Research

My research interests intersect Cyber Security, Machine Learning and Visual Analytics. In particular, I am interested in how we can use Machine Learning for Cyber Security, whilst ensuring that learning algorithms are robust to adversaries (e.g., "insider" threats, or those who can craft adversarial inputs). I am also interested in how interactive ML can be combined with visualisation to better support cyber security analysts, creating a greater collaborative effort between human and machine analysis. Lastly, I have recently been interested in how ML can be used for cyber security defence, including the dynamic generation of deception networks and the use of federated learning for greater privacy preservation across distributed networks. My research has been successfully funded by a variety of external sources, including the UK Government and UK-based SMEs. Publication details are available on Google Scholar and my full academic profile. Example software and datasets can be found in the Resources section below.

Selected Projects

SCOUT: Fully automated enhanced risk assessment engine

How can machine learning be used to build a greater understanding of complex and incomplete data attributes relating to cyber crime, anti-money laundering, and counter-terrorism financing?
Collaboration with Synalogik Ltd.
Funded by InnovateUK. (2020-2021)
More details

CAVForth Cyber Security

What are the cyber security issues related to connected autonomous vehicles, and how can we mitigate against these in providing a fully-automated public transport service?
Collaboration with Fusion Processing Ltd. and the Bristol Robotics Laboratory.
Funded by the Centre for Connected and Autonomous Vehicles and InnovateUK. (2020-2021)
More details

HASTE: Human-centric active-learning for decision support in threat exploration

How can machine learning help us to understand human decision making processes? How do we incorporate human knowledge with machine learning? How do humans explore and interact with machine learning processes?
Funded by the DSTL Defence and Security Accelerator (DASA). (2018)

RicherPicture: Automated network defence through business and threat-led machine learning

How can we better understand, and better protect, our organisational situation awareness through business and threat-led machine learning?
Collaboration with Cyber Security Oxford.
Funded by the Defence Science and Technology Laboratory (DSTL). (2015-2017)

ePSA: Enhanced Cyber Security through Personal Situational Awareness

How can we enhance our understanding and control of what information our devices are sharing, and with whom they may be sharing it?
Funded by UWE Vice Chancellor's Early Career Researcher Award. (2015-2016)

Visualising the Insider Threat

How can visual analytics support and relay human intuition back into machine learning detection tools?
Funded by UWE Faculty of Environment and Technology. (2015-2016)

Research Supervision

A transferable and AI-enabled software security framework
Sadegh Bamohabbat Chafjiri (PhD candidate), 2022
Funded by UWE College of Art, Technology and Environment
Recent cyber security incidents caused by software vulnerabilities (e.g., “WannaCry”) have demonstrated the necessity of proactive program analysis. Vulnerability discovery methodologies aim to identify software weaknesses by analysing software either statically or dynamically. These weaknesses can be leveraged by an attacker who aims to access and/or compromise systems without authorisation. In the 1990s, a novel vulnerability detection method for UNIX systems called “fuzzing” was proposed. Fuzzers are systems that feed the code under assessment with invalid, often randomly generated, input in order to discover new vulnerabilities. Fuzz testing is considered one of the most important techniques for discovering zero-day vulnerabilities, and it is rapidly growing in popularity within the cyber security community. This research project investigates the feasibility and effectiveness of a transferable framework that leverages machine learning to perform fuzz testing efficiently across a variety of systems.
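To make the core loop concrete, below is a minimal mutation-based fuzzing sketch in Python. The `parse_header` target, the "DEMO" magic bytes, and the mutation strategy are hypothetical illustrations for exposition only, not part of the project's framework.

```python
import random

def mutate(seed: bytes, n_mutations: int = 8) -> bytes:
    """Randomly overwrite bytes of a seed input to produce a new test case."""
    data = bytearray(seed)
    for _ in range(n_mutations):
        data[random.randrange(len(data))] = random.randrange(256)
    return bytes(data)

def parse_header(data: bytes):
    """Hypothetical parser under test (purely illustrative)."""
    if data[:4] != b"DEMO":
        raise ValueError("bad magic")   # graceful rejection of bad input
    length = data[4]
    payload = data[5:5 + length]
    checksum = data[5 + length]         # bug: reads past the end for large lengths
    return payload, checksum

def fuzz(target, seed: bytes, iterations: int = 10_000) -> list:
    """Feed mutated inputs to `target`; collect inputs that crash it."""
    crashes = []
    for _ in range(iterations):
        case = mutate(seed)
        try:
            target(case)
        except ValueError:
            pass                        # input rejected cleanly, not a finding
        except Exception as exc:        # any other exception is a crash
            crashes.append((case, exc))
    return crashes

if __name__ == "__main__":
    findings = fuzz(parse_header, seed=b"DEMO\x05hello")
    print(f"{len(findings)} crashing inputs found")
```

Coverage-guided fuzzers extend this blind loop with feedback about which code paths each input exercises; the project above investigates where machine learning can make that guidance more efficient and transferable across systems.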

Cyber Security Analytics in Telecommunications systems: Managing security and service in complex real-time 5G networks
James Barrett (PhD candidate), 2022
Funded by Ribbon Communications Ltd. and UWE Partnership PhD scheme
Our digital society is dependent on complex dynamic telecommunications systems that support our activities and interactions, with more devices connecting and communicating each day. Managing these systems is a challenging task with time-critical needs to provide real-time functionality to services – including healthcare, transport, finance, socialising, and other forms of interaction. Analysts need to ensure that networks are functional, from physical layers through to networking and application layers. At the same time, analysts need to identify and mitigate against threats which can materialise as denial-of-service attacks, targeted sabotage of users, or leaks of confidentiality. In recent years, machine learning techniques have been applied to manage service level provisions, and yet security threats continue to challenge this domain. A major challenge in this domain is to establish cyber situational awareness, in terms of both the current landscape and anticipated future events. A further challenge is how to integrate human-machine collaboration effectively, so as to best utilise machine learning approaches whilst enabling analysts to home in on the contextual aspects of security threats, all in a real-time manner that causes little or no disruption to the end-user service. This research will explore the current trends of machine learning and communication networks, recognising ML both as an enabler of cyber security and as another potential attack vector. In this manner, analysts need to determine how best to collaborate with the system, identifying what should be automated, what should be human-assisted, and what should be human-led investigation. Fundamentally, the challenge is to inform real-time decisions and actions about how the underlying network configuration performs, ensuring both service and security, and to understand the implications of this for end users.

Methods for improving Robustness against Adversarial Machine Learning Attacks
Andrew McCarthy (PhD candidate), 2019
Funded by Techmodal Ltd. and UWE Partnership PhD scheme
Machine learning systems are improving the efficiency of real-world tasks, including in the cyber security domain; however, machine learning models are susceptible to adversarial attacks, and an arms race exists between adversaries and defenders: every time we improve our defences, adversaries find new ways to breach our networks. We have accepted the benefits of these systems without fully considering their vulnerabilities, resulting in vulnerable machine learning models currently deployed in adversarial environments. For example, intrusion detection systems that are relied upon to accurately discern between malicious and benign traffic can be fooled into allowing malware onto our networks. Systems that can be so easily fooled are of limited use in critical areas such as cyber security, and in future even more sophisticated adversarial attacks could be used by ransomware and malware authors to evade detection by machine learning intrusion detection systems. This thesis tackles the urgent problem of improving the robustness of machine learning models against adversarial attacks, enabling the safer deployment of such models in adversarial and more critical domains; its logical outputs are countermeasures to defend against adversarial examples. The original contributions to knowledge are: a systematisation of knowledge for adversarial machine learning in an intrusion detection domain; a generalisable approach for assessing the vulnerability and robustness of features for stream-based intrusion detection systems; a constraint-based method of generating functionality-preserving adversarial examples in an intrusion detection domain; and novel defences against adversarial examples, namely feature selection using recursive feature elimination and hierarchical classification. A primary focus of this work is how adversarial attacks against a machine learning classifier translate to non-visual domains, such as cyber security, where an attacker may exploit weaknesses in an intrusion detection system classifier to make an intrusion masquerade as benign traffic. Experiments in this thesis use Python, with the CleverHans and Adversarial Robustness Toolbox libraries to generate adversarial examples and HiClass to facilitate hierarchical classification, focusing on intrusion detection case studies. Ultimately, the thesis examines the problem of robustness against adversarial examples for neural networks, helping to enable the deployment of neural networks in more critical domains.
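As a rough, non-authoritative sketch of the kind of experiment the thesis describes, the snippet below uses the Adversarial Robustness Toolbox (assuming the adversarial-robustness-toolbox package is installed) to craft FGSM adversarial examples against a simple scikit-learn classifier; the synthetic data merely stands in for intrusion detection traffic features, and nothing here reproduces the thesis code itself.

```python
# Minimal sketch: crafting FGSM adversarial examples with the
# Adversarial Robustness Toolbox (ART) against a scikit-learn model.
# Synthetic features stand in for intrusion detection traffic data.
from sklearn.datasets import make_classification
from sklearn.linear_model import LogisticRegression
from sklearn.model_selection import train_test_split
from art.estimators.classification import SklearnClassifier
from art.attacks.evasion import FastGradientMethod

X, y = make_classification(n_samples=1000, n_features=20, random_state=0)
X_train, X_test, y_train, y_test = train_test_split(X, y, random_state=0)

model = LogisticRegression(max_iter=1000).fit(X_train, y_train)
classifier = SklearnClassifier(model=model)

# Perturb each test sample by at most eps along the loss gradient.
attack = FastGradientMethod(estimator=classifier, eps=0.5)
X_adv = attack.generate(x=X_test)

print("clean accuracy:      ", model.score(X_test, y_test))
print("adversarial accuracy:", model.score(X_adv, y_test))
```

In a network setting, unconstrained perturbations of this kind can break protocol semantics, which is one motivation for the constraint-based, functionality-preserving attack generation the abstract describes.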

Creating Machine Intelligence with Intelligent Interactive Visualisation
Sinclair-Emmanuel Smith (PhD candidate)
Funded by Montvieux Ltd. and UWE Partnership PhD scheme

I am also responsible for supervising staff DPhil research activity.

Research Resources

PhishVis

Node-link Python Flask application for assessing email activity, which was used to demonstrate the propagation of a spearphishing 'blue button' campaign. Please Note: The software download DOES NOT contain the original dataset - please email to request access.
Download the Open Access Paper.
Download the Software.
Watch the video.

HASTE

Interactive learning tool that brings together object detection, semantics, and positional information, and incorporates eye-tracking and mouse-activity capture to identify human reasoning processes.
Watch the video.
Software available from GitLab - please email to request access.

ActiVAte

Visual Analytics in Active Machine Learning (a minimal sketch of the active-learning loop follows this entry).
Download the Open Access Paper.
Software available from GitLab - please email to request access.
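To illustrate the loop that such a tool visualises, here is a minimal sketch of pool-based active learning with uncertainty sampling; the dataset, model choice, and query budget are illustrative assumptions rather than ActiVAte's implementation.

```python
# Minimal sketch of pool-based active learning with uncertainty
# sampling: repeatedly query the least-confident point for a label.
# All data and parameter choices here are illustrative only.
import numpy as np
from sklearn.datasets import make_classification
from sklearn.linear_model import LogisticRegression

X, y = make_classification(n_samples=500, n_features=10, random_state=1)
labelled = list(range(10))                       # small initial labelled set
pool = [i for i in range(len(X)) if i not in labelled]

model = LogisticRegression(max_iter=1000)
for _ in range(20):                              # 20 query rounds
    model.fit(X[labelled], y[labelled])
    proba = model.predict_proba(X[pool])
    # Query the pool point the model is least confident about.
    query = pool[int(np.argmin(np.max(proba, axis=1)))]
    labelled.append(query)                       # an oracle/analyst labels it
    pool.remove(query)

print("accuracy after querying:", model.score(X, y))
```

In an interactive visual analytics setting, the analyst replaces the automated oracle: the visualisation surfaces the uncertain points, and the human's labels feed back into the next round of training.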

InsiderThreatVis

Tool that combines iPCA and radial activity visualisation to identify malicious users.
Download the Open Access Paper.
Download the CMU CERT Insider Threat Dataset.
Watch the video.
Software available from GitLab - please email to request access.

Interactive PCA

An example Python Flask application for Interactive Principal Component Analysis (PCA); a minimal sketch of such an endpoint is shown below.
Download the Software.
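For readers unfamiliar with the idea, a minimal Flask endpoint serving interactive PCA projections might look like the following sketch; the /project route, placeholder dataset, and parameter names are assumptions for illustration, not the published application's API.

```python
# Minimal sketch of an interactive PCA endpoint in Flask.
# The /project route, placeholder data, and parameter names are
# illustrative assumptions, not the published application's API.
import numpy as np
from flask import Flask, jsonify, request
from sklearn.decomposition import PCA

app = Flask(__name__)
DATA = np.random.default_rng(0).normal(size=(200, 8))  # placeholder dataset

@app.route("/project")
def project():
    # Re-fit PCA with a user-chosen number of components so the
    # front end can interactively explore different projections.
    n = int(request.args.get("components", 2))
    n = max(1, min(n, DATA.shape[1]))        # keep the request valid
    pca = PCA(n_components=n)
    coords = pca.fit_transform(DATA)
    return jsonify(coords=coords.tolist(),
                   explained_variance=pca.explained_variance_ratio_.tolist())

if __name__ == "__main__":
    app.run(debug=True)
```

Querying /project?components=3, for example, would return three-dimensional coordinates together with the proportion of variance explained by each component.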