Remote Access Trojans (RAT) is a spyware which can steal the confidential information from a target organization. The detection of RATs becomes more and more difficult because of targeted attacks, since the victim usually cannot realize that he/she is being attacked. After RAT's intrusion, the attacker can monitor and control the victim's PC remotely, to wait for an opportunity to steal the confidential information. As this situation, the main issue we face now is how to prevent confidential information being leaked back to the attacker. Although there are many existing approaches about RAT detection, there still remain two challenges: to detect RAT sessions as early as possible, and to distinguish them from the normal applications with a high accuracy. In this paper, we propose a novel approach to detect RAT sessions by their network behavior during the early stage of communication. The early stage is defined as a short period of time at communication's beginning; it also can be seen as the preparation period of the communication. We extract network behavior features from this period, to differentiate RAT sessions and normal sessions. For the implementation and evaluation, we use machine learning techniques with 5 algorithms and K-Fold cross-validation. As the results, our approach could detect RAT sessions in the communication's early stage with the accuracy over 96% together with the FNR of 10% by Random Forest algorithm.

Proof of Retrievability (POR) is a protocol by which a client can distribute his/her data to cloud servers and can check if the data stored in the servers is available and intact. After that, network coding-based POR has been applied to improve network throughput. Although many network coding-based PORs have been proposed, most of them have not achieved the following practical features: direct repair and dynamic operations. In this paper, we propose the D2-POR scheme (Direct repair and Dynamic operations in network coding-based POR) to address these shortcomings. When a server is corrupted, the D2-POR can support the direct repair in which the data stored in the corrupted server can be repaired using the data directly provided by healthy servers. The client is thus free from the burden of data repair. Furthermore, the D2-POR allows the client to efficiently perform dynamic operations, i.e., modification, insertion and deletion.

Malware proliferation has become a serious threat to the Internet in recent years. Most current malware are subspecies of existing malware that have been automatically generated by illegal tools. To conduct an efficient analysis of malware, estimating their functions in advance is effective when we give priority to analyze malware. However, estimating the malware functions has been difficult due to the increasing sophistication of malware. Actually, the previous researches do not estimate the functions of malware sufficiently. In this paper, we propose a new method which estimates the functions of unknown malware from APIs or categories observed by dynamic analysis on a host. We examine whether the proposed method can correctly estimate the malware functions by the supervised machine learning techniques. The results show that our new method can estimate the malware functions with the average accuracy of 83.4% using API information.

Timed-Release Encryption (TRE) is a kind of time-dependent encryption, where the time of decryption can be controlled. More precisely, TRE prevents even a legitimate recipient decrypting a ciphertext before a semi-trusted Time Server (TS) sends trapdoor sT assigned with a release time T of the encryptor's choice. Cathalo et al. (ICICS2005) and Chalkias et al. (ESORICS2007) have already considered encrypting a message intended for multiple recipients with the same release time. One drawback of these schemes is the ciphertext size and computational complexity, which depend on the number of recipients N. Ideally, it is desirable that any factor (ciphertext size, computational complexity of encryption/decryption, and public/secret key size) does not depend on N. In this paper, to achieve TRE with such fully constant costs from the encryptor's/decryptor's point of view, by borrowing the technique of Proxy Re-Encryption (PRE), we propose a cryptosystem in which even if the proxy transformation is applied to a TRE ciphertext, the release time is still effective. By sending a TRE ciphertext to the proxy, an encryptor can foist N-dependent computation costs on the proxy. We call this cryptosystem Timed-Release PRE (TR-PRE). This function can be applied to efficient multicast communication with a release time indication.

In key-recovery methods using smart cards, a user can recover the disk encryption key in cooperation with the system administrator, even if the user has lost the smart card including the disk encryption key. However, the disk encryption key is known to the system administrator in advance in most key-recovery methods. Hence user's disk data may be read by the system administrator. Furthermore, if the disk encryption key is not known to the system administrator in advance, it is difficult to achieve a key authentication. In this paper, we propose a scheme which enables to recover the disk encryption key when the user's smart card is lost. In our scheme, the disk encryption key is not preserved anywhere and then the system administrator cannot know the key before key-recovery phase. Only someone who has a user's smart card and knows the user's password can decrypt that user's disk data. Furthermore, we measured the processing time required for user authentication in an experimental environment using a virtual machine monitor. As a result, we found that this processing time is short enough to be practical.

Nowadays, many individuals and organizations tend to outsource their data to a cloud storage for reducing the burden of data storage and maintenance. However, a cloud provider may be untrustworthy. The cloud thus leads to a numerous security challenges: data availability, data integrity, and data confidentiality. In this paper, we focus on data availability and data integrity because they are the prerequisites of the existence of a cloud system. The approach of this paper is the network coding-based Proof of Retrievability (POR) scheme which allows a client to check whether his/her data stored on the cloud servers are intact. Although many existing network coding-based PORs have been proposed, most of them still incur high costs in data check and data repair, and cannot prevent the small corruption attack which is a common attack in the POR scheme. This paper proposes a new network coding-based POR using the dispersal coding technique, named the ND-POR (Network coding - Dispersal coding POR) to improve the efficiency in data check and data repair and to protect against the small corruption attack.

Wireless Sensor Networks (WSNs) rely on in-network aggregation for efficiency, that is, readings from sensor nodes are aggregated at intermediate nodes to reduce the communication cost. However, the previous optimally secure in-network aggregation protocols against multiple corrupted nodes require two round-trip communications between each node and the base station, including the result-checking phase whose congestion is O(log n) where n is the total number of sensor nodes. In this paper, we propose an efficient and optimally secure sensor network aggregation protocol against multiple corrupted nodes by a random-walk adversary. Our protocol achieves one round-trip communication to satisfy optimal security without the result-checking phase, by conducting aggregation along with the verification, based on the idea of TESLA technique. Furthermore, we show that the congestion complexity, communication complexity and computational cost in our protocol are constant, i.e., O(1).

This paper proposes methods for “restricting the message space” of public-key encryption, by allowing a third party to verify whether a given ciphertext does not encrypt some message which is previously specified as a “bad” (or “problematic”) message. Public-key encryption schemes are normally designed not to leak even partial information of encrypted plaintexts, but it would be problematic in some circumstances. This higher level of confidentiality could be abused, as some malicious parties could communicate with each other, or could talk about some illegal topics, using an ordinary public key encryption scheme with help of the public-key infrastructure. It would be undesirable considering the public nature of PKI. The primitive of restrictive public key encryption will help this situation, by allowing a trusted authority to specify a set of “bad” plaintexts, and allowing every third party to detect ciphertexts that encrypts some of the specified “bad” plaintext. The primitive also provides strong confidentiality (of indistinguishability type) of the plaintext when it is not specified as “bad.” In this way, a third party (possible a gateway node of the network) can examine a ciphertext (which comes from the network) includes an allowable content or not, and only when the ciphertext does not contain forbidden message, the gateway transfers the ciphertext to a next node. In this paper, we formalize the above requirements and provide two constructions that satisfied the formalization. The first construction is based on the techniques of Teranishi et al. (IEICE Trans. Fundamentals E92-A, 2009), Boudot (EUROCRYPT 2000), and Nakanishi et al. (IEICE Trans. Fundamentals E93-A, 2010), which are developed in the context of (revocation of) group signature. The other construction is based on the OR-proof technique. The first construction has better performance when very few messages are specified as bad, while the other does when almost all of messages are specified as bad (and only very few messages are allowed to encrypt).

With the rise of social network service (SNS) in recent years, the security of SNS users' private information has been a concern for the public. However, due to the anonymity of SNS, identity impersonation is hard to be detected and prevented since users are free to create an account with any username they want. This could lead to cybercrimes like fraud because impersonation allows malicious users to steal private information. Until now, there are few studies about this problem, and none of them can perfectly handle this problem. In this paper, based on an idea from previous work, we combine blockchain technology and security protocol to prevent impersonation in SNS. In our scheme, the defects of complex and duplicated operations in the previous work are improved. And the authentication work of SNS server is also adjusted to resist single-point, attacks. Moreover, the smart contract is introduced to help the whole system runs automatically. Afterward, our proposed scheme is implemented and tested on an Ethereum test network and the result suggests that it is acceptable and suitable for nowadays SNS network.

An English auction is the most familiar type of auctions. Generally, an electronic auction has mainly two entities, the registration manager (RM) who treats the registration of bidders, and the auction manager (AM) who holds auctions. Before starting an auction, a bidder who wants to participate in English auction is registered to RM with her/his information. An electronic English auction protocol should satisfy the following nine properties, (a) Anonymity, (b) Traceability, (c) No framing, (d) Unforgeability, (e) Fairness, (f) Verifiability, (g) Unlinkability among plural auctions, (h) Linkability in an auction, and (i) Efficiency of bidding. Furthermore from the practical point of view we add two properties (j) Easy revocation and (k) One-time registration. A group signature is adapted to an English auction in order to satisfy (a), (b), and (f). However such a direct adoption suffers from the most critical drawback of efficiency in group signatures. In this paper we propose more realistic electronic English auction scheme, which satisfies all of these properties without using a group signature. Notable features of our scheme are: (1) both of bidding and verification of bids are done quite efficiently by introducing a bulletin board, (2) both properties (j) Easy revocation and (k) One-time registration are satisfied.

In an open-bid auction, a bidder can know the budgets of other bidders. Thus, a sealed-bid auction that hides bidding prices is desirable. However, in previous sealed-bid auction protocols, it has been difficult to provide a “fund binding” property, which would guarantee that a bidder has funds more than or equal to the bidding price and that the funds are forcibly withdrawn when the bidder wins. Thus, such protocols are vulnerable to a false bidding. As a solution, many protocols employ a simple deposit method in which each bidder sends a deposit to a smart contract, which is greater than or equal to the bidding price, before the bidding phase. However, this deposit reveals the maximum bidding price, and it is preferable to hide this information. In this paper, we propose a sealed-bid auction protocol that provides a fund binding property. Our protocol not only hides the bidding price and a maximum bidding price, but also provides a fund binding property, simultaneously. For hiding the maximum bidding price, we pay attention to the fact that usual Ethereum transactions and transactions for sending funds to a one-time address have the same transaction structure, and it seems that they are indistinguishable. We discuss how much bidding transactions are hidden. We also employ DECO (Zhang et al., CCS 2020) that proves the validity of the data to a verifier in which the data are taken from a source without showing the data itself. Finally, we give our implementation which shows transaction fees required and compare it to a sealed-bid auction protocol employing the simple deposit method.