Skip to main content

AI Creates False Documents That Fake Out Hackers

The algorithm hides sensitive information in a sea of decoys

Fox being deceived with decoy chickens.
Credit:

Thomas Fuchs

Hackers constantly improve at penetrating cyberdefenses to steal valuable documents. So some researchers propose using an artificial-intelligence algorithm to hopelessly confuse them, once they break in, by hiding the real deal amid a mountain of convincing fakes.

The algorithm, called Word Embedding–based Fake Online Repository Generation Engine (WE-FORGE), generates decoys of patents under development. But someday it could “create a lot of fake versions of every document that a company feels it needs to guard,” says its developer, Dartmouth College cybersecurity researcher V. S. Subrahmanian.

If hackers were after, say, the formula for a new drug, they would have to find the relevant needle in a haystack of fakes. This could mean checking each formula in detail—and perhaps investing in a few dead-end recipes. “The name of the game here is, ‘Make it harder,’” Subrahmanian explains. “‘Inflict pain on those stealing from you.’”


On supporting science journalism

If you're enjoying this article, consider supporting our award-winning journalism by subscribing. By purchasing a subscription you are helping to ensure the future of impactful stories about the discoveries and ideas shaping our world today.


Subrahmanian says he tackled this project after reading that companies are unaware of new kinds of cyberattacks for an average of 312 days after they begin. “The bad guy has almost a year to decamp with all our documents, all our intellectual property,” he says. “Even if you’re a Pfizer, that’s enough time to steal almost everything. It’s not just the crown jewels—it’s the crown jewels, and the jewels of the maid, and the watch of the secretary!

Counterfeit documents produced by WE-FORGE could also act as hidden “trip wires,” says Rachel Tobac, CEO of cybersecurity consultancy SocialProof Security. For example, an enticing file might alert security when accessed. Companies have typically used human-created fakes for this strategy. “But now if this AI is able to do that for us, then we can create a lot of new documents that are believable for an attacker—without having to do more work,” says Tobac, who was not involved in the project.

The system produces convincing decoys by searching through a document for keywords. For each one it finds, it calculates a list of related concepts and replaces the original term with one chosen at random. The process can produce dozens of documents that contain no proprietary information but still look plausible. Subrahmanian and his team asked computer science and chemistry graduate students to evaluate real and fake patents from their respective fields, and the humans found the WE-FORGE-generated documents highly believable. The results appeared in the Association for Computing Machinery’s Transactions on Management Information Systems.

WE-FORGE might eventually expand its scope, but Subrahmanian notes that a document recommending a course of action, for instance, would be much more complex than a technical formula. Still, both he and Tobac think this research will attract commercial interest. “I could definitely see an organization leveraging this type of product,” Tobac says. “If this ... creates believable decoys without releasing sensitive details within those decoys, then I think you’ve got a huge win there.”

Sophie Bushwick is tech editor at Scientific American. She runs the daily technology news coverage for the website, writes about everything from artificial intelligence to jumping robots for both digital and print publication, records YouTube and TikTok videos and hosts the podcast Tech, Quickly. Bushwick also makes frequent appearances on radio shows such as Science Friday and television networks, including CBS, MSNBC and National Geographic. She has more than a decade of experience as a science journalist based in New York City and previously worked at outlets such as Popular Science,Discover and Gizmodo. Follow Bushwick on X (formerly Twitter) @sophiebushwick

More by Sophie Bushwick
Scientific American Magazine Vol 325 Issue 1This article was originally published with the title “Too Much Information” in Scientific American Magazine Vol. 325 No. 1 (), p. 18
doi:10.1038/scientificamerican0721-18a