Research on new computer security methods is conducted in most developed countries. Everyone now understands that fighting cyberattacks matters as much to a state as extracting resources, supporting the economy or conducting effective social policy. Each day new technologies appear, and their vulnerabilities can be abused. Eventually these "holes" are patched, but with every new technology the story repeats itself.

Recently, the media reported that IBM is working on a new project: a cognitive computing service to fight cyberthreats. The system will make use of a new experimental voice assistant, Havyn, which gives specialists the information they need. IBM's new system will not only report cyberthreats but also offer possible solutions. According to its developers, the system's main advantage is that it saves time.

The trend toward using AI to fight cyberthreats was reflected in the speech of Stuart McClure (CEO of Cylance) at the World Economic Forum in Davos. He stated that the approach to cybersecurity must shift toward AI and machine learning methods. According to the company's representatives, AI algorithms will prove most effective in fighting cyberthreats, while machine learning will help create software that analyzes cyberattacks online in order to predict them in the future.

So does that mean AI can become a "silver bullet"? Not really. Despite the large sums invested in AI, the question of whether machine learning is really the next step in cybersecurity, or a fad promoted by the media and vendors, is raised more and more often.

And what about the Russian IT industry?

ITMO University. Pavel Kuzmich

"In Russia, there are special units that work on countering cyberthreats; some are governmental, some private. Naturally, reacting to computer incidents is one of the most important stages of preventing them in the future, as is the analysis of attacks, successful or not, which allows one to assess the security level of a system and understand which kinds of threats may endanger it at each particular moment of its life cycle. We've been actively conducting research in this field at our Department and laboratory," comments Pavel Kuzmich, head of ITMO's Laboratory of Computer Forensics and Cybercrime Investigation.

Igor Zikratov, head of the Department of Secure Information Technologies, notes that the university's students actively participate in these projects. Some presented their results at the Congress of Young Scientists.

Preventing attacks on motherboard firmware

Zahar Dementiev of ITMO's Department of Secure Information Technologies has been working on preventing attacks on motherboard firmware for more than six months.

"Just think of it: you have a computer, it gets infected, but you can still format your hard drive and thus solve the problem. Yet there are programs that can infect the motherboard. We've conducted tests on several machines and found that 25% were not protected from them. The point is, one can infect a computer in such a way that the virus will always remain in the firmware," shares Zahar's tutor, Artur Hanov of ITMO's Department of Secure Information Technologies.

Motherboard. Credit: remont-notebook-rostov.ru

Nowadays there is a range of software designed to get as deep into the system as possible and execute its code at the highest privilege level. The operating system kernel suits such goals, yet there are even more privileged operating modes, for instance the hypervisor and System Management Mode (SMM). Malware can in principle live on the hard drive, but there it is easier for anti-virus software to find and remove. Firmware is a much better hiding place, and malware stored there gains several advantages: it does not depend on the operating system, it survives a re-installation of the OS (and even a replacement of the disk), and it can interfere with the boot process itself. In his project, Zahar Dementiev analyzes these attack vectors and the current means of protecting the system. His main idea is to adapt the hypervisor (software, firmware or hardware that creates and runs virtual machines -- Ed.) to protect the computer from attacks, including those on firmware.

The method's advantage is that it can be applied to most computers: to use it, the processor must support hardware virtualization, and only very old models lack it. Also, if new vulnerabilities are discovered, updating the hypervisor is much easier than updating the BIOS. BIOS updates can only come from the manufacturer, and in practice are provided only for a limited range of (mostly higher-end) machines. One caveat a practitioner should keep in mind: SMM code runs beneath the hypervisor and the platform firmware runs before it, so a protective hypervisor must itself be launched from a trusted boot path; otherwise already-compromised firmware gets to run first.

Identifying DGA domains using neural networks

Andrei Abakumov, a graduate of the Department of Secure Information Technologies and a computer security specialist, works on identifying malicious domain names produced by a Domain Generation Algorithm (DGA). Malware uses such algorithms to locate its command-and-control servers: the bot computes a long list of candidate names from a shared seed (typically the date), and the operator registers only one or a few of them. Because the names change constantly, writing blocking rules is hard and the command centers are harder to detect. In his project, the ITMO graduate analyzed existing methods of identifying DGA domains, many of which use machine learning, and proposed a recurrent neural network. A recurrent network's architecture lets it use previously processed characters when analyzing the current one. Andrei Abakumov uses the LSTM (long short-term memory) model, which is now applied in many fields, such as speech recognition and natural language processing. The resulting model identifies DGA domains and even outperforms the popular Random Forest classifier.
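The following added example is not Andrei Abakumov's code; it shows both halves of the problem on constructed data. The DGA is an illustrative one (a date-seeded hash, not any real malware family's algorithm), and the detector is a hand-written character-statistics rule (familiar bigrams plus Shannon entropy) standing in for the trained LSTM or Random Forest classifier. The benign training list and the thresholds are assumptions chosen for the demonstration.

```python
import hashlib
import math
from collections import Counter
from datetime import date

# Constructed list of benign second-level labels. A real classifier is trained
# on millions of labels (e.g. a top-sites list); this tiny list only serves to
# show what "familiar" character pairs look like.
BENIGN_TRAINING = [
    "google", "facebook", "wikipedia", "youtube", "amazon", "twitter",
    "instagram", "linkedin", "microsoft", "apple", "netflix", "reddit",
    "github", "mozilla", "cloudflare", "dropbox", "spotify", "paypal",
    "yandex", "mail", "university", "research", "security", "example",
]


def bigrams(label: str) -> list[str]:
    """Consecutive character pairs of a label: 'abc' -> ['ab', 'bc']."""
    return [label[i:i + 2] for i in range(len(label) - 1)]


KNOWN_BIGRAMS = {b for word in BENIGN_TRAINING for b in bigrams(word)}


def toy_dga(day: str, count: int = 5, tld: str = ".com") -> list[str]:
    """Illustrative DGA (assumption: not any real malware family's algorithm).

    Bot and operator both derive the day's candidate list from the date
    string 'YYYY-MM-DD' alone, so the operator registers one name while
    defenders face a fresh list every day: static blocklists cannot keep up.
    """
    seed = day.encode()
    names = []
    for i in range(count):
        digest = hashlib.sha256(seed + i.to_bytes(2, "big")).digest()
        length = 12 + digest[0] % 8                      # 12..19 characters
        label = "".join(chr(ord("a") + b % 26) for b in digest[1:1 + length])
        names.append(label + tld)
    return names


def shannon_entropy(label: str) -> float:
    """Bits per character; random strings score higher than word-like ones."""
    if not label:
        return 0.0
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())


def known_bigram_ratio(label: str) -> float:
    """Fraction of the label's bigrams that occur in the benign corpus."""
    pairs = bigrams(label)
    if not pairs:
        return 1.0
    return sum(p in KNOWN_BIGRAMS for p in pairs) / len(pairs)


def second_level_label(domain: str) -> str:
    """'abc.example.com' -> 'example' (good enough for the samples here)."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def looks_generated(domain: str, ratio_threshold: float = 0.5,
                    entropy_threshold: float = 3.6) -> bool:
    """Hand-written rule standing in for a trained classifier (thresholds are assumptions)."""
    label = second_level_label(domain)
    return (known_bigram_ratio(label) < ratio_threshold
            or shannon_entropy(label) > entropy_threshold)


if __name__ == "__main__":
    today = date.today().isoformat()
    for d in toy_dga(today) + ["google.com", "mail.ru"]:
        label = second_level_label(d)
        print(f"{d:28s} entropy={shannon_entropy(label):.2f} "
              f"known={known_bigram_ratio(label):.2f} flag={looks_generated(d)}")
```

The rule-based detector needs someone to choose the features and thresholds by hand, and a DGA that imitates dictionary words defeats it; that is exactly what the LSTM approach avoids by learning character-level structure directly from labelled domains.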

Computer incidents and cyberattacks

Igor Pantukhin, a tutor and PhD student in the Department of Secure Information Technologies, does research in digital forensics. A "computer incident" is an event in which someone disrupts the normal operation of computer equipment; a classic virus attack is a good example. Igor Pantukhin focuses on the subsequent investigation. The number of information threats constantly grows, as do the volumes of stored and processed data, so investigating computer incidents becomes ever harder.

"At ITMO University, I research digital forensics together with our Master's and Bachelor's students from the Department of Secure Information Technologies; we develop new methods and approaches, for instance methods of investigating computer incidents based only on their attributes and their indications. They decrease the computational complexity of the investigation and make identifying incidents easier. The results of the research can be used to identify the potential attacker and to determine his actions and methods," shares Igor Pantukhin.

The method of investigating computer incidents by analyzing attributes and their indications works as follows: every file, process or network packet has distinctive attributes (for a file, for example, its owner, timestamps, size and permissions), and each attribute takes a particular value, its indication. The investigators analyze only these attributes, not the data itself. This reduces the amount of data to be processed and hence the computational complexity.

Why use only the attributes? When investigating a computer incident, what matters is who affected a file or process, when, and how. That information is stored in the attributes as their indications, or in a special database that records changes made by legitimate users, by viruses and so on.
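As an added illustration of the attribute-only idea (this is not Igor Pantukhin's group's code), the script below snapshots only file attributes, never file contents, compares two snapshots, and suppresses paths listed in a hypothetical "known legitimate changes" database. The directory tree, the intrusion it simulates and the legitimate-change entry are all constructed for the demonstration.

```python
import os
import stat
import tempfile
from dataclasses import dataclass
from pathlib import Path

# Attributes ("indications") recorded per file. Contents are never read, so the
# cost of a snapshot is one stat() call per file instead of hashing every byte.
ATTRS = ("size", "mode", "uid", "mtime", "ctime")


def file_attributes(path: Path) -> dict:
    st = path.lstat()
    return {
        "size": st.st_size,
        "mode": stat.filemode(st.st_mode),
        "uid": st.st_uid,
        "mtime": int(st.st_mtime),
        "ctime": int(st.st_ctime),
    }


def snapshot(root: Path) -> dict[str, dict]:
    """Attributes of every regular file below root, keyed by POSIX relative path."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_file() and not p.is_symlink():
                result[p.relative_to(root).as_posix()] = file_attributes(p)
    return result


@dataclass(frozen=True)
class Finding:
    path: str
    kind: str        # "added", "removed" or "changed"
    changed: tuple   # names of attributes whose indication differs


def diff_snapshots(before: dict, after: dict,
                   known_legitimate=frozenset()) -> list[Finding]:
    """Who/when/how questions are answered from attributes alone; paths whose
    change is already recorded in the (hypothetical) legitimate-changes database
    are dropped so the investigator only sees unexplained activity."""
    findings = []
    for path in sorted(set(before) | set(after)):
        if path in known_legitimate:
            continue
        if path not in before:
            findings.append(Finding(path, "added", ()))
        elif path not in after:
            findings.append(Finding(path, "removed", ()))
        else:
            diff = tuple(a for a in ATTRS if before[path][a] != after[path][a])
            if diff:
                findings.append(Finding(path, "changed", diff))
    return findings


def demo() -> list[Finding]:
    """Constructed scenario: baseline, then a replaced binary, a dropped file
    and one admin edit that the legitimate-changes database already lists."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "service").write_bytes(b"#!/bin/sh\necho ok\n")
        (root / "etc.conf").write_text("debug=0\n")
        before = snapshot(root)
        # Simulated intrusion: service binary replaced, implant dropped.
        (root / "bin" / "service").write_bytes(b"#!/bin/sh\nexec /tmp/.x\n")
        (root / "bin" / "implant").write_bytes(b"\x7fELF")
        # Simulated legitimate change recorded by an administrator.
        (root / "etc.conf").write_text("debug=1\n")
        after = snapshot(root)
        return diff_snapshots(before, after, known_legitimate={"etc.conf"})


if __name__ == "__main__":
    for f in demo():
        print(f.kind, f.path, f.changed)
```

Processes and network packets get the same treatment with their own attribute sets (parent PID, user, start time; source and destination addresses, ports, sizes); the point is that the comparison touches metadata only, which is what keeps it cheap as data volumes grow.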

These results have further uses: they can feed new predictive systems for fighting cyberattacks, or be integrated into existing ones to improve them. All of this helps prevent computer incidents in the future and respond to attacks quickly.