A leading research university in Limburg, Netherlands is seeking a motivated PhD candidate for a fully funded four-year project focused on improving vulnerability detection in software through cybersecurity and AI methodologies. The role involves conducting research, contributing to publications, and collaborating with experts from multiple universities. Ideal candidates will possess a strong background in software engineering, cybersecurity, or artificial intelligence.
We are offering a fully funded PhD position with a duration of four years for a motivated candidate eager to work at the intersection of cybersecurity, software engineering, and artificial intelligence.
About the project
Vulnerabilities in software products continue to be a major cybersecurity threat, enabling attackers to steal data, take over services, or disrupt critical infrastructure. Well-known examples are faulty memory management and injection attacks. While existing methods and tools for static and dynamic analysis are powerful for detecting vulnerabilities, they suffer from both theoretical and practical limitations. Their results are often plagued by false positives (reporting problems that are not real) and false negatives (missing real issues).
This PhD project aims to improve this situation. Our ultimate goal is to develop automated tools that support human analysts while minimizing both false positives and false negatives. By combining static and dynamic analysis, using a balanced mix of AI with formal methods and testing techniques, we strive to make vulnerability detection more accurate, intelligent, explainable, and usable in practice. The project is cutting-edge research that has both scientific impact and practical application.
The PhD project is funded by the Open Universiteit, which is formally based in Heerlen. The project is supervised by a research team with strong expertise in the application of artificial intelligence for cybersecurity (prof. dr. Harald Vranken and dr. Mina Sheikhalishahi) as well as formal methods and software testing (prof. dr. Tanja Vos and dr. Tim Steenvoorden).
The PhD project will be carried out in close cooperation with the Digital Security group at Radboud University in Nijmegen. In daily practice, you will work as a PhD candidate in Nijmegen and interact with PhD candidates and staff of both Open Universiteit and Radboud University. Hence, you will benefit from the expertise of two respected universities.
Research challenges
Security vulnerabilities in software products can be detected by static analysis, where the source code is analysed without executing the software, and by dynamic analysis, where the software is executed and its runtime behaviour is analysed. There are many methods and tools available for both static and dynamic analysis. They are very powerful and widely applied, but they all suffer to some extent from both theoretical and practical limitations. Because of these limitations, the analysis results can be either incomplete (due to false negatives, when actual vulnerabilities are not detected) or incorrect (due to false positives, when non-existing vulnerabilities are reported). False negatives that slip through are a security threat, while false positives hamper the usability of such tools. Current static analysis tools are configured to limit the number of false positives, which comes at the cost of false negatives.
The main research challenge is to provide automated support to human analysts for assessing the correctness of the static analysis results. Automated support for weeding out false positives not only improves usability, but also makes it possible to reconfigure tool settings, which can reduce false negatives and improve detection performance. To address this challenge, a mix of formal methods, AI methods, and testing methods can be applied in both static and dynamic analysis. For instance, formal methods can be applied to create abstract models to identify relevant paths in software code; AI methods can be applied to generate test cases for smart testing; testing methods can be applied to evaluate the dynamic behaviour.
Your role
As a PhD candidate, your main task is to conduct research and contribute to both scientific publications and practical tools with real-world relevance, which will lead to a PhD thesis. You will take courses or training to improve your knowledge and skills, collaborate closely with an enthusiastic project team with broad expertise, and interact with other PhD candidates and staff members at both Open Universiteit and Radboud University. You will also have the opportunity to contribute to teaching (up to 20% of your time).