
Publication


Featured researches published by Yukiko Yamaguchi.


computer software and applications conference | 2016

Malware Detection with Deep Neural Network Using Process Behavior

Shun Tobiyama; Yukiko Yamaguchi; Hajime Shimada; Tomonori Ikuse; Takeshi Yagi

The increase of malware and advanced cyber-attacks is now becoming a serious problem. Unknown malware which has not been determined by security vendors is often used in these attacks, and it is becoming difficult to protect terminals from their infection. Therefore, a countermeasure for after infection is required. There are some malware infection detection methods which focus on the traffic data that comes from malware. However, it is difficult to perfectly detect infection only using traffic data because it imitates benign traffic. In this paper, we propose a malware process detection method based on process behavior in possibly infected terminals. In the proposal, we investigated stepwise application of Deep Neural Networks to classify malware processes. First, we train the Recurrent Neural Network (RNN) to extract features of process behavior. Second, we train the Convolutional Neural Network (CNN) to classify feature images which are generated by the extracted features from the trained RNN. We evaluated the results for several image sizes by comparing the AUC of the obtained ROC curves, and we obtained AUC = 0.96 in the best case.


international conference on computational linguistics | 2002

Example-based speech intention understanding and its application to in-car spoken dialogue system

Shigeki Matsubara; Shinichi Kimura; Nobuo Kawaguchi; Yukiko Yamaguchi; Yasuyoshi Inagaki

This paper proposes a method of speech intention understanding based on dialogue examples. The method uses a spoken dialogue corpus with intention tags to regard the intention of each input utterance as that of the sentence to which it is the most similar in the corpus. The degree of similarity is calculated according to the degree of correspondence in morphemes and dependencies between sentences, and it is weighted by the dialogue context information. An experiment on inference of utterance intentions using a large-scale in-car spoken dialogue corpus of CIAIR has shown 68.9% accuracy. Furthermore, we have developed a prototype system of in-car spoken dialogue processing for a restaurant retrieval task based on our method, and confirmed the feasibility of the system.


2012 International Conference on Cyber Security | 2012

An Adaptive Honeypot System to Capture IPv6 Address Scans

Kazuya Kishimoto; Kenji Ohira; Yukiko Yamaguchi; Hirofumi Yamaki; Hiroki Takakura

The vastness of the IPv6 address space and the rapid spread of its deployment attract us to usage of IPv6 networks. Various types of devices, including embedded systems, are ready to use IPv6 addresses and some of them have already been connected directly to the Internet. Such a situation entices attackers to change their strategies and choose the embedded systems as their targets. We have to deploy various types of honeypots on IPv6 networks to trace their activities and infer their objectives. The huge address space and wide variety of devices, however, suggest the limitation of conventional honeypots. In this paper, we propose a system that dynamically assigns an address to a honeypot by detecting an access to an unassigned address. We also present our strategy against IPv6 address scans by making honeypots collaborate with each other.


computer software and applications conference | 2014

Development of a Secure Traffic Analysis System to Trace Malicious Activities on Internal Networks

Soshi Hirono; Yukiko Yamaguchi; Hajime Shimada; Hiroki Takakura

In contrast to conventional cyber attacks such as mass infection malware, targeted attacks take a long time to complete their mission. By using a dedicated malware for evading detection at the initial attack, an attacker quietly succeeds in setting up a front-line base in the target organization. Communication between the attacker and the base adopts popular protocols to hide its existence. Because conventional countermeasures deployed on the boundary between the Internet and the internal network will not work adequately, monitoring on the internal network becomes indispensable. In this paper, we propose an integrated sandbox system that deploys a secure and transparent proxy to analyze internal malicious network traffic. The adoption of software defined networking technology makes it possible to redirect any internal traffic from/to a suspicious host to the system for an examination of its insidiousness. When our system finds malicious activity, the traffic is blocked. If the malicious traffic is regarded as mandatory, e.g., for controlled delivery, the system works as a transparent proxy to bypass it. For benign traffic, the system works as a transparent proxy, as well. If binary programs are found in traffic, they are automatically extracted and submitted to a malware analysis module of the sandbox. In this way, we can safely identify the intention of the attackers without making them aware of our surveillance.


Archive | 2005

Construction and Analysis of a Multi-Layered In-car Spoken Dialogue Corpus

Nobuo Kawaguchi; Shigeki Matsubara; Itsuki Kishida; Yuki Irie; Hiroya Murao; Yukiko Yamaguchi; Kazuya Takeda; Fumitada Itakura

In this chapter, we will discuss the construction of the multi-layered in-car spoken dialogue corpus and the preliminary result of the analysis. We have developed the system specially built in a Data Collection Vehicle (DCV) which supports synchronous recording of multi-channel audio data from 16 microphones that can be placed in flexible positions, multi-channel video data from 3 cameras and the vehicle related data. Multimedia data has been collected for three sessions of spoken dialogue with different types of navigator in about 60-minute drive by each of 800 subjects. We have defined the Layered Intention Tag for the analysis of dialogue structure for each of speech unit. Then we have marked the tag to all of the dialogues for over 35,000 speech units. By using the dialogue sequence viewer we have developed, we can analyze the basic dialogue strategy of the human-navigator. We also report the preliminary analysis of the relation between the intention and linguistic phenomenon.


international conference on information systems security | 2015

Malware classification method based on sequence of traffic flow

Hyoyoung Lim; Yukiko Yamaguchi; Hajime Shimada; Hiroki Takakura

Network-based malware classification plays a more important role in improving system security than system-based malware classification. The vast majority of malware needs network activity in order to accomplish its purpose (e.g., downloading malware, connecting to a C&C server, etc.). Many malware classification approaches based on network behavior have thus been proposed. Nevertheless, they merely rely on either a request URL or payload for signature matching. To classify the network activity of malware, the patterns of network behavior must be understood and the changes in behavior observed. Therefore, the sequence of flows and their correlation caused by the malware should be analysed. In this paper, we present a novel malware classification method based on clustering of flow features and sequence alignment algorithms for computing sequence similarity, which represents network behavior of malware. We focus on analysing the sequence similarity between the sequence patterns of malware traffic flow generated by executing malware on the dynamic analysing system. We also performed an evaluation by using malware traffic collected from a real environment. On the basis of our experimental results, we identified the most appropriate method for classifying malware by similarity of network activity.


international conference on neural information processing | 2014

Unknown Attack Detection by Multistage One-Class SVM Focusing on Communication Interval

Shohei Araki; Yukiko Yamaguchi; Hajime Shimada; Hiroki Takakura

Cyber attacks have become more sophisticated. Existing countermeasures, e.g., Intrusion Detection Systems (IDS), cannot work well for detecting their existence. Although anomaly-based IDS is considered to be a promising approach to detect unknown attacks, it still lacks the ability to distinguish sophisticated attacks from trivial known ones. Therefore, we applied multistage one-class Support Vector Machine (OC-SVM) to detect such serious attacks. At the first stage, two training data sets are retrieved from a traffic archive. One is used for training the OC-SVM, and then attacks are obtained from the other. Testing data from a real network are also examined by the same OC-SVM and attacks are extracted. The attacks from the traffic archive are used for training the OC-SVM at the second stage and those from the real network are analyzed. Finally, we can obtain unknown attacks which are not stored in the archive.


computer software and applications conference | 2014

A Countermeasure Recommendation System against Targeted Attacks with Preserving Continuity of Internal Networks

Hirokazu Hasegawa; Yukiko Yamaguchi; Hajime Shimada; Hiroki Takakura

Recently, the sophistication of targeted cyber attacks makes conventional countermeasures useless to defend our network. Proper network design, i.e., moderate segmentation and adequate access control, is one of the most effective countermeasures to prevent stealth activities of the attacks inside the network. By paying attention to the violation of the control, we can be aware of the existence of the attacks. In case suspicious activities are found, we should adopt a stricter design for further analysis and mitigation of damage. However, an organization must assume that its network administrators have full knowledge of its business and enough information of its network structure for selecting the most suitable design. This paper discusses a recommendation system to enhance the ability of a semi-automatic network design system previously proposed by us. Our new system evaluates from the viewpoint of two criteria, the effectiveness against malicious activities and the impact on business. The former takes the infection probability and hazardousness of communication into account and the latter considers the impact of the countermeasure which affects the organization's activities. By reviewing the candidate countermeasures with these criteria, the most suitable one for the organization can be selected.


computer software and applications conference | 2013

ARIGUMA Code Analyzer: Efficient Variant Detection by Identifying Common Instruction Sequences in Malware Families

Yang Zhong; Hirofumi Yamaki; Yukiko Yamaguchi; Hiroki Takakura

It is required in the first step of malware analysis to determine whether a given malware program is a variant of known ones. If it is surely not a variant, manual analysis against it is required. However, it is impossible to perform manual analysis, the cost of which is very high, over all the enormous number of newly found malware programs. An automatic and accurate malware program classification method should contribute to this situation. Existing methods suffer from such problems as the cost of calculating similarity between every pair of malware programs in a database, and the inability to precisely present the similarity and the difference between programs. In our approach, known malware programs are classified into families. A given malware program is determined to be a variant if it is classified into an existing family. Incremental clustering is then performed for the new one and the family, which reduces the cost of re-training and similarity calculation. Accurate comparison between programs is enabled by evaluating the difference between programs using the longest common subsequences (LCSs) of instructions. To reduce the amount of the costly calculation of LCSs, the numeric features of codes, such as cyclomatic complexity, the number of function calls and so on, are used to filter out dissimilar codes. Subsequences in the LCS of two codes are presented to malware analysts as the similarity between them, while those out of it are given as the difference. Experimental results show that this method can detect the names of APIs used in a malware which existing methods cannot, that it is useful to determine inserted codes which are used for generating variants to avoid pattern detection by anti-virus, and that it actually reduces the time to process malware programs without deteriorating the accuracy of classification.


pacific rim international conference on multi-agents | 2009

Memory Complexity of Automated Trust Negotiation Strategies

Indika H. Katugampala; Hirofumi Yamaki; Yukiko Yamaguchi

Automated Trust Negotiation (ATN) has been proposed as a mechanism to establish mutual trust among strangers. Protocols and strategies to be used during ATN have also been studied. When considering the real world usage of ATN, there are many factors to be considered. One of the factors that has not been addressed by previous studies is the memory complexity of negotiation strategies. This paper analyses the memory complexities of previously proposed negotiation strategies and evaluates the average memory consumption through simulations using an ATN framework for web services. The experimental results revealed that the memory complexity of the Parsimonious strategy grows exponentially as the number of credentials increases, which is consistent with the theoretical analysis. As a solution, a method to reduce the memory consumption by exploiting the knowledge each entity has about the negotiation is presented. In addition, the paper presents a new criterion that enables the truncation of the negotiation to reduce the memory consumption in situations where the negotiation fails. Experimental results, which show the effectiveness of the above methods in reducing the memory consumption and negotiation length, are also presented.
