Stephan Kleber

Stephan Kleber schloss sein Informatikstudium an der Universität Ulm im Jahr 2011 mit dem Master of Science ab. Bis 2012 arbeitete er im Rechenzentrum des Universitätsklinikums Ulm (ZIK). In dieser Zeit betreute er auch Lehrveranstaltungen und Abschlußarbeiten im Institut für Medieninformatik im Bereich IT-Security und Privacy. 2012/2013 arbeitete er in einer Kooperation zwischen dem Institut für Organisation und Management von Informationssystemen und dem Institut für Verteilte Systeme als akademischer Mitarbeiter am bwGRiD-Portalprojekt mit. Von 2013 bis 2018 war er akademischer Mitarbeiter im Institut für Verteilte Systeme.

Seit 2019 arbeitet Stephan Kleber als Security Architect bei Daimler TSS, während er seine Promotion vorantreibt.


Ich interessiere mich generell für Security und Privacy in IT-Systemen.

Meine Schwerpunkte liegen in den Bereichen:

  • Analyse von Netzwerkprotokollen und Protocol Reverse Engineering
  • Einsatz von Physisch(en) Unkopierbaren Funktionen - Physical(ly) Unclonable Functions (PUFs)
  • Sicherheit drahtloser Kommunikation, insbesondere bei Implantierbaren Medizingeräten (Implantable Medical Devices, IMDs)

Daneben bin ich auch interessiert an den Bereichen:

  • Security und Forensik von Mobilen Geräten
  • Privacyimplikationen bei der Nutzung Mobiler Geräte
  • Malware Analyse
  • Penetration Testing
  • Sicherheit von Web-Technologien

Seit 2008 nehme ich regelmäßig am iCTF der UCSB im Team Ulm Security Sparrows der Universität Ulm teil.



Kleber, S. and Kargl, F. 2022. Refining Network Message Segmentation with Principal Component Analysis. Proceedings of the tenth annual IEEE Conference on Communications and Network Security (Austin, TX, USA, Oct. 2022).
Reverse engineering of undocumented protocols is a common task in security analyses of networked services. The communication itself, captured in traffic traces, contains much of the necessary information to perform such a protocol reverse engineering. The comprehension of the format of unknown messages is of particular interest for binary protocols that are not human-readable. One major challenge is to discover probable fields in a message as the basis for further analyses. Given a set of messages, split into segments of bytes by an existing segmenter, we propose a method to refine the approximation of the field inference. We use principle component analysis (PCA) to discover linearly correlated variance between sets of message segments. We relocate the boundaries of the initial coarse segmentation to more accurately match with the true fields. We perform different evaluations of our method to show its benefit for the message format inference and subsequent analysis tasks from literature that depend on the message format. We can achieve a median improvement of the message format accuracy across different real-world protocols by up to 100 %.
Kleber, S., Stute, M., Hollick, M. and Kargl, F. 2022. Network Message Field Type Classification and Recognition for Unknown Binary Protocols. Proceedings of the DSN Workshop on Data-Centric Dependability and Security (Baltimore, Maryland, USA, Jun. 2022).
Reverse engineering of unknown network protocols based on recorded traffic traces enables security analyses and debugging of undocumented network services. In particular for binary protocols, existing approaches (1) lack comprehensive methods to classify or determine the data type of a discovered segment in a message, e.,g., a number, timestamp, or network address, that would allow for a semantic interpretation and (2) have strong assumptions that prevent analysis of lower-layer protocols often found in IoT or mobile systems. In this paper, we propose the first generic method for analyzing unknown messages from binary protocols to reveal the data types in message fields. To this end, we split messages into segments of bytes and use their vector interpretation to calculate similarities. These can be used to create clusters of segments with the same type and, moreover, to recognize specific data types based on the clusters' characteristics. Our extensive evaluation shows that our method provides precise classification in most cases and a data-type-recognition precision of up to 100% at reasonable recall, improving the state-of-the-art by a factor between 1.3 and 3.7 in realistic scenarios. We open-source our implementation to facilitate follow-up works.


Kröll, T., Kleber, S., Kargl, F., Hollick, M. and Classen, J. 2021. ARIstoteles - Dissecting Apple’s Baseband Interface. Proceedings of the European Symposium on Research in Computer Security (2021).
Wireless chips and interfaces expose a substantial remote attack surface. As of today, most cellular baseband security research is performed on the Android ecosystem, leaving a huge gap on Apple devices. With iOS jailbreaks, last-generation wireless chips become fairly accessible for performance and security research. Yet, iPhones were never intended to be used as a research platform, and chips and interfaces are undocumented. One protocol to interface with such chips is Apple Remote Invocation (ARI), which interacts with the central phone component CommCenter and multiple user-space daemons, thereby posing a Remote Code Execution (RCE) attack surface. We are the first to reverse-engineer and fuzz-test the ARI interface on iOS. Our Ghidra scripts automatically generate a Wireshark dissector, called ARIstoteles, by parsing closed-source iOS libraries for this undocumented protocol. Moreover, we compare the quality of the dissector to fully-automated approaches based on static trace analysis. Finally, we fuzz the ARI interface based on our reverse-engineering results. The fuzzing results indicate that ARI does not only lack public security research but also has not been well-tested by Apple. By releasing ARIstoteles open-source, we also aim to facilitate similar research in the future.


Kleber, S., Heijden, R.W. van der and Kargl, F. 2020. Message Type Identification of Binary Network Protocols using Continuous Segment Similarity. Proceedings of the Conference on Computer Communications (2020).
Protocol reverse engineering based on traffic traces infers the behavior of unknown network protocols by analyzing observable network messages. To perform correct deduction of message semantics or behavior analysis, accurate message type identification is an essential first step. However, identifying message types is particularly difficult for binary protocols, whose structural features are hidden in their densely packed data representation. In this paper, we leverage the intrinsic structural features of binary protocols and propose an accurate method for discriminating message types. Our approach uses a continuous similarity measure by comparing feature vectors where vector elements correspond to the fields in a message, rather than discrete byte values. This enables a better recognition of structural patterns, which remain hidden when only exact value matches are considered. We combine Hirschberg alignment with DBSCAN as cluster algorithm to yield a novel inference mechanism. By applying novel autoconfiguration schemes, we do not require manually configured parameters for the analysis of an unknown protocol, as required by earlier approaches. Results of our evaluations show that our approach has considerable advantages in message type identification result quality but also execution performance over previous approaches.


Kleber, S. and Kargl, F. 2019. Poster: Network Message Field Type Recognition. Proceedings of the 26th Conference on Computer and Communications Security (London, UK, Nov. 2019), 2581–2583.


Lukaseder, T., Stölze, K., Kleber, S., Erb, B. and Kargl, F. 2018. An SDN-based Approach for Defending Against Reflective DDoS Attacks. 2018 IEEE 43th Conference on Local Computer Networks (2018). (acceptance rate: 28%)
Distributed Reflective Denial of Service (DRDoS) attacks are an immanent threat to Internet services. The potential scale of such attacks became apparent in March 2018 when a memcached-based attack peaked at 1.7 Tbps. Novel services built upon UDP increase the need for automated mitigation mechanisms that react to attacks without prior knowledge of the actual application protocols used. With the flexibility that software-defined networks offer, we developed a new approach for defending against DRDoS attacks; it not only protects against arbitrary DRDoS attacks but is also transparent for the attack target and can be used without assistance of the target host operator. The approach provides a robust mitigation system which is protocol-agnostic and effective in the defense against DRDoS attacks.

Betreuung von Abschlussarbeiten

Gerne übernehme ich die Betreuung von Bachelor-, Master- und Diplomarbeiten aus dem Themenfeld meiner Forschungsinteressen. Themenvorschläge finden sich unter Abschlußarbeiten. Eigene Vorschläge sind herzlich willkommen.


Übungen zu Vorlesungen

(Pro-)Seminare, Praktika und Projektmodule

Stephan Kleber, M. Sc.

Stephan Kleber, M. Sc.
Stephan Kleber, M. Sc.

Mercedes-Benz Tech Innovation

externer Doktorand
Institut für Verteilte Systeme
Universität Ulm
Albert-Einstein-Allee 11
89081 Ulm

Vereinbart bitte per Email einen Termin mit mir