Most modern Internet services are carried over the web. A significant amount of web transactions is now encrypted and the transition to encryption has made it difficult for network operators to understand traffic mix. The goal of this study is to enable network operators to infer hostnames within HTTPS traffic because hostname information is useful to understand the breakdown of encrypted web traffic. The proposed approach correlates HTTPS flows and DNS queries/responses. We introduce domain name graph (DNG), which is a formal expression that characterizes the highly dynamic and diverse nature of DNS mechanisms. Furthermore, we have developed a framework called Service-Flow map (SFMap) that works on top of the DNG. SFMap statistically estimates the hostname of an HTTPS server, given a pair of client and server IP addresses. We evaluate the performance of SFMap through extensive analysis using real packet traces collected from two locations with different scales. We demonstrate that SFMap establishes good estimation accuracies and outperforms a state-of-the-art approach.

Implementing push-based e-mail service in pull-based Information-Centric Networking (ICN) encounters some difficulties and thus calls for a new mechanism. This paper presents a new e-mail system design in the ICN architecture, which builds all the applications on a receiver-driven communication model. In our proposed mechanism, an e-mail user is assigned a hierarchical account name which can be also treated as a name or name prefix in ICN. To fully utilize the built-in multicast data delivery capability in ICN, the new design realizes an efficient name-based pub/sub communication pattern on top of the standard ICN to remove the iterative procedure that an interested recipient has to send an Interest request every time when he or she requires a piece of e-mail information on some specific topic. The push-based multicast capability enhances the pull-based ICN architecture.

In the future, network traffic will be increasing according to demand of big traffic of moving picture on the mobile communication environment. For processing large traffic, virtualized network based on SDN (Software defined Network) has been provided for purpose of cloud networking as CDN (Contents Delivery Network). On the other hand, the ICN (Information Centric Network) has been proposing as IP independent network which isn't based on IP address. And it has been discussing about advantages compared to the IP network. This paper shows the experimental results of Proactive Content Caching and Delivery Scheme utilizing Transportation Systems. This research has been supported by SCOPE organized by Ministry of Internal Affairs and Communications.

Recent Content-Centric Networking (CCN) proposal has ignited widespread interest in the Information Centric Networking (ICN) area. This paper presents the design of a smart name-based routing protocol for CCN. This new proposal imposes a comparatively large adjustment onto the existing CCN architecture, while it still preserves the basic characteristics of CCN. It introduces a dynamic DNS-like element to CCN. Compared to the basic CCN scheme, it offers more efficient packet dissemination and has less overhead within the network. Besides, it is suitable for realizing and enhancing the mobility aspect in CCN. The results of our evaluations show the superiority of the proposal over the basic or standard CCN architecture.

大量のアクセスが特定のサーバに集中すると、レスポンスが低下したり、サーバが異常停止することがある。本論文はサーバの性能や台数を増強せずに、大量のアクセスが集中するコンテンツを多数のユーザに迅速に配信可能な方法を提案する。具体的には、アクセス集中時にWebブラウザ間通信を活用して、ユーザ同士でコンテンツの配布を行い、サーバの負荷を分散する。本論文では実際にアクセスが集中する環境を用いて提案手法を評価し、従来のサーバ・クライアントモデルによるユニキャスト通信と比較した。その結果、提案手法がサーバの負荷を軽減し、コンテンツのダウンロード時間を大幅に短縮できることを確認した。

Androidスマートフォンの急速な普及に伴い,Androidを対象とするマルウェアの脅威が拡大している。Androidマルウェアに感染すると,個人情報の搾取,有料サービスの不正使用,端末のボット化のような被害を受ける。急増するAndroidマルウェアへの従来の対策は十分ではない。本論文は新たなAndroidマルウェア検出手法を提案する。この方法は,Androidアプリケーションの中に必ず含まれるマニフェストファイルのみを分析対象とするのが特徴である。実データを用いた評価の結果,提案手法が、既存手法では検知できない未知のAndroidマルウェアを適切に検出できる事が示された。

2009年にGumblarが出現してから,Webページを閲覧しただけで感染するWeb感染型マルウェアの脅威が継続している.マルウェアに感染すると個人情報の漏洩やWebページの改ざんなどの問題が引き起こされる.本研究はHTTP通信を時間軸に沿って解析して,Web感染型マルウェアの自動的なダウンロードと,ユーザによる正常な実行ファイルの手動によるダウンロードを識別する.この識別を用いてWeb感染型マルウェアの検知が可能となる.提案手法はWebページの攻撃コードや実行ファイルの中身に依存しないため,既存の手法では検知が困難な,未知のWeb感染型マルウェアの検知に対して優位性がある.

We propose the power reduction mechanism utilizing information of communication paths. For collect-ing internal information of the network, the mechanism includes inband cross layer approach and makes aplications to feedback the network status. Then, applications can select the server that is more efficient than other servers We discuss the implementaition and the method to switch paths for visibility API.

This paper describes the current issues concerning resource management in the Internet. We discuss several topics based on the open documents on the Web pages of JPNIC. It is shown that none of the issues are easily resolved or settled.

This paper describes the current issues concerning resource management in the Internet. We discuss several topics based on the open documents on the Web pages of JPNIC. It is shown that none of the issues are easily resolved or settled.

現在の映像配信方式の多くはクライアントサーバモデルを用いるために,サーバに負荷が集中する.集中を回避するためにP2Pを利用した配信方式が数多く研究されている.単純なP2Pプロトコルではピア同士の近接性を考慮することなくピアを選択するために遠距離のトラフィックが発生する.トラフィックの問題を解決するためには地理情報クラスタリングを用いるのが有効である.ただし地理情報に頼るだけではシーダが存在しないクラスタが生じる場合がある.本論文は従来の方法を改善するために,クラスタリング手法にソフトクラスタリングを導入する.提案手法を実証するためにPlanetLabを用いて検証する.

DNSを用いたサーバ負荷分散法を改善して省電力をはかる。具体的にはOpenFlowスイッチを用いてサーバ資源を集約する。サービスの要求に比べてサーバ資源が余剰なときには、余剰なサーバを待機状態にして消費電力を削減する。ここで、待機するサーバのDNSレコードを削除しても、レコードのキャッシュが残ることに留意する。キャッシュを参照する利用者は待機中のサーバへの接続要求を発生する。その要求をOpenFlowの機能で別のサーバに転送するのが本論文の特徴である。このようにして可用性を維持しつつ短時間でサーバを待機状態にすることができる。本論文では、従来と比べて消費電力を削減できることを実証する。

Only anomalous traffic can be monitored in a network consisting of assigned but unused IP addresses (darknet). Although a darknet requires a large amount of IP addresses, it is difficult to acquire unused IP address space dedicated to network monitoring on a large scale. Some studies have proposed automatically detecting unused IP addresses (Virtual Dark IP addresses, VDIPs) and port numbers (Virtual Dark Ports, VDPs) as virtual sensors leveraged to monitor the network. Nevertheless, quantitative analyses on virtual sensor space have been incomplete. The purpose of this study is to expand virtual sensor space using features on the usage of IP addresses and port numbers. Also, this study aims to shorten the processing time to detect virtual sensors automatically. Our key findings from several evaluation experiments in an actual network with the /16 prefix are as follows: Setting appropriate parameters in the VDIP detection algorithm, the processing time can be reduced more than half without decreasing the number of VDIPs, the false detection of VDIPs can be moderated, and the changes in used IP addresses over time can be reflected into virtual sensor space; also, virtual sensor space consisting of VDPs can cover up to 99.98 percent of the network and expand the coverage of virtual sensor space consisting of VDIPs by up to 6.84 points.

It is known that an IP packet passes through less than 30 routers before it reaches the destination host. According to our observation, some IP packets have an abnormal Time-To-Live (TTL) value that is decreased more than 30 from the initial TTL. These packets are likely to be generated by special software. We assume that IP packets with a strange TTL value are malicious. This paper investigates this conjecture through several experiments. As a result, we show that it is possible to discriminate malicious packets from legitimate ones only by observing TTL values.

APAN is an Asia-based consortium established in 1997, and has worked to develop & deploy the global R&E Networks, with the help of EC's developing project as well as the leading contribution of a US government NSF (National Science Foundation). The member of APAN should represent the R&E network projects of the Nation or the equivalent economy, and thus our governments jointly established APAN-JP Consortium, including the non-government R&E network WIDE project. This paper describes APAN position & the role, and tries to clarify the challenges for the policy as well as the technical engineering.

APAN (Asia-Pacific Advanced Network) consists of National Research and Education Networks (NRENs). This paper describes the requirements for NRENs, learned from the history in the Unites States. It is also described that APAN-JP network operators have contributed the developments of advanced networks. It should be noted that the independent purchase of the international circuits by NREN members has built inefficient networks, compared with TEIN (Trans-Eurasia Information Network) based on EC's ODA fund. Finally, fiber optics technologies have enabled the expansion of NREN, but further dramatic developments can't be expected, whereas the demand of the bandwidth will be continuously increased. More budget for expanding international circuits should be pursued to meet the demand of the users.

A Honeypot is a system that aims to detect and analyze malicious attacks attempted on a network in an interactive manner. Because the primary objective of a honeypot is to detect enemies without being known to them, it is important to hide its existence. However, as several studies have reported, exploiting the unique characteristics of hosts working on a consecutive IP addresses range easily reveals the existence of honeypots. In fact, there exist some anti-honeypot tools that intelligently probe IP address space to locate Internet security sensors including honeypots. In order to tackle this problem, we propose a system called DarkPots, that consists of a large number of virtualized honeypots using unused and nonconsecutive IP addresses in a production network. DarkPots enables us to deploy a large number of honeypots within an active IP space used for a production network
thus detection is difficult using existing probing techniques. In addition, by virtually classifying the unused IP addresses into several groups, DarkPots enables us to perform several monitoring schemes simultaneously. This function is meaningful because we can adopt more than one monitoring schemes and compare their results in an operating network. We design and implement a prototype of DarkPots and empirically evaluate its effectiveness and feasibility by concurrently performing three independent monitoring schemes in a high-speed campus network. The system successfully emulated 7,680 of virtualized honeypots on a backbone link that carries 500 Mbps - 1 Gbps of traffic without affecting legitimate traffic. Our key findings suggest: (1) active and interactive monitoring schemes provide more in-depth insights of malicious attacks, compared to passive monitoring approach in a quantitative way, and (2) randomly distributed allocation of IP addresses has an advantage over the concentrated allocation in that it can collect more information from malwares. These features are crucial in monitoring the security threats. © 2010 IEEE.

In order mainly to improve transport throughput, a number of in-band cross-layer protocols to provide visibility inside the network from end-system have been proposed. We present a policy coordination mechanism among stakeholders, when disclosing the information of inside a network. The mechanism realizes the visibility respecting the disclosure policies, not only of the transit networks operators, but also of the end-system. Furthermore, We discuss the implementation and design issues for the visibility API.

On November 11, 2008, the primary web hosting company, McColo, for the command and control servers of Srizbi botnet was shutdown by its upstream ISPs. Subsequent reports claimed that the volume of spam dropped significantly everywhere on that very same day. In this work, we aim to understand the world's worst spamming botnet, Srizbi, and to study the effectiveness of targeting the botnet's command and control servers, i.e., McColo shutdown, from the viewpoint of Internet edge sites. We conduct an extensive measurement study that consists of e-mail delivery logs and packet traces collected at three vantage points. The total measurement period spans from July 2007 to April 2009, which includes the day of McColo shutdown. We employ passive TCP fingerprinting on the collected packet traces to identify Srizbi bots and spam messages sent from them. The main contributions of this work are summarized as follows. We first estimate the global scale of Srizbi botnet in a probabilistic way. Next, we quantify the volume of spam sent from Srizbi and the effectiveness of the McColo shutdown from an edge site perspective. Finally, we reveal several findings that are useful in understanding the growth and evolution of spamming botnets. We detail the rise and steady growth of Srizbi botnet, as well as, the version transition of Srizbi after the McColo shutdown.

With the increasing use of P2P (peer-to-peer) network technology in everyday services, the issue of privacy protection has gained considerable importance. This paper describes a method to realize an anonymity-conscious P2P data sharing network. The proposed network allows users to extract data possessed by other users who have similar profiles, thereby providing them with a collaborative filtering-based data recommendation. In the proposed P2P network protocol, bogus user profiles are distributed intentionally throughout the network to protect users' anonymity without harming the overall effectiveness of the data exchange. We conduct a series of simulations to prove that our proposed method protects the profile's privacy and performs efficient data exchange. © 2009 - IOS Press.

Significant throughput degradation of multihop path communication in wireless mesh network is one of the major problems in wireless communication. The main reason for the lack of bandwidth is channel interference, which is caused by contention for the shared channel between wireless nodes. The natural approach to overcome this problem is exploiting the availability of multiple channels multiple interfaces (MCMI) networks. However, it is costly and may not be practical to dedicate one interface per channel for every node. Thus in this paper, we study the MCMI network, where the number of interfaces that every node has is less than the number of available channels. Simple and distributed channel scheduling algorithms for communication in multiple channels multiple interfaces networks are discussed. The objective of the proposed algorithms is to minimize the channel interference that causes the throughput degradation in multihop networks. The proposed algorithms are evaluated with extensive simulations. The simulation results show that the proposed algorithms well exploited the availability of multiple channels multiple interfaces to overcome the throughput degradation problem.

With the rapid increase of link speed in recent years, packet sampling has become a very attractive and scalable means in collecting flow statistics; however, it also makes inferring original flow characteristics much more difficult. In this paper, we develop techniques and schemes to identify flows with a very large number of packets (also known as heavy-hitter flows) from sampled flow statistics. Our approach follows a two-stage strategy: We first parametrically estimate the original flow length distribution from sampled flows. We then identify heavy-hitter flows with Bayes' theorem, where the flow length distribution estimated at the first stage is used as an a priori distribution. Our approach is validated and evaluated with publicly available packet traces. We show that our approach provides a very flexible framework in striking an appropriate balance between false positives and false negatives when sampling frequency is given.

This paper proposes a new method for realizing the web page recommendation system by sharing users' web browse history on an anonymous P2P network. Our scheme creates a user profile, a summary of the user's web browse trends, by analyzing the contents of the web pages browsed. The scheme then provides a P2P network to exchange web browse histories so as to create mutual web page recommendations. The novelty of our method lies in its P2P network formulation; it is formulated in a way so that users having similar user profiles are automatically connected, yet their user profiles are protected from being disclosed to other users. The proposed method intentionally distributes bogus user profiles on the P2P network, while not harming the efficiency of the web browse history sharing process.

This paper explores a method to realize an anonymity-conscious P2P data sharing network. The proposed network lets users extract other users' data that match the users' profiles, thereby providing them a collaborative filtering-based data recommendation. Our proposal realizes such a recommendation scheme without forcing the users to disclose their profiles. Our method intentionally fills the network with "white lies," whereby bogus user profiles are distributed throughout the network to protect users' anonymity without harming the overall effectiveness of the data exchange.

This paper proposes a new method of estimating real-time traffic matrices that only incurs small errors in estimation. A traffic matrix represents flows of traffic in a network. It is an essential tool for capacity planning and traffic engineering. However, the high costs involved in measurement make it difficult to assemble an accurate traffic matrix. It is therefore important to estimate a traffic matrix using limited information that only incurs small errors. Existing approaches have used IP-related information to reduce the estimation errors and computational complexity. In contrast, our method, called spike flow measurement (SFM) reduces errors and complexity by focusing on spikes. A spike is transient excessive usage of a communications link. Spikes are easily monitored through an SNMP framework. This reduces the measurement costs compared to that of other approaches. SFM identifies spike flows from traffic byte counts by detecting pairs of incoming and outgoing spikes in a network. A matrix is then constructed from collected spike flows as an approximation of the real traffic matrix. Our experimental evaluation reveals that the average error in estimation is 28%, which is sufficiently small for the method to be applied to a wide range of network nodes, including Ethernet switches and IP routers.

In a network link with sufficient volume of traffic, a small number of flows constructed from a large number of packets occupy a large part of whole aggregated traffic. Such flows are called "elephant flows". Idenfying and controlling them will be useful for contrusting efficient and effective traffic engieering schemes. Meanwhile, with the recent growth in bandwidth of network links, packet sampling technique has been widely noticed as a scalable technology for measuring and managing networks. In this paper, we propose a new method for identifying elephant flows from a sampled packet stream.. We will also evaluate the method using measured data.

This paper proposes an improved mechanism for keeping stable connections between mobile nodes and corresponding nodes in the mobile IPv6 protocol. The mobile IPv6 protocol enables mobile nodes to keep the reachability while they are moving freely in the Internet. Our new method has multiple home links instead of one single home link in the current specification of the mobile IPv6 protocol.
The new method is based on our earlier idea of having multiple home agents. Multiple home agents can provide backups when a home agent is not working properly. However. all the home agents should reside on one single network segment according to the current specification of the mobile IPv6. This paper further extends our earlier idea of multiple home agents, and proposes multiple home links.
We have more stable connections by using multiple home links. This paper also shows a working example which illustrates the merit of multiple home links.

In the current mobile IP standard, the home agent (HA) of a mobile node (MN) is located in the home link. If a mobile node (MN) is moved away from the home link, it takes time for MN to make a registration and binding update at the home agent (HA). It also generates extra traffic in the Internet because the Binding Update should be refreshed after the lifetime expires.
This paper proposes a new method for distributing multiple home agents (HAs) geographically. By applying this method, a mobile node (MN) can find a home agent (HA) which is nearest to it. It facilitates fast registration and short latency time. It also reduces the traffic of transaction. This technique is simple to apply. However, it is very effective. We demonstrate the capability of this method through working experiments.

Analysing and modeling of traffic play a vital role in designing and controlling of networks effectively. To construct a practical traffic model that can be used for various networks, it is necessary to characterize aggregated traffic and user traffic, This paper investigates these characteristics and their relationship. Our analyses are based on a huge number of packet traces from five different networks on the Internet. We found that: (1) marginal distributions of aggregated traffic fluctuations follow positively skewed (non-Gaussian) distributions, which leads to the existence of "spikes", where spikes correspond to an extremely large value of momentary throughput, (2) the amount of user traffic in a unit of time has a wide range of variability, and (3) flows within spikes are more likely to be "elephant flows", where an elephant flow is an IP flow with a high volume of traffic. These findings are useful in constructing a practical and realistic Internet traffic model.

The auction is a popular way of trading. Despite of the popularity of the auction, only a small number of papers have addressed the protocol which realize the double auction. In this paper, we propose a new method of double auction which improves the algorithm of the existing double auction protocol. Our new method is based on the idea of number comparison which is realized by homomorphic encryption. The new method solves the problem of the privacy of losing bids found in the existing algorithm. The buyers and the sellers can embed a random number in their bidding information by the use of the homomorphic encryption. The players in an auction cannot get anyone else's bidding information. The new method is more efficient than the existing ones. Our new method satisfies the criteria for the auction protocol.

In the Internet, flow analysis and network monitoring have been studied by various methods. Some methods try to make TCP (Transport Control Protocol) traces more readable by showing them graphically. Others such as MRTG, NetScope, and NetFlow read the traffic counters of the routers and record the data for traffic engineering. Even if all of the above methods are useful, they are made only to perform a single task. This paper describes an improved TCP Protocol Machine, a multipurpose tool that can be used for flow analysis, intrusion detection and link congestion monitoring. It is developed based on a finite state machine (automaton). The machine separates the flows into two main groups. If a flow can be mapped to a set of input symbols of the automaton, it is valid, otherwise it is invalid. It can be observed that intruders' attacks are easily detected by the use of the protocol machine. Also link congestion can be monitored, by measuring the percentage of valid flows to the total number of flows. We demonstrate the capability of this tool through measurement and working examples.

This paper proposes a new method for estimating the bandwidth of DiffServ networks. There have been two popular ways of bandwidth estimation. One is the packet pair method and the other is the packet train method. Their main objectives are to estimate the capacity of a path bandwidth, and throughput (i.e., effective bandwidth) which is determined by the bottleneck link along a path. These tools assume that a router handles packets based on the FCFS (First Come, First Serve) principle. On the other hand, they cannot measure the guaranteed bandwidth of DiffServ networks. Our new method can estimate the guaranteed bandwidth. This paper also shows working examples which evaluates the new method.

There have been two well-known models for intrusion detection. They are called Anomaly Intrusion Detection (AID) model and Misuse Intrusion Detection (MID) model. The former model analyzes user behavior and the statistics of a process in normal situation, and it checks whether the system is being used in a different manner. The latter model maintains database of known intrusion technique and detects intrusion by comparing a behavior against the database. An intrusion detection method based on an AID model can detect a new intrusion method. however it needs to update. the data describing users behavior and the statistics in normal usage, We call these information profiles, There are several problems in AID to be addressed. The profiles are tend to be large. Detecting intrusion needs a large amount of system resource, like CPU time and memory and disk space. An AND model requires less amount of system resource to detect intrusion. However it cannot detect new. unknown intrusion methods. Our method solves these problems by recording system calls from daemon processes and setuid programs. We improved detection accuracy by adopting a DP matching scheme.

In order to detect intrusions, IDA (Intrusion Detection Agent system) initially monitors system, logs ill order to discover all MLSI - which is all certain event Which ill many cases occurs during an intrusion. If all,MLSI is found. then IDA Judges whether the MLSI is accompanied by all intrusion. We adopt discriminant analysis to analyze information after IDA detects,in MLSI in a remote attack. Discriminant analysis provides a classification function that allows IDA to,separate intrusive activities from non-intrusive activities. Using discriminant analysis. we call detect intrusions by analyzing only a part of system calls occurring Oil, a host machine. and we can determine whether all unknown sample is all intrusion. In this paper, we explain in detail how we perform discriminant analysis to detect intrusions, and evaluate the classification function. We also describe how to extract a sample from system logs, which is necessary to implement the discriminant analysis function in IDA.

The number of computer break-ins from the outside of an organization has increased with the rapid growth of the Internet. Since many intruders from the outside of an organization employ stepping stones, it is difficult to trace back where the real origin of the attack is. Sonic research projects have proposed tracing methods for DoS attacks and detecting method of stepping stories. It is still difficult to locate the origin of an attack that uses stepping stones. We have developed IDA (Intrusion Detection Agent system). which has an intrusion tracing mechanism in a LAN environment. In this paper, we improve the tracing mechanism so that it can trace back stepping stories attack in the Internet. In our method, the information about tracing stepping stone is collected from hosts in a LAN effectively, and the information is made available at the public information server. A pursuer of stepping stone attack can trace back the intrusion based on the information available at the public information server on an intrusion route.

This paper proposes a new query type in Domain Name System (DNS) called IDNQUERY. It is used to cover internationalized domain names (IDNs) encoded in non-ASCII characters, like Unicode (UTF-8). IDNQUERY provides IDNs based on binary string. The IDN allows a user to specify multi-lingual domain names in Japanese, Chinese, and Korean. The IDN is a proper extension of the current DNS. Earlier implementations of DNS and applications provide domain names encoded in 7-bit ASCII only. These old systems and applications are designed on a text base. DNS can be a complete 8-bit clean protocol. There are good reasons to use domain names in 8-bit encoding. Older systems and applications are still working, and they do not work properly when they receive an IDN in 8-bit encoding. Several proposals to realize IDNs in UTF-8 have been discussed at IDN WG in IETF (Internet Engineering Task Force). However, none of them can be used with the older systems and applications because they have trouble with IDNs in 8-bit encoding. This paper proposes a new query type in DNS, IDNQUERY, which sends a query including an IDN in 8-bit encoding. Older DNS and applications can return an error message when they receive a query including an IDN in 8-bit encoding by reading the OPCODE in HEADER of IDNQUERY. This paper proposes the IDNQUERY which can cover both text based IDNs, including ACE, and binary sting based IDNs, such as UTF-8, in the current existing DNS environment. The solution in this paper lets binary string based domain names coexist with existing DNS

This paper describes an application of an AI-based multiagent system to the management and diagnosis of TCP/IP-based intranet/intra-AS (autonomous system) computer networks. A copy of this system is attached to each network segment and is made responsible for that segment. It captures packets in the promiscuous mode and analyzes their data in real time. Based on this analysis, the data needed to manage the local network are obtained, any changes in the local network or network components are recognized, and problems are detected. When a problem is reported by a user or detected by the system, the problem is diagnosed cooperatively or autonomously depending on its type. The activities of the agents are coordinated based on the concepts of coordination levels and functional organizations. An example of cooperative diagnosis clarifies why this multiagent approach is essential for network management. (C) 2001 Elsevier Science B.V. All rights reserved.

This paper proposes a new method of realizing internationalized domain names (iDN) and has been discussed at IETF (Internet Engineering Task Force). iDN allows a user to specify multi-lingual domain names, such as Japanese, Chinese, and Korean. iDN is a proper extension of the current domain name system. We have already developed an iDN implementation, named Global Domain Name System (GDNS). GDNS extends the usage of alias records, and gives reverse mapping information for multi-lingual domain names. This paper presents yet another method which introduces new Resource Record (RR) types to cover multi-lingual domain names. We have two new RR (Resource Record) types. The first new record is INAME and the other is IPTR. These two RR types can cover multi-lingual domain names. This paper also discusses the efficiency of DNS. Since DNS is a distributed database system, the performance depends on the method of retrieving data. This paper suggests a new retrieving method that can improve the performance of DNS remarkably.

Many methods have been proposed to detect intrusions; for example, the pattern matching method on known intrusion patterns and the statistical approach to detecting deviation from normal activities. We investigated a new method for detecting intrusions based on the number of system calls during a user's network activity on a host machine. This method attempts to separate intrusions from normal activities by using discriminant analysis, a kind of multivariate analysis. We can detect intrusions by analyzing only 11 system calls occurring on a host machine by discriminant analysis with the Mahalanobis' distance, and can also tell whether an unknown sample is an intrusion. Our approach is a lightweight intrusion detection method, given that it requires only 11 system calls for analysis. Moreover, our approach does not require user profiles or a user activity database in order to detect intrusions. This paper explains our new method for the separation of intrusions and normal behavior by discriminant analysis, and describes the classification method by which to identify an unknown behavior.

This paper proposes a new simple method for network measurement. It extracts 6-bit control flags of TCP (Transmission Control Protocol) packets. The idea is based on the unique feature of flag ratios which is discovered by our exhaustive search for the new indexes of network traffic. By the use of flag ratios, one can tell if the network is really congested. It is much simpler than the conventional network monitoring by a network analyzer. The well-known monitoring method is based on the utilization parameter of a communication circuit which ranges from 0% to 100%. One cannot tell the line is congested even if the factor is 100%. 100% means full utilization and does not give any further information. To calculate the real performance of the network. one should estimate the throughput or effective speed of each user. The estimation needs much calculation. Our new method tries to correlate ratios of TCP control flags and network congestion. The result shows the usefulness of this new method. This paper analyzes the reason why the flag ratios show the unique feature.

At the Information-technology Promotion Agency (IPA), we have been developing a network intrusion detection system called IDA (Intrusion Detection Agent system). IDA system has two distinctive features that most conventional intrusion detection systems lack. First, it has a mechanism for tracing the origin of a break-in by means of mobile agents. Second, it has a new and efficient method of detecting intrusions: rather than continuously monitoring the user's activities, it watches for an event that meets the criteria of an MLSI (Mark Left by Suspected Intruders) and may relate to an intrusion. By this method, IDA described herein can reduce the processing overhead of systems and networks. At present. IDA can detect local attacks that are initiated against a machine to which the attacker already has access and he or she attempts to exceed his or her authority. This paper mainly describes how IDA detects local attacks and traces intrusions.

APAN (Asia-Pacific Advanced Network) is a non-profit international consortium started in 1997. It is intended to be a high-performance network for research and development on advanced applications and services. The backbone of APAN is based on ATM. Dedicated PVCs are allocated and managed for IPv6 between Japan and the US, Korea and Singapore. Measurement working group of APAN is developing and deploying new monitoring tools for advanced network. One of them is the oc3mon developed by NLANR which captures traffic on an OC3 link. It also provides various perl scripts for analyzing captured data. However, those scripts are for IPv4 and there is no support for IPv6 currently. This paper describes our experiences on monitoring IPv6 traffic with oc3mon at APAN Tokyo-XP (eXchange Point).

This paper presents a network surveillance technique for detecting malicious activities. Based on the hypothesis that unusual conducts like system exploitation will trigger an abnormal network pattern, we try to detect this anomalous network traffic pattern as a sign of malicious, or at least suspicious activities. Capturing and analyzing of a network traffic pattern is implemented with a concept of port profiling, where measures representing various characteristics of connections are monitored and recorded for each port. Though the generation of the port profiles requires the minimum calculation and memory, they exhibit high stability and robustness. Each port profile retains the patterns of the corresponding connections precisely, even if the connections demonstrate multi-modal characteristics. By comparing the pattern exhibited by live traffic with the expected behavior recorded in the profile, intrusive activities like compromising backdoors or invoking trojan programs are successfully detected.

This paper proposes a new model which can approximate the delay time distribution in the Internet. It is well known that the delay time in communication links follows the exponential distribution. However, the earlier models cannot explain the distribution when a communication link is heavily overloaded. This paper proposes to use the M / M / S(m) model for the Internet. We have applied our model to the measurement results. This paper deals with one-way delay because it reflects the actual characteristics of communication links. Most measurement statistics in the Internet have been based on round-trip time delay between two end nodes. These characteristics are easily measured by sending sample packets from one node to the other. The receiver side echoes back the packets. However, the results are not always useful. A long distance communication link, such as a leased line, has two different fibers or wires for each direction: an incoming link, and an outgoing link. When the link is overloaded, the traffic in each link is quite different. The measurement of one-way delay is especially important for multimedia communications, because audio and video transmissions are essentially one-way traffic.

Many people want to know the number of Internet users. It is, however, impossible to count the users directly. Instead, we can count the number of hosts which are connected to the Internet. There have been two methods of counting connected hosts. The first method surveys the DNS (Domain Name System) database, and counts the unique names of computers appearing on it. A host name takes the form of www.waseda.ac.jp. This method gathers DNS records from remote sites, and looks into them. Another method also utilizes DNS records in a different manner. It starts counting hosts with the IP address. There is a DNS record in the database which gives a mapping from an IP address to a host name. The record is called a reverse pointer. The first method is well known and has been used in Japan by JPNIC. Recently, some sites refused to allow their DNS records to be transferred as a whole. They refused the transfer, because illegal intruders sometimes use DNS records to acquire information about their target. Since this security issue is serious, the zone transfer would be refused by many sites. To count the hosts in Japan, we should take the second approach. This paper addresses several issues on host counting and concludes that it is feasible to deploy the second method in Japan although some care should be taken.

This paper proposes a new simple method for network measurement. It extracts 6-bit control flags of TCP (Transmission Control Protocol) packets. The idea is based on the unique feature of flag ratios which is discovered by our rather exhaustive search for the new indexes of network traffic. By the use of flag ratios, one can tell if the network is really congested. It is much simpler than the conventional network monitoring by a network analyzer. The well-known monitoring method is based on the utilization parameter of a communication circuit which ranges from 0% to 100%. One cannot tell the line is congested even if the factor is 100%. 100% means full utilization and does not give any further information. To calculate the real performance of the network, one should estimate the throughput of effective speed of each user. The estimation needs much calculation. Our new method tries to correlate ratios of TCP control flags and network congestion. The result shows the usefulness of this new method. This paper analyses the reason why the flag ratios show the unique feature.

The paper proposes a network surveillance method for detecting malicious activities. Based on the hypothesis that unusual conducts like system exploitation will trigger an abnormal network traffic, we try to detect this anomalous traffic pattern as a sign of malicious, or at least suspicious activities. Capturing and analyzing of a network traffic pattern is implemented with an idea of port profiling, where measures representing various characteristics of connections are monitored and recorded for each port. Though the generation of the port profiles requires a small amount of calculation, they exhibit high stability and robustness. By comparing the pattern exhibited by live traffic with the expected behavior recorded in the profile, intrusive activities like compromising backdoors or invoking trojan programs are successfully detected.

This paper analyzes the delay time distribution in the Internet. We send sample packets with a time stamp to measure the delay time. It is well known that the delay time in communication links follows the exponential distribution. However, the earlier models cannot explain the distribution when a communication link is heavily overloaded. This paper proposes to use a new model for the Internet. We have applied our model to the measurement results successfully.

Many network intrusion detection systems detect intrusions by concentrating all logs of target systems in a server and having the server subsequently analyze these logs. At the Information-technology Promotion Agency (IPA), we have been developing an alternate type of network intrusion detection system called IDA (Intrusion Detection Agent system), which detects intrusions with mobile agents that act by gathering information related to intrusions from target systems on a network. The mobile agents autonomously trace the origin of the bleak-in without the intrusion-detection server's control, and also gather information from target systems. Consequently, network traffic between the target systems and the server is reduced. This paper describes how the mobile agents migrate from machine to machine within a network, and details how they trace intrusions and gather and exchange information efficiently.