Master’s thesis internship position

Misuse detection for cloud services

Ref. 2020_014

Project description

There is a continued trend for organizations to move their business applications to the cloud. Using cloud services (such as databases, storage, analytics) offers many advantages: (1) New applications can be deployed very fast and their operational costs are more predictable; (2) additional cloud resources can be added on demand, offering scalability and easy-to-implement redundancy of the deployed business applications; (3) the cloud service provider takes care of the maintenance of standard software packages that business applications rely on, relieving application owners from this task. These are just a few reasons why cloud services find wide adoption.

Despite of all the efforts by the cloud service providers to guarantee secure and uninterrupted operation, cloud services are also prone to attacks. The issues are not much different from traditional on-prem services. For example, there could be some intrinsic software vulnerability that gets exploited, or applications could be misconfigured, rendering them vulnerable to attacks.

An important difference between on-prem and cloud services is that cloud services are standardized to a certain extent and hence are expected to show some regular runtime behavior. This creates new possibilities to further secure them.

The objective of this project is to develop a behavior-based misuse detection system for selected cloud services. By monitoring the activities of a cloud service and its users, indicators of normal behavior can be determined and used to model the normal behavior of the service and the user interactions. The analysis can cover a single instance of a cloud service but also multiple instances of the same service which may provide additional insight and help to create a more accurate model.

A main advantage of a behavior-based misuse detection system is that it focuses on the known good behavior of an application. Deviations from the learned model are considered suspicious and trigger further investigation. Therefore, the detection system does not have to rely on the description of potential attack patterns.

For this project, access to cloud services running real business applications is provided. Being able to run experiments in a production environment represents a unique opportunity and is a key differentiator of this project.

If you are motivated to work in a highly motivated research team on a challenging real-world problem, you are most welcome to apply for this position.


  1. Become familiar with some selected cloud services
  2. Identify a set of observables based on which the behavior of a service and its users can be monitored
  3. Develop a method to learn the — ideally — regular behavior of the cloud services and ways to detect deviations from the learned behavior
  4. Implement the method
  5. Conduct experiments in a realistic setting of business applications running in a cloud environment

Your profile

We are seeking candidates with a strong interest in computer security and cloud technology. Very good skills in artificial intelligence / machine learning are required to work on this demanding project. A working knowledge of the fundamentals of data science and operating systems are a plus, as well as good analytics and programming skills (Python, Matlab, and/or Java).

While the project is ideally carried out by a Master’s level student, the scope of the project can be flexibly adapted so that undergraduate students writing a bachelor thesis or doing a semester project are also welcome to apply.


IBM is committed to diversity at the workplace. With us you will find an open, multicultural environment. Excellent flexible working arrangements enable all genders to strike the desired balance between their professional development and their personal lives.