PhD topic: Securing Future Networked Infrastructures through Dynamic Normal Behaviour Profiling

Since its inception, the Internet has been inherently insecure. Over the years, much progress has been made in the areas of information encryption and authentication. However, infrastructure and resource protection against anomalous and attack behaviour are still major open challenges. This is exacerbated further by the advent of Cloud Computing where resources are collocated over virtualised data centre infrastructures, and the number and magnitude of security threats are amplified.

Current techniques for statistical, network-wide anomaly detection are offline and static, relying on the classical Machine Learning paradigm of collecting a corpus of training data with which to train the system. There is thus no ability to adapt to changing network and traffic characteristics without collecting a new corpus and re-training the system. Assumptions as to the characteristics of the data are crude: that measured features are independent (as in a Naïve Bayes classifier), or that projections that maximise the variance within the features (PCA) will naturally reveal anomalies. Moreover, there is currently no framework for profiling the evolving normal behaviour of networked infrastructures and identifying anomalies as deviations from such normality.

The overarching objective of this PhD project is to design a network-wide anomaly detection framework that will be able to operate on (and integrate) partial data, work in short timescales, and detect previously unseen anomalies. The work will bridge machine learning with experimental systems research, and will evaluate the devised mechanisms over real-world virtualised networked environments and traffic workloads.

The student will use recent developments in statistical ML to develop flexible probabilistic models that can capture the rapidly evolving view of the network. For example, Dirichlet Process priors for mixture models allow new clusters to emerge as new behaviours are observed.

On the systems side, the student will develop traffic monitoring, accounting, and analysis modules that will be distributed and deployed on-demand across the network. These modules will synthesise information and construct network-wide traffic views, allowing characteristics learnt at one point in the network to be used elsewhere.

The research will be jointly supervised by academics from the Embedded Networked and Distributed Systems (ENDS) and the Inference Dynamics and Interaction (IDI) groups at the School of Computing Science, and will be conducted as part of the Networked Systems Research Laboratory. The student will be given access to actual Internet traffic traces, and a state-of-the-art virtualised testbed with fully programmable platforms at all software and hardware layers to experiment with.

The work will span some very vibrant and cross-disciplinary research areas, and the student will be equipped with skills that are in high demand in Machine Learning, CyberSecurity and next generation network architectures.

Competitive scholarships are available for UK/EU students (and a very limited number for students from elsewhere).

Contact Dr Dimitrios Pezaros if you want to discuss the above PhD project further.

Details of how to apply can be found on the Postgraduate research opportunities page.