Secure software systems

Imperial College London is recognised as one of the UK's leading universities in cyber security research

Imperial has a vibrant cyber security community which includes 18 academics from the Department of Computing, Department of Mathematics, and the Department of Electronic and Electrical Engineering. 

Our research focuses on the Engineering and Design of Secure and Resilient systems. Over the last five years, our academics graduated over 29 PhD students, and currently over 28 students are working towards their PhD on related topics. Our research groups published well over 150 peer-reviewed papers on relevant topics and have helped secure funding worth more than £90,000,000 out of which more than £30,000,000 are directly allocated to Imperial. Our funding comprises a mixture of long-term support of research through programme grants and research fellowships, 3-year research projects and smaller grants such as industrial, SPRITE+ awards and technology transfer funding. Whilst around 54.8% (34/62) of the funded projects comes from EPSRC (~47% (£)), we have a strong presence in the European space and in the Defence area. Also, 29% (18/62) of the grants were funded by Industry (~11% (£)) including Amazon, Meta, Google, Huawei, Intel, DSO Labs (Singapore), and Microsoft Research; and most projects involve collaboration with industry. 

Broadly, we group our research activities in four research themes that concern (i) software security and the use of formal methods; (ii) systems security; (iii) security and resilience of cyber-physical systems; (iv) network analysis, anomaly detection and security operations; (v) privacy. 

Below we describe each of those thematic areas and give some examples of our activities: 

1. Software security and the use of formal methods. Our work has focused on formal techniques for characterising and verifying the system behaviour at design time, and the development of reliable programming models and program analysis methods. These activities resulted in impactful outcomes: for example, we develop and maintain KLEE (, a state-of-the-art open-source symbolic execution engine, which has a large number of users from both academia and industry, and has enabled a wide range of applications, including the automatic detection of bugs and security vulnerabilities. Our academics found startups such as GraphicsFuzz, a software testing platform for graphics shader compilers which was acquired by Google in 2018. Activity in this area has also received support by Google Chrome Security. 

2. Operating Systems Security. We work on making systems more secure, including traditional operating systems as well as mobile, distributed and web systems, across both their software and hardware interfaces. We develop inference algorithms and model adversarial capabilities which helped us uncover design issues in popular operating systems affecting billions of users. We work on strengthening the security of those systems by developing security mechanisms for confidential computing, capability-based, mandatory and discretionary access control systems among others. 

3. Security and Resilience of Cyber-Physical Systems: We develop techniques to build understanding of the risks to cyber-physical systems and how their integrity and availability can be maintained even when they have been partially compromised. A broad number of challenges are being addressed across different projects including detecting malicious data injections, security and privacy in IoT and mobile environments, measuring security, identifying critical components and optimal portfolios of cyber controls, investigating the vulnerability of sensor-enabled machine learning algorithms and how to mitigate adversarial attacks. For example, Imperial-led Art Connect/DigiPorts project developed low-cost, secure IoT technology. This technology is groundbreaking: it was used in a pilot project with IMDA (Singapore), ICC and C4DTI aimed to test the hypothesis that paper-based documents can be replaced by electronic trade documents which can bring the cost of a transaction down by 75%. The pilot was a success and was described as “the world’s first quantum-secure cross-border electronic trade document transaction, delivering a verifiable, secure, and legally recognisable solution for future digital trade transactions” taking a “significant step forward in the journey to fully digital international trade will make international trade cheaper, simpler, faster and more sustainable” (source).  

4. Network analysis, anomaly detection and security operations: Our work in this area includes statistical techniques for building predictive models of normal and adversarial behaviour and techniques for continuous risk assessment. Activity in this area resulted among others in IoTrim an open-source solution to IoT security and privacy monitoring on home gateways. The work not only led to tier-1 papers in prestigious security and privacy venues (ACM Internet Measurement Conference, Privacy Enhancing Technologies Symposium, IEEE Symposium on Security and Privacy), it led to industrial awards such as the award for the Top 5 spots in the Telekom Challenge amongst 180 startup teams around the world, InnovateUK Cyber Security Academic Startup Accelerator Programme (CyberASAP) grant (£75K), EPSRC PETRAS ISPEF Fund, Privacy Preserving IoT Security Management (PRISM, £100K), and an EPSRC Impact Acceleration Award to develop IoTrim (£100K).  

5. Privacy. We develop better techniques to safely use and share data at scale. This involves empirically testing the robustness of privacy-preserving mechanisms by developing and carrying out attacks against anonymous systems, protocols, datasets, or machine learning models. These attacks then inform the development of future practical and theoretical privacy foundations. For example, an Imperial group found perceptual hashing, the algorithm at the heart of client-side scanning proposal from major mobile technology providers, to be both a) easy to by-pass and b) able to do a lot more than expected. They then showed how the latest deep learning-based methods were equally susceptible to the attack. In a second line of work, they showed how perceptual hashing algorithms can be modified to include a hidden second purpose, for instance performing targeted facial recognition. These results were published at top computer security and privacy venues and reproduced on the Web. We have been actively involved in informing the government on the sharp limits of client-side scanning.  


Our capability is continuously strengthened and developed through the addition of new faculty and expansion to novel areas such as private and measurable human-centred IoT, safety and security of machine learning and artificial intelligence systems, human factors in security and privacy, confidential computing at the cloud and at the edge. 

We aim to (a) develop novel technologies and solutions, (b) expand our research programme through internal and external collaborations, (c) inform the national and international policy and regulatory cyber security environment, (d) exchange with and transfer knowledge to industry and academic stakeholders, and (e) educate and train the current and future cyber security workforce.  

These pages summarise, our academic membership, and a few of our activities. Imperial has been recognized as an Academic Centre of Excellence in Cyber Security Research (ACE-CSR) continuously since the inception of the scheme in 2012. If you would like to collaborate with us or simply get in touch with us, please contact Imperial’s ACE-CSR Director Dr Soteris Demetriou.