PhD position on ‘Automated Detection of Security Vulnerabilities in Software’

We are offering a fully funded PhD position with a duration of four years for a motivated candidate eager to work at the intersection of cybersecurity, software engineering, and artificial intelligence.

About the project

Vulnerabilities in software products continue to be a major cybersecurity threat, enabling attackers to steal data, take over services, or disrupt critical infrastructure. Well-known examples are faulty memory management and injection attacks. While existing methods and tools for static and dynamic analysis are powerful for detecting vulnerabilities, they suffer from both theoretical and practical limitations. Their results are often plagued by false positives (reporting problems that are not real) and false negatives (missing real issues).

This PhD project aims to improve this situation. Our ultimate goal is to develop automated tools that support human analysts while minimizing the amounts of both false positives and false negatives. By combining static and dynamic analysis, using a balanced mix of AI with formal methods and testing techniques, we strive to make vulnerability detection more accurate, intelligent, explainable, and usable in practice. The project is cutting-edge research that has both scientific impact and practical application.

The PhD project is funded by the Open Universiteit, which is formally based in Heerlen. The project is supervised by a research team with strong expertise in the application of artificial intelligence for cybersecurity (prof. dr. Harald Vranken and dr. Mina Sheikhalishahi) as well as formal methods and software testing (prof. dr. Tanja Vos and dr. Tim Steenvoorden).

The PhD project will be carried out in close cooperation with the Digital Security group at Radboud University in Nijmegen. In daily practice, you will work as a PhD candidate in Nijmegen and interact with PhD candidates and staff of both Open Universiteit and Radboud University. Hence, you will benefit from the expertise of two respected universities.

Research challenges

Security vulnerabilities in software products can be detected by static analysis, where the source code is analysed without executing the software, and by dynamic analysis, where the software is executed and its runtime behaviour is analysed. There are many methods and tools available for both static and dynamic analysis. They are very powerful and widely applied, but they all suffer to some extend from both theoretical and practical limitations. These limitations cause that the analysis results can be either incomplete (due to false negatives, when actual vulnerabilities are not detected) or incorrect (due to false positives, when non-existing vulnerabilities are reported). False negatives that slip through are a security threat, while false positives hamper the usability of such tools. Current static analysis tools are configured to limit the amount of false positives, which comes at the cost of false negatives.

The main research challenge is to provide automated support to human analysts for assessing the correctness of the static analysis results. Providing automated support for weeding out false positives, not only improves usability, but also allows to reconfigure tool settings which can reduce false negatives and improve detection performance. To address this challenge, a mix of formal methods, AI methods, and testing methods can be applied in both static and dynamic analysis. For instance, formal methods can be applied to create abstract models to identify relevant paths in software code; AI methods can be applied to generate test cases for smart testing; testing methods can be applied to evaluate the dynamic behaviour.

Your role

As a PhD candidate, your main task is to conduct research and contribute to both scientific publications and practical tools with real-world relevance, which will lead to a PhD thesis. You will take courses or trainings to improve your knowledge and skills, collaborate closely with an enthusiastic project team with broad expertise, and interact with other PhD candidates and staff members at both Open Universiteit and Radboud University. You will also have the opportunity to contribute to teaching (up to 20% of your time).

We are looking for an enthusiastic and motivated candidate with:

• a MSc degree (or equivalent) in computer science or artificial intelligence, or a closely related field such as mathematics
• background in (or willingness to learn about): software engineering, software security, software testing, formal methods, and/or AI
• interest in research with practical relevance
• strong analytical and problem-solving skills
• ability to work independently as well as to collaborate in a team
• excellent communication skills in English (spoken and written)
• knowledge of Dutch is preferred, but not mandatory.

Salary

The salary is determined in accordance with salary scale P of Appendix A of the Collective Labour Agreement of Dutch Universities and ranges from € 3.059,-- gross per month upon commencement to € 3.881,-- gross per month in the fourth and final year, in case of full employment.

The PhD candidate will be appointed for a period of 15 months. The appointment will be extended to 4 years when progress and performance are good. A PhD training program is part of the agreement.

Station

Heerlen.

Flexible studying anywhere in the Netherlands and (Belgium) Flanders
The Open Universiteit is the part-time university in the Netherlands. Students follow personalised and activating academic distance education and disciplinary research is carried out within the various fields of science. Students can complete bachelor and master programmes, but also shorter programmes. The characteristics of education are openness, flexibility and quality (see www.ou.nl/rankings). The Open Universiteit has over 17,000 students and more than 850 employees. The OU has branches in the Netherlands and Belgium (see www.ou.nl/studiecentra). The main office is located in Heerlen.

The latest technologies and educational insights are applied both in the bachelor's and master's programmes and courses and in projects and programmes with partners. Nationally and internationally, the OU plays an important role in the innovation of higher education. Education is interwoven with research, which also ensures that the current state of science is incorporated. The Open Universiteit invests not only in disciplinary research in nine scientific fields, but also in research in a multidisciplinary programme: Innovating for resilience.

The faculty of Science is one of the six faculties of the Open Universiteit. Education, research and valorisation are the main tasks. The faculty offers academic bachelor and master programmes in the fields of Computer Science, Information Science, and Environmental Sciences, including a recently developed Artificial Intelligence master programme (started February 2022). The faculty’s research programme focuses on Innovating for Resilience. The faculty has Ph.D.-students who conduct research on various current topics within the research programme. As a result of the interdisciplinary focus on education and research, as well as the close link with practice, work at our faculty provides many innovative and challenging opportunities for entrepreneurial researchers.

Department of Computer Science
The Department of Computer Science is an ambitious and enthusiastic group of approximately 40 people (33 FTE), broadly focused on improving the impact of computers and computer science on society. The department’s research program “Towards high-quality and intelligent software” (2020–2025) consists of four research lines, focusing on:

1. Techniques for quality assurance of software systems
2. Software and computer system security, and privacy-by-design
3. Responsible artificial intelligence, including methods and applications of AI
4. Educational tools and computing education