Cybersecurity Research Institute TOP日本語

Research Team

The cybersecurity research is not just a field of computer science, but a comprehensive field that involves everything in the society from hardware to software, legal, and human factor. Cybersecurity Laboratory promotes R&D by building a team of researchers with diverse backgrounds, including AI technologies, network technologies, hardware technologies, psychology, and sociology, in addition to researchers specializing in cybersecurity. We also aim to become a global research center by establishing a wide range of cooperative research relationships with universities and private companies in Japan and overseas.

“Be Practical” is our top priority. To conduct practical R&D that follows changes in cyberattack trends, it is essential to have systems to collect actual cyberattack data continuously on a large scale. The Research Team works on R&D on many kinds of cyberattack observation technologies as well as automatic analysis and countermeasure technologies that utilize large-scale aggregated cyber-attack-related information. Moreover, to contribute to identifying security issues and countermeasures for newly emerging technologies in society, the research team is conducting R&D on security verification technology capable of dealing with emerging technologies, such as new communication devices, connected cars, and 5G/Beyond 5G networks. We also promote usable security research to address user security and privacy issues arising from human-computer interaction.


NICTER: Cyber attack observation and analysis system

Integrated system based on large-scale darknet monitoring, automatic malware analysis, and its correlation

Real-time visualization of cyber attacks with NICTER

NICTER (Network Incident Analysis Center for Tactical Emergency Response) is an integrated system for real-time observation and analysis of indiscriminate attacks* on the Internet. Since 2005, NICTER has collaborated with numerous organizations both in Japan and overseas to distribute sensors to monitor darknets in realtime. A darknet is a set of globally announced unused IP addresses. Because there is no computer connected to a darknet, communication (packets) should not actually arrive under the normal usage of the internet. However, in reality, many packets arrive in darknets: scan packets from a computer infected with malware searching for the next infection destination, spoofed packets bouncing back from a server to darknet (called backscatter), or internet-wide scan packets from those research organizations collecting data about internet-connected hosts and their open ports or services running etc. NICTER now operates a global darknet monitoring network of about 300,000 addresses.

By analyzing the data collected by NICTER, we can identify new malware outbreaks, attack activities targeting new vulnerabilities, the distribution of infected devices, attack trends, etc. In addition, NICTER automatically analyzes collected malware samples to identify attack patterns. By correlating the attack patterns with darknet data, NICTER identifies which malware is responsible for the observed attack activities. The results of NICTER observations and analysis are shared with the government and related organizations for their countermeasures, and some of the results are also made publicly available on the NICTERWEB.

* Attack activities that do not target specific organizations but indiscriminately spread to a large number of devices.


AI technology to generate valuable information from cybersecurity big data

Integration of security big data collected by NICT and AI technology

In recent years, the Internet has faced various cyber threats, including ransomware and the hijacking of IoT devices by botnets. To respond to these threats when there are not enough security experts, it is necessary to promote the automation of security operations in addition to training additional human resources. The Cybersecurity Laboratory contributes to the advancement of this automation by applying various types of artificial intelligence (AI) technologies centered on machine learning to collected security big data and converting the advanced know-how of security operators into systems. In the cybersecurity field, datasets (accumulated data) provide a competitive edge to research and development. Machine learning is technology that learns and analyzes large amounts of data, so it is important to collect large quantities of high-quality data for this purpose. In this respect, we have an advantage because we have data collected by using many systems, including NICTER.

We are studying how this accumulated data can be used for analysis and automation using machine learning. As one example of research themes, we are conducting an R&D project to develop a hybrid analysis platform technology that will automatically issue comprehensive security reports and significantly reduce the burden on operators. As an example of the benefits of this technology, it will allow us to automatically detect the occurrence of new malware activities, determine its identity, and collect, integrate, and post analysis of the behavior and coding of the malware, vulnerabilities exploited, and other detailed reports on the malware in real time. We also aim to realize an explainable system that enables humans to understand and trust the results of AI output and utilize them in security operations. Since AI technology and cybersecurity technology originally developed from different communities, effectively integrating the technologies of both domains is laborious and time-consuming. However, if we can achieve a broad fusion between the two, then it would lead to great advances in the automation of security.

STARDUST: Large-scale deceptive environment for luring APT adversaries

Large-scale analysis platform for observing targeted attacks on a parallel network that mimics a real organization

Conceptual diagram of the STARDUST system

In a targeted attack, the adversary uses computers infected with malware as stepping stones from which to seek to penetrate the target organization. Usually, detailed information on targeted attacks is not provided by the affected companies or organizations, making it difficult to understand the actual situation of targeted attacks and to derive appropriate countermeasures. The conventional approach, which involves simply analyzing the malware program, doesn’t provide a complete picture of the activities of the actual adversary, the person at the core of the attack. To overcome this issue, the Cybersecurity Laboratory pursues research and development on a large-scale analysis platform for observing targeted attacks on a parallel network that mimics a real organization, called STARDUST.

STARDUST automatically creates parallel-world networks that mimic in precise detail the ICT environment of an organization that acts as bait for an adversary. The malware used by a targeted attack is executed on a personal computer (PC) within the parallel-world network to establish an actual connection with the C2 server, thereby luring the adversary. To persuade the adversary to stay as long as possible, STARDUST is equipped with a function for simulating various activities: creating documents, using email, adding bookmarks to web browsers, and setting user information. This function gives the adversary the impression that the parallel-world network is in actual use. Additionally, using a “wormhole,” a connection is established with the C2 server via the real-world network of the organization targeted by the adversary. These actions convince the adversary that the attack was successful. Traces left behind by an adversary while searching the PCs of the parallel-world network can be acquired through communications within the PC or over the network. High stealth methods have been adopted for STARDUST to ensure that the adversary remains unaware that they are being watched. The acquired data can be referenced in realtime via the web interface. It's also possible to operate each PC on the basis of the acquired data while monitoring is underway.

CURE: Cybersecurity Universal REpository

Platform for gathering, analyzing, and connecting heterogeneous security big data

Visualization of relationship between open source intelligence and security alerts in an organization

To get a full picture of cyber attacks, it is necessary to aggregate a wide variety of cybersecurity-related information, including malicious traffic data, malware analysis results, and security reports published by external organizations, and analyze them from multiple perspectives. The Cybersecurity Laboratory works on R&D for a large-scale platform called CURE (Cybersecurity Universal REpository), which enables aggregation of heterogeneous security-related data and their correlation.

CURE reveals hidden mechanisms of cyber attacks through analysis in security big data and aims to create security intelligence that effectively contributes to security operations for organizations. CURE has an in-memory database to process vast amounts of information at high speed, and messaging between the various databases and CURE is implemented on the basis of the Pub/Sub (Publish/Subscribe) model. This architecture enables high performance and high scalability. CURE also has multiple information layers. The “Artifact Layer (Observation Layer)” is responsible for observational information related to cyberattacks, such as IP addresses, domain names, file hashes, and email addresses. The “Semantics Layer” relates cyberattack analysis information such as news and security blog articles to artifacts through natural language processing. The “Enricher” is a data enrichment mechanism that provides additional information to the data stored in the CURE. It enables us to analyze, for example, IP addresses that exhibit similar malicious behavior by detecting and automatically linking them together. For example, Enricher can be used to detect IP addresses with similar malicious behavior and automatically tie them together for analysis.

We will continue to aggregate security-related information in CURE, as well as research and develop analytical techniques that enable large-scale data linkage, cross-sectional analysis, and semantics.

WarpDrive: Web-based Attack Response with Practical and Deployable Research InitiatiVE

Countermeasures to web-based attacks based on a user participation approach

Widget screen of Tachikoma SA updated to the "Ghost in the Shell SAC_2045" series.
©Shirow Masamune, Production I.G / Kodansha, Ghost in the Shell 2045 Production Committee

A web-based attack such as a drive-by download attack, in which users are infected with malware by browsing malicious or compromised websites, is one of the major threats on the Web. Since Web-based attacks start with a user’s access to a malicious or compromised Web site and are only directed at users who visit the Web site, it is difficult to ascertain the actual situation through passive cyber attack monitoring methods such as darknet monitoring.

To address this issue, the Cybersecurity Laboratory promotes the WarpDrive (Web-based Attack Response with Practical and Deployable Research InitiatiVE) project to realize large-scale observation of web-based attacks with user participation. To increase the incentive for users to install our sensors, WarpDrive has teamed up with the “Ghost in the Shell SAC_2045” anime series and has developed a “Tachikoma Security Agent (Tachikoma SA)” for PCs and “Tachikoma Security Agent Mobile (Tachikoma Mobile)” for smart phones with web access observation, analysis, detection, warning, and blocking functions that can be applied to user environments. Users who install Tachikoma SA and Tachikoma Mobile can use dedicated widget screens and applications to reduce the risk of web-based attacks by blocking suspicious web access. Users’ web access information is aggregated and analyzed in a non-personally identifiable form to help detect new malicious websites.

5G/Beyond 5G security

Risk analysis and verification techniques for new network environments

5G network model and attack surfaces

With the growth in the commercial use of 5G (fifth generation mobile network), networks with the features of “high-speed and high-capacity,” “ultra-low latency,” and “massive device connectivity” are becoming popular. 5G networks are expected to connect a wide variety of devices and enable a range of services such as automated driving, telemedicine, smart agriculture, smart factories, and high-definition video production. However, the introduction of new technologies raises concerns about new security threats that have not been anticipated in previous environments.

The Cybersecurity Laboratory was commissioned by the Ministry of Internal Affairs and Communications (MIC) to conduct “Research and Study for Securing Security in 5G Networks” in 2020, jointly with KDDI, NTT DoCoMo, NEC, and others, to build a test bed for security verification of 5G networks. The 5G security team has developed a 5G testbed in the laboratory that includes a 5G core network using the open source software “OpenAirInterface” and “free5GC” and a wireless access network using Software Defined Radio (SDR) equipment. Using the testbed, we are conducting risk analysis for the 5G network environment and verification of mitigation techniques. Our findings have been published as “5G Security Guidelines” by the MIC in Japan. In the future, we will also conduct security verification for newly introduced 5G technologies such as network slicing, MEC, and PTP. We will continue our R&D on risk analysis and verification technologies for 5G and Beyond 5G networks and contribute to the construction of a vendor- and carrier-neutral evaluation and verification environment and the sharing of knowledge by taking advantage of NICT's neutrality.

Low-layer security

Security verification technologies for supply chain risks

Hardware security analysis via chip analysis

With the proliferation of IoT devices and the rise of supply chain risks, it is becoming increasingly important to develop technologies for testing devices. Such technologies could verify whether a given device has unwanted functions including vulnerabilities or intentionally embedded backdoors, where backdoors means an unwanted program or process that can be penetrated from the outside. The Low-layer Security team works on R&D on security technologies for low layers of the structure of devices covering hardware, firmware, kernel modules, FPGAs (Field-Programmable Gate Arrays), IC chips, and sensors.

The security technologies we develop aim to identify chips that are vulnerable through physical access by actually opening IoT devices, backdoors embedded in firmware, and unwanted functions implemented in FPGAs designed on the basis of specifications. We have also developed NEMIANA, a software verification system for firmware and software running on FPGA boards, as a technology utilizing FPGAs. NEMENIA has been released as OSS (Open-Source Software). We also develop other security verification technologies that can be applied to a wide variety of devices including wearable devices, connected cars, and other new devices that are becoming popular in society. A technology of ours can verify, for example, whether a device can incorrectly recognize invalid data intentionally generated from physical sensors.

By promoting these R&D activities, NICT aims to contribute to reducing supply chain risks with countermeasures using national technologies. For example, we are developing a verification system that conducts comprehensive verification when unwanted functions could be embedded in a certain device.

Usable security

Discovering and solving security issues in the relationship between humans (users) and computers

Examples of security issues arising from human (user) and computer system interaction

Human factors must be considered in cybersecurity, as any security technology may not reach its full potential if it is misused or misunderstood. There is one research field, “usable security,” for preventing security and privacy threats arising from the interaction of humans (users) with computer systems without compromising effectiveness, efficiency, and satisfaction for users. The Cybersecurity Laboratory promotes R&D activities in usable security.

Even among humans, there are a variety of security and privacy issues depending on their position, situation, and role. For example, users may consent to an app download without understanding the privacy policy, or there may be inconvenience in security authentication for the physically challenged. There are other challenges in developing secure products. Services and systems are implemented through programming by developers (programmers), but if developers do not properly implement not only the original functionality and purpose of the service (functional requirements) but also security and other functions (non-functional requirements), vulnerable services will be created. Prior research has shown that, in many cases, vulnerabilities are created by developers using low-quality code samples posted on Q&A sites for developers on the Internet. Therefore, it is important to provide developers with an easy-to-use and secure way to develop their products. We also conduct R&D on effective security alert methods to encourage users to take appropriate security measures and on nudges to encourage users to change their behavior in the desired direction.

The usable security team aims to establish technologies that combines high usability and security by addressing security issues from various aspects related to humans.

back to page top