The University of Twente invites applications for a PhD position focused on the real-time detection of DNS abuse, aiming to shift the paradigm from reactive to proactive security. Malicious actors increasingly exploit the Domain Name System (DNS) by registering domains for phishing, malware distribution, and other cybercriminal activities. The rapid pace and high volume of these registrations challenge defenders, often resulting in delayed detection and significant resource waste that impacts DNS sustainability.

Current threat intelligence feeds typically flag malicious domains only after damage has occurred, highlighting the limitations of reactive detection timelines. The project addresses the visibility gap in the DNS ecosystem, where a lack of transparency in registration data and the short-lived nature of malicious domains hinder early-stage abuse detection. Adversaries exploit this opacity to avoid attribution and disrupt workflows, frequently discarding domains within hours of activation.

This PhD research aims to develop innovative methods to identify malicious domains at their inception, leveraging public data sources such as Certificate Transparency (CT) logs. The successful candidate will design and implement techniques to flag suspicious registrations in near real-time, helping to increase transparency and trust in the DNS namespace. Key research activities include applying machine learning and graph-based techniques to uncover patterns of malicious behavior in early DNS, TLS, and infrastructure signals; building large-scale, real-time measurement systems; developing risk assessment models for new domains; and validating these approaches against community and industry benchmarks.

The project combines network measurements, data science, and systems security, with a strong emphasis on reproducibility and real-world impact. The research builds on collaborations with national and international partners, including leading research institutes, threat intelligence providers, and public recursive resolvers. The candidate will join the Design and Analysis of Communication Systems (DACS) group at the University of Twente, supervised by Dr. ir. Raffaele Sommese, Dr. Antonia Affinito, and Prof. Dr. Anna Sperotto.

The faculty of Electrical Engineering, Mathematics and Computer Science (EEMCS) at the University of Twente is renowned for its contributions to Information and Communication Technology (ICT), working closely with industrial partners and researchers both in the Netherlands and abroad. Research is conducted within multidisciplinary UT institutes such as Mesa+ Institute, TechMed Centre, and Digital Society Institute.

Applicants should hold a relevant MSc degree (e.g., Computer Science, Information Technology, or related field) and have a strong background in network security, data science, or machine learning. To apply, submit your application via the official University of Twente careers platform before February 16, 2026, including a detailed CV, motivational letter, and academic transcripts. For enquiries, contact Dr. Raffaele Sommese, Dr. Antonia Affinito, or Prof. Dr. Anna Sperotto. Email applications will not be considered; screening is part of the selection process.