Publishing type：Research paper (international conference proceedings)  

© 2019 IEEE. Authoritative DNS server hijacking has been a critical threat which can be hardly prevented by DNSSEC. In this work, we propose a machine learning based detection method against DNS responses replied from hijacked external authoritative DNS servers by DNS traffic data classification and heuristic analysis. The proposed method consists of header, answer, authority and additional section analysis each of which is combined with the corresponding question section. The decision maker decides if a DNS query-response pair has been related to a hijacked external authoritative DNS server by conducting heuristic analysis on the classified DNS traffic data with comparing with old cached DNS data. We have setup a local experimental network and achieved DNS traffic data (A records) of the top 500 FQDNs listed on Alexa web site for about one month and confirmed that the required features can be attracted from the DNS traffic data. Accordingly, we confirmed that it was expectable to conduct the DNS traffic classification and heuristic analysis in order to detect DNS responses replied from hijacked external authoritative DNS servers. The future work includes the DNS traffic data training and the evaluations on a local experimental network as well as in a large scale real network environment.

DOI： 10.1109/BigData47090.2019.9006365

Scopus

researchmap

Publishing type：Research paper (international conference proceedings)  

© 2019 IEEE. DNS based domain name resolution has been known as one of the most fundamental Internet services. In the meanwhile, DNS cache poisoning attacks also have become a critical threat in the cyber world. In addition to Kaminsky attacks, the falsified data from the compromised authoritative DNS servers also have become the threats nowadays. Several solutions have been proposed in order to prevent DNS cache poisoning attacks in the literature for the former case such as DNSSEC (DNS Security Extensions), however no effective solutions have been proposed for the later case. Moreover, due to the performance issue and significant workload increase on DNS cache servers, DNSSEC has not been deployed widely yet. In this work, we propose an advanced detection method against DNS cache poisoning attacks using machine learning techniques. In the proposed method, in addition to the basic 5-tuple information of a DNS packet, we intend to add a lot of special features extracted based on the standard DNS protocols as well as the heuristic aspects such as 'time related features', 'GeoIP related features' and 'trigger of cached DNS data', etc., in order to identify the DNS response packets used for cache poisoning attacks especially those from compromised authoritative DNS servers. In this paper, as a work in progress, we describe the basic idea and concept of our proposed method as well as the intended network topology of the experimental environment while the prototype implementation, training data preparation and model creation as well as the evaluations will belong to the future work.

DOI： 10.1109/NCA.2019.8935025

Scopus

researchmap

Publishing type：Research paper (international conference proceedings)  

© 2019 IEEE. Cybersecurity threats from malware attacks has become one of the most serious issues in the Internet nowadays. Most types of malware, after intruding an individual computer, attempt to connect the corresponding Command and Control (CC) servers using IP addresses or Fully Qualified Domain Name (FQDN) and receive further instructions (e.g. attacking target IP addresses and FQDNs) from them in order to conduct subsequent cyber attacks. In recent years, it has been clarified that DNS traffic has been used for communication between the malware infection computers and the CC servers. In this research, we focus on these peculiarities and propose a method for detecting malware infected computers by monitoring unintended DNS traffic on wireless networks by collaboration with DHCP (Dynamic Host Configuration Protocol) server. By deploying the proposed system on campus wireless networks, the computers within DHCP configured environment can be detected when they are infected by some types of malware and it attempts to communicate with the corresponding CC servers using DNS (Domain Name System) protocol. In this paper, we describe the detailed design of the proposed method and the future work includes prototype implementation as well as evaluations.

DOI： 10.1109/PACRIM47961.2019.8985052

Scopus

researchmap

Publishing type：Research paper (international conference proceedings)  

© 2019 IEEE Nowadays mobile devices have become the majority terminals used by people for social activities so that carrying business data and private information in them have become normal. Accordingly, the risk of data related cyber attacks has become one of the most critical security concerns. The main purpose of this work is to mitigate the risk of data breaches and damages caused by malware and the lost of mobile devices. In this paper, we propose an encrypted QR code based optical challenge-response authentication by mobile devices for mounting concealed file systems. The concealed file system is basically invisible to the users unless being successfully mounted. The proposed authentication scheme practically applies cryptography and QR code technologies to challenge-response scheme in order to secure the concealed file system. The key contribution of this work is to clarify a possibility of a mounting authentication scheme involving two mobile devices using a special optical communication way (QR code exchanges) which can be realizable without involving any network accesses. We implemented a prototype system and based on the preliminary feature evaluations results we confirmed that encrypted QR code based optical challenge-response is possible between a laptop and a smart phone and it can be applied to authentication for mounting concealed file systems.

DOI： 10.1109/COMPSAC.2019.10286

Scopus

researchmap

Language：English   Publishing type：Research paper (international conference proceedings)   Publisher：IEEE  

IoT remote control is faced with scalability, secure communication and privacy preservation issues and conventional solutions (HTTPS) have disclosed poor scaling problem and privacy concerns. In this paper, we propose a novel lightweight and secure IoT remote monitoring mechanism using DNS with privacy preservation. Basically, the communication between IoT devices and gateways uses the conventional protocols as usual such as CoAP and MQTT while only the remote monitoring uses DNS protocol. That is, encrypted IoT data, after being encoded with base64, is stored as a DNS TXT record of the domain name of the IoT device and only the designated users are allowed to query and decrypt the data based on TSIG authentication of DNS protocol and asymmetric cryptography. We implemented a prototype system over name-bound virtual networks (NBVNs) in which all virtual nodes are registered in DNS automatically and the network traffic is restricted within each NBVN. Through the preliminary evaluations we confirmed the effectiveness of secure communication and privacy preservation in IoT remote monitoring in the proposed mechanism.

Web of Science

researchmap

Publishing type：Research paper (international conference proceedings)   Publisher：IEEE  

DOI： 10.1109/ITNAC46935.2019.9078020

researchmap

Publishing type：Research paper (international conference proceedings)   Publisher：IEEE  

DOI： 10.1109/BigData47090.2019.9006365

researchmap

Publishing type：Research paper (scientific journal)  

© 2018 The Institute of Electronics, Information and Communication Engineers. Data breach and data destruction attack have become the critical security threats for the ICT (Information and Communication Technology) infrastructure. Both the Internet service providers and users are suffering from the cyber threats especially those to confidential data and private information. The requirements of human social activities make people move carrying confidential data and data breach always happens during the transportation. The Internet connectivity and cryptographic technology have made the usage of confidential data much secure. However, even with the high deployment rate of the Internet infrastructure, the concerns for lack of the Internet connectivity make people carry data with their mobile devices. In this paper, we describe the main patterns of data breach occur on mobile devices and propose a secure in-depth file system concealed by GPS-based mounting authentication to mitigate data breach on mobile devices. In the proposed in-depth file system, data can be stored based on the level of credential with corresponding authentication policy and the mounting operation will be only successful on designated locations. We implemented a prototype system using Veracrypt and Perl language and confirmed that the in-depth file system worked exactly as we expected by evaluations on two locations. The contribution of this paper includes the clarification that GPS-based mounting authentication for a file system can reduce the risk of data breach for mobile devices and a realization of prototype system.

DOI： 10.1587/transinf.2017ICP0017

Web of Science

Scopus

researchmap

Language：English   Publishing type：Research paper (scientific journal)   Publisher：IEICE-INST ELECTRONICS INFORMATION COMMUNICATIONS ENG  

Data breach and data destruction attack have become the critical security threats for the ICT (Information and Communication Technology) infrastructure. Both the Internet service providers and users are suffering from the cyber threats especially those to confidential data and private information. The requirements of human social activities make people move carrying confidential data and data breach always happens during the transportation. The Internet connectivity and cryptographic technology have made the usage of confidential data much secure. However, even with the high deployment rate of the Internet infrastructure, the concerns for lack of the Internet connectivity make people carry data with their mobile devices. In this paper, we describe the main patterns of data breach occur on mobile devices and propose a secure in-depth file system concealed by GPS-based mounting authentication to mitigate data breach on mobile devices. In the proposed in-depth file system, data can be stored based on the level of credential with corresponding authentication policy and the mounting operation will be only successful on designated locations. We implemented a prototype system using Veracrypt and Perl language and confirmed that the in-depth file system worked exactly as we expected by evaluations on two locations. The contribution of this paper includes the clarification that GPS-based mounting authentication for a file system can reduce the risk of data breach for mobile devices and a realization of prototype system.

DOI： 10.1587/transinf.2017ICP0017

Web of Science

researchmap

Language：English   Publishing type：Research paper (international conference proceedings)   Publisher：IEEE  

DNSSEC has been proposed to provide data origin authentication and data integrity between recursive DNS server and authoritative zone server. Although DNSSEC is an effective countermeasure to DNS cache poisoning attack, it still has low deployment rate in the Internet due to the significant workload increase on recursive DNS servers. Moreover, current DNSSEC operation does not cover end clients and the recursive DNS server separation has not been considered so that end users do not intend to use free and powerful public recursive DNS servers due to security concerns. In this paper, we propose a client based DNSSEC validation mechanism with recursive DNS server separation based on query types. DNSSEC related record types such as RRSIG, DNSKEY, DS, etc. will be forwarded to a trusted internal recursive DNS server while normal record types such as A, AAAA, MX, etc. will be forwarded to public recursive DNS server, and eventually, DNSSEC validation will be performed on end clients. Consequently, not only end clients can obtain the benefit of DNSSEC but also the workload increase of internal recursive DNS servers can be mitigated. We implemented a prototype system and evaluated the features on a local experimental network. Based on the results, we confirmed that the prototype system worked effectively and it is possible to prevent end clients from DNS cache poisoning attacks by the proposed mechanism.

Web of Science

researchmap

Language：English   Publishing type：Research paper (international conference proceedings)   Publisher：IEEE  

Malware has become one of the most critical targets of network security solutions nowadays. Many types of malware receive further instructions from the C&C servers and the attack targets may be instructed by IP addresses which causes direct attacks without DNS name resolution from the malware-infected computers. In the meanwhile, several programs that are hidden from the users (e.g. malware, virus, etc.) may perform DNS name resolutions for cyber attacks or other communications. In this paper, we propose a client based anomaly traffic detection and blocking mechanism by monitoring DNS name resolution per application program. In the proposed mechanism, by the collaboration of DNS proxy and packet filter, DNS traffic is monitored on the client and the traffic destined to the IP addresses obtained without DNS name resolution or the traffic from unrecognized programs will be detected and blocked. In addition, in order to mitigate false positive detection, an alert-window will be shown to let the users decide whether to allow the traffic or not. We implemented a prototype system on a Windows 7 client and confirmed that the proposed mechanism worked as expected.

DOI： 10.1109/CW.2018.00070

Web of Science

researchmap

Language：English   Publishing type：Research paper (scientific journal)   Publisher：IEICE-INST ELECTRONICS INFORMATION COMMUNICATIONS ENG  

The widespread usage of computers and communication networks affects people's social activities effectively in terms of intercommunication and the communication generally begins with domain name resolutions which are mainly provided by DNS (Domain Name System). Meanwhile, continuous cyber threats to DNS such as cache poisoning also affects computer networks critically. DNSSEC (DNS Security Extensions) is designed to provide secure name resolution between authoritative zone servers and DNS full resolvers. However high workload of DNSSEC validation on DNS full resolvers and complex key management on authoritative zone servers hinder its wide deployment. Moreover, querying clients use the name resolution results validated on DNS full resolvers, therefore they only get errors when DNSSEC validation fails or times out. In addition, name resolution failure can occur on querying clients due to technical and operational issues of DNSSEC. In this paper, we propose a client based DNSSEC validation system with adaptive alert mechanism considering minimal querying client timeout. The proposed system notifies the user of alert messages with answers even when the DNSSEC validation on the client fails or timeout so that the user can determine how to handle the received answers. We also implemented a prototype system and evaluated the features on a local experimental network as well as in the Internet. The contribution of this article is that the proposed system not only can mitigate the workload of DNS full resolvers but also can cover querying clients with secure name resolution, and by solving the existing operation issues in DNSSEC, it also can promote DNSSEC deployment.

DOI： 10.1587/transinf.2016ICP0028

Web of Science

researchmap

Language：English   Publisher：The Institute of Electronics, Information and Communication Engineers  

<p>The widespread usage of computers and communication networks affects people's social activities effectively in terms of intercommunication and the communication generally begins with domain name resolutions which are mainly provided by DNS (Domain Name System). Meanwhile, continuous cyber threats to DNS such as cache poisoning also affects computer networks critically. DNSSEC (DNS Security Extensions) is designed to provide secure name resolution between authoritative zone servers and DNS full resolvers. However high workload of DNSSEC validation on DNS full resolvers and complex key management on authoritative zone servers hinder its wide deployment. Moreover, querying clients use the name resolution results validated on DNS full resolvers, therefore they only get errors when DNSSEC validation fails or times out. In addition, name resolution failure can occur on querying clients due to technical and operational issues of DNSSEC. In this paper, we propose a client based DNSSEC validation system with adaptive alert mechanism considering minimal querying client timeout. The proposed system notifies the user of alert messages with answers even when the DNSSEC validation on the client fails or timeout so that the user can determine how to handle the received answers. We also implemented a prototype system and evaluated the features on a local experimental network as well as in the Internet. The contribution of this article is that the proposed system not only can mitigate the workload of DNS full resolvers but also can cover querying clients with secure name resolution, and by solving the existing operation issues in DNSSEC, it also can promote DNSSEC deployment.</p>

DOI： 10.1587/transinf.2016ICP0028

researchmap

Language：English   Publishing type：Research paper (international conference proceedings)   Publisher：IEEE  

The widespread computers in all over the world are connected with each other via the Internet and their communications normally begin with domain name resolutions which are mainly provided by DNS (Domain Name System). Recent cyber threats to DNS system attract much attentions of DNSSEC (DNS Security Extensions) which can provide secure name resolution services. However the high workload on DNS full resolvers and complex key management hinders its wide deployment. In addition, in the current DNSSEC protocol, secure name resolution does not cover end clients. In order to solve the problem, in this paper, we propose a client based DNSSEC validation and alert system. The proposed system not only can mitigate the workload of DNS full resolvers but also can perform DNSSEC validation on clients. Furthermore, the system also notifies the user of failure message so that the user can determine whether trust the answer or not rather than just receives "server failure" error in case DNSSEC validation fails. We also implemented a prototype system and evaluated the proposed features on a local experimental network. Based on the evaluation results, we confirmed that the proposed system worked well as we expected.

DOI： 10.1109/COMPSAC.2016.91

Web of Science

researchmap

Language：Japanese   Publisher：日本ソフトウェア科学会  

DOI： 10.11309/jssst.18.455

CiNii Books

researchmap

Language：Japanese   Publisher：日本ソフトウェア科学会  

システムが停止することを仮定した性質(例えば,「システムの終了は必ず正常終了である」という性質)を時間論理を用いて検証する場合には,有限な時間構造を意味論に持つ様相論理KWを用いることができる。本論文では,KWに対する様相演算子の列の統一化を用いる分解証明法を提案する。式が有限な時間構造のモデルを持たないことを確認するためには,もし式がモデルを持つならば,無限に遷移するモデルしか持たないことを調べる必要がある。ところが,様相演算子列の統一化を用いる証明法で,それを確認することは困難であった。本論文では,有限な時間構造と式の充足可能性が一致する非反復構造を導入した。式が非反復構造のモデルを持たないことを確認するためには,もし式がモデルを持つならば,繰り返し同じ遷移をするモデルしか持たないことを調べればよい。この性質に基づき,KWで式が充足不能であることを調べる証明法を構成した

Scopus

researchmap

DOI： 10.11309/jssst.18.78

researchmap

Language：Japanese   Publisher：日本ソフトウェア科学会  

CiNii Books

researchmap

Language：Japanese  

J-GLOBAL

researchmap

Language：English   Publisher：IEEE  

Many reports predicted that the number of connected IoT (Internet of Things) devices will reach to billions in the next several years, accordingly, how to securely and effectively manage, monitor and control them becomes a critical problem. In conventional IoT solutions, direct SSL/TLS based HTTP connections to IoT devices with high overhead are required and encryption is not considered due to low computing capability and memory capacity of IoT devices. In this paper, we propose an integrated mechanism using DNS (Domain Name System) to accomplish the objective. In the proposed mechanism, names or IDs of IoT devices are managed by DNS server and the monitoring and control are conducted by the collaboration of DNS name resolution, DNS dynamic update and DNS zone transfer. Considering the security and privacy protection, the status and control command for IoT devices described in the corresponding DNS TXT records will be encrypted and TSIG (Transaction SIGnatures) will be used for authentication to restrict the clients allowed to monitor and control the IoT devices.

DOI： 10.1109/COMPSAC.2017.33

Web of Science

researchmap

Language：English   Publisher：IEEE  

Domain Name System (DNS) is one of the most important services of the Internet since most communications normally begin with domain name resolutions provided by DNS. However, DNS has vulnerability against some kind of attacks such as DNS spoofing, DNS cache poisoning, and so on. DNSSEC is an security extension of DNS to provide secure name resolution services by using digital signature based on public key cryptography. However, there are several problems with DNSSEC such as failing resolution in case of validation failure, increasing the load of DNS full resolver, and so on. To mitigate these problems, we proposed a Client Based DNSSEC Validation System. This system performs DNSSEC validation on the client, and in case of validation failure, it forwards the failed response and alerts the user to the fact. However, this system has a problem that it inactivates the cache function of validation library so that it always performs DNSSEC validation even for the same query. In this paper, we report how to solve this problem by multithreading of DNSSEC validation system.

DOI： 10.1109/COMPSAC.2017.78

Web of Science

researchmap

Language：English   Publisher：IEEE  

With the development of ICT (Information and Communication Technology), computer and the Internet have become indispensable for people's social activities while cyber security threats keep on increase trend. Unfortunately, the current popular security facilities cannot efficiently detect cyber attacks due to a tremendous amount of network traffic needs to be analyzed. In this paper, we focus on DNS (Domain Name System) name resolution and propose an efficient detection method of suspicious DNS traffic by resolver separation per application program. Based on that almost all kinds of software including malware use DNS name resolution, in the proposed method, the DNS queries will be forwarded to different DNS full resolver per application program. The DNS queries from well-known application programs such as Internet browsers and anti-virus software will be forwarded to a normal DNS full resolver while others from unknown application programs such as malware will be forwarded to a highly-monitored DNS full resolver. Consequently, the DNS queries from unknown application programs can be detected immediately since there will be only little DNS traffic need to be analyzed compare to the whole network traffic. We implemented a prototype system on a windows operating system and evaluated the features on a local experimental network. According to the evaluation results, we confirmed that the proposed method can precisely forward the DNS queries based on the application programs correctly, and also the DNS queries are logged on the client by mapping with the corresponding application program which initialized the DNS queries.

DOI： 10.1109/ICTC.2017.8190948

Web of Science

researchmap

Language：English   Publisher：ATLANTIS PRESS  

We provide a unification-based resolution method for basic modal logics. Because we use a clausal normal form that is quite similar to that in first-order logic, our method has good prospects for importing proof strategies for resolution methods from first-order logic. Furthermore, we show a solution for obtaining a resolution method for the modal logic KM, the frames of which are first-order and undefinable. It is impossible to make a unification rule for the modal logics of first-order undefinable frames in a similar way to that of basic modal logics. In this paper, we use a clausal rewriting rule for KM in addition to modal unification. We expect that this kind of adaptation can be applied to the construction of unification-based proof methods for other modal logics with first-order undefinable frames.

Web of Science

researchmap

Language：English   Publisher：IEEE  

Security threats from cyber attacks never stop threatening human's social activities. Even though, carrying mobile devices with confidential data is still popular among people without constraint due to business needs and usability. In this paper, we propose an in-depth concealed file system with GPS authentication adaptable for multiple locations in order to mitigate data breaches and file destructions on mobile devices. The proposed file system has in-depth layout and is mountable only when the mobile device is in the designated areas using GPS authentication. Different security policies can be set for each layer and data can be separately stored in each layer based on the confidentiality. Moreover, usability is considered as high priority and an automatic mounting feature is also introduced since people cannot be bordered to run the program a lot times. We implemented a 2-layer prototype system with combination of GPS only authentication (lightweight) and collaborated authentication (mobile device and smart phone). According to the preliminary evaluation results, we confirmed that the proposed in-depth concealed file system can contribute to mitigate the risk of data breaches and destructions on mobile devices.

DOI： 10.1109/COMPSAC.2017.56

Web of Science

researchmap

Language：Japanese  

J-GLOBAL

researchmap

Language：Japanese  

DOI： 10.1109/COMPSAC.2016.91

Web of Science

J-GLOBAL

researchmap

Language：Japanese   Publisher：電子情報通信学会  

researchmap

Language：Japanese   Publisher：電子情報通信学会  

researchmap

Language：Japanese  

J-GLOBAL

researchmap

Language：English   Publisher：IEEE  

VPN (Virtual Private Network) technology is well used for remote access to the internal server in order to mitigate intrusion attacks and data breaches. In the current VPN technologies, PKI (Public Key Infrastructure) based certificate authentication and user ID/Password authentication are well used. However, in case of password leakage and lost of mobile devices, those authentication methods cannot effectively prevent the malicious accesses. In this paper, we propose an enhancement method of VPN authentication using GPS (Global Positioning System) information with geo-privacy protection. In this method, the GPS information of the client is used for VPN authentication without leaking the raw GPS coordinates of the client. Specifically, the hash values of GPS coordinate ranges will be registered on the VPN authentication server in order to protect the user geo-privacy. By using the proposed method, the remote access via VPN tunnel can be controlled within all designated areas so that the risk of intrusion attacks can be mitigated significantly. We achieved the GPS coordinates in our lab for one month and checked their hit rates in the GPS coordinate ranges achieved from the Google Maps. The results showed about 99.29% and 92.96% hit rates in the latitude and longitude respectively which are acceptable for real operation.

Web of Science

researchmap

Language：English   Publisher：IEEE  

DNSSEC (Domain Name System Security Extensions) is designed to provide security functions for the current DNS protocol. However, DNSSEC yet has low deployment rate in the Internet due to its heavy workload on DNS full resolvers and high administrative cost. Furthermore, DNSSEC does not cover the last one mile in name resolution: between the DNS full resolver and client. In order to provide complete DNSSEC service between authoritative zone servers and clients, a new DNSSEC validation mechanism with acceptable workload on DNS full resolver and client is required. In this paper, we propose an advanced client based DNSSEC validation mechanism and compare the DNSSEC performance between DNS full resolver and client based on evaluations in a local experimental network. By validating DNSSEC on each client, the proposed mechanism can reduce the workload of DNS full resolvers and also can provide secure name resolution for each client. According to the results of preliminary evaluations we confirmed that it is possible to reduce the workload of DNS full resolver by transferring the DNSSEC validation process to clients with acceptable extra workload. More importantly, the benefit of DNSSEC can be extended to clients with secure name resolution service.

DOI： 10.1109/ICTC.2016.7763463

Web of Science

researchmap

Language：English   Publisher：IEEE COMPUTER SOC  

The Internet Security Threat Report by Symantec announced that the number of data breaches increased 23 percent in 2014 and the causes by theft or loss of devices reached to 21 percent. Carrying mobile devices with business data and private information is indispensable for human's social activities nowadays and unexpected data breach is one of the severe ongoing issues in cyber security. In this paper, we propose a concealed file system adapted for mobile devices based on GPS (Global Positioning System) information which is only mountable in the designated area. Differs from conventional encryption technologies, the proposed file system can be completely isolated from the viruses and attacks outside the designated area. Moreover, instead of the GPS information of the designated area, the encrypted hash value will be stored in mobile devices for the privacy concerns. We statistically analyzed the GPS information logged in our lab and defined an algorithm for deciding the designated area without leaking the GPS information. Based on the algorithm, we evaluated the proposed file system using Veracrypt by adding the hash of GPS information indicating the designated area as one of the attributes for mounting authentication. As a result, we confirmed that the proposed file system was mounted with about 91% success rate within average in the designated area even with noise interference.

DOI： 10.1109/COMPSAC.2016.93

Web of Science

Scopus

researchmap

Language：English   Publisher：IEEE  

In a high performance computer network system especially that has high-speed networks, an imbalance problem occurs in terms of that network performance is significantly higher than computer capacity. The problem deteriorates performance of the entire system by ineffectively overloading application servers by few high performance clients. In this paper, we present performance analysis and validation of a web server and confirm the possibility of transparent performance enhancement for a high performance computer network system by only changing the configuration of network facilities such as switches and routers. We constructed a local experimental web system and reproduced several cases in which the problem occurred and confirmed that it is possible to solve the problem by only suppressing network traffic on the communication lines for high performance clients. By practically using the network traffic control method it is expectable to provide best performance of application systems in a high-speed network environment in the future.

DOI： 10.1109/APNOMS.2015.7275385

Web of Science

Scopus

researchmap

Language：Japanese  

J-GLOBAL

researchmap

Language：Japanese   Publisher：The Institute of Electronics, Information and Communication Engineers  

As an e-Science infrastructure, We propose a network environment where site resources are federated by a point-of-presence named RENKEI-PoP. RENKEI-PoPs are located in sites that provide resources for e-Science, are integrated with site local resources, and relay communications between sites by cooperating with each other using a grid security infrastructure. RENKEI-PoP provides 1) a virtual machine hosting environment that executes e-science infrastructure services and 2) a general-purpose data transfer/sharing environment. We installed RENKEI-PoPs in eight sites in Japan and connected them to SINET 10Gbps network. We show the current RENKEI-PoP system and its network and storage access performance.

CiNii Books

researchmap

Language：Japanese   Publisher：The Institute of Electronics, Information and Communication Engineers  

As an e-Science infrastructure, We propose a network environment where site resources are federated by a point-of-presence named RENKEI-PoP. RENKEI-PoPs are located in sites that provide resources for e-Science, are integrated with site local resources, and relay communications between sites by cooperating with each other using a grid security infrastructure. RENKEI-PoP provides 1) a virtual machine hosting environment that executes e-science infrastructure services and 2) a general-purpose data transfer/sharing environment. We installed RENKEI-PoPs in eight sites in Japan and connected them to SINET 10Gbps network. We show the current RENKEI-PoP system and its network and storage access performance.

CiNii Books

J-GLOBAL

researchmap

Language：Japanese   Publisher：情報処理学会  

ネットワーク分散した種々のリソースを統合して，科学技術の新発見・融合研究領域の開拓を促進する研究手法であるe-サイエンスが注目されている．e-サイエンス実現基盤として，我々は RENKEI-PoP と名付けた Point-of-Presence にて拠点間を接続するネットワーク環境を提案する．RENKEI-PoP は e-サイエンスリソースを提供する拠点に設置され，拠点内リソースとは強く結合し，RENKEI-PoP 間ではグリッド認証により連携して，拠点間通信の中継を行う．RENKEI-PoP は，1) e-サイエンス基盤システムを構成するサービス群の実行環境，および分散システム開発・評価環境を仮想マシンで実現する仮想ホスティングと，2) 拠点間の汎用データ転送・共有環境を提供する．我々は，日本国内7拠点に RENKEI-PoP を設置し，SINET の提供する 10 Gbps ネットワークで接続した．現状のシステム構成，ネットワーク，ストレージアクセスの評価結果を示す．As an e-Science infrastructure, We propose a network environment where site resources are connected by a point-of-presence named RENKEI-PoP. RENKEI-PoPs are located in sites that provide resources for e-Science, are integrated with site local resources, and relay communications between sites by cooperating with each other using a grid security infrastructure. RENKEI-PoP provides 1) a virtual hosting environment that supports running and developing e-science infrastructure services and 2)a general-purpose data transfer/sharing environment. We installed RENKEI-PoPs in seven sites in Japan and connected them to SINET 10Gbps network. We propose the current RENKEI-PoP system and show its performance of network and storage access.

CiNii Books

researchmap

Language：Japanese   Publisher：The Institute of Electronics, Information and Communication Engineers  

In campus-wide network, reliable and the state-of-the-art technology with low operational costs must be deployed. In this paper, we describe the design and deployment of the campus-wide network Titanet3, which will be deplyed in Tokyo Tech in March 2010. Furhtermore, virtual network technology will be useful in campus-wide network, so that we introduce such technologies which will be employed in Titanet3.

researchmap

Language：Japanese   Publisher：The Institute of Electronics, Information and Communication Engineers  

In campus-wide network, reliable and the state-of-the-art technology with low operational costs must be deployed. In this paper, we describe the design and deployment of the campus-wide network Titanet3, which will be deplyed in Tokyo Tech in March 2010. Furhtermore, virtual network technology will be useful in campus-wide network, so that we introduce such technologies which will be employed in Titanet3.

CiNii Books

J-GLOBAL

researchmap

Language：Japanese   Publisher：The Institute of Electronics, Information and Communication Engineers  

In campus-wide network, reliable and the state-of-the-art technology with low operational costs must be deployed. In this paper, we describe the design and deployment of the campus-wide network Titanet3, which will be deplyed in Tokyo Tech in March 2010. Furhtermore, virtual network technology will be useful in campus-wide network, so that we introduce such technologies which will be employed in Titanet3.

CiNii Books

researchmap

Language：Japanese   Publisher：Information Processing Society of Japan (IPSJ)  

Four Information Technology Centers in Osaka University, Tokyo Institute of Technology, Kyushu University and Nagoya University deployed NAREGI Grid Middleware to their Supercomputing Resources under real operational scenarios, and tested its interoperability for nation-wide large-scale cooperation with two NAREGI R &amp; D centers: National Institute of Informatics and Institute for Molecular Science. We successfully demonstrated that we&#039;re able to formulate virtual organizations with certificates from multiple authorities and manage their grid resources, and also able to submit real grid applications to authorized computing resources with resource reservations, with coordinated execution across multiple meta-schedulers that issue reservation requests independently to potentially a same resource.

CiNii Books

researchmap

Language：Japanese   Publisher：Information Processing Society of Japan (IPSJ)  

Four Information Technology Centers in Osaka University, Tokyo Institute of Technology, Kyushu University and Nagoya University deployed NAREGI Grid Middleware to their Supercomputing Resources under real operational scenarios, and tested its interoperability for nation-wide large-scale cooperation with two NAREGI R & D centers: National Institute of Informatics and Institute for Molecular Science. We successfully demonstrated that we're able to formulate virtual organizations with certificates from multiple authorities and manage their grid resources, and also able to submit real grid applications to authorized computing resources with resource reservations, with coordinated execution across multiple meta-schedulers that issue reservation requests independently to potentially a same resource.

CiNii Books

J-GLOBAL

researchmap

Language：Japanese   Publisher：The Institute of Electronics, Information and Communication Engineers  

The new IEEE standards of wireless LAN security and network technologies used in the standards are shown in this paper. The problem of WEP encryption discussed in the recent years are summarized, and TKIP technology and AES encryption for the next standard IEEE 802.11i are shown. For authentication, authorization, and accounting of wireless LAN client, IEEE 802.1X port-based network access control will be adopted in IEEE 802.11i. We explain EAP, RADIUS technologies, which gives the foundation for IEEE 802.1X. Finally, we show an example of management and operation of a wireless LAN environment using these technologies and point out some problems and prospects.

CiNii Books

researchmap

Language：English   Publisher：SCRIPTA TECHNICA-JOHN WILEY & SONS  

POP before SMTP is a method of e-mail authentication in which users are authenticated by POP prior to SMTP connection. This method has been recognized by RFC2476, and is being increasingly employed. However, the danger of external attack is high if the POP server is operated in a demilitarized zone. In the implementation proposed in this study, POP server is protected by a firewall; for this purpose, POP connections to the gateway are relayed to an internal POP server, while the SMTP server remains in a demilitarized zone. In addition, security is improved by applying SSL to POP sessions between the relay server and clients. (C) 2004 Wiley Periodicals, Inc.

DOI： 10.1002/ecjc.20105

Web of Science

Scopus

researchmap

Language：Japanese   Publisher：一般社団法人電子情報通信学会  

電子メールの送信時にユーザ認証を行うために,SMTP接続の前にPOPによるユーザ認証を要求する,POP before SMTPと呼ばれる方式がRFC2476において提案され,これを採用するサイトが増えている.しかし,POPサーバを非武装地帯で運用することは,外部からの攻撃を受けやすく危険性が高い.そこで,POPサーバをファイアウォールで保護するために,ゲートウェイヘのPOP接続をサイト内側のPOPサーバにリレーし,SMTPは従来どおり非武装地帯で運用する方法を提案する.更に,リレーサーバとクライアントの間のPOPセッションをSSL上で実行させることにより,セキュリティの向上を図る.

CiNii Books

researchmap

Language：English   Publisher：The Institute of Electronics, Information and Communication Engineers  

POP before SMTP is a method for controlling access to SMTP servers. In this method, a user is required to be authenticated in a POP session before starting SMTP sessions. This method is very popular since the system is constructed on these basic protocols, however, when a POP server is located in DMZ, the server which might contain secret information such as mails has risk of being attacked by malicious users. On the other hand, an SMTP server should be located in DMZ, since an SMTP server is expected to have heavy traffic with other sites. In order to protect a POP server from attacks by means of a firewall, we introduce a new implementation method of POP before SMTP. In this implementation, a relay server which relays messages in a POP session to the POP server is located inside of the firewall. With the construction, the relay server monitors a POP session and notifies the result of the session to the SMTP server which is located in DMZ as in the case of usual setting. In addition, we improved security of the system by executing a POP session over an SSL channel.

CiNii Books

researchmap

Language：Japanese   Publisher：Network Operation Center,Tokyo Institute of Technology  

CiNii Books

researchmap

Scopus

researchmap

© Springer-Verlag Berlin Heidelberg 2001. On usual UNIX systems, a privileged user of root is allowedto acquire any user’s authority without authentication process. If anintruder obtains the root privilege by taking advantage of system’s securityhole, he can abuse network reachability of any user of the system tobreak into other sites. Thus we present a new system design where theauthority of users is protected from root by introducing a new user substitutionmechanism. However, even if we introduce the new mechanism,on usual UNIX systems, the intruder can get the authority using manyother methods for root. We implement the new user substitution mechanismand the mechanisms which prevent the intruder from using suchmethods in FreeBSD-4.2, and confirm that the system design is effective.

Scopus

researchmap

researchmap

Language：Japanese   Publisher：京都大学  

CiNii Books

researchmap

researchmap

Language：English   Publisher：IEEE COMPUTER SOC  

In this paper, we present a new consistency checking method for temporal logic specifications. The new method verifies consistency of a whole specification by using a tableau graph constructed from tableau graphs obtained on the verifications of partial specifications. The new method is applicable not only to on-the-fly verification, but also to comositional verification By on-the-fly verification, Ive mean a verification that proceeds as a specification is evolved. Compositional verification is verification constructed by merging modular verifications. By verifying a specification at each step of its refinement, we carl make specification evolution process efficient.
A tableau graph constructed by a traditional tableau method does not suit reuse. The traditional tableau method has two phases; a tableau graph construction phase and eventuality checking phase. It is difficult to reflect the results of the eventuality checking on the tableau graph because there is no suitable substructure which can keep the results. For that reason, it is necessary to check eventuality formulae repeatedly on the reuse of the tableau graphs
A tableau graph, introduced in this paper has a new structure and is obtained by piling up tableau graphs of subformulae, In this new structure, the checked results of eventuality checking are encoded. Therefore, all the results of the verification in each step can be reused for constructing the verification for a whole specifcation.

DOI： 10.1109/ISPSE.2000.913236

Web of Science

Scopus

researchmap

researchmap

researchmap

researchmap

researchmap

researchmap

Language：Japanese   Publisher：The Institute of Electronics, Information and Communication Engineers  

A reactive system maintains some interaction with its environment. It is necessary for its specification to be realizable that the specification has some special properties such as satisfiability, strong satisfiability and so on. When some specification doesn&#039;t have some of such properties, it is convenient to detect the specification&#039;s parts that break the property. Our purpose is to find the origins of un-realizability, to specify defective parts of an un-realizable specification. We first formalize causes of unsatisfiability in a specification, then introduce a method to derive all the causes at one try from a given specification.We also give a proof of the correctness of the method.

CiNii Books

researchmap

Language：Japanese   Publisher：The Institute of Electronics, Information and Communication Engineers  

On the verification of a reactive system specification, it was not possible to reuse the verification by-products of its parts. We present a consistency checking method with news tableau graphs that can make it possible. The main idea of the tableau construction is based on the new way of representaton and examination f eventualities, where storongly connected parts are kept as a collection of symple loop structures.

CiNii Books

researchmap

Language：Japanese  

本研究では, フレームのクラスが一階の制約で特徴づけられない体系KMに対して分解証明法を定義する。公理Mは時系列モデルが終了状態に到達することを表しており, デッドロックがないこと証明するのに利用することができる。このために, まず, 一階の制約でフレームが特徴づけられる体系に対する様相記号列の統一化による分解証明法を構成する。これまでも, Untilを持つ論理について公理系に基づいて規則を定義するものや, □に支配されるの選言肢, ◇に支配される連言肢を展開しない形の節形式を用いるものが提案されているが, 本研究では, 様相記号へのラベリングに対して意味論を記述する一階の言語におけるスコーレム化と対応をとることで, 節がラベルづけられた様相記号列をprefixとするリテラルの選言肢となる節形式を導入する。これにより, これまでに述語論理などの分解証明法において研究されてきた戦略を様相論理の分解証明法に導入する際の見通しがよくなるだけでなく, 証明の途中で選言, 連言を展開する必要がなく, 証明が分解規則によるステップのみとなるため証明の流れが見やすい。次に, 一階の言語におけるスコーレム化と対応できないKMの場合について分解証明法を拡張する。

CiNii Books

researchmap

Language：Japanese   Publisher：The Institute of Electronics, Information and Communication Engineers  

logic with &quot;unless&quot; operator.This method is based on a tableau p roof system which reuses tableau graph in previous step.We suppose requirement specification description process is performed step by step.In this setting cheking specifications at each stage is more efficient than checking the total specifications once at the final stage,since we often specify contradicting requirements and to know contradicting part of specifications at an early stage helps us to get final consistent specifications.The problem of the stepwise chocking is that,if the checking process takes a time at each stage,then this approach becomes unrealistic.Our approach overcomes this problem by introducing the following ideas based on the new representation of tableau graphs and an introduction of new kind of canonical models.The main advantage of Obr new method is that it reuses tableau graphs generated for the specification at earlier stages.It avoids generating a subgraph which is the same as or similar to a graph generated previously.

CiNii Books

researchmap

researchmap

researchmap

researchmap

researchmap

researchmap

researchmap

researchmap