Security Team's activities with the academic world
Hello, World, this is Yu-Lu “Chris” Liu, I am the Office Manager of the IT Security Engineering Office, the technical security team at Rakuten, Inc. (hereby Rakuten). I am also a member of Rakuten-CERT. I would like to share about our on-going activities with universities. We believe we are nourishing the next generation of security pioneers, and contributing to society while protecting Rakuten’s users.
Like all security teams in the world, we face several problems and incidents on a daily basis. These daily challenges range from zero day attacks to fraudulent misuse on our web and mobile applications. To protect all of Rakuten user’s personal information effectively, hiring the right people to join our team became a critical responsibility for managers. However, hiring security engineers is not an easy task, as we not only need to find people with high technical skill sets, these candidates must also be gifted hackers who possess ethical mindsets. After several discussions, we turned our attention to fostering talent at universities, as we already have several connections in the higher education sector.
My colleague in this endeavor is Professor Yoshihiro Kilho Shin from University of Hyogo Graduate School of Applied Informatics. Professor Shin also teaches in the Carnegie Mellon University Kobe MSIT-IS Dual Program. The opportunity to talk with students from two prestigious universities provides a huge benefit for us.
The idea of this cooperation scheme proposes that Rakuten will devote resources to provide monthly lectures to students and invite them to join Rakuten’s internship program. Additionally, Rakuten can provide potential research topics as part of the program’s curriculum. With the above activities, we can contribute to the nourishment of security savvy students, and leave valuable security research results to the community. This program has already proven its worth in our hiring procedure as we have already hired two previous student intern participants from this cooperation scheme after their graduation from Carnegie Mellon University.
Regarding the research topics, among all the challenges that we have on our list, we decided to tackle what we call the “fake site problem”. Since Professor Shin specializes in Machine Learning, we had great hope that this topic will be a very good starting point for our cooperation.
So what’s the fake site problem? From the initial launch of Rakuten Ichiba and other internet services till now, we have gained significant trust and recognition from our users. However, occasionally we discover people with malicious intent who misuse our brand name to host EC sites without any prior consent from Rakuten. These fraudulent online shops attempt to lure customers in purchasing goods from their “stores”, but in most cases nothing will ever be shipped to the victim, even if payment has already been completed. These are what we call “fake sites”. Because of the increasing occurrence of this threat, eliminating these websites to protect our users and brand image by working with security vendors , the Metropolitan Police Department and other stakeholders has become one of our top priorities.
After several discussions with Professor Shin, we came to the conclusion that if we identify the HTML structure of the fake site while utilizing the power of Support Vector Machine, we might be able to find patterns between a fake site and legitimate Rakuten sites. This might sound straight forward because HTML can be easily represented in a tree structure, however two major challenges exist. As HTML tends to be quite complicated, this might require very heavy computing power and extensive time while training the model. To solve that, after numerous trial-and-error attempts to prune nodes without losing any structural features, methodologies to simplify tree structures were found. Another challenge is that Support Vector Machine only takes vectors as inputs. To overcome this, Professor Shin took the advantages of the Kernel Mapping, which was invented and developed by himself and his colleagues, to encode the tree structures into vectors.
Apart from the above-mentioned challenges, this research also needed experimentation in various Tree Kernels to find the most suitable one for our purposes. After numerous experiments, Professor Shin and his team could identify good approaches which led to satisfying results.
After long term devotion beginning in 2015, the Rakuten security team made progressive contributions by providing special monthly lectures to students, which has positively affected our hiring procedure. We approached challenges in new ways by working with the academic world to tackle the fake site issue to satisfying results. Hopefully all of our efforts will make lasting contributions to the security community as a whole and create positive user-experiences for Rakuten customers.
Since an effective workflow has been established, our next task of cooperation research is clear. The next important topic for research will be how to automate and apply our fake site solution in a real-world setting. We, the IT Security Engineering Office, will provide our continuous support to protect our users, as well as increasing cooperation in the academic world.