- To raise security awareness and knowledge within the APAN community
- To exchange experience and knowledge in network security technologies and issues, and
- To cooperate with other international security efforts to raise security awareness, capabilities and interoperation globally.
Security-related topics include protection of the physical, intellectual, and electronic assets of APAN and other networks, including their security policies, network access controls, virus protection, network administration, auditing, and transaction security.
This time we invited three student presentations from Network Security Lab, Department of Communication and Computer Engineering, Waseda University.
Time: 13:30 - 15:00
Session Chair: Yoshiaki Kasahara
- Automatic Generation of URL Blacklist - 20160802_apan42_nsw_1_sun.pdf
Bo Sun, Mitsuaki Akiyama, Takeshi Yagi, Mitsuhiro Hatada, and Tatsuya Mori, Waseda University, Japan
Modern web users may encounter a browser security threat called drive-by-download attacks when surfing the Internet. Drive-by-download attacks use exploit code to take control of the user's web browser. Many web users do not take such underlying threats into account when clicking URLs. A URL blacklist is one practical approach to thwarting browser-targeted attacks. However, a URL blacklist cannot cope with previously unseen malicious URLs. Therefore, to keep a URL blacklist useful, it is crucial to keep its URLs updated. Given these observations, we propose a framework called automatic blacklist generator (AutoBLG) that automates the collection of new malicious URLs by starting from a given existing URL blacklist. The primary mechanism of AutoBLG is expanding the search space of web pages while reducing the number of URLs to be analyzed by applying several pre-filters, such as similarity search, to accelerate the process of generating blacklists. AutoBLG consists of three primary components: URL expansion, URL filtration, and URL verification. Through extensive analysis using a high-performance web client honeypot, we demonstrate that AutoBLG can successfully discover new and previously unknown drive-by-download URLs from the vast web space.
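The expansion and filtration stages described in the abstract, as an added example that is not AutoBLG's code: a seed blacklist is expanded with URLs found near each seed, and a structural-similarity pre-filter (Jaccard overlap of URL tokens, with digit runs normalised so rotating hostnames still match) keeps only candidates that resemble a known-bad URL, so that far fewer URLs reach the honeypot verification stage (not modelled here). Every URL, hostname and the 0.5 threshold below is a constructed assumption.

```python
"""URL blacklist expansion with a similarity pre-filter.

Added illustration of the expansion/filtration idea, not AutoBLG's code.
Every URL and hostname below is constructed for the example.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed seed blacklist (hypothetical hostnames).
SEED_BLACKLIST = [
    "http://cdn-update7.example-bad.net/ek/load.php?id=8812",
    "http://img-stat.example-bad.net/ek/gate.php?q=4411",
    "http://promo.example-evil.org/js/flash_update.php?v=13",
]

# Constructed expansion results: URLs a crawler found "near" each seed
# (links on the page, other hosts on the same IP, search-engine hits).
NEIGHBOURS = {
    SEED_BLACKLIST[0]: [
        "http://cdn-update7.example-bad.net/ek/load.php?id=9090",
        "http://news.example-legit.com/2016/08/apan42-summary.html",
        "http://fonts.example-legit.com/css?family=Roboto",
        SEED_BLACKLIST[1],  # already blacklisted, must not be re-queued
    ],
    SEED_BLACKLIST[1]: [
        "http://static-cache3.example-bad.net/ek/gate.php?q=7001",
        "http://news.example-legit.com/2016/08/apan42-summary.html",
        "http://shop.example-legit.com/cart/view.php?item=5",
    ],
    SEED_BLACKLIST[2]: [
        "http://dl.example-evil.org/js/flash_update.php?v=14",
        "http://shop.example-legit.com/cart/view.php?item=5",
    ],
}


def url_features(url):
    """Structural tokens of a URL. Digit runs become '#' so that rotating
    hostnames or filenames (cdn-update7, cdn-update8) share tokens."""
    p = urlsplit(url)
    labels = (p.hostname or "").split(".")
    feats = {"scheme:" + p.scheme, "tld:" + labels[-1]}
    feats.update("host:" + re.sub(r"\d+", "#", lab) for lab in labels[:-1])
    parts = [s for s in p.path.split("/") if s]
    feats.add("depth:%d" % len(parts))
    feats.update("dir:" + d for d in parts[:-1])
    if parts:
        name = parts[-1]
        feats.add("ext:" + (name.rsplit(".", 1)[1] if "." in name else ""))
        feats.add("file:" + re.sub(r"\d+", "#", name))
    feats.update("qkey:" + k for k in parse_qs(p.query))  # keys only, not values
    return feats


def jaccard(a, b):
    return len(a & b) / len(a | b)


def expand(seeds, neighbours):
    """URL expansion: collect neighbours of every seed, dropping known URLs."""
    known = set(seeds)
    found = set()
    for seed in seeds:
        found.update(u for u in neighbours.get(seed, []) if u not in known)
    return found


def filter_candidates(candidates, seeds, threshold=0.5):
    """URL filtration: keep candidates whose nearest seed scores >= threshold.
    Returns (url, score, nearest_seed) sorted by decreasing score."""
    seed_feats = {s: url_features(s) for s in seeds}
    kept = []
    for url in candidates:
        f = url_features(url)
        nearest = max(seeds, key=lambda s: jaccard(f, seed_feats[s]))
        score = jaccard(f, seed_feats[nearest])
        if score >= threshold:
            kept.append((url, round(score, 3), nearest))
    return sorted(kept, key=lambda t: (-t[1], t[0]))


def run_pipeline(seeds=SEED_BLACKLIST, neighbours=NEIGHBOURS, threshold=0.5):
    """Expansion followed by filtration; the survivors go to the honeypot."""
    return filter_candidates(expand(seeds, neighbours), seeds, threshold)


if __name__ == "__main__":
    for url, score, seed in run_pipeline():
        print("%.3f  %s  (nearest seed: %s)" % (score, url, seed))
```

Of the six candidates the expansion step produces, three survive the pre-filter: the rotated id on the same host, and two new hosts that reuse the same directory, script name and query key as a seed. The legitimate news, font and shop URLs share almost no structural tokens with any seed and are dropped before verification.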
Bo Sun received a B.E. degree in computer science from Jilin University in 2007 and an M.E. degree in Information and Media from Yokohama National University in 2012. Currently, he is a PhD student and a research associate at the Department of Computer Science and Engineering, Waseda University. His research interests include network security and mobile security.
- Analytics of Malware Traffic: Clustering and its Evaluation - 20160802_apan42_nsw_2_hatada.pdf
Mitsuhiro Hatada and Tatsuya Mori, Waseda University, Japan
A vast number of new malware samples have been developed over the decades, and antivirus software may fail to detect evasive attacks. If we can determine that the activity of an unknown malware sample is very close to the activity of a known malware family, we can assign a low priority to manual inspection of the unknown sample, because we have already analyzed a similar one. In this presentation, we first present a model of traffic originating from malware samples. The model consists of malware-specific features and general traffic features. Next, we apply clustering analysis to the extracted features. We evaluate the effectiveness of the clustering analysis using a large-scale set of live malware samples. We also report that the clustering analysis is useful for finding unknown malware samples.
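The triage idea in the abstract, as an added example that is not the presenters' code: each sample's traffic is reduced to a small feature vector (general traffic features such as UDP share and destination fan-out, plus malware-oriented ones such as the share of web-port flows and of flows that upload more than they download), known samples are grouped by single-linkage clustering, and an unknown sample is either mapped to the family of its nearest cluster (low inspection priority) or flagged for manual inspection when nothing is close. The flow records, family names, the four features and the 0.3 distance threshold are constructed assumptions.

```python
"""Clustering per-sample traffic features and triaging an unknown sample.

Added illustration, not the presenters' code. Flow records are constructed:
(proto, dst_port, bytes_out, bytes_in, dst_addr).
"""
import math
from collections import Counter
from itertools import combinations


def http_get(dst):   # small request, large response
    return ("tcp", 80, 300, 48000, dst)


def dns():           # resolver lookup
    return ("udp", 53, 60, 120, "198.51.100.53")


def beacon(dst):     # upload-heavy POST to a non-standard port
    return ("tcp", 8080, 900, 40, dst)


# Constructed "known" samples: name -> (family label, flows)
KNOWN = {
    "dl-1": ("downloader", [http_get("203.0.113.1")] * 2 + [http_get("203.0.113.2")] * 2
             + [http_get("203.0.113.3"), dns()]),
    "dl-2": ("downloader", [http_get("203.0.113.1")] * 2 + [http_get("203.0.113.2")] * 2 + [dns()]),
    "dl-3": ("downloader", [http_get("203.0.113.1")] * 3 + [http_get("203.0.113.2")] * 2
             + [http_get("203.0.113.3")] * 2 + [dns()]),
    "beacon-1": ("beaconer", [beacon("192.0.2.50")] * 5 + [dns()]),
    "beacon-2": ("beaconer", [beacon("192.0.2.51")] * 3 + [dns()]),
}

# Constructed unknown samples.
UNKNOWN_LIKE_DL = [http_get("203.0.113.7")] * 3 + [http_get("203.0.113.8")] * 2 + [dns()]
UNKNOWN_NOVEL = [("udp", 123, 500, 0, "198.51.100.%d" % i) for i in range(1, 7)]


def features(flows):
    """Four ratio features in [0, 1], so no scaling step is needed."""
    n = len(flows)
    web = sum(1 for _, port, _, _, _ in flows if port in (80, 443)) / n
    upload = sum(1 for _, _, out, inb, _ in flows if out > inb) / n
    udp = sum(1 for proto, _, _, _, _ in flows if proto == "udp") / n
    fanout = len({dst for _, _, _, _, dst in flows}) / n
    return (web, upload, udp, fanout)


def distance(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def single_linkage(vectors, threshold):
    """Union samples closer than threshold; returns sorted frozensets of names."""
    parent = {k: k for k in vectors}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for a, b in combinations(vectors, 2):
        if distance(vectors[a], vectors[b]) < threshold:
            parent[find(a)] = find(b)
    groups = {}
    for k in vectors:
        groups.setdefault(find(k), set()).add(k)
    return sorted((frozenset(g) for g in groups.values()), key=lambda g: sorted(g))


def triage(flows, known=KNOWN, threshold=0.3):
    """Return ('low-priority', family, dist) when the unknown sample falls
    within threshold of a known cluster, else ('inspect', None, dist)."""
    vec = features(flows)
    vectors = {k: features(fl) for k, (_, fl) in known.items()}
    clusters = single_linkage(vectors, threshold)
    nearest = min(vectors, key=lambda k: distance(vec, vectors[k]))
    d = distance(vec, vectors[nearest])
    if d >= threshold:
        return ("inspect", None, round(d, 3))
    cluster = next(c for c in clusters if nearest in c)
    family = Counter(known[k][0] for k in cluster).most_common(1)[0][0]
    return ("low-priority", family, round(d, 3))


if __name__ == "__main__":
    print(single_linkage({k: features(fl) for k, (_, fl) in KNOWN.items()}, 0.3))
    print(triage(UNKNOWN_LIKE_DL))
    print(triage(UNKNOWN_NOVEL))
```

The known samples split cleanly into a downloader cluster and a beaconer cluster. The first unknown sample sits within 0.06 of a downloader sample and is deprioritised; the NTP-port UDP sample with no inbound bytes is far from both clusters and is routed to manual inspection, which is exactly the case where clustering helps surface something new.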
Mitsuhiro Hatada received his B.E. and M.E. degrees in computer science and engineering from Waseda University in 2001 and 2003, respectively. He joined NTT Communications Corporation in 2003 and has been engaged in the R&D of network security and anti-malware. Currently, he is a PhD student at Waseda University with particular interests in anti-malware technologies.
- Detecting malware-infected hosts using HTTP fingerprints - 20160802_apan42_nsw_3_mizuno.pdf
Sho Mizuno, Mitsuhiro Hatada, Tatsuya Mori, and Shigeki Goto, Waseda University, Japan
Damage caused by malware has been a significant problem that needs to be addressed. Even when countermeasures against infection are taken, vulnerable devices are still infected by zero-day attacks from new malware. In this work, we propose a method to identify devices that are likely infected with malware. The system analyzes Internet backbone traffic and detects traffic attributable to malware communication. Our key idea is to make use of the various information recorded in HTTP headers and apply a machine learning algorithm to classify observed HTTP headers into two classes: legitimate and malicious. Through extensive experiments, we demonstrate that our methodology can detect malicious traffic with high accuracy.
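The header-based two-class idea, as an added example that is not the presenters' system: request heads are parsed into binary fingerprint features (which headers are present, which comes first, the User-Agent family, whether Host is a bare IP address) and a Laplace-smoothed Bernoulli naive Bayes classifier is trained on labelled samples, then applied to new requests. The sample requests, hostnames and addresses are constructed, and the feature set is an assumption rather than the one used in the talk.

```python
"""HTTP request-header fingerprinting with a Bernoulli naive Bayes classifier.

Added illustration, not the presenters' system. The request heads, hosts
and addresses below are constructed; the feature set is an assumption.
"""
import math
import re
from collections import Counter

MSIE6 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
FIREFOX = "Mozilla/5.0 (Windows NT 10.0; rv:48.0) Gecko/20100101 Firefox/48.0"
CHROME = "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0 Safari/537.36"

# Constructed labelled samples: (raw request head, label).
TRAINING = [
    (f"GET /gate.php?id=1 HTTP/1.1\r\nUser-Agent: {MSIE6}\r\nHost: 203.0.113.10\r\n"
     "Cache-Control: no-cache\r\n\r\n", "malicious"),
    ("POST /report HTTP/1.1\r\nHost: 198.51.100.7\r\nUser-Agent: Mozilla/4.0\r\n"
     "Content-Type: application/octet-stream\r\nContent-Length: 512\r\n\r\n", "malicious"),
    (f"GET /a.php HTTP/1.0\r\nUser-Agent: {MSIE6.replace('6.0', '7.0')}\r\n"
     "Host: update-check.example-bad.net\r\nConnection: Keep-Alive\r\n\r\n", "malicious"),
    (f"GET /c.php?id=22 HTTP/1.1\r\nAccept: */*\r\nUser-Agent: {MSIE6}\r\n"
     "Host: 203.0.113.44\r\n\r\n", "malicious"),
    (f"GET /index.html HTTP/1.1\r\nHost: www.example-legit.com\r\nUser-Agent: {FIREFOX}\r\n"
     "Accept: text/html,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\n"
     "Accept-Encoding: gzip, deflate\r\nConnection: keep-alive\r\n\r\n", "legitimate"),
    (f"GET /style.css HTTP/1.1\r\nHost: www.example-legit.com\r\nUser-Agent: {CHROME}\r\n"
     "Accept: text/css,*/*;q=0.1\r\nAccept-Language: ja,en;q=0.8\r\nAccept-Encoding: gzip, deflate\r\n"
     "Referer: http://www.example-legit.com/index.html\r\nConnection: keep-alive\r\n\r\n", "legitimate"),
    (f"GET /api/items HTTP/1.1\r\nHost: api.example-legit.com\r\nUser-Agent: {CHROME}\r\n"
     "Accept: application/json\r\nAccept-Language: en-GB\r\nAccept-Encoding: gzip\r\n"
     "Referer: http://www.example-legit.com/\r\nConnection: keep-alive\r\n\r\n", "legitimate"),
    (f"POST /login HTTP/1.1\r\nHost: www.example-legit.com\r\nUser-Agent: {FIREFOX}\r\n"
     "Accept: */*\r\nAccept-Language: en-US\r\nAccept-Encoding: gzip, deflate\r\n"
     "Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 42\r\n"
     "Connection: keep-alive\r\n\r\n", "legitimate"),
]

# Constructed requests to classify.
TEST_BEACON = (f"GET /gate.php?id=77 HTTP/1.1\r\nUser-Agent: {MSIE6}\r\nHost: 192.0.2.9\r\n"
               "Cache-Control: no-cache\r\n\r\n")
TEST_BROWSER = (f"GET /news/2016/ HTTP/1.1\r\nHost: www.example-legit.com\r\nUser-Agent: {FIREFOX}\r\n"
                "Accept: text/html,*/*;q=0.8\r\nAccept-Language: en-GB,en;q=0.5\r\n"
                "Accept-Encoding: gzip, deflate\r\nConnection: keep-alive\r\n\r\n")


def parse_request(raw):
    """Split a request head into (method, version, [(name, value), ...])."""
    lines = raw.replace("\r\n", "\n").split("\n")
    method, _target, version = lines[0].split(" ", 2)
    headers = []
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip().lower(), value.strip()))
    return method, version, headers


def header_features(raw):
    """Binary fingerprint features of one request (assumed feature set)."""
    method, version, headers = parse_request(raw)
    names = [n for n, _ in headers]
    hmap = dict(headers)
    feats = {"method:" + method, "version:" + version}
    feats.update("has:" + n for n in names)       # which headers are sent
    if names:
        feats.add("first:" + names[0])             # header ordering hint
    ua = hmap.get("user-agent")
    if ua is None:
        feats.add("ua:missing")
    elif "MSIE" in ua:
        feats.add("ua:msie")
    elif ua.startswith("Mozilla/5.0"):
        feats.add("ua:mozilla5")
    else:
        feats.add("ua:other")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", hmap.get("host", "")):
        feats.add("host:ip")                       # bare IP instead of a name
    return feats


class HeaderClassifier:
    """Bernoulli naive Bayes over binary features with Laplace smoothing."""

    def fit(self, samples):
        self.vocab, self.n, self.counts = set(), Counter(), {}
        for raw, label in samples:
            feats = header_features(raw)
            self.vocab |= feats
            self.n[label] += 1
            self.counts.setdefault(label, Counter()).update(feats)
        return self

    def log_posterior(self, feats, label):
        n = self.n[label]
        lp = math.log(n / sum(self.n.values()))
        for f in self.vocab:                       # absent features count too
            p = (self.counts[label][f] + 1) / (n + 2)
            lp += math.log(p if f in feats else 1 - p)
        return lp

    def classify(self, raw):
        """Return (label, log-odds of malicious over legitimate)."""
        feats = header_features(raw)
        odds = self.log_posterior(feats, "malicious") - self.log_posterior(feats, "legitimate")
        return ("malicious" if odds > 0 else "legitimate", round(odds, 2))


if __name__ == "__main__":
    clf = HeaderClassifier().fit(TRAINING)
    print(clf.classify(TEST_BEACON))
    print(clf.classify(TEST_BROWSER))
```

The beacon request is flagged not by any single header but by the combination of a legacy User-Agent string, User-Agent sent before Host, a bare IP in Host, and the absence of Accept-Language and Accept-Encoding that real browsers always send; the browser request shows the opposite profile on every one of those features. With only eight training samples the log-odds are illustrative, but the same feature extraction applied to a labelled backbone capture is the shape of the classification the abstract describes.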
Sho Mizuno is a graduate student in the Department of Computer Science and Communication Engineering, Waseda University, Tokyo, Japan. He graduated from Waseda University in March 2016. Mr. Mizuno has been conducting projects in network security.