Shinichiro Kubota

DNS Based Spam Bots Detection in a University

We carried out an entropy study on the DNS query traffic from the outside of a university campus network to the top domain DNS server when querying about reverse resolution on the PC room terminals through April 1st, 2007 to April 30th, 2008. The following interesting results are given: (1) In January 17th, 2008, the DNS query traffic is mainly dominated by several specific IP addresses as their query keywords. (2) We carried out forensic analysis on the PC room terminals in which IP addresses are found in the several specific keywords and it is concluded that the PCs become spam bots when inserting USB based key disk storage.

Detection of Kaminsky DNS Cache Poisoning Attack

We statistically investigated the total inbound standard DNS resolution traffic from the Internet to the top domain DNS server in a university campus network through January 1st to December 31st, 2010. The following results are obtained: (1) We found five Kaminsky DNS Cache Poisoning (Kaminsky) attacks in observation of rapid decrease in the unique source IP address based entropy of the DNS query request packet traffic and significant increase in the unique DNS query keyword based one. (2) Also, we found nine Kaminsky attacks in the score changes for detection method using the calculated restricted Damerau-Levenshtein distance (restricted edit distance) between the observed current query keyword and the last one by employing both threshold ranges through 1 to 40. Therefore, it has a possibility that the restricted Damerau-Levenshtein distance based detection technology can detect the Kaminsky attacks.

Trends in Host Search Attack in DNS Query Request Packet Traffic

We statistically investigated the total PTR resource record (RR) based DNS query request packet traffic from the Internet to the top domain DNS server in a university campus network through January 1st to December 31st, 2011. The obtained results are: (1) We found twelve host search (HS) attacks in the scores for detection method using the calculated Euclidean distances between the observed IP address and the last observed IP address in the DNS query keywords by employing both threshold ranges of 1.0-2.0 (consecutive) and 150.2-210.4 (random). However, we found nineteen HS attacks in the scores using the calculated cosine distance between the DNS query IP addresses (threshold ranges of 0.75-0.83 and 0.9-1.0). (3) In the newly found HS attacks, we observed that the source IP addresses of the HS attack DNS query packets are distributed. Therefore, it can be concluded that the cosine distance based detection technology has a possibility to detect the source IP address-distributed host search attack.

SSH Dictionary Attack and DNS Reverse Resolution Traffic in Campus Network

We performed statistical analysis on the total PTR resource record (RR) based DNS query packet traffic from a university campus network to the top domain DNS server through March 14th, 2009, when the network servers in the campus network were under inbound SSH dictionary attack. The interesting results are obtained, as follows: (1) the network servers, especially, they have a function of SSH services, generated the significant PTR RR based DNS query request packet traffic through 07:30-08:30 in March 14th, 2009, (2) we calculated sample variance for the DNS query request packet traffic, and (3) the variance can change in a sharp manner through 07:30-08:30. From these results, it is clearly concluded that we can detect the inbound SSH dictionary attack to the network server by only observing the variance of the total PTR RR based DNS query request packet traffic from the network servers in the campus network.

An Authentication Method Independent of Tap Operation on the Touchscreen of a Mobile Device

At the present time, mobile devices such as tablet-type PCs and smart phones have widely penetrated into our daily lives. Therefore, an authentication method that prevents shoulder surfing is needed. We are investigating a new user authentication method for mobile devices that uses surface electromyogram (s-EMG) signals, not screen touching. The s-EMG signals, which are generated by the electrical activity of muscle fibers during contraction, are detected over the skin surface. Muscle movement can be differentiated by analyzing the s-EMG. In this paper, a series of experiments was carried out to investigate the prospect of an authentication method using s-EMGs. Specifically, several gestures of the wrist were introduced, and the s-EMGs generated for each motion pattern were measured. We compared the s-EMG patterns generated by each subject with the patterns generated by other subjects. As a result, it was found that each subject has similar patterns that are different from those of other subjects. Thus, sEMGs can be used to confirm one’s identification for authenticating passwords on touchscreen devices.

Detection of host search activity in PTR resource record based DNS query packet traffic

We statistically investigated the total PTR resource record (RR) based DNS query request packet traffic from the Internet to the top domain DNS server in a university campus network through January 1st to December 31st, 2009. The obtained results are: (1) We observed fourteen host search (HS) activities in which we can observe rapid decreases in the unique source IP address based entropy of the inbound PTR RR based the DNS query packet traffic and significant increases in the unique DNS query keyword based one. (2) We found the consecutive and random IP address based queries in the PTR RR based DNS query request packet traffic through the days of January 8th and 21st, 2009, respectively. Also (3), we calculated Euclidean distances between the observed IP address and the last observed IP address as the DNS query keywords and we detected two kinds of HS activities by employing both threshold ranges of 1.0–2.0 and 150.2–210.4, respectively. Therefore, these results show that we can detect the HS activity by calculating the Euclidean distances between the currently- and the last-observed IP addresses in the inbound PTR RR based DNS query request packet traffic.

Web-based time schedule system for multiple LMSs on the SSO/portal environment

We developed a web-based time schedule system as an important feature of the university portal along with our universitys long-term ICT (Information and Communication Technologies) plan. By using the system, students and professors can get their own course timetable in collaboration with the Student Information System (SIS). Each course name on the timetable is linked to the corresponding course page on the Learning Management System (LMS) through the Single Sign-On (SSO). The system is adapted to multiple LMSs which can be selected by the course professor. In order to widely cooperate with other systems, the system is designed by using global standards (IMS Enterprise, JSR-168 Portlet, etc.) and open source software (uPortal, CAS, JSF, Hibernate, etc.) as possible as we can. This paper shows the major functions, the measured use of the portal and the time schedule system over eight months, and the implementation especially for supporting multiple LMSs, syllabus and grade books.

Analytical calculations of four-neutrino oscillations in matter

Abstract. We analytically derive the transition probabilities for four-neutrino oscillations in matter. The time-evolution operator giving the neutrino oscillations is expressed by a finite sum of terms up to the third power of the Hamiltonian in a matrix form, using the Cayley-Hamilton theorem. The result of the computation for the probabilities in some mass patterns tells us that it is actually difficult to observe the resonance between one of the three active neutrinos and the fourth (sterile) neutrino near the earth, even if the fourth neutrino exists.

On applying support vector machines to a user authentication method using surface electromyogram signals

At present, mobile devices such as tablet-type PCs and smart phones have widely penetrated into our daily lives. Therefore, an authentication method that prevents shoulder surfing is needed. We are investigating a new user authentication method for mobile devices that uses surface electromyogram (s-EMG) signals, not screen touching. The s-EMG signals, which are detected over the skin surface, are generated by the electrical activity of muscle fibers during contraction. Muscle movement can be differentiated by analyzing the s-EMG. Taking advantage of the characteristics, we proposed a method that uses a list of gestures as a password in the previous study. In this paper, we introduced support vector machines (SVM) for improvement of the method of identifying gestures. A series of experiments was carried out to evaluate the performance of the SVM based method as a gesture classifier and we also discussed its security.

TORSION DEPENDENCE OF THE COVARIANT TAYLOR EXPANSION IN RIEMANN-CARTAN SPACE

We clarify the dependence on the torsion tensor of all coefficients in the covariant Taylor expansion of the HMDS coefficient in the heat kernel for the fermion of spin in Riemann-Cartan space. The dependence on the torsion tensor of the quantities in the expansion coefficients is determined by the matrices in the quantities, except for that of the matrix potential X itself. The quantities with matrices contain the torsion tensor only in a peculiar form, and the others are independent of the torsion tensor.