Offers expert-level determinations and shorter evaluation times to minimize damage
KAWASAKI, Japan, Jan 22, 2019 – (JCN Newswire) –
Fujitsu Laboratories Ltd. has developed an AI technology that automatically
determines whether action needs to be taken in response to a cyberattack.
When a business network has been hit with a cyberattack, various security
appliances detect the attack on the network’s servers and devices.
Conventionally, an expert in cyberattack analysis then manually investigates
and checks the degree of threat, to determine whether action is needed to
minimize damage.
To secure the training data needed to develop highly accurate AI
technology, Fujitsu Laboratories has now developed a technology that identifies
and extracts attack logs, which show the behavior of a cyberattack, from huge
amounts of operations logs. It also developed a technology that expands the
small amount of training data extracted in a manner that does not spoil attack
characteristics. This generates a sufficient amount of training data.
In simulations using these technologies, they achieved a match rate of about
95% in comparison with experts’ conclusions regarding the need for action, and
they did not miss any attack cases that required a response. The time necessary
to reach a conclusion was also shortened from several hours to several minutes.
By using these technologies, countermeasures can quickly be put in place for
cyberattacks that have been determined to require action, contributing to
business continuity and the prevention of loss. Details of these technologies
are being announced at the 36th Symposium on Cryptography and Information
Security (SCIS 2019), being held from Tuesday, January 22, to Friday, January
25, in Otsu city, Shiga prefecture, Japan.
Development Background
In recent years, the number of cyberattacks against business networks has
continued to increase. In targeted attacks(1), which are one type of
cyberattack, the attacker uses clever techniques to embed remotely controllable
malware(2) in an organization, and then remotely controls the infected devices
to conduct intelligence activities. In defense, when a company discovers
suspicious activity with monitoring equipment such as a security appliance, a
security expert manually investigates the attack, takes time to evaluate the
danger and risk, and then determines whether a response is necessary.
The decision to respond needs to be made carefully as the responses themselves
may have consequences. For example, attacked business devices may need to be
isolated, and the network reconstructed, resulting in operation stoppages that
impact businesses.
According to statistics from Japan’s Ministry of Economy, Trade and
Industry(3), by 2020 there will be a shortage of 193,000 security professionals
in Japan. Given this, AI-based automation is expected to rapidly determine
whether attack cases require a response, making decisions on the same level as
an expert who has advanced knowledge and insight on attacks.
Issues
In order to develop an AI-based model to make determinations, the following
issues regarding training on attack information needed to be addressed:
1. The operations logs for normally functioning servers, devices, and network
equipment coexist with the attack operations logs, and both logs are
accumulated in great abundance. To conduct proper learning with AI, it is
necessary to identify the traces of targeted attacks from the large number of
logs. However, distinguishing between logs is difficult because intelligence
activities via targeted attacks utilize OS commands and other methods.
2. It is extremely difficult to extract attack operations logs from the huge
amounts of existing logs, while securing them in large quantities as training
data. For AI technologies, it is possible to increase the small amounts of
training data through procedures and conversions such as noise processing;
however, such simple processing of the training data of targeted attacks can
cause the attack characteristics to be lost, making data expansion difficult.
About the Newly Developed Technology
Fujitsu Laboratories has developed technologies to secure sufficient amounts of
training data related to targeted attacks, as required for the creation of
highly accurate AI determination models. Features of the developed technologies
are outlined below:
1. Training data extraction technology
Based on the know-how Fujitsu has accumulated in its security-related business
and research, as well as from about seven years’ worth of actual attack
analysis data, Fujitsu Laboratories has built a database of attack patterns
that includes commands and parameters linked to intelligence activities of
targeted attacks. By using this database, users can accurately identify and
extract a series of intelligence activities from the vast amounts of logs.
2. Training data expansion technology
This technology generates simulations of new intelligence gathering
activities, a type of targeted attack, without losing attack characteristics.
The technology calculates attack levels and identifies the important commands of
intelligence activities in the extracted targeted attack, then converts the
parameters within the range existing in the attack pattern database. As a
result, it becomes possible to expand the training data fourfold.
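A simplified sketch of the two ideas above: extraction of a command series against a pattern database, then expansion by swapping parameters only within the values that database holds. This is an added example, not Fujitsu's implementation; the database contents, log lines and function names are all constructed, and the attack-level scoring step is omitted.

```python
# Constructed stand-in for an attack pattern database: commands tied to
# intelligence activities, each with the parameter values recorded for it.
PATTERN_DB = {
    "ping": ["-n 1 10.0.0.5", "-n 1 10.0.0.9"],
    "net view": ["/all", "/domain:CORP", "/domain"],
    "net user": ["/domain", "administrator /domain"],
}

# Constructed operations log of (host, command line); most entries are benign.
SAMPLE_LOG = [
    ("pc-17", "ping -n 1 10.0.0.5"),
    ("pc-17", "notepad.exe report.txt"),
    ("pc-17", "net view /domain"),
    ("pc-17", "net user /domain"),
    ("pc-22", "ping -n 1 10.0.0.9"),  # one isolated match is not a series
    ("pc-22", "excel.exe budget.xlsx"),
]

def split_command(line, db):
    """Return (command, parameter) if the line starts with a DB command."""
    for cmd in sorted(db, key=len, reverse=True):
        if line.lower().startswith(cmd + " "):
            return cmd, line[len(cmd):].strip()
    return None

def extract_sequences(log, db, min_len=2):
    """Keep, per host, the ordered series of commands that match the DB."""
    per_host = {}
    for host, line in log:
        hit = split_command(line, db)
        if hit:
            per_host.setdefault(host, []).append(hit)
    return {h: s for h, s in per_host.items() if len(s) >= min_len}

def expand(seq, db, factor=4):
    """Return up to `factor` sequences (original first). Command order is
    preserved; each parameter rotates through the DB values for its command."""
    out = [list(seq)]
    for shift in range(1, factor):
        variant = []
        for cmd, param in seq:
            params = db[cmd]
            i = params.index(param) if param in params else 0
            variant.append((cmd, params[(i + shift) % len(params)]))
        if variant not in out:
            out.append(variant)
    return out

if __name__ == "__main__":
    for host, seq in extract_sequences(SAMPLE_LOG, PATTERN_DB).items():
        for v in expand(seq, PATTERN_DB):
            print(host, v)
```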
Effects
Fujitsu Laboratories combined the newly developed technologies with its own
Deep Tensor AI technology, and ran evaluative testing on the determination
model that had been trained on the new training data. Run in a simulation using
about four months of data (12,000 items), the technologies made an approximate
95% match with the findings that a security expert generated through manual
analysis, achieving a near equal determination of response necessity.
Furthermore, the technologies were field tested on STARDUST, the Cyber-attack
Enticement Platform(4) which is jointly operated with the National Institute of
Information and Communications Technology (NICT), using real cyberattacks
targeting companies. The technologies automatically determined the attack cases
requiring a response, thereby confirming their effectiveness.
With these AI technologies, determinations of the necessity of action, which
until now have taken an expert several hours to several days, can be
automatically made with high accuracy in tens of seconds to several minutes.
Furthermore, by combining these technologies with Fujitsu Laboratories’
high-speed forensic technology, which rapidly analyzes the whole picture of the
status of damage from a targeted attack, the response sequence, from attack
analysis to instructions for action, can be automated, enabling immediate
responses to cyberattacks and minimizing damage.
Future Plans
Fujitsu aims to make use of these technologies within its Managed Security
Services, as a response platform for cyberattacks.
(1) Targeted attack: A cyberattack targeting a specific organization or
individual, to relentlessly steal information or destroy systems.
(2) Malware: Malicious software.
(3) Statistics from Japan’s Ministry of Economy, Trade and Industry: Study of
Recent Trends and Future Estimates Concerning IT Human Resources, published in
2016 by the Ministry of Economy, Trade and Industry (in Japanese).
(4) STARDUST, the Cyber-attack Enticement Platform: A platform developed by the
National Institute of Information and Communications Technology (NICT) for the
observation of cyberattacks. By enticing attackers to an environment that
elaborately simulates organizations such as government and corporations, and
observing over the long term the activities of attackers without them noticing,
the platform aims to reveal the detailed behavior of attackers once they have
penetrated an organization, to gather the information needed to establish
cyberattack countermeasures and responses.
About Fujitsu Laboratories
Founded in 1968 as a wholly owned subsidiary of Fujitsu Limited, Fujitsu
Laboratories Ltd. is one of the premier research centers in the world. With a
global network of laboratories in Japan, China, the United States and Europe,
the organization conducts a wide range of basic and applied research in the areas
of Next-generation Services, Computer Servers, Networks, Electronic Devices and
Advanced Materials. For more information, please see: http://www.fujitsu.com/jp/group/labs/en/.
About Fujitsu Ltd
Fujitsu is the leading Japanese information and communication technology (ICT)
company, offering a full range of technology products, solutions, and services.
Approximately 140,000 Fujitsu people support customers in more than 100
countries. We use our experience and the power of ICT to shape the future of
society with our customers. Fujitsu Limited (TSE: 6702) reported consolidated
revenues of 4.1 trillion yen (US $39 billion) for the fiscal year ended March
31, 2018.
For more information, please see www.fujitsu.com.