In this paper, we present non-Markovian availability models for capturing the dynamics of system behavior of an operational software system that undergoes aperiodic time-based software rejuvenation and checkpointing. Two availability models with rejuvenation are considered taking account of the procedure after the completion of rollback recovery operation. We further proceed to investigate whether there exists the optimal rejuvenation schedule that maximizes the steady-state system availability, which is derived by means of the phase expansion technique, since the resulting models are not the trivial stochastic models such as semi-Markov process and Markov regenerative process, so that it is hard to solve them by using the common approaches like Laplace-Stieltjes transform and embedded Markov chain techniques. The numerical experiments are conducted to determine the optimal rejuvenation trigger timing maximizing the steady-state system availability for each availability model, and to compare both two models.

The number of malware, including variants and new types, is dramatically increasing over the years, posing one of the greatest cybersecurity threats nowadays. To counteract such security threats, it is crucial to detect malware accurately and early enough. The recent advances in machine learning technology have brought increasing interest in malware detection. A number of research studies have been conducted in the field. It is well known that malware detection accuracy largely depends on the training dataset used. Creating a suitable training dataset for efficient malware detection is thus crucial. Different works usually use their own dataset; therefore, a dataset is only effective for one detection method, and strictly comparing several methods using a common training dataset is difficult. In this paper, we focus on how to create a training dataset for efficiently detecting malware. To achieve our goal, the first step is to clarify the information that can accurately characterize malware. This paper concentrates on threads, by treating them as important information for characterizing malware. Specifically, on the basis of the dynamic analysis log from the Alkanet, a system call tracer, we obtain the thread information and classify the thread information processing into four patterns. Then the malware detection is performed using the number of transitions of system calls appearing in the thread as a feature. Our comparative experimental results showed that the primary thread information is important and useful for detecting malware with high accuracy.

A wide range of communication protocols has recently been developed to address service diversification. At the same time, firewalls (FWs) are installed at the boundaries between internal networks, such as those owned by companies and homes, and the Internet. In general, FWs are configured as whitelists and release only the port corresponding to the service to be used and block communication from other ports. In a previous study, we proposed a method for traversing a FW and enabling communication by inserting a pseudo-transmission control protocol (TCP) header imitating HTTPS into a packet, which normally would be blocked by the FW. In that study, we confirmed the efficiency of the proposed method via its implementation and experiments. Even though common encapsulating techniques work on end-nodes, the previous implementation worked on the relay node assuming a router. Further, middleboxes, which overwrite L3 and L4 headers on the Internet, need to be taken into consideration. Accordingly, we re-implemented the proposed method into an end-node and added a feature countering a typical middlebox, i.e., NAPT, into our implementation. In this paper, we describe the functional confirmation and performance evaluations of both versions of the proposed method.

Utilization data (a kind of incomplete data) is defined as the fraction of a fixed period in which the system is busy. In computer systems, utilization data is very common and easily observable, such as CPU utilization. Unlike inter-arrival times and waiting times, it is more significant to consider the parameter estimation of transaction-based systems with utilization data. In our previous work [7], a novel parameter estimation method using utilization data for an Mt/M/1/K queueing system was presented to estimate the parameters of a non-homogeneous Poisson process (NHPP). Since NHPP is classified as a simple counting process, it may not fit actual arrival streams very well. As a generalization of NHPP, Markovian arrival process (MAP) takes account of the dependency between consecutive arrivals and is often used to model complex, bursty, and correlated traffic streams. In this paper, we concentrate on the parameter estimation of an MAP/M/1/K queueing system using utilization data. In particular, the parameters are estimated by using maximum likelihood estimation (MLE) method. Numerical experiments on real utilization data validate the proposed approach and evaluate the effective traffic intensity of the arrival stream of MAP/M/1/K queueing system. Besides, three kinds of utilization datasets are created from a simulation to assess the effects of observed time intervals on both estimation accuracy and computational cost. The numerical results show that MAP-based approach outperforms the exiting method in terms of both the estimation accuracy and computational cost.

Survivability is the capability of a system to provide its services in a timely manner even after intrusion and compromise occur. In this paper, we focus on the quantitative analysis of survivability of virtual machine (VM) based intrusion tolerant system in the presence of Byzantine failures due to malicious attacks. Intrusion tolerant system has the ability of a system to continuously provide correct services even if the system is intruded. This paper introduces a scheme of the intrusion tolerant system with virtualization, and derives the success probability for one request by a Markov chain under the environment where VMs have been intruded due to a security hole by malicious attacks. Finally, in numerical experiments, we evaluate the performance of VM-based intrusion tolerant system from the viewpoint of survivability.