Distributed Network anomaly Detection using Multiresolutional Observables

• Project/Area Number: 20300023
• Research Category: Grant-in-Aid for Scientific Research (B)
• Allocation Type: Single-year Grants
• Section: 一般
• Research Field: Computer system/Network
• Research Institution: Tohoku University
• Principal Investigator: NEMOTO Yoshiaki 東北大学, 大学院・情報科学研究科, 理事 (60005527)
• Co-Investigator(Kenkyū-buntansha): WAIZUMI Yuji 東北大学, 大学院・情報科学研究科, 准教授 (90333872) ; TSUNODA Hiroshi 東北工業大学, 工学部・情報通信工学科, 講師 (30400302)
• Project Period (FY): 2008 – 2010
• Project Status: Completed (Fiscal Year 2010)
• Budget Amount: ¥8,970,000 (Direct Cost: ¥6,900,000、Indirect Cost: ¥2,070,000); Fiscal Year 2010: ¥2,600,000 (Direct Cost: ¥2,000,000、Indirect Cost: ¥600,000); Fiscal Year 2009: ¥1,820,000 (Direct Cost: ¥1,400,000、Indirect Cost: ¥420,000); Fiscal Year 2008: ¥4,550,000 (Direct Cost: ¥3,500,000、Indirect Cost: ¥1,050,000)
• Keywords: 情報システム / セキュア / ネットワーク / 異常検知 / 処理時間推定 / 異常原因特定 / 不正利用ソフトウエア / 相関係数発生確率行列 / ホスト単位観測 / 順位相関係数

Research Abstract

A network anomaly detection system has been developed. This system can achieve high detection accuracy by using feature values extracted with plural algorithms from network flows of which packets are aggregated based on their IP addresses and port numbers. The system can higher detection rate with feature values collected from distributed observation points.

Research Products

• [Journal Article] Network Application Identification Based on Communication Characteristics of Application Messages (2011)
  • Author(s): Y. Waizumi、 Y. Tsukabe, 、H. Tsunoda, Y. Nemoto、K. Tanaka
  • Journal Title: Journal of Communication And Computer Volume: No.8 Pages: 111-119
  • Peer Reviewed
• [Journal Article] Network Application Identification Based on Communication Characteristics of Application Messages (2011)
  • Author(s): Y.Waizumi, Y.Tsukabe, H.Tsunoda, Y.Nemoto, K.Tanaka
  • Journal Title: Journal of Communication And Computer Volume: 2
  • Peer Reviewed
• [Journal Article] メッセージの遷移パターンに基づくネットワークアプリケーション識別システムの試作 (2010)
  • Author(s): 和泉勇治、阿部康一、根元義章
  • Journal Title: 電子情報通信学会論文誌D Volume: J93-D Pages: 2257-2267
  • NAID: 110007730883
  • Peer Reviewed
• [Journal Article] Combating against internet worms in large-scale networks : an autonomic signature-based solution (2009)
  • Author(s): K. Simkhada, T. Taleb, Y. Waizumi, A. Jamalipour, Y. Nemoto
  • Journal Title: SECURITY AND COMMUNICATION NETWORKS Pages: 11-28
  • Peer Reviewed
• [Journal Article] Network Application Identification Based on Communication characteristics of Application Messages (2009)
  • Author(s): Y.Waizumi, Y.Tsukabe, H.Tsunoda, Y.Nemoto
  • Journal Title: Proc.of WCSET 2009 60 Pages: 708-713
  • Peer Reviewed
• [Journal Article] A New Traffic Pattern Matching for DDoS Traceback Using In dependent Component Analysis (2009)
  • Author(s): Y.Waizumi, T.Sato, Y.Nemoto
  • Journal Title: Proc.of WCSET 2009 60 Pages: 701-707
  • Peer Reviewed
• [Journal Article] Combating against internet worms in large-scale networks : an autonomic signature-based solution (2009)
  • Author(s): K. Simkhada, T. Taleb, Y. Waizumi, A. Jamalipour, Y. Nemoto
  • Journal Title: SECURITY AND COMMUNICATION NETWORKS 2 Pages: 11-28
  • Peer Reviewed
• [Journal Article] Detecting Dodos attacks by a simple response packet confirmation mechanism (2008)
  • Author(s): H. Tsunoda, K. Ohta, A. Yamamoto, N. Ansari, Y. Waizumi, Y. Nemoto
  • Journal Title: Computer Communications Volume: No.3 Pages: 3299-3306
  • Peer Reviewed
• [Journal Article] Detecting DRDoS attacks by a simple response packet confirmation mechanism (2008)
  • Author(s): H. Tsunoda, K. Ohta, A. Yamamoto, N. Ansari, Y. Waizumi, Y. Nemoto
  • Journal Title: Computer Communications 31 Pages: 3299-3306
  • Peer Reviewed
• [Journal Article] A Reliable Network Application Identification Based on Transition Pattern of Payload Length (2008)
  • Author(s): S. Yagi, Y. Waizumi, H. Tsunoda, Y. Nemoto
  • Journal Title: IEEE Globecom 2008 (CDROM)
  • Peer Reviewed
• [Journal Article] Network Application Identification Using Transition Pattern of Payload Length (2008)
  • Author(s): S. Yagi, Y. Waizumi, H. Tsunoda, A. Jamalipour, N. Kato, Y. Nemoto
  • Journal Title: IEEE WCNC 2008 (CDROM)
  • Peer Reviewed
• [Presentation] 複数の携帯回線を利用した画像転送システムの試作 (2010)
  • Author(s): 和泉勇治、角田裕、根元義章, 他
  • Organizer: 電子情報通信学会通信方式研究会
  • Place of Presentation: 奥入瀬渓流ホテル(青森)
  • Year and Date: 2010-04-27
• [Presentation] Network Application Identification Based on Communication characteristics of Application Messages (2009)
  • Author(s): Y. Waizumi, Y. Tsukabe, H. Tsunoda, and Y. Nemoto
  • Organizer: Proc. of WCSET 2009
  • Place of Presentation: Bangkok、タイ
  • Year and Date: 2009-12-26
• [Presentation] A New Traffic Pattern Match-ing for DDoS Traceback Using Inde pendent Component Analysis (2009)
  • Author(s): Y. Waizumi, T. Sato, and Y. Nemoto
  • Organizer: Proc. of WCSET 2009
  • Place of Presentation: Bangkok、タイ
  • Year and Date: 2009-12-26
• [Presentation] A Reliable Network Application Identification Based on Transition Pattern of Payload Length (2008)
  • Author(s): S. Yagi, Y. Waizumi, H. Tsunoda, Y. Nemoto
  • Organizer: Proc. of IEEE Globecom 2008
  • Place of Presentation: New Orleans, 米国
  • Year and Date: 2008-12-02
• [Presentation] Network Application Ident-ification Using Transition Pattern of Payload Length (2008)
  • Author(s): S. Yagi, Y. Waizumi, H. Tsunoda, A. Jamalipour, N. Kato, Y. Nemoto
  • Organizer: IEEE WCNC 2008
  • Place of Presentation: Las Vegas 、米国
  • Year and Date: 2008-04-02
• [Patent(Industrial Property Rights)] ネットワーク異常検知方法および異常検知システム (2011)
  • Inventor(s): 和泉勇治、角田裕、根元義章
  • Industrial Property Rights Holder: 東北大学
  • Filing Date: 2011-02-10
• [Patent(Industrial Property Rights)] Network Failure Detection Method and Network Failure Detection (2008)
  • Inventor(s): Yuji Waizumi, Hitoshi Tsunoda, Yoshiaki Nemoto
  • Industrial Property Rights Holder: Tohoku University
  • Filing Date: 2008-05-08