JR Tokyo - (8 minutes JR Yamanote Line) - JR Tamachi
23rd CSEC Group Meeting Program
(1) Shellcode Analysis Intrusion Detection Method
Takayoshi Hojo (National Police Agency) Hideo Sakuma (NTT Information Sharing Platform Laboratories) Fumiyuki Tanemo (NTT Information Sharing Platform Laboratories)
The importance of the Internet increases, and so does the damage caused by illegal access. Most security attacks such as system takeover exploit a security flaw called buffer overflow. To detect such attacks on the network, many IDSs (Intrusion Detection Systems) use a matching method, which compares the data segment of each network packet with a list of signatures. Each signature defines a specific packet pattern in a known security attack. However, such a matching method cannot detect attacks exploiting unknown buffer overflow problems. In order to defend against unknown buffer overflow attacks, we present a new detection strategy which detects illegal access by analyzing the data segment of a network packet as machine language code and validating the code by executing it in a virtual machine. We also present the evaluation results of our method.
(2) Secure Efficient Logging Architecture for Forensic Computing
Nobutaka KAWAGUCHI (Department of Instrumentation(Information), Faculty of Science and Technology, Keio University) Reina MIYAJI (Department of Instrumentation(Information), Faculty of Science and Technology, Keio University) Naohiro OBATA (Department of Instrumentation(Information), Faculty of Science and Technology, Keio University) Hiroshi SHIGENO (Department of Instrumentation(Information), Faculty of Science and Technology, Keio University) Kenichi OKADA (Department of Instrumentation(Information), Faculty of Science and Technology, Keio University)
In forensic computing, highly reliable operation of logs is required. In this paper, we propose a secure and efficient logging architecture to operate the logs. In the architecture, operation is divided into the following sections: generation, signing, preservation and analysis. Separate organizations take charge of each operation. Finally, we describe secure and efficient methods to encrypt, compute a MAC on, and sign the logs in each organization.
(3) NIDS for eliminating false positive and detecting unknown DoS attacks
An NIDS (Network Intrusion Detection System) is a software program for detecting many kinds of attacks, including BOF (Buffer Overflow) exploitations, DoS (Denial of Service) attacks, scanning and so on. Most NIDSs are based on stored signatures: known attacks are written in text form in a "signature" database, and the system compares packets against its signature entries. However, the signature-based approach produces many false positives. In this paper, we have developed an NIDS that combines cluster analysis with training by a neural network. First, we created a new concept for this NIDS and verified that it could find some DoS attacks. Then, we discovered a unified parameter set for detecting many attacks. Based on the results of experiments for detecting DoS and scanning attacks, the proposed approach provides near-perfect detection and successfully reduces the false positive rate.
(4) Packet filtering using DNS responses against worm propagation
Packet filtering using DNS responses, which permits outgoing packets to resolved IP addresses and limits all other outgoing packets to unresolved IP addresses by the "virus throttle" method, has been proposed and simulated. The simulation results show that the packet filtering makes the delay time and the time to stop worm propagation smaller than the virus throttle alone. Furthermore, the packet filtering allows connections only to resolved IP addresses even if a computer is infected with a worm.
(5) Dynamic Access Control for Operating System Kernel
Takashi HORIE (Research and Development Headquarters, NTT DATA CORPORATION) Kei MASUMOTO (Research and Development Headquarters, NTT DATA CORPORATION) Yosuke MIYAMOTO (Research and Development Headquarters, NTT DATA CORPORATION) Toshiharu HARADA (Research and Development Headquarters, NTT DATA CORPORATION) Kazuo TANAKA (Research and Development Headquarters, NTT DATA CORPORATION)
In recent years, security-enhanced OSes such as SELinux have received attention. Some access control extensions are implemented in the OS kernel. A security-enhanced OS has several security functions such as MAC, TE and RBAC, and its security strength is improved. But some problems with its field use can be pointed out: the lack of flexibility in writing access control rules for it, the risk caused by the security administrator role during runtime of the system, and the inability to deal with illegal access reactively. In this paper, we propose SELinux-based extensions and implementations that enable intrusion detection and dynamic access control.
(7) A simple and effective method to protect personal information --- data storage system and data entry system ---
In general, one's personal information includes various items. As each item by itself is not important, we propose a method that treats the items separately from each other in data storage and data entry systems. The relation between items is needed, but the relation should not be resolved easily. To achieve this, we adopt a block cipher to connect the items. This is a simple and effective method to protect personal information, and it can be applied to various data such as a company's accounting data.
(8) An algorithm for the reverse enumerative encoding/decoding
We can use the combination of a unidirectional recording medium and an AUED code to detect any falsification of data in prepaid cards. As AUED (all-unidirectional-error-detecting) codes, Schalkwijk's enumerative code, Knuth's balanced code and the Berger code are known. The reverse enumerative code is derived by enumerating in reverse order in the enumerative code. In this paper, an algorithm for reverse enumerative encoding/decoding is shown. This algorithm is simple and easily understandable. With one additional step, it becomes an algorithm for enumerative encoding/decoding.
(10) A Proposal of Secure Group Communication for Wireless Sensor Networks
Niwat Thepvilojanapong, Yoshito Tobe (Institute of Industrial Science, University of Tokyo) Kaoru Sezaki (Graduate School of Engineering, Tokyo Denki University)
We propose a secure group communication protocol for wireless sensor networks. The sensor network we consider consists of a large number of wireless sensors randomly distributed in an area of interest and a small number of base stations connected to a wired network. To exploit the inherent characteristics of wireless communication, sensor nodes are classified into three types according to their capability to communicate with the base station. A logical hierarchy is then created for bidirectional communication between the base station and sensor nodes, i.e., gathering and disseminating data. Based on a combination of symmetric-key and public-key encryption algorithms, both the base station and sensor nodes can communicate confidentially and authenticate the communicating party. We also propose a method to manage the tree and keys when members join or leave the group, to achieve robustness of the protocol.
(11) A study of a Distributed Storage System using redundancy storage for the access control
Hitoshi HIRANO (Dept. of Computer Science, National Defense Academy) Yasuhiro NAKAMURA (Dept. of Computer Science, National Defense Academy)
Distributed Storage System is proposed as a network file sharing system for a small peer-to-peer network environment. The method divides a target file into small segments, adds header information to each segment and distributes the segments over the network. This paper proposes an additional scheme that enables control of accessibility by expanding the header attributes of segments. To prevent the loss of a segment, an error correction code is applied to the data segments. Moreover, this paper points out a special consideration that must be taken into account when implementing fault tolerance in this system. This method equalizes the deviation of storage usage rates across the network, and as a result, a Distributed Storage System with fault tolerance and publicity control can be implemented independently of other storages.
(12) PKI S/W Architecture for Mobile Phone Using Removable Encryption Token
Takeshi Yoneda (Mitsubishi Electric Corporation, Information Technology R&D Center) Tetsuo Nakakawaji (Mitsubishi Electric Corporation, Information Technology R&D Center)
Online services by mobile phone such as online banking and online shopping, which require user authentication, have become popular. On the other hand, cash cards and credit cards are now being replaced by smart cards, which have a strong user authentication function using PKI technology. If mobile phones can use smart cards, mobile phone users can easily and safely access the online services provided by smart card service providers. So in this paper, a PKI S/W architecture for mobile phones using removable encryption tokens such as smart cards and USB tokens is proposed. By developing a prototype system based on the architecture, the feasibility of the mobile phone S/W implementation is confirmed.
(13) Introduction of User Authentication and Access Control Mechanism into JXTA Network
XUANHOA TRAN (The Graduate School of Information Systems, University of Electro-Communications) KENJI SUGIHARA (The Graduate School of Information Systems, University of Electro-Communications) TSUTOMU YOSHINAGA (The Graduate School of Information Systems, University of Electro-Communications) MASAHIRO SOWA (The Graduate School of Information Systems, University of Electro-Communications)
JXTA is a set of open, generalized Peer-to-Peer (P2P) protocols that allow any connected device on the network to communicate and collaborate as a peer. This paper presents a mechanism for user authentication and access control in the JXTA network and its implementation. We introduce a management mechanism that allows clients and service providers to connect and communicate securely by accessing a management peer. Clients can join a secured virtual group from which they can download trusted services.
(14) A high-speed group key generation algorithm with authentication
The complexity of a group key protocol grows with the scale of the group. Adding an authentication function to the group key system makes the protocol even more complex. In this talk, we propose efficient group key protocols with authentication ability even when the number of group members changes over time. Moreover, the security of the protocol is shown under a certain condition.
(15) Authentication of postal matters with public key signatures using 2-D barcode
Takayoshi Suzuki (Tokyo University of Technology Matsushita Lab.) Ryuya Uda (Tokyo University of Technology Matsushita Lab.) Masahito Ito (Tokyo University of Technology Matsushita Lab.) Satoshi Ichimura (Tokyo University of Technology Matsushita Lab.) Kazuya Tago (Tokyo University of Technology Matsushita Lab.) Tohru Hoshi (Tokyo University of Technology Matsushita Lab.) Yutaka Matsushita (Tokyo University of Technology Matsushita Lab.)
It is now difficult to authenticate the sender of a postal item. In some cases holographic printing is used, but it costs a lot of money, and something like holographic printing can be produced only with special printers. We took notice of the digital signature used to authenticate IC cards; it can also be used to authenticate the sender of a postal item. We propose safe use of the post using QR codes, which can express a large amount of data on paper.
(16) Program Birthmark Scheme using Static Analysis of Java Bytecode
Kazuhide FUKUSHIMA (Graduate School of Information Science and Electrical Engineering) Toshihiro TABATA (Faculty of Information Science and Electrical Engineering) Kouichi SAKURAI (Faculty of Information Science and Electrical Engineering)
This paper examines program birthmark schemes for Java in order to detect illegal theft of Java class files. Tamada et al. proposed birthmark schemes based on initial value assignments, the sequence of method calls, and the inheritance structure. We show that the birthmarks based on initial value assignments and the inheritance structure can be modified easily. In addition, we propose a birthmark scheme using automata.