Behavior Analysis Technology for Human-Centric Security

Transcription

1 Fujitsu North America Technology Forum 2016 Behavior Analysis Technology for Human-Centric Security Hiroshi Tsuda Project Director, Privacy & Data Security Project Knowledge Processing Laboratory, Fujitsu Laboratories Ltd. February 16, 2016

2 Background: How information is leaked? 72% of the data leak are caused by Human missending , losing PC, etc. DDoS attacks, defects on IT systems Human Error 25% System Vulnerability 29% Insider Fraud or Cyberattack 47% Malicious Insider Targeted Attack Cf. IBM, 2015 Cost of Data Breach Study 1

3 Lessons from behavior of Fujitsu employee Missending Log of SHieldMailChecker SHieldMailChecker, Fujitsu standard tool for preventing missending Careless hours of missending # Open rate Simulated training of targeted Trial by over 600 persons of Fujitsu Lab. Sectional difference of open rate 2nd Training : 12%( mean ) error rate 1st Training : 32%( mean ) 時 5% 4% 3% 2% 1% 0% Limitation of uniform security policy 2 Department

4 Approach for proactive security measure 2. Psychological Analysis 3. Machine learning, Anomaly detection Potential Risk Dynamic Risk 2000 Internet users Psychological anaysis 250 user behavior employees control agent Log collection with anonymization anonymization Psychological Traits of victims Apply Answers to the questionnaire Correlate PC operation logs Behavioral characteristics related to risks Compare PC operation logs Visualization of user/organizational security risks Realtime anomaly detection Proactive security measure 1.User Behavior Capturing/Policy enforcement policy control 3

5 Security Risk Assessment Technology Demonstration Assess risks of fraud, unintentional data leak, and malware infection from behavior. (eg) People who has confidence in PC usage is vulnerable to unintentional data leak Please answer several questions Your vulnerability in ICT risks image image - How many s do you send? - Do you often cross road in red trafic signal? 4

6 Acceptability of behavior analysis from privacy point of view Is it acceptable for using user behavior analysis for security purpose? Person in charge of security solution (n=11) OK if used in PC OK Total(n=21) OK if anonymized What kind of threat is serious? Other (Spam, Phishing) DDoS attack (system glitch) Unintentional data leak APT attack Data leak by malicious insider From Fujitsu Forum Munich

7 Real time detection by combining the logs related to targeted s Detection of back-and-forth target as anomaly of users behavior sequence related with (Press Release on Jan. 21 st ) Reduce excess anomaly warning (false positive rate) to under 1/10. 1 st Targeted 2 nd return Exchange Web Access File upload /download From:A To:A From:B From:B To:B From:B Modeling From:C To B From:A From:B To:B To:C To:B To:B To:X Open link Unsupervised learning methods PST Link multiple log by users PC operation sequence From:D Redirect and download time Extract only the logs Related to the attacks Modeling Modeling 6 DTW Combined anomaly detection

8 [IT dashboard] detection of targeted Targeted has been detected by the real time anomaly detection technology from sequence Sales division 3 Sales division 2 Accounting division Sales division 1 Personnel division Development division 1 Development division 2 Development division 3 7

9 Summary Human-centric aspect is essential for security countermeasure because human is the most vulnerable part in information system. User behavior capturing + Psychological statistical analysis + Machine learning technology Privacy is a big problem to utilize user behavior data. For security purpose, it seems to be acceptable if anonymized or locally processed. For further detailed user behavior modeling, data such as face image, location, etc. may be required. See Relational Encryption demo! 8

10