Ali Dehghantanha

Ali Dehghantanha
Associate Professor, Tier 2 Canada Research Chair in Cybersecurity and Threat Intelligence
Phone number: 
Reynolds 3326

For the most recent bio please refer to:

Dr. Ali Dehghantanha is mostly interested in interdisciplinary research projects especially in digital forensics and artificial intelligence. His primary research goals are currently directed toward building AI agents for active threat hunting in Internet of Things (IoT), Industrial Internet of Things (IIoT) and Internet of Battlefield of Things (IoBT). He is interested in using multi-view and multi-kernel learning systems to achieve a global view of emerging cyber threats. Building adversarial learning models to support anti-forensics and anti-anti-forensics activities is another active area in his research agenda.

Moreover, he is interested in technical research in cyber forensics (malware analysing, big-data investigation, SDN forensics, IoT investigation) cybercrime (criminology and policy research), anti (online) money laundering and counter terrorism financing, and privacy issues in digital forensics!

He has projects for almost all backgrounds/interests but obviously having experience in cyber security, forensics or AI would be a huge advantage. He is planning to extend his research in the following areas:

  • AI-based decision support systems for cyber threat hunting: Cyber threat hunting is about detecting remnant of attackers’ activities that bypassed all passive network and data protection mechanisms before they meet their objectives (from Exploitation to Actions on Objectives stage of the Cyber Kill Chain model). Cyber defence and protection mechanisms are only good in thwarting risk of script kiddies and stand-alone hackers but are of little use against funded (i.e. state sponsored) hacking teams. Once an organisation is in the target list of an Advanced Persistent Threat (APT) actor, the APT actor is not giving up until bypassing all layers of passive defence mechanisms. Upon having a foothold in the target network, attackers tend to only use normal administrative tools to install their tools on as many nodes in the target network as possible and setup C2 connections to achieve their objectives. This would make finding attackers who bypassed passive detection and prevention mechanisms significantly difficult. Active AI agents can be used to support threat hunters and forensics investigators in finding remnants of residual adversaries in an enterprise in a timely manner.
  • Adversarial machine learning for building anti-forensics and anti-anti forensics systems: Machine learning algorithms are developed for stationary environments. However, intelligent and adaptive adversaries can carefully craft input data to always bypass AI-based cyber security systems. Therefore, direct utilisation of machine learning algorithms would provide limited benefit in cyber security domain. In adversarial machine learning we try to first identify potential vulnerabilities of machine learning algorithms during learning and classification and build attacks that correspond to detected vulnerabilities (anti-forensics). Afterwards, we are building countermeasures to improve security of machine learning algorithms (anti-anti-forensics).
  • Multi-view and multi-kernel learning systems to achieve a global view of emerging cyber threats: an increasing number of AI agents are deployed to assist security analysts and forensics investigators in detection and prevention of cyber-attacks. Each of these AI agents may use its own machine learning algorithm and monitor a specific aspect of an attack. Multi-view and multi-kernel learning techniques can be used to merge different views of different machine learning algorithms and achieve a more accurate and global view of an enterprise cyber security posture.
  • Smart cyber-deception systems: Honeypots, honeynets and honeytokens have been used for many years by security researchers but their deployment was very marginal in real enterprise networks. An enterprise does not see enough values (in compare with cost) in deploying honeypots especially as detecting a honeypot is not very difficult for an experienced attacker i.e. by looking at the pattern and volume of communications between different nodes in the network. AI can be used in creating honeypots that closely mimic activities of real nodes in a network, making it very difficult for an attacker to detect a honeypot without a direct engagement.
  • Internet of Things (IoT) Forensics (good for those with computer networks skills/interests): With the fast integration of computation and networking in all physical process and development of lots of smart-contexts, the spectrum of devices that can be investigated is extensive. A range of devices and protocols from PDAs and mobile devices to automobiles, sensors, and robots which are interconnected pervasively! The examination of these devices is a crucial component in future legal, governmental, and business investigations. Therefore, we need models and frameworks that for forensically sound collection, preservation, analysis and documentation of evidences in these environments.
  • Privacy Respecting Digital Investigation: the forensics investigation requirements are usually in direct conflict with the privacy right of those whose actions are being investigated. At the same time, once the private data is exposed it is impossible to ‘undo’ its exposure effects should the suspect is found innocent! Therefore, there is a growing interest in the development of forensic investigation frameworks that respect privacy of the involved entities whiles only need-to-know data are exposed to the forensic investigator!
  • Applications of Game-Theory in Digital Forensics and Analysing Cyber Warfare Attack: Similar to classical wars, cyber wars are actually the battle of strategies! Analysing these strategies would not only help cyber-warriors to define smarter strategies but helping cyber-defenders to wisely defend their assets. Game-theory may have a good potential in modelling and analysing cyber warfare and assist cyber warriors in choosing the most efficient strategies.
  • Anti money laundering and counter terrorism financing: There is very little understanding on how cyber underground economy is working and how they can be used to feed cyber terrorism. Researching on cyber money laundering and counter terrorism financing would help in better understanding of cyber underground economy which in turn assists development of proper strategies, policies and procedures to reduce and mitigate these risks.

My research is focused on cybersecurity, cyber threat intelligence and digital forensics. I recently received a position at Tier 2 Canada Research Chair in Cybersecurity and Threat Intelligence along with EU Marie-Curie Fellow Alumni position in digital forensics. I have done various studies on Machine Learning-based systems for attack identification and analysis in the internet of things (IoT) and Industrial Control Systems (ICS). For anyone who is interested in my area of research, am constantly looking for students to fill PhD and Postdoctoral positions. 

At the graduate level, I teach the following courses:

CIS*6530: Cyber Threat Intelligence and Adversarial Risk Analysis

CIS*6580: Security Monitoring and Cyber Threat Hunting