Malicious actors increasingly abuse the Domain Name System (DNS) by registering new domains for phishing, malware distribution, and other cybercriminal activities.
The speed and volume of these registrations pose a persistent challenge for defenders, who are often forced into a reactive cycle; they also waste resources on a scale
that affects the sustainability of the DNS. By the time a malicious domain is flagged by threat intelligence feeds, damage has often already occurred, exposing the limitations of current
detection timelines.
This reactive posture is worsened by a visibility gap in the DNS ecosystem. A lack of transparency in registration data, coupled with the short-lived nature of many malicious domains,
leaves defenders blind to early-stage abuse. Adversaries exploit this opacity to avoid attribution and disrupt detection workflows, often discarding domains within hours of activation.
This project aims to close this gap by developing methods that identify malicious domains closer to their inception, as soon as indicators of compromise surface. Building on our
prior work using public data sources such as Certificate Transparency (CT) logs, the Ph.D. candidate will design and implement techniques to flag suspicious registrations in near real time, helping shift the response model from reactive to proactive. The goal is to increase transparency and
trust in the DNS namespace.
Key research activities will include applying machine learning and graph-based techniques to uncover patterns indicative of malicious behavior in early DNS, TLS, and infrastructure signals;
building large-scale, real-time measurement systems; developing models to assess the risk of new domains before harm occurs; and validating these approaches against community and industry
benchmarks. The work combines network measurements, data science, and systems security, with an emphasis on reproducibility and real-world impact.
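As an added illustration of the kind of early-warning pipeline described above (CT-log observations turned into lexical and infrastructure signals, then a risk score), the following Python example is not part of the project description or any prior work it refers to. The input records, the suspicious-token list, the burst window and the score weights are all constructed assumptions for demonstration; a real system would use a public-suffix list, learned weights, and live CT-log streams rather than an inline sample.

```python
import re
from collections import defaultdict

# Constructed CT-log-style observations (hypothetical names under reserved
# "example" labels; not real registrations and not real log data).
SAMPLE_CT_RECORDS = [
    {"domain": "login-secure-verify-account.example-test.top", "issuer": "issuer-a", "ts": 1700000000},
    {"domain": "update-bank-login-7731.example-test.top",      "issuer": "issuer-a", "ts": 1700000120},
    {"domain": "verify-wallet-9921.example-test.top",          "issuer": "issuer-a", "ts": 1700000200},
    {"domain": "www.example.org",                              "issuer": "issuer-b", "ts": 1700000300},
    {"domain": "mail.university.example",                      "issuer": "issuer-b", "ts": 1700100000},
]

# Assumed heuristics and weights, chosen for illustration; a deployed model would learn them.
SUSPICIOUS_TOKENS = {"login", "secure", "verify", "account", "update", "wallet", "bank"}
BURST_WINDOW_S = 600   # certificates logged within this window are treated as one burst
BURST_MIN = 3          # minimum cluster size for the burst signal to fire
FLAG_THRESHOLD = 3.0   # scores at or above this are surfaced for review


def split_name(domain):
    """Return (labels left of the TLD joined with '.', tld).
    Approximates the public suffix by the last label only (assumption)."""
    parts = domain.lower().strip(".").split(".")
    return ".".join(parts[:-1]), parts[-1]


def lexical_score(domain):
    """Lexical signals: phishing vocabulary, long hyphen chains, digit padding."""
    name, _ = split_name(domain)
    tokens = [t for t in re.split(r"[.\-_]", name) if t]
    score, reasons = 0.0, []
    hits = [t for t in tokens if t in SUSPICIOUS_TOKENS]
    if hits:
        score += float(len(hits))
        reasons.append("keywords:" + ",".join(hits))
    hyphens = name.count("-")
    if hyphens >= 3:
        score += 1.0
        reasons.append(f"hyphens:{hyphens}")
    compact = name.replace(".", "")
    digit_ratio = sum(ch.isdigit() for ch in compact) / max(len(compact), 1)
    if digit_ratio >= 0.1:
        score += 1.0
        reasons.append(f"digit_ratio:{digit_ratio:.2f}")
    return score, reasons


def burst_clusters(records):
    """Infrastructure signal: for each record, how many records share its
    (issuer, tld) pair and were logged within BURST_WINDOW_S of it."""
    groups = defaultdict(list)
    for r in records:
        groups[(r["issuer"], split_name(r["domain"])[1])].append(r["ts"])
    sizes = {}
    for r in records:
        key = (r["issuer"], split_name(r["domain"])[1])
        sizes[r["domain"]] = sum(1 for t in groups[key] if abs(t - r["ts"]) <= BURST_WINDOW_S)
    return sizes


def triage(records):
    """Combine lexical and burst signals into a score plus human-readable reasons."""
    sizes = burst_clusters(records)
    out = {}
    for r in records:
        score, reasons = lexical_score(r["domain"])
        if sizes[r["domain"]] >= BURST_MIN:
            score += 2.0
            reasons.append(f"burst:{sizes[r['domain']]}")
        out[r["domain"]] = {"score": score, "reasons": reasons}
    return out


def flagged(records, threshold=FLAG_THRESHOLD):
    """Domains whose score reaches the threshold, highest score first."""
    t = triage(records)
    return sorted((d for d, v in t.items() if v["score"] >= threshold),
                  key=lambda d: -t[d]["score"])


if __name__ == "__main__":
    for d, v in triage(SAMPLE_CT_RECORDS).items():
        print(f"{v['score']:4.1f}  {d:48s} {' '.join(v['reasons'])}")
```

The reasons list is what an analyst sees alongside the score, so every contributing signal stays explainable; the burst signal is the simplest form of the infrastructure clustering the project mentions, and the same grouping key could be extended to shared IP addresses or registrant fingerprints where those are available.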
This research builds on existing collaborations with national and international partners, including leading research institutes, threat intelligence providers, and public recursive resolvers.