Fujitsu develops tech to detect back-and-forth-type targeted email attacks in real time

Fujitsu Limited and Fujitsu Laboratories Ltd have announced technology that uses Fujitsu's artificial intelligence to detect, in real time, targeted email attacks aimed at specific organizations.

In recent years, targeted attacks have become more sophisticated: attackers disguise their initial contact as a work-related matter and strike only after gaining an employee's trust, which makes the suspicious activity hard to notice.

Fujitsu says the new technology detects targeted email attacks in real time by learning normal activity patterns from the associations in a collection of operational logs, including users' everyday email habits and the websites they visit before and after using email, and then flagging behavior that deviates from those patterns.

The technology raises alerts only for emails that pose a high degree of danger, rather than triggering a detection for every individually suspicious email, and it does so even for back-and-forth type targeted email attacks that involve multiple email exchanges between the user and the attacker.

Furthermore, used together with other Fujitsu Laboratories technologies, it lets security managers take proactive countermeasures against targeted email attacks, such as temporarily restricting high-risk email and web activities for the people being targeted, and for the people and organizations connected to them through their work.

This technology was developed in part with assistance from the Ministry of Internal Affairs and Communications through the Research and Development Regarding the Detection and Analysis of Cyber Attacks project.

Background

In recent years, targeted attacks against specific organizations have grown more sophisticated. Attackers send repeated emails pretending to be customers of the targeted organization, or set traps on websites that users within the organization visit frequently, exploiting vulnerabilities to infect them with malware tailored to that organization. Because the emails used in targeted attacks are often sent repeatedly to multiple other users within an organization, organizations require ongoing countermeasures.

Issues

Targeted attack emails are written to be indistinguishable from legitimate inquiries from customers or other related parties, and the malware they carry is written individually for each target, so existing spam filters and anti-virus software struggle to detect them. It is particularly difficult to respond to exchanges in which the attackers keep emailing while pretending to be customers or other related people for a period of time, building trust before sending the email designed to infect the user with malware.

About the Newly Developed Technology

Now, in an industry first, Fujitsu has developed a technology that learns from the associations in a string of operational logs, including users' typical email habits and their website visits before and after using email, and detects suspicious back-and-forth type targeted email attacks in real time. The technology is made up of the two components detailed below.

Technology that correlates multiple operational user logs, starting with receipt of an email

Fujitsu has developed a technology that correlates a user's unified operational log starting from the moment an email is received: receipt of the email, reading its text, clicking a URL in the text and accessing the web page in a browser. By correlating the operational logs for each person with whom the user exchanges email, including long-running strings of email exchanges and the related website access, the system can identify, for example, whether downloads from a particular website occurred in the course of an exchange with a specific person.

Real time anomaly detection technology through combined judgement

Back-and-forth type targeted email attacks involve multiple emails between user and attacker, and the operational log of all of a user's actions over a long period is huge. To detect these attacks in real time, Fujitsu developed an anomaly detection technology that extracts and combines only the operational log entries related to a string of emails, compresses them, and then learns from the compressed records and compares them with others to detect anomalies. This condenses the information volume required for anomaly detection to under one-tenth of the overall volume, enabling high-speed detection even for targeted email attack exchanges that typically span several days. The machine learning uses Fujitsu's proprietary "Human Centric AI Zinrai" technology.

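As an added illustration of the two components described above (it is not Fujitsu's code and says nothing about how Zinrai itself works), the following Python script correlates a constructed operational log into one chain per correspondent, compresses each chain to a handful of features, learns a baseline from constructed summaries of past benign exchanges, and produces one combined score per exchange instead of one alert per event. The log schema, the 10-minute click window, the feature set, the baseline data, the correspondent addresses and the 3.5 threshold are all assumptions made for this example.

```python
"""Per-correspondent correlation of an email/web log plus one combined anomaly
score per exchange. Added illustration, not Fujitsu's code: the log schema,
click window, features, baseline data and threshold are assumptions."""
import math
from collections import defaultdict
from datetime import datetime, timedelta

CLICK_WINDOW = timedelta(minutes=10)  # web events this soon after an email URL click join its thread
FEATURES = ("n_recv", "n_sent", "n_clicks", "n_hosts", "n_downloads", "span_days")


def correlate(events):
    """Split one user's log into one chain per correspondent, dropping
    browsing that cannot be tied to a click from a logged email."""
    chains, msg_peer, last_click = defaultdict(list), {}, None
    for e in sorted(events, key=lambda x: datetime.fromisoformat(x["ts"])):
        t, kind = datetime.fromisoformat(e["ts"]), e["type"]
        if kind in ("mail_recv", "mail_send"):       # carry peer and msg
            msg_peer[e["msg"]] = e["peer"]
            chains[e["peer"]].append(e)
        elif kind in ("mail_open", "url_click"):     # carry msg only
            peer = msg_peer.get(e["msg"])
            if peer is None:
                continue                             # refers to a message never logged
            if kind == "url_click":
                last_click = (t, peer)
            chains[peer].append(e)
        elif kind in ("web_get", "download"):        # carry host only
            if last_click and t - last_click[0] <= CLICK_WINDOW:
                chains[last_click[1]].append(e)
    return dict(chains)


def summarize(chain):
    """Compress a chain to the few numbers the anomaly score needs."""
    times = [datetime.fromisoformat(e["ts"]) for e in chain]
    kinds = [e["type"] for e in chain]
    return {"n_recv": kinds.count("mail_recv"), "n_sent": kinds.count("mail_send"),
            "n_clicks": kinds.count("url_click"), "n_downloads": kinds.count("download"),
            "n_hosts": len({e["host"] for e in chain if "host" in e}),
            "span_days": (max(times) - min(times)).total_seconds() / 86400}


def learn_baseline(history):
    """Per-feature mean and std over past benign exchanges; std is floored at
    1.0 so one extra event never counts as more than one standard unit."""
    base = {}
    for f in FEATURES:
        vals = [s[f] for s in history]
        mean = sum(vals) / len(vals)
        std = math.sqrt(sum((v - mean) ** 2 for v in vals) / len(vals))
        base[f] = (mean, max(std, 1.0))
    return base


def anomaly_score(summary, base):
    """Combined judgement: one standardized distance for the whole exchange."""
    return math.sqrt(sum(((summary[f] - m) / s) ** 2 for f, (m, s) in base.items()))


def detect(events, base, threshold=3.5):
    """{peer: score} for exchanges whose combined score exceeds the threshold."""
    scores = {p: anomaly_score(summarize(c), base) for p, c in correlate(events).items()}
    return {p: round(s, 2) for p, s in scores.items() if s > threshold}


def mk(ts, kind, **f):
    return {"ts": ts, "type": kind, **f}

CUSTOMER = "alice@customer.example"       # constructed benign correspondent
IMPOSTOR = "sato@customer-example.test"   # constructed attacker posing as a customer
LOG = [  # constructed log of one user; not real data
    mk("2024-03-01T11:00", "mail_recv", peer=IMPOSTOR, msg="x1"),
    mk("2024-03-01T13:00", "mail_send", peer=IMPOSTOR, msg="x2"),
    mk("2024-03-03T11:00", "mail_recv", peer=IMPOSTOR, msg="x3"),
    mk("2024-03-03T11:06", "url_click", msg="x3"),
    mk("2024-03-03T11:07", "web_get", host="share-example.test"),
    mk("2024-03-03T11:08", "download", host="share-example.test"),
    mk("2024-03-03T15:00", "mail_send", peer=IMPOSTOR, msg="x4"),
    mk("2024-03-04T09:00", "mail_recv", peer=CUSTOMER, msg="a1"),
    mk("2024-03-04T09:05", "mail_open", msg="a1"),
    mk("2024-03-04T09:30", "mail_send", peer=CUSTOMER, msg="a2"),
    mk("2024-03-05T10:00", "mail_recv", peer=CUSTOMER, msg="a3"),
    mk("2024-03-05T10:03", "url_click", msg="a3"),
    mk("2024-03-05T10:03:30", "web_get", host="portal.customer.example"),
    mk("2024-03-05T11:00", "download", host="intranet.example"),  # 57 min after the click: unrelated
    mk("2024-03-05T14:00", "web_get", host="news.example"),       # ordinary browsing: unrelated
    mk("2024-03-06T10:00", "mail_recv", peer=IMPOSTOR, msg="x5"),
    mk("2024-03-06T10:03", "url_click", msg="x5"),
    mk("2024-03-06T10:05", "download", host="cdn-example.test"),
    mk("2024-03-06T10:30", "mail_send", peer=IMPOSTOR, msg="x6"),
    mk("2024-03-10T09:00", "mail_recv", peer=IMPOSTOR, msg="x7"),
    mk("2024-03-10T09:02", "url_click", msg="x7"),
    mk("2024-03-10T09:03", "download", host="dl-example.test"),
]
BENIGN_HISTORY = [  # constructed summaries of past benign exchanges
    {"n_recv": 3, "n_sent": 2, "n_clicks": 1, "n_hosts": 1, "n_downloads": 0, "span_days": 2.0},
    {"n_recv": 5, "n_sent": 4, "n_clicks": 0, "n_hosts": 0, "n_downloads": 0, "span_days": 6.0},
    {"n_recv": 2, "n_sent": 2, "n_clicks": 1, "n_hosts": 1, "n_downloads": 1, "span_days": 1.0},
    {"n_recv": 4, "n_sent": 3, "n_clicks": 2, "n_hosts": 1, "n_downloads": 0, "span_days": 4.0},
]

if __name__ == "__main__":
    base = learn_baseline(BENIGN_HISTORY)
    print("flagged exchanges:", detect(LOG, base))
```

Run directly, the script flags only the impostor's exchange. Two design points mirror the description above: only web activity that can be tied to a click from a logged email enters a chain, so ordinary browsing and the late intranet download never inflate a correspondent's score, and the score is computed over the whole exchange, so the customer's single link click stays well under the threshold while the impostor's run of clicks and downloads spread across nine days does not.
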
Whereas previous technologies detected individual anomalies in each email or web access, these technologies detect the series of suspicious actions that make up a targeted email attack exchange and exclude unrelated actions. In an experimental testbed, Fujitsu demonstrated that this reduced the number of events that trigger detection to under one-tenth of that of previous technologies.

© Japan Today