Kohei Tatara

An intrusion detection system using alteration of data

Attacks against data in memory are one of the most serious threats these days. Although many detection systems have been proposed so far, most of them can detect only part of alteration. Some detection systems use canaries to detect alteration. However, if an execution code has bugs that enable attackers to read data in memory, the system could be bypassed by attackers who can guess canaries. To overcome the problems, we propose a system using alteration of data. Our proposed system detects illegal alteration with verifier for vulnerable data. Verifier is made before vulnerable data could be altered by attackers, and verifier is checked when the program uses the vulnerable data. Part of verifier is stored in kernel area to prevent attackers from reading data in user memory. Our approach can detect illegal alteration of arbitrary data in user memory. Our proposed system, moreover, does not have the problem systems using canaries have.

Analyzing Maximum Length of Instruction Sequence in Network Packets for Polymorphic Worm Detection

The importance of the method for finding out the worms that are made through the modification of parts of their original worms increases. It is difficult to detect these worms by comparing with the simple definition that past anti-virus software adapts. Moreover, if it is not an already-known worm, it is not possible to detect it. In this paper, we pay attention to the Toth et al.s method to extract the executable code included in the dataflows on the network and detect the attack by measuring the length of them. The importance of the method for finding out the worms that are made through the modification of parts of their original worms increases. It is difficult to detect these worms by comparing with the simple definition that past anti-virus software adapts. Moreover, if it is not an already- known worm, it is not possible to detect it. In this paper, we pay attention to the Toth et al.s method to extract the executable code included in the dataflows on the network and detect the attack by measuring the length of them. Then, we describe the problem of their method and how to solve it.Then, we describe the problem of their method and how to solve it.

A Signature Scheme Associated with Universal Re-signcryption

Today, with increasing deversity of network technologies, people have been likely to be interested in anonymity. The attacker might threaten anonymity of senders and receivers by confirming linkability between their sessions. Recently, Golle et al. proposed the re-encryption scheme applicable to Mix, called Universal Re-encryption. In this scheme, a ciphertext is supposed to be re-encrypted without public information corresponding to it. Moreover, only a subject that re-enctypts a ciphertext can know the correspondence of original ciphertext and it, and the computational complexity to break the unlinkability property is equal to the semantic secrecy. In this paper, we consider and improve the Universal Re-encryption scheme, and propose a scheme that can verify who transmit the message by adding the property of signature.

Polymorphic Worm Detection by Analyzing Maximum Length of Instruction Sequence in Network Packets

Intrusion detection system records worms signature, and detects the attack that lurks in traffic based on it. However, to detect the worm that corrects, and changes some oneself, a highly accurate detection technique for distinguishing the code that seems to be the worm included in traffic is requested. In this paper, we pay attention to the Toth et al.s method to extract the executable codeincluded in the data flows on the network and detect the attack by measuring the length of them. Then, we describe the problem of their method and how to solve it.

A probabilistic method for detecting anomalous program behavior

In this paper, we, as well as Eskin, Lee, Stolfo [7] propose a method of prediction model. In their method, the program was characterized with both the order and the kind of system calls. We focus on a non-sequential feature of system calls given from a program. We apply a Bayesian network to predicting the N-th system call from the sequence of system calls of the length N–1. In addition, we show that a correlation between several kinds of system calls can be expressed by using our method, and can characterize a program behavior.

Query Forwarding Algorithm Supporting Initiator Anonymity in GNUnet

Anonymity in peer-to-peer network means that it is difficult to associate a particular communication with a sender or a recipient. Recently, anonymous peer-to-peer framework, called GNUnet, was developed. A primary feature of GNUnet is resistance to traffic-analysis. However, Kugler analyzed a routing protocol in GNUnet, and pointed out traceability of initiator. In this paper, we propose an alternative routing protocol applicable in GNUnet, which is resistant to Kuglers shortcut attacks