Effective detection of various kinds of cyberattacks using histogram database technology

• Project/Area Number: 25330131
• Research Category: Grant-in-Aid for Scientific Research (C)
• Allocation Type: Multi-year Fund
• Section: 一般
• Research Field: Multimedia database
• Research Institution: Kyushu University
• Principal Investigator: Feng Yaokai 九州大学, システム情報科学研究科(研究院, 助教 (60363389)
• Project Period (FY): 2013-04-01 – 2016-03-31
• Project Status: Completed (Fiscal Year 2015)
• Budget Amount: ¥4,810,000 (Direct Cost: ¥3,700,000、Indirect Cost: ¥1,110,000); Fiscal Year 2015: ¥1,170,000 (Direct Cost: ¥900,000、Indirect Cost: ¥270,000); Fiscal Year 2014: ¥1,170,000 (Direct Cost: ¥900,000、Indirect Cost: ¥270,000); Fiscal Year 2013: ¥2,470,000 (Direct Cost: ¥1,900,000、Indirect Cost: ¥570,000)
• Keywords: 分散型攻撃 / 挙動に基づく異常検知 / サイバーセキュリティ / ポートスキャン攻撃 / DRDoS攻撃 / DNS amp 攻撃 / DDoS攻撃 / C&C 通信 / ポートスキャン / Behavior mode / behavior-based detection / Frequency distribution / Learning algorithm / Cyber attacks / Distributed attacks / Port scan attacks / 挙動に基づいた検知 / 評価関数

Outline of Final Research Achievements

1) For detecting many kinds of cyber attacks, features and machine learning algorithms were tested and their detection performance was verified. Specifically, DRDoS attacks, DNS amp attacks, the sign of DDoS attacks.　2) Histogram construction method was investigated by further detailed analysis of the behavior of the cyber attacks that have been collected. The performance was also demonstrated.　　3) In order to dynamically and rapidly construct histogram in real time from large, multidimensional packet datasets was invesitgated.
To accomplish an effective and rapid abnormality detection system, it is necessary to construct dynamically a moving histogram at high speed. We developed a method to incrementally construct histograms.

Research Products

• [Journal Article] 挙動に基づくポートスキャン検知の自動化に向けた学習アルゴリズムの提案とその性能評価 (2015)
  • Author(s): 王サン, フォン ヤオカイ, 川本 淳平, 堀 彰良, 櫻井 幸一
  • Journal Title: 情報処理学会論文誌 Volume: 56(9) Pages: 1770-1781
  • Peer Reviewed / Acknowledgement Compliant
• [Presentation] ランダムフォレストを用いたボットネットの検出 (2016)
  • Author(s): 呂 良, フォン ヤオカイ, 川本 淳平, 櫻井 幸一
  • Organizer: 電子情報通信学会総合大会2016
  • Place of Presentation: 福岡
  • Year and Date: 2016-03-16
• [Presentation] 機械学習を利用したDRDoS攻撃検知の提案とその性能実証 (2016)
  • Author(s): 高 宇軒, フォン ヤオカイ, 川本 淳平, 櫻井 幸一
  • Organizer: 第33回 暗号と情報セキュリティシンポジウム(SCIS2016)
  • Place of Presentation: 熊本
  • Year and Date: 2016-01-22
• [Presentation] 挙動に基づくDNSアンプ攻撃の検知 (2015)
  • Author(s): 蔡龍洙, フォン ヤオカイ, 川本 淳平, 櫻井 幸一
  • Organizer: コンピュータセキュリティシンポジウム2015 (CSS2015)
  • Place of Presentation: 長崎
  • Year and Date: 2015-10-23
• [Presentation] パケットマーキングとロギングを用いたサイバー攻撃に対するトレースバック (2015)
  • Author(s): 李 鵬飛, フォン ヤオカイ, 川本 淳平, 櫻井 幸一
  • Organizer: コンピュータセキュリティシンポジウム2015 (CSS2015)
  • Place of Presentation: 長崎
  • Year and Date: 2015-10-23
• [Presentation] 挙動に基づく検知手法に向けてパラメータなしの学習アルゴリズムの提案と検証 (2015)
  • Author(s): 王サン, フォン ヤオカイ, 川本 淳平, 堀 良彰, 櫻井 幸一
  • Organizer: 第67回電気関係学会九州支部連合大会講演論文
  • Place of Presentation: 鹿児島大学
  • Year and Date: 2015-09-18 – 2015-09-19
• [Presentation] A Proposal for Detecting Distributed Cyber-Attacks Using Automatic Thresholding (2015)
  • Author(s): Yaokai Feng, Yoshiaki Hori, Kouichi Sakurai
  • Organizer: the 10th Asia Conference on information security
  • Place of Presentation: Taiwan
  • Year and Date: 2015-05-26
  • Int'l Joint Research
• [Presentation] A Behavior-based Engine for Detecting Distributed Internet Attacks and its Performance Investigation (2015)
  • Author(s): フォン ヤオカイ, 堀良彰, 櫻井 幸一
  • Organizer: 第32回 暗号と情報セキュリティシンポジウム(SCIS2015) ,2015.01.20.
  • Place of Presentation: 小倉市（福岡県）
  • Year and Date: 2015-01-21 – 2015-01-25
• [Presentation] 挙動に基づくポートスキャン検知手法に向けたパラメータなしの学習アルゴリズムの提案とその性能評価 (2015)
  • Author(s): 王サン, フォン ヤオカイ, 川本 淳平, 堀良彰, 櫻井 幸一
  • Organizer: 第32回 暗号と情報セキュリティシンポジウム(SCIS2015) ,2015.01.20.
  • Place of Presentation: 小倉市（福岡県）
  • Year and Date: 2015-01-21 – 2015-01-25
• [Presentation] An Approach for Detecting Distributed Cyber-Attacks (2015)
  • Author(s): Yaokai Feng, Yoshiaki Hori, Kouichi Sakurai
  • Organizer: The 8th Workshop WAIS2015
  • Place of Presentation: ソウル
  • Year and Date: 2015-01-08 – 2015-01-09
• [Presentation] A Learning Algorithm for the Threshold in Behavior-based PortScan Detection and Its Evaluation (2015)
  • Author(s): Can Wang, Yaokai Feng, Junpei Kawamoto, Yoshiaki Hori, Kouichi Sakurai
  • Organizer: The 8th Workshop WAIS2015
  • Place of Presentation: ソウル
  • Year and Date: 2015-01-08 – 2015-01-09
• [Presentation] A Parameterless Learning Algorithm for Behavior-Based Attack Detection (2014)
  • Author(s): Can Wang, Yaokai Feng, Junpei Kawamoto, Yoshiaki Hori, Kouichi Sakurai
  • Organizer: 9th Asia Conference on information security
  • Place of Presentation: 武漢（中国）
  • Year and Date: 2014-09-24 – 2014-09-26
• [Presentation] 挙動に基づく分散型攻撃の検知案の再考 (2014)
  • Author(s): フォン ヤオカイ
  • Organizer: 31回 暗号と情報セキュリティシンポジウム(SCIS2014)
  • Place of Presentation: 鹿児島市
• [Presentation] ポートのアクセス数分布によるポートスキャン検知 (2014)
  • Author(s): Can Wang, フォン ヤオカイ
  • Organizer: 31回 暗号と情報セキュリティシンポジウム(SCIS2014)
  • Place of Presentation: 鹿児島市
• [Presentation] A Behavior-Based Port Scan Detection by the Distribution Diagram of Accessed Ports (2014)
  • Author(s): Can Wang, Yaokai Feng
  • Organizer: The Seventh Workshop among Asian Information Security Labs (WAIS2014)
  • Place of Presentation: 上海（中国）