Huawei Artificial Intelligence for Cyber-Security Research Team

About us

An applied research team leveraging AI/ML techniques for threat detection

The Huawei Artificial Intelligence for Cyber-Security (AI4Sec) Research Team is responsible for researching and delivering the AI-based next-generation threat detection capabilities required by Huawei’s core security technologies. Our current projects focus on the detection of sophisticated threats via graph analysis, clustering of user behaviors for anomaly detection, ML-based malware analysis and detection, and automatic cyber-threat intelligence extraction.

News
  • [05/2021] 1st Huawei Innovation Workshop on Artificial Intelligence for Cyber-Security

    We are pleased to announce the "1st Huawei Innovation Workshop on Artificial Intelligence for Cyber-Security". The workshop will take place (virtually) on 23rd July 2021 (9AM-5PM CEST) and is jointly organized by the Huawei AI4Sec Research Team (Munich Research Center) and Huawei Datacom. More information is available at https://ai4sec.net/IW2021.


  • [06/2021] We have three new openings!

    Read more at Careers.
Research Areas
Malware Analysis and Detection with Machine Learning

With statistics showing an average of 350,000 new malicious programs (malware) released in the wild every day, it is important to provide organizations with efficient and advanced techniques to analyse and detect the various strains of malware.

Within this line of research, we are currently focusing on using machine learning to detect and thwart malware anti-analysis techniques, and on applying neural networks to malware traces for efficient malware classification. We are also exploring techniques for efficient signature generation and behavioral pattern extraction for malware attribution. This work continues our existing research in static and dynamic malware detection and malware family classification, extending our analysis to more sophisticated and zero-day malware.
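As a minimal illustration of trace-based classification (not our production pipeline), the sketch below assigns a hypothetical API-call trace to the nearest malware-family centroid in bag-of-API-calls space. The traces, API names and family labels are invented for the example:

```python
from collections import Counter

# Hypothetical labeled API-call traces per malware family (invented data).
TRACES = {
    "ransom": [["CreateFile", "WriteFile", "CryptEncrypt", "DeleteFile"],
               ["FindFirstFile", "CryptEncrypt", "WriteFile"]],
    "spyware": [["GetAsyncKeyState", "InternetOpen", "HttpSendRequest"],
                ["GetAsyncKeyState", "CreateFile", "InternetOpen"]],
}

# Vocabulary of all observed API calls, in a fixed order.
VOCAB = sorted({call for traces in TRACES.values() for t in traces for call in t})

def vectorize(trace):
    """Bag-of-API-calls feature vector."""
    counts = Counter(trace)
    return [counts[call] for call in VOCAB]

# One centroid (mean feature vector) per family.
CENTROIDS = {
    family: [sum(col) / len(traces) for col in zip(*map(vectorize, traces))]
    for family, traces in TRACES.items()
}

def classify(trace):
    """Nearest-centroid classification by squared Euclidean distance."""
    v = vectorize(trace)
    return min(CENTROIDS,
               key=lambda f: sum((a - b) ** 2 for a, b in zip(v, CENTROIDS[f])))

label = classify(["CryptEncrypt", "WriteFile", "DeleteFile"])  # -> "ransom"
```

A real system learns from dynamic-analysis traces at scale and uses far richer models; the nearest-centroid step only illustrates the trace-vectorize-classify loop.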
Peer Group Analysis

Traditional Network Behavior Anomaly Detection (NBAD) systems model a network's normal behavior via a per-host or a per-network approach. The per-host model provides high recall; however, it typically suffers from noise and false alarms. On the other hand, the per-network model is more robust, at the expense of lower recall.

To address these issues, User and Entity Behavior Analytics (UEBA) solutions baseline the behaviors of users and entities across Time and Peer Group axes. A Peer Group makes alerts more informative and easier to investigate by providing additional contextual information. Since UEBA solutions generally employ unsupervised learning, where there is no labeled training data, understanding the context of anomalies is key to detecting them. In this research direction, we focus on using machine learning to create users’ Peer Groups from heterogeneous data sources and to design peer-based models for detecting security compromises, such as malicious insiders, that most traditional security tools fail to see.
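To make the Peer Group idea concrete, the sketch below greedily groups users by the similarity of their activity features. The user names, feature values and distance threshold are illustrative assumptions, not our actual model:

```python
import math

# Hypothetical per-user daily activity features:
# (logins, distinct hosts accessed, MB transferred) -- invented values.
USERS = {
    "alice":   (9.0, 3.0, 120.0),
    "bob":     (8.5, 2.0, 110.0),
    "carol":   (9.5, 4.0, 130.0),
    "mallory": (2.0, 40.0, 900.0),  # touches many hosts, moves a lot of data
}

def peer_groups(users, radius=50.0):
    """Greedy single-pass clustering: each user joins the first group whose
    representative (its first member) lies within `radius`; otherwise the
    user seeds a new group. Real peer grouping would use proper clustering."""
    groups = []
    for name, vec in users.items():
        for group in groups:
            if math.dist(users[group[0]], vec) <= radius:
                group.append(name)
                break
        else:
            groups.append([name])
    return groups

groups = peer_groups(USERS)  # mallory ends up alone: a peer-based anomaly lead
```

An alert on mallory can now carry context ("deviates from all peers"), which is exactly what makes peer-based alerts easier to investigate.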
Detection of Cryptocurrency Mining

At the end of 2017, the cryptocurrency market reached a market capitalization of over $600 billion. However, the potential financial gains are attracting not only investors but also malicious actors. Illicit cryptocurrency mining has become one of the prevalent methods for monetization of computer security incidents. In this attack, victims' computing resources are abused to mine cryptocurrency for the benefit of attackers.

To address this threat, we use machine learning to detect illicit cryptocurrency mining in network traffic. Our solution utilizes a novel feature extraction mechanism and is designed to be content-agnostic, resistant to obfuscation (e.g., encryption), and easy to adopt and integrate into any environment.
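As a content-agnostic toy example (our actual feature extraction mechanism is more elaborate), the sketch below flags flows whose packet timing and sizes are unusually uniform, a pattern typical of mining-pool share submissions. The threshold and metadata values are illustrative:

```python
import statistics

def flow_features(timestamps, sizes):
    """Features computed from packet metadata only -- no payload inspection,
    so the approach also works on encrypted traffic."""
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    return {
        "gap_cv": statistics.stdev(gaps) / statistics.mean(gaps),
        "size_cv": statistics.stdev(sizes) / statistics.mean(sizes),
    }

def looks_like_mining(feats, cv_threshold=0.2):
    # Mining pools exchange small, regularly timed share submissions, so both
    # inter-arrival times and packet sizes have an unusually low coefficient
    # of variation. The threshold here is purely illustrative.
    return feats["gap_cv"] < cv_threshold and feats["size_cv"] < cv_threshold

# Invented metadata: a regular, Stratum-like flow vs. bursty web browsing.
mining = flow_features([0.0, 10.0, 20.2, 30.1, 40.0], [210, 208, 212, 209, 211])
web = flow_features([0.0, 0.1, 5.0, 5.2, 30.0], [1500, 60, 900, 1500, 40])
```

Because only timestamps and sizes are used, the same features survive encryption and other payload obfuscation.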
GLAAD: Graph Learning-based Advanced Attack Detection System

Advanced attacks consist of unknown and partially untraceable actions across multiple network entities, which makes widely used single-point solutions conceptually incapable of reconstructing the complete attack story. Sophisticated attackers attempt to cover their tracks but unavoidably leave traces, which end up buried in the huge amounts of network traffic data and tens of millions of logs produced daily by organization-level IT networks. Despite considerable technological advancement and algorithmic maturation of combined rule-, statistics- and machine-learning-based threat detection systems, SOC analysts are still challenged by overwhelming numbers of false positives and the lack of an overall system that uncovers hidden traces and reconstructs the complete, individual attack story with high precision and recall.

We are building GLAAD: A system capable of detecting novel and advanced attacks targeting large-scale heterogeneous networks or entities therein in near-to-real time. The system is designed to detect unknown threats and reconstruct attacks that are performed by Advanced Persistent Threats (APTs) or other sophisticated threat actors using zero-day exploits, novel malware, and stealthy procedures.

Based on dynamic heterogeneous graph representation learning of the network, GLAAD incorporates a plurality of components that monitor, learn and analyze the behavior of entities and whole parts of the network at various scales. The complete attack story, which potentially includes multiple steps such as initial compromise, reconnaissance, command and control, lateral movement or data exfiltration, is reconstructed from various indicators ranging from statistical anomalies over machine learning-based predictions and suspicious events to known-to-be-malicious actions. Once released, the system will be integrated into Huawei HiSec Insight and other security products.
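A drastically simplified sketch of the story-reconstruction idea: flagged entities are connected over the entity graph, so intermediate nodes become candidate attack steps. The graph, entity names and flags below are invented; GLAAD's actual dynamic graph representation learning is far richer:

```python
from collections import defaultdict, deque

# Invented heterogeneous entity graph: nodes are typed entities, edges are
# observed interactions (logins, connections, DNS lookups, ...).
EDGES = [
    ("host:ws1", "user:alice"),           # interactive login
    ("host:ws1", "host:dc1"),             # candidate lateral movement
    ("host:dc1", "domain:evil.example"),  # candidate C2 beacon
]
FLAGGED = {"host:ws1", "domain:evil.example"}  # where anomaly detectors fired

adj = defaultdict(set)
for a, b in EDGES:
    adj[a].add(b)
    adj[b].add(a)

def connect(src, dst):
    """BFS shortest path between two flagged entities; intermediate nodes
    become candidate steps of the reconstructed attack story."""
    queue, seen = deque([[src]]), {src}
    while queue:
        path = queue.popleft()
        if path[-1] == dst:
            return path
        for nxt in adj[path[-1]] - seen:
            seen.add(nxt)
            queue.append(path + [nxt])
    return None

story = connect("host:ws1", "domain:evil.example")
```

Here the unflagged node host:dc1 surfaces as a likely lateral-movement step only because it links two independent indicators, which is the core benefit of reasoning over the graph rather than over isolated alerts.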
Comprehension of cybersecurity threat reports

Cybersecurity Threat Intelligence is a model of the cybersecurity threat landscape, comprising an ontology of entities and their interrelations. It represents an essential tool for defenders to become aware of relevant threats, timely and comprehensively.

The vast majority of CTI data is produced by well-known vendors using automated sensors. Nevertheless, the tiny fraction that is manually authored by security experts and published as threat reports tends to be comparatively much more informative, and thus more valuable. This is because threat reports usually describe the latest and most relevant threats and situate these threats within a wider context. Furthermore, unlike automated CTI feeds, threat reports present more than just operational data, i.e., indicators of compromise (IOCs) such as IP addresses, domain names and file hashes. They also present tactical and strategic data in the form of Tactics (why?), Techniques (what?) and Procedures (how?) (TTPs), giving the defender a high-level perspective on ongoing and emerging threats.

The main hurdle to using threat reports as CTI sources today is that, unlike their automated counterparts, they are not machine-readable. The content of threat reports, i.e., natural text, tables and images, does not lend itself to simple automated extraction approaches.

Our vision of automated CTI extraction from threat reports is an artificial system strongly adapted to cooperate seamlessly with humans: it understands reports written by human security experts, produces output comprehensible to human threat analysts (and, of course, machines), and in the process learns from the feedback of its human operators. To this end, we combine our cross-domain expertise in cybersecurity, natural language processing (NLP) and machine learning. The outcome is an improved security posture for our customers, and a steady stream of hard problems that our research and development team takes joy in solving every day.
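As a first, deliberately simple building block of such extraction (covering only the operational IOC part, not TTPs), the sketch below pulls common IOC types out of an invented report snippet with regular expressions; real reports require NLP well beyond this:

```python
import re

# Invented report snippet; the hash is the SHA-256 of the empty string.
REPORT = """The dropper beacons to update.badcdn.example (203.0.113.7)
and drops a payload with SHA-256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855."""

IOC_PATTERNS = {
    "ipv4": r"\b(?:\d{1,3}\.){3}\d{1,3}\b",
    "sha256": r"\b[a-fA-F0-9]{64}\b",
    "domain": r"\b(?:[a-z0-9-]+\.)+(?:example|com|net|org)\b",  # toy TLD list
}

def extract_iocs(text):
    """Map each IOC type to the list of matches found in the text."""
    return {kind: re.findall(pattern, text)
            for kind, pattern in IOC_PATTERNS.items()}

iocs = extract_iocs(REPORT)
```

Regexes stop working the moment an indicator is "defanged" (e.g. hxxp, [.]) or context matters, which is precisely where ML-based language understanding takes over.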
NERRS: Network Entity Risk Ranking System

In enterprise- and organization-level IT networks, a continuously increasing number of security-related alerts is triggered daily by detection modules implemented at various levels of the security system, which use network traffic, host and application logs, and events from security appliances as input. In order not to miss real incidents (true positives), alert-raising detection modules must be tuned conservatively: alerts must be raised even when there is a low level of certainty that an actual security threat has been detected. The consequence is the common problem of high false positive rates, which makes manual inspection of security alerts increasingly challenging.

The goal of the NERRS project is to help operators prioritize network entities and alerts to investigate by assigning continuously updated risk scores and ranks to network entities based on all logs, events and alerts generated by the underlying network and security components. Entities with a higher risk score indicate a higher security threat.

NERRS learns baseline behaviors and computes multi-dimensional anomaly tensors representing behavioral deviations. Via unsupervised ML-based peer group clustering, the system accounts for activities of related entities in the network. If a host acts strangely not only relative to its history but also compared to its peers on a specific day, it will be assigned a higher anomaly score. Moreover, NERRS learns group behavior and how much each entity “normally” deviates from other group members’ activities in order to detect behavioral outliers more accurately.
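The combination of self-baseline and peer-baseline deviation can be sketched as follows; the weights, the feature (daily MB transferred) and the numbers are illustrative assumptions, not NERRS's actual anomaly tensors:

```python
import statistics

def zscore(value, sample):
    """Absolute deviation of `value` from the sample mean, in standard
    deviations (guarding against a zero-variance sample)."""
    sd = statistics.pstdev(sample) or 1.0
    return abs(value - statistics.mean(sample)) / sd

def risk_score(today, own_history, peers_today, w_self=0.5, w_peer=0.5):
    """Blend deviation from the entity's own baseline with deviation from
    its peer group's activity today. Weights are illustrative, not tuned."""
    return w_self * zscore(today, own_history) + w_peer * zscore(today, peers_today)

# A host transfers 900 MB today vs. ~100 MB historically and across its peers:
# anomalous on both axes, so it rises to the top of the ranking.
score = risk_score(900, own_history=[100, 110, 95, 105], peers_today=[98, 120, 101])
```

Requiring both axes to agree is what suppresses benign cases: a backup server that always moves 900 MB is normal against its own history, and a patch day that inflates every peer's traffic is normal against the group.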
Collaborations

Collaboration with the Chair of Network Architectures and Services from the Department of Informatics at Technical University of Munich (TUM)

Mass Entity Modelling based on TLS-Encrypted Traffic Analysis

Within the scope of the Joint Lab, which is a collaboration framework established by the Munich Research Center of Huawei and the Technical University of Munich (TUM), AI4Sec is collaborating closely with the Chair of Network Architectures and Services (NET) from the Department of Informatics (IN) at TUM on the topic of Mass Entity Modelling based on TLS-Encrypted Traffic Analysis. The objective of the project is to design and develop a framework capable of actively, efficiently and autonomously scanning the Internet in various ways, analyzing the resulting TLS fingerprints and extracting information that allows the system to draw security-relevant conclusions about the scanned entities.
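As a rough illustration of TLS fingerprinting (in the spirit of the well-known JA3 method, not the project's actual framework), the sketch below hashes the joined ClientHello parameters into a compact fingerprint that can be compared across scanned entities; all field values are invented:

```python
import hashlib

def ja3_style_fingerprint(version, ciphers, extensions, curves, point_formats):
    """JA3-style fingerprint: MD5 over the comma-separated ClientHello fields,
    with each list of numeric codes dash-joined. The values passed below are
    invented examples, not captured from a real handshake."""
    fields = [
        str(version),
        "-".join(map(str, ciphers)),
        "-".join(map(str, extensions)),
        "-".join(map(str, curves)),
        "-".join(map(str, point_formats)),
    ]
    return hashlib.md5(",".join(fields).encode()).hexdigest()

fp = ja3_style_fingerprint(771, [4865, 4866], [0, 11, 10], [29, 23], [0])
```

Because the same TLS stack produces the same fingerprint, clustering such hashes over Internet-wide scans lets one group entities by implementation and flag unusual ones.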

Project team
Lead: Prof. Dr.-Ing. Georg Carle (NET IN TUM), Tan Jing (Huawei AI4Sec)
Staff: NET IN TUM: Patrick Sattler, Markus Sosnowski, Johannes Zirngibl

Huawei AI4Sec: Claas Grohnfeldt, Michele Russo, Daniele Sgandurra, Nedim Šrndic

Open positions
  • We are looking for a Cyber-Security Researcher in Binary Analysis. This is a full-time, permanent position. As a member of the AI4Sec Research Team, you will perform applied research aimed at developing novel methods for analyzing malware binaries and extracting control-flow graphs and behavioral signatures, including in the presence of packed or evasive malware. More information and the application are available here.


  • We are looking for a Cyber-Security Researcher in Malware Analysis and Detection. This is a full-time, permanent position. As a member of the AI4Sec Research Team, you will perform applied research on analyzing advanced malware and developing novel methods for its detection and mitigation. More information and the application are available here.


  • We are looking for an enthusiastic and motivated Intern in NLP for Threat Intelligence. This is a full-time position for 6 months. Ideally, you already have in-depth knowledge of programming with NLP, ML or knowledge-graph libraries. Under the supervision of our internal scientists, you will support our research focused on mining and comprehension of Cyber Threat Intelligence (CTI). More information and the application are available here.


  • [CLOSED] We are looking for an enthusiastic and motivated Intern in Malware Analysis and Detection. This is a full-time position for 6 months. Ideally, you already have first hands-on experience and knowledge in cybersecurity and machine learning (ML). In collaboration with AI4Sec team members, you will support our research focused on improving ML-based dynamic analysis of known and unknown malware.


  • Various Positions

    We regularly advertise positions in our team; we therefore suggest that interested candidates check this page regularly for future opportunities. We are particularly interested in talented PhD candidates and interns. In both cases, ideal candidates should have a background in, or be strongly interested in, malware analysis, network/computer security, and threat intelligence. Candidates should also have a strong interest in machine learning and be passionate about performing research in real environments. To inquire about the availability of PhD positions, please send us (see Contact below):

    • (i) your updated CV (including transcripts of all exams and a link to your MSc thesis);
    • (ii) a 1-page research statement (preferably on the research topics of AI4Sec); and
    • (iii) two contacts who could act as references.

    Candidates for internships must be enrolled in an MSc or PhD program in Computer Science (or a related field) and are expected to write their thesis on a Cyber Security topic. Ideal candidates for internships should also have a good publication history and be willing to develop and evaluate prototypes in real-world environments.
Huawei's Munich Research Center

The AI4Sec Research Team is located within Huawei's Munich Research Center, which is responsible for advanced technology research, architectural development, design and strategic engineering of Huawei's products. Career opportunities at the Munich Research Center are available at this page.


Team

Daniele Sgandurra, Tan Jing, Claas Grohnfeldt, Adrian Chirita, Nedim Šrndić, Michele Russo, Tu Nguyen, Mohammad Zeeshan


Interns

Marco Brotto

Contact

daniele DOT sgandurra AT huawei DOT com
susan DOT tan AT huawei DOT com