Research Topics for the China Scholarship Council Applications by Fabio Massacci
Scholarship Opportunities at Vrije Universiteit
- Full PhD students: selected Chinese students can enroll in designated doctoral (PhD) programmes of Vrije Universiteit Amsterdam provided that they engage in the programme for
no more than 48 months. If the selected Chinese students successfully complete the requirements of the designated program and defend their dissertation, they will be conferred a
degree by Vrije Universiteit Amsterdam.
- Sandwich/joint PhD students: selected Chinese students can enroll in designated research programmes of VU University and complete part of their doctorate, ranging from 6 to
24 months. The selected Chinese students are to return to their home institutions in China for their dissertation defense upon completion of their research at Vrije Universiteit
- Postdoctoral fellows: selected Chinese postdoctoral fellows can enroll in a Vrije Universiteit Amsterdam postdoctoral training programme for 3 to 12 months.
More information on the application process is available at VU China Scholarship WebPage
Interesting Research Topics
I’m interested in all topics of experimental cybersecurity, risk analysis and security economics. See my web page.
Particularly relevant and interesting topics would be
- Economics of Cybersecurity Software Certification. This theme is particularly relevant for a number of Chinese companies (most notably Huawei) which are subject to an
intense scrutiny over their software development process. See for example the UK NCSC Document. What is the most cost-effective way to do so?
- Cybersecurity of Pandemics. There are gazillions of proposals for tracing apps. The empirical evidence is that if you look carefully at the data of
countries that claimed to have put in place highly invasive contact tracing (e.g. South Korea and China), you find out that what really worked was protection of medical
staff (so that they won’t pass the infection to their vulnerable patients) and tracing of sick and known to be infected people rather than general contact tracing. People
invented all kinds of schemes to eschew that. The key research question is therefore what is
really useful, can we find a model for that?
- Vulnerability Prioritization for large enterprises. It is well known that the US NVD and the Chinese NVD have different prioritizations and
different time scales for vulnerabilities. You can of course spin all kinds of conspiracy theories (choose your bad guy here) but I believe there are more mundane explanations
and these explanations could help us in providing better guidance to large enterprises.
- Evaluation of Machine Learning for Software Vulnerabilities. Several proposals for ML
abound on how to use that for finding vulnerabilities. The current trend is the following: paper X claims to have found out a better way to find vulnerabilities in software,
a few months later paper Y shows that paper X overfitted. Lather, rinse and repeat. Neither Y nor X showed that the method really worked for developers. The key difference is
that when you use ML for computer vision it is immediate for a human to spot that they required a picture of a panda and the algorithm reported a gorilla. For vulnerabilities
this is not so simple…
In the realm of security economics I’m mostly interested in the notion of
- Malicious High Frequency Trading. This is an activity I started with Jing Nie (see below), but paused due to lack of time. Trading is by definition adversarial, but
we define trading as malicious when a trader tries to actually exploit features of the implementation of the trading mechanism that would not otherwise work if trading was
perfect as the theory suggests. Front-running that tries to exploit milliseconds in optical cable speeds is actually a good example.
- Systemic Risks for Cyberinsurance. When developers use a library all applications that use that library become potentially vulnerable. If you buy cyberinsurance for
potential data losses of course the insurer must spread the risk across a diverse population. But software libraries are all the same. So what is the correct way of pricing that?
I’ve also worked on mechanisms for secure (crypto-based) distributed trading (see our FutureMEX paper) and if you are interested in that just let me know.
If you would be interested in another topic I haven’t thought about, let me know. I like to be challenged.
If you are interested in references about me in China you might ask
- Associate Prof. Lin Liu, Tsinghua University
- Assistant Prof. Tong Li, Beijing University of Technology
- Assistant Prof. Jing Nie, School of Banking and Finance, University of International Business and Economics
Contact me at firstname.lastname@example.org