A researcher fighting against unknown cyber attacks
"If you know your enemies and know yourself, you will not be imperiled in a hundred battles."
In recent years cyber attacks have become more diversified and sophisticated, and have broadened from attacks on information systems to attacks on social systems. Automated Security Intelligence has made it possible to detect unknown cyber attacks that were impossible to detect before by totally rethinking conventional security measures. Koji Kida has been at the forefront of the development of this revolutionary new technology as the leader of a development team made up of researchers from many different specialties. We asked him about what led to this research, the original ideas, and any problems that the team faced during development.
How to cope with unknown cyber attacks
--First, tell us about the background to developing new technology to cope with cyber attacks.
Kida: In recent years cyber attacks have become more diversified and sophisticated. As more things become connected to networks with the advancement of the Internet of Things (IoT), targets will broaden from the information systems of companies and public organizations to social systems and critical infrastructure.
Up until now security measures included firewalls and mechanisms to analyze attack methods and patterns. These days new attacks are occurring with greater frequency, rendering security measures effective for ever-shorter periods. With today's security measures, attackers and defenders are playing a game of cat-and-mouse with information and technology.
Recent attacks are also causing greater damage. To counter this, in addition to conventional security measures that involve treating the symptoms of an attack, we must devise security measures that can cope with new, never-seen-before attacks. With the methods that we have been using it was impossible to detect unknown attacks, so it is very important that we come up with countermeasures to cope with these types of attacks now.
--What was the trigger that led to the development of new technology allowing you to create unknown attack countermeasures?
Kida: In order to develop new technology that would lead to the creation of countermeasures for unknown attacks, basically we had to rethink the concepts and mechanisms for conventional security measures. So, we focused on NEC's Failure Sign Detection System.
This system uses technology to detect abnormalities from data collected by sensors, and is actually in use at power plants. Using this technology as the foundation, we started a project to apply it to cyber security in 2012.
Detecting system operations that are different from "normal"
--Can you explain the newly developed Self-learning Automated Security Intelligence technology in an easy-to-understand way?
Kida: To put it simply, with this technology the system itself notices when there is a behavior that is not "normal," and judges that something abnormal is occurring. In internal networks and similar systems, the system itself monitors "normal" states and learns what is normal behavior. Then, when a behavior that is "not normal" is detected, the behavior is analyzed in real time to determine if it might be a cyber attack, and the administrator is notified.
Whether a behavior is normal or not is determined based on a number of points, such as the relationships between processes and files. For instance, log files are usually added to, but cyber attackers often falsify log files so that they do not leave any trace of the attack. When this "not normal" behavior of falsification occurs, the system determines that it might be a cyber attack. This monitoring is executed by software called an agent that is installed on each PC. This monitoring data is collected and analyzed by the server in order to determine whether countermeasures are required.
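As an added illustration (not part of the interview, and not NEC's code), here is a toy version in Python of the learn-what-is-normal-then-flag-deviations idea described above: it builds a baseline of process/file relationships from constructed sample events in an assumed "process operation path" format, then flags later events that fall outside it, giving a specific reason when a log file is truncated or overwritten rather than appended to.

```python
from collections import defaultdict

# Constructed sample telemetry in an assumed "<process> <operation> <path>" format
# (not NEC's agent format). First a normal-operation window used to learn the baseline...
BASELINE_LOG = """\
syslogd append /var/log/syslog
syslogd append /var/log/auth.log
sshd append /var/log/auth.log
logrotate rename /var/log/syslog
cron append /var/log/cron.log
"""
# ...then a later window in which an unfamiliar process rewrites log files.
MONITORED_LOG = """\
syslogd append /var/log/syslog
sshd append /var/log/auth.log
unknown.exe truncate /var/log/auth.log
unknown.exe write /var/log/syslog
cron append /var/log/cron.log
"""
LOG_DIR = "/var/log/"
NON_APPEND_OPS = {"truncate", "write", "delete"}

def parse_events(text):
    """Split each line into a (process, operation, path) tuple."""
    return [tuple(line.split()) for line in text.strip().splitlines()]

def learn_baseline(events):
    """Record which operations each process normally performs on each path."""
    baseline = defaultdict(set)
    for proc, op, path in events:
        baseline[(proc, path)].add(op)
    return baseline

def find_deviations(baseline, events):
    """Flag events absent from the baseline; non-append changes to log files
    (the falsification case from the interview) get a specific reason."""
    alerts = []
    for proc, op, path in events:
        if op in baseline.get((proc, path), set()):
            continue  # relationship seen during normal operation
        if path.startswith(LOG_DIR) and op in NON_APPEND_OPS:
            reason = "log file modified other than by append"
        else:
            reason = "unseen process/file relationship"
        alerts.append((proc, op, path, reason))
    return alerts

def run_demo():
    """Learn from the baseline window, then score the monitored window."""
    return find_deviations(learn_baseline(parse_events(BASELINE_LOG)),
                           parse_events(MONITORED_LOG))
```

In a real deployment the baseline must be refreshed as legitimate behaviour changes (software updates, new services), otherwise every change looks like an attack and the administrator workload the interview warns about returns.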
--How did you start developing the new technology?
Kida: I joined the project in August of 2013. We wondered if we could come up with cyber security measures based on the aforementioned concept (the idea shown in the illustration). In order to determine feasibility, we described our concept to the information system departments in the company and held discussions with them.
The reaction was very positive: "It would be incredible if we could make a system that continuously monitored the immense number of PCs operating within the NEC Group. We will give you our full cooperation with regard to operational data and locations for experiments, so we really hope you will take up this challenge." The problems that were raised during the discussions were the operations monitoring workload and the effort required on the part of system administrators. After listening to what our internal information systems departments had to say, we realized that the most important part of development would be how much we could automate operations monitoring.
Looking at conventional security measures from a different angle
--How was this completely new technology created?
Kida: From April of 2014 we started full-fledged research with a staff of about eight people. We did not use any knowledge or know-how from conventional security measures. Instead, we used a totally different approach, looking at different concepts and mechanisms that would allow mechanical and mathematical detection of cyber attacks. Our initial development team did not include any security specialists.
We had specialists from many different fields in our team. Apart from monitoring software development specialists, our team also included database experts to determine how to process the monitored data, data-mining specialists to analyze the data, and GUI specialists to design the interface, since the final decisions would have to be made by humans. All of their skills and knowledge were used in developing this technology. When we were ready to think about commercializing the technology, which was in December of 2015, we announced to the press that we had developed an original technology that could be used to cope with unknown cyber attacks.
--What role did you play, Mr. Kida, in developing the new technology?
Kida: I am a software specialist, but my role in this project was to keep the team organized and focused as the team leader. I was not directly involved in developing the software. Rather, as the person responsible for the team I had to decide on methodologies and organize the development while holding discussions with the individual researchers. In other words, my work was more like that of a project manager responsible for overall management.