Budget Amount
¥6,920,000 (Direct Cost: ¥6,200,000, Indirect Cost: ¥720,000)
Fiscal Year 2007: ¥3,120,000 (Direct Cost: ¥2,400,000, Indirect Cost: ¥720,000)
Fiscal Year 2006: ¥3,800,000 (Direct Cost: ¥3,800,000)
Research Abstract
We developed a traceback system for malicious accesses on the Internet based on the similarity of the communication data of network flows. In order to protect the privacy of communications, we proposed a new modeling method for evaluating the similarity of communication data. Our modeling method expresses a network flow, i.e. a TCP connection, as a 256-dimensional vector consisting of the occurrence probabilities of the 8-bit codes in its data. Since this modeling is an irreversible data transformation, the privacy of the communication data is protected. Using this model, we can evaluate the similarity between communication flows. Given a 256-dimensional vector extracted from a network worm flow, we can detect flows of the same kind of worm by evaluating the similarity between that vector and the vector of each newly observed flow, because the vectors of flows of the same kind of network worm are very similar to each other. Consequently, we developed a highly accurate modeling method for identifying flows with similar contents. We also developed a distributed worm detection system that can detect network worms for which detection signatures have not yet been generated. The proposed detection system consists of a Global Detector and Local Detectors. If multiple similar flows are observed at a Local Detector within a short period, the Local Detector judges that this emergence of similar flows may be caused by network worm activity and sends the mean 256-dimensional vector of the similar flows to the Global Detector. To detect the occurrence of malicious accesses, the Global Detector evaluates the similarity among the vectors sent from the Local Detectors. In this manner, the proposed detection system can detect malicious network activities without signatures prepared in advance. Based on the similarity of vectors, we also proposed a new traceback system that can discover the point of release of a new malicious access. To find the point of release of a malicious access, the traceback system keeps three elements: the detection time at which a malicious flow was observed, the source IP address of the flow, and the 256-dimensional vector of the flow. By exchanging these three elements and evaluating the similarity, the traceback system can find the point of release of the malicious flow.
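The flow model and the Local Detector rule described in the abstract, as an added illustration that is not the project's own code. It assumes cosine similarity as the similarity measure and a fixed threshold and cluster size, none of which the abstract specifies; the sample flows are constructed, not captured traffic.

```python
from collections import Counter
import math

def flow_vector(payload: bytes) -> list:
    """256-dimensional model of one TCP flow: the occurrence probability of
    each 8-bit code in its payload. Byte order is discarded, so the mapping
    is irreversible and the payload cannot be recovered from the vector."""
    n = len(payload)
    if n == 0:
        return [0.0] * 256
    counts = Counter(payload)
    return [counts.get(code, 0) / n for code in range(256)]

def similarity(u, v) -> float:
    """Cosine similarity of two flow vectors. Assumption: the abstract does
    not name its measure; cosine is a natural choice for histograms."""
    dot = sum(a * b for a, b in zip(u, v))
    norm = math.sqrt(sum(a * a for a in u)) * math.sqrt(sum(b * b for b in v))
    return dot / norm if norm else 0.0

def mean_vector(vectors):
    return [sum(col) / len(vectors) for col in zip(*vectors)]

def local_detector(flows, threshold=0.9, min_similar=3):
    """Local Detector rule: if at least `min_similar` mutually similar flows
    appear in one observation window, return their mean vector (the value that
    would be sent to the Global Detector); otherwise return None.
    Threshold and minimum cluster size are assumptions."""
    vectors = [flow_vector(p) for p in flows]
    for v in vectors:
        cluster = [w for w in vectors if similarity(v, w) >= threshold]
        if len(cluster) >= min_similar:
            return mean_vector(cluster)
    return None

# Constructed sample flows (not real worm traffic): three near-identical
# worm-like payloads and three unrelated benign payloads.
WORM_BASE = b"\x90" * 64 + b"GET /scan?" + b"X" * 200 + b"\x00\xde\xad\xbe\xef"
WORM_FLOWS = [WORM_BASE, WORM_BASE.replace(b"scan", b"SCAN"), WORM_BASE + b"AB"]
BENIGN_FLOWS = [
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html><body>Hello</body></html>",
    bytes(range(256)),  # uniform byte distribution
    b"\x00" * 100,      # zero-filled transfer
]

if __name__ == "__main__":
    print("worm cluster reported:", local_detector(WORM_FLOWS + BENIGN_FLOWS) is not None)
    print("benign-only report:", local_detector(BENIGN_FLOWS))
```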