Kenji Ohira

A comprehensive approach to detect unknown attacks via intrusion detection alerts

Intrusion detection system(IDS) has played an important role as a device to defend our networks from cyber attacks. However, since it still suffers from detecting an unknown attack, i.e., 0-day attack, the ultimate challenge in intrusion detection field is how we can exactly identify such an attack. This paper presents a novel approach that is quite different from the traditional detection models based on raw traffic data. The proposed method can extract unknown activities from IDS alerts by applying data mining technique.We evaluated our method over the log data of IDS that is deployed in Kyoto University, and our experimental results show that it can extract unknown(or under development) attacks from IDS alerts by assigning a score to them that reflects how anomalous they are, and visualizing the scored alerts.

A Clustering Method for Improving Performance of Anomaly-Based Intrusion Detection System

Intrusion detection system (IDS) has played a central role as an appliance to effectively defend our crucial computer systems or networks against attackers on the Internet. The most widely deployed and commercially available methods for intrusion detection employ signature-based detection. However, they cannot detect unknown intrusions intrinsically which are not matched to the signatures, and their methods consume huge amounts of cost and time to acquire the signatures. In order to cope with the problems, many researchers have proposed various kinds of methods that are based on unsupervised learning techniques. Although they enable one to construct intrusion detection model with low cost and effort, and have capability to detect unforeseen attacks, they still have mainly two problems in intrusion detection: a low detection rate and a high false positive rate. In this paper, we present a new clustering method to improve the detection rate while maintaining a low false positive rate. We evaluated our method using KDD Cup 1999 data set. Evaluation results show that superiority of our approach to other existing algorithms reported in the literature.

An Adaptive Honeypot System to Capture IPv6 Address Scans

The vastness of IPv6 address space and rapid spread of its deployment attract us to usage of IPv6 network. Various types of devices, including embedded systems, are ready to use IPv6 addresses and some of them have already been connected directly to the Internet. Such situation entices attackers to change their strategies and choose the embedded systems as their targets. We have to deploy various types of honey pots on IPv6 network to trace his activities and infer his objective. Huge address space and wide variety of devices, however, suggest the limitation of conventional honey pots. In this paper, we propose a system that dynamically assigns an address to a honey pot by detecting an access to an unassigned address. We also present our strategy against IPv6 address scans by making honey pots collaborate each other.

Security analysis on public wireless internet service models

A new service model of public wireless Internet access, called autonomous distributed public wireless Internet access, is presented. In the service model any volunteer with broadband Internet access lines can provide his access points for public service without any fear of malicious use. A user of such service is assumed to have his own account on a authentication server at home in the Internet, and all the Internet access through any of those access points can be treated as if it is from the home. In this paper, we present how the autonomous distributed Internet access services can be securely provided with the combinations of two aspects: treatment of authentication transactions at access points and data path of communication transaction.

Performance evaluation of an OpenFlow-based mirroring switch on a laptop/raspberry Pi

This paper describes an implementation and performance evaluation of an OpenFlow-based laptop mirroring switch. We confirm that we can build a mirroring switch which can forward traffic faster than 200 Mbps with only an inexpensive laptop PC and USB 3.0 gigabit Ethernet adapters. If we use a Raspberry Pi as substitute for a laptop PC, we can build a 30 Mbps or faster switch.

Host-Centric Site-Exit Router Selection in IPv6 Site Multihoming Environment

Site-multihoming is an architecture which brings the benefit of reliability and load-sharing in a small scale network like a home network by connecting multiple ISPs (Internet Service Providers). In the discussion of IETF Multi6 Working Group, multihoming by multi-PA (Provider Aggregatable) addressing became rough consensus as the architecture for IPv6 site-multihoming. However, issues on multi-PA addressing, like how a host selects the source IP address for each packet or how to cope with ingress filtering by ISP, remain not discussed. In this paper, we propose a new routing architecture for site-multihoming, based on the idea of host-centric multihoming by Huitema et al. Host-centric multihoming has a difficulty in deployment as it essentially needs source address dependent routing. In our architecture, 1) Site-internal routes and site-external routes are distinguished. A packet that goes out of the site is routed to the site-exit router associated with the source IP address, while a packet that goes to a host in the site is routed based on the destination address. 2) Site-external routes are limited to the default routes (::/0) associated with the PA addresses only. This architecture simplifies the intra-site routing but still fully has the advantage of host-centric multihoming that a host in a site can select an ISP through which a packet from the host goes, namely, source address selection by a sender host decides the path of the packet. We have also implemented a dynamic source address dependent routing protocol for our architecture and have confirmed the effectiveness of it.

Loosely Trusted Yet Secure Roaming Architecture for Public Wireless Internet Service

The demand of providing ones network bandwidth for another such as a business partner or a guest in a form like a so-called free wireless Internet access is rising. However, in some countries like Japan, the law concerning the responsibility of Internet service providers requires not only ISPs who operate roaming service but also anyone who provide access to the Internet to identify an illicit user when requested. Otherwise he himself may be treated as the illicit user. In this paper, we first categorize conventional roaming models and consider trust relationships in roaming. Conventional roaming models assume trust between a connectivity provider and an authenticator. Most measures are against abuse of a mobile user or a fake user as an attacker. Based on the consideration, we propose an autonomous distributed model account management architecture. With this architecture, when an illicit use occurs, every concerned party can find who do it even in the case that not only a mobile user but also a connectivity provider and/or an authenticator may do it. This is possible if a connectivity provider allows only traffics of some well known secure authentication protocols and user data which are authenticated with them to go through his network. This proposal makes it possible for a connectivity provider to provide access for a mobile user securely as easy as a free wireless access without trust with any authenticator

Improving Document Availability in Storage

This paper provides a case study of improving availability for searching documents in an academic facility. Every day some documents are needed for our business and academic activities in the Center for Administration of Information Technology (AIT) in Tokushima University. AIT has been employing and operating Information Security Management System (ISMS) since 2014. ISMS requires to maintain Confidentiality, Integrity and Availability. Particularly, AIT places importance on Availability. However, time-consuming is a problem to find documents in the daily operation. A case study was conducted to put a full-text search engine in the facility, considering the objective and efficiency about finding documents in the file-server. In the process, it was found out that document freshness is important to academic office workers for their job. Then, the effectiveness of a score of TF-IDF with document freshness was assessed. Therefore, availability for finding documents was significantly improved using a full-text search engine with document freshness.

Research on Integrated Authentication Using Passwordless Authentication Method

Currently, authentication methods using ID and password are widely used and fulfilled central roles in various information systems and services. Our university also uses ID and password for authentication of most services. However, passwords have various problems such as reuse, phishing and leakage. This research is a practical experiment in order to implement an integrated authentication system without password. Shibboleth is introduced to our university, providing capabilities of web single sign-on and attribute exchange framework for organizational services. The Fast IDentity Online (FIDO) is adopted into Shibboleth as an external authentication, to realize passwordless authentication. Furthermore, we held a feasibility test of an integrated authentication system without password, and considered problems of the passwordless authentication method using FIDO.

A route navigation system for reducing risk of traffic accidents

We develop a navigation system considering traffic accident risk. After putting the start and goal points by a user, the system suggests a detour; a better route contains low risk against traffic accidents. Users can also contribute to register risk values to the dangerous points. We define cost functions to generate reasonable and safer route paths within the given geometrical area. The system was evaluated by examinees with field tests, then marginal reputations from them.