Publication


Featured research published by Masahiko Tomoishi.


international conference software and computer applications | 2017

Web server access trend analysis based on the Poisson distribution

Shigeki Hagihara; Yoshiharu Fushihara; Masaya Shimakawa; Masahiko Tomoishi; Naoki Yonezaki

To determine the amount of computational resources such as CPU power, memory, and network bandwidth to be assigned to web servers, it is useful to capture daily access data. These can be captured in advance from access logs. Moreover, to determine thresholds for detecting attacks such as distributed denial of service, where the rate of access varies significantly, it is important to know usual access trends for a given server. In this paper, we propose a method for capturing patterns of access to web servers by analyzing access logs. Instead of directly analyzing the periodicity of access using Fourier transforms, we analyze access trends based on an abstract model where only changes to access frequency are captured. This abstract model, constructed by determining whether access frequency follows a Poisson distribution, is simpler than the original access log and is specialized as it only contains information about access frequency changes. Therefore, it is easy to capture access trends based on this model. We analyzed two access logs using our method, the logs of the web servers at Saskatchewan University and those of the National Aeronautics and Space Administration. We confirmed that our method can be used to capture several characteristic access trends.


international conference on computer communications and networks | 2016

Enhancement of VPN Authentication Using GPS Information with Geo-Privacy Protection

Yong Jin; Masahiko Tomoishi; Satoshi Matsuura

VPN (Virtual Private Network) technology is widely used for remote access to internal servers in order to mitigate intrusion attacks and data breaches. In current VPN technologies, PKI (Public Key Infrastructure) based certificate authentication and user ID/password authentication are widely used. However, in cases of password leakage or loss of mobile devices, those authentication methods cannot effectively prevent malicious access. In this paper, we propose a method for enhancing VPN authentication using GPS (Global Positioning System) information with geo-privacy protection. In this method, the GPS information of the client is used for VPN authentication without leaking the raw GPS coordinates of the client. Specifically, the hash values of GPS coordinate ranges are registered on the VPN authentication server in order to protect the user's geo-privacy. With the proposed method, remote access via the VPN tunnel can be restricted to designated areas, so that the risk of intrusion attacks can be mitigated significantly. We collected GPS coordinates in our lab for one month and checked their hit rates against the GPS coordinate ranges obtained from Google Maps. The results showed hit rates of about 99.29% and 92.96% for latitude and longitude respectively, which are acceptable for real operation.


computer software and applications conference | 2016

Design of a Concealed File System Adapted for Mobile Devices Based on GPS Information

Yong Jin; Masahiko Tomoishi; Satoshi Matsuura

The Internet Security Threat Report by Symantec announced that the number of data breaches increased 23 percent in 2014 and that theft or loss of devices accounted for 21 percent of the causes. Carrying mobile devices with business data and private information is indispensable for people's social activities nowadays, and unexpected data breaches are one of the severe ongoing issues in cyber security. In this paper, we propose a concealed file system adapted for mobile devices based on GPS (Global Positioning System) information, which is mountable only in the designated area. Unlike conventional encryption technologies, the proposed file system can be completely isolated from viruses and attacks outside the designated area. Moreover, instead of the GPS information of the designated area, an encrypted hash value is stored on the mobile device for privacy reasons. We statistically analyzed the GPS information logged in our lab and defined an algorithm for deciding the designated area without leaking the GPS information. Based on the algorithm, we evaluated the proposed file system using Veracrypt by adding the hash of the GPS information indicating the designated area as one of the attributes for mounting authentication. As a result, we confirmed that the proposed file system was mounted with a success rate of about 91% on average in the designated area, even with noise interference.


asia pacific network operations and management symposium | 2015

Web server performance enhancement by suppressing network traffic for high performance client

Yong Jin; Masahiko Tomoishi

In a high-performance computer network system, especially one with high-speed networks, an imbalance arises because network performance is significantly higher than computer capacity. This problem degrades the performance of the entire system, because a few high-performance clients can overload application servers. In this paper, we present a performance analysis and validation of a web server and confirm the possibility of transparent performance enhancement for a high-performance computer network system by changing only the configuration of network facilities such as switches and routers. We constructed a local experimental web system, reproduced several cases in which the problem occurred, and confirmed that the problem can be solved by suppressing network traffic only on the communication lines for high-performance clients. By putting this network traffic control method into practical use, it should be possible to provide the best performance of application systems in high-speed network environments in the future.


international workshop on principles of software evolution | 2000

Evolutional tableau method for temporal logic specifications

Masahiko Tomoishi

Presents a new consistency checking method for temporal logic specifications. The new method verifies the consistency of a whole specification by using a tableau graph constructed from tableau graphs obtained in the verifications of partial specifications. The new method is applicable not only to on-the-fly verification but also to compositional verification. On-the-fly verification is verification that proceeds as a specification is evolved; compositional verification is verification constructed by merging modular verifications. By verifying a specification at each step of its refinement, we can make the specification evolution process efficient. A tableau graph constructed by a traditional tableau method does not suit reuse. The traditional tableau method has two phases: a tableau graph construction phase and an eventuality checking phase. It is difficult to reflect the results of the eventuality checking on the tableau graph because there is no suitable substructure which can store the results. For that reason, it is necessary to check eventuality formulae repeatedly on the reuse of the tableau graphs. A new tableau graph introduced in this paper has a new structure and is obtained by piling up tableau graphs of subformulae. In this new structure, the checked results of eventuality checking are encoded. Therefore, all the results of the verification in each step can be reused for constructing the verification for a whole specification.


computer software and applications conference | 2017

An In-depth Concealed File System with GPS Authentication Adaptable for Multiple Locations

Yong Jin; Masahiko Tomoishi; Satoshi Matsuura

Security threats from cyber attacks never stop threatening people's social activities. Even so, carrying mobile devices with confidential data without constraint is still popular due to business needs and usability. In this paper, we propose an in-depth concealed file system with GPS authentication adaptable for multiple locations in order to mitigate data breaches and file destruction on mobile devices. The proposed file system has an in-depth layout and is mountable only when the mobile device is in the designated areas, using GPS authentication. Different security policies can be set for each layer, and data can be stored separately in each layer based on its confidentiality. Moreover, usability is treated as a high priority, and an automatic mounting feature is also introduced, since people cannot be bothered to run the program many times. We implemented a 2-layer prototype system combining GPS-only authentication (lightweight) and collaborated authentication (mobile device and smart phone). According to the preliminary evaluation results, we confirmed that the proposed in-depth concealed file system can contribute to mitigating the risk of data breaches and destruction on mobile devices.


computer software and applications conference | 2017

A Secure and Lightweight IoT Device Remote Monitoring and Control Mechanism Using DNS

Yong Jin; Masahiko Tomoishi; Nariyoshi Yamai

Many reports have predicted that the number of connected IoT (Internet of Things) devices will reach billions in the next several years; accordingly, how to securely and effectively manage, monitor and control them becomes a critical problem. In conventional IoT solutions, direct SSL/TLS based HTTP connections to IoT devices with high overhead are required and encryption is not considered due to the low computing capability and memory capacity of IoT devices. In this paper, we propose an integrated mechanism using DNS (Domain Name System) to accomplish the objective. In the proposed mechanism, the names or IDs of IoT devices are managed by a DNS server, and monitoring and control are conducted through the collaboration of DNS name resolution, DNS dynamic update and DNS zone transfer. For security and privacy protection, the status and control commands for IoT devices described in the corresponding DNS TXT records are encrypted, and TSIG (Transaction SIGnatures) is used for authentication to restrict the clients allowed to monitor and control the IoT devices.


computer software and applications conference | 2017

Cache Function Activation on a Client Based DNSSEC Validation and Alert System by Multithreading

Kunitaka Kakoi; Yong Jin; Nariyoshi Yamai; Naoya Kitagawa; Masahiko Tomoishi

The Domain Name System (DNS) is one of the most important services of the Internet, since most communications normally begin with domain name resolution provided by DNS. However, DNS is vulnerable to attacks such as DNS spoofing and DNS cache poisoning. DNSSEC is a security extension of DNS that provides secure name resolution by using digital signatures based on public key cryptography. However, there are several problems with DNSSEC, such as failed resolution in case of validation failure and increased load on the DNS full resolver. To mitigate these problems, we proposed a Client Based DNSSEC Validation System. This system performs DNSSEC validation on the client, and in case of validation failure, it forwards the failed response and alerts the user to the fact. However, this system has the problem that it deactivates the cache function of the validation library, so that it always performs DNSSEC validation even for the same query. In this paper, we report how to solve this problem by multithreading the DNSSEC validation system.


international conference on information and communication technology convergence | 2016

An advanced client based DNSSEC validation and preliminary evaluations toward realization

Yong Jin; Masahiko Tomoishi; Nariyoshi Yamai

DNSSEC (Domain Name System Security Extensions) is designed to provide security functions for the current DNS protocol. However, DNSSEC still has a low deployment rate on the Internet due to its heavy workload on DNS full resolvers and its high administrative cost. Furthermore, DNSSEC does not cover the last mile in name resolution: between the DNS full resolver and the client. In order to provide complete DNSSEC service between authoritative zone servers and clients, a new DNSSEC validation mechanism with acceptable workload on the DNS full resolver and the client is required. In this paper, we propose an advanced client based DNSSEC validation mechanism and compare DNSSEC performance between the DNS full resolver and the client, based on evaluations in a local experimental network. By validating DNSSEC on each client, the proposed mechanism can reduce the workload of DNS full resolvers and can also provide secure name resolution for each client. According to the results of preliminary evaluations, we confirmed that it is possible to reduce the workload of the DNS full resolver by transferring the DNSSEC validation process to clients with acceptable extra workload. More importantly, the benefit of DNSSEC can be extended to clients with a secure name resolution service.


international conference on information security | 2001

Design of UNIX System for the Prevention of Damage Propagation by Intrusion and Its Implementation Based on 4.4BSD

Kenji Masui; Masahiko Tomoishi

On usual UNIX systems, the privileged user root is allowed to acquire any user's authority without an authentication process. If an intruder obtains the root privilege by taking advantage of a system's security hole, he can abuse the network reachability of any user of the system to break into other sites. Thus we present a new system design where the authority of users is protected from root by introducing a new user substitution mechanism. However, even if we introduce the new mechanism, on usual UNIX systems the intruder can get that authority using many other methods available to root. We implement the new user substitution mechanism and the mechanisms which prevent the intruder from using such methods in FreeBSD-4.2, and confirm that the system design is effective.

Collaboration


Dive into Masahiko Tomoishi's collaboration.

Top Co-Authors

Yong Jin

Tokyo Institute of Technology

Nariyoshi Yamai

Tokyo University of Agriculture and Technology

Kunitaka Kakoi

Tokyo University of Agriculture and Technology

Naoya Kitagawa

Tokyo University of Agriculture and Technology

Satoshi Matsuura

Nara Institute of Science and Technology

Kenji Masui

Tokyo Institute of Technology

Masaya Shimakawa

Tokyo Institute of Technology

Shigeki Hagihara

Tohoku University of Community Service and Science

Yoshiaki Kitaguchi

Tokyo Institute of Technology
