Updated on 2022/05/25

 
GOTO, Shigeki
 
Affiliation
Faculty of Science and Engineering
Job title
Professor Emeritus

Education

  • - 1973

    The University of Tokyo

  • - 1973

    The University of Tokyo   Graduate School, Division of Science   Mathematics

  • - 1971

    The University of Tokyo   Faculty of Science

Degree

  • The University of Tokyo   Dr Eng.

  • The University of Tokyo   MS

Research Experience

  • 1973 - 1996

    Research Scientist, NTT Laboratories

Professional Memberships

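  • ACM

  • The Japan Society for Industrial and Applied Mathematics (JSIAM)

  • The Institute of Electronics, Information and Communication Engineers (IEICE)

  • IEEE

  • The Japanese Society for Artificial Intelligence (JSAI)

  • Information Processing Society of Japan (IPSJ)

  • Japan Society for Software Science and Technology (JSSST)

  • Internet Society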

 

Research Areas

  • Computational science

Research Interests

  • Information systems (including information and library science)

Papers

  • DomainScouter: Analyzing the Risks of Deceptive Internationalized Domain Names

    Daiki CHIBA, Ayako AKIYAMA HASEGAWA, Takashi KOIDE, Yuta SAWABE, Shigeki GOTO, Mitsuaki AKIYAMA

    IEICE Transactions on Information and Systems   E103.D ( 7 ) 1493 - 1511  2020.07  [Refereed]

  • ShamFinder: An Automated Framework for Detecting IDN Homographs.

    Hiroaki Suzuki, Daiki Chiba, Yoshiro Yoneya, Tatsuya Mori, Shigeki Goto

    Proceedings of the Internet Measurement Conference, IMC 2019, Amsterdam, The Netherlands, October 21-23, 2019     449 - 462  2019  [Refereed]

  • DomainProfiler: toward accurate and early discovery of domain names abused in future.

    Daiki Chiba, Takeshi Yagi, Mitsuaki Akiyama, Toshiki Shibahara, Tatsuya Mori, Shigeki Goto

    Int. J. Inf. Sec.   17 ( 6 ) 661 - 680  2018.11  [Refereed]

  • DomainChroma: Building actionable threat intelligence from malicious domain names.

    Daiki Chiba, Mitsuaki Akiyama, Takeshi Yagi, Kunio Hato, Tatsuya Mori, Shigeki Goto

    Computers & Security   77   138 - 161  2018.08  [Refereed]

  • A Feasibility Study of Radio-frequency Retroreflector Attack.

    Satohiro Wakabayashi, Seita Maruyama, Tatsuya Mori, Shigeki Goto, Masahiro Kinugawa, Yu-ichi Hayashi

    12th USENIX Workshop on Offensive Technologies, WOOT 2018, Baltimore, MD, USA, August 13-14, 2018.    2018.08  [Refereed]

  • Detecting Malware-Infected Devices Using the HTTP Header Patterns.

    Sho Mizuno, Mitsuhiro Hatada, Tatsuya Mori, Shigeki Goto

    IEICE Transactions   101-D ( 5 ) 1370 - 1379  2018.05  [Refereed]

  • DomainProfiler: toward accurate and early discovery of domain names abused in future

    Daiki Chiba, Takeshi Yagi, Mitsuaki Akiyama, Toshiki Shibahara, Tatsuya Mori, Shigeki Goto

    International Journal of Information Security     1 - 20  2017.12  [Refereed]

    Domain names are at the base of today’s cyber-attacks. Attackers abuse the domain name system (DNS) to mystify their attack ecosystems; they systematically generate a huge volume of distinct domain names to make it infeasible for blacklisting approaches to keep up with newly generated malicious domain names. To solve this problem, we propose DomainProfiler for discovering malicious domain names that are likely to be abused in future. The key idea with our system is to exploit temporal variation patterns (TVPs) of domain names. The TVPs of domain names include information about how and when a domain name has been listed in legitimate/popular and/or malicious domain name lists. On the basis of this idea, our system actively collects historical DNS logs, analyzes their TVPs, and predicts whether a given domain name will be used for malicious purposes. Our evaluation revealed that DomainProfiler can predict malicious domain names 220 days beforehand with a true positive rate of 0.985. Moreover, we verified the effectiveness of our system in terms of the benefits from our TVPs and defense against cyber-attacks.

  • DomainChroma: Providing Optimal Countermeasures against Malicious Domain Names.

    Daiki Chiba, Mitsuaki Akiyama, Takeshi Yagi, Takeshi Yada, Tatsuya Mori, Shigeki Goto

    41st IEEE Annual Computer Software and Applications Conference, COMPSAC 2017, Turin, Italy, July 4-8, 2017. Volume 1     643 - 648  2017.07  [Refereed]

  • BotDetector: A robust and scalable approach toward detecting malware-infected devices.

    Sho Mizuno, Mitsuhiro Hatada, Tatsuya Mori, Shigeki Goto

    IEEE International Conference on Communications, ICC 2017, Paris, France, May 21-25, 2017     1 - 7  2017.05  [Refereed]

  • DomainProfiler: Discovering Domain Names Abused in Future

    D. Chiba, T. Yagi, M. Akiyama, T. Shibahara, T. Yada, T. Mori, S. Goto

    Proceedings of the 46th Annual IEEE/IFIP International Conference on Dependable Systems and Networks     491 - 502  2016.06  [Refereed]

  • BotProfiler: Detecting Malware-Infected Hosts by Profiling Variability of Malicious Infrastructure

    Daiki Chiba, Takeshi Yagi, Mitsuaki Akiyama, Kazufumi Aoki, Takeo Hariu, Shigeki Goto

    IEICE TRANSACTIONS ON COMMUNICATIONS   E99B ( 5 ) 1012 - 1023  2016.05  [Refereed]

    Ever-evolving malware makes it difficult to prevent it from infecting hosts. Botnets in particular are one of the most serious threats to cyber security, since they consist of a lot of malware-infected hosts. Many countermeasures against malware infection, such as generating network-based signatures or templates, have been investigated. Such templates are designed to introduce regular expressions to detect polymorphic attacks conducted by attackers. A potential problem with such templates, however, is that they sometimes falsely regard benign communications as malicious, resulting in false positives, due to an inherent aspect of regular expressions. Since the cost of responding to malware infection is quite high, the number of false positives should be kept to a minimum. Therefore, we propose a system to generate templates that cause fewer false positives than a conventional system in order to achieve more accurate detection of malware-infected hosts. We focused on the key idea that malicious infrastructures, such as malware samples or command and control, tend to be reused instead of created from scratch. Our research verifies this idea and proposes here a new system to profile the variability of substrings in HTTP requests, which makes it possible to identify invariable keywords based on the same malicious infrastructures and to generate more accurate templates. The results of implementing our system and validating it using real traffic data indicate that it reduced false positives by up to two-thirds compared to the conventional system and even increased the detection rate of infected hosts.

  • MineSpider: Extracting Hidden URLs Behind Evasive Drive-by Download Attacks

    Yuta Takata, Mitsuaki Akiyama, Takeshi Yagi, Takeo Hariu, Shigeki Goto

    IEICE TRANSACTIONS ON INFORMATION AND SYSTEMS   E99D ( 4 ) 860 - 872  2016.04  [Refereed]

    Drive-by download attacks force users to automatically download and install malware by redirecting them to malicious URLs that exploit vulnerabilities of the user's web browser. In addition, several evasion techniques, such as code obfuscation and environment-dependent redirection, are used in combination with drive-by download attacks to prevent detection. In environment-dependent redirection, attackers profile the information on the user's environment, such as the name and version of the browser and browser plugins, and launch a drive-by download attack on only certain targets by changing the destination URL. When malicious content detection and collection techniques, such as honeyclients, are used that do not match the specific environment of the attack target, they cannot detect the attack because they are not redirected. Therefore, it is necessary to improve analysis coverage while countering these adversarial evasion techniques. We propose a method for exhaustively analyzing JavaScript code relevant to redirections and extracting the destination URLs in the code. Our method facilitates the detection of attacks by extracting a large number of URLs while controlling the analysis overhead by excluding code not relevant to redirections. We implemented our method in a browser emulator called MineSpider that automatically extracts potential URLs from websites. We validated it by using communication data with malicious websites captured during a three-year period. The experimental results demonstrated that MineSpider extracted 30,000 new URLs from malicious websites in a few seconds that conventional methods missed.

  • Statistical Estimation of the Names of HTTPS Servers with Domain Name Graphs

    T. Mori, T. Inoue, A. Shimoda, K. Sato, K. Ishibashi, S. Goto

    Computer Communications   94   104 - 113  2016  [Refereed]

  • Inferring Popularity of Domain Names with DNS Traffic: Exploiting Cache Timeout Heuristics

    A. Shimoda, K. Ishibashi, K. Sato, M. Tsujino, T. Inoue, M. Shimura, T. Takebe, K. Takahashi, T. Mori, S. Goto

    Proceedings of the IEEE Global Communications Conference     1 - 6  2015.12  [Refereed]

  • Increasing the Darkness of Darknet Traffic

    Y. Haga, A. Saso, T. Mori, S. Goto

    Proceedings of the IEEE Global Communications Conference     1 - 7  2015.12  [Refereed]

  • SFMap: Inferring Services over Encrypted Web Flows using Dynamical Domain Name Graphs

    T. Mori, T. Inoue, A. Shimoda, K. Sato, K. Ishibashi, S. Goto

    Proceedings of IFIP Traffic Monitoring and Analysis workshop     126 - 139  2015.04  [Refereed]

  • Efficient and Secure E-mail System in Information-Centric Networking

    Yao Hu, Shigeki Goto

    Proceedings of the IEICE General Conference   BS-3 ( 60 )  2015.03

  • Behavior Analysis of Video Application Users on Smart Phones Based on State Transition Diagram

    Norihiro Fukumoto, Shigehiro Ano, Shigeki Goto

    IEICE TRANSACTIONS ON COMMUNICATIONS   E98B ( 1 ) 42 - 50  2015.01  [Refereed]

    Video traffic occupies a major part of current mobile traffic. The characteristics of video traffic are dominated by the behavior of the video application users. This paper uses a state transition diagram to analyze the behavior of video application users on smart phones. Video application users are divided into two categories: keyword search users and initial screen users. They take different first actions in video viewing. The result of our analysis shows that the patience of video application users depends on whether they have a specific purpose when they launch a video application or not. Mobile network operators can improve the QoE of video application users by utilizing the results of this study.

  • BotProfiler: Profiling Variability of Substrings in HTTP Requests to Detect Malware-infected Hosts

    Daiki Chiba, Takeshi Yagi, Mitsuaki Akiyama, Kazufumi Aoki, Takeo Hariu, Shigeki Goto

    2015 IEEE TRUSTCOM/BIGDATASE/ISPA, VOL 1     758 - 765  2015  [Refereed]

    Malware is constantly evolving, which makes it difficult to prevent it from infecting hosts. Many countermeasures against malware infection, such as generating network-based signatures or templates, have been investigated. Such templates are designed to introduce regular expressions to detect polymorphic attacks conducted by attackers. A potential problem with such templates, however, is that they sometimes falsely regard benign communications as malicious, resulting in false positives, due to an inherent aspect of regular expressions. Since the cost of responding to malware infection is quite high, the number of false positives should be kept to a minimum. Therefore, we propose a system to generate templates that cause fewer false positives than a conventional system. We focused on the key idea that malicious infrastructures, such as command and control, tend to be reused instead of created from scratch. The results of implementing our system and validating it using real traffic data indicate that it reduced false positives by up to two-thirds compared to the conventional system and even increased the detection rate of infected hosts.

  • Introducing Routing Guidance Name in Content-Centric Networking

    Yao Hu, Shigeki Goto

    IEICE TRANSACTIONS ON COMMUNICATIONS   E97B ( 12 ) 2596 - 2605  2014.12  [Refereed]

    This paper proposes a name-based routing mechanism called Routing Guidance Name (RGN) that offers new routing management functionalities within the basic characteristics of CCN. The proposed mechanism names each CCN router. Each router becomes a Data Provider for its name. When a CCN Interest specifies a router's name, it is forwarded to the target router according to the standard mechanism of CCN. Upon receiving an Interest, each router reacts to it according to RGN. This paper introduces a new type of node called a Scheduler which calculates the best routes based on link state information collected from routers. The scheduler performs its functions based on RGN. This paper discusses how the proposed system builds CCN FIB (Forwarding Information Base) in routers. The results of experiments reveal that RGN is more efficient than the standard CCN scheme. It is also shown that the proposal provides mobility support with short delay time. We explain a practical mobile scenario to illustrate the advantages of the proposal.

  • Structural Classification and Similarity Measurement of Malware

    Hongbo Shi, Tomoki Hamagami, Katsunari Yoshioka, Haoyuan Xu, Kazuhiro Tobe, Shigeki Goto

    IEEJ TRANSACTIONS ON ELECTRICAL AND ELECTRONIC ENGINEERING   9 ( 6 ) 621 - 632  2014.11  [Refereed]

    This paper proposes a new lightweight method that utilizes the growing hierarchical self-organizing map (GHSOM) for malware detection and structural classification. It also shows a new method for measuring the structural similarity between classes. A dynamic link library (DLL) file is an executable file used in the Windows operating system that allows applications to share codes and other resources to perform particular tasks. In this paper, we classify different malware by the data mining of the DLL files used by the malware. Since the malware families are evolving quickly, they present many new problems, such as how to link them to other existing malware families. The experiment shows that our GHSOM-based structural classification can solve these issues and generate a malware classification tree according to the similarity of malware families. (c) 2014 Institute of Electrical Engineers of Japan. Published by John Wiley & Sons, Inc.

  • Smart Name-based Routing in ICN

    Yao Hu, Shigeki Goto

    Proceedings of the IEICE General Conference   BS-1 ( 56 )  2014.03

  • Analyzing Spatial Structure of IP Addresses for Detecting Malicious Websites

    Daiki Chiba, Kazuhiro Tobe, Tatsuya Mori, Shigeki Goto

    Journal of Information Processing   21 ( 3 ) 539 - 550  2013.07  [Refereed]

  • A Practical Behavior Analysis of Video Application Users on Smart Phones

    Norihiro Fukumoto, Shigehiro Ano, Shigeki Goto

    2013 IEEE 37TH ANNUAL COMPUTER SOFTWARE AND APPLICATIONS CONFERENCE (COMPSAC)     288 - 289  2013  [Refereed]

    Mobile network operators are keeping a watchful eye on video applications because of their high impact on traffic volume. For optimum mobile network design it is desirable to know more about the characteristics of video traffic, which depend on the behavior of the video application users who generate that traffic. We conducted a practical behavior analysis of video application users on smart phones, using a traffic analysis approach that scales up well. We also present our findings about typical user behavior in video applications from a traffic analysis standpoint.

  • Performance Evaluation of File Transmission in Content-Centric Networking

    Yao Hu, Shigeki Goto

    2nd IEEE International Conference on Cloud Computing and Intelligence Systems   200 ( 619 ) 979 - 980  2012.11  [Refereed]

  • i-Path: Improving Path Visibility for the Future Internet

    Mochinaga, Dai, Kobayashi, Katsushi, Yamada, Ryo, Goto, Shigeki, Shimoda, Akihiro, Murase, Ichiro

    2012 IEEE/IPSJ 12TH INTERNATIONAL SYMPOSIUM ON APPLICATIONS AND THE INTERNET (SAINT)     155 - 160  2012  [Refereed]

    In this paper, we present the concept, design, and implementation of a novel network measurement system for the future Internet. The new protocol offers end-point applications a mechanism for utilizing internal information to maximize transport. By a cross-layer approach, we can automatically collect information along a path while upholding a disclosure policy for the information. The protocol has been implemented on commonly used operating systems and has been tested on both commercial and test-bed networks. A peer-to-peer file sharing application has been modified to support the protocol and experiments show that download times were reduced and bandwidth was used more efficiently.

  • Detecting Malicious Websites by Learning IP Address Features.

    Array,Kazuhiro Tobe, Tatsuya Mori, Shigeki Goto

    12th IEEE/IPSJ International Symposium on Applications and the Internet, SAINT 2012, Izmir, Turkey, July 16-20, 2012     29 - 39  2012  [Refereed]

  • Extended Darknet: Multi-Dimensional Internet Threat Monitoring System.

    Akihiro Shimoda, Tatsuya Mori, Shigeki Goto

    IEICE Transactions   95-B ( 6 ) 1915 - 1923  2012  [Refereed]

  • A Scalable Monitoring System for Distributed Environments

    Sayaka Akioka, Junichi Ikeda, Takanori Ueda, Yuki Ohno, Midori Sugaya, Yu Hirate, Jiro Katto, Shigeki Goto, Yoichi Muraoka, Hayato Yamana, Tatsuo Nakajima

    FIRST INTERNATIONAL WORKSHOP ON SOFTWARE TECHNOLOGIES FOR FUTURE DEPENDABLE DISTRIBUTED SYSTEMS, PROCEEDINGS     32 - +  2009  [Refereed]

  • An implementation of multiple home agents mechanism in Mobile IPv6

    Hongbo Shi, Shigeki Goto

    2007 3RD INTERNATIONAL CONFERENCE ON TESTBEDS AND RESEARCH INFRASTRUCTURE FOR THE DEVELOPMENT OF NETWORKS AND COMMUNITIES     342 - 350  2007  [Refereed]

    This paper proposes a new mechanism of multiple home agents to realize a stable connection in Mobile IPv6. The new mechanism has multiple home agents instead of only one home agent in the existing specification of Mobile IPv6.
    In the existing Mobile IPv6 protocol, it takes time to find a new home agent and make it work. A mobile node cannot find that the home agent is down until the mobile node needs to register or update the binding information at the home agent. When a home agent is down and a mobile node is away from home and on a foreign link, the mobile node cannot receive any packets from a newly joining correspondent node.
    The new mechanism provides multiple home agents with a new Binding Update Message and a new ICMP Home Agent Unreachable Error Message. The new binding update procedure realizes a fast home agent recovery. This paper describes the result of an experiment which shows how a mobile node works with multiple home agents. We also compare the fast home agent recovery process with existing methods.

  • Reconfigurable adaptive FEC system based on Reed-Solomon code with interleaving

    K Shimizu, N Togawa, T Ikenaga, S Goto

    IEICE TRANSACTIONS ON INFORMATION AND SYSTEMS   E88D ( 7 ) 1526 - 1537  2005.07  [Refereed]

    This paper proposes a reconfigurable adaptive FEC system based on Reed-Solomon (RS) code with interleaving. In adaptive FEC schemes, error correction capability t is changed dynamically according to the communication channel condition. For given error correction capability t, we can implement an optimal RS decoder composed of minimum hardware units for each t. If the hardware units of the RS decoder can be reduced for any given error correction capability t, we can embed as large a deinterleaver as possible into the RS decoder for each t. Reconfiguring the RS decoder embedded with the expanded deinterleaver dynamically for each error correction capability t allows us to decode larger interleaved codes which are more robust error correction codes to burst errors. In a reliable transport protocol, experimental results show that our system achieves up to 65% lower packet error rate and 5.9% higher data transmission throughput compared to the adaptive FEC scheme on a conventional fixed hardware system. In an unreliable transport protocol, our system achieves up to 76% better bit error performance with higher code rate compared to the adaptive FEC scheme on a conventional fixed hardware system.

  • Flow analysis of internet traffic: World Wide Web versus peer-to-peer.

    Tatsuya Mori, Masato Uchida, Shigeki Goto

    Systems and Computers in Japan   36 ( 11 ) 70 - 81  2005  [Refereed]

  • A reconfigurable adaptive FEC system for reliable wireless communications

    K Shimizu, N Togawa, T Ikenaga, M Yanagisawa, S Goto, T Ohtsuki

    PROCEEDINGS OF THE 2004 IEEE ASIA-PACIFIC CONFERENCE ON CIRCUITS AND SYSTEMS, VOL 1 AND 2     13 - 16  2004  [Refereed]

    This paper proposes a reconfigurable adaptive FEC system. For adaptive FEC schemes, we can implement an FEC decoder which is optimal for error correction capability t by taking the number of operations into consideration. Reconfiguring the optimal FEC decoder dynamically for each t allows us to maximize the throughput of each decoder within a limited hardware resource. Our system can reduce packet dropping rate more efficiently than conventional fixed hardware systems for a reliable transport protocol.

Books and Other Publications

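  • Internet Engineering

    Corona Publishing  2007

  • Network Applications

    Iwanami Shoten  2003

  • Network Interconnection

    Iwanami Shoten  2001

  • Introduction to the Internet

    Iwanami Shoten  2001

  • The Internet in Every Direction (English translation)

    Kyoritsu Shuppan  1994

  • Quick Guide to TCP/IP (English translation)

    Kyoritsu Shuppan  1991

  • Symbolic Processing Programming

    Iwanami Shoten  1988

  • Introduction to PROLOG

    Saiensu-sha  1984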

Misc

  • ShamFinder: An Automated Framework for Detecting IDN Homographs.

    Hiroaki Suzuki, Daiki Chiba, Yoshiro Yoneya, Tatsuya Mori, Shigeki Goto

    CoRR   abs/1909.07539  2019

    Internal/External technical report, pre-print, etc.  

  • Understanding the Feasibility of RF Retroreflector Attack

    Satohiro WAKABAYASHI, Seita MARUYAMA, Haruka HOSHINO, Tatsuya MORI, Shigeki GOTO, Masahiro KINUGAWA, Yuichi HAYASHI

    Computer Security Symposium 2017     1138 - 1145  2017.10  [Refereed]

    Research paper, summary (national, other academic conference)  

    Radio-frequency (RF) retroreflector attack (RFRA) is an active electromagnetic side-channel attack that aims to leak the target’s internal signals by irradiating the targeted device with a radio wave, where an attacker has embedded a malicious circuit (RF retroreflector) in the device in advance. As the retroreflector consists of small and cheap electrical elements such as a field-effect transistor (FET) chip and a wire that can work as a dipole antenna, the reflector can be embedded into various kinds of electric devices that carry unencrypted, sensitive information; e.g., keyboard, display monitor, microphone, speaker, USB, and so on. Only a few studies have addressed the basic mechanism of RFRA and demonstrated the success of the attack. The conditions for a successful attack have not been adequately explored before, and therefore, assessing the feasibility of the attack remains an open issue. In the present study, we aim to investigate empirically the conditions for a successful RFRA through field experiments. Understanding attack limitations should help to develop effective countermeasures against it. In particular, with regard to the conditions for a successful attack, we studied the distance between the attacker and the target, and the target signal frequencies. Through the extensive experiments using off-the-shelf hardware including software-defined radio (SDR) equipment, we revealed that the required conditions for a successful attack are (1) up to a 10-Mbps of target signal and (2) up to a distance of 10 meters. These results demonstrate the importance of the RFRA threat in the real world.

  • POSTER: Is Active Electromagnetic Side-channel Attack Practical?

    Satohiro Wakabayashi, Seita Maruyama, Tatsuya Mori, Shigeki Goto, Masahiro Kinugawa, Yu-ichi Hayashi

    Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, CCS 2017, Dallas, TX, USA, October 30 - November 03, 2017     2587 - 2589  2017  [Refereed]

  • [Invited Talk] Exposing Hidden Traffic Using Name Information

    Tatsuya Mori, Takeru Inoue, Akihiro Shimoda, Kazumichi Sato, Shigeaki Harada, Keisuke Ishibashi, Yumehisa Haga, Akira Saso, Shigeki Goto

    IEICE Technical Report   115 ( 370 ) 19 - 24  2015.12  [Invited]

    Research paper, summary (national, other academic conference)  

  • Inferring the Number of Accesses to Internet Services using DNS Traffic

    Akihiro Shimoda, Keisuke Ishibashi, Shigeaki Harada, Kazumichi Sato, Masayuki Tsujino, Takeru Inoue, Masaki Shimura, Takanori Takebe, Kazuki Takahashi, Tatsuya Mori, Shigeki Goto

    IEICE Technical Report   115 ( 307 ) 129 - 134  2015.11

    Research paper, summary (national, other academic conference)  

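  • A Method for Estimating the Number of User Accesses Based on DNS Query Arrival Intervals

    Akihiro Shimoda, Keisuke Ishibashi, Masayuki Tsujino, Takeru Inoue, Tatsuya Mori, Shigeki Goto

    IEICE General Conference   B ( 16 ) 8  2015.09

    Research paper, summary (national, other academic conference)  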

  • B-16-8 Inferring the number of users' access by analyzing DNS query intervals

    Shimoda Akihiro, Ishibashi Keisuke, Tsujino Masayuki, Inoue Takeru, Mori Tatsuya, Goto Shigeki

    Proceedings of the Society Conference of IEICE   2015 ( 2 ) 333 - 333  2015.08

  • Estimation of hostnames of HTTPS communication using DNS queries/responses

    MORI Tatsuya, INOUE Takeru, SHIMODA Akihiro, SATO Kazumichi, ISHIBASHI Keisuke, GOTO Shigeki

    IEICE Technical Report   114 ( 478 ) 255 - 260  2015.03

    Research paper, summary (national, other academic conference)  

    Most modern Internet services are carried over the web. A significant amount of web transactions is now encrypted and the transition to encryption has made it difficult for network operators to understand traffic mix. The goal of this study is to enable network operators to infer hostnames within HTTPS traffic because hostname information is useful to understand the breakdown of encrypted web traffic. The proposed approach correlates HTTPS flows and DNS queries/responses. We introduce domain name graph (DNG), which is a formal expression that characterizes the highly dynamic and diverse nature of DNS mechanisms. Furthermore, we have developed a framework called Service-Flow map (SFMap) that works on top of the DNG. SFMap statistically estimates the hostname of an HTTPS server, given a pair of client and server IP addresses. We evaluate the performance of SFMap through extensive analysis using real packet traces collected from two locations with different scales. We demonstrate that SFMap establishes good estimation accuracies and outperforms a state-of-the-art approach.

  • Inferring Traffic Volume of Internet Services using Flows and DNS Logs

    Shimoda Akihiro, Sato Kazumichi, Ishibashi Keisuke, Inoue Takeru, Mori Tatsuya, Goto Shigeki

    Proceedings of the IEICE General Conference   B ( 7 ) 53  2015.03

    Research paper, summary (national, other academic conference)  

  • D-19-3 Detecting Web-based Malware by Analyzing HTTP Headers

    Nagai Nobuhiro, Goto Shigeki

    Proceedings of the IEICE General Conference   2015 ( 2 ) 156 - 156  2015.02

  • BS-3-60 Efficient and Secure E-mail System in Information-Centric Networking(BS-3. Advanced Technologies in the Design, Management and Control for Future Innovative Communication Network)

    Yao Hu, Goto Shigeki

    Proceedings of the IEICE General Conference   2015 ( 2 ) S-122 - S-123  2015.02

    Implementing push-based e-mail service in pull-based Information-Centric Networking (ICN) encounters some difficulties and thus calls for a new mechanism. This paper presents a new e-mail system design in the ICN architecture, which builds all the applications on a receiver-driven communication model. In our proposed mechanism, an e-mail user is assigned a hierarchical account name which can be also treated as a name or name prefix in ICN. To fully utilize the built-in multicast data delivery capability in ICN, the new design realizes an efficient name-based pub/sub communication pattern on top of the standard ICN to remove the iterative procedure that an interested recipient has to send an Interest request every time when he or she requires a piece of e-mail information on some specific topic. The push-based multicast capability enhances the pull-based ICN architecture.

  • B-7-91 Slow Port Scan Detection by Analyzing Darknet Traffic

    Furuoka Tatsuya, Goto Shigeki

    Proceedings of the IEICE General Conference   2015 ( 2 ) 241 - 241  2015.02

  • Proactive Content Caching and Delivery Scheme utilizing Transportation Systems

    Sato Takuro, Park Yong Jin, Tsuda Toshitaka, Goto Shigeki, Tanaka Yoshiaki, Kameyama Wataru, Shimamoto Shigeru, Katto Jiro, Ichino Masatsugu

    IEICE technical report   114 ( 252 ) 93 - 97  2014.10

    In the future, network traffic will increase with the demand for high-volume video traffic in the mobile communication environment. To process large traffic volumes, virtualized networks based on SDN (Software Defined Network) have been provided for the purpose of cloud networking as CDN (Contents Delivery Network). On the other hand, ICN (Information Centric Network) has been proposed as an IP-independent network which isn't based on IP addresses, and its advantages compared to the IP network have been discussed. This paper shows the experimental results of Proactive Content Caching and Delivery Scheme utilizing Transportation Systems. This research has been supported by SCOPE organized by Ministry of Internal Affairs and Communications.

  • B-6-88 Proactive Content Caching and Delivery Scheme utilizing Transportation Systems

    Sato Takuro, Park Yong Jin, Tsuda Toshitaka, Goto Shigeki, Tanaka Yoshiaki, Kameyama Wataru, Shimamoto Shigeru, Katto Jiro, Ichino Masatsugu

    Proceedings of the IEICE General Conference   2014 ( 2 ) 88 - 88  2014.03

  • BS-1-56 Smart Name-based Routing in ICN(BS-1. Future Network Technologies for Advanced Information and Communications Society)

    Yao Hu, Goto Shigeki

    Proceedings of the IEICE General Conference   2014 ( 2 ) S-104 - S-105  2014.03

    The recent Content-Centric Networking (CCN) proposal has ignited widespread interest in the Information Centric Networking (ICN) area. This paper presents the design of a smart name-based routing protocol for CCN. This new proposal imposes a comparatively large adjustment onto the existing CCN architecture, while it still preserves the basic characteristics of CCN. It introduces a dynamic DNS-like element to CCN. Compared to the basic CCN scheme, it offers more efficient packet dissemination and has less overhead within the network. Besides, it is suitable for realizing and enhancing the mobility aspect in CCN. The results of our evaluations show the superiority of the proposal over the basic or standard CCN architecture.

    CiNii

  • D-19-4 Detecting Web-based Malware by Analyzing HTTP Access Transition

    Kozaki Shota, Goto Shigeki

    Proceedings of the IEICE General Conference   2014 ( 2 ) 180 - 180  2014.03

  • D-19-3 Analysis of API call patterns for malware detection

    Aoki Kazuki, Goto Shigeki

    Proceedings of the IEICE General Conference   2014 ( 2 ) 179 - 179  2014.03

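  • Content Delivery Method Using Inter-Browser Communication during Access Concentration

    知識友紀江, 千葉大紀, 後藤滋樹

    Proceedings of the National Convention   2013 ( 1 ) 705 - 707  2013.03

    When a large volume of access concentrates on a particular server, response may degrade or the server may stop abnormally. This paper proposes a method that can rapidly deliver content subject to heavy concentrated access to many users without increasing server performance or the number of servers. Specifically, during access concentration it uses communication between Web browsers so that users distribute content among themselves, spreading the server load. We evaluated the proposed method in an environment where access actually concentrates and compared it with unicast communication under the conventional server-client model. The results confirm that the proposed method reduces the server load and greatly shortens content download time.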

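  • Android Malware Detection Method Based on Analysis of Manifest Files

    佐藤亮, 千葉大紀, 後藤滋樹

    Proceedings of the National Convention   2013 ( 1 ) 557 - 559  2013.03

    With the rapid spread of Android smartphones, the threat of malware targeting Android is growing. Infection with Android malware causes damage such as theft of personal information, unauthorized use of paid services, and turning the device into a bot. Conventional countermeasures against the rapidly increasing Android malware are not sufficient. This paper proposes a new Android malware detection method. Its distinguishing feature is that it analyzes only the manifest file, which is always included in an Android application. An evaluation using real data showed that the proposed method can properly detect unknown Android malware that existing methods cannot detect.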

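  • Detection of Web-Based Malware by Time-Axis Analysis of HTTP Communication

    永井信弘, 千葉大紀, 後藤滋樹

    Proceedings of the National Convention   2013 ( 1 ) 549 - 551  2013.03

    Since Gumblar appeared in 2009, the threat of web-based malware, which infects a user who merely views a web page, has continued. Infection with malware causes problems such as leakage of personal information and tampering with web pages. This study analyzes HTTP communication along the time axis to distinguish automatic downloads of web-based malware from manual downloads of legitimate executable files by users. This distinction makes it possible to detect web-based malware. Because the proposed method does not depend on the attack code in web pages or on the contents of executable files, it has an advantage in detecting unknown web-based malware, which is difficult to detect with existing methods.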

  • BS-1-60 A New Learning Mechanism of Forwarding Information Base in CCN

    Yao Hu, Goto Shigeki

    Proceedings of the IEICE General Conference   2013 ( 2 ) S-118 - S-119  2013.03

  • Power Reduction Mechanism with Network Visibility

    MOCHINAGA Dai, KOBAYASHI Katsushi, GOTO Shigeki, MURASE Ichiro

    IEICE technical report. Internet Architecture   112 ( 430 ) 83 - 87  2013.02

    We propose a power reduction mechanism utilizing information of communication paths. For collecting internal information of the network, the mechanism includes an in-band cross-layer approach and makes applications feed back the network status. Then, applications can select the server that is more efficient than other servers. We discuss the implementation and the method to switch paths for the visibility API.

  • Current issues of resource management in the Internet

    GOTO Shigeki

    IEICE technical report   112 ( 287 ) 33 - 34  2012.11

    This paper describes the current issues concerning resource management in the Internet. We discuss several topics based on the open documents on the Web pages of JPNIC. It is shown that none of the issues are easily resolved or settled.

  • Current issues of resource management in the Internet

    GOTO Shigeki

    IEICE technical report. Information and communication management   112 ( 289 ) 9 - 10  2012.11

    This paper describes the current issues concerning resource management in the Internet. We discuss several topics based on the open documents on the Web pages of JPNIC. It is shown that none of the issues are easily resolved or settled.

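  • P2P Video Delivery Using Location Based Clustering That Guarantees Seeders

    高田和也, 後藤滋樹

    Proceedings of the National Convention   2012 ( 1 ) 389 - 391  2012.03

    Many current video delivery schemes use the client-server model, so load concentrates on the server. To avoid this concentration, many delivery schemes using P2P have been studied. Simple P2P protocols select peers without considering the proximity between peers, which generates long-distance traffic. Clustering based on geographic information is effective for solving this traffic problem. However, relying on geographic information alone can produce clusters in which no seeder exists. To improve on the conventional method, this paper introduces soft clustering into the clustering method. The proposed method is verified using PlanetLab.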

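  • Power-Saving Method Using OpenFlow in Server Load Balancing

    石井翔, 下田晃弘, 後藤滋樹

    Proceedings of the National Convention   2012 ( 1 ) 319 - 321  2012.03

    We improve a DNS-based server load balancing method in order to save power. Specifically, server resources are consolidated using OpenFlow switches. When server resources are in surplus relative to service demand, the surplus servers are put into standby to reduce power consumption. Note that even if the DNS record of a standby server is deleted, cached copies of the record remain. Users who refer to the cache generate connection requests to the standby server. The distinguishing feature of this paper is that such requests are forwarded to another server by means of OpenFlow functions. In this way, servers can be put into standby in a short time while availability is maintained. This paper demonstrates that power consumption can be reduced compared with the conventional approach.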

  • Expanding Darknet Space with Virtual Sensors

    TOBE Kazuhiro, GOTO Shigeki

    IEICE technical report. Information networks   111 ( 469 ) 311 - 316  2012.03

    Only anomalous traffic can be monitored in a network consisting of assigned but unused IP addresses (darknet). Although a darknet requires a large amount of IP addresses, it is difficult to acquire unused IP address space dedicated to network monitoring on a large scale. Some studies have proposed automatically detecting unused IP addresses (Virtual Dark IP addresses, VDIPs) and port numbers (Virtual Dark Ports, VDPs) as virtual sensors leveraged to monitor the network. Nevertheless, quantitative analyses on virtual sensor space have been incomplete. The purpose of this study is to expand virtual sensor space using features on the usage of IP addresses and port numbers. Also, this study aims to shorten the processing time to detect virtual sensors automatically. Our key findings from several evaluation experiments in an actual network with the /16 prefix are as follows: Setting appropriate parameters in the VDIP detection algorithm, the processing time can be reduced more than half without decreasing the number of VDIPs, the false detection of VDIPs can be moderated, and the changes in used IP addresses over time can be reflected into virtual sensor space; also, virtual sensor space consisting of VDPs can cover up to 99.98 percent of the network and expand the coverage of virtual sensor space consisting of VDIPs by up to 6.84 points.

  • Discriminating malicious packets using TTL in the IP header

    YAMADA Ryo, TOBE Kazuhiro, GOTO Shigeki

    IEICE technical report. Information networks   111 ( 469 ) 235 - 240  2012.03

    It is known that an IP packet passes through less than 30 routers before it reaches the destination host. According to our observation, some IP packets have an abnormal Time-To-Live (TTL) value that is decreased more than 30 from the initial TTL. These packets are likely to be generated by special software. We assume that IP packets with a strange TTL value are malicious. This paper investigates this conjecture through several experiments. As a result, we show that it is possible to discriminate malicious packets from legitimate ones only by observing TTL values.

  • Power Reduction by Optical Circuit Switching Network and CDN Utilizing Content Distribution over the Internet

    MOCHINAGA Dai, KOBAYASHI Katsushi, KUDOH Tomohiro, MURASE Ichiro, GOTO Shigeki

    The IEICE transactions on communications B   94 ( 10 ) 1293 - 1302  2011.10  [Refereed]

    Article, review, commentary, editorial, etc. (scientific journal)  

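  • Redirect Analysis of Web-Based Malware

    高田雄太, 森達哉, 後藤滋樹

    73rd National Convention of IPSJ   2Y-7  2011

  • Discrimination Method for IP Attack Traffic Using SVM

    千葉大紀, 森達哉, 後藤滋樹

    73rd National Convention of IPSJ   2Y-4  2011

  • P2P Streaming Using Location Based Clustering

    大村淳己, 高田和也, 後藤滋樹

    IEICE Technical Committee on Information Networks, IEICE Technical Report   IN2010-124   37 - 42  2011

  • NAT Traversal through Network Visualization

    戸部和洋, 下田晃弘, 後藤滋樹

    72nd National Convention of IPSJ   2ZP-6  2010

  • DoS Attack Detection Method Using Flow Information from i-Path Routers

    野上晋平, 下田晃弘, 後藤滋樹

    72nd National Convention of IPSJ   2ZP-4  2010

  • Malware Detection Method Based on Learning Strings Contained in Executable Files

    戸部和洋, 森達哉, 千葉大紀, 下田晃弘, 後藤滋樹

    Anti-Malware Engineering Workshop 2010 (MWS 2010)     777 - 782  2010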

  • Extended UDP Multiple Hole Punching Method to Traverse Large Scale NATs

    Kazuhiro Tobe, Akihiro Shimoda, Shigeki Goto

    APAN Network Research Workshop     S2-1  2010

  • Sensor in the dark: Building untraceable large-scale honeypots using virtualization technologies

    Akihiro Shimoda, Tatsuya Mori, Shigeki Goto

    Proceedings - 2010 10th Annual International Symposium on Applications and the Internet, SAINT 2010     22 - 30  2010

    A Honeypot is a system that aims to detect and analyze malicious attacks attempted on a network in an interactive manner. Because the primary objective of a honeypot is to detect enemies without being known to them, it is important to hide its existence. However, as several studies have reported, exploiting the unique characteristics of hosts working on a consecutive IP addresses range easily reveals the existence of honeypots. In fact, there exist some anti-honeypot tools that intelligently probe IP address space to locate Internet security sensors including honeypots. In order to tackle this problem, we propose a system called DarkPots, that consists of a large number of virtualized honeypots using unused and nonconsecutive IP addresses in a production network. DarkPots enables us to deploy a large number of honeypots within an active IP space used for a production network; thus detection is difficult using existing probing techniques. In addition, by virtually classifying the unused IP addresses into several groups, DarkPots enables us to perform several monitoring schemes simultaneously. This function is meaningful because we can adopt more than one monitoring schemes and compare their results in an operating network. We design and implement a prototype of DarkPots and empirically evaluate its effectiveness and feasibility by concurrently performing three independent monitoring schemes in a high-speed campus network. The system successfully emulated 7,680 of virtualized honeypots on a backbone link that carries 500 Mbps - 1 Gbps of traffic without affecting legitimate traffic. Our key findings suggest: (1) active and interactive monitoring schemes provide more in-depth insights of malicious attacks, compared to passive monitoring approach in a quantitative way, and (2) randomly distributed allocation of IP addresses has an advantage over the concentrated allocation in that it can collect more information from malwares. These features are crucial in monitoring the security threats. © 2010 IEEE.

  • Understanding Large-Scale Spamming Botnets From Internet Edge Sites

    Tatsuya Mori, Holly Esquivel, Aditya Akella, Akihiro Shimoda, Shigeki Goto

    Proceedings of Seventh Conference on Email and Anti-spam (CEAS 2010)     1 - 8  2010

  • Design for an end-to-end cross-layer measurement protocol and its API : Toward network visibility respecting disclosure policies

    KOBAYASHI Katsushi, GOTO Shigeki, MURASE Ichiro, MOCHINAGA Dai

    IEICE technical report   108 ( 409 ) 11 - 16  2009.01

    In order mainly to improve transport throughput, a number of in-band cross-layer protocols to provide visibility inside the network from end-system have been proposed. We present a policy coordination mechanism among stakeholders, when disclosing the information of inside a network. The mechanism realizes the visibility respecting the disclosure policies, not only of the transit networks operators, but also of the end-system. Furthermore, we discuss the implementation and design issues for the visibility API.

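  • Server Load Balancing Method Using Dynamic Record Updates in DNS Round Robin

    岸本和之, 後藤滋樹

    71st National Convention of IPSJ   6V-6  2009

  • Hybrid Roaming Using Multicast

    小山田浩起, 後藤滋樹, 史虹波

    71st National Convention of IPSJ   3U-5  2009

  • Construction and Evaluation of a Full HD Delivery System Using FLASH

    魏元, 後藤滋樹

    71st National Convention of IPSJ   1W-2 and デ-10  2009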

  • APAN Activities

    Shigeki Goto

    APRICOT 2009 - TEIN3 Philippines National Launch    2009

  • Threat Observation Method by Extracting Dark IP from Flow Data

    下田晃弘, 後藤滋樹

    IEICE Transactions   Vol.J92-B ( No.1 ) 163 - 173  2009

  • Analysis of Malicious Traffic Using TCP Fingerprinting

    木佐森幸太, 下田晃弘, 森達哉, 後藤滋樹

    Computer Security Symposium 2009     553 - 558  2009

  • Flow based anomaly traffic detection

    Akihiro Shimoda, Shigeki Goto

    The 13th JSPS/NRF Core University Program Seminar    2009

  • Understanding the large-scale spamming botnet

    MORI Tatsuya, ESQUIVEL Holly, AKELLA Aditya, SHIMODA Akihiro, GOTO Shigeki

    IEICE technical report   109 ( 137 ) 53 - 58  2009

    On November 11, 2008, the primary web hosting company, McColo, for the command and control servers of Srizbi botnet was shutdown by its upstream ISPs. Subsequent reports claimed that the volume of spam dropped significantly everywhere on that very same day. In this work, we aim to understand the world's worst spamming botnet, Srizbi, and to study the effectiveness of targeting the botnet's command and control servers, i.e., McColo shutdown, from the viewpoint of Internet edge sites. We conduct an extensive measurement study that consists of e-mail delivery logs and packet traces collected at three vantage points. The total measurement period spans from July 2007 to April 2009, which includes the day of McColo shutdown. We employ passive TCP fingerprinting on the collected packet traces to identify Srizbi bots and spam messages sent from them. The main contributions of this work are summarized as follows. We first estimate the global scale of Srizbi botnet in a probabilistic way. Next, we quantify the volume of spam sent from Srizbi and the effectiveness of the McColo shutdown from an edge site perspective. Finally, we reveal several findings that are useful in understanding the growth and evolution of spamming botnets. We detail the rise and steady growth of Srizbi botnet, as well as, the version transition of Srizbi after the McColo shutdown.

  • Algorithms to Minimize Channel Interference in Multiple Channels Multiple Interfaces Environments

    Trung-Tuan Luong, Bu-Sung Lee, Chai-Kiat Yeo, Ming-Shiunn Wong, Shigeki Goto

    2009 IEEE 34TH CONFERENCE ON LOCAL COMPUTER NETWORKS (LCN 2009)     61 - +  2009

    Significant throughput degradation of multihop path communication in wireless mesh network is one of the major problems in wireless communication. The main reason for the lack of bandwidth is channel interference, which is caused by contention for the shared channel between wireless nodes. The natural approach to overcome this problem is exploiting the availability of multiple channels multiple interfaces (MCMI) networks. However, it is costly and may not be practical to dedicate one interface per channel for every node. Thus in this paper, we study the MCMI network, where the number of interfaces that every node has is less than the number of available channels. Simple and distributed channel scheduling algorithms for communication in multiple channels multiple interfaces networks are discussed. The objective of the proposed algorithms is to minimize the channel interference that causes the throughput degradation in multihop networks. The proposed algorithms are evaluated with extensive simulations. The simulation results show that the proposed algorithms well exploited the availability of multiple channels multiple interfaces to overcome the throughput degradation problem.

  • Collecting inside information to visualize network status

    Dai Mochinaga, Katsushi Kobayashi, Shigeki Goto, Akihiro Shimoda, Ichiro Murase

    APAN Network Research Workshop     1 - 4  2009

  • Privacy-conscious P2P data sharing scheme with bogus profile distribution

    Makoto Iguchi, Shigeki Goto

    Web Intelligence and Agent Systems   7 ( 2 ) 209 - 222  2009

    With the increasing use of P2P (peer-to-peer) network technology in everyday services, the issue of privacy protection has gained considerable importance. This paper describes a method to realize an anonymity-conscious P2P data sharing network. The proposed network allows users to extract data possessed by other users who have similar profiles, thereby providing them with a collaborative filtering-based data recommendation. In the proposed P2P network protocol, bogus user profiles are distributed intentionally throughout the network to protect users' anonymity without harming the overall effectiveness of the data exchange. We conduct a series of simulations to prove that our proposed method protects the profile's privacy and performs efficient data exchange. © 2009 - IOS Press.

  • Characteristic Analysis of Failure Repair Time Distribution for Improving the Maintainability of Communication Networks

    船越裕介, 松川達哉, 吉野秀明, 後藤滋樹

    IEICE Transactions B   Vol.J92-B ( No.7 ) 1153 - 1163  2009

  • Privacy-conscious P2P data sharing scheme with bogus profile distribution

    Makoto Iguchi, Shigeki Goto

    Web Intelligence and Agent Systems: An International Journal   7   209 - 222  2009

  • Web Server Load Balancing by HTTP Session Handover

    土居幸一朗, 後藤滋樹

    IPSJ SIG Technical Report   2008-DSM-48 & 2008-QAI-26  2008

  • Detection of Network Attacks Using Dark IP and Snort

    田中祐樹, 後藤滋樹

    70th National Convention of IPSJ   3ZL-5  2008

  • A New Technique for TCP/UDP NAT Traversal against Symmetric NAT

    魏元, 後藤滋樹, 山田大輔, 吉田傑

    70th National Convention of IPSJ   3ZL-3  2008

  • Similarities between Market Behavior and Network Traffic

    Shigeki Goto

    CORE University Seminar    2008

  • A New Method for Symmetric NAT Traversal in UDP and TCP

    Yuan Wei, D. Yamada, S. Yoshida, S. Goto

    APAN Network Research Workshop 2008     11 - 18  2008

  • Identifying heavy-hitter flows from sampled flow statistics

    Tatsuya Mori, Tetsuya Takine, Jianping Pan, Ryoichi Kawahara, Masato Uchida, Shigeki Goto

    IEICE TRANSACTIONS ON COMMUNICATIONS   E90B ( 11 ) 3061 - 3072  2007.11

    With the rapid increase of link speed in recent years, packet sampling has become a very attractive and scalable means in collecting flow statistics; however, it also makes inferring original flow characteristics much more difficult. In this paper, we develop techniques and schemes to identify flows with a very large number of packets (also known as heavy-hitter flows) from sampled flow statistics. Our approach follows a two-stage strategy: We first parametrically estimate the original flow length distribution from sampled flows. We then identify heavy-hitter flows with Bayes' theorem, where the flow length distribution estimated at the first stage is used as an a priori distribution. Our approach is validated and evaluated with publicly available packet traces. We show that our approach provides a very flexible framework in striking an appropriate balance between false positives and false negatives when sampling frequency is given.

  • Anonymous P2P web browse history sharing for web page recommendation

    Makoto Iguchi, Shigeki Goto

    IEICE TRANSACTIONS ON INFORMATION AND SYSTEMS   E90D ( 9 ) 1343 - 1353  2007.09

    This paper proposes a new method for realizing the web page recommendation system by sharing users' web browse history on an anonymous P2P network. Our scheme creates a user profile, a summary of the user's web browse trends, by analyzing the contents of the web pages browsed. The scheme then provides a P2P network to exchange web browse histories so as to create mutual web page recommendations. The novelty of our method lies in its P2P network formulation; it is formulated in a way so that users having similar user profiles are automatically connected, yet their user profiles are protected from being disclosed to other users. The proposed method intentionally distributes bogus user profiles on the P2P network, while not harming the efficiency of the web browse history sharing process.

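  • Performance Evaluation of the TCP Selective ACK Extension Option Considering MTU

    伊沢信太郎, 関宏規, 後藤滋樹

    69th National Convention of IPSJ   4U-2  2007

  • Hierarchical Name Resolution Method for Large-Scale Ad Hoc Networks

    鈴木幹也, 後藤滋樹

    69th National Convention of IPSJ   3U-5  2007

  • Method for Establishing SIP Sessions Using DNS

    時光潤, 後藤滋樹

    69th National Convention of IPSJ   2U-2  2007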

  • International Collaborations among Advanced Networks

    Shigeki Goto

    APII Workshop 2007 and KR-JP APII 10Gbps Launching Ceremony    2007

  • Interaction between Society and ICT

    Shigeki Goto

    Korea ASEAN u-ICT Forum   Keynote Speech 3  2007

  • Cooperation on Regional Research Networks

    Shigeki Goto

    The 4th Jeju Peace Forum     221 - 226  2007

  • Load Balancing with HTTP Session Handover

    Koichiro Doi, Shigeki Goto

    CORE University Seminar, Jeju Korea    2007

  • Measuring the Stability of Web Browsing Preferences

    Makoto Iguchi, Shigeki Goto

    CORE University Seminar, Jeju Korea    2007

  • Evaluation of VoIP Communication Quality in IEEE 802.11e

    森田慎吾, 後藤滋樹

    FIT2007 (6th Forum on Information Technology), General Paper   L-035  2007

  • Optimum Parameters for VoIP in IEEE 802.11e Wireless LAN

    Ryo Kitahara, Koichiro Doi, Tomoya Iimura, Shingo Morita, Shigeki Goto

    APAN Network Research Workshop 2007     75 - 83  2007

  • Virtual Dark IP for Internet Threat Detection

    Akihiro Shimoda, Shigeki Goto

    APAN Network Research Workshop 2007     17 - 23  2007

  • An Analysis on Distribution of Malicious Packets and Threats over the Internet

    Masaki Ishiguro, Shigeki Goto, Hironobu Suzuki, Ichiro Murase

    APAN Network Research Workshop 2007     9 - 16  2007

  • Filling the P2P Network with White Lies to Make It Anonymous

    Makoto Iguchi, Shigeki Goto

    2007 IEEE/WIC/ACM International Conference on Intelligent Agent Technology    2007

  • Threat Detection Method Based on Flow Analysis in Wide-Area Networks

    下田晃弘, 後藤滋樹

    FIT2007 (6th Forum on Information Technology)   LL-001  2007

  • Filling the P2P network with white lies to make it anonymous

    Makoto Iguchi, Shigeki Goto

    PROCEEDINGS OF THE IEEE/WIC/ACM INTERNATIONAL CONFERENCE ON INTELLIGENT AGENT TECHNOLOGY (IAT 2007)     196 - +  2007

    This paper explores a method to realize an anonymity-conscious P2P data sharing network. The proposed network lets users extract other users' data that match the users' profiles, thereby providing them a collaborative filtering-based data recommendation. Our proposal realizes such a recommendation scheme without forcing the users to disclose their profiles. Our method intentionally fills the network with "white lies," whereby bogus user profiles are distributed throughout the network to protect users' anonymity without harming the overall effectiveness of the data exchange.

  • Anonymous P2P web browse history sharing for web page recommendation

    Makoto Iguchi, Shigeki Goto

    IEICE Transactions on Information and System   E90-D ( 9 ) 1343 - 1353  2007

  • Special section on new technologies and their applications of the Internet IV

    Jun Matsukata, Ichiro Iida, Shingo Ichii, Takashi Imaizumi, Kyoji Umemura, Hiroshi Esaki, Mitsuhiro Okamoto, Hiroshi G. Okuno, Mizue Kayama, Ryutaro Kawamura, Kunio Goto, Shigeki Goto, Shiro Sakata, Hideki Sunahara, Shuichi Tashiro, Yasuo Tan, Yukio Tsuruoka, Fumio Teraoka, Matsuaki Terada, Osamu Nakamura, Masaya Nakayama, Kouji Nishimura, Kazutoshi Fujikawa, Kenji Horikawa, Shigeru Miyake, Katsuyuki Yamazaki, Kenichi Yoshida

    IEICE Transactions on Information and Systems   E89-D   2821  2006.01

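  • Realization of Access Grid Using Mobile IP

    石井勇弥, 三浦周平, 後藤滋樹

    68th National Convention of IPSJ   5R-1  2006

  • A Scheme for Utilizing RFID in the Home

    荒井大輔, 河野真也, 井口誠, 美尾治生, 後藤滋樹

    68th National Convention of IPSJ   4Q-9  2006

  • Analysis of BGP Routing Control Traffic in IPv6 Networks

    有田真也, 後藤滋樹

    68th National Convention of IPSJ   3R-6  2006

  • Extension of the Wireless LAN QoS Control Scheme (EDCA) for VoIP

    北原亮, 鈴木偉元, 石川憲洋, 後藤滋樹

    FIT2006 (5th Forum on Information Technology)   L-039  2006

  • Quality Evaluation of VoIP in IEEE 802.11e Wireless LAN

    夏目祐輔, 閻多一, 土居幸一朗, 北原亮, 後藤滋樹

    FIT2006 (5th Forum on Information Technology)   L-038  2006

  • Speeding Up Packet Capture by Real-Time Compression

    清水 奨, 風間 一洋, 廣津 登志夫, 後藤 滋樹

    IPSJ Transactions on Advanced Computing Systems   Vol.47 ( No.SIG 7 (ACS 14) ) 183 - 193  2006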

  • Traffic matrix estimation using spike flow detection

    S Shimizu, K Fukuda, K Murakami, S Goto

    IEICE TRANSACTIONS ON COMMUNICATIONS   E88B ( 4 ) 1484 - 1492  2005.04

    This paper proposes a new method of estimating real-time traffic matrices that only incurs small errors in estimation. A traffic matrix represents flows of traffic in a network. It is an essential tool for capacity planning and traffic engineering. However, the high costs involved in measurement make it difficult to assemble an accurate traffic matrix. It is therefore important to estimate a traffic matrix using limited information that only incurs small errors. Existing approaches have used IP-related information to reduce the estimation errors and computational complexity. In contrast, our method, called spike flow measurement (SFM) reduces errors and complexity by focusing on spikes. A spike is transient excessive usage of a communications link. Spikes are easily monitored through an SNMP framework. This reduces the measurement costs compared to that of other approaches. SFM identifies spike flows from traffic byte counts by detecting pairs of incoming and outgoing spikes in a network. A matrix is then constructed from collected spike flows as an approximation of the real traffic matrix. Our experimental evaluation reveals that the average error in estimation is 28%, which is sufficiently small for the method to be applied to a wide range of network nodes, including Ethernet switches and IP routers.

    DOI CiNii

  • Efficient Name Resolution Using Hierarchical DNS Caching

    竹谷賢二, 後藤滋樹

    Information Processing Society of Japan (IPSJ) 67th National Convention   5W-8  2005

  • A Three-Party Calling Method Applying ENUM

    杉田隆俊, 後藤滋樹, 宮嶋晃

    Information Processing Society of Japan (IPSJ) 67th National Convention   4T-3  2005

  • A Port Scan Detection Method Using TCP Flags

    鈴木和明, 岡部吉彦, 後藤滋樹

    Information Processing Society of Japan (IPSJ) 67th National Convention   3T-5  2005

  • Identifying elephant flows from sampled packet stream

    MORI Tatsuya, UCHIDA Masato, KAWAHARA Ryoichi, GOTO Shigeki

    IEICE technical report   104 ( 18 ) 17 - 20  2004.04

    In a network link with sufficient volume of traffic, a small number of flows constructed from a large number of packets occupy a large part of whole aggregated traffic. Such flows are called "elephant flows". Identifying and controlling them will be useful for constructing efficient and effective traffic engineering schemes. Meanwhile, with the recent growth in bandwidth of network links, packet sampling technique has been widely noticed as a scalable technology for measuring and managing networks. In this paper, we propose a new method for identifying elephant flows from a sampled packet stream. We will also evaluate the method using measured data.

  • B-7-117 Identifying elephant flows using packet sampling

    Mori Tatsuya, Uchida Masato, Kawahara Ryoichi, Goto Shigeki

    Proceedings of the IEICE General Conference   2004 ( 2 ) 326 - 326  2004.03

  • Performance Evaluation of GridFTP in Globus

    河合裕貴, 後藤滋樹

    Information Processing Society of Japan (IPSJ) 66th National Convention   5W-3  2004

  • A Host-Based Intrusion Detection Method Based on System Call Analysis

    藤井優尚, 後藤滋樹

    Information Processing Society of Japan (IPSJ) 66th National Convention   4V-5  2004

  • Port Scan Detection Using ICMP

    岡部吉彦, 後藤滋樹

    Information Processing Society of Japan (IPSJ) 66th National Convention   5V-5  2004

  • Utilizing multiple home links in mobile IPv6

    H Shi, S Goto

    2004 IEEE WIRELESS COMMUNICATIONS AND NETWORKING CONFERENCE, VOLS 1-4   ( A06-3 ) 149 - 154  2004

    This paper proposes an improved mechanism for keeping stable connections between mobile nodes and corresponding nodes in the mobile IPv6 protocol. The mobile IPv6 protocol enables mobile nodes to keep the reachability while they are moving freely in the Internet. Our new method has multiple home links instead of one single home link in the current specification of the mobile IPv6 protocol.
    The new method is based on our earlier idea of having multiple home agents. Multiple home agents can provide backups when a home agent is not working properly. However, all the home agents should reside on one single network segment according to the current specification of the mobile IPv6. This paper further extends our earlier idea of multiple home agents, and proposes multiple home links.
    We have more stable connections by using multiple home links. This paper also shows a working example which illustrates the merit of multiple home links.

  • New binding update method in mobile IPv6

    H Khosravi, H Fukuda, S Goto

    INFORMATION NETWORKING   3090   267 - 276  2004

    In the current mobile IP standard, the home agent (HA) of a mobile node (MN) is located in the home link. If a mobile node (MN) is moved away from the home link, it takes time for MN to make a registration and binding update at the home agent (HA). It also generates extra traffic in the Internet because the Binding Update should be refreshed after the lifetime expires.
    This paper proposes a new method for distributing multiple home agents (HAs) geographically. By applying this method, a mobile node (MN) can find a home agent (HA) which is nearest to it. It facilitates fast registration and short latency time. It also reduces the traffic of transaction. This technique is simple to apply. However, it is very effective. We demonstrate the capability of this method through working experiments.

  • On the characteristics of Internet traffic variability: Spikes and elephants

    T Mori, R Kawahara, S Naito, S Goto

    2004 INTERNATIONAL SYMPOSIUM ON APPLICATIONS AND THE INTERNET, PROCEEDINGS     99 - 106  2004

    Analysing and modeling of traffic play a vital role in designing and controlling of networks effectively. To construct a practical traffic model that can be used for various networks, it is necessary to characterize aggregated traffic and user traffic. This paper investigates these characteristics and their relationship. Our analyses are based on a huge number of packet traces from five different networks on the Internet. We found that: (1) marginal distributions of aggregated traffic fluctuations follow positively skewed (non-Gaussian) distributions, which leads to the existence of "spikes", where spikes correspond to an extremely large value of momentary throughput, (2) the amount of user traffic in a unit of time has a wide range of variability, and (3) flows within spikes are more likely to be "elephant flows", where an elephant flow is an IP flow with a high volume of traffic. These findings are useful in constructing a practical and realistic Internet traffic model.

  • On the Characteristics of Internet Traffic Variability: Spikes and Elephants

    Tatsuya Mori, Ryoichi Kawahara, Shozo Naito, Shigeki Goto

    IEICE Transactions on Information and Systems   Vol.E87-D ( No.12 ) 2644 - 2653  2004

  • Identifying elephant flows through periodically sampled packets

    Tatsuya Mori, Masato Uchida, Ryoichi Kawahara, Jianping Pan, Shigeki Goto

    Proceedings of ACM SIGCOMM/USENIX Internet Measurement Conference (IMC 2004)     115 - 120  2004

  • Flow Analysis of Internet Traffic: A Comparison of Web and P2P

    森達哉, 内田真人, 後藤滋樹

    Transactions of the IEICE   Vol.J87-D-I ( No.5 ) 561 - 571  2004

  • A new protocol for double auction based on homomorphic encryption

    W Ohkishima, S Goto

    IEICE TRANSACTIONS ON INFORMATION AND SYSTEMS   E86D ( 11 ) 2361 - 2370  2003.11

    The auction is a popular way of trading. Despite the popularity of the auction, only a small number of papers have addressed the protocol which realizes the double auction. In this paper, we propose a new method of double auction which improves the algorithm of the existing double auction protocol. Our new method is based on the idea of number comparison which is realized by homomorphic encryption. The new method solves the problem of the privacy of losing bids found in the existing algorithm. The buyers and the sellers can embed a random number in their bidding information by the use of the homomorphic encryption. The players in an auction cannot get anyone else's bidding information. The new method is more efficient than the existing ones. Our new method satisfies the criteria for the auction protocol.

  • An improved TCP protocol machine for flow analysis and network monitoring

    H Khosravi, M Fukushima, S Goto

    IEICE TRANSACTIONS ON COMMUNICATIONS   E86B ( 2 ) 595 - 603  2003.02

    In the Internet, flow analysis and network monitoring have been studied by various methods. Some methods try to make TCP (Transport Control Protocol) traces more readable by showing them graphically. Others such as MRTG, NetScope, and NetFlow read the traffic counters of the routers and record the data for traffic engineering. Even if all of the above methods are useful, they are made only to perform a single task. This paper describes an improved TCP Protocol Machine, a multipurpose tool that can be used for flow analysis, intrusion detection and link congestion monitoring. It is developed based on a finite state machine (automaton). The machine separates the flows into two main groups. If a flow can be mapped to a set of input symbols of the automaton, it is valid, otherwise it is invalid. It can be observed that intruders' attacks are easily detected by the use of the protocol machine. Also link congestion can be monitored, by measuring the percentage of valid flows to the total number of flows. We demonstrate the capability of this tool through measurement and working examples.

  • Multiple Home Agents in IPv6 Mobile Networks

    史虹波, 後藤滋樹

    Information Processing Society of Japan (IPSJ) 65th National Convention   5T9-5  2003

  • Analysis of Update Messages in BGP (Border Gateway Protocol)

    志賀靖夫, 後藤滋樹

    Information Processing Society of Japan (IPSJ) 65th National Convention   3W-4  2003

  • A Study of Session Management Schemes in SIP-ALG

    IEICE Technical Report   Ns2003-208 PN2003-36  2003

  • Packet Analysis in Congested Networks, Progress in Discovery Science

    Shigeki Goto, Masaki Fukushima

    Springer LNAI   2281   600 - 615  2002

  • A new Intrusion Detection method based on process profiling

    Y Okazaki, I Sato, S Goto

    2002 SYMPOSIUM ON APPLICATIONS AND THE INTERNET (SAINT 2002), PROCEEDINGS     82 - 90  2002

    There have been two well-known models for intrusion detection. They are called Anomaly Intrusion Detection (AID) model and Misuse Intrusion Detection (MID) model. The former model analyzes user behavior and the statistics of a process in normal situation, and it checks whether the system is being used in a different manner. The latter model maintains database of known intrusion technique and detects intrusion by comparing a behavior against the database. An intrusion detection method based on an AID model can detect a new intrusion method, however it needs to update the data describing users behavior and the statistics in normal usage. We call these information profiles. There are several problems in AID to be addressed. The profiles tend to be large. Detecting intrusion needs a large amount of system resource, like CPU time and memory and disk space. An MID model requires less amount of system resource to detect intrusion. However it cannot detect new, unknown intrusion methods. Our method solves these problems by recording system calls from daemon processes and setuid programs. We improved detection accuracy by adopting a DP matching scheme.

  • Remote attack detection method in IDA: MLSI-based intrusion detection using discriminant analysis

    M Asaka, T Onabuta, T Inoue, S Goto

    2002 SYMPOSIUM ON APPLICATIONS AND THE INTERNET (SAINT 2002), PROCEEDINGS     64 - 73  2002

    In order to detect intrusions, IDA (Intrusion Detection Agent system) initially monitors system logs in order to discover an MLSI, which is a certain event which in many cases occurs during an intrusion. If an MLSI is found, then IDA judges whether the MLSI is accompanied by an intrusion. We adopt discriminant analysis to analyze information after IDA detects an MLSI in a remote attack. Discriminant analysis provides a classification function that allows IDA to separate intrusive activities from non-intrusive activities. Using discriminant analysis, we can detect intrusions by analyzing only a part of system calls occurring on a host machine, and we can determine whether an unknown sample is an intrusion. In this paper, we explain in detail how we perform discriminant analysis to detect intrusions, and evaluate the classification function. We also describe how to extract a sample from system logs, which is necessary to implement the discriminant analysis function in IDA.

  • A Remote Attack Detection Method Using Traces of Intrusion and Discriminant Analysis

    浅香緑, 女部田武史, 井上直, 岡澤俊士, 後藤滋樹

    Transactions of the IEICE   Vol.J85-B ( No.1 ) 60 - 74  2002

  • An Improved Intrusion Detection Method based on Process Profiling

    Izuru Sato, Yoshiki Okazaki, Shigeki Goto

    Transactions of the Information Processing Society of Japan   Vol.43 ( No.11 ) 3316 - 3326  2002

  • Public information server for tracing intruders in the Internet

    M Asaka, T Onabuta, S Goto

    IEICE TRANSACTIONS ON COMMUNICATIONS   E84B ( 12 ) 3104 - 3112  2001.12

    The number of computer break-ins from the outside of an organization has increased with the rapid growth of the Internet. Since many intruders from the outside of an organization employ stepping stones, it is difficult to trace back where the real origin of the attack is. Some research projects have proposed tracing methods for DoS attacks and detecting method of stepping stones. It is still difficult to locate the origin of an attack that uses stepping stones. We have developed IDA (Intrusion Detection Agent system), which has an intrusion tracing mechanism in a LAN environment. In this paper, we improve the tracing mechanism so that it can trace back stepping stones attack in the Internet. In our method, the information about tracing stepping stone is collected from hosts in a LAN effectively, and the information is made available at the public information server. A pursuer of stepping stone attack can trace back the intrusion based on the information available at the public information server on an intrusion route.

  • A multi-agent monitoring and diagnostic system for TCP/IP-based network and its coordination

    T Sugawara, K Murakami, S Goto

    KNOWLEDGE-BASED SYSTEMS   14 ( 7 ) 367 - 383  2001.11

    This paper describes an application of an AI-based multiagent system to the management and diagnosis of TCP/IP-based intranet/intra-AS (autonomous system) computer networks. A copy of this system is attached to each network segment and is made responsible for that segment. It captures packets in the promiscuous mode and analyzes their data in real time. Based on this analysis, the data needed to manage the local network are obtained, any changes in the local network or network components are recognized, and problems are detected. When a problem is reported by a user or detected by the system, the problem is diagnosed cooperatively or autonomously depending on its type. The activities of the agents are coordinated based on the concepts of coordination levels and functional organizations. An example of cooperative diagnosis clarifies why this multiagent approach is essential for network management. (C) 2001 Elsevier Science B.V. All rights reserved.

  • Extension of DNS to the internationalized domain names

    HB Shi, I Sato, S Goto

    IEICE TRANSACTIONS ON INFORMATION AND SYSTEMS   E84D ( 5 ) 588 - 595  2001.05

    This paper proposes a new method of realizing internationalized domain names (iDN) and has been discussed at IETF (Internet Engineering Task Force). iDN allows a user to specify multi-lingual domain names, such as Japanese, Chinese, and Korean. iDN is a proper extension of the current domain name system. We have already developed an iDN implementation, named Global Domain Name System (GDNS). GDNS extends the usage of alias records, and gives reverse mapping information for multi-lingual domain names. This paper presents yet another method which introduces new Resource Record (RR) types to cover multi-lingual domain names. We have two new RR (Resource Record) types. The first new record is INAME and the other is IPTR. These two RR types can cover multi-lingual domain names. This paper also discusses the efficiency of DNS. Since DNS is a distributed database system, the performance depends on the method of retrieving data. This paper suggests a new retrieving method that can improve the performance of DNS remarkably.

  • A new intrusion detection method based on discriminant analysis

    M Asaka, T Onabuta, T Inoue, S Okazawa, S Goto

    IEICE TRANSACTIONS ON INFORMATION AND SYSTEMS   E84D ( 5 ) 570 - 577  2001.05

    Many methods have been proposed to detect intrusions; for example, the pattern matching method on known intrusion patterns and the statistical approach to detecting deviation from normal activities. We investigated a new method for detecting intrusions based on the number of system calls during a user's network activity on a host machine. This method attempts to separate intrusions from normal activities by using discriminant analysis, a kind of multivariate analysis. We can detect intrusions by analyzing only 11 system calls occurring on a host machine by discriminant analysis with the Mahalanobis' distance, and can also tell whether an unknown sample is an intrusion. Our approach is a lightweight intrusion detection method, given that it requires only 11 system calls for analysis. Moreover, our approach does not require user profiles or a user activity database in order to detect intrusions. This paper explains our new method for the separation of intrusions and normal behavior by discriminant analysis, and describes the classification method by which to identify an unknown behavior.

  • Iwanami Lecture Series on the Internet, Vol. 1: "Introduction to the Internet"

    Iwanami Shoten    2001

  • Improving TCP Protocol Machine to Accept Real Internet Traffic

    Masaki Fukusima, Shigeki Goto

    IWS2001     47 - 53  2001

  • A Network Measurement Tool with Linked-list Traffic Generator

    Keita Fujii, Shigeki Goto

    IWS2001     23 - 30  2001

  • New Resource Records in the Internationalized Domain Name System

    Hongbo Shi, Izuru Sato, Shigeki Goto

    IWS2001     1 - 8  2001

  • Analysis of TCP flags in congested network

    M Fukushima, S Goto

    IEICE TRANSACTIONS ON INFORMATION AND SYSTEMS   E83D ( 5 ) 996 - 1002  2000.05

    This paper proposes a new simple method for network measurement. It extracts 6-bit control flags of TCP (Transmission Control Protocol) packets. The idea is based on the unique feature of flag ratios which is discovered by our exhaustive search for the new indexes of network traffic. By the use of flag ratios, one can tell if the network is really congested. It is much simpler than the conventional network monitoring by a network analyzer. The well-known monitoring method is based on the utilization parameter of a communication circuit which ranges from 0% to 100%. One cannot tell the line is congested even if the factor is 100%. 100% means full utilization and does not give any further information. To calculate the real performance of the network, one should estimate the throughput or effective speed of each user. The estimation needs much calculation. Our new method tries to correlate ratios of TCP control flags and network congestion. The result shows the usefulness of this new method. This paper analyzes the reason why the flag ratios show the unique feature.

  • Hit ratio of Web cache with infinitely large disk space

    IWS2000, Internet Workshop 2000   pp.175-180  2000

  • Traffic Analysis Based on Autonomous System Numbers

    IWS2000, Internet Workshop 2000   pp.121-126  2000

  • Measurement of Multicast Network Performance

    IWS2000, Internet Workshop 2000   pp.107-113  2000

  • Correlation between Hop count and Packet Transfer Time

    IWS2000, Internet Workshop 2000   pp.99-105  2000

  • 新・社会楽

    Internet Magazine / Impress   every issue from the April 2000 issue  2000

  • APNG (Asia Pacific Networking Group)

    Internet White Paper 2000 / Impress    2000

  • Local attack detection and intrusion route tracing

    M Asaka, M Tsuchiya, T Onabuta, S Okazawa, S Goto

    IEICE TRANSACTIONS ON COMMUNICATIONS   E82B ( 11 ) 1826 - 1833  1999.11

    At the Information-technology Promotion Agency (IPA), we have been developing a network intrusion detection system called IDA (Intrusion Detection Agent system). IDA system has two distinctive features that most conventional intrusion detection systems lack. First, it has a mechanism for tracing the origin of a break-in by means of mobile agents. Second, it has a new and efficient method of detecting intrusions: rather than continuously monitoring the user's activities, it watches for an event that meets the criteria of an MLSI (Mark Left by Suspected Intruders) and may relate to an intrusion. By this method, IDA described herein can reduce the processing overhead of systems and networks. At present, IDA can detect local attacks that are initiated against a machine to which the attacker already has access and he or she attempts to exceed his or her authority. This paper mainly describes how IDA detects local attacks and traces intrusions.

  • Detecting malicious activities through port profiling

    M Iguchi, S Goto

    IEICE TRANSACTIONS ON INFORMATION AND SYSTEMS   E82D ( 4 ) 784 - 792  1999.04

    This paper presents a network surveillance technique for detecting malicious activities. Based on the hypothesis that unusual conducts like system exploitation will trigger an abnormal network pattern, we try to detect this anomalous network traffic pattern as a sign of malicious, or at least suspicious activities. Capturing and analyzing of a network traffic pattern is implemented with a concept of port profiling, where measures representing various characteristics of connections are monitored and recorded for each port. Though the generation of the port profiles requires the minimum calculation and memory, they exhibit high stability and robustness. Each port profile retains the patterns of the corresponding connections precisely, even if the connections demonstrate multi-modal characteristics. By comparing the pattern exhibited by live traffic with the expected behavior recorded in the profile, intrusive activities like compromising backdoors or invoking trojan programs are successfully detected.

  • End-to-end delay distribution on the Internet

    JY Kato, A Shimizu, S Goto

    IEICE TRANSACTIONS ON INFORMATION AND SYSTEMS   E82D ( 4 ) 762 - 768  1999.04

    This paper proposes a new model which can approximate the delay time distribution in the Internet. It is well known that the delay time in communication links follows the exponential distribution. However, the earlier models cannot explain the distribution when a communication link is heavily overloaded. This paper proposes to use the M / M / S(m) model for the Internet. We have applied our model to the measurement results. This paper deals with one-way delay because it reflects the actual characteristics of communication links. Most measurement statistics in the Internet have been based on round-trip time delay between two end nodes. These characteristics are easily measured by sending sample packets from one node to the other. The receiver side echoes back the packets. However, the results are not always useful. A long distance communication link, such as a leased line, has two different fibers or wires for each direction: an incoming link, and an outgoing link. When the link is overloaded, the traffic in each link is quite different. The measurement of one-way delay is especially important for multimedia communications, because audio and video transmissions are essentially one-way traffic.

  • Domain survey for counting connected hosts in the Internet

    Izuru Sato, Shigeki Goto

    1999 Internet Workshop, IWS 1999   PP231-237   175 - 181  1999

    Many people want to know the number of Internet users. It is, however, impossible to count the users directly. Instead, we can count the number of hosts which are connected to the Internet. There have been two methods of counting connected hosts. The first method surveys the DNS (Domain Name System) database, and counts the unique names of computers appearing on it. A host name takes the form of www.waseda.ac.jp. This method gathers DNS records from remote sites, and looks into them. Another method also utilizes DNS records in a different manner. It starts counting hosts with the IP address. There is a DNS record in the database which gives a mapping from an IP address to a host name. The record is called a reverse pointer. The first method is well known and has been used in Japan by JPNIC. Recently, some sites refused to allow their DNS records to be transferred as a whole. They refused the transfer, because illegal intruders sometimes use DNS records to acquire information about their target. Since this security issue is serious, the zone transfer would be refused by many sites. To count the hosts in Japan, we should take the second approach. This paper addresses several issues on host counting and concludes that it is feasible to deploy the second method in Japan although some care should be taken.

  • Analysis of TCP flags in congested network

    Masaki Fukushima, Shigeki Goto

    1999 Internet Workshop, IWS 1999   PP207-212   151 - 156  1999

    This paper proposes a new simple method for network measurement. It extracts 6-bit control flags of TCP (Transmission Control Protocol) packets. The idea is based on the unique feature of flag ratios which is discovered by our rather exhaustive search for the new indexes of network traffic. By the use of flag ratios, one can tell if the network is really congested. It is much simpler than the conventional network monitoring by a network analyzer. The well-known monitoring method is based on the utilization parameter of a communication circuit which ranges from 0% to 100%. One cannot tell the line is congested even if the factor is 100%. 100% means full utilization and does not give any further information. To calculate the real performance of the network, one should estimate the throughput of effective speed of each user. The estimation needs much calculation. Our new method tries to correlate ratios of TCP control flags and network congestion. The result shows the usefulness of this new method. This paper analyses the reason why the flag ratios show the unique feature.

  • Network surveillance for detecting intrusions

    Makoto Iguchi, Shigeki Goto

    1999 Internet Workshop, IWS 1999   PP134-141   99 - 106  1999

    The paper proposes a network surveillance method for detecting malicious activities. Based on the hypothesis that unusual conducts like system exploitation will trigger an abnormal network traffic, we try to detect this anomalous traffic pattern as a sign of malicious, or at least suspicious activities. Capturing and analyzing of a network traffic pattern is implemented with an idea of port profiling, where measures representing various characteristics of connections are monitored and recorded for each port. Though the generation of the port profiles requires a small amount of calculation, they exhibit high stability and robustness. By comparing the pattern exhibited by live traffic with the expected behavior recorded in the profile, intrusive activities like compromising backdoors or invoking trojan programs are successfully detected.

  • A Method for Measuring Network Characteristics Using Multicast Communication

    1999 IEICE General Conference   Communications (2) SB-9-2 (PP660-661)  1999

  • Hit Ratio Evaluation of a WWW Cache with Infinite Cache Space

    1999 IEICE General Conference   Communications (2) SB-9-1 (PP658-659)  1999

  • Active measurement and analysis of delay time in the Internet

    Jun-Ya Kato, Atsuo Shimizu, Shigeki Goto

    Proceedings of the International Conference on Parallel Processing   1999-   254 - 259  1999

    This paper analyzes the delay time distribution in the Internet. We send sample packets with a time stamp to measure the delay time. It is well known that the delay time in communication links follows the exponential distribution. However, the earlier models cannot explain the distribution when a communication link is heavily overloaded. This paper proposes to use a new model for the Internet. We have applied our model to the measurement results successfully.

  • Measurement of Internet Traffic―Delay Time and Packet Arrivals in Congested Networks

    ITC-CSCC'99   pp.776-779  1999

  • A Method of Tracing Intruders by Use of Mobile Agents

    INET'99/Internet Society   abstract/p.71, full paper/in CD-ROM.  1999

  • History and Lessons of the Internet in Japan

    '99 Internet and Education Forum (1999/11/28)   pp.17-18  1999

  • Research Issues for the Next-Generation Internet

    Japan Society of Social Informatics (1999/7/9)   Social Information Theory Research Group  1999

  • APNG (Asia Pacific Networking Group)

    Internet White Paper '99 / Impress   1999 edition  1999

  • Performance Measurement in the Internet

    Net'98 Taiwan 網路新紀元   International Track, March 28  1998

  • Internet Status in Japan

    Net'98 Taiwan 網路新紀元   International Track, March 26  1998

  • The APAN and TRANSPAC initiative

    APNG Manila Meeting 98   Day 3 Program, February 19  1998

  • Discussing Japan's Strategy for Promoting Information Science and Technology

    Science and Technology Journal   7;11, PP10-15  1998

  • Toward Ultra-Wide-Area Distributed Computing in 2010

    Survey and Research Report on Supercompilers   PP265-274  1998

  • Information-gathering with mobile agents for intrusion detection system

    M Asaka, S Goto

    KNOWLEDGE-BASED SOFTWARE ENGINEERING   48   23 - 31  1998

    Many network intrusion detection systems detect intrusions by concentrating all logs of target systems in a server and having the server subsequently analyze these logs. At the Information-technology Promotion Agency (IPA), we have been developing an alternate type of network intrusion detection system called IDA (Intrusion Detection Agent system), which detects intrusions with mobile agents that act by gathering information related to intrusions from target systems on a network. The mobile agents autonomously trace the origin of the break-in without the intrusion-detection server's control, and also gather information from target systems. Consequently, network traffic between the target systems and the server is reduced. This paper describes how the mobile agents migrate from machine to machine within a network, and details how they trace intrusions and gather and exchange information efficiently.

  • Favoritism in AS Numbers measured at IMnet/Waseda U

    CCIRN Measurement WG Meeting   Chicago, August 22  1998

  • Discovery of Congestion

    CCIRN Measurement WG Meeting   Geneva, July 21  1998

  • Delay Time Distribution in the Internet

    CCIRN Measurement WG Meeting   Geneva, July 21  1998

  • High Performance Network, Overview and APAN

    KRNET'98 6th Computer Networking Conference   PP245-247  1998

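  • Relationship between Network Congestion State and TCP Flags

    Collected Lecture Abstracts, Group A05 Meeting, Grant-in-Aid for Scientific Research "Discovery Science"   PP58-68, PP237-240  1998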

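  • Research and Development on the Construction and Application of Privacy Technology for the Internet

    Proceedings of the 17th Technical Presentation Meeting / IPA   17, PP7-15  1998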

  • 新・社会楽

    Internet Magazine / Impress   April 1998 issue - March 1999 issue (serialized)  1998

  • APNG (Asia Pacific Networking Group)

    Internet White Paper / Internet Association of Japan / Impress   1998 edition; PP198  1998

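  • Implementation and Field Trial of a Privacy-Aware Audience Measurement System for the Internet

    Institute of Electronics and Communication Engineers SICS'97   SICS'97-27A  1997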

  • History Day & Developer's Day Keynote Address

    6th World Wide Web Conference (WWW6)   Friday, April 11, Morning Plenary Session  1997

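  • Research and Development on the Construction and Application of Privacy Technology for the Internet

    Proceedings of the 16th Technical Presentation Meeting / IPA   Vol 16, pp.115-123  1997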

  • APAN: Asia-Pacific Advanced Information Network

    NETWORLD+INTEROP 97   June 5, pp.191-202  1997

  • 新・社会楽

    Internet Magazine / Impress   April 1997 issue - March 1998 issue (serialized)  1997

  • ISOC (Internet Society)

    Internet White Paper / Internet Association of Japan / Impress   1997 edition; pp.158-159  1997

  • Would Internet meet global acceptance? From application perspective

    S Goto

    TWENTIETH ANNUAL INTERNATIONAL COMPUTER SOFTWARE & APPLICATIONS CONFERENCE (COMPSAC'96), PROCEEDINGS   20   222 - 222  1996

  • Research and Development on the Construction and Application of Privacy Technology for the Internet

    IPA 15th Technical Presentation Meeting   pp.19-27  1996

  • 新・社会楽

    Internet Magazine / Impress   April 1996 issue - March 1997 issue  1996

  • Examining Seven Concerns about the Internet

    DOORS / Asahi Shimbun   November 1996 issue  1996

  • 新・社会楽

    Internet Magazine / Impress   from April 1999

Awards

  • Telecommunications Advancement Foundation, Telecom System Technology Award

    2010  

  • IEICE Communications Society, Internet Architecture (IA) Research Award

    2010  

  • IEICE Paper Award (fiscal year Heisei 20)

    2009  

  • Info-Communications Month, Commendation by the Minister for Internal Affairs and Communications

    2003  

  • Fellow, Information Processing Society of Japan (IPSJ)

    2003  

  • Information Processing Society of Japan (IPSJ) Best Author Award

    1996  

Research Projects

  • Computer Network, especially the Internet

  • Computer Networks

Specific Research

  • A Method for Detecting Congested Segments in the Internet

    1996  

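     Background: At the time this research project began, communication between Waseda University and the outside was comfortably fast (200 to 300 milliseconds) late at night and on holidays, but the effective speed dropped during the daytime from Monday to Friday. The difference in effective speed reached as much as 50 to 60 times. Research results: We examined improvement measures based on the data obtained. As a result, going beyond the scope planned for this research project, we were able to migrate the external connection to a high-speed line. (1) At the start of fiscal 1996, Waseda University's connection to the outside used a 384 Kbps leased line. It became clear soon after measurement began that this leased-line section was the cause of the congestion. (2) A digital leased line uses separate optical fibers for "in" and "out". We found that congestion in this section was more serious in the "in" direction (from the outside into Waseda). (3) Although we were able to grasp this situation, this research project alone did not lead to a measure for improving it. However, it was decided to start, on short notice from July 29, a research project funded by the fiscal 1996 Special Coordination Funds for Promoting Science and Technology. Because that research budget made it possible to install a 1.5 Mbps leased line, the situation improved dramatically. (4) We continued measurement after the upgrade to 1.5 Mbps. As a result, we reconfirmed that it is meaningful to measure "in" and "out" separately. We also found that the effective speed varies with the time of day, and that much of the "in" traffic is Web (HTTP) use. Going forward, based on the knowledge obtained in fiscal 1996, we plan to carry the research further as a research project under the Special Coordination Funds for Promoting Science and Technology. As a Specific Research project, it ends this fiscal year. That we were able to develop the research in this way is thanks to the understanding and cooperation of everyone concerned. We would like to express our sincere gratitude.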

 

Committee Memberships

  • 1994
    -
    1997

    Internet Society  Trustee

  • 1993
    -
    1994

    Society for Software Science  Director