SYS-CON MEDIA Authors: Pat Romanski, Sean Houghton, Glenn Rossman, Ignacio M. Llorente, Xenia von Wedel

News Feed Item

Fujitsu Develops Technology to Quickly Detect Latent Malware Activity in Internal Networks

Protects organizations by identifying infected machines before data breaches occur


Tokyo, Apr 15, 2014 - (JCN Newswire) - Fujitsu Laboratories Ltd. today announced that it has developed technology that quickly detects latent malware activity in a network. This technology monitors an internal network to protect against advanced persistent threats (APT) on specific companies or individuals, an increasingly common problem.

APT employ malicious programs known as malware which cannot always be detected by ordinary antivirus software, so security measures that protect the entryways to internal networks are limited. In addition, with malware infections, it is often the case that the attackers, through remotely controlled operations that are disguised in the flow of ordinary communications from outside the network, can carry out hidden activities for long periods of time. This makes it difficult to discover the problem at the exit points of internal networks, such as through unauthorized intrusion-detection systems.

As a method to detect the activity of malware designed to remotely control a terminal, Fujitsu Laboratories focused on the typical communications patterns of latent malware activity within a company's network. The company developed technology to analyze and detect the relationships between multiple communications from outside and within the network. Fujitsu Laboratories then developed technology for the high-speed detection of malware in real time that would work using general-purpose servers. Actual application of this method had been a problematic issue to overcome.

In a connected network of approximately 2000 devices, Fujitsu Laboratories tested and verified that the technology could detect simulated malware activity. This technology makes it possible to quickly detect the latent activity of APT malware in an internal network and protect against data breaches before they occur.

Background

In recent years there has been a surge in increasingly sophisticated APT against specific organizations and individuals for the purpose of stealing information. In APT, the target is thoroughly studied in advance, and the attack is persistently carried out through such methods as email messages disguised as regular business communications. It is not always possible for ordinary antivirus software to distinguish between regular software and software used in an attack, so it is difficult to fully protect an internal network from being infiltrated by malware.

To protect against such sophisticated malware activity, in addition to the conventional security protections used at the entry and exit points of internal networks, it is necessary to employ protection methods that focus inside internal networks.

Issues

The most common type of malware today is known as a Remote Access Trojan (RAT)(1). With a RAT, the intruder outside a network remotely operates an infected PC within a network to collect internal data, disguising activities as routine business communications such as sending or receiving emails. The RAT infiltrates the network in advance through an email message or other means, but does not immediately begin the processing associated with the attack. Afterwards, when the attack begins, the content of the communications does not contain malware itself, and the traffic associated with the remote operations is almost always encrypted. This activity is difficult to discover using conventional antivirus software or unauthorized intrusion-detection systems.

By analyzing the types of communications flowing over a network and the related communications that precede or follow them, it is possible to detect latent activity within a network that is characteristic of a RAT, the remote-control type malware. Fujitsu Laboratories conducted research and development on ways to monitor choke points, which are the gateways attackers use in such attacks.

This method, however, requires significant processing time as it is necessary to identify, within a huge stream of work-related traffic, the communications associated with an attack, and then confirm the links between multiple communications. At the same time, to apply this method within a company, it is necessary to configure the detection function to each network domain in the smallest units possible, and, ideally, to use few CPU or memory computing resources.

About the New Technology

By focusing on the communications patterns seen in all latent activity of RATs within an internal network, and by analyzing the relationships between intranet communications, Fujitsu Laboratories developed technology for the high-speed detection of latent activity of RATs within an internal network. This technology enables the choke point monitoring method to be performed at high speeds, and makes it practical to perform with network devices that operate using limited computing resources.

The following two diagnostic technologies were developed to enable the efficient identification of attack-related communications traffic an infected PC sends to its target (Figure 2).

1. Specific domain diagnostic

To determine whether a given communication is associated with an attack, it had been necessary to perform a detailed analysis of the content of the communication, but now Fujitsu Laboratories has developed a highly precise way to diagnose attack-related communication while reducing the processing load required for analysis. This diagnostic method uses only the relationship between data on the specific domains for multiple communications and the communication sequence.

2. Screening diagnostic
To extract, from an enormous volume of communications, the multiple communications that comprise an attack requires significant processing time. Fujitsu Laboratories has now developed a way to efficiently detect multiple suspicious communications by managing a screening process in which the processing procedures of an attack and communication information are compared in order to screen at each stage of an attack.

The use of these diagnostic technologies enabled an approximately 30-fold increase in the volume of communications that were able to be processed for detection without sacrificing detection performance.

In a connected network environment of approximately 2000 devices on which a large volume of work-related communications was flowing, this technology was verified and evaluated while recreating the latent activity of a RAT. The result was complete detection of the RAT's attack communications, which represented 0.0001% of the overall communication packet volume, with no spillover, even with a Gigabit-class communication line. Moreover, no work-related communications were falsely detected as attack-related communications.

Results

By building this technology into networking equipment and distributively configuring on a local network, it is possible to monitor malicious traffic flowing over a network and detect APT malware, which is difficult to do with firewalls or antivirus software, before data is leaked.

Future Plans

Fujitsu Laboratories will proceed with R&D on malware detection technologies with the aim of commercializing this technology during fiscal 2014.

Notes:

(1) Remote Access Trojan (RAT):

A malicious software program that infiltrates a local network disguised as a benign program and that can be remotely controlled by outside attackers.

About Fujitsu Limited

Fujitsu is the leading Japanese information and communication technology (ICT) company offering a full range of technology products, solutions and services. Approximately 170,000 Fujitsu people support customers in more than 100 countries. We use our experience and the power of ICT to shape the future of society with our customers. Fujitsu Limited (TSE: 6702) reported consolidated revenues of 4.4 trillion yen (US$47 billion) for the fiscal year ended March 31, 2013 For more information, please see www.fujitsu.com.



Source: Fujitsu Limited

Contact:
Fujitsu Limited
Public and Investor Relations
www.fujitsu.com/global/news/contacts/
+81-3-3215-5259


Copyright 2014 JCN Newswire. All rights reserved. www.japancorp.net

More Stories By JCN Newswire

Copyright 2008 JCN Newswire. All rights reserved. Republication or redistribution of JCN Newswire content is expressly prohibited without the prior written consent of JCN Newswire. JCN Newswire shall not be liable for any errors or delays in the content, or for any actions taken in reliance thereon.

Latest Stories
AppZero has announced that its award-winning application migration software is now fully qualified within the Microsoft Azure Certified program. AppZero has undergone extensive technical evaluation with Microsoft Corp., earning its designation as Microsoft Azure Certified. As a result of AppZero's work with Microsoft, customers are able to easily find, purchase and deploy AppZero from the Azure Marketplace. With just a few clicks, users have an Azure-based solution for moving applications to the...
SYS-CON Media announced today that Aruna Ravichandran, VP of Marketing, Application Performance Management and DevOps at CA Technologies, has joined DevOps Journal’s authors. DevOps Journal is focused on this critical enterprise IT topic in the world of cloud computing. DevOps Journal brings valuable information to DevOps professionals who are transforming the way enterprise IT is done. Aruna's inaugural article "Four Essential Cultural Hacks for DevOps Newbies" discusses how to demonstrate the...
“In the past year we've seen a lot of stabilization of WebRTC. You can now use it in production with a far greater degree of certainty. A lot of the real developments in the past year have been in things like the data channel, which will enable a whole new type of application," explained Peter Dunkley, Technical Director at Acision, in this SYS-CON.tv interview at @ThingsExpo, held Nov 4–6, 2014, at the Santa Clara Convention Center in Santa Clara, CA.
The move in recent years to cloud computing services and architectures has added significant pace to the application development and deployment environment. When enterprise IT can spin up large computing instances in just minutes, developers can also design and deploy in small time frames that were unimaginable a few years ago. The consequent move toward lean, agile, and fast development leads to the need for the development and operations sides to work very closely together. Thus, DevOps become...
"Our premise is Docker is not enough. That's not a bad thing - we actually love Docker. At ActiveState all our products are based on open source technology and Docker is an up-and-coming piece of open source technology," explained Bart Copeland, President & CEO of ActiveState Software, in this SYS-CON.tv interview at DevOps Summit at Cloud Expo®, held Nov 4-6, 2014, at the Santa Clara Convention Center in Santa Clara, CA.
The cloud is becoming the de-facto way for enterprises to leverage common infrastructure while innovating and one of the biggest obstacles facing public cloud computing is security. In his session at 15th Cloud Expo, Jeff Aliber, a global marketing executive at Verizon, discussed how the best place for web security is in the cloud. Benefits include: Functions as the first layer of defense Easy operation –CNAME change Implement an integrated solution Best architecture for addressing network-l...
“We help people build clusters, in the classical sense of the cluster. We help people put a full stack on top of every single one of those machines. We do the full bare metal install," explained Greg Bruno, Vice President of Engineering and co-founder of StackIQ, in this SYS-CON.tv interview at 15th Cloud Expo, held Nov 4–6, 2014, at the Santa Clara Convention Center in Santa Clara, CA.
Verizon Enterprise Solutions is simplifying the cloud-purchasing experience for its clients, with the launch of Verizon Cloud Marketplace, a key foundational component of the company's robust ecosystem of enterprise-class technologies. The online storefront will initially feature pre-built cloud-based services from AppDynamics, Hitachi Data Systems, Juniper Networks, PfSense and Tervela. Available globally to enterprises using Verizon Cloud, Verizon Cloud Marketplace provides a one-stop shop fo...
SYS-CON Events announced today that Windstream, a leading provider of advanced network and cloud communications, has been named “Silver Sponsor” of SYS-CON's 16th International Cloud Expo®, which will take place on June 9–11, 2015, at the Javits Center in New York, NY. Windstream (Nasdaq: WIN), a FORTUNE 500 and S&P 500 company, is a leading provider of advanced network communications, including cloud computing and managed services, to businesses nationwide. The company also offers broadband, p...
The Internet of Things is not new. Historically, smart businesses have used its basic concept of leveraging data to drive better decision making and have capitalized on those insights to realize additional revenue opportunities. So, what has changed to make the Internet of Things one of the hottest topics in tech? In his session at @ThingsExpo, Chris Gray, Director, Embedded and Internet of Things, discussed the underlying factors that are driving the economics of intelligent systems. Discover ...

ARMONK, N.Y., Nov. 20, 2014 /PRNewswire/ --  IBM (NYSE: IBM) today announced that it is bringing a greater level of control, security and flexibility to cloud-based application development and delivery with a single-tenant version of Bluemix, IBM's

SYS-CON Events announced today that IDenticard will exhibit at SYS-CON's 16th International Cloud Expo®, which will take place on June 9-11, 2015, at the Javits Center in New York City, NY. IDenticard™ is the security division of Brady Corp (NYSE: BRC), a $1.5 billion manufacturer of identification products. We have small-company values with the strength and stability of a major corporation. IDenticard offers local sales, support and service to our customers across the United States and Canada...
SYS-CON Events announced today that AIC, a leading provider of OEM/ODM server and storage solutions, will exhibit at SYS-CON's 16th International Cloud Expo®, which will take place on June 9-11, 2015, at the Javits Center in New York City, NY. AIC is a leading provider of both standard OTS, off-the-shelf, and OEM/ODM server and storage solutions. With expert in-house design capabilities, validation, manufacturing and production, AIC's broad selection of products are highly flexible and are conf...
Leysin American School is an exclusive, private boarding school located in Leysin, Switzerland. Leysin selected an OpenStack-powered, private cloud as a service to manage multiple applications and provide development environments for students across the institution. Seeking to meet rigid data sovereignty and data integrity requirements while offering flexible, on-demand cloud resources to users, Leysin identified OpenStack as the clear choice to round out the school's cloud strategy. Additional...
DevOps Summit 2015 New York, co-located with the 16th International Cloud Expo - to be held June 9-11, 2015, at the Javits Center in New York City, NY - announces that it is now accepting Keynote Proposals. The widespread success of cloud computing is driving the DevOps revolution in enterprise IT. Now as never before, development teams must communicate and collaborate in a dynamic, 24/7/365 environment. There is no time to wait for long development cycles that produce software that is obsolete...