  • ADVERTISEMENT FEATURE Advertiser retains sole responsibility for the content of this article

Vigilance still critical in highly encrypted networks

Japan’s Science Information NETwork (SINET) offers a highly secure chain of links among more than 1,000 universities and research institutes. Credit: Yuichiro Chino/Getty

Despite vastly improved data and network security, universities remain attractive targets for cyber-criminals and are subject to ever more sophisticated cyber-attacks. An artificial intelligence (AI) driven security framework operating on a high-security, high-bandwidth research network among hundreds of universities across Japan shows how it is possible to detect and mitigate attacks before they become crises.

Keeping universities safe from cyber-attacks is a daunting task. The systems needed to robustly protect sensitive data about thousands of staff and students, as well as highly confidential research data, require significant investments in time and financial resources. To address this, Japan’s National Institute of Informatics (NII) in Tokyo has established cutting-edge information infrastructure in the form of the Science Information NETwork (SINET) — a free, highly secure link among more than 1,000 universities and research institutes that in its latest ‘SINET6’ iteration provides data transfer speeds of up to 400 gigabits per second.

Secure research collaboration

SINET was established in 1992 by NII with funding from the Japanese government to encourage the sharing of scientific information and to build thriving collaborative communities among researchers. SINET6, which became fully operational in 2022, is a high-speed, high-security network that provides a vital service for data-heavy fields such as life sciences and global climate modelling to enable sharing and distributed analysis of large datasets. The network is now regularly used for genetics, medical imaging and even analysis of particle physics collision data from the accelerators at CERN in Switzerland.

Unfortunately, such data sharing also attracts the attention of bad actors intent on stealing or corrupting important data or capturing personal data and identity information. Hiroki Takakura, director of the NII’s Center for Strategic Cyber Resilience Research and Development, is at the forefront of efforts to make Japanese academic and research institutions less vulnerable to cyber-attacks, and to build their ‘cyber-resilience’ so that research is not interrupted even if an attack occurs.

A core part of the NII’s role is in operating a security framework called NII Security Operation Collaboration Services (NII-SOCS), which analyses secure data communications among more than 100 national universities over SINET6 to detect high-risk cyber-attacks.

Encryption a double-edged sword

Somewhat ironically, one of the biggest challenges facing Takakura and his team comes from a feature that was designed to increase security — the encryption of data.

“Before encryption became the norm, we could easily identify the server that data had come from and reveal details about it,” says Takakura. “Today, however, more than 80% of data packets are encrypted, including those involved in most cyber-attacks, so we cannot ‘see’ the contents of any of the packets to check them.”

Takakura explains that the progressive enhancement of security like the secure ‘HTTPS’ protocol of most websites has resulted in the widespread adoption of encryption, which accelerated during the working-from-home boom of the COVID-19 pandemic.

However, decrypting every data packet to monitor for attacks would be unethical as well as extremely computationally intensive, so Takakura’s team set out to develop a method to spot attacks without relying on decryption.

“We can’t distinguish attacks from normal communications just by looking at them,” says Takakura, “but when we look at long-term traffic over one or two days, we find that the traffic patterns in cyber-attacks are slightly different from those in the traffic produced by human beings or by research machines such as telescopes.”

The critical role of artificial intelligence

Using artificial intelligence, NII researchers can analyse the statistics of data traffic to spot suspicious activity even in highly encrypted networks. Credit: Andriy Onufriyenko/Getty

The approach developed by the NII team uses machine learning models to analyse the statistics of data traffic and so spot unusual variances in parameters such as the average duration of data transfer sessions and the sizes of transmitted data packets. This allows the huge amount of encrypted traffic to be narrowed down to a small number of suspicious packets that can then be investigated in detail.
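As a sketch of the idea of screening on traffic statistics rather than decrypted content, the following added example (not code from NII or NEC, and not their model) scores hosts by mean session duration and mean packet size and flags outliers. It substitutes a robust z-score based on the median and median absolute deviation for the machine learning models the article mentions; the host names, flow values and the 3.5 threshold are constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, median

# Constructed flow metadata only (no payloads are inspected):
# (source host, session duration in seconds, bytes sent, packets sent)
FLOWS = []
for i in range(1, 7):                      # six ordinary workstations, ws1..ws6
    for j in range(4):
        dur = 40 + 7 * i + 11 * j          # 47 to 115 second sessions
        pkts = 100 + 10 * j
        FLOWS.append((f"ws{i}", float(dur), pkts * (900 + 25 * i + 15 * j), pkts))
# One constructed host with very short sessions made of small packets.
FLOWS += [("ws7", 2.0, 20 * 120, 20)] * 4


def host_features(flows):
    """Aggregate a long window of flows into per-host statistics:
    (mean session duration, mean packet size)."""
    per_host = defaultdict(list)
    for host, dur, nbytes, pkts in flows:
        per_host[host].append((dur, nbytes / pkts))
    return {h: (mean(d for d, _ in v), mean(s for _, s in v))
            for h, v in per_host.items()}


def robust_z(values):
    """Modified z-score: median and MAD resist distortion by the outliers
    being searched for, unlike mean and standard deviation."""
    med = median(values)
    mad = median(abs(v - med) for v in values) or 1e-9  # avoid divide-by-zero
    return [0.6745 * (v - med) / mad for v in values]


def suspicious_hosts(flows, threshold=3.5):
    """Return hosts whose duration or packet-size statistic deviates strongly
    from the population, as a short list for human review."""
    feats = host_features(flows)
    hosts = sorted(feats)
    flagged = set()
    for idx in range(2):                   # 0 = duration, 1 = packet size
        scores = robust_z([feats[h][idx] for h in hosts])
        flagged |= {h for h, z in zip(hosts, scores) if abs(z) > threshold}
    return sorted(flagged)


if __name__ == "__main__":
    print(suspicious_hosts(FLOWS))
```
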

In their most recent study¹, Takakura’s team in collaboration with researchers from NEC used a desktop computer to analyse 17 million transmitted data packets. This analysis identified 194 suspicious encrypted packets for further analysis, which human experts subsequently confirmed to include 49 severe threats. The team plans to expand this approach on to large computing clusters that would be capable of screening right across large-bandwidth networks like SINET6.

Given these successes, it is not surprising that the NII’s research has caught the eye of those who would like to bring cyber-attackers to justice.

“We collaborate with various public agencies, including the police department and the Japanese government’s National Center of Incident Readiness and Strategy for Cybersecurity,” says Takakura. “They are very interested in our research, and we exchange knowledge and experience.” Several private companies have also expressed interest in using NII’s methods for data security.

Resilience a necessity

As well as detecting and preventing attacks, Takakura’s team hopes to develop new methods to mitigate the impact of cyber-attacks that breach the latest defensive technologies.

“Achieving complete prevention of all attacks is an ideal scenario, but it is not practical. If an attack gets through, and researchers have to stop all their activities to deal with it, then the attacker has fulfilled their objective,” Takakura says. “Two years ago, our centre was just called the Cybersecurity Center, but now we include the word ‘Resilience’ in the name to show that we want to reduce this impact. The basic concept is similar to a military campaign — we might be damaged, but our operations must continue.”

The team’s newest project addresses a problem that has become of great concern in Japan.

“In recent years, many hospitals in Japan have been affected by cyber-attacks, and had to stop their medical operations to deal with them,” says Takakura. “Some hospitals had to work without information systems for three months. We hope we can help hospitals to avoid such life-threatening situations.”

Cyber-attacks such as these can become big news stories. Takakura points to a case where an attack on a university happened on the weekend, but it was widely reported in the media before the relevant staff returned to work to deal with it. Systems should be sufficiently resilient that such a situation would never arise.

“In the future, every university should be able to identify, analyse and contain cyber-attacks and minimize any damage quickly, before it becomes a news story,” Takakura says. “But before that, our systems will help identify and prioritise high-risk attacks before they can cause significant damage.”

For more information visit the Center for Strategic Cyber Resilience Research and Development.

References

  1. Hiruta, S. et al. (2023). IEEE 47th Annual Computers, Software, and Applications Conference (COMPSAC), 1127. doi:10.1109/COMPSAC57700.2023.00170
