‘If you scroll your phone now, you might count a hundred apps or more,’ Gadyatskaya says. ‘But how much do we know about the companies that create them? Can we trust them? Could they be stealing your data?’ Nowadays we have everything on our phones: our contacts, pictures and personal information. ‘A lot of these apps have access to your data and you have no idea what they do with this information.’

Computer systems are better at scanning software and giving a warning when something is not right. On a mobile phone, that’s a lot harder to control. ‘As cybersecurity experts, we try to identify the apps with malware in order to protect our devices in a better way.’ But that’s quite an impossible task as there exist millions of apps. ‘So we need to work on scalable solutions on how to distinguish between the malicious and trustable apps.’

Hard to define what malicious behavior

Machine learning techniques to detect malware already exist, but they aren’t perfect. ‘They can tell you when a sample contains malware, but they can’t tell you why exactly.’ That’s not surprising, as it is very hard to define what malicious behavior is. ‘What malware often does, is stealing personal data and sending it to an external server. But that is also what apps such as Facebook do.’

It’s almost impossible to write new software from scratch.

That grey area even makes it hard for a trained data analyst. ‘It is very difficult, but also what makes the research problem so interesting.’ To tackle the deficiencies of the existing machine learning, Olga and a team of experts are working on explainable AI solutions. ‘We want to find a way in which we can let the AI tell us not only which apps are malicious, but also why.’

Libraries for codes

Not only apps can contain malware, also the library codes for building software can be infected. ‘There is a very popular platform where programmers share code, named GitHub. It is a database for everything you need to build software. And it’s not for the small users alone, even the biggest companies that provide security services are on it.’ As software becomes more complicated all the time, it’s almost impossible to write new software from scratch. ‘So we need to use libraries and packages with the input of other producers.’

Gadyatskaya researched if certain on the platform also contain malware . ‘To check how safe the digital infrastructure of your company is, you can hire the service of pentesters, so called ‘legal hackers’. By trying to get in your systems, they can see where the vulnerabilities are and fix them. Leiden University also does that from time to time.’

Big news in the cybersecurity world

Manual hacking takes too much time nowadays, so these pen testers need a lot of tooling and software. ‘They need to look for proof-of-concept exploit codes to show the client that the vulnerability in their digital infrastructure is indeed exploitable. Some of these codes they have themselves, but others they need to get from other sources, for example, from GitHub. We found that among  50.000 repositors that share these exploit codes on GitHub, there is a significant fraction that share malicious exploit codes. These will then attack the pen testers.’ Gadyatskaya’s findings were big news in the cybersecurity world. ‘They were shared everywhere as a warning.’

We hope to become an internationally renowned security group.

To achieve more of these important results, Gadyatskaya and her colleagues are building a bigger security group in Leiden. ‘I started here 3 years ago and soon after Nele Mentens joined too. The group has now hired two more assistant professors. We are working our way up and hope to become an internationally renowned security group.’

Not only for boys

As a member of the RISE Junior board, Gadyatskaya hopes to  inspire more girls to also consider a study or career in cybersecurity. ‘You often see fewer women in my profession. It can be difficult for girls to discover that they like cybersecurity. When I talk with students about writing a thesis on cybersecurity or do an internship, they often think: ‘I’m not some kind of guy in a hoodie who can hack. This isn’t for me.’ After events and introductions, some students discover that it is actually a really dynamic field and that hacking can be very cool. And it’s not about hacking alone, the field needs people with very different sets of skills. I hope more girls will discover how interesting, diverse and fun this job is.’

Text: Inge van Dijck