Jungsuk SONG Hiroki TAKAKURA Yasuo OKABE Daisuke INOUE Masashi ETO Koji NAKAO
Intrusion Detection Systems (IDS) have received considerable attention among network security researchers as one of the most promising countermeasures to defend our crucial computer systems and networks against attackers on the Internet. Over the past few years, many machine learning techniques have been applied to IDSs so as to improve their performance and to construct them with low cost and effort. In particular, unsupervised anomaly detection techniques have a significant advantage in their capability to identify unforeseen attacks, i.e., 0-day attacks, and to build intrusion detection models in an automated manner without any labeled (i.e., pre-classified) training data. In this paper, we conduct a set of experiments to evaluate and analyze the performance of the major unsupervised anomaly detection techniques using real traffic data obtained from our honeypots deployed inside and outside the campus network of Kyoto University, and using various evaluation criteria, i.e., performance evaluation by similarity measurements and the size of training data, overall performance, detection ability for unknown attacks, and time complexity. Our experimental results give some practical and useful guidelines to IDS researchers and operators, so that they can acquire insight into applying these techniques to the area of intrusion detection and devise more effective intrusion detection models.
Daisuke INOUE Katsunari YOSHIOKA Masashi ETO Yuji HOSHIZAWA Koji NAKAO
Malware has been recognized as one of the major security threats on the Internet. Previous research has mainly focused on malware's internal activity in a system. However, it is crucial that malware analysis also extract the malware's external activity toward the network in order to correlate it with a security incident. We propose a novel way to analyze malware: focus closely on the malware's external (i.e., network) activity. A malware sample is executed on a sandbox that consists of a real machine as the victim and a virtual Internet environment. Since this sandbox environment is totally isolated from the real Internet, the execution of the sample causes no further unwanted propagation. The sandbox is configurable so as to extract specific activity of malware, such as scan behaviors. We implement a fully automated malware analysis system with the sandbox, which enables us to carry out large-scale malware analysis. We present concrete analysis results that are gained by using the proposed system.
In this paper, we introduce a new notion of conditional converge cast (CCC), by adding the conditional property to converge cast. A CCC protocol with predicate Q is a three-party protocol which involves two senders S0 and S1 and a receiver R. S0 owns a secret x and a message m0, and S1 likewise owns a secret y and a message m1. In the protocol, S0 and S1 send their messages to R in a masked form. R obtains a message depending on the value of Q(x,y), i.e., R obtains m0 if Q(x,y)=0, or m1 otherwise. The secrets, x and y, are not revealed to R or to the other sender, and Q(x,y) is not revealed to S0 and S1. In addition to the formulation, we propose a concrete scheme for conditional converge cast with the "equality" predicate.
Chansu HAN Jumpei SHIMAMURA Takeshi TAKAHASHI Daisuke INOUE Jun'ichi TAKEUCHI Koji NAKAO
With the rapid evolution and increase of cyberthreats in recent years, it is necessary to detect and understand them promptly and precisely to reduce their impact. A darknet, which is an unused IP address space, has a high signal-to-noise ratio, so it is easier to understand the global tendency of malicious traffic in cyberspace than with other observation networks. In this paper, we aim to capture global cyberthreats in real time. Since multiple hosts infected with similar malware tend to perform similar behavior, we propose a system that estimates the degree of synchronization among the source hosts observed in a unit time window of the darknet from the patterns of their packet transmission times, and detects anomalies in real time. In our evaluation, we run our proof-of-concept implementation of the proposed engine to demonstrate its feasibility and effectiveness, and we detect cyberthreats with an accuracy of 97.14%. This work is the first practical trial that detects cyberthreats from in-the-wild darknet traffic in real time regardless of new types and variants, and it quantitatively evaluates the result.
Kosuke MURAKAMI Takahiro KASAMA Daisuke INOUE
Since the outbreak of the IoT malware “Mirai,” several incidents have occurred in which IoT devices have been infected with malware. The malware targets IoT devices whose Telnet and SSH services are accessible from the Internet and whose ID/Password settings are not strong enough. Several IoT malware families, including Mirai, are also known to restrict access to Telnet and other services after infection to keep the devices from being infected by other malware. However, according to network scan results, tens of thousands of devices in Japan can still be accessed via Telnet over the Internet. Does this imply that these devices can avoid malware infection by setting strong enough passwords, and thus cannot be used as a stepping stone for cyber attacks? In February 2019, we initiated the National Operation Toward IoT Clean Environment (NOTICE) project in Japan to investigate IoT devices with weak credentials and notify the device users. In this study, we analyze the results of the NOTICE project from February 2021 to May 2021 and the results of large-scale darknet monitoring to reveal whether IoT devices with weak credentials are infected with malware or not. Moreover, we analyze the IoT devices with weak credentials to find out the factors that prevent these devices from being infected with malware and to assess the risk of their abuse for cyber attacks. From the results of the analysis, it is discovered that approximately 2,000 devices can be easily logged in to using weak credentials in one month in Japan. We also clarify that, with the exception of a single host, none of the devices are infected with Mirai or its variants, because they lack the functions used for malware infection. Finally, even though the devices logged in to by the NOTICE project are not infected with Mirai, we find that at least 80% of them can execute arbitrary scripts and at least 93% can send packets to arbitrary destinations.
Ayako A. HASEGAWA Mitsuaki AKIYAMA Naomi YAMASHITA Daisuke INOUE Tatsuya MORI
Although security and privacy technologies are incorporated into every device and service, the complexity of these concepts confuses non-expert users. Prior research has shown that non-expert users ask strangers for advice about digital media use online. In this study, to clarify the security and privacy concerns of non-expert users in their daily lives, we investigated security- and privacy-related question posts on a Question-and-Answer (Q&A) site for non-expert users. We conducted a thematic analysis of 445 question posts. We identified seven themes among the questions and found that users asked about cyberattacks the most, followed by authentication and security software. We also found that there was a strong demand for answers, especially for questions related to privacy abuse and account/device management. Our findings provide key insights into what non-experts are struggling with when it comes to privacy and security and will help service providers and researchers make improvements to address these concerns.
Koji NAKAO Daisuke INOUE Masashi ETO Katsunari YOSHIOKA
Considering the rapid increase in highly organized and sophisticated malware, practical countermeasures against malware, especially malware related to zero-day attacks, should be developed effectively and urgently. Several research activities have already been carried out focusing on statistical analysis of network events by means of global network sensors (the so-called macroscopic approach) as well as on direct malware analysis such as code analysis (the so-called microscopic approach). However, in the current research activities, it is not clear at all how to correlate network behaviors obtained from the macroscopic approach with malware behaviors obtained from the microscopic approach. In this paper, on one side, network behaviors observed from a darknet are analyzed in detail to produce scan profiles, and on the other side, malware behaviors obtained from honeypots are analyzed so as to produce a set of profiles containing malware characteristics. The inter-relationship between these two types of profiles is then discussed and studied so that frequently observed malware behaviors can be identified in view of the scan-malware chain.
Daisuke INOUE Atsushi MIURA Tsuyoshi NOMURA Hisayoshi FUJIKAWA Kazuo SATO Naoki IKEDA Daiju TSUYA Yoshimasa SUGIMOTO Yasuo KOIDE
The optical properties of arrays of nanoholes and nanoslits in Al films were investigated both numerically and experimentally. The choice of Al was based on its low cost and ease of processing, in addition to the fact that it has a higher plasma frequency than gold or silver, leading to lower optical losses at wavelengths of 400 to 500 nm.
Daisuke INOUE Kyogo OTA Mamoru SAWAHASHI Satoshi NAGATA
This paper presents the physical-layer cell identity (PCID) detection probability using the narrowband primary synchronization signal (NPSS) and narrowband secondary synchronization signal (NSSS) based on the narrowband Internet-of-Things (NB-IoT) radio interface, considering frequency offset and the maximum Doppler frequency in the 28-GHz band. Simulation results show that the autocorrelation-based NPSS detection method is more effective than cross-correlation-based NPSS detection using frequency offset estimation and compensation before the NPSS received timing detection, from the viewpoints of PCID detection probability and computational complexity. We also show that when using autocorrelation-based NPSS detection, the loss in the PCID detection probability at the carrier frequency of fc = 28 GHz compared to that for fc = 3.5 GHz is only approximately 5% at an average received signal-to-noise ratio (SNR) of 0 dB when the frequency stability of the local oscillator of a user equipment (UE) set is 20 ppm. Therefore, we conclude that the multiplexing schemes and sequences of NPSS and NSSS based on the NB-IoT radio interface, combined with autocorrelation-based NPSS detection, will support the 28-GHz frequency spectra.
Daisuke INOUE Tomomi MIYAKE Mitsuhiro SUGIMOTO
We propose a novel mechanism of short-term image-sticking phenomenon in in-plane switching liquid crystal displays (IPS LCDs) that is related to ionic relaxation generated by a vertical electric field caused by a flexoelectric effect. We discuss the differences between electric fields caused by the flexoelectric effect and those caused by DC bias voltage.
Ved P. KAFLE Ruidong LI Daisuke INOUE Hiroaki HARAI
For flexibility in supporting mobility and multihoming in edge networks and scalability of the backbone routing system, the future Internet is expected to be based on the concept of ID/locator split. Heterogeneity Inclusion and Mobility Adaptation through Locator ID Separation (HIMALIS) has been designed as a generic future network architecture based on the ID/locator split concept. It can natively support mobility, multihoming, scalable backbone routing and heterogeneous protocols in the network layer of the new generation network or future Internet. However, HIMALIS still lacks security functions to protect itself from various attacks, such as impersonation attacks, during the procedures of storing, updating, and retrieving ID/locator mappings. Therefore, in this paper, we address the design and implementation of security functions for the HIMALIS architecture. We present an integrated security scheme consisting of mapping registration and retrieval security, network access security, communication session security, and mobility security. Through the proposed scheme, the hostname-to-ID and locator mapping records can be securely stored and updated in two types of name registries, the domain name registry and the host name registry. Meanwhile, the mapping records retrieved securely from these registries are utilized for securing the network access process, communication sessions, and mobility management functions. The proposed scheme provides comprehensive protection of both control and data packets as well as the network infrastructure through an effective combination of asymmetric and symmetric cryptographic functions.
Naoki IKEDA Yoshimasa SUGIMOTO Masayuki OCHIAI Daijyu TSUYA Yasuo KOIDE Daisuke INOUE Atsushi MIURA Tsuyoshi NOMURA Hisayoshi FUJIKAWA Kazuo SATO
We investigated the optical transmission characteristics of aluminum thin films with periodic sub-wavelength hole arrays. We divided white light into several color spectra using a color filter based on surface plasmon resonance (SPR), utilizing aluminum, which has a high plasma frequency. By optimizing the hole-array period, hole shape, polarization and the refractive index difference between the two surfaces, a transmittance of 30% and a full-width at half-maximum of around 100 nm were achieved.
Takahiro KASAMA Katsunari YOSHIOKA Daisuke INOUE Tsutomu MATSUMOTO
As the number of new malware samples has increased explosively, traditional malware detection approaches based on pattern matching have become less effective. Therefore, it is important to develop a detection method which relies not on signatures but on the characteristic behaviors of malware. Recently, malware authors have been embedding functions into malware to counter malware analysis and detection. Accordingly, modern malware often changes its runtime behavior in each execution to withstand analysis and detection. For example, when malware copies itself onto a file system, it can randomly determine its file name to avoid detection. Another example is that when malware tries to connect to its command and control server, it randomly chooses a domain name from a hard-coded domain name list to avoid being blocked by a static blacklist of malicious domain names. We assume that such evasive behaviors are unnecessary for benign software. Therefore, these behaviors can serve as clues to distinguish malware from benign software. In this paper, we propose a novel behavior-based malware detection method which focuses attention on such characteristics. Our proposed method conducts dynamic analysis of an executable file multiple times in the same sandbox environment so as to obtain multiple lists of API call sequences and multiple traffic logs, and then compares the lists and the logs to find the differences between the multiple executions. In experiments with 5,697 malware samples and 819 benign software samples, we can detect about 70% of the malware samples with a false positive rate of about 1%. In addition, we can detect about 50% of the malware samples which were not detected by each anti-virus software engine. Therefore, we confirm that the proposed method may improve the accuracy of malware detection when used in combination with other existing methods.