Post doctoral in Visualisation for explainability of intrusion detection systems

Job description

About Telecom SudParis :

Telecom SudParis is a public graduate school for engineering, which has been recognized on the highest level in the domain of digital technology. The quality of its courses is founded on the scientific excellence of its faculty and on teaching techniques that emphasize project management, innovation and intercultural understanding. Telecom SudParis is part of the Institut Mines-Telecom, the number one group of engineering schools in France, under the supervision of the Minister for Industry. Telecom SudParis with Ecole Polytechnique, ENSTA Paris, ENSAE Paris and Telecom Paris are co-founders of the Institut Polytechnique de Paris, an institute of Science and Technology with an international vocation.

Its assets include: a personalized course, varied opportunities, the no.3 incubator in France, an ICT research center, an international campus shared with Institut Mines-Telecom Business School and over 60 student societies and clubs.

About Institut Mines-Télécom :

The Institut Mines-Télécom (IMT) is a public establishment dedicated to higher education and research for innovation in the fields of engineering and digital technology. Constantly listening to the economic world, IMT combines strong academic and scientific legitimacy, proximity to companies and a unique position on the major transformations of the 21st century: digital, energy, industrial and educational century. Its activities are deployed within the Mines and Telecom Grandes Ecoles under the supervision of the Minister in charge of Industry and Electronic Communications, two subsidiaries and associated partners or under agreement. IMT is a founding member of the Alliance Industrie du Futur. It is doubly labeled Carnot for the quality of its partnership research.


Behavioural approaches based on machine learning generate many false positives. In particular, when deep learning methods are used, false positives are difficult to explain, as deep learning is often considered a black box that is difficult to interpret. However, there are many tools available to correlate the influence of learning characteristics on detection results. These tools make it possible to explain a posteriori a model that is difficult or impossible to interpret.

The early detection of certain events causing intrusions will allow operators to predict the emergence of attacks and prevent or mitigate them more quickly. The ability to correlate and aggregate a large number of heterogeneous events at different levels (characteristics, causality, temporality) will also allow operators to focus their attention on the most important or relevant events, allowing for more efficient processing, scaling up.

In this project, we aim to assist a human operator in decision making and incident response. Our visualisation approaches will allow 1) characterising anomalies to process them more accurately/efficiently or even anticipate them, by knowing the events or parameters that generated them; 2) aggregating and correlating anomalies in order to reduce the workload, by knowing the temporal or causal links; 3) explaining detection errors by a posteriori analysis of the samples.


There are many tools for visualising model characteristics, the best known of which allow correlation to be carried out, making it possible to reduce the number of these characteristics, but also to evaluate their influence (principal component analysis, linear discriminant analysis, t-SNE algorithm). Combining these different approaches (statistical and visual) should make it possible to better understand behavioural approaches in deep learning and to exploit them for cases where the intrusions are sometimes more discrete.

More recent approaches such as SHAP will make it possible to determine the elements of an alert or an anomaly that gave rise to its (mis)classification. Attention mechanisms can also be used to highlight certain causal, correlational or influential relationships.

The results of this project will provide an explainable framework for behavioural detectors based on deep learning in order to augment the different learning phases (from data collection, to the validation of a model representative of normal data, to the representation of data as robust features and the training of the detection model).

Job requirements

Level of training and / or experience required

  • PhD or Doctorat for less than 3 years

Essential skills, knowledge and experience

  • Experience in modelling and/or simulation
  • Knowledge of modelling languages and formalisms
  • Knowledge of virtualisation and network security

Advantageous skills, knowledge and experience

  • Digital Twin Experience

Abilities and skills

  • Rigour
  • Autonomy
  • Teamwork


  • Application deadline: February 28th, 2023
  • Nature of the contract: 18-month renewable fixed-term contract
  • Category and profession of the position: II - P, Post-doctoral
  • To apply, please send us a CV, a cover letter and a summary of your doctoral thesis
  • Location of the position : Palaiseau (France)
  • The positions offered for recruitment are open to all with, on request, accommodations for candidates with disabilities
  • Working conditions: Teleworking possible, restaurant and cafeteria on site, accessibility by public transport (with employer's participation) or close to main roads, staff association and sports association on campus