Publication


Featured research published by Ruo Ando.


conference on privacy, security and trust | 2014

MindYourPrivacy: Design and implementation of a visualization system for third-party Web tracking

Yuuki Takano; Satoshi Ohta; Takeshi Takahashi; Ruo Ando; Tomoya Inoue

Third-party Web tracking is a serious privacy issue. Advertisement sites and social networking sites stealthily collect users' Web browsing history for purposes such as targeted advertising or predicting trends. Unfortunately, very few Internet users realize this, and their privacy has been infringed upon because they have no means of recognizing the situation. In this paper we present the design and implementation of a system called MindYourPrivacy that visualizes third-party Web tracking and clarifies the entities threatening users' privacy. The implementation adopts deep packet inspection, DNS-SOA-record-based categorization, and HTTP-referred graphical analysis to visualize collectors of Web browsing histories without device dependency. To demonstrate the effectiveness of our proof-of-concept implementation, we conducted an experiment in an IT technology camp, where 129 attendees discussed IT technologies for four days. The experiment's results revealed that visualizing Web tracking effectively influences users' perception of privacy. Analysis of the user data we collected at the camp also revealed that MCODE clustering and some features derived from graph theory are useful for detecting advertising sites that potentially collect user information by Web tracking for their own purposes.


international conference on wireless communications and mobile computing | 2011

Practical network traffic analysis in P2P environment

Tao Ban; Shanqing Guo; Zonghua Zhang; Ruo Ando; Youki Kadobayashi

Recent statistical studies on telecommunication networks outline that peer-to-peer (P2P) file-sharing keeps increasing and now contributes about 50–80% of the overall Internet traffic [1]. Moreover, more and more network applications such as streaming media, internet telephony, and instant messaging are taking a form of P2P telecommunication. The bandwidth-intensive nature of P2P applications suggests that P2P traffic can have significant impact on the underlying network. Therefore, analyzing and characterizing this kind of traffic is an essential step to develop workload models towards efficient amelioration in network traffic engineering and capacity planning. In this paper, we first introduce an adaptive system for handy P2P trace capturing and analysis. By using virtualization technology, the system can efficiently organize limited resources to build a reliable and tractable network that supports adjustable experimental study and practical performance tuning. Then the proposed system is applied to traffic characterization of File Sharing P2P (FSP2P) applications. To avoid the excessive computing cost of payload information inspection, we propose a more light-weighted analytical scheme which makes use of meta features extracted from packet headers. With carefully selected system parameters, we show that satisfactory prediction accuracy on differentiating FSP2P applications from ordinary network applications could be achieved with acceptable computing costs. The proposed scheme supports performance tuning between monitoring cost and the system response time, which enables its adaptation to network environments with different specifications.


international conference on neural information processing | 2009

Automated Log Analysis of Infected Windows OS Using Mechanized Reasoning

Ruo Ando

Malware (Malicious Software) of Windows OS has become more sophisticated. To take some countermeasures for recent infection, more intelligent and automated system log analysis is necessary. In this paper we propose an automated log analysis of infected Windows OS using mechanized reasoning. We apply an automated deduction system for gathering events of malware and extract the behavior of infection over large-scale system logs. In the experiment, we cope with four kinds of resolution strategies to detect the malicious behavior. It is shown that automation of analyzing system logs is possible for detecting actual malicious software.


network and parallel computing | 2007

Parallel analysis for lightweight network incident detection using nonlinear adaptive systems

Ruo Ando; Yoshiyasu Takefuji

The rapid increase in security incidents imposes a great burden on Internet users and system administrators. In this paper we discuss a parallel analysis for lightweight network incident detection using nonlinear adaptive systems. We run AID (anomaly intrusion detection) and MID (misuse intrusion detection) systems in parallel. The two detectors generate binary output misuse = {YES/NO} and anomaly = {YES/NO}. Then, we can determine whether we need to perform a network or security operation. We apply a clustering algorithm for AID and a classification algorithm for MID. The nonlinear adaptive system is trained for running MID and AID in parallel. The proposed parallel system is more lightweight and simple to operate even if the number of incident patterns is increased. Experimental results in the case where false positives are frequently caused show that our method is functional with a recognition rate of attacks less than 10%, while finding the anomaly status. Also, performance evaluation shows that the proposed system can work with reasonable CPU utilization compared with a conventional serial search based system.


International Conference on Security Technology | 2011

A Lightweight Access Log Filter of Windows OS Using Simple Debug Register Manipulation

Ruo Ando; Kuniyasu Suzaki

Recently, leveraging a hypervisor for inspecting Windows OS, which is called VM introspection, has been proposed. In this paper, we propose a thin debugging layer to provide several solutions for current VM introspection. First, out-of-the-box monitoring has not been developed for monitoring complicated events such as registry access of Windows OS. Second, logging inside the guest OS is resource-intensive and therefore detectable. Third, shared memory should be prepared for notifying events, which makes the system so complicated. To solve these problems, we embed a simple debug register manipulation inside the guest VM and modify its handler in the hypervisor. In the proposed system, we only change a few generic and debug registers to cope with highly frequent events without allocating memory and generating file I/O. As a result, resource utilization of CPU, memory and I/O can be drastically reduced compared with commodity logging software inside Windows OS. In the experiment, we have shown the result of tracking registry access of malware running on Windows OS. It is shown that the proposed system can achieve the same function as ProcMon of Windows OS with reasonable resource utilization. Particularly, we have achieved more than 84% of memory usage and 97% of disk access reduction compared with the case of using ProcMon.


international conference on neural information processing | 2008

Faster parameter detection of polymorphic viral code using hot list strategy

Ruo Ando

Polymorphic viral code with an encrypted payload and obfuscated decipher routine is hard to detect by generic signature scan. In this paper we propose a faster parameter detection of polymorphic viral code using the hot list strategy. Parameter detection is formulated as solving a SAT problem using resolution and substitution by a FoL (First order Logic) theorem prover. To make parameter detection faster, we discuss one of the ATP (Automated Theorem Proving) strategies, called hot list. The experiment shows that with proper selection of the hot list, we can make the reasoning process faster with a reduction rate of generated clauses from 60% to 80%.


Proceedings of the 2018 2nd International Conference on Management Engineering, Software Engineering and Service Sciences | 2018

Automated reduction of attack surface using call graph enumeration

Ruo Ando

There have been many research efforts on detecting vulnerability such as model checking and formal methods. However, according to Rice's theorem, checking whether a program contains vulnerable code by static checking is undecidable in general. In this paper, we propose a method of attack surface reduction using enumeration of the call graph. The proposed system is divided into two steps: enumerating edge E[Function Fi, Function Fi+1] and constructing the call graph by recursive search of [E1, E2, En]. The proposed method enables us to find the sum of paths of which the leaf node is vulnerable function VF. Also, root node RF of the call graph is the part of the program which is open to the attacker. Therefore, call graph [VF, RF] can be eliminated according to the situation where the program is running. We apply the proposed method to real programs (Xen) and extract the attack surface of CVE-2013-4371. These vulnerabilities are classified into two classes: use-after-free and assertion failure. Also, a numerical result is shown in searching the attack surface of Xen with different search depths of constructing the call graph.


international conference on neural information processing | 2010

A fast kernel on hierarchial tree structures and its application to windows application behavior analysis

Tao Ban; Ruo Ando; Youki Kadobayashi

System calls have been proved to be important evidence for analyzing the behavior of running applications. However, application behavior analyzers which investigate the majority of system calls usually suffer from severe system performance deterioration or frequent system crashes. In the presented study, a light-weighted analyzer is approached by two avenues. On the one hand, the computation load to monitor the system calls is considerably reduced by limiting the target functions to two specific groups: file accesses and Windows Registry accesses. On the other hand, analytical accuracy is achieved by deep inspection into the string parameters of the function calls, where the proximity of the programs is evaluated by the newly proposed kernel functions. The efficacy of the proposed approach is evaluated on real-world datasets with promising results reported.


JoWUA | 2012

Inter-domain Communication Protocol for Real-time File Access Monitor of Virtual Machine.

Ruo Ando; Kazushi Takahashi; Kuniyasu Suzaki


IPSJ SIG technical reports | 2005

Simultaneous providing device of baseband and carrier signal using sound-generated electricity

Kouhei Hayamizu; Ruo Ando; Yoshiyasu Takefuji

Collaboration


Top Co-Authors

Yuuki Takano

National Institute of Information and Communications Technology

Kuniyasu Suzaki

National Institute of Advanced Industrial Science and Technology

Shinsuke Miwa

National Institute of Information and Communications Technology

Takeshi Takahashi

National Institute of Information and Communications Technology

Tao Ban

National Institute of Information and Communications Technology

Youki Kadobayashi

Nara Institute of Science and Technology

Satoshi Ohta

National Institute of Information and Communications Technology