Hiroaki Hazeyama

Zoned federation of game servers: a peer-to-peer approach to scalable multi-player online games

Todays Multi-player Online Games (MOGs) are challenged by infrastructure requirements, because of their server-centric nature. Peer-to-peer networks are an interesting alternative, if they can implement the set of functions that are traditionally performed by centralized authoritative servers. In this paper, we propose a zoned federation model to adapt MOG to peer-to-peer networks. In this model, zoning layer is inserted between the game program and peer-to-peer networks. We introduce the concept of zone and zone owner to MOG. Zone is some part of the whole game world, and zone owner is an authoritative server of a specific zone. According to the demands of the game program, each node actively changes its role to zone owner and works in the same way as a centralized authoritative server. By dividing the whole game world into several zones, workloads of the centralized authoritative game server can be distributed to a federation of nodes. We have implemented the zoned federation model, and evaluate it with a prototypical multi-player game. Evaluation results indicate that our proposed approach is applicable to small and medium-sized MOGs, where the number of nodes is less than 500.

An evaluation of machine learning-based methods for detection of phishing sites

In this paper, we present the performance of machine learning-based methods for detection of phishing sites. We employ 9 machine learning techniques including AdaBoost, Bagging, Support Vector Machines, Classification and Regression Trees, Logistic Regression, Random Forests, Neural Networks, Naive Bayes, and Bayesian Additive Regression Trees. We let these machine learning techniques combine heuristics, and also let machine learning-based detection methods distinguish phishing sites from others. We analyze our dataset, which is composed of 1,500 phishing sites and 1,500 legitimate sites, classify them using the machine learning-based detection methods, and measure the performance. In our evaluation, we used f1 measure, error rate, and Area Under the ROC Curve (AUC) as performance metrics along with our requirements for detection methods. The highest f1 measure is 0.8581, the lowest error rate is 14.15%, and the highest AUC is 0.9342, all of which are observed in the case of AdaBoost. We also observe that 7 out of 9 machine learning-based detection methods outperform the traditional detection method.

Enabling secure multitenancy in cloud computing: Challenges and approaches

Cloud computing provides a multitenant feature that enables an IT asset to host multiple tenants, improving its utilization rate. The feature provides economic benefits to both users and service providers since it reduces the management cost and thus lowers the subscription price. Many users are, however, reluctant to subscribe to cloud computing services due to security concerns. To advance deployment of cloud computing, techniques enabling secure multitenancy, especially resource isolation techniques, need to be advanced further. Difficulty lies in the fact that the techniques range and cross various technical domains, and it is difficult to get the big picture. To cope with that, this paper introduces technical layers and categories, with which it identifies and structures technical issues on enabling multitenancy by conducting a survey. Based on the survey result, this paper discusses technical maturity of multitenant cloud computing from the standpoint of security and the needs for developing both technical and operational security toward the development and wide deployment of multitenant cloud computing.

SPS: a simple filtering algorithm to thwart phishing attacks

In this paper, we explain that by only applying a simple filtering algorithm into various proxy systems, almost all phishing attacks can be blocked without loss of convenience to the user. We propose a system based on a simple filtering algorithm which we call the Sanitizing Proxy System (SPS). The key idea of SPS is that Web phishing attack can be immunized by removing part of the content that traps novice users into entering their personal information. Also, since SPS sanitizes all HTTP responses from suspicious URLs with warning messages, novice users will realize that they are browsing phishing sites. The SPS filtering algorithm is very simple and can be described in roughly 20 steps, and can also be built in any proxy system, such as a server solution, a personal firewall or a browser plug-in. By using SPS with a transparent proxy server, novice users will be protected from almost all Web phishing attacks even if novice users misbehave. With a deployment model, robustness and evaluation, we discuss the feasibility of SPS in today’s network operations.

Adaptive Bloom Filter: A Space-Efficient Counting Algorithm for Unpredictable Network Traffic

The Bloom Filter (BF), a space-and-time-efficient hash-coding method, is used as one of the fundamental modules in several network processing algorithms and applications such as route lookups, cache hits, packet classification, per-flow state management or network monitoring. BF is a simple space-efficient randomized data structure used to represent a data set in order to support membership queries. However, BF generates false positives, and cannot count the number of distinct elements. A counting Bloom Filter (CBF) can count the number of distinct elements, but CBF needs more space than BF. We propose an alternative data structure of CBF, and we called this structure an Adaptive Bloom Filter (ABF). Although ABF uses the same-sized bit-vector used in BF, the number of hash functions employed by ABF is dynamically changed to record the number of appearances of a each key element. Considering the hash collisions, the multiplicity of a each key element on ABF can be estimated from the number of hash functions used to decode the membership of the each key element. Although ABF can realize the same functionality as CBF, ABF requires the same memory size as BF. We describe the construction of ABF and IABF (Improved ABF), and provide a mathematical analysis and simulation using Zipfs distribution. Finally, we show that ABF can be used for an unpredictable data set such as real network traffic.

An Autonomous Architecture for Inter-Domain Traceback across the Borders of Network Operation

The difficulties of achieving an inter-domain traceback architecture come from the issues of overcoming network operation boundaries, especially the leakage of sensitive information, the violation of the administrative permission and the cooperation among Autonomous Systems (ASes). We have proposed InterTrack in [11] as an interconnection architecture for different traceback systems and other Denial of Service (DoS) attack countermeasures. In this paper, we argue that only disclosing AS status to others can reconstruct the reverse AS path of an attack without the leakage of sensitive information or the violation of the administrative permission. Comparing our architecture with other traceback architectures, we also discuss the feasibility of our autonomous traceback architecture.

Experiences in emulating 10K AS topology with massive VM multiplexing

New technologies that will be introduced to the Internet should be practically tested for effectiveness and for side effects. A realistic environment that simulates the Internet is needed to experimentally test such technologies, which will be widely deployed on the Internet. To support experimentation in a realistic, Internet-like environment, we are now trying to construct an Internet on a testbed. We describe our method of constructing an Internet-like environment on the testbed using a virtualization technology and estimation of the inter-AS network on StarBED with Xen and our prototype system. We stably constructed a 10,000-AS network using 150 testbed nodes and estimated its performance and feasibility.

Detecting methods of virus email based on mail header and encoding anomaly

In this paper, we try to develop a machine learning-based virus email detection method. The key feature of this paper is employing Mail Header and Encoding Anomaly(MHEA) [1]. MHEA is capable to distinguish virus emails from normal emails, and is composed of only 5 variables, which are obtained from particular email header fields. Generating signature from MHEA is easier than generating signature by analyzing a virus code, therefore, we feature MHEA as signature to distinguish virus emails. At first, we refine the element of MHEA by association analysis with our email dataset which is composed of 4,130 virus emails and 2,508 normal emails. The results indicate that the one element of MHEA should not be used to generate MHEA. Next, we explore a way to apply MHEA into detection methods against virus emails. Our proposed method is a hybrid of matching signature from MHEA (signature-based detection) and detecting with AdaBoost (anomaly detection). Our preliminary evaluation shows that f1 measure is 0.9928 and error rate is 0.75% in the case of our hybrid method, which outperforms other types of detection methods.

Oblivious DDoS mitigation with locator/ID separation protocol

The need to keep an attacker oblivious of an attack mitigation effort is a very important component of a defense against denial of services (DoS) and distributed denial of services (DDoS) attacks because it helps to dissuade attackers from changing their attack patterns. Conceptually, DDoS mitigation can be achieved by two components. The first is a decoy server that provides a service function or receives attack traffic as a substitute for a legitimate server. The second is a decoy network that restricts attack traffic to the peripheries of a network, or which reroutes attack traffic to decoy servers. In this paper, we propose the use of a two-stage map table extension Locator/ID Separation Protocol (LISP) to realize a decoy network. We also describe and demonstrate how LISP can be used to implement an oblivious DDoS mitigation mechanism by adding a simple extension on the LISP MapServer. Together with decoy servers, this method can terminate DDoS traffic on the ingress end of an LISP-enabled network. We verified the effectiveness of our proposed mechanism through simulated DDoS attacks on a simple network topology. Our evaluation results indicate that the mechanism could be activated within a few seconds, and that the attack traffic can be terminated without incurring overhead on the MapServer.

Building Better Unsupervised Anomaly Detector with S-Transform

Unsupervised anomaly detection is most widely applicable due to capabilities of detecting known and novel anomalies without prior knowledge. In this paper, we propose an unsupervised anomaly detection method based on time-frequency analysis. We firstly use S-Transform to reveal the frequency characteristics of a network signal. Secondly, heuristics are used for anomaly detection. We evaluate performance of our method on MAWI and DARPA datasets. Furthermore, we compare the results with an unsupervised Wavelet Transform-based anomaly detection method. The results indicate that our method achieves better detection performance compared with the Wavelet Transform-based method.