Project Offerings

The network security group is always searching for top undergraduate and masters students. By doing your undergraduate or masters project in our group, you'll have the opportunity to influence the design of the SCION future Internet architecture. Projects vary in length and scope, but generally focus on theoretical and practical aspects of SCION or SCION-based systems including (but not limited to) the topics listed below. Please contact us at to discuss thesis, projects, and internship opportunities.

General Topic Areas
Based on students' background and interests, we will create a custom project in one or more of the following areas. All of the following projects have theoretical and practical aspects, and each project can be tweaked to vary between theory and practice.

Design of path selection and path quality prediction algorithms. This project can be done in collaboration with Open Systems, in residence at Open Systems for a starting date after June 2017. SCION allows clients to pick path segments to construct end-to-end paths. These paths are currently constructed based on simple metrics such as total path length or segment lifetime. This project will design algorithms to construct paths based on more sophisticated metrics (e.g., path cost, route diversity, latency). As SCION grows, the number of segments will grow, requiring highly efficient algorithms to quickly build paths.

SCION high-availability system on Open Systems Linux environment. This project can be done in collaboration with Open Systems, in residence at Open Systems for a starting date after June 2017. Open System operates hundreds of network probes throughout the Internet. How can these probes make use of the SCION secure communication infrastructure to obtain highly available communication, in case some network links fail or in case an adversary actively attempts to prevent communication (e.g., by mounting DDoS or prefix hijacking attacks)? Could anonymous communication mechanisms further help with achieving higher levels of availability to avoid traffic targeting?

Stealth scanning detector, regular scanning detector. This project can be done in collaboration with Open Systems, in residence at Open Systems for a starting date after June 2017. Stealth scanning detector (project to be completed at, or in collaboration with Open Systems). Open System operates hundreds of network probes throughout the Internet. Some adversaries attempt to perform covert network scanning, e.g., through stealth scanning or very low-rate scanning. How can we effectively and efficiently detect such scanning attacks? Can we detect the risk profile of a corporation based on the observed scanning behavior?

QUIC multipath (jointly supervised by Adrian Perrig and Brian Trammell). QUIC is a new transport protocol (using UDP) to speed up web page downloads as compared to TCP. QUIC with multipath communication can achieve even faster transmissions, and may also provide additional security properties such as DDoS resilience. The goal of the project is to enable QUIC to make use of SCION multipath connections.

Secure Bitcoin network communication (jointly supervised by Adrian Perrig and Prof. Laurent Vanbever (ITET)). The Bitcoin network can be attacked through network-level and routing attacks. Design a mechanism so that Bitcoin miners can make use of the SCION infrastructure to obtain highly reliable communication.

Next-generation network monitoring tools. Design protocols and applications to monitor and control (e.g., IDS, firewalls, visualization) network traffic at a large scale. Other aspects include user-facing display (e.g., as a browser extension) of network information such as network path or destination.

DDoS defense with SIBRA. How would SIBRA's resource allocation be performed? How would an edge router perform flow admission control and resource allocation on a per-domain basis? How would a server make use of SIBRA to defend against a real-world DDoS attack? How could an email provider make use of SIBRA (e.g., ProtonMail), in particular study if few clients make use of SCION/SIBRA.

Anonymous communication. Incremental deployment: how could a corporation leverage HORNET to hide their web searches from a web service even though that web service does not deploy HORNET? How could the ISPs be incentivized to deploy given regulatory requirements for assisting law enforcement?

Accountable and Private Network Architecture. Accountability and Privacy are conflicting properties that are desirable in Internet Architectures. We have proposed an architecture, APNA, that attempts to balance between the two properties by enlisting ISPs as accountability agents and privacy brokers. As a design principle, we believe the network should only provide the basic building blocks to protect the identity of the host at the network layer and that protocols at higher layers (e.g., transport layer) should provide stronger privacy properties (e.g., resiliency against timing analysis). In this model, a user would choose an appropriate transport protocol based on his/her privacy requirements. The goal of the project is three-folds: 1) Extend the current Linux Kernel implementation of APNA to implement a reliable transport protocol (e.g., TCP), 2) Analyze privacy requirements that users may have, and design privacy-preserving functionalities that can be added onto transport protocols. One will also need to consider/evaluate the consequences of introducing the proposed privacy functionalities into the existing transport protocols. 3) Implement the proposed transport protocols.

Pricing aspects. Given SCION's flexibility, identify viable economic deployment models for Internet Service Providers (ISPs). For example, selling guaranteed-bandwidth paths at a higher cost than best-effort paths. How can prices be determined? How quickly is pricing information disseminated? How can we avoid oscillations or fluctuations of flows? This multi-faceted problem space offers many interesting practical and theoretical challenges.

Public Key Infrastructures. Projects related to trust management at a global scale. For example, how to prevent attacks on roots of trust, how to efficiently update keys and certificates, and how to recover from key compromises. How could we structure a PKI for individuals to enable secure email communication?

Efficient implementations. Develop high-performance implementations of SCION infrastructure and services, possibly in low-level code. Also investigate the possibility of specialized networking stacks for higher performance. This project requires knowledge and passion for low-level kernel and/or assembly language programming.

Software verification. The design methods and tools to verify code correctness and adherence to specifications.

Privacy-preserving DNS. Complementary to our anonymity and PKI projects, design and implement a SCION-based DNS system that is scalable, secure, efficient, and does not leak private information.

Multi-path communication. Theoretical and implementation aspects of multi-path communication on SCION. Design of efficient congestion controls, kernel-level implementation, API for applications. Design mechanisms to automatically select paths based on type of traffic.

Quantum-crypto resilient secure routing. There has been renewed interest to construct secure routing systems based on purely symmetric functions, to avoid using public-key cryptographic systems that would be vulnerable to quantum computers. Given the regularity of the beaconing process and the structure of the routing system, SCION would be quite amenable to such an approach. To prepare to work in this direction, you can take a look at the following papers: BIBA, HORS, SPV, and Efficient Security Mechanisms for Routing Protocols.

SCION on Android. While SCION is currently being developed for servers, desktops, and routers, our goal is to eventually port the SCION codebase to various other platforms. This project aims to give Android devices the ability to connect to SCION-enabled services.

Content-centric network architecture. Information-Centric Networking (ICN) or Content-Centric Networking (CCN) architectures optimize the fetching of content objects. Since the majority of traffic on the current Internet is due to downloading of videos, a ICN/CCN architecture would reduce the total network overhead by serving frequently accessed objects from local caches. An interesting research challenge is to study how such an architecture can be efficiently implemented in a future Internet architecture. Content integrity and access privacy are two additional interesting security challenges in this context.


Lukas Widmer. High-speed continuous Bloom filter. Bachelor's thesis, October 2015. Advisors: Chen Chen and Dr. Adrian Perrig.

Michael Kurth. Fast mixing strategy at the network layer. Bachelor's thesis, September 2015. Advisors: Chen Chen and Dr. Adrian Perrig.

Dominik Roos. Implementation of Per-Flow Stateless Monitoring in Future Internet Architectures. Bachelor's thesis, September 2015. Advisors: Cristina Basescu, Yao Zhang, Dr. Pawel Szalachowski, and Dr. Adrian Perrig.

Lukas Limacher. Source meta-information authentication along adaptive network paths for policy enforcement. Masters thesis, August 2015. Advisors: Cristina Basescu and Dr. Adrian Perrig in collaboration with Open Systems AG.

Anton Ovchinnikov. Future Internet Architecture Testbed Management System. Masters thesis, August 2015. Advisors: Dr. Jean-Yves Le Boudec (EPFL), Dr. Pawel Szalachowski, and Dr. Adrian Perrig.

Pragnya Alatur. Implementation of a Stateless SDN Data Plane. Bachelor's thesis, August 2015. Advisors: Tae-Ho Lee, Christos Pappas, and Dr. Adrian Perrig.

Samuel Steffen. A Secure PKI Environment for Private Key Storage. Bachelor's thesis, July 2015. Advisors: Stephanos Matsumoto and Dr. Adrian Perrig.

Daniele E. Asoni. Secure High-Speed Anonymity Systems on Future Internet Architectures. Master's thesis, May 2015. Advisors: Dr. David Barrera and Dr. Adrian Perrig. Awarded the 2015 Information Security Society of Switzerland (ISSS) Excellence Award!

Lionel Bruchez. Highly Available and Reliable Name and Path Lookups in Future Internet Architectures. Master's thesis, April 2015. Advisors: Dr. David Barrera and Dr. Adrian Perrig.

Laurent Chuat. Efficient and Secure Gossip Protocols Based on Network Traffic. Master's thesis, October 2014. Advisors: Dr. Pawel Szalachowski, and Dr. Adrian Perrig.

Lin Chen. Accountable Key Infrastructure - Implementation. Master's thesis, June 2014. Advisors: Dr. Jean-Pierre Hubaux (EPFL), Dr. Pawel Szalachowski, and Dr. Adrian Perrig.

Lorenzo Baesso. Prototype of the Accountable Key Infrastructure. Master's thesis, May 2014. Advisors: Dr. Pawel Szalachowski, and Dr. Adrian Perrig. Awarded the 2014 Information Security Society of Switzerland (ISSS) Excellence Award!