Authors: Davy Preuveneers and Koen Vranckaert / KU Leuven
The DistriNet research group of KU Leuven has a long track-record in cybersecurity, presenting several novel attacks and defenses to improve the security posture of systems, software and network infrastructures. An important line of research includes the use of machine learning and deep learning, both from an offensive and defensive point of view, as illustrated below.
A recent example of how we used AI to defeat security solutions was presented at Euro S&P 2022 [1]. In this work, we explored the ecosystem of captchas. A captcha is a way of figuring out whether a website visitor is a human or a machine, and this technique is often used to detect bots or other abuse traffic on a website. More specifically, we investigated Google’s reCAPTCHA v3 which has the same objective but without causing any user friction (e.g. recognizing text or images). Using reinforcement learning and leveraging the reCAPTCHA scores, we built models that simulated human-like web browsing behavior that were able to evade reCAPTCHA’s detection.
Another line of research within DistriNet on the use of AI to improve defensive solutions is our ongoing work on biometric and behaviometric authentication. These security applications typically leverage deep learning (DL) models to extract biometric templates during the enrollment and the actual authentication. As an example, in [2], we explored gait authentication with inertial measurement unit (IMU) sensors as a behavioral authentication scheme, and used a.o. temporal convolutional networks (TCN), as shown in the figure below, to extract these templates as well as novel schemes to protect these templates. Other ongoing research tracks are robustness of biometric pipelines against adversarial perturbations, and assessing the strengths and limitations of prominent robustness methods in light of facial authentication, both from a security and privacy perspective. We additionally research the benefits and challenges of deep learning in other cybersecurity applications, such as malware and network intrusion detection.
The KU Leuven Centre for IT & IP Law (CiTiP) likewise has a solid track record as a law and ethics partner of research consortia. CiTIP is renowned for its expertise in the areas of artificial intelligence & autonomous systems, data protection and privacy, eHealth & Pharma, Ethics and Law, Intellectual Property, Media & Telecommunications and (Cyber)Security.
CiTiP’s research and dissemination activities contain a wide range of cybersecurity-related topics. In one study performed at the request of the Belgian Ministry of Economic Affairs, CiTiP provided a mapping of the legal regimes applicable to the use of artificial intelligence and provided recommendations on how to implement them into Belgium’s applicable law [3]. CiTiP researchers have also published multi-disciplinary publications on Artificial Intelligence and the Law [4].
The above-mentioned research will complement the findings on the technical side of the KINAITICS equation and will ensure that the solutions will fit with European Union legislation and European legal, ethical and societal values.
[1] Tsingenopoulos, I., Preuveneers, D., Desmet, L., & Joosen, W. (2022, June). Captcha me if you can: Imitation Games with Reinforcement Learning. In 2022 IEEE 7th European Symposium on Security and Privacy (EuroS&P) (pp. 719-735). IEEE.
[2] Van hamme, T., Rúa, E. A., Preuveneers, D., & Joosen, W. (2021). On the security of biometrics and fuzzy commitment cryptosystems: A study on gait authentication. IEEE Transactions on Information Forensics and Security, 16, 5211-5224.
[3] Amankwah, J.; De Bruyne, J.; de Streel, A.; Gils, T.; Hof, D.; Jacquemin, H.; Lognoul, M.; Ruelle, V.; Stroobants, N.; Vanherpe, J.: Van Schoubroek, C.; Valcke, P.; Vranckaert, K., Study on Potential Policy Measures to Promote the update and the Use of AI in Belgium in Specific Economic Domains. Part 1: Gap Analysis + Part 2: Comparative Legal Analysis, Online report for the Federal Public Service Economy, 2022.
[4] De Bruyne, J. and Vanleenhove, C. (eds.), Artificial Intelligence and the Law, Intersentia, 2023, 668p.