Yasuo Okabe

Toward a more practical unsupervised anomaly detection system

During the last decade, various machine learning and data mining techniques have been applied to Intrusion Detection Systems (IDSs) which have played an important role in defending critical computer systems and networks from cyber attacks. Unsupervised anomaly detection techniques have received a particularly great amount of attention because they enable construction of intrusion detection models without using labeled training data (i.e., with instances preclassified as being or not being an attack) in an automated manner and offer intrinsic ability to detect unknown attacks; i.e., 0-day attacks. Despite the advantages, it is still not easy to deploy them into a real network environment because they require several parameters during their building process, and thus IDS operators and managers suffer from tuning and optimizing the required parameters based on changes of their network characteristics. In this paper, we propose a new anomaly detection method by which we can automatically tune and optimize the values of parameters without predefining them. We evaluated the proposed method over real traffic data obtained from Kyoto University honeypots. The experimental results show that the performance of the proposed method is superior to that of the previous one.

Cooperation of Intelligent Honeypots to Detect Unknown Malicious Codes

Honeypot is one of the most popular tools to decoy attackers into our network, and to capture lots of information about the activity of malicious attackers. By tracing and analyzing collected traffic data, we can find out unknown malicious codes under an experimental stage before some codes become hazardous to an application. Although many honeypots have been proposed, there is a common problem that they can be detected easily by malicious attackers. This is very important in success or failure of honeypots because if once an attacker notices that he/she is working on a honeypot, we can no longer observe his/her malicious activities. In this paper, we propose two types of honeypot to collect unforeseen exploit codes automatically while maintaining their concealment against malicious attackers; cooperation based active honeypot and self-protection type honeypot. We have evaluated the proposed honeypots which are deployed in Kyoto University, and showed that they have capability to collect some unknown malicious codes.

Reliable Streaming Transmission Using PR-SCTP

Combination of RTP and UDP is commonly used in real-time video streaming, today. In fear of packet loss, FEC may be used to recover the lost packet data in RTP. But there is a limit in the tolerance to a burst packet loss. We propose to transmit real-time video streams that have tolerance to a burst packet loss by combining RTP with PR-SCTP. By retransmission within the range of the delay restriction specified by PR-SCTP while doing buffering, the tolerance to a burst packet loss can be improved in exchange for some delay.We have implemented the proposed method as a translator of RTP in consideration of interoperability with the existing application implemented with RTP/UDP. And we artificially caused the burst-packet loss as an experiment in the translator and evaluate the outcome of an experiment.

Single backup table schemes for shortest-path routing

We introduce a new recovery scheme that needs only one extra backup routing table for networks employing shortest-path routing. By precomputing this backup table, the network recovers from any single link failure immediately after the failure occurs. To compute the backup routing table for this scheme, we use an almost linear time algorithm to solve the {r, v}-problem, which is a variation of the best swap problem presented by Nardelli et al. We further show that the same solution can be computed in exactly linear time if the underlying graph is unweighted.

A comprehensive approach to detect unknown attacks via intrusion detection alerts

Intrusion detection system(IDS) has played an important role as a device to defend our networks from cyber attacks. However, since it still suffers from detecting an unknown attack, i.e., 0-day attack, the ultimate challenge in intrusion detection field is how we can exactly identify such an attack. This paper presents a novel approach that is quite different from the traditional detection models based on raw traffic data. The proposed method can extract unknown activities from IDS alerts by applying data mining technique.We evaluated our method over the log data of IDS that is deployed in Kyoto University, and our experimental results show that it can extract unknown(or under development) attacks from IDS alerts by assigning a score to them that reflects how anomalous they are, and visualizing the scored alerts.

A Privacy-Secure Content Trading System for Small Content Providers Using Semi-Blind Digital Watermarking

A privacy-secure content trading system based on semi-blind fingerprinting which provides privacy-secure content trading as secure as blind fingerprinting at feasible processing cost with sufficient robustness is evaluated in this paper. This system assures both a content provider and a purchaser of a fair trading which is effective in a market where purchasers deal with a number of small or not so reliable content providers. We have implemented the system in which a useful tool should be provided for the market by amending inherent defects of conventional methods. In the basic models of conventional fingerprinting, the users security is guaranteed only under the premise that a content provider was perfectly trustworthy. Such premise makes a system unpractical. In order to cope with the problem, various fingerprinting schemes have been proposed in which cryptography technique utilized in order to protect users privacy. However, these are found to be unpractical due to the heavy computation cost and insufficient robustness of watermarking against manipulations. The semi-blind fingerprinting fulfills the need for both feasibility and robustness by altering encryption into the one with image decomposition that could blind an image to be unrecognizable. Image decomposition and a customized embedding algorithm are implemented to a web-based system, whose perceptual condition of decomposed images and robustness of watermark has been evaluated.

A packet-in message filtering mechanism for protection of control plane in openflow networks

Protecting control planes in networking hardware from high rate packets is a critical issue for networks under operation. One common approach for conventional networking hardware is to offload expensive functions onto hard-wired offload engines as ASICs. OpenFlow networks are expected to provide greater network control flexibility by an open interface to the packet-forwarding plane and by centralized controllers. In OpenFlow networks, the approach for conventional networking hardware alone is inadequate because it restricts a certain amount of flexibility that OpenFlow is expected to provide. Therefore, we need a generic control plane protection mechanism in OpenFlow switches as a last resort. In this paper, we propose a mechanism to filter out Packet-In messages without dropping important ones for network control. Our proposed mechanism works simply. Switches record the values of packet header fields before sending Packet-In messages, which are specified by the controllers in advance, and filter out packets that have the same values as the recorded ones. We implemented and evaluated the proposed mechanism on a prototype software switch, concluding that it dramatically reduces CPU loads in the switches and passes important Packet-In messages for network control.

Quality-aware energy routing toward on-demand home energy networking: (Position paper)

An on-demand electric power supply architecture in home based on quality-aware routing is proposed. In the architecture power sources and powered devices send quality parameters by which they supply or consume electric power. The network itself chooses best matching of a source and a device, and makes reservation of a path by RSVP-based QoS routing mechanism. In this paper the basic concepts and the overview of the proposed architecture is described.

High-Performance Intrusion Detection Using OptiGrid Clustering and Grid-Based Labelling

This research aims to construct a high-performance anomaly based intrusion detection system. Most of past studies of anomaly based IDS adopt k-means based clustering, this paper points out that the following reasons cause performance degradation of k-means based clustering when it is deployed in real traffic environment. First, k-means based algorithms have weakness for high dimensional data. Second, in spite of non-hyper spherical distribution of normal traffic in a feature space, these algorithms can only create hyper spherical clusters. Furthermore, unsophisticated algorithms to label clusters cannot achieve high detection performance. In order to solve these issues, this paper proposes a modification of OptiGrid clustering and a cluster labelling algorithm using grids. OptiGrid has robust ability to high dimensional data. Our labelling algorithm divides the feature space into grids and labels clusters using the density of grids. The combination of these two algorithms enables a system to extract the feature of traffic data and classifies the data as attack or normal correctly. We have implemented our system and confirmed efficiency of our system by utilizing both KDDCUP1999 data sets and Kyoto 2006+ data sets.

A Clustering Method for Improving Performance of Anomaly-Based Intrusion Detection System

Intrusion detection system (IDS) has played a central role as an appliance to effectively defend our crucial computer systems or networks against attackers on the Internet. The most widely deployed and commercially available methods for intrusion detection employ signature-based detection. However, they cannot detect unknown intrusions intrinsically which are not matched to the signatures, and their methods consume huge amounts of cost and time to acquire the signatures. In order to cope with the problems, many researchers have proposed various kinds of methods that are based on unsupervised learning techniques. Although they enable one to construct intrusion detection model with low cost and effort, and have capability to detect unforeseen attacks, they still have mainly two problems in intrusion detection: a low detection rate and a high false positive rate. In this paper, we present a new clustering method to improve the detection rate while maintaining a low false positive rate. We evaluated our method using KDD Cup 1999 data set. Evaluation results show that superiority of our approach to other existing algorithms reported in the literature.