Chautaari: Tell us about Cybersecurity.
Dhilung: Cybersecurity is basically the art and science of attack and defense in the cyber world. To build a secure system, one must first thoroughly understand the possible attacks. So it involves a lot of getting-into-the-attacker’s-mindset exercises. The interesting challenge is that the same technology that we plan to use for our defenses can be used by the bad guys to craft, automate, and scale their attacks.
A more academic term for cybersecurity is “computer security” and the research in this area revolves around exploring the attack and defense scenarios. These scenarios range from attacks on individual PCs and mobile phones to enterprise and military networks, social networks, user and data privacy, cryptocurrency, variety of hardware devices including transportation and medical life-supporting devices. There are mainly two areas of focus in security research typically known as “theory” and “system”. The first one works on the mathematical foundations of computer security, while the second one focuses on developing innovative security systems and methods.
As the computer technology gets more tightly integrated into the inner workings of the society, the impact of the attacks become amplified. Attacks may include visible disruptions of service or invisible algorithmic deceptions that indirectly manipulate social views, for example by automated astroturfing. The problem of mass surveillance is real. The possibility of mounting these attacks from any part of the connected world makes the problem even more challenging, while making it lucrative to adversarial state actors.
C: There is a lot of hype around Cybersecurity. How is that going to be translated into academia and research ?
D: I think the hype around Cybersecurity is mainly due to the recent revelation of state run mass surveillance, high profile data breaches, state sponsored sophisticated malware attacks, and compromised social and political communications. These are the things the security community had predicted and warned us for a long time. However, the increased media coverage has definitely helped increase cybersecurity awareness in the general public.
Advanced attacks are possible because of our increasing dependence on technology. For example, attacks such as ransomware would not have worked otherwise. In the recent years, we have seen a rapid rise in organized cybercrime creating a large underground economy. And as a result, we encounter hundreds of thousands of new malware samples daily, massive botnets and malware campaigns, sophisticated targeted attacks and APT attacks, industrial espionage, and even fake news-as-a-service offerings. Increasing adoption of wearables and IOT devices, smart home technology and autonomous cars creates new security challenges. Yet another recently emerging threat relates to the algorithms, machine learning, and artificial intelligence that today’s technology is highly depended on. It is not the sci fi scenario where computers suddenly become self aware, but a rather realistic threat known as “adversarial machine learning” where an adversary remotely learns about the internal machine learning model and tweaks it to their desired form or finds blind spots in the model and weaponizes them.
The security research community is rapidly growing along with the ever expanding threat landscape. At the same time, there is an increased interest from the funding agencies providing ample resources to perform cutting-edge research in this area. The recent DARPA Cyber Grand Challenge with nearly $4 million in prizes is a good example. This competition challenged researchers to develop fully automated system that can find flaws in unknown software, fix its own copy, and develop exploits based on this flaw to attack other competing systems. Our hacking team Shellphish, mainly composed of UCSB students, was able to score the third place. The message here is that the cybersecurity research can be both fun as well as rewarding.
C: Tell us about your cybersecurity journey:
D: I was a biology major and the only reason I was interested in computer was because I liked playing games and wanted to develop my own. Gradually, I started to see computer as a very powerful tool but at the same time a very dumb one. Dumb in a sense that if you tell it to delete itself, it would happily do it. This vulnerable aspect intrigued me. I remember spending countless hours poking around the operating system internals and trying to understand exactly how they work. I think I got seriously into computer security after I first learned to write rootkits. Rootkit is an advance offensive technique that alters the core operating system and makes certain resources, such as files, invisible to the normal programs. Later, I was fortunate enough to explore my interest in computer security through Fulbright Science & Technology PhD program.
During my PhD, I was interested in a particular type of “smart” malware. Usually, when we analyze malware samples, we run them in a sandbox, which is an isolated environment, and try to observe their behavior. Interestingly, these “smart” malware, also known as evasive malware, would detect that they are being analyzed and would stop showing their malicious behavior. It is like a disease that would suppress its symptoms when it detects that its victim is in a hospital. I researched different novel techniques of evasive malware analysis and performed in-depth study of evasive techniques used by malware, which became the main body of my dissertation.
C: Tell us about a time you had serious doubts about your own ability in this field and how you overcame that.
D: There is an interesting PhD Comics episode about grad student’s motivation level, which I can relate to. It starts with a high level of blissful optimism, and at some time it hits the lows when you realize you’ve been here for many years. PhD is a marathon where one mostly walks alone. There were many days when I’d be returning from a long day of work (lab) and the sun would be just starting to rise. Managing expectations of myself was a challenge. However, having very supportive supervisors, socially vibrant lab culture at UCSB Seclab, and family like housemates made my years much easier. Having an always sunny beach within 5 minutes walk from the lab that I frequented also helped a lot.
C: Tell us about your experience coming up with an innovative idea and realizing it as a product.
D: One of the recent research projects that I am proud of is the “Watson for Cybersecurity” project at IBM Research. This is a project where we bring cognitive capability (artificial intelligence), into the cybersecurity threat investigation. We first built a large security knowledge graph, which is a repository of security knowledge extracted from various sources including content available only in the natural language form such as threat reports. We then developed algorithms to perform cognitive exploration of knowledge graph for autonomous investigation of the cybersecurity threats. I got the chance to work on the project from the very early conceptual phase to the final product release. Along the way I was able to make major contributions to the different aspects of the project including the algorithms and the knowledge graph architecture.
C: If you were in admission committee, what qualities would you look into a prospective graduate candidate?
D: Their background knowledge and experience in the topic is obviously the first thing I would consider. Second factor I’d look for is a story of perseverance. Roadblocks are inevitable in grad school and persistence is the key to overcome them. The third factor would be their intellectual curiosity or their willingness to learn.
C: What is the difference between pursuing Masters vs. Phd in cybersecurity?
D: Typically, a Masters student works on a smaller subset of a bigger problem and usually the intent is to be better prepared for the job market. PhD is about embracing the bigger problem, research it for years and distill down a unique solution that nobody has found before.
C: How can undergraduate students and the students who are in gap year prepare themselves for pursuing graduate studies in cyber security?
D: There is a large amount of content in the Internet to familiarize yourself into the area. I recommend playing CTF competitions and reading write ups about the individual challenges. I think it is the most fun way of getting a hands-on experience in cybersecurity. One good resources for finding more CTFs is ctftime.org.
C: Can you list 5 universities you recommend exploring.
D: Seclab at UCSB
CyLab at CMU
C: Can you recommend 3 resources for people looking to get into your field (these can be job portals, networking groups, listservs, magazines, colleges — anything)?
D: Get your hands dirty: Checkout the CTF calendar , sign up for some of them and have fun! You can start with picoCTF. Checkout past writeups (solutions). Checkout recent publications from the top security conferences. One can usually find the full paper via Google Scholar by searching the title of the paper. Hangout at Hacker News.
C: What is the best career advice you have ever received?
D: While I was getting comfortable with a Software Engineering job and was simply thinking of a Masters, my cousin encouraged me to challenge myself and apply for the Fulbright PhD program. I believe that the advice was the best career advice I have ever received.
C: The career advice you wished you received in your twenties.
D: This is going to be a technical one — pick up some scripting language (e.g., python, bash), master it early on, and use it as much as possible. You will buy so much time back over the long run by quickly solving problems and automating many of your everyday tasks.
C: Opportunities and responsibilities of merging your identities as a technology worker, Nepali national and a global citizen?
D: I grew up in a remote village without roads and electricity, spent many summer months ploughing rice fields before finishing my high school, and started learning computer basics only at the age of 17. My current research in Cognitive Cybersecurity to fight against global cyber criminals seems so detached from my upbringing. However, the basic principles and values I learned from my parents and teachers during my formative years have been the key forces to push me this far. I have a big responsibility to give back and I am constantly looking at opportunities to utilize my area of specialization to do so. Unfortunately, it has been a challenge. Recently, I got an opportunity to provide mentorship for the “Medical Drone” project, an initiative by Mahabir Pun which aims to provide urgent medical supply using autonomous drones to remote areas of Nepal, such as the one where I grew up. The team is composed of many young technology students and I hope this initiative will also help cultivate a “research culture” in Nepal among the young generation.
Dhilung Kirat is a Research Scientist at IBM Research working with the Cognitive Cybersecurity Intelligence group. His research revolves around areas of computer security, in particular malware analysis and security analytics.
Dhilung received his PhD in Computer Science from University of California, Santa Barbara, advised by Professors Giovanni Vigna and Christopher Kruegel. He was a recipient of Fulbright Science and Technology PhD Scholarship. He has helped organize international hacking competition iCTF for multiple years and participated in others as a member of the Shellphish hacker group.
Dhilung is from Bhojpur, Nepal, where he finished his SLC from Arun Ma. Vi., Dingla. He completed his +2 from Birat Science Campus, Biratnagar, and BE in Computer Engineering from IOE Pulchowk Campus, Kathmandu.
He is also passionate about landscape photography and usually travels carrying several kilos of his gears sometimes encroaching his wife’s luggage space. His photographs have been published by BBC, World Wildlife, UN Environment, and others.
Dhilung was recently featured as an exemplary millennial IBM scientist revolutionizing cyber security operations from idea to product.