
Fighting the cybersecurity battle

National Science Foundation funds Case Western Reserve team working to stop data breaches, protect customer information

A pair of Case Western Reserve University computer researchers want to develop a better defense against big data breaches—and the National Science Foundation (NSF) is intrigued enough to support their efforts. 

Xusheng Xiao and Yinghui Wu, assistant professors in the Department of Computer and Data Sciences at the Case School of Engineering, received a three-year, $500,000 NSF grant to investigate the viability of their approach to build a better defense system.

They’re working on teaching computer networks to adapt to future breaches by learning details of previously unknown past criminal invasions into the system. These stealth attacks can be discovered hidden in vast system-audit logs kept by every computer operating system. 

These system-audit logs (sometimes called monitoring logs or activity logs) reveal every single action on a computer, resulting in a storehouse of sometimes millions of lines of data that the human eye would have trouble deciphering. 


“The operating system has the answers, but they’ve just been buried in the monitoring log,” Xiao said. “Think of it like what a security camera does: It produces recordings for an entire 24 hours, but you only need and want to see the time period of the break-ins, and just before, so you can see the bad guys as they arrive. We’re doing the same thing by reviewing the system-audit logs.”

While other research teams—both academic and private—are also working to solve the problem of large databases being hacked, Xiao said their approach is unique.

First of all, it uses an automated algorithm that can filter out in real time the tens of thousands of “regular” actions of a computer and isolate the unusual ones.

Second, their algorithm goes a step further by asking “what if?” and “why?” questions of the system in addition to “what” and “where” information gleaned from existing searches.

“We’re designing a smart algorithm that traces the reasons for the appearance of certain files in the logs,” Wu said. “This has not been done before.”
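As an added illustration (not the researchers' algorithm or code), here is a toy version of the two ideas Xiao and Wu describe: dropping the routine actions that a clean baseline period shows over and over, then tracing a suspicious file backward through the remaining audit events to answer "why did this file appear". The log events, process names and address are constructed.

```python
from collections import Counter

# Constructed audit-log events (not real log data): one tuple per recorded
# action, in the form (process, action, target).
BASELINE_EVENTS = [
    ("sshd", "exec", "bash"),
    ("bash", "exec", "ls"),
    ("cron", "exec", "backup.sh"),
    ("backup.sh", "write", "/var/backups/db.tar"),
] * 50  # the same routine actions repeat many times during the baseline

LIVE_EVENTS = BASELINE_EVENTS[:20] + [
    ("sshd", "exec", "bash"),
    ("bash", "exec", "curl"),
    ("curl", "connect", "203.0.113.7:443"),   # constructed address
    ("curl", "write", "/tmp/update.bin"),
    ("bash", "exec", "/tmp/update.bin"),
    ("/tmp/update.bin", "read", "/etc/shadow"),
    ("/tmp/update.bin", "write", "/tmp/out.dat"),
]

def regular_actions(baseline, min_count=10):
    """Actions seen at least min_count times in a clean baseline are 'regular'."""
    return {ev for ev, n in Counter(baseline).items() if n >= min_count}

def filter_unusual(events, regular):
    """Keep only the actions the baseline never (or rarely) showed."""
    return [ev for ev in events if ev not in regular]

def why_did_it_appear(events, target):
    """Backward provenance: from the target, follow the processes that wrote or
    executed it, then whatever caused those processes, until the chain ends."""
    by_target = {}
    for proc, action, tgt in events:
        by_target.setdefault(tgt, []).append((proc, action))
    chain, seen, frontier = [], set(), [target]
    while frontier:
        node = frontier.pop()
        for proc, action in by_target.get(node, []):
            edge = (proc, action, node)
            if edge not in seen:
                seen.add(edge)
                chain.append(edge)
                frontier.append(proc)
    return chain

if __name__ == "__main__":
    unusual = filter_unusual(LIVE_EVENTS, regular_actions(BASELINE_EVENTS))
    for step in why_did_it_appear(unusual, "/tmp/out.dat"):
        print(step)
```

Because the routine `sshd -> bash` login is part of the baseline, the trace stops at `bash`; tracing over all events instead would extend the chain one step further.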

Mining the monitoring log


Data breaches have been big news as they’ve occurred at a dizzying pace in recent years: from the Target data breach of 2014, which resulted in the theft of personal information of 70 million customers, to the hack of as many as 1 billion Yahoo accounts in 2016, to the long and growing list of lesser breaches in 2020.

But these incidents are rarely, if ever, the failure of the traditional anti-virus software most of us have on our personal computers, or even a gap in the heftier versions installed by institutions. Viruses, in fact, often reveal and implicate the less skillful attacker, experts like Xiao and Wu say.

Instead, these thefts are the work of hackers who secretly navigate an individual computer’s files, enter into the network and slowly remove sensitive data that can compromise the identity or financial well-being of millions of customers.

“Right now, people have the impression that if they install antivirus software they are OK,” Xiao said. “But hackers are looking for other vulnerabilities, like if you’re using an old version of Windows.”

Then, he said, the cyber criminals buy a tool on the black market to skirt past the older Windows software. And, once inside, they start copying a limited number of files each day, so that the person or company doesn’t even know they are there.

The system being designed at Case Western Reserve would notice that entry and help build defenses against it, Wu said.

They hope to someday turn their real-time monitoring system into a marketable product for corporations, data security companies and possibly individuals.

For more information, contact Mike Scott at mike.scott@case.edu.

This article was originally published Dec. 14, 2020.