Author Search Result

[Author] Daisuke INOUE(33hit)

1-20hit(33hit)

  • A Mechanism of Short-Term Image-Sticking Phenomenon Caused by Flexoelectric Effect in IPS LCD Open Access

    Daisuke INOUE  Tomomi MIYAKE  Mitsuhiro SUGIMOTO  

     
    INVITED PAPER

    Vol: E101-C No:11
    Page(s): 846-850

    We propose a novel mechanism of short-term image-sticking phenomenon in in-plane switching liquid crystal displays (IPS LCDs) that is related to ionic relaxation generated by a vertical electric field caused by a flexoelectric effect. We discuss the differences between electric fields caused by the flexoelectric effect and those caused by DC bias voltage.

  • Design and Implementation of Security for HIMALIS Architecture of Future Networks

    Ved P. KAFLE  Ruidong LI  Daisuke INOUE  Hiroaki HARAI  

     
    PAPER

    Vol: E96-D No:2
    Page(s): 226-237

    For flexibility in supporting mobility and multihoming in edge networks and scalability of the backbone routing system, future Internet is expected to be based on the concept of ID/locator split. Heterogeneity Inclusion and Mobility Adaptation through Locator ID Separation (HIMALIS) has been designed as a generic future network architecture based on ID/locator split concept. It can natively support mobility, multihoming, scalable backbone routing and heterogeneous protocols in the network layer of the new generation network or future Internet. However, HIMALIS still lacks security functions to protect itself from various attacks during the procedures of storing, updating, and retrieving of ID/locator mappings, such as impersonation attacks. Therefore, in this paper, we address the issues of security functions design and implementation for the HIMALIS architecture. We present an integrated security scheme consisting of mapping registration and retrieval security, network access security, communication session security, and mobility security. Through the proposed scheme, the hostname to ID and locator mapping records can be securely stored and updated in two types of name registries, domain name registry and host name registry. Meanwhile, the mapping records retrieved securely from these registries are utilized for securing the network access process, communication sessions, and mobility management functions. The proposed scheme provides comprehensive protection of both control and data packets as well as the network infrastructure through an effective combination of asymmetric and symmetric cryptographic functions.

  • Color Filter Based on Surface Plasmon Resonance Utilizing Sub-Micron Periodic Hole Array in Aluminum Thin Film

    Naoki IKEDA  Yoshimasa SUGIMOTO  Masayuki OCHIAI  Daijyu TSUYA  Yasuo KOIDE  Daisuke INOUE  Atsushi MIURA  Tsuyoshi NOMURA  Hisayoshi FUJIKAWA  Kazuo SATO  

     
    BRIEF PAPER

    Vol: E95-C No:2
    Page(s): 251-254

    We investigated optical transmission characteristics of aluminum thin films with periodic hole arrays in sub-wavelength. We divided white light into several color spectra using a color filter based on the surface plasmon resonance (SPR) utilizing aluminum showing high plasma frequency. By optimizing a hole-array period, hole shape, polarization and index difference of two surface, transmittance of 30% and full-width at half-maximum of around 100 nm were achieved.

  • Catching the Behavioral Differences between Multiple Executions for Malware Detection

    Takahiro KASAMA  Katsunari YOSHIOKA  Daisuke INOUE  Tsutomu MATSUMOTO  

     
    PAPER-System Security

    Vol: E96-A No:1
    Page(s): 225-232

    As the number of new malware has increased explosively, traditional malware detection approaches based on pattern matching have been less effective. Therefore, it is important to develop a detection method which relies on not signatures but characteristic behaviors of malware. Recently, malware authors have been embedding functions for countermeasure against malware analyses and detections into malware. Accordingly, modern malware often changes their runtime behaviors in each execution to tolerate against malware analyses and detections. For example, when malware copies itself on a file system, it can randomly determine its file name for avoiding the detections. Another example is that when malware tries to connect its command and control server, it randomly chooses a domain name from a hard-coded domain name list to avoid being blocked by a static blacklist of malicious domain names. We assume that such evasive behaviors are unnecessary for benign software. Therefore the behaviors can be the clues to distinguish malware from benign software. In this paper, we propose a novel behavior-based malware detection method which focuses attention on such characteristics. Our proposed method conducts dynamic analysis on an executable file multiple times in same sandbox environment so as to obtain plural lists of API call sequences and plural traffic logs, and then compares the lists and the logs to find the difference between the multiple executions. In the experiments with 5,697 malware samples and 819 benign software samples, we can detect about 70% malware samples and the false positive rate is about 1%. In addition, we can detect about 50% malware samples which were not detected by each Anti-Virus Software engine. Therefore we confirm the possibility the proposed method may be able to improve the accuracy of malware detection utilizing in combination with other existing methods.

  • An Accurate Packer Identification Method Using Support Vector Machine

    Ryoichi ISAWA  Tao BAN  Shanqing GUO  Daisuke INOUE  Koji NAKAO  

     
    PAPER-Foundations

    Vol: E97-A No:1
    Page(s): 253-263

    PEiD is a packer identification tool widely used for malware analysis but its accuracy is becoming lower and lower recently. There exist two major reasons for that. The first is that PEiD does not provide a way to create signatures, though it adopts a signature-based approach. We need to create signatures manually, and it is difficult to catch up with packers created or upgraded rapidly. The second is that PEiD utilizes exact matching. If a signature contains any error, PEiD cannot identify the packer that corresponds to the signature. In this paper, we propose a new automated packer identification method to overcome the limitations of PEiD and report the results of our numerical study. Our method applies string-kernel-based support vector machine (SVM): it can measure the similarity between packed programs without our operations such as manually creating signature and it provides some error tolerant mechanism that can significantly reduce detection failure caused by minor signature violations. In addition, we use the byte sequence starting from the entry point of a packed program as a packer's feature given to SVM. That is, our method combines the advantages from signature-based approach and machine learning (ML) based approach. The numerical results on 3902 samples with 26 packer classes and 3 unpacked (not-packed) classes shows that our method achieves a high accuracy of 99.46% outperforming PEiD and an existing ML-based method that Sun et al. have proposed.

  • O-means: An Optimized Clustering Method for Analyzing Spam Based Attacks

    Jungsuk SONG  Daisuke INOUE  Masashi ETO  Hyung Chan KIM  Koji NAKAO  

     
    PAPER-Network Security

    Vol: E94-A No:1
    Page(s): 245-254

    In recent years, the number of spam emails has been dramatically increasing and spam is recognized as a serious internet threat. Most recent spam emails are being sent by bots which often operate with others in the form of a botnet, and skillful spammers try to conceal their activities from spam analyzers and spam detection technology. In addition, most spam messages contain URLs that lure spam receivers to malicious Web servers for the purpose of carrying out various cyber attacks such as malware infection, phishing attacks, etc. In order to cope with spam based attacks, there have been many efforts made towards the clustering of spam emails based on similarities between them. The spam clusters obtained from the clustering of spam emails can be used to identify the infrastructure of spam sending systems and malicious Web servers, and how they are grouped and correlate with each other, and to minimize the time needed for analyzing Web pages. Therefore, it is very important to improve the accuracy of the spam clustering as much as possible so as to analyze spam based attacks more accurately. In this paper, we present an optimized spam clustering method, called O-means, based on the K-means clustering method, which is one of the most widely used clustering methods. By examining three weeks of spam gathered in our SMTP server, we observed that the accuracy of the O-means clustering method is about 87% which is superior to the previous clustering methods. In addition, we define 12 statistical features to compare similarity between spam emails, and we determined a set of optimized features which makes the O-means clustering method more effective.

  • Symmetricity of the Protocols Related to Oblivious Transfer

    Daisuke INOUE  Keisuke TANAKA  

     
    LETTER

    Vol: E92-A No:1
    Page(s): 217-221

    In this paper, we show that each of the special cases of strong conditional oblivious transfer can be obtained from only one instance of its inverse. Each of our constructions is simple and efficient, and preserves the same security level of its inverse.

  • FCReducer: Locating Symmetric Cryptographic Functions on the Memory

    Ryoya FURUKAWA  Ryoichi ISAWA  Masakatu MORII  Daisuke INOUE  Koji NAKAO  

     
    PAPER-Information Network

    Publicized: 2017/12/14
    Vol: E101-D No:3
    Page(s): 685-697

    Malicious software (malware) poses various significant challenges. One is the need to retrieve plain-text messages transmitted between malware and herders through an encrypted network channel. Those messages (e.g., commands for malware) can be a useful hint to reveal their malicious activities. However, the retrieving is challenging even if the malware is executed on an analysis computer. To assist analysts in retrieving the plain-text from the memory, this paper presents FCReducer(Function Candidate Reducer), which provides a small candidate set of cryptographic functions called by malware. Given this set, an analyst checks candidates to locate cryptographic functions. If the decryption function is found, she then obtains its output as the plain-text. Although existing systems such as CipherXRay have been proposed to locate cryptographic functions, they heavily rely on fine-grained dynamic taint analysis (DTA). This makes them weak against under-tainting, which means failure of tracking data propagation. To overcome under-tainting, FCReducer conducts coarse-grained DTA and generates a typical data dependency graph of functions in which the root function accesses an encrypted message. This does not require fine-grained DTA. FCReducer then applies a community detection method such as InfoMap to the graph for detecting a community of functions that plays a role in decryption or encryption. The functions in this community are provided as candidates. With experiments using 12 samples including four malware specimens, we confirmed that FCReducer reduced, for example, 4830 functions called by Zeus malware to 0.87% as candidates. We also propose a heuristic to reduce candidates more greatly.

  • Flexoelectric Effect on Image Sticking Caused by Residual Direct Current Voltage and Flicker Phenomenon in Fringe-Field Switching Mode Liquid Crystal Display Open Access

    Daisuke INOUE  Tomomi MIYAKE  Mitsuhiro SUGIMOTO  

     
    INVITED PAPER-Electronic Displays

    Publicized: 2020/07/21
    Vol: E104-C No:2
    Page(s): 45-51

    Although transmittance changes like a quadratic function due to the DC offset voltage in FFS mode LCD, its bottom position and flicker minimum DC offset voltage varies depending on the gray level due to the flexoelectric effect. We demonstrated how the influence of the flexoelectric effect changes depending on the electrode width or black matrix position.

  • Nanophotonics Based on Semiconductor-Photonic Crystal/Quantum Dot and Metal-/Semiconductor-Plasmonics Open Access

    Kiyoshi ASAKAWA  Yoshimasa SUGIMOTO  Naoki IKEDA  Daiju TSUYA  Yasuo KOIDE  Yoshinori WATANABE  Nobuhiko OZAKI  Shunsuke OHKOUCHI  Tsuyoshi NOMURA  Daisuke INOUE  Takayuki MATSUI  Atsushi MIURA  Hisayoshi FUJIKAWA  Kazuo SATO  

     
    INVITED PAPER

    Vol: E95-C No:2
    Page(s): 178-187

    This paper reviews our recent activities on nanophotonics based on a photonic crystal (PC)/quantum dot (QD)-combined structure for an all-optical device and a metal/semiconductor composite structure using surface plasmon (SP) and negative refractive index material (NIM). The former structure contributes to an ultrafast signal processing component by virtue of new PC design and QD selective-area-growth technologies, while the latter provides a new RGB color filter with a high precision and optical beam-steering device with a wide steering angle.

  • Automatically Generating Malware Analysis Reports Using Sandbox Logs

    Bo SUN  Akinori FUJINO  Tatsuya MORI  Tao BAN  Takeshi TAKAHASHI  Daisuke INOUE  

     
    PAPER-Network Security

    Publicized: 2018/08/22
    Vol: E101-D No:11
    Page(s): 2622-2632

    Analyzing a malware sample requires much more time and cost than creating it. To understand the behavior of a given malware sample, security analysts often make use of API call logs collected by the dynamic malware analysis tools such as a sandbox. As the amount of the log generated for a malware sample could become tremendously large, inspecting the log requires a time-consuming effort. Meanwhile, antivirus vendors usually publish malware analysis reports (vendor reports) on their websites. These malware analysis reports are the results of careful analysis done by security experts. The problem is that even though there are such analyzed examples for malware samples, associating the vendor reports with the sandbox logs is difficult. This makes security analysts not able to retrieve useful information described in vendor reports. To address this issue, we developed a system called AMAR-Generator that aims to automate the generation of malware analysis reports based on sandbox logs by making use of existing vendor reports. Aiming at a convenient assistant tool for security analysts, our system employs techniques including template matching, API behavior mapping, and malicious behavior database to produce concise human-readable reports that describe the malicious behaviors of malware programs. Through the performance evaluation, we first demonstrate that AMAR-Generator can generate human-readable reports that can be used by a security analyst as the first step of the malware analysis. We also demonstrate that AMAR-Generator can identify the malicious behaviors that are conducted by malware from the sandbox logs; the detection rates are up to 96.74%, 100%, and 74.87% on the sandbox logs collected in 2013, 2014, and 2015, respectively. We also present that it can detect malicious behaviors from unknown types of sandbox logs.

  • Malware Sandbox Analysis for Secure Observation of Vulnerability Exploitation

    Katsunari YOSHIOKA  Daisuke INOUE  Masashi ETO  Yuji HOSHIZAWA  Hiroki NOGAWA  Koji NAKAO  

     
    PAPER-Malware Detection

    Vol: E92-D No:5
    Page(s): 955-966

    Exploiting vulnerabilities of remote systems is one of the fundamental behaviors of malware that determines their potential hazards. Understanding what kind of propagation tactics each malware uses is essential in incident response because such information directly links with countermeasures such as writing a signature for IDS. Although recently malware sandbox analysis has been studied intensively, little work is done on securely observing the vulnerability exploitation by malware. In this paper, we propose a novel sandbox analysis method for securely observing malware's vulnerability exploitation in a totally isolated environment. In our sandbox, we prepare two victim hosts. We first execute the sample malware on one of these hosts and then let it attack the other host which is running multiple vulnerable services. As a simple realization of the proposed method, we have implemented a sandbox using Nepenthes, a low-interaction honeypot, as the second victim. Because Nepenthes can emulate a variety of vulnerable services, we can efficiently observe the propagation of sample malware. In the experiments, among 382 samples whose scan capabilities are confirmed, 381 samples successfully started exploiting vulnerabilities of the second victim. This indicates the certain level of feasibility of the proposed method.

  • Towards Cost-Effective P2P Traffic Classification in Cloud Environment

    Tao BAN  Shanqing GUO  Masashi ETO  Daisuke INOUE  Koji NAKAO  

     
    PAPER-Network and Communication

    Vol: E95-D No:12
    Page(s): 2888-2897

    Characterization of peer-to-peer (P2P) traffic is an essential step to develop workload models towards capacity planning and cyber-threat countermeasure over P2P networks. In this paper, we present a classification scheme for characterizing P2P file-sharing hosts based on transport layer statistical features. The proposed scheme is accessed on a virtualized environment that simulates a P2P-friendly cloud system. The system shows high accuracy in differentiating P2P file-sharing hosts from ordinary hosts. Its tunability regarding monitoring cost, system response time, and prediction accuracy is demonstrated by a series of experiments. Further study on feature selection is pursued to identify the most essential discriminators that contribute most to the classification. Experimental results show that an equally accurate system could be obtained using only 3 out of the 18 defined discriminators, which further reduces the monitoring cost and enhances the adaptability of the system.

  • Radio Frame Timing Detection Method Using Demodulation Reference Signals Based on PCID Detection for NR Initial Access

    Kyogo OTA  Daisuke INOUE  Mamoru SAWAHASHI  Satoshi NAGATA  

     
    PAPER-Terrestrial Wireless Communication/Broadcasting Technologies

    Publicized: 2021/12/01
    Vol: E105-B No:6
    Page(s): 775-787

    This paper proposes individual computation processes of the partial demodulation reference signal (DM-RS) sequence in a synchronization signal (SS)/physical broadcast channel (PBCH) block to be used to detect the radio frame timing based on SS/PBCH block index detection for New Radio (NR) initial access. We present the radio frame timing detection probability using the proposed partial DM-RS sequence detection method that is applied subsequent to the physical-layer cell identity (PCID) detection in five tapped delay line (TDL) models in both non-line-of-sight (NLOS) and line-of-sight (LOS) environments. Computer simulation results show that by using the proposed method, the radio frame timing detection probabilities of almost 100% and higher than 90% are achieved for the LOS and NLOS channel models, respectively, at the average received signal-to-noise power ratio (SNR) of 0dB with the frequency stability of a local oscillator in a set of user equipment (UE) of 5ppm at the carrier frequency of 4GHz.

  • A Cross-Platform Study on Emerging Malicious Programs Targeting IoT Devices Open Access

    Tao BAN  Ryoichi ISAWA  Shin-Ying HUANG  Katsunari YOSHIOKA  Daisuke INOUE  

     
    LETTER-Cybersecurity

    Publicized: 2019/06/21
    Vol: E102-D No:9
    Page(s): 1683-1685

    Along with the proliferation of IoT (Internet of Things) devices, cyberattacks towards them are on the rise. In this paper, aiming at efficient precaution and mitigation of emerging IoT cyberthreats, we present a multimodal study on applying machine learning methods to characterize malicious programs which target multiple IoT platforms. Experiments show that opcode sequences obtained from static analysis and API sequences obtained by dynamic analysis provide sufficient discriminant information such that IoT malware can be classified with near optimal accuracy. Automated and accelerated identification and mitigation of new IoT cyberthreats can be enabled based on the findings reported in this study.

  • Detection-Resistant Steganography for Standard MIDI Files

    Daisuke INOUE  Masataka SUZUKI  Tsutomu MATSUMOTO  

     
    PAPER-Information Security

    Vol: E86-A No:8
    Page(s): 2099-2106

    Steganography is a technique that conceals the very existence of communication by means of hiding secret messages in innocuous cover objects. We previously developed a steganographic method that uses standard MIDI files (SMFs) as cover objects. Our method could conceal the secret messages in SMFs without changing their sound. We also investigated the effectiveness of our method against steganalysis. This steganalytic research revealed that files embedded using our method are vulnerable to detection, because stego SMFs lose the imprints borne by sequencers. In this study, we describe two improved methods of steganography that enable even stego SMFs to keep the sequencer's imprint. As a result, we improved the resistance of SMFs against steganalysis but there was a slight reduction in the embedding rate.

  • Laser Radar Receiver Performance Improvement by Inter Symbol Interference

    Xuesong MAO  Daisuke INOUE  Hiroyuki MATSUBARA  Manabu KAGAMI  

     
    PAPER-Sensing

    Vol: E95-B No:8
    Page(s): 2631-2637

    The power of laser radar received echoes varies over a large range due to many factors such as target distance, size, reflection ratio, etc, which leads to the difficulty of decoding codes from the received noise buried signals for spectrum code modulated laser radar. Firstly, a pseudo-random noise (PN) code modulated laser radar model is given, and the problem to be addressed is discussed. Then, a novel method based on Inter Symbol Interference (ISI) is proposed for resolving the problem, providing that only Additive White Gaussian Noise (AWGN) exists. The ISI effect is introduced by using a high pass filter (HPF). The results show that ISI improves laser radar receiver decoding ratio, thus the peak of the correlation function of decoded codes and modulation codes. Finally, the effect of proposed method is verified by a simple experiment.

  • Rivulet: An Anonymous Communication Method Based on Group Communication

    Daisuke INOUE  Tsutomu MATSUMOTO  

     
    PAPER

    Vol: E85-A No:1
    Page(s): 94-101

    Anonymous communication essentially involves two difficulties; 1) How does the sender send a message anonymously? 2) How does the receiver send a reply to the anonymous sender? In this paper, we propose an anonymous communication method named Rivulet that overcomes both of the difficulties by using group communication. Moreover, anonymous communication holds two dilemmas; 1) Strong anonymity or good performance? 2) Protect the privacy or promote the crime? Rivulet provides a solution for the former dilemma. The latter one is hard and important problem for all privacy protection schemes, therefore, we have to keep discussing this dilemma.

  • A Novel Malware Clustering Method Using Frequency of Function Call Traces in Parallel Threads

    Junji NAKAZATO  Jungsuk SONG  Masashi ETO  Daisuke INOUE  Koji NAKAO  

     
    PAPER

    Vol: E94-D No:11
    Page(s): 2150-2158

    With the rapid development and proliferation of the Internet, cyber attacks are increasingly and continually emerging and evolving nowadays. Malware – a generic term for computer viruses, worms, trojan horses, spywares, adwares, and bots – is a particularly lethal security threat. To cope with this security threat appropriately, we need to identify the malwares' tendency/characteristic and analyze the malwares' behaviors including their classification. In the previous works of classification technologies, the malwares have been classified by using data from dynamic analysis or code analysis. However, the works have not been succeeded to obtain efficient classification with high accuracy. In this paper, we propose a new classification method to cluster malware more effectively and more accurately. We firstly perform dynamic analysis to automatically obtain the execution traces of malwares. Then, we classify malwares into some clusters using their characteristics of the behavior that are derived from Windows API calls in parallel threads. We evaluated our classification method using 2,312 malware samples with different hash values. The samples classified into 1,221 groups by the result of three types of antivirus softwares were classified into 93 clusters. 90% of the samples used in the experiment were classified into 20 clusters at most. Moreover, it ensured that 39 malware samples had characteristics different from other samples, suggesting that these may be new types of malware. The kinds of Windows API calls confirmed the samples classified into the same cluster had the same characteristics. We made clear that antivirus softwares named different name to malwares that have same behavior.

  • Physical Cell ID Detection Using Joint Estimation of Frequency Offset and SSS Sequence for NR Initial Access

    Daisuke INOUE  Kyogo OTA  Mamoru SAWAHASHI  Satoshi NAGATA  

     
    PAPER

    Publicized: 2021/03/17
    Vol: E104-B No:9
    Page(s): 1120-1128

    This paper proposes a physical-layer cell identity (PCID) detection method that uses joint estimation of the frequency offset and secondary synchronization signal (SSS) sequence for the 5G new radio (NR) initial access with beamforming transmission at a base station. Computer simulation results show that using the PCID detection method with the proposed joint estimation yields an almost identical PCID detection probability as the primary synchronization signal (PSS) detection probability at an average received signal-to-noise ratio (SNR) of higher than approximately -5dB suggesting that the residual frequency offset is compensated to a sufficiently low level for the SSS sequence estimation. It is also shown that the PCID detection method achieves a high PCID detection probability of greater than 90% and 50% at the carrier frequency of 30 and 50GHz, respectively, at the average received SNR of 0dB for the frequency stability of a user equipment oscillator of 3ppm.
