How to Effectively Combat Large-Scale Cyberattacks: AI Technology That Automatically Detects Malware


AI That Automatically Determines Whether Countermeasures are Required After Detecting Suspicious Malware Activity

In recent years, the number of cyberattacks targeting companies, organizations, and individuals has been increasing. Among them, "targeted cyberattacks," which target specific companies, organizations, or individuals to persistently attempt to leak valuable information or crash entire systems, are becoming a major threat.

In targeted attacks, the attacker uses sophisticated methods to deliver malware that enables remote control into the internal networks of companies and organizations, and then remotely operates the infected PCs or devices to steal confidential information. Companies and organizations have implemented various security measures to defend against these attacks. These measures detect suspicious malware activity, after which a security expert manually investigates and confirms whether the activity is a threat. This process of determining whether countermeasures are necessary is time-consuming.

If too much time is spent dealing with a series of malware attacks, there may not be enough time left to take countermeasures. Furthermore, in the event of a cyberattack, if the entire process of "preparation," "detection & analysis," "containment, eradication & recovery" and "post-incident activity" depends on the manual work of security experts, it may be difficult to respond rapidly.

Figure: In order to successfully counter cyberattacks, it is crucial to maintain a rapid cycle of "preparation," "detection & analysis," "containment, eradication and recovery" and "post-incident activity."


When deploying countermeasures against malware, the compromised device, such as a PC, must be cut off from the network, but deciding whether a countermeasure is needed requires careful judgment. However, in Japan there is a shortage of expert engineers (security personnel) capable of making these advanced judgments. According to "the Study of Recent Trends and Future Estimates Concerning IT Human Resources" released by the Ministry of Economy, Trade and Industry (METI) in 2016, there will be an estimated shortage of about 193,000 security personnel by the year 2020.

As a solution to these problems, Fujitsu and Fujitsu Laboratories have developed technology that uses AI (artificial intelligence) that is as accurate as human security experts to automatically determine whether countermeasures are necessary when suspicious malware activity is detected.

How the AI Determines "Whether Suspicious Activity Is a Cyberattack Threat"

There were several challenges that emerged during the development of this AI technology. The first challenge was how to enable AI to learn what activities are those of malware, and "whether it could potentially damage the network or devices of a company or organization."

Servers, terminals, and network devices accumulate massive amounts of data in which records of normal operation and of malware attacks are mixed. In order to enable AI to properly judge "whether a certain activity is a malware attack," the records of malicious activity must be accurately selected out of this massive collection of activity records and used to train the AI.

Another challenge is the amount of data the AI must learn from. Cyberattack data is scarce to begin with, so the small amount of learning data is normally processed to create imitation data that expands the data available for learning. However, learning data for targeted cyberattacks may lose its malicious characteristics under simple processing, making such expansion difficult.

Quadrupled the Amount of Learning Data Using "Deep Tensor"

To address these challenges, Fujitsu Laboratories has developed "a technology to extract learning data," which accurately extracts learning data from cyberattack records, and "a technology to expand learning data," which secures a sufficient amount of learning data related to targeted cyberattacks.

With the technology to accurately extract learning data, "an attack pattern database" comprising about seven years' worth of cyberattack analysis data was built based on the know-how cultivated through Fujitsu Laboratories' research and past experience in the security-related business. Based on attack records, the attributes and degrees of threat of the attacks are determined while searching for highly correlated records, and then a series of cyberattack records are extracted. By using this kind of database, it is possible to accurately specify and extract a series of attempts to steal information from a massive database of records.

With the technology to expand learning data, the attack patterns of the extracted targeted cyberattacks are fully analyzed on a graph whose data identify the series of connections (relations) between attacks and other activities, after which "Deep Tensor," Fujitsu's AI technology that derives new knowledge, is applied. For each attack pattern, the series of connections between attacks and other activities is analyzed. By partially changing the elements that compose an attack pattern, the learning data for that pattern can be expanded four-fold without losing its malicious characteristics.

Figure: A subspecies of an attack is created by partially changing its elements, such as the file names written by the cyberattack's activities.

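The two steps described above, extracting one correlated series of records out of a mixed activity log and then expanding it four-fold by changing only incidental elements such as file names, are illustrated by the following added example. It is not Fujitsu's code and not Deep Tensor: the `Activity` fields, the constructed log, the parent link used as the "relation", the renaming rule and the two detection rules at the end are all assumptions made for the illustration. The structural signature makes the guarantee concrete: every variant keeps the same kinds and relations (including the fact that the file written in one step is the file executed in the next), so a rule keyed on structure fires on all of them while a rule keyed on an exact file name does not.

```python
"""Extract one correlated attack series from mixed records and expand it
four-fold by renaming files while preserving the relations between steps.

Added example; not Fujitsu's code and not Deep Tensor. Fields, records and
the renaming rule are constructed for illustration.
"""
import hashlib
import random
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Activity:
    id: int
    kind: str              # "exec", "write" or "connect"
    parent: Optional[int]  # id of the activity that caused this one (the relation)
    name: str              # incidental element: a file name or a destination


# Constructed activity log mixing ordinary operation with one intrusion chain.
LOG = (
    Activity(0, "exec", None, "mail_client.exe"),
    Activity(1, "exec", None, "doc_viewer.exe"),
    Activity(2, "write", 1, "helper_update.exe"),    # viewer writes a file ...
    Activity(3, "exec", 2, "helper_update.exe"),     # ... which is then executed
    Activity(4, "connect", 3, "203.0.113.10:443"),   # and reaches out for remote control
    Activity(5, "write", 3, "collected.zip"),        # gathers data
    Activity(6, "connect", 5, "203.0.113.10:443"),   # and sends it out
    Activity(7, "write", 0, "inbox_cache.dat"),      # ordinary mail activity
    Activity(8, "exec", None, "backup_agent.exe"),
    Activity(9, "write", 8, "backup_2023.tar"),
)

MUTABLE_KINDS = {"exec", "write"}  # file names are incidental; kinds and relations are not


def extract_series(log: Tuple[Activity, ...], seed_id: int) -> Tuple[Activity, ...]:
    """Return every activity connected to the seed alert through parent links."""
    by_id = {a.id: a for a in log}
    members = {seed_id}
    cur = by_id[seed_id]
    while cur.parent is not None:          # walk up to the root of the chain
        members.add(cur.parent)
        cur = by_id[cur.parent]
    changed = True
    while changed:                         # then collect all descendants of the chain
        changed = False
        for a in log:
            if a.parent in members and a.id not in members:
                members.add(a.id)
                changed = True
    return tuple(a for a in log if a.id in members)


def structural_signature(series: Tuple[Activity, ...]) -> str:
    """Hash of the relation graph with names stripped out, but keeping name reuse
    (which earlier step first introduced the name this step refers to)."""
    first_seen = {}
    shape = []
    for i, a in enumerate(series):
        shape.append((a.kind, a.parent, first_seen.setdefault(a.name, i)))
    return hashlib.sha256(repr(shape).encode()).hexdigest()[:16]


def make_variant(series: Tuple[Activity, ...], rng: random.Random) -> Tuple[Activity, ...]:
    """One 'subspecies': rename files consistently, leave kinds and relations untouched."""
    renames = {}
    out = []
    for a in series:
        name = a.name
        if a.kind in MUTABLE_KINDS:
            if name not in renames:
                ext = name.rsplit(".", 1)[-1]
                new = None
                while new is None or new in renames.values():   # keep renamed files distinct
                    new = f"{rng.choice(('svc', 'tmp', 'lib', 'upd'))}{rng.randrange(1000, 9999)}.{ext}"
                renames[name] = new
            name = renames[name]
        out.append(Activity(a.id, a.kind, a.parent, name))
    return tuple(out)


def expand(series: Tuple[Activity, ...], factor: int = 4, seed: int = 0) -> list:
    """Original plus (factor - 1) variants that all share its structural signature."""
    rng = random.Random(seed)
    variants = [series]
    while len(variants) < factor:
        v = make_variant(series, rng)
        if v not in variants and structural_signature(v) == structural_signature(series):
            variants.append(v)
    return variants


def file_name_rule(series: Tuple[Activity, ...], known_name: str) -> bool:
    """Brittle rule: matches an exact file name seen in a past attack."""
    return any(a.name == known_name for a in series)


def structure_rule(series: Tuple[Activity, ...], known_sig: str) -> bool:
    """Structural rule: matches the relation graph and survives renaming."""
    return structural_signature(series) == known_sig


if __name__ == "__main__":
    series = extract_series(LOG, seed_id=4)
    sig = structural_signature(series)
    for v in expand(series):
        print([a.name for a in v], file_name_rule(v, "helper_update.exe"), structure_rule(v, sig))
```

Running the block extracts activities 1 to 6 from the log (0, 7, 8 and 9 are unrelated), prints four variants, and shows the file-name rule matching only the original while the structural rule matches all four.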

Judgment That Took a Few Hours to a Few Days Shortened to Less Than a Minute to Several Minutes

Fujitsu Laboratories carried out an experiment to assess the judgment model that learned the attack patterns using the newly created learning data. A simulation was run on the data of nearly 12,000 cases collected over about four months. As a result, a consistency rate of about 95% was achieved against the results of manual analysis by security experts, with 0% of the cases requiring countermeasures being overlooked.

Furthermore, a demonstration experiment was conducted using actual cyberattacks on companies, collected with the cyberattack luring system "STARDUST" operated by the National Institute of Information and Communications Technology (NICT). The experiment verified the effectiveness of the AI technology's automatic judgment of whether countermeasures are necessary in the event of an attack. In addition, with the newly developed technology, the determination of whether countermeasures are required, which took security experts several hours to several days, can be made automatically with a high degree of accuracy in less than a minute to a few minutes.
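The two figures reported above, a consistency rate against expert verdicts and the share of countermeasure-required cases that were overlooked, are different quantities, and a practitioner tuning such a model wants both. The following added example (not Fujitsu's evaluation code; the twenty cases, their scores and the expert labels are constructed, and the page's 12,000-case results are not reproduced) computes both from a score threshold and then picks the threshold that overlooks nothing while keeping consistency as high as possible. It also shows why consistency alone is not enough: two thresholds can agree with the experts equally often while one of them misses cases that required action.

```python
"""Scoring an automatic "countermeasure required?" judgment against expert labels.

Added example, not Fujitsu's evaluation code. Cases and scores are constructed.
"""
from typing import Dict, List, Optional, Sequence, Tuple

# Constructed: (model score in [0, 1], expert verdict "countermeasure required").
CASES = [
    (0.95, True), (0.90, True), (0.85, True), (0.80, True), (0.72, True), (0.60, True),
    (0.75, False), (0.70, False), (0.65, False), (0.55, False), (0.50, False),
    (0.45, False), (0.40, False), (0.35, False), (0.30, False), (0.25, False),
    (0.20, False), (0.15, False), (0.10, False), (0.05, False),
]
SCORES = [s for s, _ in CASES]
EXPERT = [e for _, e in CASES]


def decide(scores: Sequence[float], threshold: float) -> List[bool]:
    """Turn scores into verdicts: countermeasure required when score >= threshold."""
    return [s >= threshold for s in scores]


def evaluate(expert: Sequence[bool], model: Sequence[bool]) -> Dict[str, float]:
    """Consistency with the experts, with the two kinds of disagreement kept apart:
    'overlooked' (expert says required, model says not) is the dangerous one."""
    if len(expert) != len(model):
        raise ValueError("label lists differ in length")
    pairs = list(zip(expert, model))
    agree = sum(e == m for e, m in pairs)
    required = sum(e for e, _ in pairs)
    overlooked = sum(e and not m for e, m in pairs)
    false_alarms = sum(m and not e for e, m in pairs)
    return {
        "consistency_rate": agree / len(pairs),
        "overlooked": overlooked,
        "overlooked_rate": overlooked / required if required else 0.0,
        "false_alarms": false_alarms,
    }


def choose_threshold(expert: Sequence[bool], scores: Sequence[float]) -> Optional[Tuple[float, Dict[str, float]]]:
    """Among thresholds that overlook no required case, pick the most consistent one.
    Candidates are the distinct scores, so every achievable decision boundary is tried."""
    best = None
    for t in sorted(set(scores)):
        result = evaluate(expert, decide(scores, t))
        if result["overlooked"] != 0:
            continue
        if best is None or result["consistency_rate"] > best[1]["consistency_rate"]:
            best = (t, result)
    return best


if __name__ == "__main__":
    print("threshold 0.75:", evaluate(EXPERT, decide(SCORES, 0.75)))
    t, tuned = choose_threshold(EXPERT, SCORES)
    print(f"zero-miss threshold {t}:", tuned)
```

On the constructed data a threshold of 0.75 and the tuned threshold of 0.60 both reach a consistency rate of 0.85, but the former overlooks two of the six cases that required countermeasures while the latter overlooks none, at the cost of three false alarms that an expert would then clear.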

Fujitsu Laboratories hopes that by combining this technology with "the high-speed forensic technology" that quickly analyzes the full scope of damage inflicted by targeted cyberattacks, the combined technologies can automate the series of responses from analyzing attacks to instructing countermeasures, and help respond immediately to cyberattacks and minimize damages.

Aiming to Achieve a Safe and Secure World by Protecting People's Livelihoods from Cyberattacks

In recent years, an increasing number of "supply chain attacks" have been observed, which target not only major corporations but also their affiliated companies, partners, and individual employees in order to eventually reach the companies and organizations that are the primary target. In other words, anyone can become the target of a targeted cyberattack.

Furthermore, if a company or organization suffers a targeted cyberattack and valuable information is breached, it may lose social trust. In addition, what starts as crime against individuals, committed without any serious intent, tends to gradually evolve into more serious and sophisticated attacks, such as economic crime and organized crime targeting organizations, critical infrastructure and government institutions.

By utilizing the technology developed by Fujitsu, measures can be taken immediately against cyberattacks that are determined to require countermeasures, preventing damage to companies and organizations and allowing business to continue uninterrupted. It can also serve as a foundation that supports the safety and security of many people's everyday lives and livelihoods.

Fujitsu is considering applying this technology as a countermeasure platform for cyberattacks to be used in managed security services. We have also established "the Security Meister Certification System" that helps discover and train experts with advanced knowledge in security technology. Fujitsu aims to achieve a safe and secure future while supporting our customers' ICT operations.