Hackers constantly improve at penetrating cyberdefenses to steal valuable documents. So some researchers propose using an artificial-intelligence algorithm to hopelessly confuse them, once they break in, by hiding the real deal amid a mountain of convincing fakes.
The algorithm, called Word Embedding–based Fake Online Repository Generation Engine (WE-FORGE), generates decoys of patents under development. But someday it could “create a lot of fake versions of every document that a company feels it needs to guard,” says its developer, Dartmouth College cybersecurity researcher V. S. Subrahmanian.
If hackers were after, say, the formula for a new drug, they would have to find the relevant needle in a haystack of fakes. This could mean checking each formula in detail—and perhaps investing in a few dead-end recipes. “The name of the game here is, ‘Make it harder,’” Subrahmanian explains. “‘Inflict pain on those stealing from you.’”
Subrahmanian says he tackled this project after reading that companies are unaware of new kinds of cyberattacks for an average of 312 days after they begin. “The bad guy has almost a year to decamp with all our documents, all our intellectual property,” he says. “Even if you’re a Pfizer, that’s enough time to steal almost everything. It’s not just the crown jewels—it’s the crown jewels, and the jewels of the maid, and the watch of the secretary!
Counterfeit documents produced by WE-FORGE could also act as hidden “trip wires,” says Rachel Tobac, CEO of cybersecurity consultancy SocialProof Security. For example, an enticing file might alert security when accessed. Companies have typically used human-created fakes for this strategy. “But now if this AI is able to do that for us, then we can create a lot of new documents that are believable for an attacker—without having to do more work,” says Tobac, who was not involved in the project.
The system produces convincing decoys by searching through a document for keywords. For each one it finds, it calculates a list of related concepts and replaces the original term with one chosen at random. The process can produce dozens of documents that contain no proprietary information but still look plausible. Subrahmanian and his team asked computer science and chemistry graduate students to evaluate real and fake patents from their respective fields, and the humans found the WE-FORGE-generated documents highly believable. The results appeared in the Association for Computing Machinery’s Transactions on Management Information Systems.
WE-FORGE might eventually expand its scope, but Subrahmanian notes that a document recommending a course of action, for instance, would be much more complex than a technical formula. Still, both he and Tobac think this research will attract commercial interest. “I could definitely see an organization leveraging this type of product,” Tobac says. “If this ... creates believable decoys without releasing sensitive details within those decoys, then I think you’ve got a huge win there.”