Interview with Research Team of Professors Park, Jong Hyuk and Lee, Chang Hoon from Department of Computer Science and Engineering
In June 2017, Internet Nayana, an internet hosting company, was infected by a variant of the Erebus ransomware. Overall, 153 servers were encrypted, 3,400 websites were affected, and the approximately 1.3 billion KRW demanded by the hacker had to be paid. Nowadays, cyber-attacks are so advanced that by the time they are detected, the damage is already uncontrollable and solutions are extremely difficult to find. It is like mending the barn after the horse is stolen.
A group of people have come forward to solve this problem. Researchers from the Department of Computer Science and Engineering of Seoul National University of Science and Technology (SeoulTech) have been designing forecast and preemptive action technology against current advanced persistent threats (APTs). We interviewed the research team, which now handles essential cyber-security missions not only in Korea, but in the entire world.
1. The “Security Dream” research team started by planning research on deep learning-based cyber-attack prediction and preemptive action technology. Please briefly introduce the team that is leading this innovative research.
▲ This research team is SeoulTech's strongest Avengers Dream Team. It is composed of two professors and ten Korean and overseas researchers on Master’s and doctoral courses from the Ubiquitous Computing and Security (UCS) Lab (Advisor: Professor Park, Jong Hyuk) and the Cryptography and Information Security (CIS) Lab (Advisor: Professor Lee, Chang Hoon), who hope to become global leaders in the field of information security.
The principal researcher, Professor Park, Jong Hyuk, has actively participated in research cooperation activities as a chief or associate editor for prominent international academic journals and as a chief on the organizing committee or program committee of authoritative international conferences. In particular, Professor Park has been actively pursuing academic exchange and joint research with prominent scholars in the fields of ubiquitous computing, security, IoT security, and cloud security. Moreover, he has published numerous articles in excellent international journals (SCI level) and conferences, including some of the world's top 1% journals. Joint researcher Professor Lee, Chang Hoon is an expert in encryption and cyber-security who designed the Korean standard code SEED-256 and the hash function ARIRANG, and who has analyzed and decrypted many international codes. In addition, he received an award from the Ministry of Science, ICT and Future Planning for his excellent accomplishments in the development of computer emergency counteraction technologies, as well as the cyber-security research article award from the National Intelligence Service, the excellent award in the national code contest, and the excellent award in digital forensics.
2. The research project was initiated in response to existing technologies’ limitations in handling current APTs. Please explain the intellectual threats of concern.
▲ APTs refer to the threats caused by cyber-attacks, which are gradually progressing. In the past, cyber-threats were local, temporary attacks based on simple patterns and tools, such as general malicious codes or viruses. By contrast, the new cyber-threats are long-term ones based on new attacks and behavioral patterns that have never been reported before.
Most conventional cyber-attack counteraction systems use fragmentary indicators of specific attacking behaviors and patterns, including a specific source code included in a file, a file’s attempt to access a specific directory domain, or the specific IP address of a file-transferring network user that is the same as the one that performed a malicious behavior in the past. These indicators are used to decide whether a file is malicious or normal. However, these systems are very vulnerable to new types of attacks whose patterns have not been reported before. In addition, many recent cyber-attacks have been based on malicious codes that are not in the form of a file, called “fileless malware.” This type of cyber-attack cannot be defended against by conventional counteraction systems.
3. What is the principle of the new detection model that is expected to solve these problems?
▲ The existing cyber-attack detection systems are only able to identify a certain attacking behavior, or to simply recognize a pattern. Therefore, they present technical limitations in detecting or blocking new types of cyber-attacks, which are becoming more sophisticated. With the present research project, our goal is to build a system that can respond to advanced cyber-attacks. We propose a fundamental counteraction system that recognizes the behaviors and patterns of cyber-attacks through abstractive expressions of cyber-attacks and behaviors.
The series of roles and behavioral modes of source codes and the presence of a code that may be used to perform an abnormal behavior are expressed in a form similar to a high-level language. We use an expression system that expresses not the information that allows a certain behavior to be identified, but the specific behavior itself, and that describes the purposes and means of the behavior. As the abstractive expression of cyber-attacks makes it possible to detect cyber-attacks in a macroscopic manner and is therefore applicable to various platforms, it is highly efficient in responding to cyber-attacks and allows the rapid counteraction of similar or new cyber-attack patterns.
4. The core of the research may seem to be generating shrewd reactions before a huge loss by combining the detection and analysis of abnormal cyber-behavior with “deep learning.” If the detection platform is operated with the goal to prevent and block damage in advance, is there any risk of detecting not only cyber-attacks but also normal behaviors as threats?
▲ The best countermeasure against cyber-attacks is to foresee the attack. Deep learning allows us to predict the occurrence of a cyber-attack using accumulated data. All computer emergency prediction and counteraction technologies consider both the false negative rate and the true positive rate, and are designed to minimize the false negative rate. Of course, wrong detection or prediction may occur. However, these problems will be greatly minimized as more data are accumulated and the detection and prediction accuracies increase. In addition, to minimize the risk of incorrect detection, the process of determination of a threatening behavior will consider both the similarity with a malicious behavior and the difference from a normal behavior.
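The contrast drawn in answers 2, 3 and 4, illustrated as an added example that is not the research team's code: an indicator check that only matches file hashes misses a fileless scenario, while a hypothetical abstract-behaviour expression (purpose and means, independent of which binary acts) catches it and is weighed against both a malicious and a normal profile. The events, hashes and profile names are constructed for the illustration.

```python
from collections import Counter

# Constructed host events (process, action, target) for a fileless scenario:
# the only executable on disk is a legitimate, signed interpreter.
ATTACK_EVENTS = [
    ("powershell.exe", "spawn", "vssadmin.exe"),
    ("vssadmin.exe", "delete", "shadow_copies"),
    ("powershell.exe", "write", "C:/Users/a/docs/report.docx.locked"),
    ("powershell.exe", "write", "C:/Users/a/docs/budget.xlsx.locked"),
    ("powershell.exe", "write", "C:/Users/a/docs/README_DECRYPT.txt"),
]
# Constructed events of an ordinary office session, used to check for false positives.
NORMAL_EVENTS = [
    ("winword.exe", "write", "C:/Users/a/docs/report.docx"),
    ("winword.exe", "write", "C:/Users/a/docs/~$report.docx"),
]
FILES_ON_DISK = {"powershell.exe": "hash-of-signed-interpreter"}  # constructed
KNOWN_BAD_HASHES = {"hash-of-an-earlier-sample"}                  # constructed


def indicator_detect(files, bad_hashes):
    """Conventional check: a file is malicious only if its hash was seen before."""
    return [name for name, digest in files.items() if digest in bad_hashes]


def abstract_behaviour(event):
    """Express what an event does (purpose and means), not which binary did it."""
    _, action, target = event
    if action == "delete" and target == "shadow_copies":
        return "destroy-recovery-points"
    if action == "write" and target.endswith(".locked"):
        return "replace-user-document"
    if action == "write" and "DECRYPT" in target.upper():
        return "leave-ransom-instruction"
    if action == "write" and target.endswith((".docx", ".xlsx")):
        return "edit-user-document"
    return None


# Hypothetical profiles: the decision weighs similarity to a malicious profile
# and difference from a normal one, as answer 4 describes.
MALICIOUS = {"destroy-recovery-points", "replace-user-document", "leave-ransom-instruction"}
NORMAL = {"edit-user-document"}


def behaviour_detect(events, min_similarity=2):
    tags = Counter(t for t in map(abstract_behaviour, events) if t)
    seen = set(tags)
    similarity = len(seen & MALICIOUS)   # how much it looks like the malicious profile
    difference = len(seen - NORMAL)      # how far it departs from normal behaviour
    flagged = similarity >= min_similarity and difference > 0
    return {"tags": tags, "similarity": similarity, "difference": difference, "flagged": flagged}
```

The normal session stays unflagged because its only behaviour lies inside the normal profile, which is the two-sided check the answer above refers to.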
5. Please describe the short-term and long-term effects that the success of the project may bring.
▲ Modern society is very sensitive to cyber-attacks, as it relies on advanced IT technologies. Although the technologies to respond to cyber-attacks are gradually improving, a single attack on a current network may cause huge damage. Therefore, in order to prevent any attack, technologies should be developed not just to respond to attacks, but also to predict them in advance.
From a short-term perspective, these technologies may minimize the damage to society caused by cyber-attacks. For example, the various circulation paths of the malicious code of the recent ransomware attack caused huge damage in the private sector. In addition, anyone can produce various patterns of ransomware using a ransomware production tool. The results of the present research project will use abstractive expressions of a variety of ransomware and malicious codes to allow comprehensive and integral counteractions. Our system will allow us to respond to actual cyber-attacks efficiently.
From a long-term perspective, our study may be an attempt to pre-occupy the cyber-threat prediction market. While numerous security companies around the world feel the need to develop threat prediction technologies and to provide prediction technologies to offer various security solutions, these technologies are still in their infancy in terms of accuracy and efficiency. If the results of our cyber-threat prediction study yield excellent accuracy and efficiency, we will pioneer technologies in the global security market and be able to make significant contributions to Korea’s market leadership as a strong security technology country.
APTs are not limited to cyber-security vulnerabilities in Korea. In 2010, Iran was shamed, as 58.85% of the country’s computers and the essential servers at Iranian power plants were infected by Stuxnet, a worm virus. As in this example, cyber-security vulnerabilities have been evidenced in many parts of the world. Therefore, the research conducted by SeoulTech's research team from the Department of Computer Science and Engineering is truly a project designed to meet international needs. The team will set a watchman to fix the barn before the horse is stolen. The operation of a predictive security system based on deep learning can not only alleviate anxieties about various threats, but can also prevent cyber-attacks at their sources. This is why this research project is so significant. The team’s future works now draw more attention than ever.
Written by Jeong, Seo-jin, a public relations agent of SeoulTech