33th CSEC Group Meeting

May 12, 2006

University of Tsukuba (Tsukuba)


33th CSEC Group Meeting Program
(1) Efficient Key Distribution System Using Communication Probability
Tetsuo Funayama (Information Services lnternational-Dentsu,Ltd.)
Sho Imamura (Graduate School of Systems and Information Engineering, University of Tsukuba)
Eiji Okamoto (Graduate School of Systems and Information Engineering, University of Tsukuba)

A large organization has various working groups and they are sometimes overlapped. Conversation in a group has to be secret usually for people outside or even for people in the organization. Encryption is a technique for secrecy, but key has to be changed every session. This paper proposes an efficient key distribution system using symmetric key encryption algorithm.

(2) Risk Assessment Model using Threat Probability depending on Classified Information Security Measures
Takayasu YAMAGUCHI (NTT DoCoMo, Inc., Network Management Development Department)
Hiroshi AONO (NTT DoCoMo, Inc., Network Management Development Department)
Sadayuki HONGO (NTT DoCoMo, Inc., Network Management Development Department)
Kanta MATSUURA (The University of Tokyo, Institute of Industrial Science)

Threat probability used for risk assessment changes with investment and affects the optimal investment. However, in the conventional technique for system-security design, the incident probability is calculated using an investment-independent heuristic value of the threat probability. Based on the incident probability, the best design that maximizes the expected net benefit is selected out of a certain but limited number of candidates. In fear of the limitation of this heuristics, we propose a technique for a more sophisticated optimization of the investment by considering an investment-dependent threat probability. The technique we propose is evaluated by computer simulation whose setup is based on an actual survey of Japanese industry. In the simulation, we choose the design with the lowest level of the incident probability, and see if the choice is consistent with the best one regarding the expected net benefit. The simulation results show that our technique gives better consistency in comparison with the conventional approach of using the investment-independent value of the threat probability.

(3) The lD Recycle Management Technology for Anonymizing Service
Akihiko Kawasaki (Systems Development Laboratoly, Hitachi Ltd.)
Yoshinori Sato (Systems Development Laboratoly, Hitachi Ltd.)
Toyohisa Morita (Systems Development Laboratoly, Hitachi Ltd.)
Hajime Morito (Systems Development Laboratoly, Hitachi Ltd.)

The Personal Information Protection Act represents a big concern about privacy issues in our socicty. Because the quality and quantity of personal information will increase as progress of information technology, potential risk of privacy violation will increase. In this paper, we focus linkability between information and data subject as an important threat on privacy and propose a newly diveloped privacy enhancing technology, which is called "ID Recycled Management Technology" , Our technology bases on a concept that users exchange their lDs each other to protect from behavior tracking by using ID. This paper describes the basic concept, application, and evaluation of recycle lD.

(4) Efficient Content Distribution and Charging Scheme with Privacy
Takayuki TOBITA (Institute of Information Security,NEC Soft,Ltd.)
Hironori YAMAMOTO (The University of Chuo)
Hiroshi DOI (Institute of Information Security)
Keigo MAJIMA (NHK Science and Technical Research Laboratories)

As broadband lP networks have spread rapidly, the number of users of content distribution services has grown. Also, the new possibilities brought by digital broadcasting, such as broadcasting based on home servers, are expected to lead to sophisticated information services utilizing broadcasting and communication networks. Although for privacy reasons it is desirable to protect the usage history and preferences provided that usage charges is calculated correctly based on the contents that the user got. This paper proposes content distribution and charging scheme with privacy, based on the group signature proposed by Ateniese et al. In this construction, the computation/communication cost only depends on the number of contents that the user got. They do not depend on the number of all contents that the user can get.

(5) An implementation of database using CAPTCHA to limit personal information disclosure
YU YANAGI (Information and System Engineering Course, Graduate School of Science and Engineering, Chuo University)
YUJI CHIBA (Research and Development Initiative, Chuo University)
NORIHISA DOI (Information and System Engineering Course, Graduate School of Science and Engineering, Chuo University)

Recently, personal information disclosure incidents are reported so often and organizations are required to control personal information in their possession so as not to disclose it. To cope with personal information disclosure, this paper presents an implementation of database for personal information that prevents computer programs from extracting personal information in the database. The database use CAPTCHA (Completely Automated Public Turing Test to Tell Computers and Humans Apart) to authenticate a user if he or she is human or not, and permits only human beings to extract the information in it. The database contains not raw personal information but pairs of encrypted personal information and a picture where key to decode the personal information is drawn, and authenticate if the user is human or not by requesting the user to read the decode key drawn on them. Because the picture is created as CAPTCHA, it is defficult for computers to read the decode key drawn on it, and thus computers cannot extract personal information in the database. We applied the technology to the database for automobile insurance business.

(6) ACTM:Fast Detection Method of Silent Worms using Anomaly Connection Tree
Nobutaka KAWAGUCHI (Department of Instrumentation (Information), Fuculty of Science and Technology, Keio University)
Hiroshi SHIGENO (Department of Instrumentation (Information), Fuculty of Science and Technology, Keio University)
Kenichi OKADA (Department of Instrumentation (Information), Fuculty of Science and Technology, Keio University)

In this paper we propose a novel worm detection method that can detect silent worms in intranet and local area network. Most existing detection methods use aggressive activities of worms as a clue for detection and are ineffective against worms that propagate silently using a list of vulnerable hosts. To detect such worms, we propose Anomaly Connection Tree Method (ACTM) . ACTM uses two features present to most worms to detect worms. First is that worms`s propagation behaviour is expressed as tree-like structures. Second is that the worm`s selection of infection targets does not consider which hosts its infected host communicates to frequently. Through the simulation results, we have shown that ACTM can detect the worms in an early stage.

(7) A Study of Abuse of Trusted Java Web Start Applications
Hisashi Kojima (Fujitsu Laboratories Ltd.)
Satoru Torii (Fujitsu Laboratories Ltd.)

Client-side technologies of Web applications, called RIA (Rich Internet Application), are widely used, but an attacker may abuse trusted RIA components. ln the past,we showed that a Java applet which is a kind of RIA was vulnerable to an attack which we called a malicious recomposition attack. It is difficult for developers to prevent this attack only through their careful design and programming.ln this paper, we study a possibility of the attack to java Web Start which is also a kind of RIA and a similar technology to Java applets.

(8) Invited Presentation: ROOTKIT
Junichi Murakami (Little eArth Corporation Co., Ltd.)

(9) Application and evaluation of Bayesian filter for Chinese spam mail
Zhan Wang (The Department of Computer Science and Communication Engineering, Kyushu University)
Yoshiaki HORI (Faculty of Information Science and Electrical Engineering, Kyushu University)
Kouichi SAKURAI (Faculty of Information Science and Electrical Engineering, Kyushu University)

A statistical filtering based on Bayes theory, so-called bayesian filtering, has been researched for anti-spam through it before. From Graham`s thesis in 2002, a lot of spam mail filters based on the Bayesian filtering have been developed and widely applied to the real system in recent years. The implementation of the statistical filtering corresponding to the e-mail written in English and Japanese has already been developed. On the other hand, the implementation of the statistical filtering corresponding to e-mail written in Ohinese is still few. In this thesisAwe adopted a statistical filtering called as Bsfilter and modified it to filter out e-mails written in Chinese. When we targeted e-mails written in Chinese for experiment, we analyzed the relation between the parameter and the spam mail judgment accuracy of the filtering, and also considered the optimal value of the parameter.

(10) A Packet Filtering Rules Analysis by Decomposing into Matrixes -Series and ldentity Analysis-
Katsushi MATSUDA (Internet Systems Research Laboratories, NEC Corp.)

Packet filters are essential for organizations that are connected to the lnternet. Network adlninistrators have to understand precisely complicated rules to manage the packet filter. Moreover, there are plural filtering systems and several configurations. Management cost keeps high. In this paper, we describe a novel model called "matrix decomposition" which enables to analyze rules of filtering and two analysis applications using the model. First application called series analysis provides virtual packet filtering systems combined plural fllters. The other one called identity analysis verifies the identity of filtering meanings between plural filters written with different fashions.

(11) Consideration about Personal Information management in Laboratory
Ryoju Hamada (Graduate School of Information Sciences, Tohoku University)

Personal information protection act of 2003 enacted in April 1, 2005 and related legislations have brought great impact to Japanese society. It is also very important topic for universities, but it is not still common that university manages such problem in the laboratory like the management of intellectual property. So every laboratory has to manage personal information and data security adequately by its own responsibility until University will establish whole risk management systems. The four important and least role of laboratoly is:(1)To specify the purpose of collecting of personal information,(2) To notice the specified purpose to students (3)To appoint personal information manager and manage personal data in secure (4)To promote the adequate knowledge of personal information management among the laboratory staffs and students.

(12) A Study for the Requirement of the Formal Social Acts over the lnformational Services with Electronic Authorization
Shigeichiro Yamasaki (Kinki University)

Present Japanese electronic signature law only recognizes the legal effect to the electronic signature by a natural person. The legal framework which regarding the electronic signature other than the natural person such as automatic electronic signature and electronic authentication is still not exist. In this paper, we examine the requirements of the formal social acts by the information services with electronic authentication or with the automatic electronic signature from the point of view of the speech act theoly. We also examine the requirement of the common architecture which supports such kind of social information Systems.

(13) Information Security Consciousness and skills in Using Computers of University Students Studying the Humanities
Makiko Matsumura (National Institute of Public Health/Assistant researcher)

A survey on Information Security of university students studying the Humanities revealed the necessity of an extra technical education at university to provide them with concrete knowledge on information security and sufficient technical skills to keep their computers safe. At the same time according to the survey, their past learning experience on security before entering university had some effect for managing personal data.


Valid HTML 4.01! Valid CSS!