While the online advertisement is widely used on the web and on mobile applications, the monetary damages by advertising frauds (ad frauds) have become a severe problem. Countermeasures against ad frauds are evaded since they rely on noticeable features (e.g., burstiness of ad requests) that attackers can easily change. We propose an ad-fraud-detection method that leverages robust features against attacker evasion. We designed novel features on the basis of the statistics observed in an ad network calculated from a large amount of ad requests from legitimate users, such as the popularity of publisher websites and the tendencies of client environments. We assume that attackers cannot know of or manipulate these statistics and that features extracted from fraudulent ad requests tend to be outliers. These features are used to construct a machine-learning model for detecting fraudulent ad requests. We evaluated our proposed method by using ad-request logs observed within an actual ad network. The results revealed that our designed features improved the recall rate by 10% and had about 100,000-160,000 fewer false negatives per day than conventional features based on the burstiness of ad requests. In addition, by evaluating detection performance with long-term dataset, we confirmed that the proposed method is robust against performance degradation over time. Finally, we applied our proposed method to a large dataset constructed on an ad network and found several characteristics of the latest ad frauds in the wild, for example, a large amount of fraudulent ad requests is sent from cloud servers.

This paper proposes an electronic retail payment system to provide flexible and efficient funds transfers with adequate security, reliability, circulativity, and anonymity even in large-scale applications. Funds are represented by a portable intelligent device called a card issued by a supervising organization, the system provider. Funds can be transferred from a card to another at an intelligent terminal called a mediator. To update the balance of each card, two digital signatures are generated by a three-party protocol conducted by the cards and mediator, and are encoded and appended to a write-once separate memory in the card. Old signatures are simultaneously nullified. Through a wired or radio non-real-time link, the generated signatures are periodically reported to the system provider to systemically manage possible abuses.

Recently, criminals frequently utilize logical attacks to install malware in the PC of Automated Teller Machines (ATMs) for the sake of unauthorized cash withdrawal from ATMs. Malware in the PC sends unauthorized cash dispensing commands to the dispenser to withdraw cash without generating a transaction. Existing security measures primarily try to protect information property in the PC so as not to be compromised by malware. Such security measures are not so effective or efficient because the PC contains too many protected items to tightly control them in present ATM operational environments. This paper proposes a new ATM security measure based on secure peripheral devices; the secure dispenser in an ATM verifies the authenticity of a received dispensing command with the withdrawal transaction evidence, which is securely transferred from the secure card reader of an ATM. The card reader can capture the transaction evidence since all transaction data flows through the card reader in a smart card transaction. Even though the PC is compromised, unauthorized dispensing commands are not accepted by the secure dispenser. As a result, the new security measure does not impose heavy burden of tighter security managements for the PCs on financial institutes while achieving stringent security for the logical attacks to ATMs.

A drastic increase in cyberattacks targeting Internet of Things (IoT) devices using telnet protocols has been observed. IoT malware continues to evolve, and the diversity of OS and environments increases the difficulty of executing malware samples in an observation setting. To address this problem, we sought to develop an alternative means of investigation by using the telnet logs of IoT honeypots and analyzing malware without executing it. In this paper, we present a malware classification method based on malware binaries, command sequences, and meta-features. We employ both unsupervised or supervised learning algorithms and text-mining algorithms for handling unstructured data. Clustering analysis is applied for finding malware family members and revealing their inherent features for better explanation. First, the malware binaries are grouped using similarity analysis. Then, we extract key patterns of interaction behavior using an N-gram model. We also train a multiclass classifier to identify IoT malware categories based on common infection behavior. For misclassified subclasses, second-stage sub-training is performed using a file meta-feature. Our results demonstrate 96.70% accuracy, with high precision and recall. The clustering results reveal variant attack vectors and one denial of service (DoS) attack that used pure Linux commands.

Many malicious programs we encounter these days are armed with their own custom encoding methods (i.e., they are packed) to deter static binary analysis. Thus, the initial step to deal with unknown (possibly malicious) binary samples obtained from malware collecting systems ordinarily involves the unpacking step. In this paper, we focus on empirical experimental evaluations on a generic unpacking method built on a dynamic binary instrumentation (DBI) framework to figure out the applicability of the DBI-based approach. First, we present yet another method of generic binary unpacking extending a conventional unpacking heuristic. Our architecture includes managing shadow states to measure code exposure according to a simple byte state model. Among available platforms, we built an unpacking implementation on PIN DBI framework. Second, we describe evaluation experiments, conducted on wild malware collections, to discuss workability as well as limitations of our tool. Without the prior knowledge of 6029 samples in the collections, we have identified at around 64% of those were analyzable with our DBI-based generic unpacking tool which is configured to operate in fully automatic batch processing. Purging corrupted and unworkable samples in native systems, it was 72%.

This paper proposes a new concept of Interaction key. An interaction key is a group public key that corresponds to a shared key shared by multiple users, and it has a new feature that an interaction key generator can verify the following: the shared key has been generated now, and the shared key has not existed before. In other words, the multiple users can prove them to the key generator. This feature is different from Time-stamp technology proves that a message existed at a point in time. Here, the key generator is a third party that can observe communications of the multiple users. Present technology only allows a group member or a privileged entity to generate a group public key. We are not presently aware of a technology where a third party can generate the group public key as above. The interaction key technology is useful both for generating public key certificates and for message certification. In a certificate generation, a certificate authority can issue a public key certificate with the shared key (i.e. secret key) to be used by the multiple users. In a message certification, the users can prove the signed message has not existed before, since the message is signed by the shared key corresponds to the interaction key.

Malware sandbox analysis, in which a malware sample is actually executed in a testing environment (i.e. sandbox) to observe its behavior, is one of the promising approaches to tackling the emerging threats of exploding malware. As a lot of recent malware actively communicates with remote hosts over the Internet, sandboxes should also support an Internet connection, otherwise important malware behavior may not be observed. In this paper, we propose a multi-pass sandbox analysis with a controlled Internet connection. In the proposed method, we start our analysis with an isolated sandbox and an emulated Internet that consists of a set of dummy servers and hosts that run vulnerable services, called Honeypots in the Sandbox (HitS). All outbound connections from the victim host are closely inspected to see if they could be connected to the real Internet. We iterate the above process until no new behaviors are observed. We implemented the proposed method in a completely automated fashion and evaluated it with malware samples recently captured in the wild. Using a simple containment policy that authorizes only certain application protocols, namely, HTTP, IRC, and DNS, we were able to observe a greater variety of behaviors compared with the completely isolated sandbox. Meanwhile, we confirmed that a noticeable number of IP scans, vulnerability exploitations, and DoS attacks are successfully contained in the sandbox. Additionally, a brief comparison with two existing sandbox analysis systems, Norman Sandbox and CWSandbox, are shown.

This paper proposes a user revocation scheme for decentralized networks. User revocation is a method to distribute a group decryption key that is shared by n users in a group so that all but d revoked users can obtain the key. In decentralized networks such as ad-hoc networks, mesh networks, and Peer to Peer (P2P) networks, a sender should revoke the access of a dishonest user or an unauthorized user as soon as possible to protect the security of group communication. However, if the sender distributes the group key to all users aside from the revoked user, it would take a long time to revoke a user in a large group. In addition, users must set shared group keys for each user without a privileged center. We propose a scheme in which the amount of transmission and the key storage of each user are small.

Aggregate signature schemes enable us to aggregate multiple signatures into a single short signature. One of its typical applications is sensor networks, where a large number of users and devices measure their environments, create signatures to ensure the integrity of the measurements, and transmit their signed data. However, if an invalid signature is mixed into aggregation, the aggregate signature becomes invalid, thus if an aggregate signature is invalid, it is necessary to identify the invalid signature. Furthermore, we need to deal with a situation where an invalid sensor generates invalid signatures probabilistically. In this paper, we introduce a model of aggregate signature schemes with interactive tracing functionality that captures such a situation, and define its functional and security requirements and propose aggregate signature schemes that can identify all rogue sensors. More concretely, based on the idea of Dynamic Traitor Tracing, we can trace rogue sensors dynamically and incrementally, and eventually identify all rogue sensors of generating invalid signatures even if the rogue sensors adaptively collude. In addition, the efficiency of our proposed method is also sufficiently practical.

Spread spectrum systems have been recently studied and developed for commercial applications, because they have some advantages such as robustness against interference and a noise, low probability of intercept, realization of code-division multiple access, high accuracy ranging and so on. In this paper we analyze the information security of spread spectrum systems into confidentiality, untraceability, authenticity, and antijamming property and present some measures to achieve these properties using cryptographic techniques. We show that the spreading sequences play central role in the information security issues of spread spectrum systems. A generation method of the spreading sequence having high-security property is proposed.

Web-based social engineering (SE) attacks manipulate users to perform specific actions, such as downloading malware and exposing personal information. Aiming to effectively lure users, some SE attacks, which we call multi-step SE attacks, constitute a sequence of web pages starting from a landing page and require browser interactions at each web page. Also, different browser interactions executed on a web page often branch to multiple sequences to redirect users to different SE attacks. Although common systems analyze only landing pages or conduct browser interactions limited to a specific attack, little effort has been made to follow such sequences of web pages to collect multi-step SE attacks. We propose STRAYSHEEP, a system to automatically crawl a sequence of web pages and detect diverse multi-step SE attacks. We evaluate the effectiveness of STRAYSHEEP's three modules (landing-page-collection, web-crawling, and SE-detection) in terms of the rate of collected landing pages leading to SE attacks, efficiency of web crawling to reach more SE attacks, and accuracy in detecting the attacks. Our experimental results indicate that STRAYSHEEP can lead to 20% more SE attacks than Alexa top sites and search results of trend words, crawl five times more efficiently than a simple crawling module, and detect SE attacks with 95.5% accuracy. We demonstrate that STRAYSHEEP can collect various SE attacks, not limited to a specific attack. We also clarify attackers' techniques for tricking users and browser interactions, redirecting users to attacks.

This paper describes some representations of a mapping and their simplification. Any mapping from a finite set into another can be represented by a sequence of Boolean functinos if we encode its domain and range to finite binary sequences. The complexity of the representation depends on the encoding. We present a problem of finding an algorithm that derives one of the simplest representations of a given mapping, and solve it in a case where the complexity measure is determined according to the number of literals in disjunctive forms.

This paper describes the design principles, the specification, and evaluations of a new 128-bit block cipher E2, which was proposed to the AES (Advanced Encryption Standard) candidates. This algorithm supports 128-bit, 192-bit, and 256-bit secret keys. The design philosophy of E2 is highly conservative; the structure uses 12-round Feistel as its main function whose round function is constructed with 2-round SPN structure, and initial/final transformational functions. E2 has practical security against differential attack, linear attack, cryptanalysis with impossible differential, truncated differential attack, and so on. Furthermore, E2 can be implemented efficiently and flexibly on various platforms because the primitive operations involve byte length processing.

The authors present a multiparty signature generation (MSG) scheme of the Digital Signature Algorithm (FIPS 186-1). The scheme is based on a simple idea, however, it is much more convenient in usability in the real world than existing MSGs. The scheme has the following properties: (1) valid signatures are generated with odd n split private keys, (2) broadcast messages between the key holders are hidden from them, so that the n key holders do not need to process signature generation simultaneously, (3) even if up to t (= ) split keys are stolen, the adversary can get no information on the private key, (4) the scheme is as secure as the original signature algorithm against chosen message attack, and (5) the scheme is efficient in the sense that an implementation on smart card has demonstrated practical performance for interactive use with human user.

This paper studies security of Feistel ciphers with SPN round function against differential cryptanalysis, linear cryptanalysis, and truncated differential cryptanalysis from the "designer's standpoint." In estimating the security, we use the upper bounds of differential characteristic probability, linear characteristic probability and truncated differential probability, respectively. They are useful to design practically secure ciphers against these cryptanalyses. Firstly, we consider the minimum numbers of differential and linear active s-boxes. They provide the upper bounds of differential and linear characteristic probability, which show the security of ciphers constructed by s-boxes against differential and linear cryptanalysis. We clarify the (lower bounds of) minimum numbers of differential and linear active s-boxes in some consecutive rounds of the Feistel ciphers by using differential and linear branch numbers, Pd, Pl, respectively. Secondly, we discuss the following items on truncated differential probability from the designer's standpoint, and show how the following items affect the upper bound of truncated differential probability; (a) truncated differential probability of effective active-s-box, (b) XOR cancellation probability, and (c) effect of auxiliary functions. Finally, we revise Matsui's algorithm using the above discussion in order to evaluate the upper bound of truncated differential probability, since we consider the upper bound of truncated differential probability as well as that of differential and linear probability.

This paper demonstrates and confirms that a large-network-oriented key sharing method called the key predistribution system (KPS) is really practical and useful for supporting end-to-end cryptographic communication, by presenting a prototype implementation of KPS using special IC cards and its application to facsimile systems. This prototype can build a secure channel over any ordinary facsimile network using the following types of equipments: (1) an IC card implementing a linear scheme for KPS and the DES algorithm, (2) an adaptor-type interface device between the IC card and a facsimile terminal with no cryptographic function, and (3) a device for each managing center of KPS.

The Internet of Things (IoT) implicates an infrastructure that creates new value by connecting everything with communication networks, and its construction is rapidly progressing in anticipation of its great potential. Enhancing the security of IoT is an essential requirement for supporting IoT. For ensuring IoT security, it is desirable to create a situation that even a terminal component device with many restrictions in computing power and energy capacity can easily verify other devices and data and communicate securely by the use of public key cryptography. To concretely achieve the big goal of penetrating public key cryptographic technology to most IoT end devices, we elaborated the secure cryptographic unit (SCU) built in a low-end microcontroller chip. The SCU comprises a hardware cryptographic engine and a built-in access controlling functionality consisting of a software gate and hardware gate. This paper describes the outline of our SCU construction technology's research and development and prospects.

The access control method adopted by UNIX is simple, understandable, and useful. However, it is quite possible that unexpected information flows occur when we are cooperating with some group members on UNIX. Introducing notions such as "flow right," "maximal permission" and "minimal umask value", this note proposes a simple method, can be seen as a natural extension of UNIX, to control indirect information flows without losing availability and understandability of UNIX.

A fault-tolerant aggregate signature (FT-AS) scheme is a variant of an aggregate signature scheme with the additional functionality to trace signers that create invalid signatures in case an aggregate signature is invalid. Several FT-AS schemes have been proposed so far, and some of them trace such rogue signers in multi-rounds, i.e., the setting where the signers repeatedly send their individual signatures. However, it has been overlooked that there exists a potential attack on the efficiency of bandwidth consumption in a multi-round FT-AS scheme. Since one of the merits of aggregate signature schemes is the efficiency of bandwidth consumption, such an attack might be critical for multi-round FT-AS schemes. In this paper, we propose a new multi-round FT-AS scheme that is tolerant of such an attack. We implement our scheme and experimentally show that it is more efficient than the existing multi-round FT-AS scheme if rogue signers randomly create invalid signatures with low probability, which for example captures spontaneous failures of devices in IoT systems.

In recent years, cyber attacks against infrastructure have become more serious. Unfortunately, infrastructures with vulnerable remote management devices, which allow attackers to control the infrastructure, have been reported. Targeted attacks against infrastructure are conducted manually by human attackers rather than automated scripts. Here, open questions are how often the attacks against such infrastructure happen and what attackers do after intrusions. In this empirical study, we observe the accesses, including attacks and security investigation activities, using the customized infrastructure honeypot. The proposed honeypot comprises (1) a platform that easily deploys real devices as honeypots, (2) a mechanism to increase the number of fictional facilities by changing the displayed facility names on the WebUI for each honeypot instance, (3) an interaction mechanism with visitors to infer their purpose, and (4) tracking mechanisms to identify visitors for long-term activities. We implemented and deployed the honeypot for 31 months. Our honeypot observed critical operations, such as changing configurations of a remote management device. We also observed long-term access to WebUI and Telnet service of the honeypot.