Post doctoral position in Distributed, Explainable and Robust Anomaly Detection - 2 years

Organisation/Company Télécom SudParis Department TELECOM SUDPARIS Research Field Computer science Researcher Profile First Stage Researcher (R1) Positions PhD Positions Country France Application Deadline 31 Aug 2025 - 00:00 (Europe/Paris) Type of Contract Temporary Job Status Full-time Hours Per Week 40 Offer Starting Date 1 Sep 2025 Is the job funded through the EU Research Framework Programme? Not funded by a EU programme Is the Job related to staff position within a Research Infrastructure? No

ABOUT TELECOM SUDPARIS

Telecom SudParis is a public graduate school for engineering, which has been recognized on the highest level in the domain of digital technology. The quality of its courses is founded on the scientific excellence of its faculty and on teaching techniques that emphasize project management, innovation and intercultural understanding. Telecom SudParis is part of the Institut Mines-Telecom, the number one group of engineering schools in France, under the supervision of the Minister for Industry. Telecom SudParis with Ecole Polytechnique, ENSTA Paris, ENSAE Paris, ENPC and Telecom Paris are co-founders of the Institut Polytechnique de Paris, an institute of Science and Technology with an international vocation.Vidéo présentation de Télécom SudParis

MISSIONS:

Applications are increasingly exposed through Web interfaces to human users or through APIs to machines. In case they are badly designed, they may represent priority targets for attackers and lead to severe economical loss. It is thus necessary to develop API management solutions that integrate security by design. However, even when users are authenticated using a secure method, it cannot prevent malicious actions from compromised users. We then propose to detect attack behaviours from API or Web portal users. In particular, anomaly detection to secure APIs is an emerging research domain. Little concrete data is available to precisely characterize attacks. Therefore, a reasonable approach focusses on data about what is known, that is, legitimate user requests. But, these requests are sensitive as they are often human-generated and may contain secrets. And even if we would obtain such data, we may not prevent data poisoning that would perturb the training of an anomaly detector. It becomes crucial to understand what we want to represent and distinguish legitimate behaviours so as to produce a robust representation that an attacker could not imitate. Finally, learning on a dataset tends to overfit, and comes with additional challenges such as adversarial attacks or concept drift, that may induce classification errors. Many approaches may help in reducing errors such as incremental learning, privacy-preserving distributed learning (such as Federated Learning), contrastive learning, as well as other approaches such as Open Set Recognition.

ACTIVITIES:

In order to respect users’ privacy, we exploit a Federated Learning approach and delegate data collection and local detection to the API’s clients. We propose an approach robust to adversarial attacks, to minimize false positives, which can drastically occur in an environment with numerous requests. We also consider using adversarial ML, explainable AI and Open Set Learning to reduce false positives. These methods are more or less costly and induce delays that may hinder Federated Learning.

• Thus, in a first prototype, we will carry out off-line analysis, as can be done in legacy intrusion detection systems, where alerts are treated by a Security Incident and Event Management (SIEM).
• In a second use case, we will optimise the learning pipeline in order to reduce delay and propose a near-real-time detection, which enables reaction. The reaction will be more precise if we are able to learn new attack classes.

To evaluate the relevance and feasibility of the federated (even, contrastive) learning approach, we will rely on typical detection performance metrics but also evaluate the induced distributed deployment costs (scalability), and privacy threats to end users.

Level of training and / or experience required:

• PhD or Doctorat for less than 3 years

Essential skills, knowledge and experience:

• Experience in machine-learning based cybersecurity, in particular, intrusion detection
• Skills in Federated Learning
• English written and spoken

Advantageous skills, knowledge and experience:

• Skills in Adversarial Attacks
• Skills in explainable AI
• Skills in Open Set Learning
• Skills in Contrastive Learning
• Skills in Concep Drift

Abilities and skills:

• Rigor
• Autonomy
• Teamwork

Research Field Computer science

• Nature of the contract: Temporary contract / 24 months
• Category and profession of the position: II - P, Post-doctoral
• To apply, please send us a CV, a cover letter
• Location of the position : Palaiseau (France)
• The positions offered for recruitment are open to all with, on request, accommodations for candidates with disabilities

Working conditions: Teleworking possible, restaurant and cafeteria on site, accessibility by public transport (with employer's participation) or close to main roads, staff association and sports association on campus