Advanced search results
Showing results for the following conditions:
Search query: "Server Message Block"
Showing results 1-16 of 16
  • Takanori Machida, Dai Yamamoto, Yuki Unno, Hisashi Kojima
    Journal of Information Processing
    2021, Vol. 29, pp. 559-571
    Published: 2021
    Released: 2021/09/15
    Journal, Free access

    To maintain the availability of industrial control systems (ICS), it is important to robustly detect malware infection that spreads within the ICS network. In ICS, a host often communicates with the determined hosts; for instance, a supervisory control host observes and controls the same devices routinely via the network. Therefore, a communication request to the unused internet protocol (IP) address space, i.e., darknet, in the ICS network is likely to be caused by malware in the compromised host in the network. That is, darknet monitoring may enable us to detect malware that tries to spread indiscriminately within the network. On the other hand, clever malware, such as malware determining target hosts of infection with reference to host lists in the networks, infects the confined hosts in the networks, and consequently evades detection by security sensors or honeypots. In this paper, we propose novel deception techniques that lure such malware to our sensor, by embedding the sensor information continuously in the lists of hosts in the ICS networks. In addition, the feasibility of the proposed deception techniques is shown through our simplified implementation by using actual malware samples: WannaCry and Conficker.

  • Motoyuki Ohmori, Masayuki Higashino, Toshiya Kawato, Satoshi Fujio, Kiyoyuki Nakashima
    Journal of Information Processing
    2019, Vol. 27, pp. 234-243
    Published: 2019
    Released: 2019/03/15
    Journal, Free access

    Computer security has been getting more attention because a computer security incident may cause great damage on an organization. A quick and correct response against an incident is then important. One of the first possible responses is then locating and isolating a suspicious host. This isolation typically requires a manual operation that may cause a mistake or long delay. In order to solve these issues, this paper proposes a novel system to locate and isolate a suspicious host on an incident response adopting the Software Defined Network (SDN) approach. This SDN approach allows the proposed system to locate and isolate a suspicious host on-demand in a network that comprises different switches and routers of different makers. The proposed system then requires no host authentication configured, no IP address allocation/assignment database, no network topology map and no switch port list in advance. The proposed system, therefore, can reduce human manual operations. This paper then presents that human manual operations actually induce longer delays, more than 3 minutes on average, and also cause mistakes. This paper also presents that the proposed system can locate and isolate a suspicious host within 10 seconds right after an IP address of a suspicious host is given.

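  • —Fusion of Legacy and Modern Technologies in Unix—
    山田 泰司, 高橋 純, 島田 裕, 池口 徹
    電子情報通信学会 基礎・境界ソサイエティ Fundamentals Review
    2024, Vol. 18, No. 1, pp. 7-28
    Published: 2024/07/01
    Released: 2024/07/01
    Journal, Free access

    NFS (Network File System) is a distributed file system used on Unix. In Unix-based computer networks of the 1990s, it was usual for each user's home directory to be NFS-shared no matter which machine the user logged in to. An environment in which users' home directories can be referenced and shared at any time within the local network in this way has merits such as effective use of computing resources and sharing of information and techniques. On the other hand, now that storage has become faster with the move from HDDs to SSDs, the data transfer rate of NFS file sharing becomes a bottleneck even when a network standard with a high transmission speed such as 10 GbE is used, making it difficult to draw out the performance of fast machines. We therefore built a network environment in which users' home directories can be shared within the local network without reducing SSD access speed at the console. Specifically, we realized, on macOS, a modern Unix, the construction of a distributed computer network based on mesh-type NFS home sharing, in which each machine's home directory is NFS-exported. This article is a technical explanation of it.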

  • Mitsuyoshi KITAMURA
    IEICE Transactions on Communications
    2012, Vol. E95.B, No. 1, pp. 189-197
    Published: 2012/01/01
    Released: 2012/01/01
    Journal, Restricted access
    In this study, a low-cost, power-saving and reliable Multiple Server Backup System (MSBS) was configured and tested. The MSBS is based on a Dynamic Backup Server System (DBSS) and is able to recover many different server functions. To configure the DBSS, the mode segmentation method is introduced to simplify system control design and improve applicability to other systems. Experiments based on a mail server showed that the DBSS has sufficient ability to deal with various types of issues, including software and hardware failures. Furthermore, it is important to evaluate the virtual server performance in recovering target server functions. The well-known clock time inaccuracy problem of the virtual server is solved using the network access method regardless of the failure.
  • 五味 勉
    日本放射線技術学会雑誌
    1999, Vol. 55, No. 1, pp. 50-53
    Published: 1999/01/20
    Released: 2017/06/30
    Journal, Free access
  • 山田 健二, 天野 雅史, 湯浅 将生, 山本 勇一郎, 多田 章久, 原田 雅史
    日本放射線技術学会雑誌
    2014, Vol. 70, No. 1, pp. 19-25
    Published: 2014/01/20
    Released: 2014/01/27
    Journal, Free access
    A picture archiving and communication system (PACS) for multi-vendor imaging servers is useful, since it can provide a variety of image-processing services. However, to delete an image file in the PACS, it is necessary to delete not only the image but all its associated images that are stored in multiple servers: this is a lengthy and painstaking process. To reduce this workload, we have developed a system consisting of a computer program with a graphical user interface that can delete the target image and all related images by means of batch processing. The developed system creates an extensible markup language (XML)-format file that describes the operation for deleting an image and forwards the XML file to the main server. Using a Windows file-sharing system (SMB/CIFS), each server shares the XML file and deletes the images in its own database in response to the instructions described in the XML file. We can also rigorously manage information concerning the deleted images using the information that is output from the main server to external storage. We also discuss the degree of load reduction in our system compared with that of ordinary systems.
  • Kensuke TAMURA, Kanta MATSUURA
    IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences
    2019, Vol. E102.A, No. 1, pp. 65-73
    Published: 2019/01/01
    Released: 2019/01/01
    Journal, Free access

    Since cyber attacks such as cyberterrorism against Industrial Control Systems (ICSs) and cyber espionage against companies managing them have increased, the techniques to detect anomalies in early stages are required. To achieve the purpose, several studies have developed anomaly detection methods for ICSs. In particular, some techniques using packet flow regularity in industrial control networks have achieved high-accuracy detection of attacks disrupting the regularity, i.e. normal behaviour, of ICSs. However, these methods cannot identify scanning attacks employed in cyber espionage because the probing packets assimilate into a number of normal ones. For example, the malware called Havex is customised to clandestinely acquire information from targeting ICSs using general request packets. The techniques to detect such scanning attacks using widespread packets await further investigation. Therefore, the goal of this study was to examine high performance methods to identify anomalies even if elaborate packets to avoid alert systems were employed for attacks against industrial control networks. In this paper, a novel detection model for anomalous packets concealing behind normal traffic in industrial control networks was proposed. For the proposal of the sophisticated detection method, we took particular note of packet flow regularity and employed the Markov-chain model to detect anomalies. Moreover, we regarded not only original packets but similar ones to them as normal packets to reduce false alerts because it was indicated that an anomaly detection model using the Markov-chain suffers from the ample false positives affected by a number of normal, irregular packets, namely noise. To calculate the similarity between packets based on the packet flow regularity, a vector representation tool called word2vec was employed. Whilst word2vec is utilised for the calculation of word similarity in natural language processing tasks, we applied the technique to packets in ICSs to calculate packet similarity. As a result, the Markov-chain with word2vec model identified scanning packets assimilating into normal packets in higher performance than the conventional Markov-chain model. In conclusion, employing both packet flow regularity and packet similarity in industrial control networks contributes to improving the performance of anomaly detection in ICSs.

  • 小原 信也
    日本放射線技術学会雑誌
    2005, Vol. 61, No. 10, pp. 1414-1419
    Published: 2005/10/20
    Released: 2017/06/30
    Journal, Free access
  • 池上 雅人
    情報の科学と技術
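    2023, Vol. 73, No. 3, pp. 81-86
    Published: 2023/03/01
    Released: 2023/03/01
    Journal, Open access

    Now that everything is connected to the Internet, cyberattacks have become a threat with serious impact on society. Cyberattack trends change with the times, and the remote-work environments that spread rapidly as a countermeasure against the spread of COVID-19 gave attackers new openings for attack. Since 2020, the number of malware detections has remained at a high level, and among them the malware raging most fiercely is ransomware such as LockBit, and Emotet. In this article, we explain these threats from the viewpoint of a malware analyst and introduce countermeasures that are practicable for general users and effective.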

  • 井上 大介
    情報の科学と技術
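    2020, Vol. 70, No. 5, pp. 244-248
    Published: 2020/05/01
    Released: 2020/05/01
    Journal, Free access

    Just as criminal acts have never ceased in the history of human society, attacks in cyberspace (hereafter, cyberattacks) also show no sign of ceasing; rather, the range of targets is expanding and the technologies used in attacks are becoming more sophisticated. This article surveys the overall trends in cyberattacks over the past few years, describes in detail the trends in indiscriminate cyberattacks based on observations by NICTER, a large-scale cyberattack observation and analysis system, and introduces the current state of infected IoT devices and the NOTICE initiative, one of the countermeasures.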

  • 段木 亮一
    情報管理
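    2004, Vol. 46, No. 12, pp. 785-796
    Published: 2004
    Released: 2004/03/01
    Journal, Free access
    This article explains practical methods of introduction based on our company's track record with open source. The first part surveys open source, whose adoption is becoming active, touches on the advantages of introducing it and the points requiring caution, and explains how to build various servers. Based on our company's case of designing and building a new network and server group, we introduce the procedures for building service server groups for the Internet and for an intranet that includes communication among multiple sites. Here, Red Hat Linux and Turbo Linux are introduced for different purposes, and the reasons for their adoption and the construction methods are described.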
  • 石川 潤
    計測と制御
    2002, Vol. 41, No. 6, pp. 456-462
    Published: 2002/06/10
    Released: 2009/11/26
    Journal, Free access
  • Tomohiko YANO, Hiroki KUZUNO, Kenichi MAGATA
    IEICE Transactions on Information and Systems
    2023, Vol. E106.D, No. 9, pp. 1339-1353
    Published: 2023/09/01
    Released: 2023/09/01
    Journal, Free access

    Information leakage is a significant threat to organizations, and effective measures are required to protect information assets. As confidential files can be leaked through various paths, a countermeasure is necessary to prevent information leakage from various paths, from simple drag-and-drop movements to complex transformations such as encryption and encoding. However, existing methods are difficult to take countermeasures depending on the information leakage paths. Furthermore, it is also necessary to create a visualization format that can find information leakage easily and a method that can remove unnecessary parts while leaving the necessary parts of information leakage to improve visibility. This paper proposes a new information leakage countermeasure method that incorporates file tracking and visualization. The file tracking component recursively extracts all events related to confidential files. Therefore, tracking is possible even when data have transformed significantly from the original file. The visualization component represents the results of file tracking as a network graph. This allows security administrators to find information leakage even if a file is transformed through multiple events. Furthermore, by pruning the network graph using the frequency of past events, the indicators of information leakage can be more easily found by security administrators. In experiments conducted, network graphs were generated for two information leakage scenarios in which files were moved and copied. The visualization results were obtained according to the scenarios, and the network graph was pruned to reduce vertices by 17.6% and edges by 10.9%.

  • Wataru Matsuda, Mariko Fujimoto, Takuho Mitsunaga, Kenji Watanabe
    Journal of Information Processing
    2025, Vol. 33, pp. 139-155
    Published: 2025
    Released: 2025/02/15
    Journal, Free access

    In recent years, control systems have rapidly advanced and increasingly tend to be connected to IT networks and the Internet. In environments where IT and Industrial Control Systems (ICS) are interconnected, there is a risk of intrusion via the IT network. Nowadays, IT technologies are integrated into ICS, so it is crucial to consider IT attack risks in ICS environments in addition to ICS-specific attacks. A vast amount of information on attack tools and cyberattack reports has been published. Security analysts must analyze or meticulously read this information to determine if the attacks are relevant to their organization and how they should be defended against, necessitating a curation process. However, understanding the content of all published attack methods and reports properly requires significant resources, including costs and skills based on experience. Therefore, this research investigates the practical use of Large Language Models (LLMs) for extracting information beneficial to an organization's security measures efficiently. Specifically, we examined whether it is possible to identify protocols and ports from public information that could be exploited in attacks. This information is helpful in preventing or monitoring these attacks using tools such as firewalls, even if timely security updates are difficult. This examination was conducted from the following two perspectives:

    ・Extracting port numbers to be protected and monitored against attacks targeting IT networks, especially Windows environments, based on Proof of Concept (PoC) information on the Internet.

    ・From the perspective of ICS networks, extracting exploited protocols, port numbers, and product names from past ICS-related reports.

    The goal of the research is to prepare for attacks in advance, identify exploitable products and protocols. The results obtained from the proposed method can be utilized for mitigation and enhanced monitoring. Furthermore, they can also be applied to risk assessment and penetration testing. Using the proposed method, we were able to extract port numbers with a potential for misuse in IT attacks with a 60.0% correct response rate. For ICS, we achieved an 81.8% correct response rate in extracting potentially exploited port numbers and protocol names, and a 72.7% correct response rate in identifying target products.

  • Mamoru Mimura
    Journal of Information Processing
    2019, Vol. 27, pp. 711-719
    Published: 2019
    Released: 2019/11/15
    Journal, Free access

    Detecting new malicious traffic is a challenging task. There are many behavior-based detection methods which extract the features of malicious traffic. However, many previous methods require knowledge of how to extract feature vectors. If attackers modify the attack techniques, these previous methods may have to extract new feature representation to detect them. To address this problem, neural networks can be applied to perform feature learning. Doc2vec is one of these models that learn fixed-length feature representation from variable-length documents and has been applied to proxy logs. However, some attackers still use protocols other than http or https. In this paper, we extend the previous method to a generic detection method which supports any protocol. The key idea of this research is reading network packets as a natural language. In our method, a protocol analyzer reads network packets, and summarizes the traffic. Our method extracts the feature representation from the summary with Doc2vec. We apply several classifiers to the automatically extracted feature representation, and classify traffic into benign and malicious traffic. In the fundamental experiment, the best F-measure achieves 0.98 in the timeline analysis and 0.97 in the cross-dataset validation. Furthermore, we generate imbalanced datasets which simulate actual network traffic. In the practical experiment, the best F-measure achieves 0.82 in the timeline analysis and 0.73 in the cross-dataset validation.

  • 谷岡広樹, 板東孝文, 松浦健二
    学術情報処理研究
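    2016, Vol. 20, No. 1, pp. 30-39
    Published: 2016/09/27
    Released: 2018/08/27
    Journal, Free access

    The Tokushima University Information Center, in accordance with its ISMS-based information security policy, manages the ISMS documents created by faculty and staff on a file server. Operational documents other than ISMS documents that the center is involved in, such as business documents, contracts, manuals and logs, are also managed on the same file server. For ISMS documents, operational rules on directory structure and file names keep them in a state where those who need them can use them when they need them. However, because it is difficult for all faculty and staff to always grasp the latest state of the file server's directories, it is also a fact that there are situations in which ISMS documents and other necessary documents cannot be used immediately. To improve this situation, we considered introducing a full-text search system to the file server used within the center. This paper reports the results of defining the requirements for the full-text search system, designing the system, estimating the scope of introduction, evaluating performance, and verifying the effect of its introduction.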
