Nataliya Mykhaylova, winner of a student competition to find new ways of thwarting cyber criminals, has devised a novel model.

Cybersecurity is a big concern for nearly every industry. But for the banking sector, that concern is paramount, and the arms race to stay ahead of digital criminals requires innovative thinking. That’s why the London-based SWIFT Institute, set up by the Society for Worldwide Interbank Financial Telecommunications to enable cross-learning between academics and bankers, issued a challenge to teams of Canadian university students to come up with new ideas.

The winner, Team Pulse OS, devised a process that allows for reliable early detection by analyzing the unique power-use signatures on mobile devices. Team leader Nataliya Mykhaylova, who is pursuing a doctorate in chemical engineering at the University of Toronto, discussed her project with Knowledge at Wharton following her win at the October 2017 competition. Peter Ware, director of the SWIFT Institute, also joined the conversation about cybersecurity.

An edited version of the transcript follows.

Knowledge at Wharton: What prompted the SWIFT Institute to devise this competition?

Peter Ware: We launched the SWIFT Institute Student Challenge last year primarily to engage with students. Part of what the institute does is give research grants to academics. We’ve been dealing with academics for about five years now, so we wanted to go beyond that and try and tap into some young, upcoming, engaging minds.

We linked this specific challenge to a conference that we held in Toronto called Sibos. We thought that we would focus primarily on students at Canadian universities. Before the challenge started, we went to the Canadian banking community and asked, “what is at the forefront of your minds? What is keeping you awake at night that we can try and help you solve?” Unsurprisingly, it was cyber. They helped to find the idea of trying to protect a bank’s channels to its customers from cyber attacks. That’s the challenge that we put to students.

Knowledge at Wharton: Nataliya, why did you want to be a part of this competition?

Nataliya Mykhaylova: I was excited to hear about this competition because cybersecurity was something that is really big on everybody’s mind. A lot of the attacks right now are undetected. I have been kind of researching this field from the hardware side. Doing my Ph.D. at the University of Toronto, I was testing different devices and got lots of ideas about how this could be prevented on a hardware level. I was really excited by this competition and thought I would submit my ideas.

Knowledge at Wharton: Tell us more about your winning idea.

Mykhaylova: You hear on the news all of these companies that have an issue with cybersecurity. What I noticed when looking through those cases is that there is a lot of effort being put into preventing the attacks, which is understandable. But I noticed there is not quite as much attention being spent on detecting those things early. In fact, only 30% of the cyber security attacks are detected in-house. This is a huge problem. There are lots of creative ways in which those attacks happen, and we need better systems to detect them at the edge or before they have a chance to spread.

When I was doing my Ph.D., I was assembling and testing different devices, different sensors. I discovered there is this pattern that you can detect and correct through artificial intelligence models. And you can actually detect the changes in those patterns very early. For example, if the system is compromised even in the early stages, those performance signatures — like heat, CPU, other patterns — change very quickly. You are able to differentiate them from the normal operations of the system. Basically, an attack would leave a series of breadcrumbs as they are compromising the system, so you can detect them before it has really a chance to spread. This was an interesting discovery. This is something that inspired this idea going forward.

Knowledge at Wharton: Do you give consideration to the fact that so much banking is done on mobile devices?

Mykhaylova: Yes. The interesting aspect of the system is that it can work across different types of devices. We are checking up on our accounts on our mobile devices all the time — our laptops, our desktops. You have to have a system that works effectively throughout interfaces so we can detect things before they have a chance to spread through the banking channels. Part of this system is going down to the very low level, to the hardware level.

With each new version of these devices, they have better and better ICs, the integrated circuits that go into those devices. A lot of them are now able to use features that allow us to run machine-learning models in real time to be able to detect changes in the operation of the systems.

This is a very interesting area, and I feel that it’s been unexplored. This is something that we have been doing, and realizing that there is a lot of opportunity to explore those parts of the system. Because this is something that is much harder for the cyber attackers to fake, they cannot really change the hardware patterns as easily as they would be able to change the software that is running on the system and to hide their traces.

Again, this is something that can be deployed running across the devices, so this makes it very powerful to be able to run the script on your cellphone, on your tablet, on your laptops.

Knowledge at Wharton: Peter, what is the significance of what she is describing?

Ware: It’s something that is very useful, and quite advanced and different from what I think a lot of banks have been looking at. A lot of the ideas that came from other teams in the challenge were all very good ideas. They were dealing with things such as four-factor authentication, voice and facial recognition. But this was a very unique approach from Nataliya, the idea of looking at pattern or usage recognition on our devices. It’s a novel approach. It’s something that, hopefully, banks can take forward and try to implement.

Knowledge at Wharton: Has there already been a reaction from banking institutions to the ideas generated by this contest?

Ware: It was actually the banks that voted on Nataliya to be the winner. We had a panel of four judges, which included some bankers from within Canada and some fintech experts, and we did audience voting online as well. It was the banking community itself that voted on the winner. There was also a lot of engagement among the banks and Nataliya and the other team members. A lot of these ideas are going to be taken forward, I am sure.

Knowledge at Wharton: Is there any possibility that some of those institutions will get involved in developing this idea?

Ware: That is something that would happen directly between the banks and Nataliya, so it is something that we are trying to foster. We are trying to foster that engagement and contact between the banks and the students. What happens next is something that is on a direct relationship between the two of them.

Knowledge at Wharton: Nataliya, can your idea be adapted and applied to sectors beyond banking?

Mykhaylova: I am really interested in potentially scaling this solution. I am passionate about cybersecurity, and I think banking is a great place to start. But I feel like every day we have new channels through which we interact with the world, and we have new devices in our homes through which we interact. We have IoT devices [internet of things], we talk to Alexa and so on. They are really easy channels for attackers to get into our system. I think we can make pretty much any channel more secure.

We have already started conversations with some banks in Canada as well as internationally, so I am very fortunate to have been part of the Sibos competition. But there is a lot of interest I received from the IoT technology sector, which is developing these devices that we all have in our homes now. I am quite excited about the interest and potential scalability of this.

Knowledge at Wharton: The SWIFT Institute will have its 2018 conference in Sydney, Australia. Do you plan to stick with cybersecurity as the theme?

Ware: We are going to run the Student Challenge again, but we will come up with a different idea. We’ve gone to the Australian banking community and explained the concept of the challenge to them. There is a great deal of excitement there. They are in the midst of coming up with the idea that is relevant to their community. At this point, we don’t know what the idea is. We have already contacted 43 universities across Australia to explain what Sibos is, what the SWIFT Institute is and the idea behind the challenge. There is a great deal of interest from universities.

Knowledge at Wharton: What are the next steps for you, Nataliya?

Mykhaylova: Our goal right now is to test this system on all of the possible use cases, finalize the models and launch it through a few partner banking institutions to really showcase the benefits that it could provide.

As I mentioned, it can be run on any system, it’s fairly low cost and fast to set up, it’s an easy solution to implement, and it could have a higher return on investments for banks. We are looking to finalize the model and launch it by next year.

Knowledge at Wharton: Banks operate on different systems. Was that a challenge for you in the process of developing this concept?

Mykhaylova: Yes. Banks have all of the infrastructure right now for various types of divisions and for most internal interactions between the employees as well as with the customers. That was one of the biggest aspects that we wanted to incorporate into this solution so that we could deploy a system at scale to detect issues before they have a chance to spread through the network, which I think is one of the biggest concerns with the recent cases of companies being compromised.

Ware: Even within a single bank, they have multiple systems. There are so many different mergers and takeovers that have happened over the decades, and they all have these legacy systems that they try and put together. The idea of Nataliya having something that could be relatively easy to implement is going to be music to the banks’ ears. It’s a great initiative.

Knowledge at Wharton: Do you have to consult with, in this case, the Canadian government for implementation?

Mykhaylova: To some extent. Currently, this system can be operated across a number of different devices and trained on a number of different systems. Right now we are starting kind of small, really validating on very focused case scenarios. But later as it expands, I do feel that it would be important to involve the government because cybersecurity is going to be key for all of our operations. It would be important to think about it on a larger scale.

Knowledge at Wharton: As banks have retreated from some places, a vast number of areas are becoming unbanked, and there is a tremendous increase in financial inclusion with some of the fintechs entering the spaces. Is the cybersecurity solution that Nataliya has proposed relevant to those kinds of entities as well?

Ware: I think it is. You’re absolutely right that the more fintechs open up their systems and create new systems to provide banking services to anyone and everyone around the world, it’s creating more opportunities for cyber attacks. A lot of those smaller fintech companies are not as well regulated, if they’re regulated at all, compared to the banks.

The security they put in place might not be as good as what the banks have in place. Nataliya’s idea could be very relevant to them, and I think it’s absolutely necessary that a lot of those fintech companies try to adopt as stringent security measures as possible.

Knowledge at Wharton: Financial institutions may be hesitant to partner with each other, but sharing information would help ensure everyone has a high level of cybersecurity. Do you agree?

Ware: Absolutely. Looking at how banks can share information is something that we have explored from a research perspective. Banks do share cyber-threat information with each other anyway, but we’re always looking for ways on how that can be improved.

The people perpetuating cyber attacks actually operate as a business. They buy and sell information from and to each other. From a protection point of view, the banks are increasingly starting to think along those lines as well. The same would be true for any other industry.

Knowledge at Wharton: Another concern for consumers is the speed in which the information from a breach is relayed to the public. Many within the IT community say time is needed to understand what happened. From that perspective, maybe Nataliya’s solution would speed up this process.

Ware: Exactly. The earlier that those threats can be detected, the more time that banks and anyone else would have to be able to react to it.

Mykhaylova: It takes an average of 98 days to detect an attack, sometimes after years. This is very crazy that we still have to spend so much time detecting those things. Part of the reason is that it is also becoming harder and harder to detect. There are new types of malware, new types of zero-day attacks and other threats that are becoming more and more common. So, it’s important to have systems that don’t need to be signature-based, that can detect those kinds of attacks without any prior knowledge of the threat. This is where our system excels, and it can detect patterns in an unsupervised manner. You don’t need to build up those signature libraries ahead of time.

Knowledge at Wharton: Do you think we will get to a point where potential break-ins are done and figured out in real time?

Mykhaylova: Yes, so that is the goal. Our system runs in real time, continuously tracking things, categorizing them and evaluating how risky they are. I think that is key to be able to do that in real time.