
Showing papers by "Hiroki Takakura published in 2014"


Book Chapter
03 Nov 2014
TL;DR: A multistage one-class Support Vector Machine (OC-SVM) is applied to distinguish sophisticated attacks from trivial known ones and can obtain unknown attacks that are not stored in the archive.
Abstract: Cyber attacks have become more sophisticated. Existing countermeasures, e.g., Intrusion Detection Systems (IDS), cannot work well for detecting their existence. Although anomaly-based IDS is considered to be a promising approach to detect unknown attacks, it still lacks the ability to distinguish sophisticated attacks from trivial known ones. Therefore, we applied a multistage one-class Support Vector Machine (OC-SVM) to detect such serious attacks. At the first stage, two training data sets are retrieved from a traffic archive. One is used for training the OC-SVM, and then attacks are obtained from the other. Testing data from the real network are also examined by the same OC-SVM and attacks are extracted. The attacks from the traffic archive are used for training the OC-SVM at the second stage, and those from the real network are analyzed. Finally, we can obtain unknown attacks which are not stored in the archive.

12 citations


Proceedings Article
21 Jul 2014
TL;DR: This paper proposes an integrated sandbox system that deploys a secure and transparent proxy to analyze internal malicious network traffic and can safely identify the intention of the attackers without making them aware of the authors' surveillance.
Abstract: In contrast to conventional cyber attacks such as mass-infection malware, targeted attacks take a long time to complete their mission. By using dedicated malware for evading detection at the initial attack, an attacker quietly succeeds in setting up a front-line base in the target organization. Communication between the attacker and the base adopts popular protocols to hide its existence. Because conventional countermeasures deployed on the boundary between the Internet and the internal network will not work adequately, monitoring on the internal network becomes indispensable. In this paper, we propose an integrated sandbox system that deploys a secure and transparent proxy to analyze internal malicious network traffic. The adoption of software-defined networking technology makes it possible to redirect any internal traffic from/to a suspicious host to the system for an examination of its insidiousness. When our system finds malicious activity, the traffic is blocked. If the malicious traffic is regarded as mandatory, e.g., for controlled delivery, the system works as a transparent proxy to bypass it. For benign traffic, the system works as a transparent proxy as well. If binary programs are found in the traffic, they are automatically extracted and submitted to a malware analysis module of the sandbox. In this way, we can safely identify the intention of the attackers without making them aware of our surveillance.

7 citations


Proceedings Article
21 Jul 2014
TL;DR: A recommendation system to enhance the ability of a semi-automatic network design system previously proposed by the authors is discussed; it evaluates candidate countermeasures from the viewpoint of two criteria, the effectiveness against malicious activities and the impact on business.
Abstract: Recently, the sophistication of targeted cyber attacks has made conventional countermeasures useless for defending our network. Proper network design, i.e., moderate segmentation and adequate access control, is one of the most effective countermeasures to prevent stealthy activities of the attacks inside the network. By paying attention to violations of the control, we can become aware of the existence of the attacks. In case suspicious activities are found, we should adopt a stricter design for further analysis and mitigation of damage. However, an organization must assume that its network administrators have full knowledge of its business and enough information about its network structure for selecting the most suitable design. This paper discusses a recommendation system to enhance the ability of a semi-automatic network design system previously proposed by us. Our new system evaluates from the viewpoint of two criteria, the effectiveness against malicious activities and the impact on business. The former takes the infection probability and hazardousness of communication into account, and the latter considers the impact of the countermeasure on the organization's activities. By reviewing the candidate countermeasures with these criteria, the most suitable one for the organization can be selected.

6 citations


Patent
27 Jun 2014
TL;DR: In this paper, a user can search for photographs or videos and deep linking rules may be applied to images to discern images that might be desired by the user that otherwise would not be returned using conventional photo categorization and metadata searching.
Abstract: A user can search for photographs or videos and deep linking rules may be applied to images to discern images that might be desired by the user that otherwise would not be returned using conventional photo categorization and metadata searching.

1 citation