Publication


Featured research published by Yuji Waizumi.


Computer Communications | 2008

Detecting DRDoS attacks by a simple response packet confirmation mechanism

Hiroshi Tsunoda; Kohei Ohta; Atsunori Yamamoto; Nirwan Ansari; Yuji Waizumi; Yoshiaki Nemoto

In this paper, we propose a simple and robust method to detect Distributed Reflective Denial of Service (DRDoS) attacks. In DRDoS attacks, the victim is bombarded by reflected response packets from legitimate hosts, and thus it is difficult to distinguish attack packets from legitimate packets. We focus on the fact that the types of packets used for DRDoS are limited and predictable. Hence, the proposed method monitors only limited pairs of requests and responses, and confirms the validity of the received response packets based on the request-response relationship. Therefore, the proposed method does not need complicated state management such as the stateful inspection method, and thus the detection mechanism becomes simple. We also analyze the complexity of the proposed method, and show that the proposed method requires low processing cost as compared with the conventional method. Through experiments using a real networking environment, we demonstrate that the proposed method can accurately detect DRDoS packets at a low cost.


Security and Communication Networks | 2009

Combating against internet worms in large-scale networks: an autonomic signature-based solution

Kumar Simkhada; Tarik Taleb; Yuji Waizumi; Abbas Jamalipour; Yoshiaki Nemoto

In this paper, we propose a signature-based hierarchical email worm detection (SHEWD) system to detect e-mail worms in large-scale networks. The proposed system detects novel worms and instantly generates their signatures. This feature helps to check the spread of any kind of worm—known or unknown. We envision a two-layer hierarchical architecture comprising local security managers (LSMs), metropolitan security managers (MSMs), and a global security manager (GSM). Local managers collect suspicious flows and hand them to metropolitan managers. Metropolitan managers then use cluster analysis to sort worms from the suspicious flows. The sorted worms are used to generate the worm signature which is relayed to the global manager and then to all the collaborating networks. A separate scheme is proposed to automatically select suitable values of the system parameters. This parameter selection procedure takes into account the current network state and the threat level of the ongoing attack. The performance of the whole system is investigated using real network traffic with traces of worms. Experimental results demonstrate that the proposed scheme is capable of accurately detecting email worms during the early phase of their propagation.


Journal of Information Security | 2012

A Multi-Stage Network Anomaly Detection Method for Improving Efficiency and Accuracy

Yuji Waizumi; Hiroshi Tsunoda; Masashi Tsuji; Yoshiaki Nemoto

Because of the explosive growth of intrusions, the necessity of anomaly-based Intrusion Detection Systems (IDSs), which are capable of detecting novel attacks, is increasing. Among those systems, flow-based detection systems, which use a series of packets exchanged between two terminals as a unit of observation, have the advantage of being able to detect anomalies that are included in only some specific sessions. However, in large-scale networks where a large number of communications take place, analyzing every flow is not practical. On the other hand, timeslot-based detection systems need not prepare a number of buffers, although it is difficult to specify anomalous communications. In this paper, we propose a multi-stage anomaly detection system which is a combination of timeslot-based and flow-based detectors. The proposed system can reduce the number of flows which need to be subjected to flow-based analysis but yet exhibits high detection accuracy. Through experiments using a data set, we present the effectiveness of the proposed method.


International Conference on Communications | 2006

An Efficient Signature-Based Approach for Automatic Detection of Internet Worms over Large-Scale Networks

Kumar Simkhada; Tarik Taleb; Yuji Waizumi; Abbas Jamalipour; Nei Kato; Yoshiaki Nemoto

Internet worms pose a serious threat to today's Internet. Signature matching is an important approach to detect worms. However, as most signature development processes are manual, they require significant time. They are thus not efficient in reducing the damage worms may cause. In this paper, an efficient signature-based method is proposed for automatic detection of worms over large-scale networks. In the proposed system, detection is performed in a hierarchical manner. Security managers of local networks collect worm-like or suspicious flows and hand these flows to high-hierarchy metropolitan managers. In response, the latter use this information to generate a robust signature. The global manager, which lies on top of the hierarchy, multicasts the signature to local managers via metropolitan managers. This enables local managers to detect worms that try to penetrate into their networks. The proposed system is evaluated using off-line real network traffic that contains traces of worms. Experimental results indicate that the proposed system exhibits high detection rates with low false alarm rates.


Conference on Communication Networks and Services Research | 2009

A Prioritized Retransmission Mechanism for Reliable and Efficient Delivery of Syslog Messages

Hiroshi Tsunoda; Takafumi Maruyama; Kohei Ohta; Yuji Waizumi; Glenn Mansfield Keeni; Yoshiaki Nemoto

Logs generated by operating systems and application programs provide important information to a network administrator. Logs are used for various purposes including security management, audit, and forensics of the intranet. To use logs for such purposes, it is important that logs are reliably retrieved from hosts in the intranet. But the syslog protocol, which is widely used for network logging, does not meet this requirement. Thus, the use of TCP for improving the reliability is being standardized at the IETF. However, TCP is not effective for providing the reliability in terms of cost and delay. In this paper, we examine the issues and requirements of network logging based on experiments in a real network environment and point out problems of TCP. Then we propose an efficient mechanism for the reliable delivery of syslog messages and validate its effectiveness through NS-2 simulations.


International Symposium on Multimedia | 2005

Differencing worm flows and normal flows for automatic generation of worm signatures

Kumar Simkhada; Hiroshi Tsunoda; Yuji Waizumi; Yoshiaki Nemoto

Internet worms pose a serious threat to networks. Most current intrusion detection systems (IDSs) take a signature matching approach to detect worms. Given the fact that most signatures are developed manually, generating new signatures for each variant of a worm incurs significant overhead. In this paper, we propose a difference-based scheme which differences worm flows and normal flows to generate robust worm signatures. The proposed scheme is based on two observational facts: worm flows contain several invariant portions in their payloads, and core worm codes do not exist in normal flows. It uses samples of worm flows detected by available means to extract common tokens. It then differences the set of these tokens with those of normal flows and generates signature candidates. By using such signatures within enterprises, out of reach of worm writers, the possibility of being tricked by worm writers can be reduced. We evaluate the proposed scheme using real network traffic traces that contain worms. Experimental results show that the proposed scheme exhibits a high detection rate with low false positives.


Journal of Communications and Networks | 2011

Development of a WLAN based monitoring system for group activity measurement in real-time

Hiroshi Tsunoda; Hidehisa Nakayama; Kohei Ohta; Akihiro Suzuki; Hiroki Nishiyama; Ryoichi Nagatomi; Kazuo Hashimoto; Yuji Waizumi; Glenn Mansfield Keeni; Yoshiaki Nemoto

In recent years, there has been a rise in epidemiological evidence suggesting the health benefits of a physically active lifestyle. However, it is not always easy for individuals to personally recognize the optimal conditions for exercise and physical activity. Wearable acceleration-based pedometers have become widely used in estimating the amount of physical activity, and to a limited extent, providing information regarding exercise intensity, but they have never been used to assess adaptation to exercise. In order to realize simultaneous activity monitoring for multiple users exercising outdoors, we developed a prototype wireless local area network (WLAN) based system. In our system, a WLAN is deployed outside, and a user wearing a smart phone and monitoring device exercises freely within the coverage area of the wireless network. By doing so, the developed system is able to monitor the activity of each user and measures various parameters including those related to exercise adaptation. In a demonstration experiment, the developed system was evaluated and used to monitor users enjoying a Nordic walk, after which users were immediately able to receive their exercise report. In this paper, we discuss the requirements and issues in developing an activity monitoring system and report the findings we obtained through the demonstration experiment.


Wireless Communications and Networking Conference | 2008

Network Application Identification Using Transition Pattern of Payload Length

Shinnosuke Yagi; Yuji Waizumi; Hiroshi Tsunoda; Abbas Jamalipour; Nei Kato; Yoshiaki Nemoto

In recent years, information leakage through the Internet has become a new social problem. Many information leakage incidents are caused by illegal applications such as peer-to-peer (P2P) file sharing software. To prevent information leakage, early detection and blocking of the traffic exchanged by illegal applications is strongly required. In this paper, we propose a method for application discrimination of monitored traffic based on the transition pattern of payload length during start up phase of the communication. The proposed method does not need port numbers, which can be spoofed easily. Through experiments using real network traffic, we show that the proposed method can quickly and accurately discriminate applications.


International Conference on Communications | 2007

Distributed Early Worm Detection Based on Payload Histograms

Yuji Waizumi; Masashi Tsuji; Hiroshi Tsunoda; Nirwan Ansari; Yoshiaki Nemoto

Epidemic worms have become a social problem owing to their potency in paralyzing the Internet, thus affecting our way of life. Recent research has pointed out that epidemic worms can propagate similar payloads rapidly. It was shown that it is possible to evaluate similarities between these payloads in terms of a 256-dimensional vector based on histograms of the appearance frequencies of 256 character codes. This observation has also been confirmed by our earlier works. However, this method, if applied to flows from only one network, which means a network managed by an independent organization, is prone to a high rate of false positives in cases such as when normal emails are sent through a mailing list. To overcome this problem, we propose a new scheme which checks for any similarity between flows detected at several IDSs in a distributed environment. The proposed scheme is based on the fact that normal payloads propagating from different networks are different, whereas in the case of epidemic worms, payloads propagated through different networks but generated by the same worm exhibit similarity. We have demonstrated the effectiveness of the proposed scheme through extensive experiments using real network traffic that contains worms.


Journal of the Physical Society of Japan | 2014

Bayesian Image Segmentations by Potts Prior and Loopy Belief Propagation

Kazuyuki Tanaka; Shun Kataoka; Muneki Yasuda; Yuji Waizumi; Chiou-Ting Hsu

This paper presents a Bayesian image segmentation model based on Potts prior and loopy belief propagation. The proposed Bayesian model involves several terms, including the pairwise interactions of Potts models, and the average vectors and covariant matrices of Gauss distributions in color image modeling. These terms are often referred to as hyperparameters in statistical machine learning theory. In order to determine these hyperparameters, we propose a new scheme for hyperparameter estimation based on conditional maximization of entropy in the Potts prior. The algorithm is given based on loopy belief propagation. In addition, we compare our conditional maximum entropy framework with the conventional maximum likelihood framework, and also clarify how the first order phase transitions in LBPs for Potts models influence our hyperparameter estimation procedures.

Collaboration


Top Co-Authors

Hiroshi Tsunoda

Tohoku Institute of Technology
