Takeshi Okamoto

Towards an Immunity-Based System for Detecting Masqueraders

An immunity-based approach that utilizes multiple profiles for detecting masqueraders in UNIX-like systems has been developed and evaluated. The approach was independent of the profile construction method. Experimental results can be summarized as follows: 1) the present approach outperformed a number of previous approaches; 2) performance was almost independent of the number of accounts when the number of accounts exceeded 10; 3) the addition of profiles enhanced performance.

Framework of an immunity-based anomaly detection system for user behavior

This paper focuses on anomaly detection in user behavior. We present a review of our immunity-based anomaly detection system, and propose a framework of the immunity-based anomaly detection system with a new mechanism of diversity generation. In the framework, each computer on a LAN generates diverse agents, and the agents generated on each computer are shared with all other computers on the LAN. The sharing of agents contributes to their diversity. In addition, we propose an evaluation framework of immunity-based anomaly detection, which is capable of evaluating the differences in detection accuracy between internal and external malicious users.

Toward an Artificial Immune Server against Cyber Attacks

Our previously described framework for an artificial immune server protects servers on the Internet against cyber attacks. The prototype of this artificial immune server adaptively acquired immunity against cyber attacks that exploit server vulnerabilities. This study describes our implementation of mechanisms of protection against denial of service (DoS) attacks, and their incorporation into the prototype system. Performance tests showed that, once the prototype system learned a certain DoS attack, it was able to cause DoS due to false detections. To reduce these false detections, we examined detection performance using simulated machine learning techniques. Random forest and extra trees classifiers were able to determine almost the highest true negative rate, achieving compatibility between a higher true positive rate and a faster learning speed. These findings indicated that these classifiers are suitable for mission-critical servers where high availability, including a high true negative rate and fast learning speed, is required.

SecondDEP: Resilient Computing that Prevents Shellcode Execution in Cyber-Attacks☆

Abstract This paper proposes a novel method of preventing shellcode execution even if DEP is bypassed. The method prevents Windows APIs from calling on a data area by API hooking, based on evidence that shellcode is executed in a data area and that the shellcode calls Windows APIs. Performance tests indicated that all samples of shellcode provided by Metasploit Framework, as well asthe 18 most recent attacks using Metasploit Framework, can be detected. Comparison of this method with anti-virus products showed that this method prevented shellcode execution, whereas anti-virus products failed. Another test showed that the overhead of the method has little effect on the performance of computer operations.

Mechanism for Generating Immunity-Based Agents that Detect Masqueraders

A new mechanism for generating agents, modeled on the immune system, has been incorporated into our previous immunity-based system for detecting masqueraders. Akin to T cells in the thymus, the agents capable of recognizing self from nonself, or legitimate users from masqueraders, are positively selected, while those that cannot are annihilated. In our experiments, our new system was better than our previous system at detecting external masqueraders. We also discuss the diversity and specificity of the agents.

A cyber attack-resilient server inspired by biological diversity

This paper describes a novel cyber attack-resilient server inspired by the concept of biological diversity. The server consists of several virtual machines running different operating systems and different implementations of the same server protocol specification. This approach is based on the observation that not all implementations are affected by the same vulnerability, except for vulnerabilities in specifications and on shared libraries. A prototype system was built and tested to evaluate the continuity of the service. The results showed that, by exploiting a vulnerability, the prototype system could suppress downtime of the DNS service to less than 4xa0s without false positives.

Towards an immunity-based anomaly detection system for network traffic

We have applied our previous immunity-based system to anomaly detection for network traffic, and confirmed that our system outperformed the single-profile method. For internal masquerader detection, the missed alarm rate was 11.21% with no false alarms. For worm detection, four random-scanning worms and the simulated metaserver worm were detected with no missed alarms and no false alarms, while a simulated passive worm was detected with a missed alarm rate of 80.57%.

An analysis of a model of computer viruses spreading via electronic mail

In this paper we consider a model of the spread of computer viruses which can spread over a wide area in a short time by electronic mail. In addition to clarifying how a virus spreads, the purpose of this paper is to obtain new ideas about virus countermeasures. In this analysis of how a virus spreads, we use a simple mathematical model and simulations to clarify the changes over time of the number of infections, the relationship between the number of computer connections and the number of infections, the effects of suppressing virus spread by improving the level of user knowledge against viruses, and the effects of suppressing virus spread using antivirus software.

A worm filter based on the number of unacknowledged requests

We propose a new filter for preventing computer worms from spreading. The new worm filter limits the number of unacknowledged requests, rather than the rate of connections to new computers. Normal network traffic is analyzed to determine appropriate parameters for the worm filter. Performance evaluation showed that the worm filter stops not only high-speed worms in the wild, but also simulated slow-speed worms. Finally, the weaknesses of the worm filter is discussed.

Towards an immunity-based system for detecting masqueraders

This paper proposes an immunity-based system for detecting masqueraders in UNIX-like systems. The system is based on the specificity and diversity of the immune system. In other words, the immunity-based system has a user-specific agent for every user, and makes use of multiple profiles, not a single profile. The use of multiple profiles can lead to an improvement in masquerader detection accuracy. In fact, the immunity-based method outperforms other two methods which was the best detection performance in the previous works. In addition, we propose an evaluation framework for the immunity-based masquerader detection system. The evaluation framework is capable of evaluating the differences in detection accuracy between internal and external masqueraders.