スタブリゾルバのDNSキャッシュの挙動から、あるドメインへのアクセス数を推定する手法が下田らによって提案されている。本研究ではこの手法を拡張して、User-Agent毎に特徴的なグラフが現れるか否かを検討した。その結果、多くの場合に従来の手法と同様の特徴が現れたが、一部のUser-Agentとドメインの組み合わせにおいて従来とは異なる特徴が現れた。

近年,スパムメールに添付されたマルウェア感染の被害が拡大している.マルウェア感染を目的としたメールは,一般的なスパムと比べて性質が異なると考えられる.本論文はマルウェア感染を目的としたスパムメールに着目し,その特徴を一般的なスパムメールとの比較を通して分析した.この分析の結果,マルウェア添付スパムメールは,一般的なスパムメールと異なるドメインやアドレス宛に送信される傾向があるなど,メールの送信活動に違いがあることがわかった.

IN2015-74

IA2015-63<br />
インターネットアーキテクチャ研究会 最優秀研究賞

IN2014-164

Implementing push-based e-mail service in pull-based Information-Centric Networking (ICN) encounters some difficulties and thus calls for a new mechanism. This paper presents a new e-mail system design in the ICN architecture, which builds all the applications on a receiver-driven communication model. In our proposed mechanism, an e-mail user is assigned a hierarchical account name which can be also treated as a name or name prefix in ICN. To fully utilize the built-in multicast data delivery capability in ICN, the new design realizes an efficient name-based pub/sub communication pattern on top of the standard ICN to remove the iterative procedure that an interested recipient has to send an Interest request every time when he or she requires a piece of e-mail information on some specific topic. The push-based multicast capability enhances the pull-based ICN architecture.

ネットワーク攻撃者は攻撃対象となるノードやサービスを調査するためにポートスキャンを行う.通常のスキャンは既存のIDSによって検知可能だが,スロースキャンは検知が難しい.ダークネットは未使用のIPアドレス帯を観測するものである.そこに届くパケットの多くは悪性な通信であり,その中でも特にスキャンパケットが多い,本研究は,ダークネットのトラヒックからスロースキャンと思われるパケットを抽出し,その特徴を分析することで,トラヒックの中からスロースキャンを検知する手法を提案する.

今後、モバイル環境において大容量動画像コンテンツを中心にトラヒックが爆発的に増大する,膨大なトラヒックを処理するために、ネットワークとしてCDN (Contents Delivery Network)を経てネットワークのクラウド化を目的としてSDN (Software Defined Network)により仮想化ネットワークの実現を図ってきた.一方で、従来のIPネットワークのIPアドレスに依存しないネットワークとしてICN (Information Centric Network)が発表され、IPネットワークに対する優位性の検討が進められている.本論文ではICNを用いた列車内のコンテンツ配信システムとしてICNを用いて実証試験を行った結果について報告する.本研究は総務省SCOPE「先進的アプリケーション」の委託事業の協力により実証された成果である.

Recent Content-Centric Networking (CCN) proposal has ignited widespread interest in the Information Centric Networking (ICN) area. This paper presents the design of a smart name-based routing protocol for CCN. This new proposal imposes a comparatively large adjustment onto the existing CCN architecture, while it still preserves the basic characteristics of CCN. It introduces a dynamic DNS-like element to CCN. Compared to the basic CCN scheme, it offers more efficient packet dissemination and has less overhead within the network. Besides, it is suitable for realizing and enhancing the mobility aspect in CCN. The results of our evaluations show the superiority of the proposal over the basic or standard CCN architecture.

大量のアクセスが特定のサーバに集中すると、レスポンスが低下したり、サーバが異常停止することがある。本論文はサーバの性能や台数を増強せずに、大量のアクセスが集中するコンテンツを多数のユーザに迅速に配信可能な方法を提案する。具体的には、アクセス集中時にWebブラウザ間通信を活用して、ユーザ同士でコンテンツの配布を行い、サーバの負荷を分散する。本論文では実際にアクセスが集中する環境を用いて提案手法を評価し、従来のサーバ・クライアントモデルによるユニキャスト通信と比較した。その結果、提案手法がサーバの負荷を軽減し、コンテンツのダウンロード時間を大幅に短縮できることを確認した。

Androidスマートフォンの急速な普及に伴い,Androidを対象とするマルウェアの脅威が拡大している。Androidマルウェアに感染すると,個人情報の搾取,有料サービスの不正使用,端末のボット化のような被害を受ける。急増するAndroidマルウェアへの従来の対策は十分ではない。本論文は新たなAndroidマルウェア検出手法を提案する。この方法は,Androidアプリケーションの中に必ず含まれるマニフェストファイルのみを分析対象とするのが特徴である。実データを用いた評価の結果,提案手法が、既存手法では検知できない未知のAndroidマルウェアを適切に検出できる事が示された。

2009年にGumblarが出現してから,Webページを閲覧しただけで感染するWeb感染型マルウェアの脅威が継続している.マルウェアに感染すると個人情報の漏洩やWebページの改ざんなどの問題が引き起こされる.本研究はHTTP通信を時間軸に沿って解析して,Web感染型マルウェアの自動的なダウンロードと,ユーザによる正常な実行ファイルの手動によるダウンロードを識別する.この識別を用いてWeb感染型マルウェアの検知が可能となる.提案手法はWebページの攻撃コードや実行ファイルの中身に依存しないため,既存の手法では検知が困難な,未知のWeb感染型マルウェアの検知に対して優位性がある.

本論文は,ネットワークの内部情報を活用してネットワークの消費電力を削減する方式を提案する.この方式では,ネットワーク端末が内部情報を収集するために1n-bandクロスレイヤ方式を採用し,アプリケーションに内部情報を提供する.端末側のアプリケーションは提供された情報に基づき消費電力の少ない通信経路を選択できるようになり消費電力削減が行える.ネットワークの内部情報の活用はトランスポート性能を向上させるために主に使われてきたが,我々は内部情報を活用して消費電力の削減を実現する手法を提案する.また,本論文では内部情報の取得を実現するAPIの実装方法と内部情報を活用した通信経路の切り替え法について議論する.

インターネットの資源管理は常に課題を抱えている.ここでは,IPv4アドレスの枯渇,IPアドレスの移転,IPv6におけるフォールバック,歴史的PIアドレス,ITUのregulation,都道府県名JPドメイン名,新しいccTLD(ドット日本)の話題を紹介する.

インターネットの資源管理は常に課題を抱えている.ここでは,IPv4アドレスの枯渇,IPアドレスの移転,IPv6におけるフォールバック,歴史的PIアドレス,ITUのregulation,都道府県名JPドメイン名,新しいccTLD(ドット日本)の話題を紹介する.

現在の映像配信方式の多くはクライアントサーバモデルを用いるために,サーバに負荷が集中する.集中を回避するためにP2Pを利用した配信方式が数多く研究されている.単純なP2Pプロトコルではピア同士の近接性を考慮することなくピアを選択するために遠距離のトラフィックが発生する.トラフィックの問題を解決するためには地理情報クラスタリングを用いるのが有効である.ただし地理情報に頼るだけではシーダが存在しないクラスタが生じる場合がある.本論文は従来の方法を改善するために,クラスタリング手法にソフトクラスタリングを導入する.提案手法を実証するためにPlanetLabを用いて検証する.

DNSを用いたサーバ負荷分散法を改善して省電力をはかる。具体的にはOpenFlowスイッチを用いてサーバ資源を集約する。サービスの要求に比べてサーバ資源が余剰なときには、余剰なサーバを待機状態にして消費電力を削減する。ここで、待機するサーバのDNSレコードを削除しても、レコードのキャッシュが残ることに留意する。キャッシュを参照する利用者は待機中のサーバへの接続要求を発生する。その要求をOpenFlowの機能で別のサーバに転送するのが本論文の特徴である。このようにして可用性を維持しつつ短時間でサーバを待機状態にすることができる。本論文では、従来と比べて消費電力を削減できることを実証する。

組織に配布されているが未使用のIPアドレスで構成されるネットワーク(ダークネット)では,異常な通信のみを観測できる.ダークネットには大量のIPアドレスが必要であるが,観測専用の未使用IPアドレス空間を大規模に確保することは難しい.未使用のIPアドレスやポート番号を動的に検出して仮想センサとして観測に用いるVirtual Dark IPアドレス(VDIP)やVirtual Dark Port (VDP)が提案されているが,仮想センサ空間の定量的な分析は十分に行われていない.本研究の目的は,IPアドレスとポート番号の使用状況における特徴を利用して仮想センサ空間を拡張することである.同時に,その空間の検出にかかる時間を短縮する.本研究では,/16のプレフィックスを持つネットワークを対象とした実験から以下のことを示す.VDIP検出アルゴリズムのパラメータを適切に設定することで,VDIP数をほとんど減らずに処理時間を半分以下にでき,VDIPの誤検出を十分に少なくでき,時間帯による使用IPアドレス変化を仮想センサ空間に反映できる.また,VDPによる仮想センサ空間は,このネットワーク空間の最大99.98%をカバーでき,VDIPによる仮想センサ空間を最大6.84ポイント拡張できる.

パケットが宛先ホストに到達するまでに通過するルータの数は高々30であると言われている.ところが現実に稼働しているネットワークで実測してみると,IPへッダのTime-To-Live (TTL)フィールドが各々のOSで定められているTTLの初期値から30以上減少しているパケットが観測される.このような一般的でないTTLの値を持つパケットは,特殊なソフトウェアで生成されたと考えられる.本研究ではTTLが大きく減少しているパケットを悪意のあるパケットであると考えた.本論文は,この仮説を複数の実験により実証する.結論としてはTTLの値のみを用いて悪意のあるパケットの識別が可能であることが分かる.

APAN(Asia-Pacific Advanced Network)は、米国政府機関NSF(National Science Foundation)主導による国際研究教育ネットワーク構築計画に呼応して、わが国が中核となりアジア各国を代表する研究教育ネットワーク(NREN,National R&E Network)を取りまとめ、1997年に東京で設立したコンソーシアムである。APANへの参加資格として、国(や経済)を代表することが要求されるので、わが国の研究教育ネットワークを管理する省庁等が参加し、日本APAN連絡協議会(APAN-JP)が設立された。本稿では、APANの位置付けと役割を明確にした上で、今後の政策的および技術的課題について私見を述べる。

本研究は2030年までのネットワークが消費する電力を検討することを目標とする.消費電力の低減を検討するためにネットワークの構成を見直して,現在のパケット交換方式だけでなく,消費電力削減効果が期待できる光回線交換方式やコンテンツ配信ネットワークも活用した将来のネットワークの構成を想定する.この構成の特徴はアクセス回線網,広域中継網,中核拠点網に階層化することである.本論文では,インターネット上で転送されるコンテンツの大きさによって通信方式を変化させる手法を活用して,提案する方式の消費電力を従来のパケット交換方式と比較する.この消費電力の算出にあたっては,通信方式による効果だけでなく通信量・利用者数の将来の伸び,技術進化による省電力化効果も算入している.従来のパケット交換方式に加えて光回線交換方式,コンテンツ配信ネットワーク(CDN)方式を組み合わせたネットワーク構成の消費電力を検討した結果,いずれの方式においても消費電力を削減可能であり,パケット交換方式と回線交換方式を併用すれば,従来のパケット交換方式と比較して,67.7%の省電力化が達成できることが分かった.

カーネルマルウェアは独自のネットワークドライバを実装し，カーネルモードの通信を行うことで監視ツールからの隠匿を試みる．これらのネットワークドライバは独自の実装であるため，TCPヘッダのパラメータを分析することでカーネルマルウェア発のトラヒックフローを検出することができる．本研究ではこの性質に基づき，カーネルマルウェアの可能性があるTCPフィンガープリントを整理した．そのフィンガープリントを複数の実運用ネットワークに適用し，フルカーネルマルウェアに感染した可能性が高いホストおよびその通信の特徴を分析する．Modern kernel malwares compose of their own network drivers and use them directly from kernel-mode to conceal their activities from anti-malware tools. Since these network drivers have specific characteristics, we can detect traffic flows originating from those drivers by analyzing some parameters recorded in TCP headers. On the basis of the above characteristics, we apply a fingerprinting technique to collect IP addresses of the hosts that are likely infected with kernel malwares. Using the method, we also aim to understand the characteristics of the hosts infected with kernel malware and their communications using network measurement data collected in several production networks.

APAN (Asia-Pacific Advanced Network)はアジア各国を代表する研究教育ネットワークが参加するコンソーシアムである.本稿ではまず研究教育ネットワークが満たすべき要件を述べ、これまでのネットワークの拡充は主として光通信技術の進歩の恩恵によることを説明する.次いで、これまでのAPANネットワーク運用者の果たした貢献を述べ、わが国はアジアのリーダ役を演じているけれども、アジア域内のネットワーク展開活動は必ずしも効率的ではないことを説明する.最後に、近い将来の光通信技術は従来ほど大きく進歩できないと考えられ、需要増に対処するため、研究教育ネットワーク関係者は国際通信回線予算の拡大に更に努力する必要のあることを述べる.

通信相手ごとに別のポート番号を割り当てるNAT (Symmetric NAT)をHole Punchingで越えるには,次に割り当てられるポート番号を予測する必要がある.従来の技法には,自分側のNATと相手側のNATの間でIPパケットが破棄されるようにTTLの値を調節する手法がある.しかし,経路上に複数のNATが存在すると,最適なTTLの値を予測することは難しい.本論文では,通信パスに関する情報をエンドノートに提供するフレームワーク(i-Path)を利用してルータがNATの情報を公開し,その情報を活用することで,Hole PunchingによるNAT越えの問題を解決できることを示す.

A Honeypot is a system that aims to detect and analyze malicious attacks attempted on a network in an interactive manner. Because the primary objective of a honeypot is to detect enemies without being known to them, it is important to hide its existence. However, as several studies have reported, exploiting the unique characteristics of hosts working on a consecutive IP addresses range easily reveals the existence of honeypots. In fact, there exist some anti-honeypot tools that intelligently probe IP address space to locate Internet security sensors including honeypots. In order to tackle this problem, we propose a system called DarkPots, that consists of a large number of virtualized honeypots using unused and nonconsecutive IP addresses in a production network. DarkPots enables us to deploy a large number of honeypots within an active IP space used for a production network
thus detection is difficult using existing probing techniques. In addition, by virtually classifying the unused IP addresses into several groups, DarkPots enables us to perform several monitoring schemes simultaneously. This function is meaningful because we can adopt more than one monitoring schemes and compare their results in an operating network. We design and implement a prototype of DarkPots and empirically evaluate its effectiveness and feasibility by concurrently performing three independent monitoring schemes in a high-speed campus network. The system successfully emulated 7,680 of virtualized honeypots on a backbone link that carries 500 Mbps - 1 Gbps of traffic without affecting legitimate traffic. Our key findings suggest: (1) active and interactive monitoring schemes provide more in-depth insights of malicious attacks, compared to passive monitoring approach in a quantitative way, and (2) randomly distributed allocation of IP addresses has an advantage over the concentrated allocation in that it can collect more information from malwares. These features are crucial in monitoring the security threats. © 2010 IEEE.

主としてトランスポート通信性能の向上を目指して、ネットワーク端末がインターネット内部の状態を把握する手法としてin-bandクロスレイヤ方式を利用した通信方式が提案されてきた。我々は、これらの通信方式でネットワーク内部情報の公開する際に問題となる開示ポリシの摺り合わせを実現する方式を示す。この方式は、通過ネットワークの運用者および端末側の開示ポリシの尊重を実現している。さらに、内部情報取得を実現するAPIの実装に関しても議論する。

インターネット上のワームやDDoSによる攻撃を最小限に抑えるためにネットワーク上の脅威を早期に検出して警告する各種のシステムが運用されている.本論文では,観測のためにパケット収集装置(物理センサ)を設置しなくても,中継ノード(ルータ)でデータを観測すれば効率的に脅威を検出できることを示す.この新しい方法を実現するためには,パケットやフロー等のトラヒック情報から未使用のIPアドレスを抽出して,それを仮想センサとみなして不正パケットの検出を行う.ただし,未使用のIPアドレスを抽出する方法は自明ではない.単純に片方向のトラヒックを脅威とみなすわけにはいかない.本論文では,未使用のIPアドレスを抽出する方法を提案する.この方法を実装して従来の物理センサを使用する方法と比較する.本論文の技法は,広域のバックボーンを構成するルータのフローデータに適用することができる.また1組織のネットワークのような局所的な観測にも適用できる.本論文の結果を用いることにより,バックボーンネットワークの管理者及び組織のネットワーク管理者が,少ないコストで効率的な脅威検出を行うことができるようになる.

2008年11月11日に実施されたホスティング会社McColo社の上位ISPによる遮断は,世界の至るところでスパム流量を半分あるいはそれ以上減少させるという画期的な効果をもたらした.2007年夏以降の世界的なスパム流量の爆発的増大を引き起こした主要因とされるスパムボット,Srizbiをはじめ,今日の主要なスパムボットのC&Cサーバが同社によってホスティングされていたことが明らかになっている.本研究では世界最大規模のスパムボットであるSrizbiの全体像把握,およびインターネットエッジサイトの視点からスパムボットC&Cを標的とした制御の有効性を定量化することを狙いとする.分析には2007年7月から2009年4月にかけて3箇所の異なるネットワークで計測された広範なデータを用いた.本研究の主要な貢献は次の通りである.(1)Srizbiの世界的な規模を確率的な方法によって推定した.(2)Srizbiボットネットから送信されたスパムの流量とそのインパクト,およびMcColo社遮断による効果をインターネットエッジサイトの視点から定量化した.(3)Srizbiの勃興と衰退,そしてMcColo社の遮断前後におけるバージョン遷移など,スパムボットの全体像把握に有用な発見を明らかにした.

With the increasing use of P2P (peer-to-peer) network technology in everyday services, the issue of privacy protection has gained considerable importance. This paper describes a method to realize an anonymity-conscious P2P data sharing network. The proposed network allows users to extract data possessed by other users who have similar profiles, thereby providing them with a collaborative filtering-based data recommendation. In the proposed P2P network protocol, bogus user profiles are distributed intentionally throughout the network to protect users' anonymity without harming the overall effectiveness of the data exchange. We conduct a series of simulations to prove that our proposed method protects the profile's privacy and performs efficient data exchange. © 2009 - IOS Press.

Significant throughput degradation of multihop path communication in wireless mesh network is one of the major problems in wireless communication. The main reason for the lack of bandwidth is channel interference, which is caused by contention for the shared channel between wireless nodes. The natural approach to overcome this problem is exploiting the availability of multiple channels multiple interfaces (MCMI) networks. However, it is costly and may not be practical to dedicate one interface per channel for every node. Thus in this paper, we study the MCMI network, where the number of interfaces that every node has is less than the number of available channels. Simple and distributed channel scheduling algorithms for communication in multiple channels multiple interfaces networks are discussed. The objective of the proposed algorithms is to minimize the channel interference that causes the throughput degradation in multihop networks. The proposed algorithms are evaluated with extensive simulations. The simulation results show that the proposed algorithms well exploited the availability of multiple channels multiple interfaces to overcome the throughput degradation problem.

With the rapid increase of link speed in recent years, packet sampling has become a very attractive and scalable means in collecting flow statistics; however, it also makes inferring original flow characteristics much more difficult. In this paper, we develop techniques and schemes to identify flows with a very large number of packets (also known as heavy-hitter flows) from sampled flow statistics. Our approach follows a two-stage strategy: We first parametrically estimate the original flow length distribution from sampled flows. We then identify heavy-hitter flows with Bayes' theorem, where the flow length distribution estimated at the first stage is used as an a priori distribution. Our approach is validated and evaluated with publicly available packet traces. We show that our approach provides a very flexible framework in striking an appropriate balance between false positives and false negatives when sampling frequency is given.

This paper proposes a new method for realizing the web page recommendation system by sharing users' web browse history on an anonymous P2P network. Our scheme creates a user profile, a summary of the user's web browse trends, by analyzing the contents of the web pages browsed. The scheme then provides a P2P network to exchange web browse histories so as to create mutual web page recommendations. The novelty of our method lies in its P2P network formulation; it is formulated in a way so that users having similar user profiles are automatically connected, yet their user profiles are protected from being disclosed to other users. The proposed method intentionally distributes bogus user profiles on the P2P network, while not harming the efficiency of the web browse history sharing process.

This paper explores a method to realize an anonymity-conscious P2P data sharing network. The proposed network lets users extract other users' data that match the users' profiles, thereby providing them a collaborative filtering-based data recommendation. Our proposal realizes such a recommendation scheme without forcing the users to disclose their profiles. Our method intentionally fills the network with "white lies," whereby bogus user profiles are distributed throughout the network to protect users' anonymity without harming the overall effectiveness of the data exchange.

This paper proposes a new method of estimating real-time traffic matrices that only incurs small errors in estimation. A traffic matrix represents flows of traffic in a network. It is an essential tool for capacity planning and traffic engineering. However, the high costs involved in measurement make it difficult to assemble an accurate traffic matrix. It is therefore important to estimate a traffic matrix using limited information that only incurs small errors. Existing approaches have used IP-related information to reduce the estimation errors and computational complexity. In contrast, our method, called spike flow measurement (SFM) reduces errors and complexity by focusing on spikes. A spike is transient excessive usage of a communications link. Spikes are easily monitored through an SNMP framework. This reduces the measurement costs compared to that of other approaches. SFM identifies spike flows from traffic byte counts by detecting pairs of incoming and outgoing spikes in a network. A matrix is then constructed from collected spike flows as an approximation of the real traffic matrix. Our experimental evaluation reveals that the average error in estimation is 28%, which is sufficiently small for the method to be applied to a wide range of network nodes, including Ethernet switches and IP routers.

比較的流量の多いインターネット回線では,極めて多数のパケットから構成される少数のフロー(エレファントフロー)が全体のトラフィック流量の大部分を占める現象が観測される.エレファントフローを特定し,それを制御対象とすることにより,効率的かつ効果的なトラフィック制御を実現できる.一方,近年のネットワーク回線の高速化にともない,スケーラブルなネットワーク計測・管理技術としてパケットサンプリングが注目されている.本研究は,特にエレファントフローに着目し,サンプルしたパケットからエレファントフローを特定する手法を提案する。また,提案手法を実データを用いて評価した結果を示す.

This paper proposes an improved mechanism for keeping stable connections between mobile nodes and corresponding nodes in the mobile IPv6 protocol. The mobile IPv6 protocol enables mobile nodes to keep the reachability while they are moving freely in the Internet. Our new method has multiple home links instead of one single home link in the current specification of the mobile IPv6 protocol.
The new method is based on our earlier idea of having multiple home agents. Multiple home agents can provide backups when a home agent is not working properly. However. all the home agents should reside on one single network segment according to the current specification of the mobile IPv6. This paper further extends our earlier idea of multiple home agents, and proposes multiple home links.
We have more stable connections by using multiple home links. This paper also shows a working example which illustrates the merit of multiple home links.

In the current mobile IP standard, the home agent (HA) of a mobile node (MN) is located in the home link. If a mobile node (MN) is moved away from the home link, it takes time for MN to make a registration and binding update at the home agent (HA). It also generates extra traffic in the Internet because the Binding Update should be refreshed after the lifetime expires.
This paper proposes a new method for distributing multiple home agents (HAs) geographically. By applying this method, a mobile node (MN) can find a home agent (HA) which is nearest to it. It facilitates fast registration and short latency time. It also reduces the traffic of transaction. This technique is simple to apply. However, it is very effective. We demonstrate the capability of this method through working experiments.

Analysing and modeling of traffic play a vital role in designing and controlling of networks effectively. To construct a practical traffic model that can be used for various networks, it is necessary to characterize aggregated traffic and user traffic, This paper investigates these characteristics and their relationship. Our analyses are based on a huge number of packet traces from five different networks on the Internet. We found that: (1) marginal distributions of aggregated traffic fluctuations follow positively skewed (non-Gaussian) distributions, which leads to the existence of "spikes", where spikes correspond to an extremely large value of momentary throughput, (2) the amount of user traffic in a unit of time has a wide range of variability, and (3) flows within spikes are more likely to be "elephant flows", where an elephant flow is an IP flow with a high volume of traffic. These findings are useful in constructing a practical and realistic Internet traffic model.

The auction is a popular way of trading. Despite of the popularity of the auction, only a small number of papers have addressed the protocol which realize the double auction. In this paper, we propose a new method of double auction which improves the algorithm of the existing double auction protocol. Our new method is based on the idea of number comparison which is realized by homomorphic encryption. The new method solves the problem of the privacy of losing bids found in the existing algorithm. The buyers and the sellers can embed a random number in their bidding information by the use of the homomorphic encryption. The players in an auction cannot get anyone else's bidding information. The new method is more efficient than the existing ones. Our new method satisfies the criteria for the auction protocol.

In the Internet, flow analysis and network monitoring have been studied by various methods. Some methods try to make TCP (Transport Control Protocol) traces more readable by showing them graphically. Others such as MRTG, NetScope, and NetFlow read the traffic counters of the routers and record the data for traffic engineering. Even if all of the above methods are useful, they are made only to perform a single task. This paper describes an improved TCP Protocol Machine, a multipurpose tool that can be used for flow analysis, intrusion detection and link congestion monitoring. It is developed based on a finite state machine (automaton). The machine separates the flows into two main groups. If a flow can be mapped to a set of input symbols of the automaton, it is valid, otherwise it is invalid. It can be observed that intruders' attacks are easily detected by the use of the protocol machine. Also link congestion can be monitored, by measuring the percentage of valid flows to the total number of flows. We demonstrate the capability of this tool through measurement and working examples.

本論文はDiffServを用いた通信回線の帯域の新しい測定方法を提案する. 従来から知られている代表的な帯域測定方法にPacket Pair方式 Packet Train方式がある.ただし従来の方法は ルータがパケットをFCFS (First Come First Serve)で扱うことを前提としている. 従来の方式ではボトルネックとなるリンクの物理的な帯域と実効帯域を測定するのに留まっている. その一方で DiffServ環境には最低保証された帯域がある. 本論文は DiffServにおいて最低保証される帯域を測定可能とするように 帯域測定方法を改良した. さらに提案する帯域測定方法の評価を行った.This paper proposes a new method for estimating the bandwidth of DiffServ networks. There have been two popular ways of bandwidth estimation. One is the packet pair method and the other is the packet train method. Their main objectives are to estimate the capacity of a path bandwidth, and throughput (i.e., effective bandwidth) which is determined by the bottleneck link along a path. These tools assume that a router handles packets based on the FCFS (First Come, First Serve) principle. On the other hand, they cannot measure the guaranteed bandwidth of DiffServ networks. Our new method can estimate the guaranteed bandwidth. This paper also shows working examples which evaluates the new method.

There have been two well-known models for intrusion detection. They are called Anomaly Intrusion Detection (AID) model and Misuse Intrusion Detection (MID) model. The former model analyzes user behavior and the statistics of a process in normal situation, and it checks whether the system is being used in a different manner. The latter model maintains database of known intrusion technique and detects intrusion by comparing a behavior against the database. An intrusion detection method based on an AID model can detect a new intrusion method. however it needs to update. the data describing users behavior and the statistics in normal usage, We call these information profiles, There are several problems in AID to be addressed. The profiles are tend to be large. Detecting intrusion needs a large amount of system resource, like CPU time and memory and disk space. An AND model requires less amount of system resource to detect intrusion. However it cannot detect new. unknown intrusion methods. Our method solves these problems by recording system calls from daemon processes and setuid programs. We improved detection accuracy by adopting a DP matching scheme.

In order to detect intrusions, IDA (Intrusion Detection Agent system) initially monitors system, logs ill order to discover all MLSI - which is all certain event Which ill many cases occurs during an intrusion. If all,MLSI is found. then IDA Judges whether the MLSI is accompanied by all intrusion. We adopt discriminant analysis to analyze information after IDA detects,in MLSI in a remote attack. Discriminant analysis provides a classification function that allows IDA to,separate intrusive activities from non-intrusive activities. Using discriminant analysis. we call detect intrusions by analyzing only a part of system calls occurring Oil, a host machine. and we can determine whether all unknown sample is all intrusion. In this paper, we explain in detail how we perform discriminant analysis to detect intrusions, and evaluate the classification function. We also describe how to extract a sample from system logs, which is necessary to implement the discriminant analysis function in IDA.

現在開発中の侵入検出システムIDAは, 痕(こん)跡の発生をモニタし, 痕跡に関連した情報を解析することにより侵入を検出する.ここに痕跡とは, 侵入行為そのものではなく, 多くの侵入行為に付随して発生するイベントである.本論文はIDAにリモートアタック検出機能を新たに付加する方法を考察する.筆者らは, 従来の検出方法とは異なる新しい侵入検出法を考案した.この方法では, 痕跡を検出した後に, 多変量解析の一手法である判別分析を用いて情報を解析する.判別分析を用いると, 測定した対象を分類する関数が得られる.筆者らは, システムコールの発生状況を判別分析して, 通常行為と侵入行為とを分離した.このような判別分析によって得られる分類関数を用いると, 既知の侵入だけでなく未知のリモートアタックも検出できる可能性がある.本論文では, このような判別分析による侵入検出手法の詳細及び評価について述べる.また, 判別分析を用いた侵入検出手法を実装するときに, システムログからサンプルを切り出す方法についても考察する.

The number of computer break-ins from the outside of an organization has increased with the rapid growth of the Internet. Since many intruders from the outside of an organization employ stepping stones, it is difficult to trace back where the real origin of the attack is. Sonic research projects have proposed tracing methods for DoS attacks and detecting method of stepping stories. It is still difficult to locate the origin of an attack that uses stepping stones. We have developed IDA (Intrusion Detection Agent system). which has an intrusion tracing mechanism in a LAN environment. In this paper, we improve the tracing mechanism so that it can trace back stepping stories attack in the Internet. In our method, the information about tracing stepping stone is collected from hosts in a LAN effectively, and the information is made available at the public information server. A pursuer of stepping stone attack can trace back the intrusion based on the information available at the public information server on an intrusion route.

This paper proposes a new query type in Domain Name System (DNS) called IDNQUERY. It is used to cover internationalized domain names (IDNs) encoded in non-ASCII characters like Unicode (UTF-8). IDNQUERY provides IDNs based on binary string. The IDN-allows a user to specify multi-Lingual domain names in Japanese Chinese and Korean. The IDN is a proper extension of the current DNS. Earlier implementations of DNS and applications provide domain names encoded in 7-bit ASCII only. These old systems and applications are designed on a text base. DNS can be acomplete 8-bit clean protocol. There are good reasons to use domain names in 8-bit encoding. Older systems and applications are still working and they do not work properly when they receive an IDN in 8-bit encoding. Several proposals to realize IDNs in UTF-8 have been discussed at IDN WG in IETF (Internet Engineering Task Force). However none of them can be used with the older systemsand applications because they have trouble with IDNs in 8-bit encoding. Older DNS and applications can return an error message when they receive a query including an IDN in 8-bit encoding by reading the OPCODE in HEADER of IDNQUERY. This paper proposes the IDNQUERY which can cover both text based IDNs including ACE and binary sting based IDNs such as UTF-8 in the current existing DNS environment. The solution in this paper lets bunary string based domain names coexist with existiong DNS.

This paper describes an application of an AI-based multiagent system to the management and diagnosis of TCP/IP-based intranet/intra-AS (autonomous system) computer networks. A copy of this system is attached to each network segment and is made responsible for that segment. It captures packets in the promiscuous mode and analyzes their data in real time. Based on this analysis, the data needed to manage the local network are obtained, any changes in the local network or network components are recognized, and problems are detected. When a problem is reported by a user or detected by the system, the problem is diagnosed cooperatively or autonomously depending on its type. The activities of the agents are coordinated based on the concepts of coordination levels and functional organizations. An example of cooperative diagnosis clarifies why this multiagent approach is essential for network management. (C) 2001 Elsevier Science B.V. All rights reserved.

This paper proposes a new method of realizing internationalized domain names (iDN) and has been discussed at IETF (Internet Engineering Task Force). iDN allows a user to specify multi-lingual domain names, such as Japanese, Chinese, and Korean. iDN is a proper extension of the current domain name system. We have already developed an iDN implementation, named Global Domain Name System (GDNS). GDNS extends the usage of alias records, and gives reverse mapping information for multi-lingual domain names. This paper presents yet another method which introduces new Resource Record (RR) types to cover multi-lingual domain names. We have two new RR (Resource Record) types. The first new record is INAME and the other is IPTR. These two RR types can cover multi-lingual domain names. This paper also discusses the efficiency of DNS. Since DNS is a distributed database system, the performance depends on the method of retrieving data. This paper suggests a new retrieving method that can improve the performance of DNS remarkably.

Many methods have been proposed to detect intrusions; for example, the pattern matching method on known intrusion patterns and the statistical approach to detecting deviation from normal activities. We investigated a new method for detecting intrusions based on the number of system calls during a user's network activity on a host machine. This method attempts to separate intrusions from normal activities by using discriminant analysis, a kind of multivariate analysis. We can detect intrusions by analyzing only 11 system calls occurring on a host machine by discriminant analysis with the Mahalanobis' distance, and can also tell whether an unknown sample is an intrusion. Our approach is a lightweight intrusion detection method, given that it requires only 11 system calls for analysis. Moreover, our approach does not require user profiles or a user activity database in order to detect intrusions. This paper explains our new method for the separation of intrusions and normal behavior by discriminant analysis, and describes the classification method by which to identify an unknown behavior.

This paper proposes a new simple method for network measurement. It extracts 6-bit control flags of TCP (Transmission Control Protocol) packets. The idea is based on the unique feature of flag ratios which is discovered by our exhaustive search for the new indexes of network traffic. By the use of flag ratios, one can tell if the network is really congested. It is much simpler than the conventional network monitoring by a network analyzer. The well-known monitoring method is based on the utilization parameter of a communication circuit which ranges from 0% to 100%. One cannot tell the line is congested even if the factor is 100%. 100% means full utilization and does not give any further information. To calculate the real performance of the network. one should estimate the throughput or effective speed of each user. The estimation needs much calculation. Our new method tries to correlate ratios of TCP control flags and network congestion. The result shows the usefulness of this new method. This paper analyzes the reason why the flag ratios show the unique feature.

At the Information-technology Promotion Agency (IPA), we have been developing a network intrusion detection system called IDA (Intrusion Detection Agent system). IDA system has two distinctive features that most conventional intrusion detection systems lack. First, it has a mechanism for tracing the origin of a break-in by means of mobile agents. Second, it has a new and efficient method of detecting intrusions: rather than continuously monitoring the user's activities, it watches for an event that meets the criteria of an MLSI (Mark Left by Suspected Intruders) and may relate to an intrusion. By this method, IDA described herein can reduce the processing overhead of systems and networks. At present. IDA can detect local attacks that are initiated against a machine to which the attacker already has access and he or she attempts to exceed his or her authority. This paper mainly describes how IDA detects local attacks and traces intrusions.

APANはvBNSのアジア・大平洋地域への延長でもあることから、ATMを根幹のネットワーク技術としたHigh Performance Networkとして運用され、米国インディアナ大学と中心としたTransPACとともに、先端的ネットワーク実験をおこなっている。この実験の中ではネットワーク上を流れるトラフィックモニタ技術は一つの重要な要素技術とみなされいる。ネットワーク・トラフィック・モニタ・ツールとして光ファイバをマジックミラーによって分光してキャプチャするoc3monを導入した。一方、APANにおいては、IPv6の研究開発運用が活発で、ATM技術を用いることでIPv6を転送できることからnative IPv6による運用が行なわれている。このため、native IPv6に関してのモニタ技術が必要となってきている。本報告では、oc3monにより生成されたCRLフォーマットにおいてLLC/SNAP部を解析することにより、トラフィックがIPv6による物であることを決定することについて述べる。

This paper presents a network surveillance technique for detecting malicious activities. Based on the hypothesis that unusual conducts like system exploitation will trigger an abnormal network pattern, we try to detect this anomalous network traffic pattern as a sign of malicious, or at least suspicious activities. Capturing and analyzing of a network traffic pattern is implemented with a concept of port profiling, where measures representing various characteristics of connections are monitored and recorded for each port. Though the generation of the port profiles requires the minimum calculation and memory, they exhibit high stability and robustness. Each port profile retains the patterns of the corresponding connections precisely, even if the connections demonstrate multi-modal characteristics. By comparing the pattern exhibited by live traffic with the expected behavior recorded in the profile, intrusive activities like compromising backdoors or invoking trojan programs are successfully detected.

This paper proposes a new model which can approximate the delay time distribution in the Internet. It is well known that the delay time in communication links follows the exponential distribution. However, the earlier models cannot explain the distribution when a communication link is heavily overloaded. This paper proposes to use the M / M / S(m) model for the Internet. We have applied our model to the measurement results. This paper deals with one-way delay because it reflects the actual characteristics of communication links. Most measurement statistics in the Internet have been based on round-trip time delay between two end nodes. These characteristics are easily measured by sending sample packets from one node to the other. The receiver side echoes back the packets. However, the results are not always useful. A long distance communication link, such as a leased line, has two different fibers or wires for each direction: an incoming link, and an outgoing link. When the link is overloaded, the traffic in each link is quite different. The measurement of one-way delay is especially important for multimedia communications, because audio and video transmissions are essentially one-way traffic.

Many people want to know the number of Internet users. It is, however, impossible to count the users directly. Instead, we can count the number of hosts which are connected to the Internet. There have been two methods of counting connected hosts. The first method surveys the DNS (Domain Name System) database, and counts the unique names of computers appearing on it. A host name takes the form of www.waseda.ac.jp. This method gathers DNS records from remote sites, and looks into them. Another method also utilizes DNS records in a different manner. It starts counting hosts with the IP address. There is a DNS record in the database which gives a mapping from an IP address to a host name. The record is called a reverse pointer. The first method is well known and has been used in Japan by JPNIC. Recently, some sites refused to allow their DNS records to be transferred as a whole. They refused the transfer, because illegal intruders sometimes use DNS records to acquire information about their target. Since this security issue is serious, the zone transfer would be refused by many sites. To count the hosts in Japan, we should take the second approach. This paper addresses several issues on host counting and concludes that it is feasible to deploy the second method in Japan although some care should be taken.

This paper proposes a new simple method for network measurement. It extracts 6-bit control flags of TCP (Transmission Control Protocol) packets. The idea is based on the unique feature of flag ratios which is discovered by our rather exhaustive search for the new indexes of network traffic. By the use of flag ratios, one can tell if the network is really congested. It is much simpler than the conventional network monitoring by a network analyzer. The well-known monitoring method is based on the utilization parameter of a communication circuit which ranges from 0% to 100%. One cannot tell the line is congested even if the factor is 100%. 100% means full utilization and does not give any further information. To calculate the real performance of the network, one should estimate the throughput of effective speed of each user. The estimation needs much calculation. Our new method tries to correlate ratios of TCP control flags and network congestion. The result shows the usefulness of this new method. This paper analyses the reason why the flag ratios show the unique feature.

The paper proposes a network surveillance method for detecting malicious activities. Based on the hypothesis that unusual conducts like system exploitation will trigger an abnormal network traffic, we try to detect this anomalous traffic pattern as a sign of malicious, or at least suspicious activities. Capturing and analyzing of a network traffic pattern is implemented with an idea of port profiling, where measures representing various characteristics of connections are monitored and recorded for each port. Though the generation of the port profiles requires a small amount of calculation, they exhibit high stability and robustness. By comparing the pattern exhibited by live traffic with the expected behavior recorded in the profile, intrusive activities like compromising backdoors or invoking trojan programs are successfully detected.

This paper analyzes the delay time distribution in the Internet. We send sample packets with a time stamp to measure the delay time. It is well known that the delay time in communication links follows the exponential distribution. However, the earlier models cannot explain the distribution when a communication link is heavily overloaded. This paper proposes to use a new model for the Internet. We have applied our model to the measurement results successfully.

Many network intrusion detection systems detect intrusions by concentrating all logs of target systems in a server and having the server subsequently analyze these logs. At the Information-technology Promotion Agency (IPA), we have been developing an alternate type of network intrusion detection system called IDA (Intrusion Detection Agent system), which detects intrusions with mobile agents that act by gathering information related to intrusions from target systems on a network. The mobile agents autonomously trace the origin of the bleak-in without the intrusion-detection server's control, and also gather information from target systems. Consequently, network traffic between the target systems and the server is reduced. This paper describes how the mobile agents migrate from machine to machine within a network, and details how they trace intrusions and gather and exchange information efficiently.

コンピュータネットワークはハード的な帯域が増加すれば単純に高速化されると考えられがちであるが,遅延時間というあまり注目されていない本質的な問題があることを指摘する.

This paper applies equilibrium analysis in micro-economics to analyze a stable structure in a model of human society. The structure is observed in the study of the distribution of information.It has a three-layered hierarchy and three layers are called brains, gatekeepers and end users. The three-layer structure is widely observed in a variety of research fields. For example, in computer networks, core gateways correspond to brains, stub gateways behave like gatekeepers, and local networks are just end users. The three-layer model is considered to be an essential extension of the popular "client and server" concept in computer science. This paper calculates the supply and the demand curves in micro-economics to show how the equilibrium is established. The law of diminishing utility is utilized to represent the distribution of information or knowledge. The calculations are straightforward if the dependence of the end users on the other layers is taken into account. The results can explain many properties of the three-layer model.

本論文の目的は二つある.まずFormal LISPという新しい表現形式でプログラムの実行結果のトレースを表すことを提案する.ここにFormalとは形式的あるいは論理的(logical)という意味である.この名前が示すようにFormal LISPで表現されたトレースは論理式の証明図のように読むことが出来る. 最も重要な点は,この新しいトレースの性質を応用して,二つのプログラムの同値性の証明が可能になることである.この証明は論理式の証明図におけるnormalization定理を準用して行う.またnormalなトレースは,論理式の証明図の場合と同様に,分解,基本操作,合成の三つのパートに分かれる.これはトレースが一種の標準形を持つことを意味する. 二番目の目的は,数学的帰納法を陰に利用したプログラムの拡張法を示すことである.この方法では,小さなプログラムに対する二つのトレースをずらして重ね合わせることにより,一回り大きなプログラムに対するトレースを得る.この拡張法は対象となるプログラムが一様である(uniform)という性質を満たす場合に利用可能である.一様なプログラムのクラスの中には,BoyerとMooreが示したような数学的帰納法を使うプログラムの例題が含まれている.