltration is about stealing information. This research area investigates “covert channels”: communication methods that abuse legitimate protocols in unintended ways to sneak data out of a network. This includes techniques like DNS tunneling, where data is hidden in DNS queries, or ICMP tunneling, which uses ping requests. More advanced methods may even involve network steganography, hiding data within the headers of ordinary-looking network packets or inside images and other media files. The focus is on detecting these low-and-slow data leaks that are designed to fly under the radar of traditional security monitoring.

Even with the best automated tools, a human analyst is often the last line of defense in understanding a complex malware campaign. This topic explores the intersection of malware communication analysis and human-computer interaction. It investigates the usability and cognitive load of network forensic tools (like Wireshark or Suricata), the effectiveness of different data visualization techniques for identifying malicious patterns in network traffic, and the mental models analysts use to track sophisticated attackers. The goal is to design better tools and processes that reduce analyst fatigue, minimize human error, and accelerate the process of turning raw network data into actionable threat intelligence.

Prof. Dr. Steffen Wendzel

  • Room: 5209 (O27)

M.Sc. Julia Lenz

  • Room: 5406 (026)

Organisational Information

Next course start: Winter semester 2025/26
Frequency: every 2nd semester

Location: tbd

Time: tbd

ECTS: 4

Seminar: (2 contact hours per week); written seminar paper, presentation materials, and presentation as part of a seminar talk

Registration via the central seminar allocation tool on Moodle(todo) by tbd.

The actual topic assignment takes place in our internal Moodle(todo) course.

Bachelor: preferably in English

Master: English

Topics can only be worked on individually. To obtain all credits, a seminar paper must be written and a presentation followed by a discussion is required.

Degree programs: B.Sc. and M.Sc. in Computer Science, Media Informatics, Software Engineering

Quick Info
  • LSF(todo)
  • Moodle(todo)

The seminar materials can be found in our Moodle course.