Detecting the DNA of cyberattacks
A collaboration between Professor Pete Burnap and Airbus has led to a completely novel way of detecting and preventing malicious software.
When the WannaCry cyberattack hit the NHS in 2017 – causing widespread panic, confusion, and disruption – shockwaves were sent across the country.
It was a watershed moment.
Cyberattacks were no longer seen as a risk to our personal devices or data, but as an existential threat to our critical infrastructure which could have potentially devastating consequences.
In the space of just eight hours, more than 200,000 computers across 150 countries were attacked, with total damages ranging from hundreds of millions to billions of dollars.
In the UK, up to 70,000 devices across 42 NHS trusts were hit, including MRI scanners, blood-storage refrigerators and theatre equipment, with some trusts having to turn away non-critical emergencies and divert ambulances.
However, the attack could have been prevented, says Professor Pete Burnap, Professor of Data Science and Cybersecurity at the university’s School of Computer Science and Informatics.
Many of the organisations affected were running older Windows systems that had not been updated with the patch Microsoft had released in March 2017 (MS17-010), which closed the SMBv1 vulnerability WannaCry used to spread and would have stopped the attack.
Professor Burnap says it is these so-called “legacy systems” that worry him most about any future cyberattack.
“It happened once and so it can happen again at any time,” he explains. “The issue is that people are busy working on the frontline and there’s not enough budget for IT, so nobody is going around patching these systems. It’s a massive worry.
“If a nuclear power plant has a problem and is cyberattacked, you can’t turn it off and back on again. It’s controlling the nuclear reactor, so you’ve got to work out how to defend that while considering the risk at the same time. The only thing you can do is defend it live.”
An automated defence
The idea of creating a live, automated defence against cyberattacks has been the goal of Professor Burnap and his team for a long time.
Using recent advances in artificial intelligence and machine learning, they have stepped away from the traditional approach of identifying malicious software, or malware, by its code signatures, and instead track how it behaves.
“Traditional antivirus software will, for example, look at the code structure of a piece of malware and say ‘yeah, that looks familiar’,” Professor Burnap explains. “But the problem is malware authors will just chop and change the code, so the next day the code looks different and is not detected by the antivirus software.”
As an example of how easy and common this is, VirusTotal, Google's malware repository, is reported to see over one million new and unique malware samples every day.
“What we’re trying to do is rather than understand what a piece of malware looks like, we want to know how it behaves,” Professor Burnap explains. “So once it starts doing stuff on the system, like opening a port, creating a process, or downloading some data in a particular order, it will leave a fingerprint behind.
“And that’s when you can collect all of these markers to create a sort of DNA profile of a cyberattack based on how it behaves. This can then be used to determine whether something is malicious or not.”
Our unique approach
Approaching the problem like detectives at a crime scene is distinctive, and, more importantly, it has proved extremely effective.
“At first, we needed to run a potential piece of malware through our detection tool for at least five minutes before we could build up a suitable DNA profile and determine whether it was malicious or not,” explains Professor Burnap.
“We then had a PhD student, Matilda Rhode, working on the project who implemented recurrent neural networks into the tool. So, rather than having to take all the data over five minutes, the neural networks can build sequences of data on a second-by-second basis and therefore make a very quick prediction of how the malware will behave further down the line.”
As a result, the team reports detecting malicious behaviour with 98 percent accuracy after just four seconds of execution.
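The two ideas above, a behavioural "DNA" profile built from the order in which machine-activity events occur, and a verdict that is updated every second rather than after a fixed observation window, can be shown in a few dozen lines. The block below is an added example, not code from Cardiff University, Airbus or the published tool: it swaps in a simple bigram (first-order Markov) model of event transitions for the recurrent neural network the article describes, and scores a growing prefix of a trace with a cumulative log-likelihood ratio so that a verdict can be issued as soon as the evidence crosses a threshold. All event names, traces and the threshold are constructed for illustration.

```python
"""Behavioural 'DNA' fingerprint of a running program, scored second by second.

Added example, not code from Cardiff University or Airbus. It swaps in a
bigram (first-order Markov) model of machine-activity events for the recurrent
neural network the article describes; event names, traces and the decision
threshold are constructed for illustration.
"""
import math
from collections import Counter, defaultdict

# Constructed per-second traces: the dominant machine-activity event observed
# in each second of execution (the order is the fingerprint).
BENIGN_TRACES = [
    ["proc_create", "file_read", "file_read", "ui_draw", "ui_draw", "file_write", "exit"],
    ["proc_create", "file_read", "ui_draw", "ui_draw", "ui_draw", "file_write", "exit"],
    ["proc_create", "reg_read", "file_read", "ui_draw", "file_write", "ui_draw", "exit"],
]
MALICIOUS_TRACES = [
    ["proc_create", "reg_write", "port_open", "net_recv", "file_write", "proc_create", "file_write"],
    ["proc_create", "port_open", "net_recv", "reg_write", "file_write", "file_write", "proc_create"],
    ["proc_create", "reg_write", "port_open", "net_recv", "file_write", "file_write", "proc_create"],
]


class BigramProfile:
    """Transition counts P(next event | previous event) for one class of behaviour."""

    def __init__(self, traces):
        self.counts = defaultdict(Counter)
        for trace in traces:
            prev = "<start>"
            for event in trace:
                self.counts[prev][event] += 1
                prev = event

    def log_prob(self, prev, event, vocab_size, alpha=1.0):
        # Additive (Laplace) smoothing: an unseen transition is unlikely, not
        # impossible, so a never-before-seen variant still gets a score.
        row = self.counts.get(prev, Counter())
        return math.log((row[event] + alpha) / (sum(row.values()) + alpha * vocab_size))


class EarlyDetector:
    """Cumulative log-likelihood ratio (malicious vs benign) over a growing prefix."""

    def __init__(self, benign, malicious):
        self.benign = BigramProfile(benign)
        self.malicious = BigramProfile(malicious)
        self.vocab = {event for trace in benign + malicious for event in trace}

    def llr_per_second(self, trace):
        """Cumulative LLR after each second of execution; positive favours 'malicious'."""
        scores, llr, prev = [], 0.0, "<start>"
        vocab_size = len(self.vocab)
        for event in trace:
            llr += (self.malicious.log_prob(prev, event, vocab_size)
                    - self.benign.log_prob(prev, event, vocab_size))
            scores.append(llr)
            prev = event
        return scores

    def earliest_verdict(self, trace, threshold=2.0):
        """Return (seconds_observed, verdict) at the first crossing of +/-threshold,
        or (len(trace), 'undecided') if the trace ends before the evidence is strong enough."""
        for second, llr in enumerate(self.llr_per_second(trace), start=1):
            if llr >= threshold:
                return second, "malicious"
            if llr <= -threshold:
                return second, "benign"
        return len(trace), "undecided"


if __name__ == "__main__":
    detector = EarlyDetector(BENIGN_TRACES, MALICIOUS_TRACES)
    # Constructed unseen traces: one that behaves like a dropper, one like a viewer.
    suspect = ["proc_create", "reg_write", "port_open", "net_recv", "file_write", "proc_create"]
    viewer = ["proc_create", "file_read", "ui_draw", "ui_draw", "file_write", "exit"]
    for name, trace in (("suspect", suspect), ("viewer", viewer)):
        seconds, verdict = detector.earliest_verdict(trace)
        print(f"{name}: {verdict} after {seconds}s of {len(trace)}s; LLR trail "
              f"{[round(x, 2) for x in detector.llr_per_second(trace)]}")
```

The threshold trades speed against confidence: a lower value fires earlier but on weaker evidence, which is the same trade-off the article's per-second prediction makes. A real deployment would also need the model to cope with evasions such as padding the first seconds with benign-looking activity, which is why the trace here is scored continuously rather than stopping at the first verdict.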
Innovation through collaboration
The success of the university's malware detection tool can be largely attributed to a long and productive collaboration with Airbus, one of the world's largest aircraft manufacturers.
Their interest piqued by significant national media coverage of Professor Burnap's work detecting malware spread via Twitter, Airbus in 2015 offered him a secondment to lead research focused on protecting its global IT and manufacturing network.
It was a relationship that flourished, not only leading to the development of the malware detection tool, but also a complete rethink of how large organisations manage risks in terms of cyber threats.
“Whilst at Airbus I managed to meet senior executives and various people who were responsible for institutional change, and that’s when we started doing some research with a view to how to protect their business systems,” says Professor Burnap.
“If you take a big company like Airbus, who have loads of different interconnected systems, if one of those systems goes down, what’s the impact on the others?
“Risk assessments at the time weren’t really able to cope with that, so we came up with a brand new risk methodology which was novel, in that rather than trying to determine what could go wrong with the system, we flipped it around and asked what needed to go right.”
By combining this risk-assessment methodology with the malware detection tool, the team provided Airbus with a single, holistic system for both detecting potential attacks and assessing their impact on the business.
“The malware detection tool will feed into the risk model, identifying a potential attack on part of the system and then showing what the cascading impact will be,” Professor Burnap explains.
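One way to turn that "what needs to go right" model into working code, as an added example that is not Cardiff University's or Airbus's own risk methodology: each business function lists the systems it cannot run without, each system lists the systems it depends on, and a detector verdict on one system is propagated through the inverted dependency graph to find every function that stops. All system and function names below are constructed for illustration.

```python
"""Cascading impact of a detected compromise across interconnected systems.

Added example, not the risk methodology built by Cardiff University or Airbus.
It takes the 'what needs to go right' framing literally: each business
function lists the systems it requires, systems list the systems they depend
on, and a detector verdict on one system is propagated to everything that
relies on it. All system and function names are constructed for illustration.
"""
from collections import deque

# Constructed dependency graph: each system -> the systems it depends on.
SYSTEM_DEPS = {
    "active_directory": [],
    "file_server": ["active_directory"],
    "plm": ["active_directory", "file_server"],   # product lifecycle management
    "mes": ["active_directory", "plm"],            # manufacturing execution system
    "email": ["active_directory"],
    "crm": ["active_directory", "email"],
}

# 'What needs to go right': each business function -> the systems it cannot run without.
FUNCTION_NEEDS = {
    "wing_assembly_line": ["mes"],
    "design_release": ["plm"],
    "customer_support": ["crm", "email"],
}


def dependents(system_deps):
    """Invert the graph: system -> systems that depend on it directly."""
    rev = {system: [] for system in system_deps}
    for system, deps in system_deps.items():
        for dep in deps:
            rev.setdefault(dep, []).append(system)
    return rev


def cascade(compromised, system_deps):
    """All systems that fail, transitively, if the given systems are compromised."""
    rev = dependents(system_deps)
    seen = set(compromised)
    queue = deque(compromised)
    while queue:
        system = queue.popleft()
        for child in rev.get(system, []):
            if child not in seen:
                seen.add(child)
                queue.append(child)
    return seen


def impacted_functions(compromised, system_deps, function_needs):
    """Business functions that can no longer run, sorted for stable output."""
    failed = cascade(compromised, system_deps)
    return sorted(fn for fn, needs in function_needs.items() if failed & set(needs))


def criticality(system_deps, function_needs):
    """For each system, how many business functions its compromise alone would stop.

    A system scoring the full count is a single point of failure and belongs at
    the top of the patching and monitoring priority list."""
    return {system: len(impacted_functions([system], system_deps, function_needs))
            for system in system_deps}


if __name__ == "__main__":
    # A detector verdict on 'plm' feeds the risk model and yields the cascade ...
    print("plm compromised ->", impacted_functions(["plm"], SYSTEM_DEPS, FUNCTION_NEEDS))
    # ... and the same model ranks systems by business impact before anything happens.
    ranked = sorted(criticality(SYSTEM_DEPS, FUNCTION_NEEDS).items(), key=lambda kv: -kv[1])
    for system, stopped in ranked:
        print(f"{system:17s} would stop {stopped} of {len(FUNCTION_NEEDS)} functions")
```

The graph is deliberately small, but the shape is the point: the detector only has to say which host is behaving maliciously, and the dependency model supplies the business-level answer to "what else is now at risk", which is what a security operations team needs in order to decide what to isolate first.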
The system is now integrated into Airbus's cybersecurity operations, which protect the confidential data and intellectual property of its 134,000 employees and shield key European infrastructure, with the potential to save millions of pounds in recovery costs from future attacks.
The collaboration has since gone from strength to strength, with the launch of the Airbus Centre of Excellence in Cyber Security Analytics in October 2017, of which Professor Burnap is Director, following more than £2 million investment from Airbus.
Our Centre for Cybersecurity Research, within which the Airbus Centre is a core pillar of activity, was recognised by the Engineering and Physical Sciences Research Council (EPSRC) and the National Cyber Security Centre (NCSC) as a UK Academic Centre of Excellence in Cyber Security Research (ACE-CSR).
The world has certainly changed a lot since Professor Burnap began coding as a child, in a small office in his dad’s garage.
He has seen tremendous advances in technology that have now become embedded in nearly every aspect of our lives. This, he states, is a potential issue.
“Back then cybersecurity wasn’t even a thing. It was called information assurance or information security and was all about the protection of information. Smartphones weren’t around or anything like that,” he says.
“As we now progress to more automated systems with the Internet of Things and driverless cars for example, where is the security going to be built in?
“We roll these technologies out because they provide a service to us, but we always then retrospectively try and solve cyber security problems. If we keep doing this, the same mistakes will be made over and over again.
“But if technology such as driverless cars were hacked, the consequences would be devastating and would have even bigger repercussions for things like green infrastructure and Net Zero.”
It is Professor Burnap’s hope that, armed with the tools and methodologies created at the university, businesses can get on the front foot to proactively guard against cyberattacks and avoid the overwhelming havoc that they inflict.
Innovation at Cardiff University
We have a thriving innovation culture and excel in connecting industry, business, and government with our academics, nurturing student entrepreneurship and championing grassroots business development.
- Javed, A., Burnap, P. and Rana, O. 2019. Prediction of drive-by download attacks on Twitter. Information Processing and Management 56(3), pp. 1133-1145. (doi:10.1016/j.ipm.2018.02.003)
- Rhode, M., Burnap, P. and Jones, K. 2018. Early-stage malware prediction using recurrent neural networks. Computers and Security 77, pp. 578-594. (doi:10.1016/j.cose.2018.05.010)
- Burnap, P. et al. 2018. Malware classification using self organising feature maps and machine activity data. Computers and Security 73, pp. 399-410. (doi:10.1016/j.cose.2017.11.016)
- Burnap, P. et al. 2015. Real-time classification of malicious URLs on Twitter using Machine Activity Data. Presented at: IEEE/ACM International Conference on Advances in Social Networks Analysis and Mining (ASONAM), Paris, France, 25-27 August 2015. ACM.