Job description
In recent years, machine learning (ML) solutions are increasingly being deployed in Security Operations Centres (SOCs) to enhance security coverage, and to reduce the number of missed attacks. Not only do these ML systems create many false positives, it is often very difficult to understand how they work in the first place. Moreover, the forensic analysis of incidents and incident response are largely manual procedures, leading to analyst burnout and ‘alert fatigue'.
The objective of this PhD project is to create ‘AI-assisted practitioners' for incident response by developing novel ML algorithms that reduce analyst workload and provide decision-making assistance. We propose to develop explainable ML algorithms that summarize large volumes of observable data (intrusion alerts, network & system logs) in order to discover contextually meaningful patterns from them. The student will explore multi-modal learning and generative AI to produce actionable explanations from these discovered patterns that are tailored to the operator's expertise. The evaluation of these algorithms will be done under closed-world and open-world settings. For the closed-world setting, a major challenge is the lack of suitable datasets to evaluate ML models. The student will set up a testbed together with our industry collaborators for the collection of intrusion alert datasets. For the open-world setting, the student will deploy these algorithms in real SOC environments in order to measure the extent of workload reduction experienced by security analysts. In doing so, we aim to develop technologies that are not only novel but also have real-world applications.
The PhD student will be embedded within the Semantics, Cybersecurity, and Services (SCS) group at University of Twente. The student will have the opportunity to participate in internships and/or collaboration with industry partners under the TUCCR initiative. The SCS group offers a stimulating, supportive, and diverse research environment, as well as plenty of opportunities for personal and professional growth.
Department
Digitalization brings many new opportunities for businesses and governments by fostering the development of innovative online services. However, this development also brings new challenges, notably in terms of intelligence, interoperability, security, and privacy. The mission of the Semantics, Cybersecurity and Services (SCS) group is to advance the development of innovative online services with improved quality through context-alignment and with reduced security and privacy threats.
SCS is part of the Twente University Centre for Cybersecurity Research (TUCCR), a public-private partnership where experts, professionals, entrepreneurs, researchers, and students from industry and knowledge partners collaborate to deliver talents, innovations, and know-how in the domain of cybersecurity. The mission of TUCCR is to strengthen the security and digital sovereignty of our society by performing top-level research on real-world data, systems, and network security challenges. To achieve significant societal impact, TUCCR combines technical, socio-economic, and ethical know-how and is equipped with state-of-the-art infrastructure, ranging from security labs, testbeds, and data lakes. Key outputs include innovation in the form of technologies, tools, minimum viable products, start-ups, top-tier scientific publications, as well as first-class graduates at Bachelor, Master, and PhD level. TUCCR’s founding partners are Betaalvereniging Nederland, BetterBe, Cisco, NCSC, NDIX, Northwave, SIDN, SURF, Thales, TNO, and the University of Twente.