Research Profile

I am a PhD student at the Security research group where I focus on the intersection of automation, intrusion detection, and incident response. Under the supervision of Luca Allodi and Emmanuele Zambon, my research combines several topics from the Security and Machine Learning (ML) domains. More concretely, I analyze the Network Intrusion Detection problem space to better understand shortcomings of current Intrusion Detection Systems (IDS). I firmly believe that enhanced domain knowledge will eventually lead to more effective solutions. While these topics form the technical core of my work, I keep a close eye on stakeholder requirements from the application domain to ensure conducted research eventually results in practical solutions to open issues and promote increased network security. Adoption of state-of-the-art research could provide increased digital resilience. I believe providing a meaningful contribution to our society is imperative.

Picture of Koen Teuwen
Koen Teuwen


DOI: 10.1109/BigData59044.2023.10386708


Cyber threat attribution can play an important role in increasing resilience against digital threats. Recent research focuses on automating the threat attribution process and on integrating it with other efforts, such as threat hunting. To support increasing automation of the cyber threat attribution process, this paper proposes a modular architecture as an alternative to current monolithic automated approaches. The modular architecture can utilize opinion pools to combine the output of concrete attributors. The proposed solution increases the tractability of the threat attribution problem and offers increased usability and interpretability, as opposed to monolithic alternatives. In addition, a Pairing Aggregator is proposed as an aggregation method that forms pairs of attributors based on distinct features to produce intermediary results before finally producing a single Probability Mass Function (PMF) as output. The Pairing Aggregator sequentially applies both the logarithmic opinion pool and the linear opinion pool. An experimental validation suggests that the modular approach does not result in decreased performance and can even enhance precision and recall compared to monolithic alternatives. The results also suggest that the Pairing Aggregator can improve precision over the linear and logarithmic opinion pools. Furthermore, the improved k-accuracy in the experiment suggests that forensic experts can leverage the resulting PMF during their manual attribution processes to enhance their efficiency.


Intrusion Detection Laboratory


As a Teaching-Assistance (TA), I help organize the Intrusion Detection Laboratory since 2022, which was the first edition of the course. The course covers the two major intrusion detection paradigms, being misuse-based (signature-based) and anomaly-based detection. As part of the course, student groups each organize a laboratory for other students in which they guide them through and share their expertise on a case study they worked out in the weeks before. For these laboratories, we have prepared several datasets covering a variety of monitoring settings. Through these different datasets students gain exerpience with intrusion detection following the different paradigms in IT, ICS, Windows, and Linux environments.

Student Projects

I also supervises several masters students during their graduation project together with my supervisors. In case you are interested in one of the research topics outlined on this page and would like to do a project together, please reach out.

Academic Background

I started my academic studies in 2017 at Eindhoven University of Technology (TU/e) where I studied Computer Science & Engineering. During my studies I was active at GEWIS where I took an interest in web development. After obtaining my bachelor degree cum laude, I continued my studies in Eindhoven with the Information Security Technology master program, during which I also attended courses at Radboud University in Nijmegen. my masters thesis combined several topics related to intrusion detection and response, which finally resulted in my MSc thesis titled Automating Generation of Cyber Threat Intelligence Content through Threat Attribution of Botnet Incidents. After successfully completing my masters, I commenced as a PhD candidate at the Security research group (SEC), which is part of the department of Mathematics and Computer Science (M&CS).



Controllable, Accountable, Transparent: the Responsible Internet

The CATRIN project aims at making the internet a better place by providing more control to its users. The project group envisions that increased controlability can be enforced through increased transparancy regarding the routing of internet packets. Since transparancy alone can not be sufficient to enforce controlability for users, mechanisms should be introduced to encourage stakeholders to participate in the Responsible Internet. You can read more about the CATRIN project on the project website or on the NWO project page.

Open Source

Throughout the years, I managed to experience several open-source projects, which I support greatly. Some I experienced merely as a user, others as a core developer. The most important project, which I think deserves your attention is gewisweb, which establishes the website of GEWIS, which is the study assocation of the department of Mathematics & Computer Science of the Eindhoven University of Technology. During my time as a member of the committees maintaining the website, it has gone through a great number of rewrites, redesigns, and upgrades. I think it is a great experience to maintain legacy projects and upgrade them from unsupported (and insecure) PHP versions to a more easily maintainable codebase that can last many more years. Other projects that deserve an honorable mention are Suricata and Zeek since these play an instrumental role during my PhD.