Cyber Security research theme

Title: Hybrid outlier clustering method using a novel dataset in intrusion detection systems.

Director of Studies: Dr Djamel Djenouri
Supervisor: Professor Phil Legg

Title: Securing IoT systems using emerging blockchain variants, decentralised identity and proof of location.

Abstract: This research proposes a novel blockchain consensus algorithm, PoLBFT, which combines Proof of Location and Practical Byzantine Fault Tolerance to enhance the security of IoT systems. The study examines the inherent insecurity of IoT environments and the limitations of existing centralized solutions, categorizing key security challenges into Privacy, Invulnerability, and Trust. To address these, a decentralized architecture is proposed, leveraging blockchain technologies selected through an evaluation of emerging frameworks. The PoLBFT algorithm is designed to meet the resource constraints of IoT devices while improving the security and efficiency of traditional blockchain consensus methods.

Director of Studies: Dr Djamel Djenouri
Supervisor: Dr Essam Ghadafi (Newcastle University)

Title: Graph-based group anomaly detection in IoT with deep learning.

Director of Studies: Dr Djamel Djenouri
Supervisor: Dr Zeinab Rezaeifar

Title: Micro-, meso-, and macro-level detection of Advanced Persistent Threats (APT) in industrial cyber-physical systems: A focus on living-off-the-land techniques.

Abstract: Attacks on industrial Cyber-Physical Systems (CPS) can cause severe and irreversible real-world consequences, as demonstrated by incidents such as the Ukraine power grid attacks. Detecting cyber-physical threats remains challenging, particularly when adversaries employ Living-off-the-Land (LOTL) techniques that abuse legitimate tools, protocols, and system functions to evade conventional security controls. This thesis addresses the problem of detecting stealthy, multi-stage LOTL-based Advanced Persistent Threats (APT) in industrial CPS environments. To enable safe, repeatable, and realistic experimentation, this research develops a set of simulation-based cyber-physical testbeds and proposes a multi-level detection framework that integrates evidence across process, network, and host domains. Unlike conventional detection approaches that analyse these domains independently, this thesis introduces a unified two-level decision fusion strategy that correlates heterogeneous cyber and physical evidence under conditions of partial observability. The proposed detection framework operates across three analytical levels. At the micro-level, an interpretable supervised deep learning anomaly detection method performs multi-class classification of CPS process states, enabling detection of control manipulation beyond conventional binary and rule-based approaches. At the meso-level, a risk-based unsupervised learning approach identifies high-risk OPC UA write operations capable of directly manipulating physical processes, while an interpretable point-based scoring mechanism aggregates heterogeneous host telemetry into time-bounded anomaly scores to amplify weak and low-and-slow attack signals. At the macro-level, a two-level decision fusion process correlates heterogeneous evidence across time and domains: the first fusion layer integrates process and network anomalies, and the second incorporates host anomalies to enhance situational awareness even when individual alerts are weak or ambiguous. Literature revealed significant challenges in accessing facilities that support cyber-physical experimentation, and the scarcity of representative APT datasets. These challenges motivated this research to investigate the design and implementation of simulation-based testbeds for the safe and repeatable simulation of multi-stage LOTL-based attacks, and the development and evaluation of detection strategies (RQ1). The experimental results on two case studies related to quality-checking and pick-and-place processes demonstrate that process- and network-level anomalies provide reliable confirmation of physical manipulation in CPS, but are limited in their ability to provide early warning, whereas host-level anomalies offer earlier indicators of cyber-initiated intrusion (RQ2 - RQ3). By fusing heterogeneous evidence across process, network, and host domains, the proposed decision fusion mechanism significantly improves detection robustness, timeliness, interpretability, and situational awareness compared to single-layer detection approaches (RQ4). The framework functions as an additional analytical layer that complements existing security architectures. It provides a practical and extensible foundation for human-in-the-loop CPS security operations under industrial constraints, supporting earlier and more interpretable detection of cyber actions that escalate into physical consequences. The findings contribute to CPS security research by establishing a cross-domain decision fusion framework under partial observability, highlighting the necessity of risk-aware and interpretable analytics for human-in-the-loop operations, and informing governance and industrial practice by demonstrating the importance of continuous cross-domain monitoring as a complement to preventive-centric security mechanisms in industrial CPS environments.

Director of Studies: Professor Phil Legg
Supervisors: Dr Thomas Win (Sunderland University), Dr Zeinab Rezaeifar and Professor Zaheer Khan

Title: Privacy preservation of LLMs in IoT device security.

Director of Studies: Dr Djamel Djenouri
Supervisor: Dr Majid Mumtaz

Title: Investigation of limited resource virtualisation security: Understanding and mitigating against open software vulnerabilities.

Director of Studies: Professor Phil Legg
Supervisor: Dr Sarfraz Brohi

Title: Security aware adaptive offloading for resource-constrained UAV systems using homomorphic encryption.

Director of Studies: Dr Ahmad Salman
Supervisors: Dr Amina Hamoud (School of Engineering, UWE Bristol) and Dr Sarfraz Brohi

Title: Securing robotics in practice: Developer workflows, system architecture, and the ROS2 ecosystem.

Abstract: Secure systems emerge from the intersection of technology, theoretical understanding, and engineering practice, therefore security systems research must fundamentally account for these three areas and their interactions. This research targets real world developer workflows and the tools they use to improve the security posture of robotics applications that are developed by companies and research organisations with constrained resources, limited in their abilities or proclivities to apply formal modelling and verification techniques. In doing so, it will contribute practical and realistic solutions that can be adopted by engineering communities, that are constructive to the cultures and the processes that have found widespread success within those communities and robotics ecosystem.

The project focuses on distributed robotic systems built on the ROS2 (Robotics Operative System 2) middleware, where security risks often emerge from architectural and discovery-level design decisions rather than from isolated software defects, and the design philosophy of enabling quick integration and prototyping at the expense of formal modelling has contributed to its popularity as a research and industry tool. This research proceeds from the position that architecture encodes and constrains practice, therefore careful examination of the pedagogical and epistemological structures implicit in the technology is of paramount importance to the design of appropriate interventions for improving security outcomes. Co-constitutive to the ROS2 system are the developer attitudes, priorities and mental models that determine what methods, approaches and abstractions are adopted and considered useful. Therefore, foundational to this research will be careful and extensive evaluation of developer workflow realities through inductive user studies, involving surveys and semi-structured interviews with professionals who develop and deploy software for robotics and autonomous systems.

The overarching aim of this research is to enable secure-by-design development of robotics and cyber-physical systems by introducing systematic, architecture-level methods for reasoning about security properties early in the design lifecycle.

Director of Studies: Dr Nathan Renney
Supervisor: Dr Dan Withey (Bristol Robotics Laboratory)

Title: System-level vulnerability and security analysis of closed-loop implantable medical devices.

Director of Studies: Professor Phil Legg
Supervisor: Dr Thomas Draper (Healthtech Hub)

Title: A defence model for large language models (LLMs) against multi-turn jailbreak attacks.

Director of Studies: Dr Nathan Duran
Supervisor: Dr Faiza Medjek and Professor Phil Legg

Title: Rust binary analysis framework (RBAF): A hybrid LLVM-IR based approach for effective decomposition of Rust-based binaries.

Abstract: As the cybersecurity landscape continues to evolve, attackers are increasingly exploiting Rust's cross-platform capabilities and unique features to create highly resilient malware. New emerging variants written in different languages can keep causing challenges as well, such as Zig. Recovering high-level type information from binaries is crucial for security analysis, vulnerability discovery, and legacy system maintenance. However, compilation often strips away symbols and type information, making it more difficult to analyse Rust-based malware. This study aims to bridge the research gap by exploring promising analysis strategies for Rust-based malware and providing information on the unique challenges posed by this emerging threat.

Director of Studies: Dr Benedict Gaster
Supervisors: Dr Nathan Renny and Professor Phil Legg

DPhil title: Federated learning: An analysis into the balance of machine learning and security.

Director of Studies: Professor Phil Legg
Supervisor: Professor Jim Smith

An EPSRC-funded project under the EU CHISTER-ERA framework in collaboration with Universidad de Murcia, SIEMENS Mobility Limited, Austrian Institute of Technology. The project will develop solutions for privacy-preserving machine learning through secure management of data’s lifecycle in general distributed systems, with a focus on IoT and resource constrained networks that address two use cases: smart buildings and smart healthcare. (March 2024 – February 2027)

An Innovate UK-funded project under the KTP framework working with Service Robotics Limited, in collaboration with the School of Computing and Creative Technologies and the School of Social Sciences. The project will develop secure advanced AI enhancements to the GenieConnect robotic healthcare assistant developed by Service Robotics Limited to support proactive and preventative care models. (2025 – 2026)

A NCSC-funded project led by UWE Bristol in collaboration with Universities of Bristol, Exeter and Plymouth, to design and develop a range of novel and engaging teaching materials for cyber security education, including information risk card games, game-based learning techniques, raspberry pi and micro-bit activities, digital forensics cases, and wireless penetration testing. The project facilitated a series of regional workshops led by each partner University to engage with over 100 school teachers across the South West region, as well as showcasing the teaching activities at the NCSC UK Education Ecosystem conference. (2023 – 2024)

A DSTL-funded project in collaboration with Trimetis and Frazer Nash Consultancy that explores training capabilities for military cyber protect teams and how human and machine-based decision support systems can assist for analysing and acting to protect hostile cyber environments. (January 2023 -October 2023)

A DSTL-funded project in collaboration with Trimetis and Frazer Nash Consultancy that explores human reporting mechanisms for suspicious behaviour, and how human reporting can be processed and coupled with machine observable attributes, to provide proactive security for organisations. (January 2023 - October 2023)

A UKRI Innovate UK-funded project, in collaboration with Synalogik Innovations Ltd, as well as Cardiff University and the University of Reading, to explore improving both the production and analysis of the SARs process, resulting in more efficient capability to investigate and respond to cyber crime and financial crime activity. (September 2022 - March 2024)

A DSTL-funded project in collaboration with Trimetis, PA Consulting and QunetiQ. Within this project, we conducted a deep dive investigation into current and future considerations of how AI should be utilised in military, security, and defensive operations, including incident response and training activities. This project served as part of the ongoing "Autonomous Resilience in Cyber Defence" programme that DSTL operate. (2022)

CAVForth, funded by both UKRI Innovate UK and the Government Centre for Connected Autonomous Vehicles (CCAV), in collaboration with the Bristol Robotics Laboratory, Fusion Processing, and Stagecoach, developed a fully autonomous bus service in Scotland. The CSRC Cyber Security team contributed towards the cyber security assessment of this project, to ensure that safe and secure mechanisms are in place for vehicle operations. (2020-2022)