“No software gives as much protection as a well-trained human”

Professor Johannes Kinder works with software security down to the level of home PCs. “Even computers that are used only for games and YouTube videos need protection. Banking transactions are by no means secure just because they run on a separate device,” the IT expert says. “Once malware has infected one computer in my home, it can easily spread to other devices – via a shared network drive, for instance. Because in principle, that is enough to open a data channel.”

Johannes Kinder took over as Chair of Programming Languages and Artificial Intelligence at LMU in April of last year. “You have to protect the whole system, not just one piece of hardware,” he says. After studying computer science at the Technical University of Munich (TUM), he earned his doctorate on the same subject at the Technical University of Darmstadt before working as a postdoctoral researcher at the École Polytechnique Fédérale de Lausanne.

His professorial career began at the Royal Holloway University of London, followed by a stint at the University of the Armed Forces’ CODE Research Institute in Munich.

“My research focuses on using automated methods to protect software,” he explains. “We develop systems to analyze software, understand its properties and purpose and guard it against attacks.” This work brings him into contact both with software that has unintentional security loopholes and with what is known as malware. The latter is developed specifically to allow hackers to gain control over third-party systems.

Treacherous diet apps

Kinder’s team write the programs, methods and algorithms to analyze the behavior of such software themselves. “This takes the form of static analyses, but also dynamic runtime monitoring. The human developer gives the program a kind of guideline specifying what is prohibited – sending certain data, for instance.”

At the same time, the researchers have lately attempted to use machine learning to help analyze how programs behave. To do so, [AI] is trained to recognize the characteristics of harmless and harmful software fully automatically. “At my chair, we do basic research with a practical focus: We develop methods on which tools can later be based.”

Right now, the team is testing for weaknesses in smart home devices, JavaScript packages for web infrastructures and common Android apps, for example. “A shopping list, say, can be read by virtually any other app – including harmless items, but also positioning data.” Kinder’s research also keeps an eye on diet apps that track people’s weight and health and, via inadvertent configuration errors, could give hackers access to sensitive data.

One current hot topic in this field of research, he says, is how programs can learn automatically and remain state-of-the-art in relation to malware. “It is not so easy, because malware changes quickly and does different things with every new operating system on the market.” It is not always enough to merely adapt the training data: In many cases, the IT expert adds, you have to modify the entire system architecture.

AI in antivirus programs

Nor has the question of whether humans or machines should primarily control this process yet been answered. True, AI can today do a lot of things independently, and many antivirus programs for PCs already feature elements of machine learning. However: “No software gives as much protection as well-trained human experts, because the latter can respond more flexibly to unforeseen security-critical situations,” Kinder explains. “That goes in particular for military security and for security issues in public healthcare, for example, both of which are exposed to very different but highly dynamic attack scenarios.”

Johannes Kinder hopes his research will enable him to cooperate with the numerous AI initiatives across LMU’s broad spectrum of disciplines. Even in teaching itself, however, the topic today commands growing importance. “When I studied computer science, there was only one lecture on the subject,” Kinder notes, adding that this has given way to a much wider approach – an approach that, in future, will have to take in every relevant aspect. Why? The professor puts it succinctly: “Because addressing security in programming lectures costs a lot less than somehow tacking it onto programs further down the line.”