Due to the periodic recovery of virtual machines regardless of whether malicious intrusions exist, proactive recovery-based Intrusion Tolerant Systems (ITSs) are being considered for mission-critical applications. However, the virtual replicas can easily be exposed to attacks during their working period, and additionally, proactive recovery-based ITSs are ineffective in eliminating the vulnerability of exposure time, which is closely related to service availability. To address these problems, we propose a novel hybrid recovery-based ITS in this paper. The proposed method utilizes availability-driven recovery and dynamic cluster resizing. The availability-driven recovery method operates the recovery process by both proactive and reactive ways for the system to gain shorter exposure times and higher success rates. The dynamic cluster resizing method reduces the overhead of the system that occurs from dynamic workload fluctuations. The performance of the proposed ITS with various synthetic and real workloads using CloudSim showed that it guarantees higher availability and reliability of the system, even under malicious intrusions such as DDoS attacks.

Survivability is the capability of a system to provide its services in a timely manner even after intrusion and compromise occur. In this paper, we focus on the quantitative analysis of survivability of virtual machine (VM) based intrusion tolerant system in the presence of Byzantine failures due to malicious attacks. Intrusion tolerant system has the ability of a system to continuously provide correct services even if the system is intruded. This paper introduces a scheme of the intrusion tolerant system with virtualization, and derives the success probability for one request by a Markov chain under the environment where VMs have been intruded due to a security hole by malicious attacks. Finally, in numerical experiments, we evaluate the performance of VM-based intrusion tolerant system from the viewpoint of survivability.

This letter presents a method to adaptively counter false data injection attacks (FDIAs) in wireless sensor networks, in which a fuzzy rule-based system detects FDIAs and chooses the most appropriate countermeasures. The method does not require en-route verification processes and manual parameter settings. The effectiveness of the method is shown with simulation results.

We investigated client honeypots for detecting and circumstantially analyzing drive-by download attacks. A client honeypot requires both improved inspection performance and in-depth analysis for inspecting and discovering malicious websites. However, OS overhead in recent client honeypot operation cannot be ignored when improving honeypot multiplication performance. We propose a client honeypot system that is a combination of multi-OS and multi-process honeypot approaches, and we implemented this system to evaluate its performance. The process sandbox mechanism, a security measure for our multi-process approach, provides a virtually isolated environment for each web browser. It prevents system alteration from a compromised browser process by I/O redirection of file/registry access. To solve the inconsistency problem of file/registry view by I/O redirection, our process sandbox mechanism enables the web browser and corresponding plug-ins to share a virtual system view. Therefore, it enables multiple processes to be run simultaneously without interference behavior of processes on a single OS. In a field trial, we confirmed that the use of our multi-process approach was three or more times faster than that of a single process, and our multi-OS approach linearly improved system performance according to the number of honeypot instances. In addition, our long-term investigation indicated that 72.3% of exploitations target browser-helper processes. If a honeypot restricts all process creation events, it cannot identify an exploitation targeting a browser-helper process. In contrast, our process sandbox mechanism permits the creation of browser-helper processes, so it can identify these types of exploitations without resulting in false negatives. Thus, our proposed system with these multiplication approaches improves performance efficiency and enables in-depth analysis on high interaction systems.

At Indocrypt 2005, Coglianese and Goi [1] suggested a new public key cryptosystem, MaTRU, which is a variant of NTRU. MaTRU is defined over ring M of k×k matrices whose elements are in the quotient ring R = Z[X]/(Xn-1). In addition, five example parameter sets suitable for this new structure were proposed. In this paper, we prove that it is impossible to generate appropriate key pairs for four parameter sets among the five proposed in [1] according to the key generation procedure described in [1]. The only parameter set where key pair generation is possible is when p, one of the parameters of MaTRU, is 2 and df, another parameter, is odd. Even with this parameter set, however, the decryption operation defined in [1] cannot recover an original plaintext from a given ciphertext because the value of another parameter, q, has been defined too small in [1]. Therefore, we propose an alternative method for key generation and suggest corrected parameter sets. In addition, a refined analysis for the key security of MaTRU is provided, and it is demonstrated that the key security may be significantly lower than that of the original analysis.

Recently, a malicious user attacks a web browser through a malicious page that exploits the vulnerability of the browser and that executes malicious code. To prevent this attack, some methods have been devised such as DEP (Data Execution Prevention) that prevents data in stack frame or heap region from being executed. However, to evade these defense techniques, return-oriented programming (ROP) is introduced. ROP executes arbitrary code indirectly using gadget, which is group of instructions including ret instruction in a module that doesn't apply ASLR (Address Space Layout Randomization). In this paper, we propose a static approach to detect ROP payload in a network irrespective of the environment of the system under attack. Most studies have tried to detect ROP attacks using dynamic analysis, because ROP has various addresses of gadgets according to loaded modules. These methods have a limitation that must consider the environment of system to operate ROP, such as the version of OS and modules including gadgets. To overcome this limitation, our method detects ROP payload using static analysis without preliminary knowledge about the environment. We extract five characteristics of ROP and then propose a novel algorithm, STROP, to detect ROP in payload without execution. Our idea is as follows: STROP makes stack frame using input payload statically. It extracts addresses suspected as indicating gadgets and makes groups using the addresses. And then, STROP determine whether the payload includes ROP based on static characteristics. We implement a prototype using snort (network-based intrusion system) and evaluate it. Experiments show that our technique can detect ROP payload with a low number of false alarms. False positive (FP) is 1.3% for 2,239 benign files and 0.05-0.51% for 1GB packet dump file. Among 68 ROP payloads, STROP detects 51 payloads. This research can be applied to existing systems that collect malicious codes, such as Honeypot.

The past decade has witnessed a growing interest in vehicular networking. Initially motivated by traffic safety, vehicles equipped with computing, communication and sensing capabilities will be organized into ubiquitous and pervasive networks with a significant Internet presence while on the move. Large amount of data can be generated, collected, and processed on the vehicular networks. Big data on vehicular networks include useful and sensitive information which could be exploited by malicious intruders. But intrusion detection in vehicular networks is challenging because of its unique features of vehicular networks: short range wireless communication, large amount of nodes, and high mobility of nodes. Traditional methods are hard to detect intrusion in such sophisticated environment, especially when the attack pattern is unknown, therefore, it can result unacceptable false negative error rates. As a novel attempt, the main goal of this research is to apply data mining methodology to recognize known attacks and uncover unknown attacks in vehicular networks. We are the first to attempt to adapt data mining method for intrusion detection in vehicular networks. The main contributions include: 1) specially design a decentralized vehicle networks that provide scalable communication and data availability about network status; 2) applying two data mining models to show feasibility of automated intrusion detection system in vehicular networks; 3) find the detection patterns of unknown intrusions.

This letter proposes a novel intrusion tolerant system consisting of several virtual machines (VMs) that refresh the target system periodically and by live migration, which monitors the many features of the VMs to identify and replace exhausted VMs. The proposed scheme provides adequate performance and dependability against denial of service (DoS) attacks. To show its efficiency and security, we conduct experiments on the CSIM20 simulator, which showed 22% improvement in a normal situation and approximately 77.83% improvement in heavy traffic in terms of the response time compared to that reported in the literature. We measure and compare the response time. The result show that the proposed scheme has shorter response time and maintains than other systems and supports services during the heavy traffic.

NTRU is a public key cryptosystem based on hard problems over lattices. In this paper, we present efficient methods for convolution product computation which is a dominant operation of NTRU. The new methods are based on the observation that repeating patterns in coefficients of an NTRU polynomial can be used for the construction of look-up tables, which is a similar approach to the sliding window methods for exponentiation. We provide efficient convolution algorithms to implement this idea, and we make a comprehensive analysis of the complexity of the new algorithms. We also give software implementations over a Pentium IV CPU, a MICAz mote, and a CUDA-based GPGPU platform. According to our analyses and experimental results, the new algorithms speed up the NTRU encryption and decryption operations by up to 41%.

A 24-GHz continuous wave (CW) radar with three vertically switched beam antennas for monitoring different range segments has been newly proposed and developed as a means to detect intruders in a fan-shaped ground area with 90 degs. in azimuth and over 10 m in range. This radar can detect moving targets and measure their positions from a tampering-proof height of about 5 m by taking advantage of a two-frequency-CW modulation technique and monopulse scheme used to achieve the wide azimuth coverage. The radar module consists of microstrip-patch planar antennas and monolithic microwave integrated circuits (MMICs), which are placed on the opposite side of a single metal plate to attain compact size and lower cost. An experimental radar successfully detected a human intruder with a position accuracy of 50 cm when moving at 1.4 m/s.

Detecting spreaders, or scan sources, helps intrusion detection systems (IDS) identify potential attackers. The existing work can only detect aggressive spreaders that scan a large number of distinct destinations in a short period of time. However, stealthy spreaders may perform scanning deliberately at a low rate. We observe that these spreaders can easily evade the detection because current IDS's have serious limitations. Being lightweight, the proposed scheme can detect scan sources in high speed networking while residing in SRAM. By theoretical analysis and experiments on real Internet traffic traces, we demonstrate that the proposed scheme detects stealthy spreaders successfully.

In this paper, we present a fault analysis of the original NTRU public key cryptosystem. The fault model in which we analyze the cipher is the one in which the attacker is assumed to be able to fault a small number of coefficients of the polynomial input to (or output from) the second step of the decryption process but cannot control the exact location of injected faults. For this specific original instantiation of the NTRU encryption system with parameters (N,p,q), our attack succeeds with probability≈ and when the number of faulted coefficients is upper bounded by t, it requires O((pN)t) polynomial inversions in Z/p Z[x]/(xN-1).

Those host-based intrusion detection models like VPStatic first construct a model of acceptable behaviors for each monitored program via static analysis, and then perform intrusion detection by comparing them with programs' runtime behaviors. These models usually share the highly desirable feature that they do not produce false alarms but face the conflicts between accuracy and efficiency. For instance, the high accuracy of the VPStatic model is at the cost of high space complexity. In this paper, we use a statically-constructed state transition table (STT), which records expected transitions among system calls as well as their stack states (return address lists), as a behavior model to perform context-sensitive intrusion detection. According to our analysis, our STT model improves the space efficiency of the VPStatic model without decreasing its high precision and time efficiency. Experiments show that for three test programs, memory uses of our STT models are all much less than half of the VPStatic models'. Thereby, we alleviate the conflicts between the accuracy and the efficiency.

This paper proposes a new pattern matching architecture with multi-character processing for deep packet inspection. The proposed pattern matching architecture detects the start point of pattern matching from multi-character input using input text alignment. By eliminating duplicate hardware components using process element tree, hardware cost is greatly reduced in the proposed pattern matching architecture.

Intrusion Detection Systems (IDS) have been received considerable attention among the network security researchers as one of the most promising countermeasures to defend our crucial computer systems or networks against attackers on the Internet. Over the past few years, many machine learning techniques have been applied to IDSs so as to improve their performance and to construct them with low cost and effort. Especially, unsupervised anomaly detection techniques have a significant advantage in their capability to identify unforeseen attacks, i.e., 0-day attacks, and to build intrusion detection models without any labeled (i.e., pre-classified) training data in an automated manner. In this paper, we conduct a set of experiments to evaluate and analyze performance of the major unsupervised anomaly detection techniques using real traffic data which are obtained at our honeypots deployed inside and outside of the campus network of Kyoto University, and using various evaluation criteria, i.e., performance evaluation by similarity measurements and the size of training data, overall performance, detection ability for unknown attacks, and time complexity. Our experimental results give some practical and useful guidelines to IDS researchers and operators, so that they can acquire insight to apply these techniques to the area of intrusion detection, and devise more effective intrusion detection models.

Packet classification has become one of the most important application techniques in network security since the last decade. The technique involves a traffic descriptor or user-defined criteria to categorize packets to a specific forwarding class which will be accessible for future security handling. To achieve fast packet classification, we propose a new scheme, Hierarchical Cross-Producting. This approach simplifies the classification procedure and decreases the distinct combinations of fields by hierarchically decomposing the multi-dimensional space based on the concept of telescopic search. Analogous to the use of telescopes with different powers**, a multiple-step process is used to search for targets. In our scheme, the multi-dimensional space is endowed with a hierarchical property which self-divides into several smaller subspaces, whereas the procedure of packet classification is translated into recursive searching for matching subspaces. The required storage of our scheme could be significantly reduced since the distinct field specifications of subspaces is manageable. The performance are evaluated based on both real and synthetic filter databases. The experimental results demonstrate the effectiveness and scalability of the proposed scheme.

In the last decade, the technique of packet classification has been widely deployed in various network devices, including routers, firewalls and network intrusion detection systems. In this work, we improve the performance of packet classification by using multiple hash tables. The existing hash-based algorithms have superior scalability with respect to the required space; however, their search performance may not be comparable to other algorithms. To improve the search performance, we propose a tuple reordering algorithm to minimize the number of accessed hash tables with the aid of bitmaps. We also use pre-computation to ensure the accuracy of our search procedure. Performance evaluation based on both real and synthetic filter databases shows that our scheme is effective and scalable and the pre-computation cost is moderate.

The Distributed Denial of Service attack (DDoS) is one of the major threats to network security that exhausts network bandwidth and resources. Recently, an efficient approach Live Baiting was proposed for detecting the identities of DDoS attackers in web service using low state overhead without requiring either the models of legitimate requests nor anomalous behavior. However, Live Baiting has two limitations. First, the detection algorithm adopted in Live Baiting starts with a suspects list containing all clients, which leads to a high false positive probability especially for large web service with a huge number of clients. Second, Live Baiting adopts a fixed threshold based on the expected number of requests in each bucket during the detection interval without the consideration of daily and weekly traffic variations. In order to address the above limitations, we first distinguish the clients activities (Active and Non-Active clients during the detection interval) in the detection process and then further propose a new adaptive threshold based on the Change Point Detection method, such that we can improve the false positive probability and avoid the dependence of detection on sites and access patterns. Extensive trace-driven simulation has been conducted on real Web trace to demonstrate the detection efficiency of the proposed scheme in comparison with the Live Baiting detection scheme.

Nowadays, the number of web-browser targeted attacks that lead users to adversaries' web sites and exploit web browser vulnerabilities is increasing, and a clarification of their methods and countermeasures is urgently needed. In this paper, we introduce the design and implementation of a new client honeypot for drive-by-download attacks that has the capacity to detect and investigate a variety of malicious web sites. On the basis of the problems of existing client honeypots, we enumerate the requirements of a client honeypot: 1) detection accuracy and variety, 2) collection variety, 3) performance efficiency, and 4) safety and stability. We improve our system with regard to these requirements. The key features of our developed system are stepwise detection focusing on exploit phases, multiple crawler processing, tracking of malware distribution networks, and malware infection prevention. Our evaluation of our developed system in a laboratory experiment and field experiment indicated that its detection variety and crawling performance are higher than those of existing client honeypots. In addition, our system is able to collect information for countermeasures and is secure and stable for continuous operation. We conclude that our system can investigate malicious web sites comprehensively and support countermeasures.

The NTRU cryptosystem is a public key system based on lattice problems. While its theoretical security has been well studied, little effort has been made to analyze its security against implementation attacks including power analysis attacks. In this paper, we show that a typical software implementation of NTRU is vulnerable to the simple power analysis and the correlation power analysis including a second-order power attack. We also present novel countermeasures to prevent these attacks, and perform experiments to estimate the performance overheads of our countermeasures. According to our experimental results, the overheads in required memory and execution time are only 8.17% and 9.56%, respectively, over a Tmote Sky equipped with an MSP430 processor.