現在のspam対策は，検出率は高いが全てのメールに対策を適用するため通常メールの受信までに遅延が発生するものや，負荷が軽く検出率も高いが誤検知が多いなど，どの対策にも欠点と利点が存在する．　
　本研究では，メールフィルタプラグインであるmilterを用いてspam対策を組み合わせることで，負荷が軽く検出率の高いもので対策を行った後に誤検出されたメールを他のspam対策で救済するなど，利点を生かしながら欠点を補うことで効率的なspamメールの排除を目指す．
　本論文では，milterを管理するmilter-managerを用いたメールサーバの設計・運用を行い，その有用性について検討する．

抄録全体を表示

There have been several recent reports that botnet communication between bot-infected computers and Command and Control servers (C&C servers) using the Domain Name System (DNS) protocol has been used by many cyber attackers. In particular, botnet communication based on the DNS TXT record type has been observed in several kinds of botnet attack. Unfortunately, the DNS TXT record type has many forms of legitimate usage, such as hostname description. In this paper, in order to detect and block out botnet communication based on the DNS TXT record type, we first differentiate between legitimate and suspicious usages of the DNS TXT record type and then analyze real DNS TXT query data obtained from our campus network. We divide DNS queries sent out from an organization into three types — via-resolver, and indirect and direct outbound queries — and analyze the DNS TXT query data separately. We use a 99-day dataset for via-resolver DNS TXT queries and an 87-day dataset for indirect and direct outbound DNS TXT queries. The results of our analysis show that about 30%, 8% and 19% of DNS TXT queries in via-resolver, indirect and direct outbound queries, respectively, could be identified as suspicious DNS traffic. Based on our analysis, we also consider a comprehensive botnet detection system and have designed a prototype system.

抄録全体を表示

Domain Name System (DNS) is a major target for the network security attacks due to the weak authentication. A security extension DNSSEC has been proposed to introduce the public-key authentication, but it is still on the deployment phase. DNSSEC assumes IP fragmentation allowance for exchange of its messages over UDP large payloads. IP fragments are often blocked on network packet filters for administrative reasons, and the blockage may prevent fast exchange of DNSSEC messages. In this paper, we propose a scheme to detect the UDP large-payload transfer capability between two DNSSEC hosts. The proposed detection scheme does not require new protocol elements of DNS and DNSSEC, so it is applicable by solely modifying the application software and configuration. The scheme allows faster capability detection to probe the end-to-end communication capability between two DNS hosts by transferring a large UDP DNS message. The DNS software can choose the maximum trans-mission unit (MTU) on the application level using the probed detection results. Implementation test results show that the proposed scheme shortens the detection and transition time on fragment-blocked transports.

抄録全体を表示

内閣官房情報セキュリティセンターは,わが国の情報セキュリティ政策の中核機関である。その役割は,基本戦略の策定,政府機関や重要インフラ分野の対策,国民への普及啓発,国際連携など多岐に及ぶ。政府機関の対策の中から,統一基準群の策定,情報セキュリティ報告書の策定,SBD,送信ドメイン認証,不審メール対処訓練,ペネトレーションテスト,組織内CSIRTの整備等を紹介し,今後政府機関のセキュリティ対策の方向性を展望する。

抄録全体を表示