Baidu President Ya-Qin Zhang Talks AI Security

As Chinese Internet giant Baidu has expanded from search to mobile apps, cloud services, and emerging business sectors like autonomous driving and voice assistants, it has correspondingly beefed up its research efforts, particularly in AI, to keep pace with growing security threats.

Remember the old days, when digital security meant scanning your PC once a week and occasionally downloading a patch? Cybersecurity has changed, and today covers a tremendous range of large-scale, unpredictable, and destructive threats. Last year’s WannaCry ransomware attack alone affected more than 200,000 computers in 150 countries, with total damage estimates ranging to the billions of dollars.

Security professionals are increasingly adopting artificial intelligence in their cybersecurity efforts. Capable of processing large volumes of data, AI-enabled systems excel in identifying and ameliorating threats. Approaches such as deep learning and reinforcement learning are believed to be the future of AI security.

image (14).png
A vehicle running on the Baidu Autonomous Driving Platform Apollo

Synced spoke with Baidu President Dr. Ya-Qin Zhang at the recent DEF CON hacker convention in Las Vegas. Dr. Zhang oversees the Baidu Security Division’s 1,200 employees. Their 2018 slogan is “AI Security.”

DEF CON is one of the world’s largest hacker conventions. It had never been held outside the US until this May, when Baidu brought DEF CON to Beijing to the delight of the more than 5,000 Chinese geeks, hackers, and scientists who attended.

Dr. Zhang spoke on today’s cybersecurity challenges and AI’s emerging role in the security domain. He also warned of the vulnerability of AI algorithms and how Baidu addresses the issue. Read on for more from our interview with Dr. Zhang. The interview has been edited for brevity and clarity.

There is strong concern internationally about increasingly sophisticated and damaging hacker breaches and exploitations such as EternalBlue, Wannacry, and DDoS attacks. What’s happening?

When an industry becomes enormous it also attracts a black market. In the past, people mainly used computers to search for information on the Internet, and so most viruses were aimed at PCs. But now the Internet has seeped into every aspect of our lives, for example as people use mobile devices on e-commerce websites. The security boundaries are expanding, and the black market will grow as well, bringing new and greater security challenges.

image (15).png
WannaCry screenshot

The threat of hackers using AI to create viruses or attacks is now being discussed at many security conferences.

AI has expanded the security boundaries to the IoT, cars, and various vertical fields. Now there are more things to attack, and some AI models and algorithms themselves may be vulnerable. There is also as you mention the real possibility of hackers using AI to attack. AI can recognize patterns in order to find ways to attack. Conversely, AI can also defend a system, by identifying data and making predictions that can be used to defend against attacks.

Viruses are no longer the major problem. We are more concerned now with how to predict and gauge the possibility of attacks. For example, from patterns in big data we want to identify where and when a DDoS attack might take place and then come up with a prevention solution before anyone actually launches the attack.

Security today extends far beyond cybersecurity and code security to include data security, payment security, financial security, physical security, and even security for personal security equipment.

Please tell us about the development of Baidu Security’s AI algorithms for large scale information security.

Baidu has an 18 year history. For the first decade we mainly focused on defending our own systems in order to keep our network and customers from being attacked. We then expanded our security scope to include our new mobile products.

Over the past two years Baidu has devoted most of its resources to AI security. We pay a lot of attention to data such as account information. There is also the security of AI systems such as our autonomous driving system Apollo and smart voice assistant DuerOS. We regularly conduct cybersecurity attack and defense simulations to improve our defences.

image (16).png
A Baidu smart speaker equipped with the DuerOS system. 

How about Baidu’s recent developments in network security?

We have established an intelligent edge security ecosystem called OASES which enables different Android versions to better defend against cyberattacks.

How do the US and Chinese cybersecurity industries compare?

I think China’s market is more challenging because it has a huge underground economy, not only in the cybersecurity industry, but also in telecommunications, payment, and finance. But I believe the problems in China will gradually be solved.

What role does deep learning play in cybersecurity?

AI took a leap forward with big data analysis over ten years ago. We can draw conclusions from a large amount of data by using machine learning, which has been widely deployed over the last two years. There have also been an increasing number of deep learning sessions at Black Hat security conferences. As long as we understand that AI is based on pattern recognition and classification of big data we can develop a better sense of what AI can do in the security industry.

Right now, AI still functions in a support role, but it may become a decision maker in the near future. A bigger challenge facing the industry is that AI models are complicated and so can themselves be vulnerable. For example there was research which showed that adding specific patterns to a stop sign with adhesive tape could trick an AI into recognizing it as a 60 MPH speed limit sign. Convolutional networks can be very sensitive to angles, position shifts, image size, etc. and so we need to add robustness to the algorithms.

image (17).png
Researchers from the University of Washington, University of Michigan, Stony Brook University, and UC Berkeley published a paper last year on how to hack self-driving cars using stickers on street signs.

The stop sign hack you mentioned involves adversarial samples, right?

Yes, but adversarial samples cannot be used for large-scale attacks. Our researchers are conducting attack and defense simulations and development to dig into this technology. Immediately after completing an attack simulation, we explore ways to defend against it.

Interestingly, after Apollo was open sourced, many security experts and white hats “attacked” our model while sharing the corresponding defense codes. This input helped the Apollo system became very robust. More than 50 percent of Apollo’s code is related to security.

Regarding expanding security boundaries, what are some emerging threats to cars?

A hacker could for example disable the brakes and ABS to take control of a car from the driver. Through GPS interference, hackers could change the vehicle’s displayed location or map information. They could also hack other vehicle information systems such as video. Last year a Chinese security research team was able to hack a Tesla Model X.

Traditional car manufacturers don’t really understand information security. For example there are security issues when the in-car operating system receives an OTA update. Internet companies may know how to safeguard the technology in their mobile phones, but self-driving cars’ safety requirements are stricter and involve personal safety.

DuerOS has now been installed on hundreds of millions of devices. Has this created any security issues?

Currently we have not seen any. But security and privacy issues, like I have always said, are our highest priority.

Can you tell us how you know Jeff Moss, and how you brought DEF CON to China?

I have a very good relationship with Jeff. Actually, the place where he grew up is just two blocks from my home in Seattle. Jeff and I had a great talk when we first met, sharing our views on the security industry. He told me he also hoped DEF CON and Blackhat could be held outside the United States, because cybersecurity is now a worldwide issue. So I proposed we hold the conference in China. We put in a lot of time and effort and eventually it came true.

Baidu is an ideal DEF CON partner because we are strong in emerging technologies. Also, we want to make friends. In the field of security, we are now working closely with companies like Alibaba, Tencent, Huawei and Xiaomi. We also support various attack and defence competitions. At my first DEF CON we sponsored a team called Blue-Lotus, the first Chinese team to qualify for the DEF CON CTF (Capture the Flag) final. Some of the hackers on that team have since joined Baidu.

image (18).png
DEF CON Founder Jeff Moss (Left), Ya-qin Zhang (Centre), and Baidu Security General Manager Jie Ma (Right) at DEF CON China this May.

This year China published a white paper on AI standardization, which includes information security and AI security. What are the implications of this for Baidu?

The white paper will allow everyone to build a consensus when faced with problems. Whether it is a security issue, an algorithm issue, or an industry implementation issue, we need to have a consensus, and Baidu is actively participating.

Where do you see the cybersecurity industry in the next three to five years?

At the age of AI, the boundaries of the entire security domain are expanding. Machine learning technology brings advantages but it has also weaknesses. The security industry needs to understand the characteristics of different systems. As I said, at first we had to secure PCs, and when mobile devices added features such as payments and transactions, we had to secure these. Now the Internet of Things is booming. As the Internet enters our physical world there will naturally be new challenges as well as new opportunities.

In this regard, I also believe there are too few interdisciplinary talents currently working in security, AI, and vertical industries. For example, autonomous driving will be one of the most complicated security challenge we face over the next five years. This sector involves various techniques in AI, computer vision, various sensors, deep learning, high-precision maps, self-positioning, big data, etc. It is difficult task considering vehicles need to take steps from perception to decision to action in order to make the most correct decisions in the shortest time. Therefore a security expert in autonomous driving should not only know about autonomous driving technologies, but also be very familiar with cars in general, and with all the relevant AI algorithms and security algorithms.

Journalist: Tony Peng | Editor: Michael Sarazen

0 comments on “Baidu President Ya-Qin Zhang Talks AI Security

Leave a Reply

Your email address will not be published. Required fields are marked *

%d bloggers like this: