Azqa Nadeem

ZI 2027, Zilverling, Faculty EEMCS,

University of Twente, Enschede,

The Netherlands

I am an Assistant Professor at University of Twente in the Semantics, Cybersecurity, and Services (SCS) group. My research focuses on explainable machine learning solutions for cyber security tasks such as incident response, malware analysis, and intrusion detection. My mission is to go beyond prediction probabilities, and extract semantically meaningful insights from ML models (especially under unsupervised settings with complex structured data).

Before joining UT, I was a PhD candidate/lecturer at TU Delft. During my PhD, I developed several explainable sequential machine learning tool-chains for automating cyber threat intelligence. These tool-chains extracted actionable insights from large volumes of cyber data in order to assist security analysts in understanding adversary behavior.

Next to research, I also spent 40% of my time developing and teaching cyber security lectures to BSc. (Computer Science and Engineering) students at TU Delft. I wrote about my teaching experience here, and the teaching material can be found under Cyber Security Lecture Series.

Outside of work, I love photography, painting, and traveling. I enjoy discussions about human psychology, divergent behavior, cats, imposter syndrome, and… well… cats.

Recent news

07-2024	Giving an invited talk at the International Workshop on Safety-Security Interaction (SENSEI).
04-2024	Successfully defended my PhD! #PhDone
02-2024	Presenting our alert-driven attack graph demo at Orange CyberDefense in Utrecht.
01-2024	I have an open vacancy for a PhD project. Interested? Get in touch!
01-2024	I’m thrilled to join the SCS group @ Uni. of Twente as assistant professor starting Jan ‘24!

Selected publications

SIGCSE

Cybersecurity as a Crosscutting Concept Across an Undergrad Computer
Science Curriculum: An Experience Report

Nadeem, Azqa

In Proceedings of the ACM SIGCSE Technical Symposium on Computer Science Education, 2024

Abstract PDF

Although many Computer Science (CS) programs offer cybersecurity courses, they are typically optional and placed at the periphery of the program. We advocate to integrate cybersecurity as a crosscutting concept in CS curricula, which is also consistent with latest cybersecurity curricular guidelines, e.g., CSEC2017. We describe our experience of implementing this crosscutting intervention across three undergraduate core CS courses at a leading technical university in Europe between 2018 and 2023, collectively educating over 2200 students. The security education was incorporated within CS courses using a partnership between the responsible course instructor and a security expert, i.e., the security expert (after consultation with course instructors) developed and taught lectures covering multiple CSEC2017 knowledge areas. This created a complex dynamic between three stakeholders: the course instructor, the security expert, and the students. We reflect on our intervention from the perspective of the three stakeholders – we conducted a post-course survey to collect student perceptions, and semi-supervised interviews with responsible course instructors and the security expert to gauge their experience. We found that while the students were extremely enthusiastic about the security content and retained its impact several years later, the misaligned incentives for the instructors and the security expert made it difficult to sustain this intervention without organizational support. By identifying limitations in our intervention, we suggest ideas for sustaining it.
EuroS&P

SoK: Explainable Machine Learning for Computer Security Applications

Nadeem, Azqa, Vos, Daniel, Cao, Clinton, Pajola, Luca, Dieck, Simon, Baumgartner, Robert, and Verwer, Sicco

In IEEE European Symposium on Security and Privacy (Euro S&P), 2023

Abstract PDF Code

Explainable Artificial Intelligence (XAI) is a promising solution to improve the transparency of machine learning (ML) pipelines. We systematize the increasingly growing (but fragmented) microcosm of studies that develop and utilize XAI methods for defensive and offensive cybersecurity tasks. We identify 3 cybersecurity stakeholders, i.e., model users, designers, and adversaries, that utilize XAI for 5 different objectives within an ML pipeline, namely 1) XAI-enabled decision support, 2) applied XAI for security tasks, 3) model verification via XAI, 4) explanation verification & robustness, and 5) offensive use of explanations. We further classify the literature w.r.t. the targeted security domain. Our analysis of the literature indicates that many of the XAI applications are designed with little understanding of how they might be integrated into analyst workflows – user studies for explanation evaluation are conducted in only 14% of the cases. The literature also rarely disentangles the role of the various stakeholders. Particularly, the role of the model designer is minimized within the security literature. To this end, we present an illustrative use case accentuating the role of model designers. We demonstrate cases where XAI can help in model verification and cases where it may lead to erroneous conclusions instead. The systematization and use case enable us to challenge several assumptions and present open problems that can help shape the future of XAI within cybersecurity.
ECML

SECLEDS: Sequence Clustering in Evolving Data Streams via Multiple Medoids
and Medoid Voting

Nadeem, Azqa, and Verwer, Sicco

In Proceedings of the European Conference on Machine Learning and Principles and Practice of Knowledge Discovery in Databases (ECML/PKDD), 2022

Abstract PDF Code Slides

Sequence clustering in a streaming environment is challenging because it is computationally expensive, and the sequences may evolve over time. K-medoids or Partitioning Around Medoids (PAM) is commonly used to cluster sequences since it supports alignment-based distances, and the k-centers being actual data items helps with cluster interpretability. However, offline k-medoids has no support for concept drift, while also being prohibitively expensive for clustering data streams. We therefore propose SECLEDS, a streaming variant of the k-medoids algorithm with constant memory footprint. SECLEDS has two unique properties: i) it uses multiple medoids per cluster, producing stable highquality clusters, and ii) it handles concept drift using an intuitive Medoid Voting scheme for approximating cluster distances. Unlike existing adaptive algorithms that create new clusters for new concepts, SECLEDS follows a fundamentally different approach, where the clusters themselves evolve with an evolving stream. Using real and synthetic datasets, we empirically demonstrate that SECLEDS produces high-quality clusters regardless of drift, stream size, data dimensionality, and number of clusters. We compare against three popular stream and batch clustering algorithms. The state-of-the-art BanditPAM is used as an offline benchmark. SECLEDS achieves comparable F1 score to BanditPAM while reducing the number of required distance computations by 83.7%. Importantly, SECLEDS outperforms all baselines by 138.7% when the stream contains drift. We also cluster real network traffic, and provide evidence that SECLEDS can support network bandwidths of up to 1.08 Gbps while using the (expensive) dynamic time warping distance.
TDSC

Alert-driven Attack Graph Generation using S-PDFA

Nadeem, Azqa, Verwer, Sicco, Moskal, Stephen, and Yang, Shanchieh J

In IEEE Transcations on Dependable and Secure Computing, 2021

Abstract PDF Code Slides

Ideal cyber threat intelligence (CTI) includes insights into attacker strategies that are specific to a network under observation. Such CTI currently requires extensive expert input for obtaining, assessing, and correlating system vulnerabilities into a graphical representation, often referred to as an attack graph (AG). Instead of deriving AGs based on system vulnerabilities, this work advocates the direct use of intrusion alerts. We propose SAGE, an explainable sequence learning pipeline that automatically constructs AGs from intrusion alerts without a priori expert knowledge. SAGE exploits the temporal and probabilistic dependence between alerts in a suffix-based probabilistic deterministic finite automaton (S-PDFA) — a model that brings infrequent severe alerts into the spotlight and summarizes paths leading to them. Attack graphs are extracted from the model on a per-victim, per-objective basis. SAGE is thoroughly evaluated on three open-source intrusion alert datasets collected through security testing competitions in order to analyze distributed multi-stage attacks. SAGE compresses over 330k alerts into 93 AGs that show how specific attacks transpired. The AGs are succinct, interpretable, and provide directly relevant insights into strategic differences and fingerprintable paths. They even show that attackers tend to follow shorter paths after they have discovered a longer one in 84.5% of the cases.