Development of Sensor Systems to Trace and Detect Unknown Cyber Attacks

• Project/Area Number: 23300025
• Research Category: Grant-in-Aid for Scientific Research (B)
• Allocation Type: Single-year Grants
• Section: 一般
• Research Field: Computer system/Network
• Research Institution: National Institute of Informatics (2015); Nagoya University
• Principal Investigator: Hiroki Takakura 国立情報学研究所, アーキテクチャ科学研究系, 教授 (70281144)
• Research Collaborator: ARAKI Shohei ; FUCHIGAMI Satoshi ; FUKUSHIMA Tatsuya ; HASEGAWA Hirokazu ; HIRONO Soshi ; HIRUTA Sohei ; Song Jungsuk ; KISHIMOTO Kazuya ; KITAGAWA Naoya ; LIM Hyoyoung ; SATO Masaaki ; YANASE Shun ; ZHONG Yang
• Project Period (FY): 2011-04-01 – 2016-03-31
• Project Status: Completed (Fiscal Year 2015)
• Budget Amount: ¥19,240,000 (Direct Cost: ¥14,800,000、Indirect Cost: ¥4,440,000); Fiscal Year 2015: ¥3,640,000 (Direct Cost: ¥2,800,000、Indirect Cost: ¥840,000); Fiscal Year 2014: ¥4,290,000 (Direct Cost: ¥3,300,000、Indirect Cost: ¥990,000); Fiscal Year 2013: ¥3,640,000 (Direct Cost: ¥2,800,000、Indirect Cost: ¥840,000); Fiscal Year 2012: ¥4,290,000 (Direct Cost: ¥3,300,000、Indirect Cost: ¥990,000); Fiscal Year 2011: ¥3,380,000 (Direct Cost: ¥2,600,000、Indirect Cost: ¥780,000)
• Keywords: サイバーセキュリティ / 攻撃検知 / 未知攻撃 / 機械学習 / Fuzzy hashing / SVM / ハニーポット / マルウェア検知 / サイバー攻撃対策 / 未知攻撃対策 / 標的型攻撃対策 / 標的型攻撃 / ゼロデイ攻撃 / トラフィック解析 / 情報セキュリティ / サイバー攻撃 / データマイニング / セキュア・ネットワーク / ネットワーク / インターネット高度化

Outline of Final Research Achievements

This research has developed IPv6 based honeypots by which the attacks various types of devices including IoT ones were observed. SVM based algorithm has been proposed to identify suspicious traffics. For detecting communication caused by malwares among the suspicious traffic, Fuzzy hashing based algorithm has also been developed. Because it is impossible to prepare clean teacher data for machine learning algorithms in advance, i.e., sets of completely clean sessions and those of completely malicious sessions, these algorithms can be utilized without teacher data.
These techniques were evaluated by real environment or benchmark data obtained from the real networks. As results, their feasibility was confirmed.

Research Products

• [Journal Article] 標的型攻撃に対するインシデント対応支援システム (2016)
  • Author(s): 長谷川皓一, 山口由紀子, 嶋田創, 高倉弘喜
  • Journal Title: 情報処理学会論文誌 Volume: 57 Pages: 836-848
  • NAID: 170000130896
  • Peer Reviewed
• [Journal Article] Unknown Attack Detection by Multistage One-Class SVM Focusing on Communication Interval (2014)
  • Author(s): Shohei Araki, Yukiko Yamaguchi, Hajime Shimada and Hiroki Takakura
  • Journal Title: The 2014 Cybersecurity Data Mining Competition and Workshop, Neural Information Processing Lecture Notes in Computer Science, Vol.8836, pp.325-332, Oct. 2014. Volume: 8836 Pages: 325-332
  • DOI: 10.1007/978-3-319-12643-2_40
  • ISBN: 9783319126425, 9783319126432
  • Peer Reviewed / Acknowledgement Compliant
• [Journal Article] Development of a Secure Traffic Analysis System to Trace Malicious Activities on Internal Networks (2014)
  • Author(s): Soshi Hirono, Yukiko Yamaguchi, Hajime Shimada, Hiroki Takakura
  • Journal Title: The 38th Annual International Computers, Software and Applications Conference (COMPSAC2014) Volume: 1 Pages: 305-310
  • DOI: 10.1109/compsac.2014.41
  • Peer Reviewed / Acknowledgement Compliant
• [Journal Article] A Countermeasure Recommendation System against Targeted Attacks with Preserving Continuity of Internal Networks (2014)
  • Author(s): Hirokazu Hasegawa, Yukiko Yamaguchi, Hajime Shimada, Hiroki Takakura
  • Journal Title: The 38th Annual International Computers, Software and Applications Conference (COMPSAC2014) Volume: 1 Pages: 400-405
  • DOI: 10.1109/compsac.2014.63
  • Peer Reviewed / Acknowledgement Compliant
• [Journal Article] 通信挙動の特異性を利用したspam送信ホスト検出システムの開発 (2014)
  • Author(s): 北川直哉, 高倉弘喜, 鈴木常彦
  • Journal Title: 電子情報通信学会論文誌D Volume: Vol.J97-D, No.5
  • Peer Reviewed
• [Journal Article] ARIGUMA Code Analyzer: Efficient Variant Detection by Identifying Common Instruction Sequences in Malware Families (2013)
  • Author(s): Yang Zhong, Hirofumi Yamaki, Yukiko Yamaguchi, Hiroki Takakura
  • Journal Title: COMPSAC 2013 Volume: なし
  • Peer Reviewed
• [Journal Article] 再送動作のリアルタイム検出によるspam判別手法の実装と評価 (2013)
  • Author(s): 北川直哉, 高倉弘喜, 鈴木常彦
  • Journal Title: 電子情報通信学会論文誌D Volume: J96-D Pages: 552-561
  • NAID: 110009593023
  • Peer Reviewed
• [Journal Article] An Advanced Security Event Visualization Method for Identifying Real Cyber Attacks (2013)
  • Author(s): Jungsuk Song, Takayuki Itoh, GilHa Park, Hiroki Takakura
  • Journal Title: Applied Mathematics & Information Sciences Volume: なし
  • Peer Reviewed
• [Journal Article] A Malware Classification Method based on Similarity of Function Structure (2012)
  • Author(s): Yang Zhong, Hirofumi Yamaki and Hiroki Takakura
  • Journal Title: The 3rd Workshop on Network Technologies for Security, Administration and Protection Volume: なし Pages: 256-261
  • DOI: 10.1109/saint.2012.48
  • Peer Reviewed
• [Journal Article] Unknown Attacks Detection Using Feature Extraction from Anomaly-based IDS Alerts (2012)
  • Author(s): Masaaki Sato, Hirofumi Yamaki and Hiroki Takakura
  • Journal Title: The 3rd Workshop on Network Technologies for Security, Administration and Protection Volume: なし Pages: 273-277
  • DOI: 10.1109/saint.2012.51
  • Peer Reviewed
• [Journal Article] An adaptive honeypot system to capture IPv6 address scans (2012)
  • Author(s): Kazuya Kishimoto, Kenji Ohira, Yukiko Yamaguchi, Hirofumi Yamaki, Hiroki Takakura
  • Journal Title: 2012 ASE International Conference on Cyber Security Volume: なし
  • Peer Reviewed
• [Journal Article] An Anti-spam Method Via Real-time Retransmission Detection (2012)
  • Author(s): Naoya KITAGAWA, Hiroki TAKAKURA, Tsunehiko SUZUKI
  • Journal Title: The 18th IEEE International Conference on Networks Volume: なし
  • Peer Reviewed
• [Journal Article] Unknown Attacks Detection Using Feature Extraction from Anomaly-based IDS Alerts (2012)
  • Author(s): Masaaki Sato, Hirofumi Yamaki, Hiroki Takakura
  • Journal Title: 3rd Workshop on Network Technologies for Security, Administration and Protection (NETSAP2012) Volume: (採録決定)
  • Peer Reviewed
• [Journal Article] A Malware Classification Method based on Similarity of Function Structure (2012)
  • Author(s): Yang Zhong, Hirofumi Yamaki, Hiroki Takakura
  • Journal Title: The Third Workshop on Network Technologies for Security, Administration and Protection Volume: (採録決定)
  • Peer Reviewed
• [Journal Article] A Grid-Based Clustering for Low-Overhead Anomaly Intrusion Detection (2011)
  • Author(s): Zhong Yang, Hirofumi Yamaki, Hiroki Takakura
  • Journal Title: The Fifth International Conference on Network and System Security (NSS2011) Pages: 17-24
  • DOI: 10.1109/icnss.2011.6059955
  • Peer Reviewed
• [Journal Article] Improving Performance of Anomaly-based IDS by Combining Multiple Classifiers (2011)
  • Author(s): Kazuya Kishimoto, Hirofumi Yamaki, Hiroki Takakura
  • Journal Title: 2nd Workshop on Network Technologies for Security, Administration and Protection (NETSAP2011) Pages: 366-371
  • DOI: 10.1109/saint.2011.70
  • Peer Reviewed
• [Presentation] An Automated ACL Generation System for Secure Internal Network (2016)
  • Author(s): Hirokazu Hasegawa, Yukiko Yamaguchi, Hajime Shimada, Hiroki Takakura,
  • Organizer: The 6th Workshop on Network Technologies for Security, Administration and Protection
  • Place of Presentation: Atlanta, USA
  • Year and Date: 2016-06-10
  • Int'l Joint Research
• [Presentation] An Incident Response Support System Based on Seriousness of Infection (2016)
  • Author(s): Hirokazu Hasegawa, Yukiko Yamaguchi, Hajime Shimada, Hiroki Takakura,
  • Organizer: The 30th International Conference on Information Networking
  • Place of Presentation: Kota Kinabalu, Malaysia
  • Year and Date: 2016-01-13
  • Int'l Joint Research
• [Presentation] Evaluation on Malware Classification by Combining Traffic Analysis and Fuzzy Hashing of Malware Binary (2015)
  • Author(s): Sohei Hiruta, Yukiko Yamaguchi, Hajime Shimada, Hiroki Takakura
  • Organizer: The 2015 International Conference on Security and Management
  • Place of Presentation: Las Vegas, USA
  • Year and Date: 2015-07-27
  • Int'l Joint Research
• [Presentation] Detecting Malicious Inputs of Web Application Parameters using Character Class Sequences (2015)
  • Author(s): Yang ZHONG, Hiroshi ASAKURA, Hiroki TAKAKURA, Yoshihito OSHIMA
  • Organizer: The 39th Annual International Computers, Software and Applications Conference
  • Place of Presentation: Taichung, Taiwan
  • Year and Date: 2015-07-01
  • Int'l Joint Research
• [Presentation] Malware Classification Method Based on Sequence of Traffic Flow (2015)
  • Author(s): Hyoyoung Lim, Yukiko Yamaguchi, Hajime Shimada, Hiroki Takakura
  • Organizer: 1st International Conference on Informaiton Systems Security and Privacy, Feb. 2015
  • Place of Presentation: Angers, Loire Valley, France
  • Year and Date: 2015-02-09 – 2015-02-11
• [Presentation] Network Access Control by FPGA-Based Network Switch using HW/SW Cooperated IDS (2014)
  • Author(s): Shun Yanase, Hajime Shimada, Yukiko Yamaguchi, Hiroki Takakura
  • Organizer: Technical Committee on Internet Architecture (IA)
  • Place of Presentation: Chiang Mai, Thailand
  • Year and Date: 2014-11-05 – 2014-11-06
• [Presentation] ネットワークトラフィックフローにおけるシーケンスパターンに基づくマルウェア分類手法 (2014)
  • Author(s): 林孝英、山口由紀子、嶋田創、高倉弘喜
  • Organizer: Computer Security Symposium 2014
  • Place of Presentation: 札幌
  • Year and Date: 2014-10-22 – 2014-10-24
• [Presentation] HW/SW協調によるアノマリ検知の高速化のためのFPGA部実装 (2014)
  • Author(s): 柳瀬駿, 嶋田創, 山口由紀子, 高倉弘喜
  • Organizer: 第66回CSEC・第10回SPT合同研究発表会
  • Place of Presentation: 函館
  • Year and Date: 2014-07-03 – 2014-07-04
• [Presentation] 自動ネットワーク構成システムにおける管理ポリシー記述手法の実装 (2014)
  • Author(s): 塩田実里, 山口由紀子, 嶋田創, 高倉弘喜
  • Organizer: インターネットアーキテクチャ研究会（IA）
  • Place of Presentation: 神戸
  • Year and Date: 2014-06-05 – 2014-06-06
• [Presentation] A Countermeasure Recommendation System against Targeted Attacks with Preserving Continuity of Internal Networks (2014)
  • Author(s): Hirokazu Hasegawa，Yukiko Yamaguchi，Hajime Shimada，Hiroki Takakura
  • Organizer: The 38th Annual International Computers, Software and Applications Conference
  • Place of Presentation: Vasteras, Sweden
• [Presentation] Development of a Secure Traffic Analysis System to Trace Malicious Activities on Internal Networks (2014)
  • Author(s): Soushi Hirono, Yukiko Yamaguchi，Hajime Shimada，Hiroki Takakura
  • Organizer: The 38th Annual International Computers, Software and Applications Conference
  • Place of Presentation: Vasteras, Sweden
• [Presentation] ARIGUMA Code Analyzer: Efficient Variant Detection by Identifying Common Instruction Sequences in Malware Families (2013)
  • Author(s): Yang Zhong, Hirofumi Yamaki, Yukiko Yamaguchi, Hiroki Takakura
  • Organizer: The 37th Annual International Computers, Software and Applications Conference
  • Place of Presentation: 京都
• [Presentation] New Detection Technologies to Mitigate Damage of Targeted Attacks (2013)
  • Author(s): Hiroki Takakura
  • Organizer: The 6th International Workshop on Data Mining and Cybersercurity
  • Place of Presentation: Daegu, Korea
  • Invited
• [Presentation] 組織内部攻撃に対するリスク緩和のためのネットワーク設計支援システムの提案 (2012)
  • Author(s): 長谷川皓一, 新 麗, 加藤雅彦, 山口由紀子, 八槇博史, 高倉弘喜
  • Organizer: 信学技報
  • Place of Presentation: 広島県
• [Presentation] A lightweight method to discriminate spamming hosts by periodically changing DNS response (2012)
  • Author(s): Naoya Kitagawa, Hiroki Takakura, Tsunehiko Suzuki
  • Organizer: 信学技報
  • Place of Presentation: タイ
• [Presentation] Transparent Server Migration between Datacenters by Utilizing OpenFlow (2012)
  • Author(s): Tatsuya Fukushima, Hirofumi Yamaki, Yukiko Yamaguchi, Hiroki Takakura
  • Organizer: 信学技報
  • Place of Presentation: タイ
• [Presentation] OpenFlowを用いた広域サーバマイグレーション (2012)
  • Author(s): 福島達也, 八槇博史, 山口由紀子, 高倉弘喜
  • Organizer: FIT2012 第11回情報科学技術フォーラム
  • Place of Presentation: 東京都
• [Presentation] マルウェアのオペコードに着目した高速な分類手法 (2012)
  • Author(s): 鐘揚, 八槇博史, 山口由紀子, 高倉弘喜
  • Organizer: 信学技報
  • Place of Presentation: 東京都
• [Presentation] 深刻化するサイバー攻撃の現状とその背景 ～国内の事例と海外の事例にみるAPT対応の違いと今後の方向性～ (2012)
  • Author(s): 高倉弘喜
  • Organizer: Interop2012
  • Place of Presentation: 千葉県
  • Invited
• [Presentation] 新たなタイプの攻撃を背景とした、セキュリティ設計対策モデル (2011)
  • Author(s): 高倉弘喜
  • Organizer: オープンソースカンファレンス2011
  • Place of Presentation: 札幌
  • Year and Date: 2011-06-11
• [Book] 情報セキュリティの基礎(未来へつなぐデジタルシリーズ2) (2011)
  • Author(s): 石井夏生利、高倉弘喜, 他
  • Total Pages: 240
  • Publisher: 共立出版