Q & A WITH XIE XUPING (SHIUHPYNG WINSTON SHIEH): CAN COMPUTER MODELS PREDICT MALWARE BEHAVIOR?
/鍙版咕鍥界珛浜ら€氬ぇ瀛﹁阿缁钩鏁欐巿搴旈個鏉ユ垜闄㈠鏈搴�
Date of Publication: 03.09.17. March 09, 2017/ 鍙戝竷浜庯細2017-03-09
Editor & Translator: Rosie YU Rizhen/ 缂栬瘧锛氫綑鏃ヨ嚮
Taiwan National Chiao Tung University, Professor Xie was invited to the Department of Cyberspace Security CSEE as a special guest for three days. One of the event was the 鈥淎uto-Constructing Malware Behavior Profilers鈥� report at Hunan University CSEE Room 542.
The report meeting was chaired by Professor PENG Fei, director of the Department of Cyberspace Security, and hosted by Professor HU Yupeng. The main direction of Professor Xie academic curriculum, discipline development plan and related research were discussed. Xie encourages open discussion all the way during the whole report. Teachers and cyberspace security department students are presented. They exchange and share their teaching experience at the seminar with Prof. Xie. Professor Xie also gives academic research plan of young teachers in the future. He would love to put forward more for detailed guidance and recommendations, and proposed many opinions of his own.
NCTU computing science professor XIE Xuping is on a mission to fight back against these lethal outbreaks using his weapon of choice: profilers.
Shiuhpyng Winston Shieh, an IEEE Fellow, ACM Distinguished Scientist, and Distinguished Professor of Chinese Institute of Electrical Engineers. Recently, He received IEEE Reliability Society Engineer of The Year Award and NCTU Distinguished Teaching Award. His research interests include system penetration and protection, malware behavior analysis, network and system security.
Rosie sat down at the report with professor Xie and other teachers to find out more about the evolution of computer viruses, the perils of logical key resistance, and profiler鈥檚 role in predicting threats.
What is your research focus?
I鈥檓 primarily interested in understanding the development of intuitive detection鈥攅verything from the internet virus attack and defense, all the way to prevent the spread of malware through popular operating systems.
A great deal of my expertise lies in constructing models鈥擨 build mathematical models and develop computational algorithms to look at virus, or how an threat unfolds over time. Ultimately, I鈥檓 looking for the best intervention to control these malwares, especially in low-resource settings where virus tend to spread rapidly.
How do you tackle threat problem?
First, I write down a model and then I see how closely the trends recapitulate the actual trends that we鈥檝e observed in the past. By matching the past, we can have a reasonable idea of what the future is going to hold. That鈥檚 mostly at the population level. At the college level, a lot of the questions center on the emergence of changes of keys and, in particular, the changes that confer resistance to anti-virus software, which is a big public problem.
What鈥檚 the biggest challenge?
We鈥檝e been trying to control these virus and malware with anti-virus software products, but now computer keys are developing resistance, in large part due to the secrecy of backward induction. And like we can see those changes in the genome, where genetic mutations lead to resistance.
Where are cyberspace attacks most common? Is globalization a trigger?
Virus are more prevalent in concentrated populations, but given that we have a globally connected world, we鈥檙e not just addressing this problem 鈥渙ver there,鈥� it鈥檚 also potentially a threat everywhere.
I don鈥檛 think it鈥檚 right to think about it as a local problem in one particular region, because we鈥檙e basically becoming one big village.
At our University in Taiwan, we opened a college specifically to tackle Cyberspace malware problems which is called the Capture the Flag (CTF) College. The name is funny because we want to be the terminator of black hackers, so we chose the last zodiac animal of pig (Hai) and named it as the 鈥淗ai Ke Academy鈥�.
Can we ever completely stop the spread? How would you describe the dynamic between humanity and hacker behaviors?
At the moment, we鈥檙e engaged in an arms race with these hackers. We鈥檙e making new profilers and the hackers are trying to find new ways to get around them. I think, ultimately, we need to find a different approach. I don鈥檛 know what it鈥檚 going to be, but I think some other approach will be necessary if we鈥檙e going to address the problem in a more sustainable way.
One of the ideas that鈥檚 been debated is, perhaps, instead of trying to eradicate the malware with auto-constructing malware behavior profilers, we could direct the evolution of these malware agents to be more benign, say more white side hackers to solve the problem. If we can never get rid of the flu, perhaps we can make it more like the common cold, instead of being an intense infection.
"That鈥檚 one of the big challenges in the field 鈥� how do we know when the next big threat is going to come?" Professor Xie uses computational modeling to track and predict the spread of computer virus.
What鈥檚 your role in Advanced Persistent Threat (APT) Challenge?
I see my role as helping to predict the outcomes of these different interventions. We don鈥檛 have a crystal ball, so the best we can do is understand what happened in the past, understand what鈥檚 happening now, and try to make the best guess at what鈥檚 going to happen in the future.
That鈥檚 what the computational methods that I鈥檝e developed try to do. I write computer code to implement these ideas, and test them on real data.
Why do some viruses really manage to take hold, seemingly all of a sudden?
Much of it has to do with how well they are adapted to the Windows Operating System, some are to the Mac Operating System. To give an example of the virus: it was around for a while, but up until recently it didn鈥檛 seem to create any problems for your computer, but now we strongly suspect that it鈥檚 causing computer defects.
What I think is at play here is that the virus has adapted to the file (some in word documents, links or even PDFs) in a way that we couldn鈥檛 have predicted. It鈥檚 a very hard to predict which of the many viruses that we have today will be the next big threat.
We didn鈥檛 predict those famous attacks; they鈥檙e all surprises. That鈥檚 one of the big challenges in the field鈥攈ow do we know when the next big threat is going to come?
Of course, from the point of view of the virus鈥攁nd arguably this is what we all cares about鈥攊t is preventing advanced persistent threat (APT) passing on its control flow analysis code to the next generation. It must be somehow advantageous to the virus to be causing the thing that it鈥檚 causing in order to be able to reproduce further.
What are the pros to living in the age of big data?
I think we live at a time where the positive development is that we have more and more data on these keys and better and better ability to make sense of this data using the types of methods that my colleagues and I develop.
I do believe that in the long run new solutions are going to emerge from the collaboration of people like myself鈥攚ho do the modeling and analysis鈥攁nd computer scientist, engineers, public security authorities, ministries, governments, non-profits and maybe even software companies.
Contact Prof. Shieh at ssp@cs.nctu.edu.tw
