The researcher who wants to detect cyberattacks in time
Researchers in cybersecurity
Most organisations have a complex IT environment, one that can also be vulnerable to attack. But testing an environment in the real world is both resource-intensive and expensive. Mathias Ekstedt, professor at the Department of Network and Systems Engineering at KTH Royal Institute of Technology, has devoted his research to building environments, known as digital twins, where attack simulations are performed.
"By modelling system configurations, we can then generate possible attack paths. We can also do analyses that identify the easy ways to get into the system environment," he says.
Closing vulnerabilities and protecting against cyberattacks is high on the agenda for both businesses and governments. There are many ways to carry out a cyberattack, and it is very difficult to map all the attack methods that exist and to know how they can be realised in a specific system environment. One way to get a better overview is to build a digital twin, which is a model of reality, and to carry out the analysis in the twin rather than in the real environment. Thanks to the digital twin that Mathias Ekstedt has built, he can also learn more about the existing attack paths.
"We can create digital attackers and let them attack the digital twin and study the emerging patterns, which we can look for in the logs available in the real system environment. And you can do the reverse, studying logs from attacks in one environment and translating these into twin attackers and then learning good defence strategies."
Practising different attack scenarios
A project is currently underway at KTH's Centre for Cyber Defence and Information Security (CDIS) together with the Swedish Defence Research Agency (FOI), which will involve exercises on various attack scenarios.
"FOI has a training environment where you can set up real environments and carry out attacks. Typically, it is used to train cybersecurity personnel to identify and defend against FOI attackers. Now, we will do the same, but let an AI provide the defence. This AI agent will first be trained in our digital twin over the system environment implemented in FOI's lab," says Mathias Ekstedt.
An important goal of the research study is to build a simulation infrastructure that can be used to train capabilities.
"Having a digital twin that can simulate cyber attacks addresses a major problem in the security world, where the data behind the attacks that are carried out is typically not available. With the digital twin, we can produce an infinite amount of attacker data. For an AI defender to make good decisions, it needs to have seen a large number of attack scenarios, both common and uncommon. And many more than we hope anyone needs to be exposed to in real life. If it works, there is great potential to solve the challenges that exist in the world of cybersecurity," says Mathias Ekstedt.