In recent years, machine learning (ML) solutions are increasingly being deployed in Security Operations Centres (SOCs) to enhance security coverage, and to reduce the number of missed attacks. Not only do these ML systems create many false positives, it is often very difficult to understand how they work in the first place. Moreover, the forensic analysis of incidents and incident response are largely manual procedures, leading to analyst burnout and ‘alert fatigue'.

The objective of this PhD project is to create ‘AI-assisted practitioners' for incident response by developing novel ML algorithms that reduce analyst workload and provide decision-making assistance. We propose to develop explainable ML algorithms that summarize large volumes of observable data (intrusion alerts, network & system logs) in order to discover contextually meaningful patterns from them. The student will explore multi-modal learning and generative AI to produce actionable explanations from these discovered patterns that are tailored to the operator's expertise. The evaluation of these algorithms will be done under closed-world and open-world settings. For the closed-world setting, a major challenge is the lack of suitable datasets to evaluate ML models. The student will set up a testbed together with our industry collaborators for the collection of intrusion alert datasets. For the open-world setting, the student will deploy these algorithms in real SOC environments in order to measure the extent of workload reduction experienced by security analysts. In doing so, we aim to develop technologies that are not only novel but also have real-world applications.

The PhD student will be embedded within the Semantics, Cybersecurity, and Services (SCS) group at University of Twente. The student will have the opportunity to participate in internships and/or collaboration with industry partners under the TUCCR initiative. The SCS group offers a stimulating, supportive, and diverse research environment, as well as plenty of opportunities for personal and professional growth.

• You are a highly motivated and enthusiastic researcher, aspiring to do world-class research and have real-world impact.
• You have a MSc degree with excellent grades in computer science, or similar; Applications from students who are about to finish their MSc degree studies will be considered as well.
• You are interested in the domain of cybersecurity and have a solid background in systems security and/or data science/artificial intelligence; Some industrial experience in a cybersecurity role and prior experience with writing scientific papers are of additional advantage.
• You know your way around UNIX/Linux systems and can code in Python.
• You are curious and interested in learning how things work and how to make them better.
• You have a creative mind-set and excellent analytical and communication skills.
• You have good team spirit and like to work in an interdisciplinary and internationally oriented environment.
• You are proficient in English.

• As a PhD candidate at UT, you will be appointed to a full-time position for four years, with a qualifier in the first year, within a very stimulating and exciting scientific environment;
• The University offers a dynamic ecosystem with enthusiastic colleagues;
• Your salary and associated conditions are in accordance with the collective labour agreement for Dutch universities (CAO-NU);
• You will receive a gross monthly salary ranging from € 2.770,- (first year) to € 3.539,- (fourth year);
• There are excellent benefits including a holiday allowance of 8% of the gross annual salary, an end-of-year bonus of 8.3%, and a solid pension scheme;
• The flexibility to work (partially) from home;
• A minimum of 232 leave hours in case of full-time employment based on a formal workweek of 38 hours. A full-time employment in practice means 40 hours a week, therefore resulting in 96 extra leave hours on an annual basis;
• Free access to sports facilities on campus;
• A family-friendly institution that offers parental leave (both paid and unpaid);
• You will have a training programme as part of the Twente Graduate School where you and your supervisors will determine a plan for a suitable education and supervision;
• We encourage a high degree of responsibility and independence, while collaborating with close colleagues, researchers and other staff.

Digitalization brings many new opportunities for businesses and governments by fostering the development of innovative online services. However, this development also brings new challenges, notably in terms of intelligence, interoperability, security, and privacy. The mission of the Semantics, Cybersecurity and Services (SCS) group is to advance the development of innovative online services with improved quality through context-alignment and with reduced security and privacy threats.

SCS is part of the Twente University Centre for Cybersecurity Research (TUCCR), a public-private partnership where experts, professionals, entrepreneurs, researchers, and students from industry and knowledge partners collaborate to deliver talents, innovations, and know-how in the domain of cybersecurity. The mission of TUCCR is to strengthen the security and digital sovereignty of our society by performing top-level research on real-world data, systems, and network security challenges. To achieve significant societal impact, TUCCR combines technical, socio-economic, and ethical know-how and is equipped with state-of-the-art infrastructure, ranging from security labs, testbeds, and data lakes. Key outputs include innovation in the form of technologies, tools, minimum viable products, start-ups, top-tier scientific publications, as well as first-class graduates at Bachelor, Master, and PhD level. TUCCR’s founding partners are Betaalvereniging Nederland, BetterBe, Cisco, NCSC, NDIX, Northwave, SIDN, SURF, Thales, TNO, and the University of Twente.