Suguru Yamaguchi

A proposal and implementation of automatic detection/collection system for cross-site scripting vulnerability

Cross-site scripting (XSS) attacks target Web sites with cookie-based session management, resulting in the leakage of privacy information. Although several server-side countermeasures for XSS attacks do exist, such techniques have not been applied in a universal manner, because of their deployment overhead and the poor understanding of XSS problems. This paper proposes a client-side system that automatically detects XSS vulnerability by manipulating either request or server response. The system also shares the indication of vulnerability via a central repository. The purpose of the proposed system is twofold: to protect users from XSS attacks, and to warn the Web servers with XSS vulnerabilities.

Path selection using active measurement in multi-homed wireless networks

The mobile Internet is built upon a number of different wireless access networks with widely varying features in terms of coverage area, bandwidth, packet loss, and delay. To move across these different networks smoothly, issues associated with the changing features need to be addressed. In this paper, a path selection method for the coverage overlap area is proposed in which the mobile host actively measures the round trip time (RTT) and bottleneck bandwidth for each path and a path is selected based on four rules.

Trust-Based VoIP Spam Detection Based on Call Duration and Human Relationships

Spam over Internet Telephony (SPIT) will become a serious threat in the near future because of the growing number of Voice over IP (VoIP) users. Due to the real-time processing requirements of voice communication, SPIT is more difficult to filter than email spam. We propose a trust-based mechanism that uses the duration of calls between users to distinguish legitimate callers and spammers. The trust value is adjustable according to the calling behavior. We also propose a trust inference mechanism in order to calculate a trust value for an unknown caller to a callee. Realistic simulation results show that our approaches are effective at discriminating spam calls from legitimate calls.

Performance evaluations of DCCP for bursty traffic in real-time applications

The Datagram Congestion Control Protocol (DCCP) has been proposed as a transport protocol which supports real-time traffic using window-based flow control. We investigate the DCCP performance for various traffic flows, focusing on how DCCP flows affect TCP flows and vice versa. Through those simulations, we examine an unfair bandwidth distribution problem caused by the incompatibility of DCCP with the fast recovery algorithm of TCP.

DBS : a powerful tool for TCP performance evaluations

Network performance measurement tools, mainly used for TCP performance evaluations, have serious problems that their applications are limited to single point-to-point configuration and only the mean throughput for long term are measurable. Their major drawback is that they cover only a subset of the entire TCP functions and small variations of network systems. In this paper, we proposed a TCP performance measurement tool called DBS (Distributed Benchmark System) which is aiming to give performance index with multi-point configuration and also in order to measure changes of throughput. It measures the performance of entire TCP functions in various operational environments. Experiments had been conducted using DBS to measure TCP end- to-end performance with various kinds of networks such as both LANs including FDDI, ATM, and HIPPI over ATM networks, and WANs including VSAT satellite channels. In short, DBS has the capability of both measuring and analyzing TCP performance more in details. Through these measurements, DBS unveiled details of TCP performance which cannot be realized by other existing tools.

An implementation of a hierarchical IP traceback architecture

The IP traceback technique detects sources of attack nodes and the paths traversed by anonymous DDoS (distributed denial of service) flows with spoofed source addresses. We propose a hierarchical IP traceback architecture, which decomposes the Internet-wide traceback procedure into inter-domain traceback and intradomain traceback. Our proposed method is different from existing approaches in that our method is independent from a single IP traceback mechanism, and domain decomposition is based on existing operational models of the Internet. Moreover, it has the capability of being used for not only the IPv4 network, but also the IPv6 network.

Introducing Role-Based Access Control to a Secure Virtual Machine Monitor: Security Policy Enforcement Mechanism for Distributed Computers

In recent years, as the data processed by governmental or commercial organizations increases, cases involving information leak have risen. It is difficult to control information on many distributed end-point computers using conventional security mechanisms. Therefore, we have been proposed a novel secure VMM (Virtual Machine Monitor) architecture which is used as a foundation of security policy enforcement on distributed computers. This paper especially introduces Role-based Access Control (RBAC) to the ID management framework in a secure VMM system. Our proposal will reduce costs for distributed policies updates. Proposed RBAC mechanism employs attribute certificates (ACs) to handle userpsilas roles. This paper shows design and prototype implementation based on PKI-based ID card and proven open source VMM software, QEMU.

Sender-initiated multicast forwarding scheme

We propose a sender-initiated multicast (SIM), specifically designed for small group communications such as teleconferencing and file distribution. Contrary to traditional IP multicast, SIM reduces the cost of allocating a global multicast address by attaching receiver addresses to the packet header. SIM routers route packets according to these addresses; therefore, the cost of the control traffic between routers can be lessened by applying the existing unicast routing table. The key feature of SIM is its preset mode, which uses SIM forwarding information base (FIB) entries on routers to achieve cost-efficient packet forwarding. Another feature is an automatically created SIM tunnel, which provides the ability to maintain SIM FIB only on routers that act as multicast branching points. We describe the SIM mechanism in detail, and present results evaluated through simulations. We show how SIM can achieve low cost in maintaining state information, cost-efficient packet forwarding, and incremental deployment.

SOSCast: Location Estimation of Immobilized Persons through SOS Message Propagation

This paper proposes the design of SOS Cast, an application that will assist the search for immobilized persons in a disaster area. When a catastrophic disaster such as an earthquake or tsunami occurs, people may be injured and trapped in damaged buildings and debris. Note that a prompt rescue operation during the first 72 hours is critical in saving many lives. However, it is difficult for immobilized persons to ask for help because conventional communication services such as cellular phone networks are quite likely to be severely damaged. In a particular affected area, the SOS Cast propagates SOS messages from immobilized persons through a direct communication between smart phones. By collecting these SOS messages, rescuers can estimate the locations of the immobilized persons and view it on their smart phones. We have shown in our preliminary experiment within a residential area that SOS Cast is capable of estimating the location of an immobilized person based on the collected SOS messages.

Using SOS message propagation to estimate the location of immobilized persons

This demonstration presents SOSCast, an application that will assist the search for immobilized persons in a disaster area. When a catastrophic disaster such as an earthquake or tsunami occurs, people may be immobilized because of an injury or become trapped in buildings and debris. However, in such a situation, since conventional communication services are likely to be severely damaged, it would be difficult for immobilized persons to ask for rescue using their mobile phones. As a solution, we present SOSCast, which propagates SOS messages through direct communication between smartphones most especially inside the disaster area. By collecting these SOS messages, rescuers can estimate the locations of people who need help using the application. In this demonstration, we will show our prototype implementation of the SOSCast for SOS message processing and its map function to estimate the location of immobilized persons.