Malicious actors increasingly abuse the Domain Name System (DNS) by registering new domains for phishing, malware distribution, and other cybercriminal activities.
The speed and volume of these registrations pose a persistent challenge for defenders, who are often forced into a reactive cycle, and they waste resources on a scale that affects the sustainability of the DNS. By the time a malicious domain is flagged by threat intelligence feeds, damage has often already occurred, exposing the limitations of current detection timelines.
This reactive posture is worsened by a visibility gap in the DNS ecosystem. A lack of transparency in registration data, coupled with the short-lived nature of many malicious domains, leaves defenders blind to early-stage abuse. Adversaries exploit this opacity to avoid attribution and disrupt detection workflows, often discarding domains within hours of activation.
This project aims to close this gap by developing methods to identify malicious domains closer to their inception, as soon as indicators of compromise surface. Building on our prior work using public data sources such as Certificate Transparency (CT) logs, the Ph.D. candidate will design and implement techniques to flag suspicious registrations in near real-time, helping shift the response model from reactive to proactive. The goal is to increase transparency and trust in the DNS namespace.
Key research activities will include applying machine learning and graph-based techniques to uncover patterns indicative of malicious behavior in early DNS, TLS, and infrastructure signals; building large-scale, real-time measurement systems; developing models to assess the risk of new domains before harm occurs; and validating these approaches against community and industry benchmarks. The work combines network measurements, data science, and systems security, with an emphasis on reproducibility and real-world impact.
This research builds on existing collaborations with national and international partners, including leading research institutes, threat intelligence providers, and public recursive resolvers.
Information and application
Are you interested in this position? Please send your application via the 'Apply now' button below before February 16, 2026, and include:
- A detailed CV (resume);
- A motivational letter, including an explanation of your motivation for this PhD position and for this project;
- An academic transcript of B.Sc. (if applicable) and M.Sc. education.
For enquiries, please contact: Dr. Raffaele Sommese (r.sommese@utwente.nl), Dr. Antonia Affinito (a.affinito@utwente.nl), or Dr. Anna Sperotto (a.sperotto@utwente.nl). To apply, please use this official platform; email applications will not be considered.
Screening is part of the selection process.
About the department
The candidate will join the Design and Analysis of Communication Systems (DACS) group at the University of Twente, under the supervision of Dr. ir. Raffaele Sommese, Dr. Antonia Affinito, and Prof. Dr. Anna Sperotto.
About the organisation
The faculty of Electrical Engineering, Mathematics and Computer Science (EEMCS) uses mathematics, electronics and computer technology to contribute to the development of Information and Communication Technology (ICT). With ICT present in almost every device and product we use nowadays, we embrace our role as contributors to a broad range of societal activities and as pioneers of tomorrow's digital society. As part of a tech university that aims to shape society, individuals and connections, our faculty works together intensively with industrial partners and researchers in the Netherlands and abroad, and conducts extensive research for external commissioning parties and funders. Our research has a high profile both in the Netherlands and internationally. It has been accommodated in three multidisciplinary UT research institutes: Mesa+ Institute, TechMed Centre and Digital Society Institute.



