In order to improve the universality and security of the data management of the Internet of Things and avoid the single point of failure problem in the traditional management architecture, this paper proposes a massive connection management architecture based on blockchain. The blockchain is reconstructed according to the hierarchical structure of blockchain technology, and with reference to the attribute-based access control mechanism, a data exchange model is designed using gossip mode and TLS networking mode to ensure the safe transmission of data. The peer computer network technology, data signature, and consensus mechanism are used to complete the design of the data exchange network layer and realize the design of the blockchain-based massive connection management architecture, so as to effectively avoid the single point of failure problem in the traditional management architecture and greatly reduce the burden of the management center. The access requests of massive devices in 5G application scenarios were simulated, and the results showed that the blockchain-based access control architecture designed in this article can quickly process received requests, with information leakage below 10%, improving the security and processing performance of data connections, achieving efficient processing and management of large-scale data, and providing reliable guarantees for the development of the Internet era.

抄録全体を表示

We consider network security exercises where students construct virtual networks with User-mode Linux (UML) virtual machines and then execute attack and defense activities on these networks. In an older version of the exercise system, the students accessed the desktop screens of the remote servers running UMLs with Windows applications and then built networks by executing UML commands. However, performing the exercises remotely (e.g., due to the COVID-19 pandemic) resulted in difficulties due to factors such as the dependency of the work environment on specific operating systems, narrow-band networks, as well as issues in providing support for configuring UMLs. In this paper, a novel web-based hands-on system with intuitive and seamless operability and lightweight responsiveness is proposed in order to allow performing the considered exercises while avoiding the mentioned shortcomings. The system provides web pages for editing device layouts and cable connections by mouse operations intuitively, web pages connecting to UML terminals, and web pages for operating X clients running on UMLs. We carried out experiments for evaluating the proposed system on the usability, system performance, and quality of experience. The subjects offered positive assessments on the operability and no negative assessments on the responsiveness. As for command inputs in terminals, the response time was shorter and the traffic was much smaller in comparison with the older system. Furthermore, the exercises using nano required at least 16 kbps bandwidth and ones using wireshark required at least 2048 kbps bandwidth.

抄録全体を表示

Computer security has been getting more attention because a computer security incident may cause great damage on an organization. A quick and correct response against an incident is then important. One of the first possible responses is then locating and isolating a suspicious host. This isolation typically requires a manual operation that may cause a mistake or long delay. In order to solve these issues, this paper proposes a novel system to locate and isolate a suspicious host on an incident response adopting the Software Defined Network (SDN) approach. This SDN approach allows the proposed system to locate and isolate a suspicious host on-demand in a network that comprises different switches and routers of different makers. The proposed system then requires no host authentication configured, no IP address allocation/assignment database, no network topology map and no switch port list in advance. The proposed system, therefore, can reduce human manual operations. This paper then presents that human manual operations actually induce longer delays, more than 3 minutes on average, and also cause mistakes. This paper also presents that the proposed system can locate and isolate a suspicious host within 10 seconds right after an IP address of a suspicious host is given.

抄録全体を表示

Recently, with the proliferation of IoT devices, network technologies have also rapidly developed to serve the rising needs of users. IoT devices are often complemented by cloud computing technology to provide better services. Fog computing was introduced as a method to bring cloud applications closer to IoT devices so that end-users could avoid communication latency. An edge device at the fog node could use Network Functions Virtualization to optimize its performance and resource management. However, recent research has shown that certain fundamental virtual switch settings can be misused to carry out cyberattacks. In previous research, we proposed Slow-port-exhaustion DoS Attack, an attack that targets virtual switches using the Port Address Translation mechanism for communication between virtual machines and the physical network. In this attack, an attacker with a low amount of attack bandwidth can sabotage the virtual switch by occupying all of the host machine's ports for a long period of time. In this paper, we introduce some methods for exploiting IoT devices to leverage this attack. We also perform experimental attacks with new methods and compare the results with the old methods. Finally, we suggest some countermeasures against this kind of attack.

抄録全体を表示

QoS of applications is essential for content providers, and it is required to improve the end-to-end communication quality from a content provider to users. Generally, a content provider's data center network is connected to multiple ASes and has multiple egress paths to reach the content user's network. However, on the Internet, the communication quality of network paths outside of the provider's administrative domain is a black box, so multiple egress paths cannot be quantitatively compared. In addition, it is impossible to determine a unique egress path within a network domain because the parameters that affect the QoS of the content are different for each network. We propose a “Performance Aware Egress Path Discovery” method to improve QoS for content providers. The proposed method uses two techniques: Egress Peer Engineering with Segment Routing over IPv6 and Passive End-to-End Measurement. The method is superior in that it allows various metrics depending on the type of content and can be used for measurements without affecting existing systems. To evaluate our method, we deployed the Performance Aware Egress Path Discovery System in an existing content provider network and conducted experiments to provide production services. Our findings from the experiment show that, in this network, 15.9% of users can expect a 30Mbps throughput improvement, and 13.7% of users can expect a 10ms RTT improvement.

抄録全体を表示

In this paper, we propose a simple but flexible virtual machine consolidation method for power saving. This method is specifically designed for datacenters where heterogeneous high-density blade servers host dozens or even hundreds of virtual machines. This method utilizes an extended First-Fit Decreasing (FFD) algorithm. It selects a migration destination server on the basis of server rank. The rank represents server selection priority and is uniquely assigned to each physical server. Our simulation results show that this method reduces power consumption by 34.5% under a typical workload and 33.8% under a random workload.

抄録全体を表示

In this paper, we propose a simple but flexible virtual machine consolidation method for power saving. This method is specifically designed for datacenters where heterogeneous high-density blade servers host dozens or even hundreds of virtual machines. This method utilizes an extended First-Fit Decreasing (FFD) algorithm. It selects a migration destination server on the basis of server rank. The rank represents server selection priority and is uniquely assigned to each physical server. Our simulation results show that this method reduces power consumption by 34.5% under a typical workload and 33.8% under a random workload.

抄録全体を表示

近年，授業や自習で利用するPC教室の教育システムにおいて，利用者数は増加傾向にあるが，運用コストは削減傾向にあることより，PC教室の増設や利用時間の拡張が難しい．そのため，PC教室を授業で利用したい場合や，PC教室で自習したい際，空き教室がないことが頻繁に発生している．この問題回避のために，本研究では，PC教室以外の研究室や自宅等からでも個人PCを使って教育システムが利用出来る仮想PC教室環境の設計を行う．東京海洋大学の教育システムは，ログイン時に本人認証としてICカードを使った認証を用いている．そのため，PC教室以外の研究室や自宅等から利用する際においても，PC教室で利用する認証方式と同等以上の認証方式が求められる．そこで，仮想PC教室の利用の際においても，カード認証を併用する．併用するカード認証は，ICカードが導入されていない教職員でも利用できるよう，大学が発行するICカー ドだけでなく，個人が保有する携帯電話や定期等のカード（以下，一般カードとする）でも認証が行える仕組みとする．一般カードを使った認証方法は，著者らが先行研究として行っているPINコード生成方式を応用して実現する

抄録全体を表示

情報技術が世界的に普及整備され，経済社会の基盤となった現在，我々は保有する情報資源を有効かつ便利に活用できるようになっている．一方でこれらの進んだ環境が悪用される例も後を絶たない． これまではネットワークや情報システムの事故に対して「未然に防ぐにはどうすればよいのか」が注目されてきたが，現在では情報の取り扱いにおける対策が「事故前提社会システム」としての情報インフラ構築，運用および対策に切り替わってきている．しかし，事後の状況を個々の環境であらかじめ作り出すことは困難であり，人的，物的にもコストがかかる． 情報危機管理演習を遠隔から誰でも参加できる形式で実現することで，より低コストで情報セキュリティ対策に必要な人材の育成を行うことが可能となり，情報セキュリティについての啓蒙を深めることにもつなげることができる． 本稿では情報危機管理演習の構築手法に加え，これに遠隔から誰でも参加できる形式を実現する手法を提案する．また，他の類似する情報セキュリティ演習と比較，運用上の課題を検討し，将来の運用支援と拡張性について考察する．

抄録全体を表示

香川大学のハイブリッドクラウド教育基盤システムKadai-Cloud（2018）で2021年3月まで運用したMoodleを調査した結果，課題などの格納ファイル数とファイルデータ量が急増していた．そのため，シンプロビジョニング機能で作成された仮想ディスクの割り当て済み領域について，TRIM機能を用いた未使用領域の回収が必要であった．本論文は，スナップショット機能により保護されたVMにおいて，そのVMの仮想ディスクに対するTRIM機能適用について実機評価し，使用用途に応じた適用方法を明らかにした．

抄録全体を表示

Recently, many spam mails associated with “One-click fraud, ” “Phishing, ” and so on have been sent to unspecified large number of e-mail users. According to some previous works, most spam mails contained some URLs whose domains were registered relatively recently, such that the age of the domain used in the URL in the messages would be a good criterion for spam mail discrimination. However, it is difficult to obtain the age or the registration date of a specific domain for each message by WHOIS service since most WHOIS services would block frequent queries. In this paper, we propose a domain registration date retrieval system, which updates zone files of some Top Level Domains (TLDs) every day, keeps track of the registration date for new domains, and works as a DNS server that replys with the registration date of the queried domain. According to the performance evaluation, the prototype system could update the registration date for all the domains of “com” TLD in two hours.

抄録全体を表示

In order for autonomous vehicles to drive safely and comfortably, environmental information detected by sensors need to be gathered from wider area and to be more accurate. We can improve data accuracy by fusions of sensor data from not only vehicles but also road infrastructures. Fusion processing is usually performed in a high-performance server (centralized system). However, when the number of sensors is enormous, processing time and communication time for fusions become unacceptable due to high-load and limited capacity of network. And, waiting data-arrivals from all sensors is impractical in such situations. Thus, fusions should be distributed and incrementally updated on each data-arrival. In this paper, we propose a distributed environmental information management system using edge computing and a sensor fusion method.Since the system is composed of geographically distributed edges and a centralized cloud, it can distribute processing costs and communication costs of fusions to the edges and the cloud. The proposal sensor fusion method can incrementally compute intermediate results without waiting for receiving all the environmental information. In comparison experiments with the centralized system, the proposed system improved the efficiency of data processing and reduced the amount of communication data.

抄録全体を表示

A data restoration method for the large-scale disasters is proposed. Recently, social data, e.g. resident information or medical information, are stored into information systems. The social data are backed up to remote site to protect from data loss. It is important for restoration to be able to utilize the backup data as soon as possible. Thus, a part of backup data, e.g. files, is individually restored (File-lvl Restore). To reduce the time to get backup data by the File-lvl Restore more further, we apply the parallel data downloading. However, the current method does not consider the TCP slow-start processing; thus, the number of chunks of parallel downloading becomes insufficient. In this paper, we propose a data restoration method that decides the number of chunks based on Round Trip Time and the characteristics of TCP slow-start. Our evaluation results show that the time to get the backup data by using the proposed method becomes 1/2 to 1/3 compared to the current method.

抄録全体を表示

A virtual machine (VM) migration is useful for improving flexibility and maintainability in cloud computing environments. However, VM monitor (VMM)-bypass I/O technologies, including PCI passthrough and SR-IOV, in which the overhead of I/O virtualization can be significantly reduced, make VM migration impossible. This paper proposes a novel and practical mechanism, called Symbiotic Virtualization (SymVirt), for enabling migration and checkpoint/restart on a virtualized cluster with VMM-bypass I/O devices, without the virtualization overhead during normal operations. SymVirt allows a VMM to cooperate with a message passing layer on the guest OS, then it realizes VM-level migration and checkpoint/restart by using a combination of a user-level dynamic device configuration and coordination of distributed VMMs. We have implemented the proposed mechanism on top of QEMU/KVM and the Open MPI system. All PCI devices, including Infiniband, Ethernet, and Myrinet, are supported without implementing specific para-virtualized drivers; and it is not necessary to modify either of the MPI runtime and applications. Using the proposed mechanism, we demonstrate reactive and proactive FT mechanisms on a virtualized Infiniband cluster. We have confirmed the effectiveness using both a memory intensive micro benchmark and the NAS parallel benchmark.

抄録全体を表示

The issue of copying values or references has historically been studied for managing memory objects, especially in distributed systems. In this paper, we explore a new topic on copying values v.s. references, for memory page compaction on virtualized systems. Memory page compaction moves target physical pages to a contiguous memory region at the operating system kernel level to create huge pages. Memory virtualization provides an opportunity to perform memory page compaction by copying the references of the physical pages. That is, instead of copying pages' values, we can move guest physical pages by changing the mappings of guest-physical to machine-physical pages. The goal of this paper is a quantitative comparison between value- and reference-based memory page compaction. To do so, we developed a software mechanism that achieves memory page compaction by appropriately updating the references of guest-physical pages. We prototyped the mechanism on Linux 4.19.29 and the experimental results show that the prototype's page compaction is up to 78% faster and achieves up to 17% higher performance on the memory-intensive real-world applications as compared to the default value-copy compaction scheme.

抄録全体を表示

In LTE (Long Term Evolution) / LTE-Advanced (LTE-A) system, the user-plane for a user equipment (UE) is provided by tunneling, which increases header overhead, processing overhead, and management overhead. In addition, the LTE-A system does not support moving cells which are composed of a mobile Relay Node (RN) and UEs attached to the mobile RN. Although there are several proposals for moving cells in the LTE-A system and the 5G system, all of them rely on tunneling for the user-plane, which means that none of them avoid the tunneling overheads. This paper proposes MocLis, a moving cell support protocol based on a Locator/ID split approach. MocLis does not use tunneling. Nested moving cells are supported. Signaling cost for handover of a moving cell is independent of the number of UEs and nested RNs in the moving cell. A MocLis prototype, implemented in Linux, includes user space daemons and modified kernel. Measurements show that the attachment time and handover time are short enough for practical use. MocLis has higher TCP throughput than the tunneling based approaches.

抄録全体を表示

本論文では新しい学生向け掲示板システムの構築と仮想化されたサーバ上への集約について述べる．最初に構築したシステムをメンテナンスしながら工学部において10年以上使用してきたが，今回デザインと使い勝手を向上させ，業務フローを考慮に入れ，全学で使用できる形に更新を行った．新しく構築したシステムは，掲示板に表示する情報の元データは教員等がWebから入力し，掲示板担当者が内容の確認と表記の統一をした上で掲示することが可能であり，学生が見て分かりやすいことを目指したものである．新しい掲示板を構築し，運用していく上で多くの検討を行った．システムの構成と運用の他，これら検討した内容についても述べる．

抄録全体を表示

TCP/IP, the foundation of the current Internet, assumes a sufficiently low packet loss rate for links in communication path. On the other hand, for communication services such as mobile and wireless communications, communication link tends to be disruptive. In this paper, we propose Layer-5 temporally-spliced path protocol (L5-TSPP), which provides disruption-tolerance in the L5 temporally-spliced path (L5-TSP), as one of the communication paths provided by Layer-5 (L5-paths). We design and implement an API for using L5-paths (L5 API). The L5 API is designed and implemented to support not only POSIX systems but also non-POSIX systems. L5 API and L5-TSPP are implemented in the user space in Go language. The measurement results show that L5-TSP achieves lower and more stable connection establishment time and better end-to-end throughput in the presence of disruption than conventional communication paths.

抄録全体を表示

Protecting critical files in operating system is very important to system security. With the increasing adoption of Virtual Machine Introspection (VMI), designing VMI-based monitoring tools become a preferential choice with promising features, such as isolation, stealthiness and quick recovery from crash. However, these tools inevitably introduce high overhead due to their operation-based characteristic. Specifically, they need to intercept some file operations to monitor critical files once the operations are executed, regardless of whether the files are critical or not. It is known that file operation is high-frequency, so operation-based methods often result in performance degradation seriously. Thus, in this paper we present CFWatcher, a target-based real-time monitoring solution to protect critical files by leveraging VMI techniques. As a target-based scheme, CFWatcher constraints the monitoring into the operations that are accessing target files defined by users. Consequently, the overhead depends on the frequency of target files being accessed instead of the whole filesystem, which dramatically reduces the overhead. To validate our solution, a prototype system is built on Xen with full virtualization, which not only is able to monitor both Linux and Windows virtual machines, but also can take actions to prevent unauthorized access according to predefined policies. Through extensive evaluations, the experimental results demonstrate that the overhead introduced by CFWatcher is acceptable. Especially, the overhead is very low in the case of a few target files.

抄録全体を表示

A dialogue system that responds mechanically to given queries can be used for public relations for prospective university students. However, as a user-specific problem, collecting information from first-time entrances and passive examinations is difficult, and a conventional dialogue system may not collect sufficient information. Therefore, we developed a recommendation-type dialogue system that supports information gathering by evoking potential user requests. Based on the preference analysis results using previous and real-time query histories and recommended information from universities, information in the form of queries is recommended to users when considering their personal attributes. We evaluated the presence or absence of a recommendation function and implemented an introduction evaluation targeting public relations for those who wish to enroll in a university. The average number of queries increases by evoking potential requests, and the information gathering of the user is supported.

抄録全体を表示